trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added kali and fixed path for securityonion

Browse Source
This commit is contained in:
Trinitor
2021-08-06 17:06:40 +02:00
parent 70f1922e80
commit ea58df86cc
2 changed files with 385 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
Vagrant/Vagrantfile vendored
View File

@@ -82,7 +82,6 @@ EOF
systemctl start default-gateway.service systemctl start default-gateway.service
SHELL SHELL
cfg.vm.provider "virtualbox" do |vb, override| cfg.vm.provider "virtualbox" do |vb, override|
vb.gui = false vb.gui = false
vb.name = "logger" vb.name = "logger"
@@ -99,11 +98,11 @@ EOF
config.vm.define "dc" do |cfg| config.vm.define "dc" do |cfg|
cfg.vm.box = "detectionlab/win2016" cfg.vm.box = "detectionlab/win2016"
cfg.vm.hostname = "dc" cfg.vm.hostname = "dc"
cfg.vm.boot_timeout = 600 cfg.vm.boot_timeout = 1200
cfg.winrm.transport = :plaintext cfg.winrm.transport = :plaintext
cfg.vm.communicator = "winrm" cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300 cfg.winrm.timeout = 1200
cfg.winrm.retry_limit = 20 cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8" cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8"
@@ -149,10 +148,10 @@ EOF
config.vm.define "wef" do |cfg| config.vm.define "wef" do |cfg|
cfg.vm.box = "detectionlab/win2016" cfg.vm.box = "detectionlab/win2016"
cfg.vm.hostname = "wef" cfg.vm.hostname = "wef"
cfg.vm.boot_timeout = 600 cfg.vm.boot_timeout = 1200
cfg.vm.communicator = "winrm" cfg.vm.communicator = "winrm"
cfg.winrm.basic_auth_only = true cfg.winrm.basic_auth_only = true
cfg.winrm.timeout = 300 cfg.winrm.timeout = 1200
cfg.winrm.retry_limit = 20 cfg.winrm.retry_limit = 20
cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102" cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
@@ -236,6 +235,50 @@ EOF
end end
end end
config.vm.define "kali", autostart: false do |cfg|
cfg.vm.box = "kalilinux/rolling"
cfg.vm.hostname = "kali"
cfg.vm.network :private_network, ip: "192.168.38.20", gateway: "192.168.38.1", dns: "8.8.8.8"
cfg.vm.network :private_network, ip: "192.168.39.20", gateway: "192.168.39.1", dns: "8.8.8.8"
cfg.vm.provision "shell", run: "always", inline: <<-SHELL
route del default gw 10.0.2.2
route add default gw 192.168.38.2
SHELL
cfg.vm.provision "shell", inline: <<-SHELL
export DEBIAN_FRONTEND=noninteractive
cat <<-'EOF' >/opt/default-gateway.sh
#!/bin/bash
route del default gw 10.0.2.2
route add default gw 192.168.38.2
EOF
cat <<-'EOF' >/etc/systemd/system/default-gateway.service
[Unit]
After=network.service
Description=default-gateway
[Service]
Type=simple
ExecStart=/opt/default-gateway.sh
[Install]
WantedBy=multi-user.target
EOF
chmod 744 /opt/default-gateway.sh
chmod 664 /etc/systemd/system/default-gateway.service
systemctl daemon-reload
systemctl enable default-gateway.service
systemctl start default-gateway.service
SHELL
cfg.vm.provider "virtualbox" do |vb|
vb.name = "kali"
vb.gui = false
vb.cpus = 2
vb.memory = "4096"
end
end
config.vm.define "securityonion", autostart: false do |cfg| config.vm.define "securityonion", autostart: false do |cfg|
cfg.vm.box = "ubuntu/trusty64" cfg.vm.box = "ubuntu/trusty64"
cfg.vm.hostname = "securityonion" cfg.vm.hostname = "securityonion"
@@ -260,7 +303,7 @@ EOF
apt-get -y install securityonion-all syslog-ng-core apt-get -y install securityonion-all syslog-ng-core
apt-get -y autoremove apt-get -y autoremove
apt-get clean apt-get clean
sosetup -y -f /vagrant/sosetup.conf sosetup -y -f /vagrant/resources/securityonion/sosetup.conf
ufw allow 443/tcp ufw allow 443/tcp
SHELL SHELL
end end

336
Vagrant/resources/securityonion/sosetup.conf Normal file
View File

@@ -0,0 +1,336 @@
################################
# sosetup.conf
################################
# This file can be used to automate sosetup.
#
# Copy this example file to your home directory:
# cp /usr/share/securityonion/sosetup.conf ~
#
# Edit your new sosetup.conf:
# nano ~/sosetup.conf
#
# Run Setup with the -f switch and the path to this file:
# sudo sosetup -f ~/sosetup.conf
################################
# Management Interface
################################
# MGMT_INTERFACE
# Which network interface should be the management interface?
# The management interface has an IP address and is NOT used for sniffing.
# We recommend that you always make this eth0 if possible for consistency.
MGMT_INTERFACE='eth2'
# MGMT_CONFIG_TYPE
# Should the management interface be configured using DHCP or static IP?
# We recommend using static IP whenever possible.
MGMT_CONFIG_TYPE='static'
# MGMT_CONFIG_TYPE='DHCP'
# If MGMT_CONFIG_TYPE=static, then provide the details here:
ADDRESS='192.168.39.10'
NETMASK='255.255.255.0'
GATEWAY='192.168.39.1'
NAMESERVER='192.168.39.1'
DOMAIN='example.com'
################################
# Sniffing interface(s)
################################
# Which interface(s) will be sniffing network traffic?
# For multiple interfaces, please separate them with spaces.
# For example:
# SNIFFING_INTERFACES='eth1 eth2'
SNIFFING_INTERFACES='eth0 eth1'
################################
# Master Server
################################
# SERVER
# If set to 1, then this box will be a Master server:
# SERVER=1
# If set to 0, then this box will connect to a separate Master server:
# SERVER=0
SERVER=1
# SERVERNAME
# If SERVER=1, then this should be 'localhost':
# SERVERNAME='localhost'
# If SERVER=0, then this should be the name/IP of the separate Master server:
# SERVERNAME='sguilserver.example.com'
SERVERNAME='localhost'
# SSH_USERNAME
# If SERVER=0, then this should be the name of an
# account on the separate Master server that has sudo privileges.
# sudo privileges can be revoked after sosetup is complete.
# SSH_USERNAME='sensor1'
SSH_USERNAME=''
# SGUIL_SERVER_NAME
# If SERVER=1, then this is the name of the Sguil server we'll create.
# You probably shouldn't change this value.
SGUIL_SERVER_NAME='securityonion'
# SGUIL_CLIENT_USERNAME
# If SERVER=1, then this is the username that we'll create
# for Sguil/Squert/ELSA.
# Please use alphanumeric characters only!
SGUIL_CLIENT_USERNAME='vagrant'
# SGUIL_CLIENT_PASSWORD_1
# If SERVER=1, then this is the password that we'll create
# for Sguil/Squert/ELSA.
# If you set a password here, you may want to change it later and/or
# shred this file.
SGUIL_CLIENT_PASSWORD_1='vagrant'
################################
# Master server services
################################
# If SERVER=0, then no server services will run.
# If SERVER=1, then the following services can be enabled/disabled.
# Do you want to run Xplico? yes/no
XPLICO_ENABLED='no'
################################
# ELSA
################################
# ELSA
# If set to YES, then this box will run ELSA components:
# ELSA=YES
# If set to NO, then this box will not run ELSA components:
# ELSA=NO
# If you want to run ELSA, then you should enable this setting on every box in your deployment.
ELSA=YES
# UPDATE_ELSA_SERVER
# If SERVER=0, then the server's elsa_web.conf will need
# to be updated and Apache restarted for it to recognize
# this new ELSA node. Restarting Apache will interrupt
# any running ELSA queries.
# To automatically update the server's elsa_web.conf and
# restart Apache, set this option to 'YES':
# UPDATE_ELSA_SERVER='YES'
# If you'd rather update the server's elsa_web.conf yourself
# and manually restart Apache, set this option to 'NO':
# UPDATE_ELSA_SERVER='NO'
UPDATE_ELSA_SERVER='YES'
# LOG_SIZE_LIMIT
# This setting controls how much disk space ELSA uses.
# 10TB = 10000000000000
# LOG_SIZE_LIMIT='10000000000000'
# 1TB = 1000000000000
# LOG_SIZE_LIMIT='1000000000000'
# 100GB = 100000000000
# LOG_SIZE_LIMIT='100000000000'
# 10GB = 10000000000
LOG_SIZE_LIMIT='10000000000'
################################
# Enable/disable services
################################
# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
# Do you want to run the OSSEC Agent? yes/no
OSSEC_AGENT_ENABLED='no'
# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
OSSEC_AGENT_LEVEL='5'
# Salt allows you to manage your entire Security Onion deployment
# as one cohesive whole. It provides configuration management
# and remote code execution.
# Do you want to enable Salt? yes/no
SALT='no'
################################
# Sensor components
################################
# SENSOR
# If set to 1, then this box will run sensor components and sniff ethernet interfaces:
# SENSOR=1
# If set to 0, then this box will not run sensor components:
# SENSOR=0
SENSOR=1
################################
# Enable/disable sensor services
################################
# If SENSOR=0, then no sensor services will run.
# If SENSOR=1, then the following services can be enabled/disabled.
# BRO_ENABLED
# Do you want to run Bro? yes/no
BRO_ENABLED='yes'
# IDS_ENGINE_ENABLED
# Do you want to run an IDS engine (Snort/Suricata)? yes/no
IDS_ENGINE_ENABLED='yes'
# SNORT_AGENT_ENABLED
# Do you want to run the Snort agent? yes/no
# The Snort agent sends Snort IDS alerts to the Sguil database.
SNORT_AGENT_ENABLED='yes'
# BARNYARD2_ENABLED
# Do you want to run Barnyard2? yes/no
# Barnyard2 sends IDS alerts from Snort/Suricata to
# Sguil's Snort agent and syslog (ELSA).
BARNYARD2_ENABLED='yes'
# PCAP_ENABLED
# Do you want to run full packet capture? yes/no
PCAP_ENABLED='yes'
# PCAP_AGENT_ENABLED
# Do you want to run Sguil's pcap_agent? yes/no
# The pcap_agent allows Sguil to access the pcap store.
PCAP_AGENT_ENABLED='yes'
# PRADS_ENABLED
# Do you want to run Prads? yes/no
# Prads writes session data and asset data.
# Bro provides the same data types plus more, so most
# folks don't run Prads.
PRADS_ENABLED='no'
# SANCP_AGENT_ENABLED
# Do you want to run the sancp_agent? yes/no
# sancp_agent sends session data from Prads to Sguil.
SANCP_AGENT_ENABLED='no'
# PADS_AGENT_ENABLED
# Do you want to run the pads_agent? yes/no
# pads_agent sends asset data from Prads to Sguil.
PADS_AGENT_ENABLED='no'
# HTTP_AGENT_ENABLED
# Do you want to run the http_agent? yes/no
# http_agent sends http logs from Bro to Sguil.
# If you're running ELSA, then you probably want to disable this.
HTTP_AGENT_ENABLED='no'
# ARGUS_ENABLED
# Do you want to run Argus? yes/no
# Argus writes session data, also provided by Bro and Prads.
# Most folks don't run Argus.
ARGUS_ENABLED='no'
################################
# Rules
################################
# IDS_RULESET
# This setting is only necessary on a master server.
# Sensors automatically inherit ruleset from the master server.
# Which IDS ruleset would you like to use?
# Emerging Threats Open (no oinkcode required):
# ETOPEN
# Emerging Threats PRO (requires ETPRO oinkcode):
# ETPRO
# Sourcefire VRT (requires VRT oinkcode):
# VRT
# VRT and ET (requires VRT oinkcode):
# VRTET
IDS_RULESET='ETOPEN'
# OINKCODE
# This setting is only necessary on a master server.
# Sensors automatically inherit ruleset from the master server.
# If you're running VRT or ETPRO rulesets, you'll need to supply your
# oinkcode here.
OINKCODE=''
################################
# PF_RING Config
################################
# PF_RING_SLOTS
# The default is 4096.
# High traffic networks may need to increase this.
PF_RING_SLOTS=4096
################################
# IDS Config
################################
# IDS_ENGINE
# Which IDS engine would you like to run? snort/suricata
# Whatever you choose here will apply to the master server
# and then sensors inherit this setting from the master server.
# To run Snort:
# IDS_ENGINE='snort'
# To run Suricata:
# IDS_ENGINE='suricata'
IDS_ENGINE='snort'
# IDS_LB_PROCS
# How many PF_RING load-balanced processes would you like to run?
# This value should be lower than your number of CPU cores.
IDS_LB_PROCS='1'
# HOME_NET
# Setup by default configures Snort/Suricata's HOME_NET variable
# as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12).
# If you wish to provide a custom value, enter it below,
# ensuring a comma is placed after each range, with no spaces in between.
# Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12'
################################
# Bro Config
################################
# BRO_LB_PROCS
# How many PF_RING load-balanced processes would you like Bro to run?
# This value should be lower than your number of CPU cores.
BRO_LB_PROCS='1'
# EXTRACT_FILES
# Do you want Bro to automatically extract Windows EXEs and write them to disk? yes/no
EXTRACT_FILES='yes'
################################
# PCAP Config
################################
# PCAP_SIZE
# How large do you want your pcap files to be?
# The default is 150MB.
PCAP_SIZE='150'
# PCAP_RING_SIZE
# How big of a ring buffer should be allocated for netsniff-ng?
# The default is 64MB.
PCAP_RING_SIZE='64'
# PCAP_OPTIONS
# The default option here of '-c' is intended for low-volume environments.
# If monitoring lots of traffic, you will want to remove the -c to use
# netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option.
PCAP_OPTIONS='-c'
################################
# Maintenance
################################
# WARN_DISK_USAGE
# Begin warning when disk usage reaches this level
WARN_DISK_USAGE='80'
# CRIT_DISK_USAGE
# Begin purging old files when disk usage reaches this level
CRIT_DISK_USAGE='90'
# DAYSTOKEEP
# Only applies to Sguil database ('securityonion_db')
DAYSTOKEEP='30'
# DAYSTOREPAIR
# Only applies to Sguil database ('securityonion_db')
DAYSTOREPAIR='7'