#!/bin/bash
# Configure Elasticsearech for Odin
# 

echo -e "\e[93m"

log() {
    echo -e "\t\e[96m[*]${1}\e[93m"
}

export CRITSTACK_KEY=f9bc6af4-5cc6-4fa5-623b-b0906572d703
export BRO_FACE=eth1
export BRO_URL=https://www.bro.org/downloads/bro-2.5.2.tar.gz
export BROPKG_URL=https://github.com/bro/package-manager/archive/master.zip
export LIBKAFKA_URL=https://github.com/edenhill/librdkafka/archive/master.zip
export FSF_URL=https://github.com/EmersonElectricCo/fsf/archive/master.zip
export NCPU=$(grep processor /proc/cpuinfo |tail -1 |awk '/:/{print $3}') && let NCPU=$NCPU+1
export IP=$(ip route | awk '/src/{print $9}')
echo "bro" >/etc/hostname
echo -e "${IP}\tbro" >> /etc/hosts

deluser -q --remove-home ubuntu

apt-get update || exit 1
apt-get --purge remove snapd lxd mdadm -y
apt-get upgrade -y
apt-get clean
apt-get install -y htop wget cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev unzip python-pip  linux-headers-`uname -r`

useradd -r -c "Bro IDS" -m -d /opt/bro -s /bin/bash bro

cd /opt
wget -O fsf.zip ${FSF_URL}
unzip fsf.zip && rm fsf.zip
mv fsf-master/fsf-client /opt/fsf
rm -rf /opt/fsf-master /opt/master.zip
sed -i 's/127.0.0.1/fsf/g' /opt/fsf/conf/config.py
chown -R bro:bro /opt/fsf

cd /usr/local/src
wget -O bro.tgz ${BRO_URL}
tar xzf bro.tgz
rm bro.tgz
mv bro-2* bro
cd bro
./configure --prefix=/opt/bro
make -j${NCPU}
make install

cd ../
wget -O librdkafka.zip ${LIBKAFKA_URL}
unzip librdkafka.zip
rm librdkafka.zip
mv librdkafka-* librdkafka
cd librdkafka
./configure && make && make install

cd /usr/local/src/bro/aux/plugins/kafka
./configure && make && make install

chown -R bro:bro /opt/bro
#pip install bro-pkg -- currently out of date?
cd /usr/local/src
wget -O bropkg.zip ${BROPKG_URL}
unzip bropkg.zip
rm bropkg.zip
mv package-manager* bro-pkg
cd bro-pkg
python setup.py install

echo 'PATH="/opt/bro/bin:$PATH"' >> /etc/profile
export PATH="/opt/bro/bin:$PATH"
sudo -i -u bro env PATH=/opt/bro/bin:$PATH bro-pkg --verbose autoconfig
sudo -i -u bro env PATH=/opt/bro/bin:$PATH bro-pkg --verbose refresh --aggregate
sudo -i -u bro env PATH=/opt/bro/bin:$PATH bro-pkg --verbose install bro-af_packet-plugin --force

sed -i 's/MailConnectionSummary = 1/MailConnectionSummary = 0/g' /opt/bro/etc/broctl.cfg
sed -i 's/MinDiskSpace = 5/MinDiskSpace = 0/g' /opt/bro/etc/broctl.cfg
sed -i 's/MailHostUpDown = 1/MailHostUpDown = 0/g' /opt/bro/etc/broctl.cfg
sed -i 's/LogRotationInterval = 3600/LogRotationInterval = 86400/g' /opt/bro/etc/broctl.cfg
sed -i 's/LogExpireInterval = 0/LogExpireInterval = 60/g' /opt/bro/etc/broctl.cfg
sed -i 's/StatsLogExpireInterval = 0/StatsLogExpireInterval = 1/g' /opt/bro/etc/broctl.cfg

cat >> /opt/bro/share/bro/site/local.bro <<EOF
@load policy/protocols/smb
@load packages
@load policy/protocols/smb
@load policy/protocols/conn/mac-logging
@load policy/protocols/conn/vlan-logging
@load Bro/Kafka/logs-to-kafka.bro
redef Kafka::logs_to_send = set(Stats::LOG, Conn::LOG, DHCP::LOG, DNS::LOG, FTP::LOG, HTTP::LOG, IRC::LOG, KRB::LOG, NTLM::LOG, RADIUS::LOG, RDP::LOG, SIP::LOG, SMB::CMD_LOG, SMB::FILES_LOG, SMB::MAPPING_LOG, SMTP::LOG, SNMP::LOG, SOCKS::LOG, SSH::LOG, SSL::LOG, Syslog::LOG, Tunnel::LOG, Files::LOG, PE::LOG, X509::LOG, Intel::LOG, Notice::LOG, Software::LOG, Weird::LOG, CaptureLoss::LOG);
redef Kafka::kafka_conf = table(
    ["metadata.broker.list"] = "kafka:9092"
);

export
{
        const ext_map: table[string] of string = {
                ["application/x-dosexec"] = "exe",
                ["application/x-compress"] = "",
                ["application/zip"] = "zip",
                ["application/x-dmg"] = "dmg",
                ["application/pdf"] = "pdf",
                ["application/hta"] = "hta",
                ["application/java-archive"] = "jar",
                ["application/x-java-applet"] = "jar",
                ["application/x-java-jnlp-file"] = "jnlp",
                ["application/x-shockwave-flash"] = "swf",
                ["application/vnd.ms-cab-compressed"] = "cab",
                ["application/font-woff"] = "woff",
                ["application/x-font-ttf"] = "ttf",
                ["application/vnd.ms-fontobject"] = "eot",
                ["application/x-font-sfn"] = "",
                ["application/vnd.ms-opentype"] = "otf",
                ["application/x-mif"] = "mif",
                ["application/vnd.font-fontforge-sfd"] = "sfd",
                ["application/msword"] = "doc",
                ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
                ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
                ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] ="pptx",
        } &redef &default="";
}

redef FileExtract::prefix = "/opt/bro/file_extract";

event file_sniff(f: fa_file, meta: fa_metadata)
{
        local ext = "";

        if ( meta?\$mime_type )
        {
                ext = ext_map[meta\$mime_type];
        }

        if ( ext == "" )
        {
                return;
        }
        # Hash the file for good measure
        Files::add_analyzer(f, Files::ANALYZER_MD5);

        local fname = fmt("%s-%s-%s", f\$source, f\$id, ext);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [\$extract_filename=fname, \$extract_limit=104857600]);
}

event file_state_remove(f: fa_file)
{
        if ( f\$info?\$extracted )
        {
                local scan_cmd = fmt("%s %s/%s", "/opt/fsf/fsf_client.py --delete --source EVision --suppress-report --archive all-on-alert", FileExtract::prefix, f\$info\$extracted);
                system(scan_cmd);
        }
}
EOF

cat > /opt/bro/etc/node.cfg <<EOF
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[odin]
type=worker
host=localhost
interface=af_packet::${BRO_FACE}
lb_method=custom
lb_procs=4
#pin_cpus=0,1,2,3
af_packet_fanout_id=24
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
EOF

cat > /etc/network/interfaces.d/60-ids.cfg <<EOF
auto eth1
iface eth1 inet manual
  up ifconfig ${BRO_FACE} -arp up
  up ip link set ${BRO_FACE} promisc on
  down ip link set ${BRO_FACE} promisc off
  down ifconfig ${BRO_FACE} down
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K ${BRO_FACE} \${i} off 2>/dev/null; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/${BRO_FACE}/disable_ipv6
EOF
ifup eth1

cat >/etc/systemd/system/bro.service <<EOF
[Unit]
Description=Bro Network Intrusion Detection System (NIDS)
After=network.target

[Service]
Type=forking
User=bro
Group=bro
Environment=HOME=/opt/bro/spool
ExecStart=/opt/bro/bin/broctl deploy
ExecStop=/opt/bro/bin/broctl stop

[Install]
WantedBy=multi-user.target
EOF
chown -R bro:bro /opt/bro
# Interesting note, a chown erases capabilities on files.
# So we have to do it after the chown -R
setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro


if [ -z ${CRITSTACK_KEY} ]; then
        log "Please provide your Critical Stack API key\!."
        log "Not installing Critical Stack."
        exit 0
else
        wget -q --no-check-certificate https://intel.criticalstack.com/client/critical-stack-intel-amd64.deb
        dpkg -i critical-stack-intel-amd64.deb
        export PATH="/opt/bro/bin:$PATH"
        critical-stack-intel config --set=bro.path=/opt/bro #--set=app.user=bro
        critical-stack-intel api ${CRITSTACK_KEY}
        critical-stack-intel pull
fi

add-apt-repository -y -u ppa:oisf/suricata-stable
apt-get install -y prometheus-node-exporter suricata

systemctl enable bro
systemctl start bro
echo -e "\e[0m"