#!/bin/bash
#
# Provision the "Odin" Bro sensor: build Bro from source, ship its logs to
# Kafka, hand extracted files to the FSF scanner and install a systemd unit.
# (The original header said "Elasticsearch", but nothing in this script
# touches Elasticsearch; the work here is the Bro sensor itself.)
#

# Switch the terminal to yellow for the rest of the run; log() prints its own
# cyan marker and returns to yellow, and the last line of the script resets it.
printf '\e[93m\n'
# Print a progress line: a tab, a cyan "[*]" marker and the message, then
# switch back to the yellow the rest of the script runs in. %b interprets
# backslash escapes in the message the same way `echo -e` does.
log() {
    local message="${1}"
    printf '\t\e[96m[*]%b\e[93m\n' "${message}"
}
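# --- Parameters ---------------------------------------------------------------
# CRITSTACK_KEY is read from the environment instead of being hard-coded: an
# API key committed in a provisioning script ends up in every clone and every
# image built from it. Leave it empty to skip the Critical Stack step; the
# rest of the build still runs.
export CRITSTACK_KEY="${CRITSTACK_KEY:-}"
# Capture interface; overridable from the environment, eth1 by default.
export BRO_FACE="${BRO_FACE:-eth1}"
export BRO_URL=https://www.bro.org/downloads/bro-2.5.2.tar.gz
# NOTE(review): the next three URLs fetch an unpinned "master" snapshot that is
# then built and installed as root, so the build is not reproducible and takes
# whatever the branch holds at fetch time. Pin a release tag or commit when the
# project has one.
export BROPKG_URL=https://github.com/bro/package-manager/archive/master.zip
export LIBKAFKA_URL=https://github.com/edenhill/librdkafka/archive/master.zip
export FSF_URL=https://github.com/EmersonElectricCo/fsf/archive/master.zip
# Parallelism for the source builds below (same value as the old
# "last processor index + 1" computation, without the grep/tail/awk chain).
export NCPU=$(nproc)
# Primary address: the value following "src" on the first route that has one.
# Looking the field up by name rather than as $9, and stopping after the first
# hit, keeps the /etc/hosts entry to a single line when several routes carry a
# source address.
export IP=$(ip route | awk '/src/{for (i = 1; i <= NF; i++) if ($i == "src") {print $(i + 1); exit}}')
echo "bro" >/etc/hostname
echo -e "${IP}\tbro" >> /etc/hosts

deluser -q --remove-home ubuntu

# --- Base system --------------------------------------------------------------
apt-get update || exit 1
apt-get --purge remove snapd lxd mdadm -y
apt-get upgrade -y
apt-get clean
# Toolchain and libraries for Bro, librdkafka and the Kafka plugin. Nothing
# below can succeed without them, so a failed install aborts here instead of
# surfacing later as a confusing configure/make error.
apt-get install -y htop wget cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev unzip python-pip linux-headers-"$(uname -r)" || exit 1

# Service account that owns /opt/bro and runs the sensor.
useradd -r -c "Bro IDS" -m -d /opt/bro -s /bin/bash bro

# --- FSF client ---------------------------------------------------------------
# Every cd below is guarded: if a directory is missing, the rm/mv/make install
# that follows must not silently run in whatever directory we happen to be in.
cd /opt || exit 1
wget -O fsf.zip "${FSF_URL}"
unzip fsf.zip && rm fsf.zip
mv fsf-master/fsf-client /opt/fsf
rm -rf /opt/fsf-master /opt/master.zip
# Point the client at the "fsf" host instead of loopback (dots escaped so only
# the literal address matches).
sed -i 's/127\.0\.0\.1/fsf/g' /opt/fsf/conf/config.py
chown -R bro:bro /opt/fsf

# --- Bro from source ----------------------------------------------------------
cd /usr/local/src || exit 1
wget -O bro.tgz "${BRO_URL}"
tar xzf bro.tgz
rm bro.tgz
mv bro-2* bro
cd bro || exit 1
./configure --prefix=/opt/bro
make -j"${NCPU}"
make install

# --- librdkafka and the Bro Kafka plugin --------------------------------------
cd /usr/local/src || exit 1
wget -O librdkafka.zip "${LIBKAFKA_URL}"
unzip librdkafka.zip
rm librdkafka.zip
mv librdkafka-* librdkafka
cd librdkafka || exit 1
./configure && make && make install

cd /usr/local/src/bro/aux/plugins/kafka || exit 1
./configure && make && make install

chown -R bro:bro /opt/bro

# --- bro-pkg ------------------------------------------------------------------
#pip install bro-pkg -- currently out of date?
cd /usr/local/src || exit 1
wget -O bropkg.zip "${BROPKG_URL}"
unzip bropkg.zip
rm bropkg.zip
mv package-manager* bro-pkg
cd bro-pkg || exit 1
python setup.py install

echo 'PATH="/opt/bro/bin:$PATH"' >> /etc/profile
export PATH="/opt/bro/bin:$PATH"
# bro-pkg runs as the bro user so the package tree it writes is owned by the
# account that later runs the sensor.
sudo -i -u bro env PATH=/opt/bro/bin:$PATH bro-pkg --verbose autoconfig
sudo -i -u bro env PATH=/opt/bro/bin:$PATH bro-pkg --verbose refresh --aggregate
sudo -i -u bro env PATH=/opt/bro/bin:$PATH bro-pkg --verbose install bro-af_packet-plugin --force

# --- broctl tuning ------------------------------------------------------------
# No mail notifications, no free-space guard, daily rotation, and log expiry
# set to 60 / stats expiry to 1 (broctl's own units for those intervals).
sed -i 's/MailConnectionSummary = 1/MailConnectionSummary = 0/g' /opt/bro/etc/broctl.cfg
sed -i 's/MinDiskSpace = 5/MinDiskSpace = 0/g' /opt/bro/etc/broctl.cfg
sed -i 's/MailHostUpDown = 1/MailHostUpDown = 0/g' /opt/bro/etc/broctl.cfg
sed -i 's/LogRotationInterval = 3600/LogRotationInterval = 86400/g' /opt/bro/etc/broctl.cfg
sed -i 's/LogExpireInterval = 0/LogExpireInterval = 60/g' /opt/bro/etc/broctl.cfg
sed -i 's/StatsLogExpireInterval = 0/StatsLogExpireInterval = 1/g' /opt/bro/etc/broctl.cfg

# --- Site policy --------------------------------------------------------------
# The heredoc is unquoted on purpose (nothing in it needs shell expansion, but
# the Bro "$" field accessors are written as \$ so the shell leaves them alone).
# It enables the Kafka log exporter, extracts files of the listed MIME types
# (capped at 100 MiB each) to FileExtract::prefix, and hands each extracted
# file to the FSF client once Bro is done with it.
cat >> /opt/bro/share/bro/site/local.bro <<EOF
@load policy/protocols/smb
@load packages
@load policy/protocols/smb
@load policy/protocols/conn/mac-logging
@load policy/protocols/conn/vlan-logging
@load Bro/Kafka/logs-to-kafka.bro
redef Kafka::logs_to_send = set(Stats::LOG, Conn::LOG, DHCP::LOG, DNS::LOG, FTP::LOG, HTTP::LOG, IRC::LOG, KRB::LOG, NTLM::LOG, RADIUS::LOG, RDP::LOG, SIP::LOG, SMB::CMD_LOG, SMB::FILES_LOG, SMB::MAPPING_LOG, SMTP::LOG, SNMP::LOG, SOCKS::LOG, SSH::LOG, SSL::LOG, Syslog::LOG, Tunnel::LOG, Files::LOG, PE::LOG, X509::LOG, Intel::LOG, Notice::LOG, Software::LOG, Weird::LOG, CaptureLoss::LOG);
redef Kafka::kafka_conf = table(
["metadata.broker.list"] = "kafka:9092"
);

export
{
const ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["application/x-compress"] = "",
["application/zip"] = "zip",
["application/x-dmg"] = "dmg",
["application/pdf"] = "pdf",
["application/hta"] = "hta",
["application/java-archive"] = "jar",
["application/x-java-applet"] = "jar",
["application/x-java-jnlp-file"] = "jnlp",
["application/x-shockwave-flash"] = "swf",
["application/vnd.ms-cab-compressed"] = "cab",
["application/font-woff"] = "woff",
["application/x-font-ttf"] = "ttf",
["application/vnd.ms-fontobject"] = "eot",
["application/x-font-sfn"] = "",
["application/vnd.ms-opentype"] = "otf",
["application/x-mif"] = "mif",
["application/vnd.font-fontforge-sfd"] = "sfd",
["application/msword"] = "doc",
["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
["application/vnd.openxmlformats-officedocument.presentationml.presentation"] ="pptx",
} &redef &default="";
}

redef FileExtract::prefix = "/opt/bro/file_extract";

event file_sniff(f: fa_file, meta: fa_metadata)
{
local ext = "";

if ( meta?\$mime_type )
{
ext = ext_map[meta\$mime_type];
}

if ( ext == "" )
{
return;
}
# Hash the file for good measure
Files::add_analyzer(f, Files::ANALYZER_MD5);

local fname = fmt("%s-%s-%s", f\$source, f\$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [\$extract_filename=fname, \$extract_limit=104857600]);
}

event file_state_remove(f: fa_file)
{
if ( f\$info?\$extracted )
{
local scan_cmd = fmt("%s %s/%s", "/opt/fsf/fsf_client.py --delete --source EVision --suppress-report --archive all-on-alert", FileExtract::prefix, f\$info\$extracted);
system(scan_cmd);
}
}
EOF

# --- Cluster layout -----------------------------------------------------------
# Single-host cluster: logger, manager, one proxy and a 4-process AF_PACKET
# worker on the capture interface.
cat > /opt/bro/etc/node.cfg <<EOF
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[odin]
type=worker
host=localhost
interface=af_packet::${BRO_FACE}
lb_method=custom
lb_procs=4
#pin_cpus=0,1,2,3
af_packet_fanout_id=24
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
EOF

# --- Capture interface --------------------------------------------------------
# Written from BRO_FACE throughout: the original hard-coded eth1 on the auto/
# iface lines and in the ifup call, so changing BRO_FACE produced a config that
# described one interface and brought up another. No address, no ARP, promisc
# on, offloads off (so Bro sees frames as they were on the wire), IPv6 off.
cat > /etc/network/interfaces.d/60-ids.cfg <<EOF
auto ${BRO_FACE}
iface ${BRO_FACE} inet manual
up ifconfig ${BRO_FACE} -arp up
up ip link set ${BRO_FACE} promisc on
down ip link set ${BRO_FACE} promisc off
down ifconfig ${BRO_FACE} down
post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K ${BRO_FACE} \${i} off 2>/dev/null; done
post-up echo 1 > /proc/sys/net/ipv6/conf/${BRO_FACE}/disable_ipv6
EOF
ifup "${BRO_FACE}"

# --- systemd unit -------------------------------------------------------------
cat >/etc/systemd/system/bro.service <<EOF
[Unit]
Description=Bro Network Intrusion Detection System (NIDS)
After=network.target

[Service]
Type=forking
User=bro
Group=bro
Environment=HOME=/opt/bro/spool
ExecStart=/opt/bro/bin/broctl deploy
ExecStop=/opt/bro/bin/broctl stop

[Install]
WantedBy=multi-user.target
EOF

chown -R bro:bro /opt/bro
# Interesting note, a chown erases capabilities on files.
# So we have to do it after the chown -R
# These two capabilities are what let the unprivileged "bro" service user open
# the capture interface; no other part of the sensor runs as root.
setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro

# --- Critical Stack intel feed (optional) -------------------------------------
# Skipping the feed must not abort the script: the original `exit 0` on this
# branch also skipped the Suricata install below and never enabled or started
# the bro service.
if [ -z "${CRITSTACK_KEY}" ]; then
    log "Please provide your Critical Stack API key\!."
    log "Not installing Critical Stack."
else
    # The package is installed as root, so TLS verification stays on (the
    # original passed --no-check-certificate, which would accept any server
    # presenting itself as intel.criticalstack.com).
    if wget -q https://intel.criticalstack.com/client/critical-stack-intel-amd64.deb; then
        dpkg -i critical-stack-intel-amd64.deb
        export PATH="/opt/bro/bin:$PATH"
        critical-stack-intel config --set=bro.path=/opt/bro #--set=app.user=bro
        # NOTE(review): the key goes on the command line because that is how
        # this CLI takes it; it is visible in the process list while the
        # command runs and may land in shell history if run interactively.
        critical-stack-intel api "${CRITSTACK_KEY}"
        critical-stack-intel pull
    else
        log "Could not download the Critical Stack client; skipping."
    fi
fi

# --- Extras and service start -------------------------------------------------
add-apt-repository -y -u ppa:oisf/suricata-stable
apt-get install -y prometheus-node-exporter suricata

systemctl enable bro
systemctl start bro
echo -e "\e[0m"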