
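#!/bin/sh
# Build the Bro Kafka plugin on a FreeBSD 11.1-RELEASE build host and install
# Bro plus the plugin on a pfSense firewall.
#
# The original runbook mixed two hosts into one linear listing; the stages are
# now explicit so that nothing from the build host is run on the firewall:
#   build   - on the FreeBSD build host: compile Bro (no install, only
#             build/src/bifcl is needed) and metron-bro-plugin-kafka, which
#             produces the plugin tarball (APACHE_KAFKA.tgz).
#   install - on pfSense: install bro/librdkafka from the (temporarily enabled)
#             FreeBSD repo, unpack the plugin tarball and write local.bro,
#             node.cfg and broctl.cfg, then run "broctl check".
#   all     - both stages in order on one host (the original step order);
#             PLUGIN_TGZ must still point at the tarball the build produced.
#
# Usage: setup_pfsense.sh [build|install|all]     (default: all)
#
# Tunables (environment; defaults are the values from the original listing):
#   SRC_DIR          where Bro and the plugin are cloned     (/usr/local/src)
#   BRO_REF          git ref to check out in bro            (unset = clone HEAD)
#   PLUGIN_REF       git ref to check out in the plugin     (unset = clone HEAD)
#   PLUGIN_TGZ       plugin tarball to unpack on pfSense    (./APACHE_KAFKA.tgz)
#   KAFKA_TOPIC      Kafka::topic_name                      (TLINGEST-CLIENTNAME)
#   KAFKA_CLIENT_ID  librdkafka client.id                   (setme.client)
#   KAFKA_BROKERS    metadata.broker.list                   (10.15.0.40-42:9092)
#   BRO_IFACE        capture interface for worker-1         (igb1)
#
# POSIX sh on purpose: pfSense does not ship bash, and FreeBSD 11.1 sh has no
# "pipefail", so only "set -eu" is used and critical steps are checked explicitly.
set -eu

SRC_DIR=${SRC_DIR:-/usr/local/src}
BRO_REF=${BRO_REF:-}
PLUGIN_REF=${PLUGIN_REF:-}
PLUGIN_TGZ=${PLUGIN_TGZ:-APACHE_KAFKA.tgz}
KAFKA_TOPIC=${KAFKA_TOPIC:-TLINGEST-CLIENTNAME}
KAFKA_CLIENT_ID=${KAFKA_CLIENT_ID:-setme.client}
KAFKA_BROKERS=${KAFKA_BROKERS:-10.15.0.40:9092,10.15.0.41:9092,10.15.0.42:9092}
BRO_IFACE=${BRO_IFACE:-igb1}

# Fixed locations on the pfSense side.
PFSENSE_REPO_CONF=/usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
FREEBSD_REPO_CONF=/usr/local/etc/pkg/repos/FreeBSD.conf
BRO_PLUGIN_DIR=/usr/local/lib/bro/plugins
BRO_SITE_DIR=/usr/local/share/bro/site
BRO_ETC_DIR=/usr/local/etc

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Clone a git repository into $SRC_DIR (skipped when the directory already
# exists, so a re-run does not fail on "destination path already exists") and
# optionally check out a pinned ref.
# $1 - clone URL, $2 - directory name under $SRC_DIR, $3 - ref (may be empty)
clone_source() {
  cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"
  if [ ! -d "$2" ]; then
    git clone "$1" "$2"
  fi
  # Pin to a known tag/commit when one is given; an unpinned clone builds
  # whatever upstream HEAD is on the day the script runs.
  if [ -n "$3" ]; then
    git -C "$2" checkout "$3"
  fi
}

# Build host: install build dependencies and compile Bro (no install).
# Bro must be compiled because build/src/bifcl is needed to compile plugins.
# Runs in a subshell so the cd does not leak into the caller.
build_bro() (
  pkg install -y bash git flex bison cmake libpcap librdkafka python py27-sqlite3 caf swig
  mkdir -p "$SRC_DIR"
  clone_source https://github.com/bro/bro bro "$BRO_REF"
  cd "$SRC_DIR/bro" || die "cannot cd to $SRC_DIR/bro"
  ./configure
  make -j2
)

# Build host: compile the Kafka plugin (no install). The plugin build produces
# the APACHE_KAFKA.tgz tarball that is copied to the pfSense box.
# The original listing ran ./configure from $SRC_DIR itself, where there is no
# configure script; the build has to run inside the plugin checkout.
build_plugin() (
  clone_source https://github.com/apache/metron-bro-plugin-kafka.git metron-bro-plugin-kafka "$PLUGIN_REF"
  cd "$SRC_DIR/metron-bro-plugin-kafka" || die "cannot cd to $SRC_DIR/metron-bro-plugin-kafka"
  ./configure --bro-dist="$SRC_DIR/bro"
  make
)

# pfSense: flip "FreeBSD: { enabled: <from>" to "enabled: <to>" in both pkg
# repo configs. Only yes/no are accepted so nothing else is interpolated into
# the sed expression.
# $1 - current value (yes|no), $2 - new value (yes|no)
set_freebsd_repo() {
  case "$1:$2" in
    yes:no|no:yes) ;;
    *) die "set_freebsd_repo: expected yes/no, got '$1' '$2'" ;;
  esac
  sed -i '' "s/FreeBSD: { enabled: $1/FreeBSD: { enabled: $2/g" "$PFSENSE_REPO_CONF"
  sed -i '' "s/FreeBSD: { enabled: $1/FreeBSD: { enabled: $2/g" "$FREEBSD_REPO_CONF"
}

# pfSense: install bro and librdkafka from the FreeBSD repo, which is enabled
# only for the duration of the install. The repo is re-disabled even when the
# install fails, so a later "pkg upgrade" on the firewall cannot silently pull
# packages from a repo that pfSense does not track.
install_packages() {
  set_freebsd_repo no yes
  rv=0
  pkg install -y bro librdkafka || rv=$?
  set_freebsd_repo yes no
  pkg update
  [ "$rv" -eq 0 ] || die "pkg install bro librdkafka failed (rc=$rv)"
}

# pfSense: write the site policy. Only the three Kafka values are substituted;
# the rest of the heredoc contains no shell expansions.
# Review notes on the Kafka settings:
#   - request.required.acks = "0" means the producer never waits for a broker
#     acknowledgement, so records dropped by the broker are not reported; use
#     "1" or "all" if lost log records must be noticed.
#   - no security.protocol / ssl.* / sasl.* keys are set, so the Bro->Kafka
#     link is plaintext; add them here if the brokers require TLS or SASL.
write_local_bro() {
  mkdir -p "$BRO_SITE_DIR"
  cat > "$BRO_SITE_DIR/local.bro" <<EOF
@load misc/loaded-scripts
@load tuning/defaults
@load misc/capture-loss
@load misc/stats
@load misc/scan
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load-sigs frameworks/signatures/detect-windows-shells
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
@load protocols/ftp/detect
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs
@load protocols/ssl/validate-certs
@load protocols/ssl/log-hostcerts-only
@load protocols/ssh/geo-data
@load protocols/ssh/detect-bruteforcing
@load protocols/ssh/interesting-hostnames
@load frameworks/files/hash-all-files
@load frameworks/files/detect-MHR
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load policy/protocols/smb
@load Apache/Kafka/logs-to-kafka.bro
redef Kafka::topic_name = "$KAFKA_TOPIC";
redef Kafka::tag_json = T;
redef Kafka::logs_to_send = set(CaptureLoss::LOG, PacketFilter::LOG, Stats::LOG, Conn::LOG, DHCP::LOG, DNS::LOG, FTP::LOG, HTTP::LOG, IRC::LOG, KRB::LOG, NTLM::LOG, RADIUS::LOG, RDP::LOG, SIP::LOG, SMB::CMD_LOG, SMB::FILES_LOG, SMB::MAPPING_LOG, SMTP::LOG, SNMP::LOG, SOCKS::LOG, SSH::LOG, SSL::LOG, Syslog::LOG, Tunnel::LOG, Files::LOG, PE::LOG, X509::LOG, Intel::LOG, Notice::LOG, Software::LOG, Weird::LOG, CaptureLoss::LOG);
redef Kafka::kafka_conf = table(["client.id"] = "$KAFKA_CLIENT_ID"
, ["compression.codec"] = "lz4"
, ["request.required.acks"] = "0"
, ["metadata.broker.list"] = "$KAFKA_BROKERS"
);
EOF
}

# pfSense: single-host cluster layout; only the capture interface varies.
write_node_cfg() {
  cat > "$BRO_ETC_DIR/node.cfg" <<EOF
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=$BRO_IFACE
EOF
}

# pfSense: broctl settings, written verbatim (quoted heredoc, no expansion).
# Review notes: MinDiskSpace = 0 turns off broctl's free-space warning and
# LogExpireInterval = 0 never expires rotated logs under LogDir, so local
# disk usage on the firewall grows until someone prunes it; set a non-zero
# expiry or monitor the partition.
write_broctl_cfg() {
  cat > "$BRO_ETC_DIR/broctl.cfg" <<'EOF'
MailTo = root@localhost
MailConnectionSummary = 0
MinDiskSpace = 0
MailHostUpDown = 0
LogRotationInterval = 3600
LogExpireInterval = 0
StatsLogEnable = 1
StatsLogExpireInterval = 1
StatusCmdShowAll = 0
CrashExpireInterval = 1
SitePolicyScripts = local.bro
LogDir = /usr/local/logs
SpoolDir = /usr/local/spool
CfgDir = /usr/local/etc
EOF
}

# pfSense: the whole install stage. Fails early if the plugin tarball copied
# from the build host is missing instead of letting tar fail halfway through.
install_pfsense() {
  [ -f "$PLUGIN_TGZ" ] || die "plugin tarball '$PLUGIN_TGZ' not found; copy it from the build host first"
  install_packages
  mkdir -p "$BRO_PLUGIN_DIR"
  tar xzf "$PLUGIN_TGZ" -C "$BRO_PLUGIN_DIR"
  write_local_bro
  write_node_cfg
  write_broctl_cfg
  # Validates the configuration only; it does not deploy or start Bro.
  broctl check
}

main() {
  stage=${1:-all}
  case "$stage" in
    build)
      build_bro
      build_plugin
      ;;
    install)
      install_pfsense
      ;;
    all)
      build_bro
      build_plugin
      install_pfsense
      ;;
    *)
      die "usage: ${0##*/} [build|install|all]"
      ;;
  esac
}

main "$@"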