From 0c654073887931faef4f160d530fe156ff300f0a Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Mon, 3 May 2021 20:47:08 -0400
Subject: [PATCH] filebeat

---
 scripts/services/Mistborn-scirius.service | 4 ++++
 scripts/services/Mistborn-wazuh.service | 3 +--
 .../services/scirius/files/filebeat.docker.yml | 17 +++++++++++++++++
 scripts/services/scirius/init.sh | 4 ++++
 scripts/services/scirius/suricata_start.sh | 4 ++++
 scripts/services/scirius/suricata_stop.sh | 4 ++++
 6 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 scripts/services/scirius/files/filebeat.docker.yml
 create mode 100755 scripts/services/scirius/suricata_start.sh
 create mode 100755 scripts/services/scirius/suricata_stop.sh

diff --git a/scripts/services/Mistborn-scirius.service b/scripts/services/Mistborn-scirius.service
index 3ae3c33..7c9a274 100644
--- a/scripts/services/Mistborn-scirius.service
+++ b/scripts/services/Mistborn-scirius.service
@@ -15,9 +15,13 @@ ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-co
 # Start container when unit is started
 ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
+# Suricata
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
+
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
 # Post stop
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
 [Install]
 WantedBy=Mistborn-base.service
diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index 13fedeb..ca8354e 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
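Review bot: The new start hook is strict (`ExecStartPost=` with no `-`) while the wazuh unit in this same patch tolerates its start hook failing (`ExecStartPost=-...agent_start.sh`), so a Suricata start failure on the host now fails Mistborn-scirius.service as a whole, whereas the matching stop hook is tolerant. If that asymmetry is intended, say so where the hook is declared, e.g. `# Suricata on the host is required: a failed start fails this unit`. The hook runs through mistborn_docker.sh with `scirius` as its first argument, and that wrapper is not in the patch, so whether the script ends up running with the privileges `systemctl start`/`enable` need cannot be confirmed from this hunk. The pre-existing `# Post stop` comment now has a command under it but still does not say what it does; `# Post stop: stop host Suricata once the stack is down (failure tolerated)` would make the intent readable.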
@@ -18,9 +18,8 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
 # Stop container when unit is stopped
-ExecStop=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
-
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 [Install]
 WantedBy=Mistborn-base.service
diff --git a/scripts/services/scirius/files/filebeat.docker.yml b/scripts/services/scirius/files/filebeat.docker.yml
new file mode 100644
index 0000000..b7b6dc6
--- /dev/null
+++ b/scripts/services/scirius/files/filebeat.docker.yml
@@ -0,0 +1,17 @@
+filebeat.config:
+  modules:
+    path: ${path.config}/modules.d/*.yml
+    reload.enabled: false
+
+filebeat.autodiscover:
+  providers:
+    - type: docker
+      hints.enabled: true
+
+processors:
+- add_cloud_metadata: ~
+
+output.elasticsearch:
+  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
+  username: '${ELASTICSEARCH_USERNAME:}'
+  password: '${ELASTICSEARCH_PASSWORD:}'
diff --git a/scripts/services/scirius/init.sh b/scripts/services/scirius/init.sh
index 281e62a..7fae11f 100755
--- a/scripts/services/scirius/init.sh
+++ b/scripts/services/scirius/init.sh
@@ -54,3 +54,7 @@ fi
 # sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
 # sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 # sudo systemctl restart rsyslog
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
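Review bot: agent_stop.sh now runs after `docker-compose ... down` instead of before it, so if that script talks to the wazuh manager container (for example to unregister the agent) it now runs against a stack that is already gone; agent_stop.sh is not in the patch, so this needs confirming. `ExecStopPost=` also runs when the unit fails or is killed, not only on a clean stop, which is a behavior change from the removed `ExecStop=-` line and worth recording next to it, e.g. `# Post stop: stop the host agent (also runs after a failed start)`.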
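Review bot: Nothing else in this patch references filebeat.docker.yml — the diffstat shows no compose file or unit change that mounts or loads it — so as committed the file is inert; if it is wired up elsewhere, that belongs in the commit message. Both credential fields default to empty (`'${ELASTICSEARCH_USERNAME:}'`, `'${ELASTICSEARCH_PASSWORD:}'`) and the output has no `ssl` settings, so with the environment unset Filebeat ships to `elasticsearch:9200` unauthenticated over plain HTTP; either drop the empty defaults so startup fails loudly, or add `# ELASTICSEARCH_USERNAME/PASSWORD must be supplied by the container environment` above the output section. `add_cloud_metadata` also contacts cloud-provider metadata endpoints at startup, which on a self-hosted box only adds startup delay and can be removed if Mistborn is not cloud-hosted.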
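Review bot: `IFACE` is used unchecked: when there is no default IPv4 route, `ip -o -4 route show to default` prints nothing, IFACE is empty, and both `sed` calls rewrite every `eth0` to an empty string, silently leaving Suricata with no capture interface. Guard it before the edits: `[ -n "$IFACE" ] || { echo "no default route found; not editing suricata config" >&2; exit 1; }`. The substitution is unanchored (`s/eth0/.../g`), so it also touches any other occurrence of that string in the two files, and the step is not re-runnable once the `eth0` placeholder is gone after the first pass. If the host package installs the config as `suricata.yaml` rather than `suricata.yml`, `sed -i` fails on a missing file — worth confirming against the target distribution. The enclosing script starts outside the hunk, so whether `set -e` is in effect cannot be seen here.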
diff --git a/scripts/services/scirius/suricata_start.sh b/scripts/services/scirius/suricata_start.sh
new file mode 100755
index 0000000..c23b06b
--- /dev/null
+++ b/scripts/services/scirius/suricata_start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
\ No newline at end of file
diff --git a/scripts/services/scirius/suricata_stop.sh b/scripts/services/scirius/suricata_stop.sh
new file mode 100755
index 0000000..870b0f5
--- /dev/null
+++ b/scripts/services/scirius/suricata_stop.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata
\ No newline at end of file
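Review bot: suricata_start.sh's exit status is that of its last command only, so a failed `systemctl start suricata` is hidden whenever `systemctl enable suricata` succeeds, and the strict `ExecStartPost=` in Mistborn-scirius.service then reports the unit healthy with Suricata not running; suricata_stop.sh has the same shape. Add `set -eu` after the shebang in both scripts (or use `systemctl enable --now suricata` in the start script) so the first failure propagates. Enabling on every unit start and disabling on every unit stop also flips the host's boot-time policy for suricata.service each time the container unit stops, including at shutdown; if the intent is only to follow the Mistborn unit's lifecycle, `systemctl start` / `systemctl stop` alone do that without touching enablement. Both files are also missing a trailing newline.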