From 67b9489709ac97fe4052ceacad4bade1512e4581 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 6 May 2021 21:21:58 -0400
Subject: [PATCH] wazuh ids
---
 scripts/services/Mistborn-wazuh.service | 4 +
 .../services/wazuh/suricata/suricata_init.sh | 96 +++++++++++++++++++
 .../services/wazuh/suricata/suricata_start.sh | 7 ++
 .../services/wazuh/suricata/suricata_stop.sh | 6 ++
 4 files changed, 113 insertions(+)
 create mode 100755 scripts/services/wazuh/suricata/suricata_init.sh
 create mode 100755 scripts/services/wazuh/suricata/suricata_start.sh
 create mode 100755 scripts/services/wazuh/suricata/suricata_stop.sh
diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index ca8354e..83acf17 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@@ -17,9 +17,13 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 # Agent install
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
+# Suricata
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
 
 [Install]
 WantedBy=Mistborn-base.service
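Review bot: The new `ExecStartPost=` line for suricata_init.sh carries no leading `-`, so any failure inside that script (an apt-get error, a host without a default route, the Wazuh API never answering its `nc -z` poll) fails the whole Mistborn-wazuh unit even though the container is already up; this mirrors the existing agent.sh line, so it may be intended, but it deserves a comment. Suggest replacing `# Suricata` with `# Suricata IDS: init installs/configures suricata and enrols this host in the "suricata" agent group (blocking; its failure aborts the unit start); start/stop only toggle the systemd service`. Because the init script runs a long, network-bound package install inside the unit's start phase, also check that the unit's `TimeoutStartSec=` (not visible in this hunk) allows for it.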
diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
new file mode 100755
index 0000000..73c6fe3
--- /dev/null
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -e
+
+# detect if suricata is installed
+if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
+ echo "Suricata Installed"
+ exit 0
+fi
+
+source /opt/mistborn/scripts/subinstallers/platform.sh
+
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+ libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+ make libmagic-dev libjansson-dev
+
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+# libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+# libcap-ng-dev libcap-ng0 make libmagic-dev \
+# libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+# python-yaml rustc cargo
+
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \
+ libnetfilter-log-dev libnetfilter-log1 \
+ libnfnetlink-dev libnfnetlink0
+
+
+if [ "$DISTRO" == "ubuntu" ]; then
+ echo "Installing Suricata Ubuntu PPA"
+ sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+ sudo -E apt-get update
+ sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+ # retrieve version codename
+ source /etc/os-release
+ echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+ sudo -E tee /etc/apt/sources.list.d/backports.list
+ sudo -E apt-get update
+ sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+ echo "Basic Suricata installation"
+ sudo -E apt-get install -y suricata
+fi
+
+# # iptables
+# sudo iptables -A INPUT -j NFQUEUE
+# sudo iptables -I FORWARD -j NFQUEUE
+# sudo iptables -I OUTPUT -j NFQUEUE
+
+# # rsyslog to create /var/log/suricata.log
+# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+# sudo systemctl restart rsyslog
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+systemctl restart suricata
+
+# wait for service to be listening
+while ! nc -z 10.2.3.1 55000; do
+ WAIT_TIME=10
+ echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
+ sleep ${WAIT_TIME}
+done
+
+# set working directory to mistborn for docker-compose
+pushd .
+cd /opt/mistborn
+
+# ensure group exists
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
+
+# add this host to group
+WAZUH_ID=$(sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
+
+# write agent.conf
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
+
+
+ json
+ /var/log/suricata/eve.json
+
+
+EOF
+"
+
+# restart manager
+sudo docker-compose -f extra/wazuh.yml restart wazuh
+
+popd
diff --git a/scripts/services/wazuh/suricata/suricata_start.sh b/scripts/services/wazuh/suricata/suricata_start.sh
new file mode 100755
index 0000000..08803fc
--- /dev/null
+++ b/scripts/services/wazuh/suricata/suricata_start.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
+
+#apt-get install -y python-pyinotify
+#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &
\ No newline at end of file
diff --git a/scripts/services/wazuh/suricata/suricata_stop.sh b/scripts/services/wazuh/suricata/suricata_stop.sh
new file mode 100755
index 0000000..9cd5ba3
--- /dev/null
+++ b/scripts/services/wazuh/suricata/suricata_stop.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata
+
+#kill $(pgrep -f suri_reloader) 2>/dev/null
\ No newline at end of file
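Review bot: The `WAZUH_ID=$(… | grep $(hostname) | …)` lookup in suricata_init.sh matches the hostname as an unquoted, unanchored substring of every `manage_agents -l` line, so a host named `web` also collects the ID of `web2` (WAZUH_ID then holds several IDs), and because the pipeline ends in `tr` an empty result passes `set -e` and reaches `agent_groups -a -i ${WAZUH_ID} -g suricata` with no ID at all. Anchor the match on the agent name field and fail closed when nothing is found, e.g. `grep -F -- " $(hostname),"` (confirm the exact `Name:` formatting that manage_agents prints before relying on the trailing comma) followed by `[[ -n "$WAZUH_ID" ]] || { echo "no Wazuh agent registered for $(hostname)" >&2; exit 1; }`. The same fail-closed check is missing after `IFACE=$(ip -o -4 route show to default | …)`: on a host with no default route the two `sed -i "s/eth0/${IFACE}/g"` lines silently delete the interface name from suricata.yaml and /etc/default/suricata instead of aborting. The `while ! nc -z 10.2.3.1 55000` loop has no upper bound, and since this script is wired in as an `ExecStartPost=` without a leading `-`, a Wazuh API that never comes up keeps the unit in its start phase until systemd's start timeout (if any) gives up; a bounded retry count with a clear error message would make that failure visible in the journal.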