wazuh ids

scripts/services/Mistborn-wazuh.service

@@ -17,9 +17,13 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 # Agent install
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
+# Suricata
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
 
 [Install]
 WantedBy=Mistborn-base.service

scripts/services/wazuh/suricata/suricata_init.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -e
+
+# detect if suricata is installed
+if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
+    echo "Suricata Installed"
+    exit 0
+fi
+
+source /opt/mistborn/scripts/subinstallers/platform.sh
+
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
+                libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+                make libmagic-dev libjansson-dev
+
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
+#                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+#                libcap-ng-dev libcap-ng0 make libmagic-dev         \
+#                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+#                python-yaml rustc cargo
+
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1  \
+                libnetfilter-log-dev libnetfilter-log1      \
+                libnfnetlink-dev libnfnetlink0
+
+
+if [ "$DISTRO" == "ubuntu" ]; then
+    echo "Installing Suricata Ubuntu PPA"
+    sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+    sudo -E apt-get update
+    sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+    # retrieve version codename
+    source /etc/os-release
+    echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+        sudo -E tee /etc/apt/sources.list.d/backports.list
+    sudo -E apt-get update
+    sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+    echo "Basic Suricata installation"
+    sudo -E apt-get install -y suricata
+fi
+
+# # iptables
+# sudo iptables -A INPUT -j NFQUEUE
+# sudo iptables -I FORWARD -j NFQUEUE
+# sudo iptables -I OUTPUT -j NFQUEUE
+
+# # rsyslog to create /var/log/suricata.log
+# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+# sudo systemctl restart rsyslog
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+systemctl restart suricata
+
+# wait for service to be listening
+while ! nc -z 10.2.3.1 55000; do
+    WAIT_TIME=10
+    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
+    sleep ${WAIT_TIME}
+done
+
+# set working directory to mistborn for docker-compose
+pushd .
+cd /opt/mistborn
+
+# ensure group exists
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
+
+# add this host to group
+WAZUH_ID=$(sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
+
+# write agent.conf
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
+<agent_config>
+    <localfile>
+        <log_format>json</log_format>
+        <location>/var/log/suricata/eve.json</location>
+    </localfile>
+</agent_config>
+EOF
+"
+
+# restart manager
+sudo docker-compose -f extra/wazuh.yml restart wazuh
+
+popd

scripts/services/wazuh/suricata/suricata_start.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
+
+#apt-get install -y python-pyinotify
+#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &

scripts/services/wazuh/suricata/suricata_stop.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata
+
+#kill $(pgrep -f suri_reloader) 2>/dev/null