Merge branch '135-wazuh-ids' into 'master'

Resolve "Adding Suricata" Closes #135 See merge request cyber5k/mistborn!82
5 years ago · d289abaa4b
6 changed files with 158 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -39,7 +39,10 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
				@@ -39,7 +39,10 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
 - [Pi-hole](https://pi-hole.net): A DNS server for network-wide ad blocking, etc
 - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
 - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
+
+These tools can be turned on from the Mistborn Security Operations Center:
 - [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
+- [Suricata](https://suricata-ids.org/): Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

 Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers:
 - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first
@ -117,6 +120,8 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/
				@@ -117,6 +120,8 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/

 The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself.

+Mistborn's Wazuh installs and integrates with Suricata running on Mistborn with logs ingested into Wazuh.
+
 ![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png)

 The Wazuh Kibana plugin leverages the power of Elasticsearch:
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@ -7,6 +7,7 @@ PartOf=Mistborn-base.service
				@@ -7,6 +7,7 @@ PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
+TimeoutStartSec=600
 User=root
 Group=docker
 PermissionsStartOnly=true
@ -17,8 +18,12 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
				@@ -17,8 +18,12 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 # Agent install
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
+# Suricata
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh

 [Install]
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@ -0,0 +1,129 @@
				@@ -0,0 +1,129 @@
+#!/bin/bash
+
+set -e
+
+# detect if suricata is installed
+if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
+    echo "Suricata Installed"
+    exit 0
+fi
+
+source /opt/mistborn/scripts/subinstallers/platform.sh
+
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
+                libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+                make libmagic-dev libjansson-dev jq wget
+
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
+#                libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+#                libcap-ng-dev libcap-ng0 make libmagic-dev         \
+#                libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+#                python-yaml rustc cargo
+
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1  \
+                libnetfilter-log-dev libnetfilter-log1      \
+                libnfnetlink-dev libnfnetlink0
+
+
+if [ "$DISTRO" == "ubuntu" ]; then
+    echo "Installing Suricata Ubuntu PPA"
+    sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+    sudo -E apt-get update
+    sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+    # retrieve version codename
+    source /etc/os-release
+    echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+        sudo -E tee /etc/apt/sources.list.d/backports.list
+    sudo -E apt-get update
+    sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+    echo "Basic Suricata installation"
+    sudo -E apt-get install -y suricata
+fi
+
+# # iptables
+# sudo iptables -A INPUT -j NFQUEUE
+# sudo iptables -I FORWARD -j NFQUEUE
+# sudo iptables -I OUTPUT -j NFQUEUE
+
+# # rsyslog to create /var/log/suricata.log
+# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+# sudo systemctl restart rsyslog
+
+# rules
+pushd .
+cd /tmp
+wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
+tar zxvf emerging.rules.tar.gz
+sudo -E rm /etc/suricata/rules/* -f
+sudo -E mv rules/*.rules /etc/suricata/rules/
+popd
+
+# suricata yaml
+sudo -E rm -f /etc/suricata/suricata.yaml
+sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+#systemctl restart suricata
+
+# wait for service to be listening
+while ! nc -z 10.2.3.1 55000; do
+    WAIT_TIME=10
+    echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
+    sleep ${WAIT_TIME}
+done
+
+# set working directory to mistborn for docker-compose
+pushd .
+cd /opt/mistborn
+
+# ensure group exists
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
+
+# add this host to group
+WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
+
+# write agent.conf
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
+<agent_config>
+    <localfile>
+        <log_format>json</log_format>
+        <location>/var/log/suricata/eve.json</location>
+    </localfile>
+</agent_config>
+EOF
+"
+
+# restart manager
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh
+
+popd
+
+# suricata-update
+sudo -E apt install python3-pip
+sudo -E pip3 install pyyaml
+sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip
+
+sudo -E pip3 install --pre --upgrade suricata-update
+
+# sudo -E suricata-update enable-source oisf/trafficid
+# sudo -E suricata-update enable-source etnetera/aggressive
+# sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist
+# sudo -E suricata-update enable-source et/open
+# sudo -E suricata-update enable-source tgreen/hunting
+# sudo -E suricata-update enable-source sslbl/ja3-fingerprints
+# sudo -E suricata-update enable-source ptresearch/attackdetection
+
+sudo -E suricata-update
+
+sudo systemctl daemon-reload
+sudo systemctl restart suricata
--- a/scripts/services/wazuh/suricata/suricata_start.sh
+++ b/scripts/services/wazuh/suricata/suricata_start.sh
@ -0,0 +1,7 @@
				@@ -0,0 +1,7 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
+
+#apt-get install -y python-pyinotify
+#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &
--- a/scripts/services/wazuh/suricata/suricata_stop.sh
+++ b/scripts/services/wazuh/suricata/suricata_stop.sh
@ -0,0 +1,6 @@
				@@ -0,0 +1,6 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata
+
+#kill $(pgrep -f suri_reloader) 2>/dev/null
--- a/scripts/wrappers/mistborn_docker.sh
+++ b/scripts/wrappers/mistborn_docker.sh
@ -37,6 +37,12 @@ for SERVICE in "${SERVICES_ARRAY[@]}"; do
				@@ -37,6 +37,12 @@ for SERVICE in "${SERVICES_ARRAY[@]}"; do
    fi
 done

+# check that netcat exists
+if ! [ -x "$(command -v nc)" ]; then
+    echo "Installing netcat"
+    sudo apt-get install -y netcat
+fi
+
 # ensure base is up and listening
 echo "Checking that Mistborn-base has finished starting up..."