From 67b9489709ac97fe4052ceacad4bade1512e4581 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 6 May 2021 21:21:58 -0400
Subject: [PATCH 01/13] wazuh ids

---
 scripts/services/Mistborn-wazuh.service | 4 +
 .../services/wazuh/suricata/suricata_init.sh | 96 +++++++++++++++++++
 .../services/wazuh/suricata/suricata_start.sh | 7 ++
 .../services/wazuh/suricata/suricata_stop.sh | 6 ++
 4 files changed, 113 insertions(+)
 create mode 100755 scripts/services/wazuh/suricata/suricata_init.sh
 create mode 100755 scripts/services/wazuh/suricata/suricata_start.sh
 create mode 100755 scripts/services/wazuh/suricata/suricata_stop.sh

diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index ca8354e..83acf17 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@@ -17,9 +17,13 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 # Agent install
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
+# Suricata
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
 
 [Install]
 WantedBy=Mistborn-base.service
diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
new file mode 100755
index 0000000..73c6fe3
--- /dev/null
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+set -e
+
+# detect if suricata is installed
+if [[ $(dpkg-query -W -f='${Status}' suricata 2>/dev/null | grep -c "ok installed") -eq 1 ]]; then
+ echo "Suricata Installed"
+ exit 0
+fi
+
+source /opt/mistborn/scripts/subinstallers/platform.sh
+
+# minimal dependencies
+sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+ libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+ make libmagic-dev libjansson-dev
+
+## recommended dependencies
+#sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
+# libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
+# libcap-ng-dev libcap-ng0 make libmagic-dev \
+# libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
+# python-yaml rustc cargo
+
+# iptables/nftables integration
+sudo -E apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 \
+ libnetfilter-log-dev libnetfilter-log1 \
+ libnfnetlink-dev libnfnetlink0
+
+
+if [ "$DISTRO" == "ubuntu" ]; then
+ echo "Installing Suricata Ubuntu PPA"
+ sudo -E add-apt-repository -y ppa:oisf/suricata-stable
+ sudo -E apt-get update
+ sudo -E apt-get install -y suricata
+elif [ "$DISTRO" == "debian" ]; then
+ # retrieve version codename
+ source /etc/os-release
+ echo "deb http://http.debian.net/debian $VERSION_CODENAME-backports main" | \
+ sudo -E tee /etc/apt/sources.list.d/backports.list
+ sudo -E apt-get update
+ sudo -E apt-get install -y suricata -t ${VERSION_CODENAME}-backports
+else
+ echo "Basic Suricata installation"
+ sudo -E apt-get install -y suricata
+fi
+
+# # iptables
+# sudo iptables -A INPUT -j NFQUEUE
+# sudo iptables -I FORWARD -j NFQUEUE
+# sudo iptables -I OUTPUT -j NFQUEUE
+
+# # rsyslog to create /var/log/suricata.log
+# sudo cp ./scripts/conf/20-suricata.conf /etc/rsyslog.d/
+# sudo chown root:root /etc/rsyslog.d/20-suricata.conf
+# sudo systemctl restart rsyslog
+
+IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
+sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
+sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+systemctl restart suricata
+
+# wait for service to be listening
+while ! nc -z 10.2.3.1 55000; do
+ WAIT_TIME=10
+ echo "Waiting ${WAIT_TIME} seconds for Wazuh API..."
+ sleep ${WAIT_TIME}
+done
+
+# set working directory to mistborn for docker-compose
+pushd .
+cd /opt/mistborn
+
+# ensure group exists
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
+
+# add this host to group
+WAZUH_ID=$(sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
+
+# write agent.conf
+sudo docker-compose -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
+
+
+ json
+ /var/log/suricata/eve.json
+
+
+EOF
+"
+
+# restart manager
+sudo docker-compose -f extra/wazuh.yml restart wazuh
+
+popd
diff --git a/scripts/services/wazuh/suricata/suricata_start.sh b/scripts/services/wazuh/suricata/suricata_start.sh
new file mode 100755
index 0000000..08803fc
--- /dev/null
+++ b/scripts/services/wazuh/suricata/suricata_start.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+systemctl start suricata
+systemctl enable suricata
+
+#apt-get install -y python-pyinotify
+#python /opt/mistborn/scripts/services/scirius/suri_reloader -p /etc/suricata/rules &
\ No newline at end of file
diff --git a/scripts/services/wazuh/suricata/suricata_stop.sh b/scripts/services/wazuh/suricata/suricata_stop.sh
new file mode 100755
index 0000000..9cd5ba3
--- /dev/null
+++ b/scripts/services/wazuh/suricata/suricata_stop.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+systemctl stop suricata
+systemctl disable suricata
+
+#kill $(pgrep -f suri_reloader) 2>/dev/null
\ No newline at end of file
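Review bot: The agent lookup `WAZUH_ID=$(... | grep $(hostname) | awk '{print $2}' | tr -d ',')` in suricata_init.sh is an unanchored substring match on an unquoted `$(hostname)`, so a second agent whose name contains this host's name yields several ids, and no match yields an empty string; the following `agent_groups -a -i ${WAZUH_ID}` then assigns the wrong agent to the suricata group or runs with an empty id. Validate the result before using it, e.g. `[[ "$WAZUH_ID" =~ ^[0-9]+$ ]] || { echo "no unique Wazuh agent id for $(hostname)" >&2; exit 1; }`. The same lookup is carried forward unchanged by the patch 07 hunk. `IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')` has the same shape: with no default route it is empty and `sed -i "s/eth0/${IFACE}/g"` blanks the interface name in both config files, so `[[ -n "$IFACE" ]] || { echo "no default route interface found" >&2; exit 1; }` belongs before the two sed calls.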
From 99fccaa33a4bc48b4689f742f74b72ab513e4197 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 6 May 2021 21:23:05 -0400
Subject: [PATCH 02/13] reorder

---
 scripts/services/Mistborn-wazuh.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index 83acf17..444dc4c 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@@ -22,8 +22,8 @@ ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistb
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
-ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 
 [Install]
 WantedBy=Mistborn-base.service

From 85969bc1ea685f8548dcc90d7ea26a8575f7f3b4 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 6 May 2021 21:40:21 -0400
Subject: [PATCH 03/13] suricata-update

---
 scripts/services/Mistborn-wazuh.service | 1 +
 .../services/wazuh/suricata/suricata_init.sh | 21 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index 444dc4c..8f1f7fb 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@@ -7,6 +7,7 @@ PartOf=Mistborn-base.service
 [Service]
 Restart=always
 RestartSec=15
+TimeoutStartSec=600
 User=root
 Group=docker
 PermissionsStartOnly=true
diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
index 73c6fe3..f95dccf 100755
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@@ -59,7 +59,7 @@ IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
 sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
 sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
 
-systemctl restart suricata
+#systemctl restart suricata
 
 # wait for service to be listening
 while ! nc -z 10.2.3.1 55000; do
@@ -94,3 +94,22 @@ EOF
 sudo docker-compose -f extra/wazuh.yml restart wazuh
 
 popd
+
+# suricata-update
+apt install python3-pip
+pip3 install pyyaml
+pip3 install https://github.com/OISF/suricata-update/archive/master.zip
+
+pip3 install --pre --upgrade suricata-update
+
+suricata-update enable-source oisf/trafficid
+suricata-update enable-source etnetera/aggressive
+suricata-update enable-source sslbl/ssl-fp-blacklist
+suricata-update enable-source et/open
+suricata-update enable-source tgreen/hunting
+suricata-update enable-source sslbl/ja3-fingerprints
+suricata-update enable-source ptresearch/attackdetection
+
+suricata-update
+
+systemctl restart suricata
\ No newline at end of file

From 21aae692874c5c30284e1805b684e5cbcdbdf47e Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 6 May 2021 21:49:52 -0400
Subject: [PATCH 04/13] sudo

---
 .../services/wazuh/suricata/suricata_init.sh | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
index f95dccf..aa0a667 100755
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
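Review bot: `apt install python3-pip` in the second hunk has no `-y`; when the script runs from the unit with no terminal, apt reads EOF at its confirmation prompt and aborts, and with `set -e` that ends the script before suricata-update is ever installed (the patch 04 hunk keeps the same line, only prefixed with `sudo -E`). Use `apt-get install -y python3-pip`. The `pip3 install https://github.com/OISF/suricata-update/archive/master.zip` line installs an unpinned, unverified snapshot of a moving branch as root and is immediately superseded by the `pip3 install --pre --upgrade suricata-update` line below it, so it should be dropped, and that second line should pin a released version rather than pull pre-releases, since whatever it fetches decides which rules the IDS loads.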
@@ -96,20 +96,20 @@ sudo docker-compose -f extra/wazuh.yml restart wazuh
 popd
 
 # suricata-update
-apt install python3-pip
-pip3 install pyyaml
-pip3 install https://github.com/OISF/suricata-update/archive/master.zip
+sudo -E apt install python3-pip
+sudo -E pip3 install pyyaml
+sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip
 
-pip3 install --pre --upgrade suricata-update
+sudo -E pip3 install --pre --upgrade suricata-update
 
-suricata-update enable-source oisf/trafficid
-suricata-update enable-source etnetera/aggressive
-suricata-update enable-source sslbl/ssl-fp-blacklist
-suricata-update enable-source et/open
-suricata-update enable-source tgreen/hunting
-suricata-update enable-source sslbl/ja3-fingerprints
-suricata-update enable-source ptresearch/attackdetection
+sudo -E suricata-update enable-source oisf/trafficid
+sudo -E suricata-update enable-source etnetera/aggressive
+sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist
+sudo -E suricata-update enable-source et/open
+sudo -E suricata-update enable-source tgreen/hunting
+sudo -E suricata-update enable-source sslbl/ja3-fingerprints
+sudo -E suricata-update enable-source ptresearch/attackdetection
 
-suricata-update
+sudo -E suricata-update
 
-systemctl restart suricata
\ No newline at end of file
+sudo systemctl restart suricata
\ No newline at end of file

From 7fc0bb3fc0080db02d9b23a10dd620ecfe2f2dff Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 10:03:19 -0400
Subject: [PATCH 05/13] netcat

---
 scripts/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/install.sh b/scripts/install.sh
index 0924e86..30539cc 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -125,7 +125,7 @@ sudo systemctl enable ssh
 sudo systemctl restart ssh
 
 # Additional tools fail2ban
-sudo -E apt-get install -y dnsutils fail2ban
+sudo -E apt-get install -y dnsutils fail2ban netcat
 
 # Install kernel headers
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then

From 054de948592ce94a97b22e4715017c4414811f0c Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 10:09:09 -0400
Subject: [PATCH 06/13] check netcat

---
 scripts/install.sh | 2 +-
 scripts/wrappers/mistborn_docker.sh | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/install.sh b/scripts/install.sh
index 30539cc..0924e86 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -125,7 +125,7 @@ sudo systemctl enable ssh
 sudo systemctl restart ssh
 
 # Additional tools fail2ban
-sudo -E apt-get install -y dnsutils fail2ban netcat
+sudo -E apt-get install -y dnsutils fail2ban
 
 # Install kernel headers
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh
index a5fa403..fa918e9 100755
--- a/scripts/wrappers/mistborn_docker.sh
+++ b/scripts/wrappers/mistborn_docker.sh
@@ -37,6 +37,12 @@ for SERVICE in "${SERVICES_ARRAY[@]}"; do
 fi
 done
 
+# check that netcat exists
+if ! [ -x "$(command -v nc)" ]; then
+ echo "Installing netcat"
+ sudo apt-get install -y netcat
+fi
+
 # ensure base is up and listening
 echo "Checking that Mistborn-base has finished starting up..."
 

From ce44b04f573c0c98cddf7965c6370d449b003a6e Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 10:36:12 -0400
Subject: [PATCH 07/13] env file

---
 scripts/services/wazuh/suricata/suricata_init.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
index aa0a667..a6578ac 100755
--- a/scripts/services/wazuh/suricata/suricata_init.sh
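Review bot: In the mistborn_docker.sh hunk the fallback `sudo apt-get install -y netcat` is unchecked, so when the package install fails (no network yet, stale index) the wrapper continues into the nc-based readiness check below, whose failure then looks like a Mistborn-base startup problem rather than a missing tool; I cannot see from the hunk whether the wrapper runs under `set -e`. Suggest `sudo apt-get install -y netcat || { echo "netcat install failed" >&2; exit 1; }`. The wrapper's remaining logic continues outside the hunk.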
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@@ -73,14 +73,14 @@ pushd .
 cd /opt/mistborn
 
 # ensure group exists
-sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -g suricata -q 2>/dev/null
 
 # add this host to group
-WAZUH_ID=$(sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
-sudo docker-compose -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
+WAZUH_ID=$(sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/manage_agents -l | egrep ^\ *ID | grep $(hostname) | awk '{print $2}' | tr -d ',')
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh /var/ossec/bin/agent_groups -a -i ${WAZUH_ID} -g suricata -q
 
 # write agent.conf
-sudo docker-compose -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml exec -T wazuh bash -c "cat > /var/ossec/etc/shared/suricata/agent.conf << EOF
 
 
 json
@@ -91,7 +91,7 @@ EOF
 "
 
 # restart manager
-sudo docker-compose -f extra/wazuh.yml restart wazuh
+sudo docker-compose --env-file /opt/mistborn/.env -f extra/wazuh.yml restart wazuh
 
 popd
 

From fe994a3ac9da5afd98557e039e119d9e4d2c5a4c Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 10:47:06 -0400
Subject: [PATCH 08/13] ignore suricata error for wazuh

---
 scripts/services/Mistborn-wazuh.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index 8f1f7fb..fe019ed 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@@ -19,7 +19,7 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
 # Suricata
-ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
+ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_init.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/suricata/suricata_start.sh
 # Stop container when unit is stopped
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down

From edc09821c08fe08b5bc1bc25bb25b472b54f2df5 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 12:04:29 -0400
Subject: [PATCH 09/13] suricata.yaml

---
 scripts/services/wazuh/suricata/suricata_init.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
index a6578ac..9d14af9 100755
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@@ -13,7 +13,7 @@ source /opt/mistborn/scripts/subinstallers/platform.sh
 # minimal dependencies
 sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
 libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
- make libmagic-dev libjansson-dev
+ make libmagic-dev libjansson-dev jq wget
 
 ## recommended dependencies
 #sudo -E apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
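Review bot: Prefixing the suricata_init.sh ExecStartPost with `-` lets Mistborn-wazuh reach active while Suricata is still unconfigured, because the init failure is only visible in the journal and the suricata_start.sh ExecStartPost on the next line runs regardless; the IDS the README advertises can then be silently absent from the host. If the intent is that a Suricata problem must never block Wazuh, that trade-off deserves a comment on the line, e.g. `# '-': a Suricata init failure must not keep Wazuh from starting; check journalctl -u Mistborn-wazuh if Suricata is missing`, and suricata_start.sh should make the outcome visible with `systemctl is-active --quiet suricata || echo "suricata is not running after init" >&2`.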
@@ -55,6 +55,9 @@ fi
 # sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 # sudo systemctl restart rsyslog
 
+sudo -E rm -f /etc/suricata/suricata.yaml
+sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
+
 IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
 sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yaml
 sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
@@ -112,4 +115,5 @@ sudo -E suricata-update enable-source ptresearch/attackdetection
 
 sudo -E suricata-update
 
+sudo systemctl daemon-reload
 sudo systemctl restart suricata
\ No newline at end of file

From f50ad5fe31cc6eff2aa250a4bf89befb5b22a2c5 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 12:17:46 -0400
Subject: [PATCH 10/13] README: suricata

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 1ad2195..062d9c6 100644
--- a/README.md
+++ b/README.md
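Review bot: `sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml` in the first hunk replaces the packaged IDS configuration with a file fetched as root over cleartext HTTP from a third-party host, with no integrity check, so anyone on the path or a change on that server decides what Suricata inspects and where it logs. Vendor the file in the repository instead (the commented rsyslog block above already uses a `scripts/conf/` convention), or if it must be fetched, use https and verify it against a checksum kept in the repo before installing, e.g. `echo "<expected-sha256-placeholder>  suricata.yaml" | sha256sum -c -`. The preceding `rm -f` discards the distro config before the download is known to have succeeded; fetching to a temporary path and moving it into place only after the check avoids leaving Suricata with no configuration at all.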
@@ -40,6 +40,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
 - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
 - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
 - [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
+- [Suricata](https://suricata-ids.org/): Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
 
 Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers:
 - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first
@@ -117,6 +118,8 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/
 The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM.
 Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself.
 
+Mistborn's Wazuh installs and integrates with Suricata running on Mistborn with logs ingested into Wazuh.
+
 ![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png)
 
 The Wazuh Kibana plugin leverages the power of Elasticsearch:

From 4faa430cfbe9c988273cb2b4648d88397b84fca8 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 12:22:33 -0400
Subject: [PATCH 11/13] README

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 062d9c6..870c6ac 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,8 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur
 - [Pi-hole](https://pi-hole.net): A DNS server for network-wide ad blocking, etc
 - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered
 - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy
+
+These tools can be turned on from the Mistborn Security Operations Center:
 - [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.
 - [Suricata](https://suricata-ids.org/): Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
 

From f8c6dc41d16ca36c83fb260b20a080d44e27ba2d Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 12:34:39 -0400
Subject: [PATCH 12/13] rules

---
 scripts/services/wazuh/suricata/suricata_init.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
index 9d14af9..97cda65 100755
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
@@ -55,6 +55,16 @@ fi
 # sudo chown root:root /etc/rsyslog.d/20-suricata.conf
 # sudo systemctl restart rsyslog
 
+# rules
+pushd .
+cd /tmp
+wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
+tar zxvf emerging.rules.tar.gz
+sudo -E rm /etc/suricata/rules/* -f
+sudo -E mv rules/*.rules /etc/suricata/rules/
+popd
+
+# suricata yaml
 sudo -E rm -f /etc/suricata/suricata.yaml
 sudo -E wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
 

From e8879d07fc3910845b526eac31edd0de1a857ce8 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 7 May 2021 12:38:17 -0400
Subject: [PATCH 13/13] do not enable sources

---
 scripts/services/wazuh/suricata/suricata_init.sh | 14 +++++++------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/services/wazuh/suricata/suricata_init.sh b/scripts/services/wazuh/suricata/suricata_init.sh
index 97cda65..7937739 100755
--- a/scripts/services/wazuh/suricata/suricata_init.sh
+++ b/scripts/services/wazuh/suricata/suricata_init.sh
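Review bot: The rules block works in the shared `/tmp` with fixed names: `wget` without `-O` writes `emerging.rules.tar.gz.1` when a previous copy exists, `tar zxvf emerging.rules.tar.gz` then unpacks the old archive over a leftover `rules/` tree, and whatever is there is moved into `/etc/suricata/rules/` after `sudo -E rm /etc/suricata/rules/* -f` has emptied the live rule set. Use a private directory that is removed on exit, as below. The archive is also pinned to `suricata-4.0` while the engine installed earlier comes from the PPA or backports, so rule syntax may not match, and since the same script runs `suricata-update` further down this manual download looks redundant; worth confirming which of the two is meant to own `/etc/suricata/rules/`.
```shell
# rules
rules_tmp=$(mktemp -d) || exit 1
trap 'rm -rf -- "$rules_tmp"' EXIT
wget -O "$rules_tmp/emerging.rules.tar.gz" https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar -xzf "$rules_tmp/emerging.rules.tar.gz" -C "$rules_tmp"
sudo -E rm -f /etc/suricata/rules/*
sudo -E mv "$rules_tmp"/rules/*.rules /etc/suricata/rules/
# … unchanged: suricata yaml …
```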
@@ -115,13 +115,13 @@ sudo -E pip3 install https://github.com/OISF/suricata-update/archive/master.zip sudo -E pip3 install --pre --upgrade suricata-update -sudo -E suricata-update enable-source oisf/trafficid -sudo -E suricata-update enable-source etnetera/aggressive -sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist -sudo -E suricata-update enable-source et/open -sudo -E suricata-update enable-source tgreen/hunting -sudo -E suricata-update enable-source sslbl/ja3-fingerprints -sudo -E suricata-update enable-source ptresearch/attackdetection +# sudo -E suricata-update enable-source oisf/trafficid +# sudo -E suricata-update enable-source etnetera/aggressive +# sudo -E suricata-update enable-source sslbl/ssl-fp-blacklist +# sudo -E suricata-update enable-source et/open +# sudo -E suricata-update enable-source tgreen/hunting +# sudo -E suricata-update enable-source sslbl/ja3-fingerprints +# sudo -E suricata-update enable-source ptresearch/attackdetection sudo -E suricata-update