From 9fed54a1b33a8f0cb0685736ed6857815d1f3260 Mon Sep 17 00:00:00 2001 From: "HADES\\V1D1AN" Date: Mon, 3 Jul 2023 14:00:16 +0200 Subject: [PATCH 1/7] Change tcpreplay for replay. Zircolite starts on demand --- docker-compose-multi.yml | 33 +++++++++++---------------------- docker-compose-single.yml | 33 +++++++++++---------------------- replay/replay.sh | 12 ++++++++++++ 3 files changed, 34 insertions(+), 44 deletions(-) create mode 100644 replay/replay.sh diff --git a/docker-compose-multi.yml b/docker-compose-multi.yml index 11f782c..729b612 100644 --- a/docker-compose-multi.yml +++ b/docker-compose-multi.yml @@ -464,19 +464,26 @@ services: max-size: "10m" max-file: "3" - tcpreplay: - image: v1d1an/tcpreplay:2.0 - container_name: tcpreplay - hostname: tcpreplay + replay: + image: v1d1an/replay:1.0 + container_name: replay + hostname: replay restart: always logging: driver: "json-file" options: max-size: "10m" max-file: "3" + environment: + - ZIRCOLITE_USER=${ZIRCOLITE_USER} + - ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD} volumes: + - ./replay/replay.sh:/data/tcpreplay.sh + - zircolite:/evtx - upload:/pcap - /var/run/docker.sock:/var/run/docker.sock + networks: + - s1em file-upload: image: v1d1an/file-upload:1.1 @@ -509,24 +516,6 @@ services: networks: - s1em - zircolite: - image: docker.io/wagga40/zircolite:latest - container_name: zircolite - hostname: zircolite - restart: always - user: root - tty: true - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - volumes: - - zircolite:/case - command: "--ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog" - networks: - - s1em - zircolite-upload: image: v1d1an/file-upload:1.1 container_name: zircolite-upload diff --git a/docker-compose-single.yml b/docker-compose-single.yml index 1fe1b61..64a061c 100644 
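Review bot: `ZIRCOLITE_USER=${ZIRCOLITE_USER}` and `ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD}` in the new `environment:` block interpolate to empty strings when the variables are missing from `.env`, so the replay container comes up normally and every on-demand `docker run` of Zircolite then authenticates to es01 with blank credentials; Compose's `${VAR:?message}` form aborts `up` instead, e.g. `- ZIRCOLITE_USER=${ZIRCOLITE_USER:?set ZIRCOLITE_USER in .env}` (same for the password). The service also keeps the `/var/run/docker.sock` mount inherited from the tcpreplay definition while now holding Elasticsearch credentials and executing a bind-mounted script, which makes it host-root-equivalent; a comment above `volumes:` such as `# host Docker socket: needed to exec into suricata/zeek and to start zircolite; treat this container as host-privileged` would make that explicit for the next reader. Both points apply equally to the docker-compose-single.yml hunk at -385.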
--- a/docker-compose-single.yml +++ b/docker-compose-single.yml @@ -385,19 +385,26 @@ services: max-size: "10m" max-file: "3" - tcpreplay: - image: v1d1an/tcpreplay:2.0 - container_name: tcpreplay - hostname: tcpreplay + replay: + image: v1d1an/replay:1.0 + container_name: replay + hostname: replay restart: always logging: driver: "json-file" options: max-size: "10m" max-file: "3" + environment: + - ZIRCOLITE_USER=${ZIRCOLITE_USER} + - ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD} volumes: + - ./replay/replay.sh:/data/tcpreplay.sh + - zircolite:/evtx - upload:/pcap - /var/run/docker.sock:/var/run/docker.sock + networks: + - s1em file-upload: image: v1d1an/file-upload:1.1 @@ -430,24 +437,6 @@ services: networks: - s1em - zircolite: - image: docker.io/wagga40/zircolite:latest - container_name: zircolite - hostname: zircolite - restart: always - user: root - tty: true - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" - volumes: - - zircolite:/case - command: "--ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog" - networks: - - s1em - zircolite-upload: image: v1d1an/file-upload:1.1 container_name: zircolite-upload diff --git a/replay/replay.sh b/replay/replay.sh new file mode 100644 index 0000000..c4f5c3a --- /dev/null +++ b/replay/replay.sh 
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+/usr/bin/inotifywait -m --format '%f' -e close_write /pcap/ /evtx/ | while read FILE
+do
+ if [[ "$FILE" == *".pcap" ]]; then
+ docker exec suricata sh -c "suricata --runmode=autofp -c /etc/suricata/suricata.yaml -l /var/log/suricata -r /pcap/$FILE";
+ docker exec zeek sh -c "zeek -C local -r /pcap/$FILE";
+ rm -fr /pcap/$FILE;
+ elif [[ "$FILE" == *".evtx" ]]; then
+ docker run --rm --name zircolite --network s1em_s1em -v s1em_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog;
+ fi
+done;
\ No newline at end of file
From f465ff532b07ea382e5f3f6d1d9a12148ed15780 Mon Sep 17 00:00:00 2001
From: "HADES\\V1D1AN"
Date: Mon, 3 Jul 2023 14:01:38 +0200
Subject: [PATCH 2/7] Change start tcpreplay for replay
---
 01_deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/01_deploy.sh b/01_deploy.sh
index 3dfe6d1..ede4d09 100644
--- a/01_deploy.sh
+++ b/01_deploy.sh
@@ -705,7 +705,7 @@ echo "####### STARTING OTHER DOCKER ###########"
 echo "#########################################"
 echo
 echo
-docker compose up -d fleet-server elastalert cyberchef zircolite zircolite-upload file-upload velociraptor-upload syslog-ng tcpreplay file4thehive heartbeat spiderfoot codimd watchtower
+docker compose up -d fleet-server elastalert cyberchef zircolite zircolite-upload file-upload velociraptor-upload syslog-ng replay file4thehive heartbeat spiderfoot codimd watchtower
 echo
 echo
 if [ "$cluster" == SINGLE ];
From d8d883549e92cf6821d9658c38b28fa375c2fd9d Mon Sep 17 00:00:00 2001
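Review bot: `$FILE` in the new `.pcap` branch is spliced unquoted into the strings handed to `sh -c` inside the suricata and zeek containers and into `rm -fr /pcap/$FILE`, and that name is whatever lands in the `upload` volume through the file-upload service, so a file name containing spaces or shell metacharacters is re-parsed as shell by a loop that runs next to the host Docker socket. Passing the arguments straight to `docker exec` (no `sh -c`) and quoting the path removes the re-parse, and `while IFS= read -r FILE` stops `read` from eating backslashes and leading whitespace; the rewrite is below. `docker.io/wagga40/zircolite:latest` is pulled on demand and is given write access to the shared zircolite volume (`--outfile`, `--remove-events`), so pinning it to a tag or digest would keep the deployment reproducible.

```shell
/usr/bin/inotifywait -m --format '%f' -e close_write /pcap/ /evtx/ | while IFS= read -r FILE
do
  if [[ "$FILE" == *".pcap" ]]; then
    # arguments go directly to docker exec: nothing re-parses the file name as shell
    docker exec suricata suricata --runmode=autofp -c /etc/suricata/suricata.yaml -l /var/log/suricata -r "/pcap/$FILE"
    docker exec zeek zeek -C local -r "/pcap/$FILE"
    rm -f -- "/pcap/$FILE"
  # … unchanged: .evtx branch, fi, done …
```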
From: "HADES\\V1D1AN"
Date: Mon, 3 Jul 2023 18:57:40 +0200
Subject: [PATCH 3/7] Configuration of replay for zircolite
---
 00_create_instance.sh | 6 ++----
 01_deploy.sh | 9 +++++++++
 replay/replay.sh | 2 +-
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/00_create_instance.sh b/00_create_instance.sh
index 891057f..6ec08e8 100755
--- a/00_create_instance.sh
+++ b/00_create_instance.sh
@@ -81,11 +81,9 @@ then
 rsync -r ./ $WORKDIR
 sleep 5
 cd $WORKDIR
+ echo "INSTANCE=$name" >> env.sample
 sudo bash 01_deploy.sh
 cd ..
 else
 echo "directory/instance name found, deployment stopped"
-fi
-
-
-
+fi
\ No newline at end of file
diff --git a/01_deploy.sh b/01_deploy.sh
index ede4d09..53e4525 100644
--- a/01_deploy.sh
+++ b/01_deploy.sh
@@ -701,6 +701,15 @@ curl -XPUT -sk -u$admin_account:$admin_password -H 'Content-type: application/js
 echo
 echo
 echo "#########################################"
+echo "###### CONFIGURATION DE REPLAY ##########"
+echo "#########################################"
+echo
+echo
+instance=$(grep -oP 'INSTANCE=\K.*' .env)
+sed -i "s|instance_name|$instance|g" replay/replay.sh
+echo
+echo
+echo "#########################################"
 echo "####### STARTING OTHER DOCKER ###########"
 echo "#########################################"
 echo
diff --git a/replay/replay.sh b/replay/replay.sh
index c4f5c3a..ec58fbb 100644
--- a/replay/replay.sh
+++ b/replay/replay.sh
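Review bot: The new `echo "INSTANCE=$name" >> env.sample` appends unconditionally, so if the copied env.sample already carries an `INSTANCE=` line (for instance when the script is run from an already-deployed tree) the file ends up with two values and the `grep -oP 'INSTANCE=\K.*'` that reads it back in 01_deploy.sh returns two lines. Guarding the append keeps it single-valued: `grep -q '^INSTANCE=' env.sample || echo "INSTANCE=$name" >> env.sample`. This also presumably relies on 01_deploy.sh turning env.sample into `.env` before it greps `.env`; that step is not visible here and is worth confirming. The enclosing `if` starts before this hunk.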
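Review bot: `instance=$(grep -oP 'INSTANCE=\K.*' .env)` has no failure path: when `.env` lacks the line, `$instance` is empty, the following `sed` rewrites `instance_name_s1em` and `instance_name_zircolite` in replay/replay.sh to `_s1em` and `_zircolite`, and the error only shows up later when the first `.evtx` triggers `docker run`. Failing at deploy time is cheap: `instance=$(grep -oP '^INSTANCE=\K.*' .env) || { echo "INSTANCE missing from .env" >&2; exit 1; }`. The `sed` also assumes the Compose project name equals the instance (network `<instance>_s1em`, volume `<instance>_zircolite`), which presumably holds because the instance directory is the Compose project directory — a one-line comment above the `sed` stating that assumption would help whoever renames things next. Minor: the banner `CONFIGURATION DE REPLAY` is the only French heading among the English ones in this file.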
@@ -7,6 +7,6 @@ do
 docker exec zeek sh -c "zeek -C local -r /pcap/$FILE";
 rm -fr /pcap/$FILE;
 elif [[ "$FILE" == *".evtx" ]]; then
- docker run --rm --name zircolite --network s1em_s1em -v s1em_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog;
+ docker run --rm --name zircolite --network instance_name_s1em -v instance_name_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog;
 fi
 done;
\ No newline at end of file
From 52298263474bfa6ed026461f7773f2c007f79046 Mon Sep 17 00:00:00 2001
From: "HADES\\V1D1AN"
Date: Mon, 3 Jul 2023 19:28:45 +0200
Subject: [PATCH 4/7] Correction bug
---
 docker-compose-multi.yml | 2 +-
 docker-compose-single.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose-multi.yml b/docker-compose-multi.yml
index 729b612..d087a7a 100644
--- a/docker-compose-multi.yml
+++ b/docker-compose-multi.yml
@@ -478,7 +478,7 @@ services:
 - ZIRCOLITE_USER=${ZIRCOLITE_USER}
 - ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD}
 volumes:
- - ./replay/replay.sh:/data/tcpreplay.sh
+ - ./replay/replay.sh:/data/replay.sh
 - zircolite:/evtx
 - upload:/pcap
 - /var/run/docker.sock:/var/run/docker.sock
diff --git a/docker-compose-single.yml b/docker-compose-single.yml
index 64a061c..51621cf 100644
--- a/docker-compose-single.yml
+++ b/docker-compose-single.yml
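Review bot: The `instance_name` placeholder in the new `docker run` line means 01_deploy.sh edits a tracked script in place, so after deployment `git status` shows replay/replay.sh as modified and a later `git pull` can conflict on it; since the replay service already gets its settings through `environment:`, exporting the instance there as well (e.g. `- INSTANCE=${INSTANCE}`) and writing `--network "${INSTANCE}_s1em" -v "${INSTANCE}_zircolite:/case/"` would make the sed step unnecessary. Separately, `--index 'zircolite-whatever'` differs from the `--index 'zircolite'` used by the compose service this script replaces, so any saved searches or rules bound to the old index stop seeing forwarded detections; if the new name is intentional a comment saying so would prevent it from being "fixed" back. The loop body starts before this hunk.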
@@ -399,7 +399,7 @@ services:
 - ZIRCOLITE_USER=${ZIRCOLITE_USER}
 - ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD}
 volumes:
- - ./replay/replay.sh:/data/tcpreplay.sh
+ - ./replay/replay.sh:/data/replay.sh
 - zircolite:/evtx
 - upload:/pcap
 - /var/run/docker.sock:/var/run/docker.sock
From db394ccf4dc3fdcf9bff48246827c4061a31060a Mon Sep 17 00:00:00 2001
From: "HADES\\V1D1AN"
Date: Mon, 3 Jul 2023 19:57:21 +0200
Subject: [PATCH 5/7] Suppression of zircolite on 01_deploy.sh
---
 01_deploy.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/01_deploy.sh b/01_deploy.sh
index 53e4525..f7d9311 100644
--- a/01_deploy.sh
+++ b/01_deploy.sh
@@ -37,9 +37,9 @@ sed -i "s|n8n_account|$admin_account|g" .env
 sed -i "s|zircolite_account|$admin_account|g" .env
 echo
 while true; do
- read -s -p "Password (Must be a password with at least 6 characters): " admin_password
+ read -s -p "Password (Must be a password with at least 6 characters):" admin_password
 echo
- read -s -p "Password (again): " admin_password2
+ read -s -p "Password (again):" admin_password2
 echo
 [ "$admin_password" = "$admin_password2" ] && break
 echo "Please try again"
@@ -77,7 +77,7 @@ echo "##########################################"
 echo
 echo
 while true; do
- read -r -p "Do you want use 1 node elasticsearch (Single) or 3 nodes elasticsearch (Multi) [S/M] ?" cluster
+ read -r -p "Do you want use 1 node elasticsearch (Single) or 3 nodes elasticsearch (Multi) [S/M]?" cluster
 case $cluster in
 [Ss]) cluster=SINGLE; break;;
 [Mm]) cluster=MULTI; break;;
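Review bot: The only change in the -37, -77, -110, -130 and -140 hunks is dropping the space that separated each prompt from the typed answer (`"Password (again):"`), so for the `read -p` prompts without `-s` the user's input now runs straight into the colon, and none of this relates to the commit's stated subject of removing zircolite from 01_deploy.sh. If the cosmetic change is wanted it reads better as its own commit; otherwise `": "` is the usual shell prompt convention and is worth keeping. The `while` loop in the -37 hunk closes outside the hunk.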
@@ -110,15 +110,15 @@ then
 fi
 if [ "$cluster" == SINGLE ];
 then
- read -p "Enter the RAM in Go of node elasticsearch [2]: " master_node
+ read -p "Enter the RAM in Go of node elasticsearch [2]:" master_node
 master_node=${master_node:-2}
 sed -i "s|RAM_MASTER|$master_node|g" docker-compose.yml
 elif [ "$cluster" == MULTI ];
 then
- read -p "Enter the RAM in Go of master node elasticsearch [2]: " master_node
+ read -p "Enter the RAM in Go of master node elasticsearch [2]:" master_node
 master_node=${master_node:-2}
 sed -i "s|RAM_MASTER|$master_node|g" docker-compose.yml
- read -p "Enter the RAM in Go of data,ingest node elasticsearch [4]: " data_node
+ read -p "Enter the RAM in Go of data,ingest node elasticsearch [4]:" data_node
 data_node=${data_node:-4}
 sed -i "s|RAM_DATA|$data_node|g" docker-compose.yml
 fi
@@ -130,7 +130,7 @@ echo "########## CONFIGURING THEHIVE ###########"
 echo "##########################################"
 echo
 echo
-read -p "Enter the RAM in Go of TheHive [1]: " ram_thehive
+read -p "Enter the RAM in Go of TheHive [1]:" ram_thehive
 ram_thehive=${ram_thehive:-1}
 sed -i "s|RAM_THEHIVE|$ram_thehive|g" docker-compose.yml
 echo
@@ -140,7 +140,7 @@ echo "########### CONFIGURING CORTEX ###########"
 echo "##########################################"
 echo
 echo
-read -p "Enter the RAM in Go of Cortex [1]: " ram_cortex
+read -p "Enter the RAM in Go of Cortex [1]:" ram_cortex
 ram_cortex=${ram_cortex:-1}
 sed -i "s|RAM_CORTEX|$ram_cortex|g" docker-compose.yml
 echo
@@ -714,7 +714,7 @@ echo "####### STARTING OTHER DOCKER ###########"
 echo "#########################################"
 echo
 echo
-docker compose up -d fleet-server elastalert cyberchef zircolite zircolite-upload file-upload velociraptor-upload syslog-ng replay file4thehive heartbeat spiderfoot codimd watchtower
+docker compose up -d fleet-server elastalert cyberchef zircolite-upload file-upload velociraptor-upload syslog-ng replay file4thehive heartbeat spiderfoot codimd watchtower
 echo
 echo
 if [ "$cluster" == SINGLE ];
From 075e0eaec704cfc5bd21eb348e37e7e451a54c43 Mon Sep 17 00:00:00 2001
From: "HADES\\V1D1AN"
Date: Mon, 3 Jul 2023 21:09:29 +0200
Subject: [PATCH 6/7] Change variable for zircolite
---
 replay/replay.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/replay/replay.sh b/replay/replay.sh
index ec58fbb..84d0e2b 100644
--- a/replay/replay.sh
+++ b/replay/replay.sh
@@ -7,6 +7,6 @@ do
 docker exec zeek sh -c "zeek -C local -r /pcap/$FILE";
 rm -fr /pcap/$FILE;
 elif [[ "$FILE" == *".evtx" ]]; then
- docker run --rm --name zircolite --network instance_name_s1em -v instance_name_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog;
+ docker run --rm --name zircolite --network instance_name_s1em -v instance_name_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin "${ZIRCOLITE_USER}" --espass "${ZIRCOLITE_PASSWORD}" --forwardall --remove-events --nolog;
 fi
 done;
\ No newline at end of file
From fa31a7442cb7b464f24429c994db2f818a3e8761 Mon Sep 17 00:00:00 2001
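Review bot: With the quoting fixed, the Elasticsearch login and password are now really expanded onto the `docker run` command line, where they are readable through `ps` or `docker inspect zircolite` by anyone on the host for as long as the container runs, and by anything holding the Docker socket this container already mounts. As far as this hunk shows, Zircolite takes them only as `--eslogin`/`--espass` flags, so at minimum a comment above the line should record the exposure, e.g. `# credentials are passed as CLI flags and are visible via ps / docker inspect while zircolite runs`; giving `ZIRCOLITE_USER` an account limited to writing its own index keeps the blast radius small. The loop body starts before this hunk.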
From: "HADES\\V1D1AN"
Date: Mon, 3 Jul 2023 21:30:08 +0200
Subject: [PATCH 7/7] change the permission of replay.sh
---
 01_deploy.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/01_deploy.sh b/01_deploy.sh
index f7d9311..26ec9c0 100644
--- a/01_deploy.sh
+++ b/01_deploy.sh
@@ -705,6 +705,7 @@ echo "###### CONFIGURATION DE REPLAY ##########"
 echo "#########################################"
 echo
 echo
+chmod 755 replay/replay.sh
 instance=$(grep -oP 'INSTANCE=\K.*' .env)
 sed -i "s|instance_name|$instance|g" replay/replay.sh
 echo
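Review bot: `chmod 755 replay/replay.sh` at deploy time compensates for the script having been committed without its executable bit (patch 1 creates it as mode `100644`); recording the bit in git instead (`git update-index --chmod=+x replay/replay.sh`, then commit) makes the bind-mounted file executable on every checkout and removes the runtime step. If the chmod is kept, a one-line comment explaining why it exists would stop it from being dropped as noise, e.g. `# bind-mounted into the replay container, which runs it directly`. The hunk ends before the end of the script.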