Added bro and suricata to the logger vagrant

configured splunk to ingest both bro and suricata logs

reconfigured logger vagrant box to have 2 CPUs and 4GB of RAM

Vagrant/Vagrantfile

@@ -13,16 +13,17 @@ Vagrant.configure("2") do |config|
     end
 
     cfg.vm.provider "vmware_desktop" do |v, override|
-      v.memory = 2048
-      v.cpus = 1
+      v.memory = 4096
+      v.cpus = 2
       v.gui = true
     end
 
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
-      vb.customize ["modifyvm", :id, "--memory", 2048]
-      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--memory", 4096]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
       vb.customize ["modifyvm", :id, "--vram", "32"]
+      vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
       vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
     end

Vagrant/bootstrap.sh

@@ -88,6 +88,8 @@ install_splunk() {
     /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme'
     /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
+    /opt/splunk/bin/splunk add index bro -auth 'admin:changeme'
+    /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
     /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
     # Add a Splunk TCP input on port 9997
@@ -215,6 +217,148 @@ install_caldera() {
   fi
 }
 
+install_bro() {
+    # environment variables
+	BRO_VERSION=2.5.4
+	BRO_SRC=/usr/src/bro
+	NODECFG=/opt/bro/etc/node.cfg
+	SPLUNK_BRO_JSON=/opt/splunk/etc/apps/TA-bro_json
+	SPLUNK_BRO_MONITOR='monitor:///opt/bro/spool/manager'
+	SPLUNK_SURICATA_MONITOR='monitor:///var/log/suricata'
+
+    # update APT repositories
+	apt-get -qq -ym update
+    # install tools to build and configure bro
+	apt-get -qq -ym install crudini \
+			build-essential \
+			git \
+			unzip \
+			python-pip \
+			flex \
+			libpcap-dev \
+			flex \
+			bison \
+			libpcap-dev \
+			swig \
+			cmake \
+			libssl-dev \
+			devscripts
+
+    # grab bro from github and build and install
+	git clone --recursive --branch v$BRO_VERSION git://git.bro.org/bro $BRO_SRC
+	cd $BRO_SRC
+	./configure --disable-broker --prefix=/opt/bro
+	make
+	make install
+
+    # load bro scripts
+	cat<<EOF >> /opt/bro/share/bro/site/local.bro
+
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+
+@load tuning/json-logs
+@load policy/integration/collective-intel
+@load policy/frameworks/intel/do_notice
+
+@load frameworks/intel/seen
+@load frameworks/intel/do_notice
+@load frameworks/files/hash-all-files
+
+@load policy/protocols/smb
+
+@load policy/protocols/conn/vlan-logging
+
+@load policy/protocols/conn/mac-logging
+
+redef Intel::read_files += {
+        "/opt/bro/etc/intel.dat"
+};
+
+EOF
+
+
+    # configure bro
+	crudini --del $NODECFG bro
+	crudini --set $NODECFG manager type manager
+	crudini --set $NODECFG manager host localhost
+	crudini --set $NODECFG proxy type proxy
+	crudini --set $NODECFG proxy host localhost
+	CPUS=$(lscpu  -e |awk /yes/'{print $1'} |wc -l)
+
+    # setup $CPUS numbers of bro workers
+	for i in eth1
+	do
+			crudini --set $NODECFG worker-$i type worker
+			crudini --set $NODECFG worker-$i host localhost
+			crudini --set $NODECFG worker-$i interface $i
+			crudini --set $NODECFG worker-$i lb_method pf_ring
+			crudini --set $NODECFG worker-$i lb_procs $CPUS
+	done
+
+    # setup bro to run at boot
+    cp /vagrant/resources/bro/bro.service /lib/systemd/system/bro.service
+
+    for i in bro
+    do
+        systemctl enable $i
+        systemctl start $i
+    done
+
+    # setup splunk TA to ingest bro and suricata data
+	git clone https://github.com/jahshuah/splunk-ta-bro-json $SPLUNK_BRO_JSON
+
+	mkdir -p $SPLUNK_BRO_JSON/local
+	cp $SPLUNK_BRO_JSON/default/inputs.conf $SPLUNK_BRO_JSON/local/inputs.conf
+
+
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR index   bro
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR sourcetype   json_bro
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR whitelist   '.*\.log$'
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR blacklist   '.*(communication|stderr)\.log$'
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_BRO_MONITOR disabled   0
+
+
+
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index   suricata
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype   json_suricata
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist   'eve.json'
+	crudini --set  $SPLUNK_BRO_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled   0
+
+    # ensure permissions are correct and restart splunk
+	chown -R splunk $SPLUNK_BRO_JSON
+    /opt/splunk/bin/splunk restart
+}
+
+install_suricata() {
+    # install yq to maniuplate the suricata.yaml inline
+    /usr/bin/go get -u  github.com/mikefarah/yq
+    # install suricata
+    add-apt-repository -y ppa:oisf/suricata-stable
+    apt-get -qq -y update && apt-get -qq -y install suricata crudini
+    # install suricata-update
+    pip3.6 install --pre --upgrade suricata-update
+    # add DC_SERVERS variable to suricata.yaml in support et-open signatures
+    /root/go/bin/yq w  -i /etc/suricata/suricata.yaml vars.address-groups.DC_SERVERS '$HOME_NET'
+    crudini --set --format=sh /etc/default/suricata '' iface eth1
+    # update suricata signature sources
+    suricata-update update-sources
+    # disable protocol decode as it is duplicative of bro
+    echo re:protocol-command-decode >> /etc/suricata/disable.conf
+    # enable et-open and attackdetection sources
+    for i in et/open ptresearch/attackdetection
+    do
+                suricata-update enable-source $i
+
+            done
+    # update suricata and restart
+    suricata-update
+    systemctl restart suricata
+
+}
+
 main() {
   install_mongo_db_apt_key
   apt_install_prerequisites
@@ -226,6 +370,8 @@ main() {
   download_palantir_osquery_config
   import_osquery_config_into_fleet
   install_caldera
+  install_suricata
+  install_bro
 }
 
 main