Neo4J not working with BloodHound #159

Closed
fastlorenzo opened this issue Apr 30, 2021 · 6 comments · Fixed by #160 or #162

Comments

@fastlorenzo
Collaborator

I can't use the Neo4J instance with BloodHound (bolt port).
This works fine with the Neo4J browser.
I've tried via SSH tunneling and via direct IP access; BloodHound stays stuck in a loop.

By changing the container image from specterops/bloodhound-neo4j to neo4j:4.2, everything works fine.

Proposed patch to adapt it.

Furthermore, the mount point in the docker compose file (/var/lib/neo4j) is incorrect; it should be /data.

fastlorenzo added a commit to fastlorenzo/RedELK that referenced this issue Apr 30, 2021
Signed-off-by: fastlorenzo <git@bernardi.be>
@MarcOverIP
Member

This all works fine in my testing. Perhaps an issue related to another of your PRs? Or maybe not proper ports exposed in docker-compose file?

Moving to a newer branch of the neo4j is desired at some point. But it equals opening a whole new can of worms. I'm not happy to do this now. Amongst others, it would require testing if Jupyter notebook docker still works.

I'll leave this PR open for future additions.

@MarcOverIP
Member

Did a quick check and found the issue. The used SpecterOps neo4j image is indeed very old (v3), while the modern BloodHound app requires a neo4j instance using a newer bolt protocol version. That is why the builtin neo4j browser does work (it uses the old v3 protocol). I did not check, but I'm pretty sure the data path did work for the old image, but indeed needs to be changed for newer neo4j images.

Forcing RedELK users to an old BloodHound app is no option. We need to move to a newer neo4j image asap. I did a quick test with your proposed solution, and it works at least for neo4j data. Jupyter workbooks connectivity is to be checked.
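
Editor's added example (not part of the comment above and not RedELK or BloodHound code): a small Python check of the Bolt version handshake that the comment identifies as the cause. It assumes the standard Bolt handshake layout (preamble `60 60 B0 17` followed by four 4-byte version slots encoded `00 00 minor major`) and a plain-TCP bolt port; the function names and the version sets in the demo are constructed for illustration.

```python
import socket

BOLT_MAGIC = bytes.fromhex("6060b017")  # Bolt handshake preamble
NO_MATCH = b"\x00" * 4                  # reply when no proposal is supported

def build_handshake(proposals):
    """Preamble + four 4-byte slots (00 00 minor major), most preferred first."""
    if not 1 <= len(proposals) <= 4:
        raise ValueError("a Bolt handshake carries one to four proposals")
    slots = [bytes([0, 0, minor, major]) for major, minor in proposals]
    slots += [NO_MATCH] * (4 - len(slots))  # unused slots are zero-filled
    return BOLT_MAGIC + b"".join(slots)

def parse_reply(reply):
    """Return the (major, minor) the server picked, or None if nothing matched."""
    if len(reply) != 4:
        raise ValueError("short handshake reply")
    if reply == b"HTTP":
        raise ValueError("got an HTTP response: this is not the bolt port")
    if reply == NO_MATCH:
        return None
    return (reply[3], reply[2])

def server_choice(handshake, supported):
    """Offline stand-in for a server: echo the first proposal it supports."""
    if len(handshake) != 20 or handshake[:4] != BOLT_MAGIC:
        raise ValueError("not a Bolt handshake")
    for i in range(4, 20, 4):
        slot = handshake[i:i + 4]
        if slot != NO_MATCH and (slot[3], slot[2]) in supported:
            return slot
    return NO_MATCH

def probe(host, port=7687, proposals=((4, 2), (4, 1), (4, 0), (3, 0)), timeout=5):
    """Ask a live server (plain TCP, no TLS) which proposal it accepts."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake(list(proposals)))
        reply = b""
        while len(reply) < 4:
            chunk = s.recv(4 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)

if __name__ == "__main__":
    v3_only = {(1, 0), (2, 0), (3, 0)}      # constructed: an old v3-era server
    new_client = [(4, 2), (4, 1), (4, 0)]   # constructed: client offering only 4.x
    print(parse_reply(server_choice(build_handshake(new_client), v3_only)))
```

Running `probe("<neo4j-host>")` against each image shows which Bolt version, if any, the server will agree to before a client is pointed at it.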

MarcOverIP added a commit that referenced this issue May 7, 2021
Moved to neo4j official docker to fix #159
MarcOverIP added a commit that referenced this issue May 7, 2021
Revert "Moved to neo4j official docker to fix #159"
@MarcOverIP
Member

Reverting your PR as it breaks access to /neo4jbrowser which redirects to ip:7473. Seems neo4j 4 needs different handling of the ssl certs.

I see three options, ranging from most to least preferred:

  1. put the neo4jbrowser behind the nginx proxy
  2. make the neo4j image also use the tls certificates that nginx uses
  3. make the neo4jbrowser available on 7474, which would be clear text.

@MarcOverIP MarcOverIP reopened this May 7, 2021
@fastlorenzo
Collaborator Author

I'll check this one ;)

@MarcOverIP
Member

Note: when we update neo4j, we probably also need a newer install of py2neo in the jupyter image. Dockerfile currently states a specific version with pip3 install py2neo==4.3.0. Possibly this can/needs to be upgraded to later.

@MarcOverIP MarcOverIP added this to To do in v2.0.0-beta.4 May 7, 2021
@MarcOverIP MarcOverIP moved this from To do to In progress in v2.0.0-beta.4 May 7, 2021
@fastlorenzo
Collaborator Author

I've worked on a fix, which I tested to be working: it uses nginx to listen on port 7687, and proxies the requests to the neo4j container. Adds back the neo4j container behind nginx as well.
This way, we don't have to touch the neo4j container.

As this touches the Nginx container config, I'll wait for #152 to be merged before making a PR
