# RedELK server installation

Marc Smeets edited this page Mar 4, 2022 · 15 revisions
- extract `elkserver.tgz` on your RedELK server
- edit `mounts/redelk-config/etc/redelk/config.json`
- run `install-elkserver.sh` (optionally with parameters)
- post installation config of `mounts/redelk-config/etc/cron.d/redelk`
- post installation config of the `mounts/redelk-config/etc/redelk/iplist_*` files
Copy and extract `elkserver.tgz` on your RedELK server as part of your red team infra deployment procedures.

Modify `mounts/redelk-config/etc/redelk/config.json` to include:

- `loglevel` option to define the logging level for the daemon (possible values: `CRITICAL`, `ERROR`, `WARNING`, `INFO`, `DEBUG`; default: `WARNING`)
- `redelkserver_letsencrypt` options if you want to use certbot certificates for your Kibana interface.
- `notifications` options for delivering notifications such as SMTP details
- `alarms` options to enable which alarms you want
- `alarm_filehash` with details on querying VirusTotal and others
Run `install-elkserver.sh`. Optional parameters:

- `dryrun`: only do pre-install checks and write the config to the `.env` file. It is good practice to run with this parameter the first time.
- `fixedmemory`: skips the automatic memory adjustment and sets memory for elasticsearch and neo4j to 1GB
- `limited`: do not install Neo4j and Jupyter notebooks
- `dev`: only used for development (rebuilds all docker containers and inserts some test logs)

This script will install docker images of logstash, elasticsearch, kibana, neo4j, jupyter notebook and certbot. The local `.env` file contains all docker-specific parameters.
You are not done yet. You need to manually enter the details of your C2 servers in `mounts/redelk-config/etc/cron.d/redelk`, as well as tune the config files in `mounts/redelk-config/etc/redelk/`:

- `iplist_redteam.conf`: public IP addresses of your red team, one per line. Convenient for identifying testing done by red team members. Including an address here will set a tag for applicable records in the `redirhaproxy-*` index.
- `iplist_customer.conf`: public IP addresses of your target, one per line. Including an address here will set a tag for applicable records in the `redirhaproxy-*` index.
- `iplist_unknown.conf`: public IP addresses of gateways that you are not sure about yet, but don't want to be warned about again. One per line. Including an address here will set a tag for applicable records in the `redirhaproxy-*` index.
- `rogue_useragents.conf`: user agents that are known bad when they access your C2 backend. We have included a basic list of UAs like curl, python-urllib and some other tools blue teamers like to use. The list also contains UAs of instant messaging tools such as WhatsApp, Skype and Slack, which is very useful when your C2 URL is shared amongst analysts using IM. Feel free to add UAs to this list.
- `known_testsystems.conf`: beacon characteristics of known test systems. You probably want to add info regarding your own test systems. One per line. Including data here will set a tag for applicable records in the `rtops-*` index.
- `iplist_alarmed.conf`: one IP per line that you don't want to be alarmed about.
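The list files above are plain one-entry-per-line text, and the only thing RedELK does with them is tag (or, for `iplist_alarmed.conf`, silence) matching records. The following is an added example, not RedELK's own code, showing that mechanism over constructed redirector records: it parses `iplist_*.conf`-style files (rejecting lines with more than one address, deduplicating, accepting CIDR ranges as a generalization of the single-address form the page describes), matches `rogue_useragents.conf` markers, and checks `iplist_alarmed.conf` suppression. The record field names (`src_ip`, `user_agent`), the tag names and the sample file contents are assumptions.

```python
"""Added example (not RedELK's own code): how iplist_*.conf and
rogue_useragents.conf entries turn into tags on redirector records, and how
iplist_alarmed.conf suppresses alarms. Field names and tag names are assumed."""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample file contents, using RFC 5737 documentation ranges.
IPLIST_REDTEAM = """
# red team operator egress addresses
203.0.113.10
203.0.113.11
"""
IPLIST_CUSTOMER = "198.51.100.0/24\n"
IPLIST_UNKNOWN = "192.0.2.77\n"
IPLIST_ALARMED = "192.0.2.200\n"
ROGUE_USERAGENTS = """
curl
python-urllib
WhatsApp
Slack
"""


def parse_iplist(text: str) -> List[Network]:
    """Parse one IP address or CIDR per line. Blank lines and '#' comments are
    ignored, a line with more than one token is rejected (the files are one
    entry per line), and duplicates are dropped."""
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if len(entry.split()) != 1:
            raise ValueError(f"line {lineno}: expected exactly one IP per line")
        net = ipaddress.ip_network(entry, strict=False)  # bare IP becomes /32 or /128
        if net not in nets:
            nets.append(net)
    return nets


def parse_wordlist(text: str) -> List[str]:
    """One user-agent marker per line, case-folded for substring matching."""
    markers = []
    for raw in text.splitlines():
        entry = raw.strip()
        if entry and not entry.startswith("#"):
            markers.append(entry.lower())
    return markers


# Lists keyed by the tag a matching record receives (tag names are assumed).
LISTS: Dict[str, List[Network]] = {
    "iplist_redteam": parse_iplist(IPLIST_REDTEAM),
    "iplist_customer": parse_iplist(IPLIST_CUSTOMER),
    "iplist_unknown": parse_iplist(IPLIST_UNKNOWN),
}
ALARMED = parse_iplist(IPLIST_ALARMED)
ROGUE_UAS = parse_wordlist(ROGUE_USERAGENTS)


def in_lists(ip: str, nets: List[Network]) -> bool:
    """True when the address falls inside any network of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def tag_record(record: dict) -> List[str]:
    """Return the tags a redirector record would receive from the lists."""
    tags = [tag for tag, nets in LISTS.items() if in_lists(record["src_ip"], nets)]
    ua = record.get("user_agent", "").lower()
    if any(marker in ua for marker in ROGUE_UAS):
        tags.append("rogue_useragent")
    return tags


def alarm_suppressed(record: dict) -> bool:
    """True when the source is listed in iplist_alarmed.conf."""
    return in_lists(record["src_ip"], ALARMED)


if __name__ == "__main__":
    sample = [  # constructed redirector records
        {"src_ip": "203.0.113.10", "user_agent": "Mozilla/5.0"},
        {"src_ip": "198.51.100.42", "user_agent": "curl/7.88.1"},
        {"src_ip": "192.0.2.200", "user_agent": "python-urllib/3.11"},
    ]
    for rec in sample:
        state = "suppressed" if alarm_suppressed(rec) else "alarm"
        print(rec["src_ip"], tag_record(rec), state)
```

Note that a CIDR entry for `iplist_customer.conf` is a generalization for illustration; the page only describes single addresses, one per line, so keep to that form unless you have confirmed your RedELK version accepts ranges.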
Other config files not recommended to edit:

- `abusebotnetc2ip.conf`: auto-updated list of known C2 IP addresses as listed by abuse.ch
- `abusesslcert.conf`: auto-updated list of known hashes of C2 TLS certs as listed by abuse.ch
- `roguedomains.conf`: auto-updated list of known bad domains, from multiple sources.
- `torexitnodes.conf`: auto-updated list of known TOR exit node IP addresses.
- `known_sandboxes.conf`: beacon characteristics of known AV sandbox systems. One per line. Including data here will set a tag for applicable records in the `rtops-*` index. This is not really relevant anymore as more and more sandboxes have fully random names.
- `redteamdomains.conf`: list of domains as used by your offensive infrastructure. As there is no alarm coded yet to check this, there is no need to edit this file.