rp2

Java

Install Java:

apt-get install openjdk-8-jre

Server Elasticsearch

Install:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.1.2.deb
sudo dpkg -i elasticsearch-6.1.2.deb

Change listen address:

sudo sed -i "s/#network.host: 192\.168\.0\.1/network.host: 10\.0\.0\.1/g" /etc/elasticsearch/elasticsearch.yml

Prepare Elasticsearch for Packetbeat logging by loading the index template (index mappings) that ships with Packetbeat itself:

wget https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.1.2-amd64.deb
sudo dpkg -i packetbeat-6.1.2-amd64.deb
packetbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["10.0.0.1:9200"]'

Install the GeoIP and User-Agent ingest plugins into Elasticsearch (the pipeline relies on them for enrichment):

sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent

Install the Virustotal filter plugin for Logstash (built from source, so Ruby is needed):

apt-get install ruby
git clone https://github.com/coolacid/logstash-filter-virustotal.git
cd logstash-filter-virustotal/
gem build logstash-filter-virustotal.gemspec
/usr/share/logstash/bin/logstash-plugin install --no-verify logstash-filter-virustotal-0.1.2.gem

Start Elasticsearch:

sudo systemctl start elasticsearch

Server Kibana

Install:

wget https://artifacts.elastic.co/downloads/kibana/kibana-6.1.2-amd64.deb
sudo dpkg -i kibana-6.1.2-amd64.deb

Change listen address:

sudo sed -i "s/#server.host: \"localhost\"/server\.host: \"10\.0\.0\.1\"/g" /etc/kibana/kibana.yml

Change Elasticsearch address:

sudo sed -i "s/#elasticsearch\.url: \"http:\/\/localhost:9200\"/elasticsearch\.url: \"http:\/\/10\.0\.0\.1:9200\"/g" /etc/kibana/kibana.yml

Server Logstash

Install Logstash:

wget https://artifacts.elastic.co/downloads/logstash/logstash-6.1.2.deb
sudo dpkg -i logstash-6.1.2.deb

Generate TLS certificates so that logging is received over an encrypted channel. When the server is addressed by IP rather than hostname, the certificate needs subjectAltName = IP, as described at https://documentation.wazuh.com/2.0/installation-guide/optional-configurations/elastic_ssl.html:

sudo mkdir -p /etc/pki/tls/certs
sudo mkdir /etc/pki/tls/private
cp /etc/ssl/openssl.cnf custom_openssl.cnf
sed -i "s/\[ v3_ca \]/\[ v3_ca \]\nsubjectAltName = IP: 10\.0\.0\.1/g" custom_openssl.cnf
sudo openssl req -config custom_openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt

Packetbeat

Server

Prepare Logstash for Packetbeat logging by copying packetbeat config:

sudo cp conf.d/10-packetbeat.conf /etc/logstash/conf.d

Configure 10-packetbeat.conf accordingly:

  1. set the input listening host
  2. set the input certificates to the ones created previously
  3. set the Virustotal API settings
  4. set the output Elasticsearch host

Start Logstash:

sudo systemctl start logstash.service

Client

Install Packetbeat on the system whose network traffic should be logged. The first argument is the SSH user@host of the client; the script then prompts for the remaining settings.

sudo ./install_packetbeat.sh ricklahaye@145.100.111.133
  Kibana Server IP and Port [5601]: 10.0.0.1:5601
  Logstash Server IP and Port [5044]: 10.0.0.1:5044
  Logstash TLS Public Key Cert: /home/ricklahaye/logstash-forwarder.crt
  Hostname to supply with logging: redirector-2
  To be monitored C2 HTTP port: 80
  Packetbeat should have been started

Virustotal

Server

Copy Virustotal config file to Logstash:

sudo cp conf.d/20-md5.conf /etc/logstash/conf.d

Configure 20-md5.conf accordingly:

  1. set the input listening host
  2. set the output Elasticsearch host

Client

Install the Virustotal script on the client to generate hashes of the payload files and send them to Logstash:

  1. install python2.7
  2. copy virustotal/virustotal.py to the client
  3. edit the script and set file_name to the file to be monitored
  4. set the host and port of Logstash
  5. run the script with python
  6. the Virustotal logs for this hash can now be seen in Kibana
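As an added illustration of steps 2 to 5 (this is example code, not the repository's own virustotal.py), the script below hashes the monitored file in chunks and ships one JSON line to a Logstash TCP input. It assumes a tcp input with a json codec in 20-md5.conf; the port, file path and event field names are placeholders, and the code runs under both Python 2.7 and Python 3.

```python
import datetime
import hashlib
import json
import socket

# Placeholders (assumptions, not values from the repository): adjust to your 20-md5.conf.
LOGSTASH_HOST = "10.0.0.1"                # Logstash server address used throughout this README
LOGSTASH_PORT = 5045                      # hypothetical port of the tcp input in 20-md5.conf
FILE_NAME = "/var/www/html/payload.bin"   # file to be monitored (placeholder path)
HOSTNAME = "redirector-2"                 # hostname to supply with the logging


def hash_file(path, chunk_size=65536):
    """Return (md5, sha256) hex digests, reading in chunks so large files are not loaded at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_event(file_name, md5, sha256, hostname):
    """Build the newline-terminated JSON line that a Logstash json codec will parse into fields."""
    event = {
        "@timestamp": datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "host": hostname,
        "file_name": file_name,
        "md5": md5,          # field the Virustotal filter looks up (assumed field name)
        "sha256": sha256,
        "type": "virustotal",
    }
    return json.dumps(event, sort_keys=True) + "\n"


def send_event(line, host, port, timeout=5.0):
    """Send one JSON line to the Logstash tcp input and close the connection."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(line.encode("utf-8"))
    finally:
        sock.close()


if __name__ == "__main__":
    file_md5, file_sha256 = hash_file(FILE_NAME)
    send_event(build_event(FILE_NAME, file_md5, file_sha256, HOSTNAME), LOGSTASH_HOST, LOGSTASH_PORT)
    print("sent md5=%s sha256=%s for %s" % (file_md5, file_sha256, FILE_NAME))
```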

Restart Logstash on server:

sudo systemctl restart logstash.service

DNS server

Server

Copy DNS config file to Logstash:

sudo cp conf.d/30-dns.conf /etc/logstash/conf.d

Configure 30-dns.conf accordingly:

  1. set the input file (if you change this, change it in the DNS server config as well!)
  2. set the output host

Install Bind (named) on the DNS server, which acts as the client that sends its query logging to Logstash:

  1. install the Bind DNS server
  2. create an authoritative zone for the zone to be monitored
  3. enable query logging and let it log to /var/log/named-query.log
  4. start the DNS server

Restart Logstash on server:

sudo systemctl restart logstash.service