Install Java:

apt-get install openjdk-8-jre

Server Elasticsearch

Install Elasticsearch:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.1.2.deb
sudo dpkg -i elasticsearch-6.1.2.deb

Change listen address:

sudo sed -i "s/#network.host: 192\.168\.0\.1/network.host: 10\.0\.0\.1/g" /etc/elasticsearch/elasticsearch.yml

Prepare Elasticsearch for Packetbeat logging by loading the index template that ships with Packetbeat itself (Elasticsearch must be reachable at the address given in the command, so start it first if it is not running yet):

wget https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.1.2-amd64.deb
sudo dpkg -i packetbeat-6.1.2-amd64.deb
packetbeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["10.0.0.1:9200"]'

Install the Elasticsearch ingest plugins GeoIP and User-Agent (used by the Packetbeat ingest pipelines):

sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-user-agent

Install the VirusTotal filter plugin for Logstash (logstash-plugin ships with Logstash, which is installed in the Logstash section below):

apt-get install ruby
git clone https://github.com/coolacid/logstash-filter-virustotal.git
cd logstash-filter-virustotal/
gem build logstash-filter-virustotal.gemspec
/usr/share/logstash/bin/logstash-plugin install --no-verify logstash-filter-virustotal-0.1.2.gem

Start Elasticsearch:

sudo systemctl start elasticsearch

Server Kibana

Install Kibana:

wget https://artifacts.elastic.co/downloads/kibana/kibana-6.1.2-amd64.deb
sudo dpkg -i kibana-6.1.2-amd64.deb

Change listen address:

sudo sed -i "s/#server.host: \"localhost\"/server\.host: \"10\.0\.0\.1\"/g" /etc/kibana/kibana.yml

Change Elasticsearch address:

sudo sed -i "s/#elasticsearch\.url: \"http:\/\/localhost:9200\"/elasticsearch\.url: \"http:\/\/10\.0\.0\.1:9200\"/g" /etc/kibana/kibana.yml

Server Logstash

Install Logstash:

wget https://artifacts.elastic.co/downloads/logstash/logstash-6.1.2.deb
sudo dpkg -i logstash-6.1.2.deb

Generate TLS certificates so that Logstash receives logs over an encrypted connection. When the server is addressed by IP rather than by hostname, the certificate needs subjectAltName = IP (see https://documentation.wazuh.com/2.0/installation-guide/optional-configurations/elastic_ssl.html):

sudo mkdir -p /etc/pki/tls/certs
sudo mkdir /etc/pki/tls/private
cp /etc/ssl/openssl.cnf custom_openssl.cnf
sed -i "s/\[ v3_ca \]/\[ v3_ca \]\nsubjectAltName = IP: 10\.0\.0\.1/g" custom_openssl.cnf
sudo openssl req -config custom_openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt



Prepare Logstash for Packetbeat logging by copying packetbeat config:

sudo cp conf.d/10-packetbeat.conf /etc/logstash/conf.d

Configure 10-packetbeat.conf accordingly:

  1. set the input listening host
  2. set the input certificate and key to the ones created above
  3. set the VirusTotal API key
  4. set the output Elasticsearch host

Start Logstash:

sudo systemctl start logstash.service


Install Packetbeat on the system whose network traffic should be logged. The first argument is the SSH login (user@host) of that client:

sudo ./install_packetbeat.sh ricklahaye@
  Kibana Server IP and Port [5601]:
  Logstash Server IP and Port [5044]:
  Logstash TLS Public Key Cert: /home/ricklahaye/logstash-forwarder.crt
  Hostname to supply with logging: redirector-2
  To be monitored C2 HTTP port: 80
  Packetbeat should have been started



Copy Virustotal config file to Logstash:

sudo cp conf.d/20-md5.conf /etc/logstash/conf.d

Configure 20-md5.conf accordingly:

  1. set input listening host
  2. set output elasticsearch host


Install the VirusTotal script on the client to generate hashes of payloads and send them to Logstash:

  1. install python2.7
  2. copy virustotal/virustotal.py to the client
  3. edit the script and set file_name to the file to be monitored
  4. set the host and port of Logstash
  5. run the script with python
  6. the VirusTotal results for this hash can now be seen in Kibana
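
The following is an added example of such a client, written here for this guide and not the repository's own virustotal.py: it hashes the monitored file in chunks, builds the JSON event, and sends it as one line to Logstash. It assumes that 20-md5.conf uses a tcp input with codec => json on the host and port given, and that md5 is the field the VirusTotal filter looks up; LOGSTASH_PORT and FILE_NAME are placeholders.

```python
# Added example, not the repository's virustotal.py: hash a payload file and
# ship the digests to Logstash as one JSON line. Assumes 20-md5.conf has a
# tcp input with codec => json on LOGSTASH_HOST:LOGSTASH_PORT.
import hashlib
import json
import socket
import time

LOGSTASH_HOST = "10.0.0.1"             # Logstash server from this guide
LOGSTASH_PORT = 5045                   # assumed tcp input port in 20-md5.conf
FILE_NAME = "/opt/payloads/stage2.bin" # hypothetical payload to monitor
HASH_NAMES = ("md5", "sha256")

def digest_chunks(chunks):
    """One pass over all byte chunks for every hash; returns hex digests."""
    digests = {name: hashlib.new(name) for name in HASH_NAMES}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def hash_file(path, chunk_size=65536):
    """Hash a file on disk 64 KiB at a time, so large payloads fit in memory."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))

def build_event(path, hostname, digests):
    """Event as Logstash indexes it; 'md5' is the assumed VirusTotal lookup field."""
    return {
        "@timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "host": hostname,
        "file_name": path,
        "md5": digests["md5"],
        "sha256": digests["sha256"],
    }

def encode_event(event):
    """Newline-delimited JSON, which the json codec on a tcp input expects."""
    return (json.dumps(event, sort_keys=True) + "\n").encode("utf-8")

def send_event(event, host=LOGSTASH_HOST, port=LOGSTASH_PORT, timeout=5.0):
    """Send one event over TCP and return the number of bytes written."""
    payload = encode_event(event)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)

if __name__ == "__main__":
    event = build_event(FILE_NAME, socket.gethostname(), hash_file(FILE_NAME))
    print(json.dumps(event), "->", send_event(event), "bytes sent")
```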

Restart Logstash on server:

sudo systemctl restart logstash.service

DNS server


Copy DNS config file to Logstash:

sudo cp conf.d/30-dns.conf /etc/logstash/conf.d

Configure 30-dns.conf accordingly:

  1. set the input file (if you change this, you need to change it in the DNS server config as well!)
  2. set the output host

Install BIND (named) on the DNS server, which acts as the client that sends logs to Logstash:

  1. install the BIND DNS server
  2. create an authoritative zone for the domain to be monitored
  3. enable query logging and let it log to /var/log/named-query.log
  4. start the DNS server

Restart Logstash on server:

sudo systemctl restart logstash.service