-
Notifications
You must be signed in to change notification settings - Fork 0
/
Install Instructions
157 lines (143 loc) · 5.52 KB
/
Install Instructions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
All of this came from here: https://holdmybeersecurity.com/2019/05/01/back-in-the-saddle-install-setup-elastic-stack-7-0-on-ubuntu-18-04/
And here: https://www.cronocide.com/post/byfswtes/
And here for some Zeek stuff: https://holdmybeersecurity.com/2019/04/03/part-1-install-setup-zeek-pf_ring-on-ubuntu-18-04-on-proxmox-5-3-openvswitch/
- Add Elastic repo
sudo su
apt-get update -y
apt-get install apt-transport-https -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
apt-get update -y
- Install/Setup Java
apt-get update -y
apt install openjdk-8-jdk
java -version
- Install/Setup Elasticsearch
apt-get install elasticsearch
sed -i 's/#network.host: 192.168.0.1/network.host: localhost/g' /etc/elasticsearch/elasticsearch.yml
sed -i 's/#http.port: 9200/http.port: 9200/g' /etc/elasticsearch/elasticsearch.yml
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch
Test Elasticsearch
curl http://localhost:9200
- Install/Setup Logstash
apt-get install logstash -y
cd /etc/logstash/conf.d
nano 01-BeatsConfig.conf
paste contents of file into nano. save and exit
systemctl enable logstash
systemctl start logstash
- Install/Setup Kibana
apt-get install kibana
sed -i 's/#server.host: "localhost"/server.host: "localhost"/g' /etc/kibana/kibana.yml
sed -i 's/#server.port: 5601/server.port: 5601/g' /etc/kibana/kibana.yml
sed -i 's?#elasticsearch.hosts:?elasticsearch.hosts:?g' /etc/kibana/kibana.yml
systemctl enable kibana
systemctl start kibana
systemctl status kibana
- Install/Setup Nginx
apt-get install nginx
mkdir /etc/nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
This will take a while ~10-20mins
wget https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/ElasticStackv7/configs/nginx/nginx.conf -O /etc/nginx/nginx.conf
wget kibana.conf https://raw.githubusercontent.com/CptOfEvilMinions/BlogProjects/master/ElasticStackv7/configs/nginx/kibana.conf -O /etc/nginx/conf.d/kibana.conf
sed -i 's#server_name kibana;#server_name <FQDN of Kibana>;#g' /etc/nginx/conf.d/kibana.conf
systemctl enable nginx
systemctl restart nginx
- Configure UFW
ufw enable
ufw allow ssh
ufw allow http
ufw allow https
ufw allow 5044/tcp
ufw reload
ufw status
- Install/Setup Zeek
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
For xUbuntu 18.04 run the following:
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O Release.key
sudo apt-key add - < Release.key
sudo apt-get update
sudo apt-get install zeek
nano /opt/zeek/etc/node.cfg
Change interface to correct interface name
nano /etc/netplan/50-cloud-init.yaml
copy the config for the working NIC and paste it in the file. change the name to the correct NIC
sudo netplan try
sudo netplan apply
do an ifconfig to make sure the interface is up
start promiscuious mode: ip link set ens160 promisc on
nano /opt/zeek/share/zeek/base/frameworks/logging/writers/ascii.zeek
change line to: const use_json = T &redef;
now download something like Kali and keep doing an ifconfig. you should see the RX packets go up. that means the interface is sniffing
cd /opt/zeek
bin/zeekctl
install
deploy
status
you can exit zeekctl
check /opt/zeek/logs/current
There should be log files in this folder. If so, Zeek is working correctly
# if you want to install Elastic SIEM continue on
# if you want to just get Zeek running, copy over the config files
nano /opt/zeek/share/zeek/site/local.zeek
add the following
# Output to JSON
@load policy/tuning/json-logs.zeek
cp /etc/filebeat/modules.d/zeek.yml /etc/filebeat/modules.d/zeek.yml.original
nano /etc/filebeat/modules.d/zeek.yml
replace everything with this:
- module: zeek
# All logs
connection:
enabled: true
var.paths:
- /opt/zeek/logs/current/conn.log
dns:
enabled: true
var.paths:
- /opt/zeek/logs/current/dns.log
http:
enabled: true
var.paths:
- /opt/zeek/logs/current/http.log
files:
enabled: true
var.paths:
- /opt/zeek/logs/current/files.log
ssl:
enabled: true
var.paths:
- /opt/zeek/logs/current/ssl.log
notice:
enabled: true
var.paths:
- /opt/zeek/logs/current/capture_loss.log
- /opt/zeek/logs/current/known_services.log
- /opt/zeek/logs/current/loaded_scripts.log
- /opt/zeek/logs/current/packet_filter.log
- /opt/zeek/logs/current/reporter.log
- /opt/zeek/logs/current/stats.log
- /opt/zeek/logs/current/stderr.log
- /opt/zeek/logs/current/stdout.log
- /opt/zeek/logs/current/weird.log
- Install/Setup SIEM
Open Kibana (https://ip) and go to SIEM
click Zeek Logs
Click the DEB tab and follow the instructions
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.5.2-amd64.deb
sudo dpkg -i filebeat-7.5.2-amd64.deb
cd /etc/filebeat
cp filebeat.yml filebeat.yml.original
nano filebeat.yml
Under type: log change enabled to true:
enabled: true
Change the path to:
- /opt/zeek/logs/current/*.log
filebeat modules enable zeek
sudo filebeat setup
sudo service filebeat start