Untitled

a guest  Sep 16th, 2019
ELK installation  Sept 2019

## Snortbox ##
# Move to home dir
cd
# Get package from Inside-SRV
wget http://10.10.2.13/debs/elasticsearch-7.3.1-amd64.deb

# Install it
sudo dpkg -i elasticsearch-7.3.1-amd64.deb

# Install JDK
sudo apt install default-jdk

Confirm the additional disk space usage.
(screenshot)

Edit /etc/elasticsearch/elasticsearch.yml:
uncomment network.host and change it to "localhost"
(screenshot)

#Start it
sudo systemctl start elasticsearch

The command gives no feedback.  To check that Elasticsearch is running, open a browser and navigate to localhost:9200
(screenshot)

#Enable on startup
sudo systemctl enable elasticsearch

#Next is kibana
# Get package
wget http://10.10.2.13/debs/kibana-7.3.2-amd64.deb

#Install it
sudo dpkg -i kibana-7.3.2-amd64.deb

#Start it
sudo systemctl start kibana

#Enable on startup
sudo systemctl enable kibana

#Next we need to set up Nginx to serve the Kibana dashboard.  Kibana is configured to listen only on localhost, so to allow external access we set up an Nginx reverse proxy in front of it.

#First, create a kibana user and password and add it to the Nginx htpasswd.users file.
# This command prompts you for a password; enter "password" (without quotes), then type it again to confirm.

(screenshot)
sudo echo "kibanaadmin:`openssl passwd -apr1`" | sudo tee -a /etc/nginx/htpasswd.users
(notice that the quote marks around the openssl command are backticks, the character found in the upper left corner of many keyboards)

# Next you will need to direct the Nginx traffic to the Kibana application.
# The necessary configuration has been provided. To install it, first download the file to the Snort host.  You should still be in your home directory.

cd
wget http://10.10.2.13/debs/kibana-nginx.txt

#Then copy the file to the Nginx sites-available folder
sudo cp ./kibana-nginx.txt /etc/nginx/sites-available/localhost

#Then create a symlink to this file in the sites-enabled folder
sudo ln -s /etc/nginx/sites-available/localhost /etc/nginx/sites-enabled/localhost

# Now test your nginx configuration
sudo nginx -t
#The test should return as successful

#Restart nginx to enable the config
sudo systemctl restart nginx

#Finally you must update your host firewall to allow access to Nginx
sudo ufw allow 'Nginx Full'

# To test, open Firefox and enter
localhost/status
When prompted for credentials enter
Username: kibanaadmin
Password: password

You should then see the dashboard shown below
(screenshot)


#Logstash
#Get package
wget http://10.10.2.13/debs/logstash-7.3.2.deb

#Install it
sudo dpkg -i logstash-7.3.2.deb

## At this point we're going to try it with Snort

snort.lua changes
Enable the community rules in Section 6
(hopefully this will already be done in an earlier lab)
Use the all-snort3-community.rules file to enable all 3,500 rules.

wget http://10.10.2.13/debs/all-snort3-community.rules
sudo cp all-snort3-community.rules /usr/local/etc/snort/rules

cd (back to home if you left it)
wget http://10.10.2.13/debs/snort-lua-alert-json.txt

sudo gedit /usr/local/etc/snort/snort.lua
(open the snort-lua-alert-json.txt file in Gedit as well, so you can copy and paste between the two documents instead of typing all the text below)

Enable JSON output in the Outputs section:

alert_json =
{
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data',
    file = true
}

#Configure Snort to log to /var/log/snort
#Create /var/log/snort
sudo mkdir /var/log/snort

#Edit /etc/systemd/system/snort.service to add the logging directory
sudo gedit /etc/systemd/system/snort.service

Add -l /var/log/snort to the end of the snort command line in that file.

sudo systemctl daemon-reload
sudo systemctl restart snort

Use ps -ef | grep snort to check the command line.
(screenshot)

#Test the json output
Run a nikto scan from Attacker-Kali

nikto

#Check /var/log/snort/alert_json.txt
sudo tail /var/log/snort/alert_json.txt


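The lines that tail shows in alert_json.txt are one JSON object per line, carrying exactly the fields listed in the alert_json block of snort.lua. The Python below is an added example for this lab, not code from the original paste or from the Snort project: it parses such lines, decodes b64_data the same way the Kibana "Base64 Decode" field transform does later in the lab, splits the rule field into gid:sid:rev, and tallies alerts by rule and source. It also keeps going over a truncated line and over an alert whose b64_data is not valid Base64, which is what you want from a parser that reads a file Snort is still writing to. The sample lines are constructed to resemble real output; the source addresses 10.10.2.20 and 10.10.2.21 and the rule numbers are made up, and only 10.10.2.13 (Inside-SRV) comes from the lab.

```python
"""Parse Snort 3 alert_json output (one JSON object per line) and summarise it.

Added example for this lab, not code from the original paste or from Snort.
Keys follow the alert_json 'fields' list given to snort.lua above.  The sample
lines are CONSTRUCTED to resemble /var/log/snort/alert_json.txt; the source
addresses 10.10.2.20 and 10.10.2.21 and the rule sids are made up.
"""
import base64
import binascii
import json
from collections import Counter

# Constructed sample: three well-formed alerts, one truncated line (what tail
# shows while Snort is still writing), and one alert with invalid Base64.
# Payloads encode "GET /robots.txt HTTP/1.1\r\n" and "GET /admin/ HTTP/1.1\r\n".
SAMPLE_LINES = [
    '{"timestamp": "09/16-14:22:01.123456", "pkt_num": 101, "proto": "TCP", "pkt_gen": "raw", '
    '"pkt_len": 98, "dir": "C2S", "src_addr": "10.10.2.20", "src_port": 51234, '
    '"dst_addr": "10.10.2.13", "dst_port": 80, "service": "http", "rule": "1:1000001:1", '
    '"priority": 2, "class": "Web Application Attack", "action": "allow", '
    '"b64_data": "R0VUIC9yb2JvdHMudHh0IEhUVFAvMS4xDQo="}',
    '{"timestamp": "09/16-14:22:01.654321", "pkt_num": 102, "proto": "TCP", "pkt_gen": "raw", '
    '"pkt_len": 94, "dir": "C2S", "src_addr": "10.10.2.20", "src_port": 51235, '
    '"dst_addr": "10.10.2.13", "dst_port": 80, "service": "http", "rule": "1:1000002:1", '
    '"priority": 1, "class": "Web Application Attack", "action": "allow", '
    '"b64_data": "R0VUIC9hZG1pbi8gSFRUUC8xLjENCg=="}',
    '{"timestamp": "09/16-14:22:02.000001", "pkt_num": 103, "proto": "TCP", "pkt_gen": "raw", '
    '"pkt_len": 98, "dir": "C2S", "src_addr": "10.10.2.21", "src_port": 40001, '
    '"dst_addr": "10.10.2.13", "dst_port": 80, "service": "http", "rule": "1:1000001:1", '
    '"priority": 2, "class": "Web Application Attack", "action": "allow", '
    '"b64_data": "R0VUIC9yb2JvdHMudHh0IEhUVFAvMS4xDQo="}',
    '{"timestamp": "09/16-14:22:03.000000", "pkt_num": 104, "proto": "TCP", "src_addr": "10.1',
    '{"timestamp": "09/16-14:22:04.000000", "pkt_num": 105, "proto": "TCP", "pkt_gen": "raw", '
    '"pkt_len": 60, "dir": "C2S", "src_addr": "10.10.2.21", "src_port": 40002, '
    '"dst_addr": "10.10.2.13", "dst_port": 80, "service": "http", "rule": "1:1000003:1", '
    '"priority": 3, "class": "Misc activity", "action": "allow", '
    '"b64_data": "%%%not-base64%%%"}',
]


def parse_alert(line):
    """Return a normalised alert dict, or None if the line is not a JSON object."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    alert = dict(rec)
    # rule is "gid:sid:rev"; split it so the parts can be filtered separately.
    try:
        alert["gid"], alert["sid"], alert["rev"] = (
            int(x) for x in str(rec.get("rule", "")).split(":"))
    except ValueError:
        alert["gid"] = alert["sid"] = alert["rev"] = None
    # b64_data is the packet payload, Base64-encoded; this is the decode that
    # the Kibana "Base64 Decode" field transform performs in the UI.
    try:
        payload = base64.b64decode(rec.get("b64_data", ""), validate=True)
        alert["payload"] = payload.decode("utf-8", errors="replace")
        alert["payload_error"] = None
    except (binascii.Error, ValueError, TypeError) as exc:
        alert["payload"] = None          # keep the alert, flag the bad payload
        alert["payload_error"] = str(exc)
    return alert


def load_alerts(lines):
    """Parse each line; return (alerts, count_of_unparseable_lines)."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
        else:
            alerts.append(alert)
    return alerts, skipped


def summarize(alerts):
    """Tally alerts by rule, source address and destination port."""
    return {
        "by_rule": Counter(a.get("rule") for a in alerts),
        "by_src": Counter(a.get("src_addr") for a in alerts),
        "by_dst_port": Counter(a.get("dst_port") for a in alerts),
        "undecodable_payloads": sum(1 for a in alerts if a["payload"] is None),
    }


if __name__ == "__main__":
    parsed, bad = load_alerts(SAMPLE_LINES)
    print(f"{len(parsed)} alerts parsed, {bad} unparseable line(s) skipped")
    for rule, n in summarize(parsed)["by_rule"].most_common():
        print(f"  rule {rule}: {n}")
    for a in parsed:
        print(f"  {a.get('src_addr')} -> :{a.get('dst_port')} {a.get('rule')} {a['payload']!r}")
```

To run it against the real log on the Snort box, pass an open file instead of SAMPLE_LINES, for example load_alerts(open("/var/log/snort/alert_json.txt")); the file is root-owned until the chmod step later in the lab, so read it with sudo or after that step. Truncated lines are counted rather than raised, and an undecodable b64_data keeps the alert with payload set to None, which is the same behaviour you want from the Logstash filter so a single bad record does not stall the pipeline.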
#Get these and put them in the /etc/logstash/conf.d folder
wget http://10.10.2.13/debs/03-snort-input.conf
wget http://10.10.2.13/debs/11-snort-filter.conf
wget http://10.10.2.13/debs/30-snort-output.conf

sudo cp 03-snort-input.conf /etc/logstash/conf.d
sudo cp 11-snort-filter.conf /etc/logstash/conf.d
sudo cp 30-snort-output.conf /etc/logstash/conf.d


#Test your logstash config
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t

You will receive several warnings, but near the end you should see "Validation Result: OK"

Set permissions on the alert_json.txt file so logstash can access it
sudo chmod 655 /var/log/snort/alert_json.txt

sudo systemctl start logstash
sudo systemctl enable logstash


Go to the browser and connect to localhost again (Kibana).
At the welcome screen do not pick the sample data; select "Explore on my own".

1. Click on the gear (Management), Index Patterns, + Create Index Pattern, and set the name to logstash-snort3j
(screenshot)
2. On step 2 select @timestamp as your "Time filter field name" and then click "Create index pattern".
(screenshot)

3. On the next screen scroll down and click the pencil by the b64_data field. Set Format = String and Transform = Base64 Decode, and then click "Save field".
(screenshot)

You are finished configuring the data sources.  Now click the Discover icon (screenshot) to see the Snort data.  If you have been looping the Nikto tool on Attacker-Kali you should have some historical data showing already.
(screenshot)

At this point you can create Visualizations and Dashboards if desired.

# To generate lots of alerts for ELK
while true; do nikto -h 10.10.2.13 -C all -nointeractive -ask no -Display P; sleep 60; done;