# Impulse XDR
## Security Monitoring, Threat Detection & Response for Servers & Endpoints
Impulse provides advanced host & network intrusion detection via a self-hosted security events manager and a fleet of sensors that monitor and interact with hosts to protect them.
Whether your goal is to secure a single VPS server or a large cloud network, Impulse will help you get there. Set up deep visibility and protection for your VPS / VPC / VMs / Droplets or Desktop in two steps:
1. Install the self-hosted manager on one of your existing instances. It runs on all major Linux distributions and requires close to zero configuration.
2. Deploy a light or heavy sensor on each endpoint, depending on the capabilities that you need, and point it to the IP of the manager.
That's it. Security analytics start flowing to your screen!
# Overview
<!-- Impulese provides intrusion detection by monitoring every aspect of your environment - files, processes, connections, ports, users, authentications, installed packages, kernel modules, etc. every variable that could be an indicator of compromise is tracked, stored and analysed.
It consists of sensors, built on top of performant telemetry extraction and transportation tools (osquery, rsyslog, grpc), that run on your monitored endpoints and forward data to a self-hosted security events manager. The manager indexes, aggregates and analyzes the incoming information, then provides analytics, insights and active response. -->
Impulse consists of a self-hosted events manager that acts as a database, indexer, analytics engine and visualiser; and two open-source sensors built on top of OSquery and Suricata. The manager receives security telemetry from the sensors and provides threat detection, insights and active response.
Thanks to its high-performance architecture and ability to pre-filter noise at the edge, Impulse provides a cost-effective setup that works very well with typical VPC configurations, allowing you to monitor, for example, 15 hosts from a cheap 2 GB / 1 CPU VM for the manager.
## Threat Detection
It does NOT use system & application log parsing for threat detection. INSTEAD it looks for bursts of pre-defined signals that are tracked via osquery and fed into a detections program.
This approach helps avoid some of the pitfalls of signature-based HIDS and lets you spot anomalous activity that is outside the scope of the parsing rules of legacy HIDS systems.
Even if an event or series of events doesn't trigger a detection, it still gets added to a visibility chain of events called "IOCs History", which provides integrity monitoring for every aspect of the environment. It serves to determine whether the server has been tampered with.
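To make the "bursts of signals" idea concrete, here is an added example (not Impulse's own detection code, whose internals this README does not describe) that runs a sliding-window count over a stream of timestamped signal names and flags any signal that fires at least THRESHOLD times within WINDOW seconds. The signal names, timestamps and the function names `write_sample_events` / `detect_bursts` are constructed for the example.

```shell
#!/bin/sh
# Added illustration of burst-style detection (not Impulse XDR project code).
# Input lines: "<epoch_seconds> <signal_name>", one signal occurrence per line.
# A signal is reported when at least THRESHOLD occurrences fall inside any
# WINDOW-second span; a lone occurrence never fires on its own.

# write_sample_events FILE -> writes a constructed sample stream to FILE.
write_sample_events() {
    cat > "$1" <<'EOF'
1700000000 new_listening_port
1700000010 new_listening_port
1700000025 new_listening_port
1700000040 new_listening_port
1700000005 new_user_group
1700003600 new_user_group
1700000030 file_created_in_etc
1700000031 file_created_in_etc
1700000200 file_created_in_etc
EOF
}

# detect_bursts FILE WINDOW THRESHOLD
# Prints one line per bursting signal: "<signal> <peak_count> <first_ts>-<last_ts>"
# where peak_count is the largest number of occurrences seen in one window.
detect_bursts() {
    # group by signal name, then order each group's timestamps ascending
    sort -k2,2 -k1,1n "$1" | awk -v win="$2" -v thr="$3" '
    function flush() {
        if (sig != "" && best >= thr) print sig, best, bfirst "-" blast
        n = 0; start = 0; best = 0; split("", ts)   # reset per-signal state
    }
    $2 != sig { flush(); sig = $2 }                 # new signal group begins
    {
        ts[n++] = $1
        # slide the window start forward until it spans at most win seconds
        while (ts[n-1] - ts[start] > win) start++
        cnt = n - start
        if (cnt > best) { best = cnt; bfirst = ts[start]; blast = ts[n-1] }
    }
    END { flush() }'
}

# Stand-alone run: 60-second window, three signals needed to fire.
sample=$(mktemp)
write_sample_events "$sample"
detect_bursts "$sample" 60 3
rm -f "$sample"
```

With the constructed sample, only `new_listening_port` (four occurrences within 40 seconds) is reported at a threshold of 3; `file_created_in_etc` has two events one second apart plus a third far outside the window, so it only appears if the threshold is lowered to 2, and `new_user_group` never does.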
## Features:
#### Security Analytics
Ingests telemetry data from its fleet of monitoring sensors and provides security analytics & insights.
#### Indicators of Compromise
Built-in core indicators of compromise track security events on hosts and alert you in case of anomalous activity.
#### Network Visibility & IDS
Monitors network flows, detects intrusion attempts and automatically blocks offenders with active response.
#### File Integrity Monitoring
Tracks changes on the filesystem tree and notifies you about file or permission modifications.
#### Security Policies
Monitors system configuration settings to ensure compliance with preset core security policies.
#### Active Response
Automatically blocks suspicious IPs, stops processes, closes ports and quarantines files.
#### Fleet firewall
Fleet firewall blocks offenders across the fleet.
#### Malware scanner
Integrated with VirusTotal to scan for malicious files on your hosts.
#### Threat Intel
Integrated with several high-quality threat intelligence providers to enrich your context data.
#### Self-Hosted & Open-Core
Data never leaves your servers.
## Deployment Scenarios
### Standalone mode on VPS Server / local VM / Laptop / PC
To just test it, install in standalone mode with a "heavy" sensor.
If you don't care about what's happening on the network and just want to track key indicators of compromise and be alerted about anomalous activity on the machine, simply deploy the manager in standalone "light" mode.
In that configuration it will use about 500 MB of RAM. Alternatively, to reduce resource consumption, deploy the manager on another host and install a light sensor on the target device pointing to the public IP of that host. The light sensor's resource usage is about 100 MB of RAM, which can be reduced further by increasing the time interval between event checks.
impulse.conf should look like this:
```
...
IP_MANAGER=<PUBLIC_IP_MANAGER>
SETUP_TYPE=manager
AGENT_TYPE=light
...
```
If you want NIDS capabilities later on, change AGENT_TYPE to heavy and restart the manager.
NOTE: to change the sensor type from light to heavy, you must regenerate it on the UI and then redeploy on the instance.
### VPC cloud network
Deploy the manager in standalone "light" mode inside the VPC (or on a VPS server somewhere else; it could be a different network and provider), and place a light sensor on every instance inside the VPC apart from the gateway instance, which should have a "heavy" sensor to monitor traffic for the network.
### Cluster of VPS servers
Be aware that monitoring a large number of servers in a cluster configuration with heavy sensors requires a powerful host with background workers, because network visibility and IDS generate 50x more events.
However, a 4 GB RAM, 2 CPU manager can easily handle IOCs monitoring for 20-30 servers with light sensors. Thanks to event pre-filtering done on the edge, the manager only receives meaningful security-related events, typically about 2k per host per day.
# Install the Manager
## Download
Download Impulse from the official GitHub repository
```
wget https://github.com/bgenev/impulse-xdr/releases/download/v.1.2/impulse_xdr_v1.2.tar.gz
```
## Move to /opt
Move the archive to /opt (it must be in /opt).
## Untar
```
tar -xf impulse_xdr_v1.2.tar.gz
```
## Enter your system's configuration values
cd into /opt/impulse and modify the values in impulse.conf. Use your system's values for IP_MANAGER and HOST_INTERFACE.
To get the IP and interface:
```
ip a
```
e.g. impulse.conf manager:
```
...
IP_MANAGER=192.168.1.37
HOST_INTERFACE=eth1
...
```
## Start Installation
Start the installation process with:
```
./install_manager.sh
```
It will ask you a few questions to verify the setup and then proceed. If you don't have Docker installed, it will install it for you.
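Before running the installer, it helps to catch a configuration mistake (a placeholder left in IP_MANAGER, an interface name that does not exist on the host, a misspelled AGENT_TYPE) rather than discovering it after Docker is up. The POSIX shell script below is an added example and is not part of the Impulse XDR project. It assumes impulse.conf uses plain KEY=VALUE lines as shown above and that the accepted values are the ones this README shows (SETUP_TYPE=manager on the manager host, AGENT_TYPE light or heavy); the function name `check_impulse_conf` and its interface-list argument are assumptions chosen so the check can also run offline.

```shell
#!/bin/sh
# Added pre-install sanity check for impulse.conf (not Impulse XDR project code).
# Accepted values are assumed from the README examples; adjust if your
# deployment uses others.

# conf_get FILE KEY -> prints the value of KEY (last definition wins), empty if unset
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# is_ipv4 VALUE -> 0 if VALUE is a dotted quad with every octet in 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_impulse_conf FILE "iface1 iface2 ..." -> 0 if the config looks sane,
# 1 otherwise; every problem found is reported on stderr.
check_impulse_conf() {
    conf=$1
    ifaces=$2
    rc=0

    ip_manager=$(conf_get "$conf" IP_MANAGER)
    if [ -z "$ip_manager" ] || echo "$ip_manager" | grep -q '[<>]'; then
        echo "IP_MANAGER is unset or still a <placeholder>" >&2; rc=1
    elif ! is_ipv4 "$ip_manager"; then
        echo "IP_MANAGER '$ip_manager' is not a valid IPv4 address" >&2; rc=1
    fi

    # HOST_INTERFACE must name an interface that actually exists on this host
    iface=$(conf_get "$conf" HOST_INTERFACE)
    found=0
    for i in $ifaces; do [ "$i" = "$iface" ] && found=1; done
    if [ "$found" -eq 0 ]; then
        echo "HOST_INTERFACE '$iface' is not one of: $ifaces" >&2; rc=1
    fi

    case "$(conf_get "$conf" SETUP_TYPE)" in
        manager) ;;
        *) echo "SETUP_TYPE must be 'manager' on the manager host" >&2; rc=1 ;;
    esac

    case "$(conf_get "$conf" AGENT_TYPE)" in
        light|heavy) ;;
        *) echo "AGENT_TYPE must be 'light' or 'heavy'" >&2; rc=1 ;;
    esac
    return $rc
}

# On the manager host, feed it the real file and the interfaces `ip` knows about:
# check_impulse_conf /opt/impulse/impulse.conf "$(ip -o link | awk -F': ' '{print $2}' | tr '\n' ' ')"
```

Run it from /opt/impulse before `./install_manager.sh`; a non-zero exit means at least one value needs fixing, and each reason is printed.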
# Post-Install
## Login credentials
Your Impulse admin user credentials are generated automatically and will be displayed in the terminal window.
You can also find them in:
```
/var/impulse/data/manager/manager_creds.txt
```
## Access User Interface
You can log in to the manager's interface by going to:
```
https://<MANAGER_IP>:7001/
```
You will see a standard browser notification informing you that you are loading a website with a self-signed certificate. After clicking proceed, you will be redirected to the login screen, where you can authenticate using the credentials that were generated during the build.
## IOCs baseline
When you first log in, expect to see a lot of IOC events and 1 detection with 100+ signals. This is normal and is just the baseline that osquery builds when it is first installed on the system. There will be far fewer events afterwards.
## Check status, stop or start the manager
```
/opt/impulse/impulse-control.sh status
```
```
/opt/impulse/impulse-control.sh stop
```
```
/opt/impulse/impulse-control.sh start
```
## IOCs whitelisting
If you notice that some of the software that you are running creates too many events, create an IOC exception for it by going to the IOC event -> Add Rule Exception and choosing the parameter that you want to exclude on.
## NOTE: default whitelisted events
A number of standard system-generated events are whitelisted by default in the core osquery ruleset to reduce noise - OS processes, sock events, calls to the threat intel APIs, etc. that add up to tens of thousands per day.
## Create free AbuseIPDB and VirusTotal accounts
Add your keys to /opt/impulse/impulse.conf
```
ABUSEIPDB_API_KEY=<key_string>
VIRUS_TOTAL_API_KEY=<key_string>
```
Then restart the manager
```
/opt/impulse/impulse-control.sh stop
/opt/impulse/impulse-control.sh start
```
You might get a Docker networking issue preventing the manager from starting. In this case simply restart Docker, then restart the manager.
## Generate system events to test the installation
Open new port:
```
nc -lvp 4003
```
Create new group:
```
addgroup rdmgroup1
```
Add new file:
```
touch /etc/program1.sh
```
Add new background task:
```
touch /etc/cron.d/malicious_cron
printf "*/10 * * * * sh /opt/example.sh" >> /etc/cron.d/malicious_cron
```
Install some package to generate many events for an all-around test:
```
apt install -y wordpress
```
Sensors check for new events every 30 seconds, so expect a little delay. After that you will see the events appear in the "IOCs History" card of the /instance screen.
# More great features coming soon:
#### - Bidirectional streaming for sensors to allow more flexible NAT management.
#### - Automated system hardening covering CIS standard.
#### - Automated asset posture management scripts.
#### - Ability to trigger system config actions on items within Asset Posture.
#### - Custom Suricata rules.
#### - Inventory Page.
#### - Discovering CVEs for installed packages across the fleet.
#### - Traffic accounting
#### - Executive reports