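#!/bin/bash
#
# Install.sh - builds a network sensor on a RHEL-family host (dnf, firewalld,
# systemd): Elasticsearch, Kibana, Zeek (from source), Suricata (from source)
# and Filebeat, using the config files shipped next to this script.
#
# Usage:  sudo ./Install.sh        (run from the directory holding the configs)
#
# Environment:
#   ELASTIC_VERSION   Elastic Stack version to install (default: 8.7.0)
#   ELASTIC_PASSWORD  password assigned to the elastic and kibana_system users
#                     (default: "password" - a warning is printed when the
#                     default is used)
#
# The script must run as root, needs network access, and may take a few hours
# because Zeek and Suricata are compiled from source.
set -euo pipefail

readonly ELASTIC_VERSION="${ELASTIC_VERSION:-8.7.0}"
readonly SURICATA_VERSION="6.0.10"
readonly ZEEK_BRANCH="release/5.2"
readonly ZEEK_PREFIX="/opt/zeek"
readonly ELASTIC_DOWNLOADS="https://artifacts.elastic.co/downloads"

# Exported so the expect scripts read it via $env(...) instead of having the
# value spliced into the expect source text (where quotes, brackets or
# backslashes in a password would change the script's meaning).
ELASTIC_PASSWORD="${ELASTIC_PASSWORD:-password}"
export ELASTIC_PASSWORD
readonly ELASTIC_PASSWORD

# Config files this script expects in the current directory.
readonly -a CONFIG_FILES=(
  elasticsearch.yml
  kibana.yml
  node.cfg
  suricata.yaml
  suricata.service
  filebeat.yml
  zeek.yml.disabled
  suricata.yml.disabled
)

# First address reported by `hostname -I`; filled in by main().
HOST_IP=""

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a line to stdout.
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Print a warning line to stderr.
#######################################
warn() {
  printf 'WARNING: %s\n' "$*" >&2
}

#######################################
# Show an in-place countdown, one tick per second.
# Arguments: $1 - number of seconds
#######################################
countdown() {
  local -i remaining=$1
  while (( remaining > 0 )); do
    printf '\rCountdown: %2d seconds remaining' "$remaining"
    sleep 1
    remaining=$((remaining - 1))
  done
}

#######################################
# Abort unless running as root; every step below writes to /etc and /opt.
#######################################
require_root() {
  (( EUID == 0 )) || die "this script must be run as root (use sudo)"
}

#######################################
# Verify every bundled config file is present before any work starts.
#######################################
check_config_files() {
  local f
  for f in "${CONFIG_FILES[@]}"; do
    [[ -f "$f" ]] || die "required config file '$f' not found in $PWD"
  done
}

#######################################
# Move an existing config aside as "<dst>.old" and install the local copy.
# Arguments: $1 - source file (in the current directory), $2 - destination path
#######################################
install_config() {
  local src=$1 dst=$2
  if [[ -e "$dst" ]]; then
    mv -- "$dst" "${dst}.old"
  fi
  cp -- "$src" "$dst"
}

#######################################
# Download an Elastic RPM and verify its GPG signature before it is installed.
# Arguments: $1 - URL path below $ELASTIC_DOWNLOADS, $2 - local file name
#######################################
fetch_elastic_rpm() {
  local path=$1 rpm_file=$2
  wget "${ELASTIC_DOWNLOADS}/${path}/${rpm_file}"
  # Relies on the Elastic signing key imported in setup_repos(); an unsigned
  # or tampered package fails here instead of being installed.
  rpm --checksig "$rpm_file" || die "signature check failed for $rpm_file"
}

#######################################
# Import signing keys, enable the extra repositories and update the system.
#######################################
setup_repos() {
  rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
  # Key that signs the Elasticsearch/Kibana/Filebeat RPMs fetched below.
  rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  dnf config-manager --set-enabled crb
  dnf install epel-release -y
  dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  dnf update -y
}

#######################################
# Install the tools plus the Zeek and Suricata build dependencies.
#######################################
install_deps() {
  dnf install tar htop git vim wget util-linux-user net-tools unzip expect -y
  # Zeek build dependencies
  dnf install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python3 python3-devel swig zlib-devel -y
  # Suricata build dependencies
  dnf install pcre-devel libyaml-devel jansson-devel lua-devel file-devel nspr-devel nss-devel libcap-ng-devel libmaxminddb-devel lz4-devel rustc cargo python3-pyyaml -y
}

#######################################
# Reset an Elasticsearch built-in user's password to $ELASTIC_PASSWORD.
# The heredoc is single-quoted so neither the user name nor the password is
# expanded into the expect source; expect reads both from its environment.
# The exit status of elasticsearch-reset-password is propagated so a failed
# reset aborts the install instead of being silently ignored.
# Arguments: $1 - user name (elastic, kibana_system)
#######################################
reset_elastic_password() {
  local user=$1
  ELASTIC_USER="$user" /usr/bin/expect <<'EOD' || die "failed to reset password for $user"
spawn /usr/share/elasticsearch/bin/elasticsearch-reset-password -u $env(ELASTIC_USER) -i
expect "Please confirm that you would like to continue"
send "y\r"
expect "Please enter new password for user \\[$env(ELASTIC_USER)\\]: "
send "$env(ELASTIC_PASSWORD)\r"
expect "Please confirm new password for user \\[$env(ELASTIC_USER)\\]: "
send "$env(ELASTIC_PASSWORD)\r"
expect eof
lassign [wait] pid spawnid os_error status
exit $status
EOD
}

#######################################
# Install, configure and start Elasticsearch, then set the built-in passwords.
#######################################
install_elasticsearch() {
  local rpm_file="elasticsearch-${ELASTIC_VERSION}-x86_64.rpm"
  # Elasticsearch refuses to start with a low vm.max_map_count.
  sysctl -w vm.max_map_count=262144
  # Persist it, appending only once so repeated runs don't pile up entries.
  if ! grep -qs '^vm.max_map_count=262144$' /etc/sysctl.conf; then
    printf 'vm.max_map_count=262144\n' >> /etc/sysctl.conf
  fi
  sysctl -p || warn "sysctl -p reported errors; the runtime value was still set above"
  fetch_elastic_rpm elasticsearch "$rpm_file"
  rpm --install "$rpm_file"
  install_config elasticsearch.yml /etc/elasticsearch/elasticsearch.yml
  systemctl daemon-reload
  systemctl enable elasticsearch.service
  systemctl start elasticsearch.service
  log "Changing default elastic password..."
  sleep 30 # give the node time to come up before the reset tool connects
  reset_elastic_password elastic
  reset_elastic_password kibana_system
}

#######################################
# Install Kibana, point server.host at this machine and start it.
#######################################
install_kibana() {
  local rpm_file="kibana-${ELASTIC_VERSION}-x86_64.rpm"
  local config_file="/etc/kibana/kibana.yml"
  fetch_elastic_rpm kibana "$rpm_file"
  rpm --install "$rpm_file"
  install_config kibana.yml "$config_file"
  sed -i "s/^server\.host:.*/server.host: \"$HOST_IP\"/g" "$config_file"
  log "server.host has been set to $HOST_IP in $config_file"
  systemctl daemon-reload
  systemctl enable kibana.service
  systemctl start kibana.service
}

#######################################
# Build Zeek from the release branch, install its config and JSON logging,
# and put its binaries on the PATH.
#######################################
install_zeek() {
  git clone --recurse-submodules -b "$ZEEK_BRANCH" https://github.com/zeek/zeek.git
  # Build in a subshell so the working directory is restored even on failure.
  (
    cd zeek
    ./configure --prefix="$ZEEK_PREFIX" --localstatedir=/var/log/zeek --conf-files-dir=/etc/zeek --disable-spicy
    make -j"$(nproc)"
    make install
  )
  install_config node.cfg /etc/zeek/node.cfg
  # JSON logs are what the Filebeat zeek module ingests.
  printf '@load %s/share/zeek/policy/tuning/json-logs.zeek\n' "$ZEEK_PREFIX" >> "${ZEEK_PREFIX}/share/zeek/site/local.zeek"
  sed -i 's|SitePolicyScripts = local.zeek|SitePolicyScripts = local.zeek, json-logs.zeek|' /etc/zeek/zeekctl.cfg
  log "The default node.cfg file has been created at /etc/zeek/node.cfg"
  # Login shells pick the path up from /etc/profile; the export covers the
  # rest of this run (sourcing ~/.bashrc from a root script did neither reliably).
  printf 'export PATH="%s/bin:$PATH"\n' "$ZEEK_PREFIX" >> /etc/profile
  log "Zeek binary path added to /etc/profile"
  export PATH="${ZEEK_PREFIX}/bin:$PATH"
}

#######################################
# Build Suricata from the release tarball and install its config and unit file.
#######################################
install_suricata() {
  local src_dir="suricata-${SURICATA_VERSION}"
  local tarball="${src_dir}.tar.gz"
  # -f makes an HTTP error fail the download instead of saving an error page.
  # TODO(review): no checksum or signature is verified for this tarball.
  curl -fL -O "https://www.openinfosecfoundation.org/download/${tarball}"
  tar xzvf "$tarball"
  (
    cd "$src_dir"
    ./configure --prefix=/opt/suricata --enable-lua --enable-geoip --localstatedir=/var/ --sysconfdir=/etc --disable-gccmarch-native --enable-profiling --enable-http2-decompression --enable-python --enable-af-packet
    make -j"$(nproc)"
    make install-full
  )
  install_config suricata.yaml /etc/suricata/suricata.yaml
  log "The default suricata.yaml file has been created at /etc/suricata/suricata.yaml"
  mv -- suricata.service /etc/systemd/system/suricata.service
  systemctl daemon-reload
  systemctl enable suricata.service
  log "Suricata systemd service file has been created and enabled."
}

#######################################
# Install Filebeat and its Zeek/Suricata module configs, pointing it at Kibana.
#######################################
install_filebeat() {
  local rpm_file="filebeat-${ELASTIC_VERSION}-x86_64.rpm"
  local config_file="/etc/filebeat/filebeat.yml"
  fetch_elastic_rpm beats/filebeat "$rpm_file"
  rpm -vi "$rpm_file"
  install_config filebeat.yml "$config_file"
  sed -i "s/^setup\.kibana\.host:.*/setup.kibana.host: \"$HOST_IP:5601\"/g" "$config_file"
  log "setup.kibana.host has been set to $HOST_IP:5601 in $config_file"
  install_config zeek.yml.disabled /etc/filebeat/modules.d/zeek.yml.disabled
  install_config suricata.yml.disabled /etc/filebeat/modules.d/suricata.yml.disabled
}

#######################################
# Open the Kibana and Elasticsearch ports in firewalld (skipped with a
# warning when firewalld is not running).
#######################################
configure_firewall() {
  if ! firewall-cmd --state >/dev/null 2>&1; then
    warn "firewalld is not running; ports 5601 and 9200 were not opened"
    return 0
  fi
  # 5601 = Kibana UI, 9200 = Elasticsearch API. Both are opened to every
  # source; restrict them to the hosts that need access where possible.
  firewall-cmd --add-port 5601/tcp --permanent
  firewall-cmd --add-port 9200/tcp --permanent
  firewall-cmd --reload
}

#######################################
# Enable the Filebeat modules, load its dashboards and start it.
#######################################
start_services() {
  log " "
  log " "
  log "The sensor is now installed and configured"
  log " "
  log "Starting Services in 10 seconds..."
  countdown 10
  filebeat modules enable suricata zeek
  filebeat setup -e
  systemctl start filebeat
}

#######################################
# Tell the operator where things ended up.
#######################################
print_summary() {
  log "The default node.cfg file has been created at /etc/zeek/node.cfg"
  log "zeek has been installed at ${ZEEK_PREFIX} (which has been added to your PATH variable). You can interact with zeek via zeekctl."
  log " "
  log "The default suricata.yaml file has been created at /etc/suricata/suricata.yaml"
  log "A systemd file has been created for suricata. You can now interact with suricata via systemctl"
  log " "
  # More PCAPs to analyze:
  # https://www.malware-traffic-analysis.net/training-exercises.html
}

main() {
  log " "
  log " "
  printf 'This script \033[4mMUST\033[0m be run with sudo permissions\n'
  log " "
  log "This script may take a few hours to run."
  log " "
  require_root
  check_config_files
  if [[ "$ELASTIC_PASSWORD" == "password" ]]; then
    warn "ELASTIC_PASSWORD is not set; the elastic and kibana_system users get the default password. Set ELASTIC_PASSWORD (and keep any credential in kibana.yml/filebeat.yml in sync) before exposing this host."
  fi
  log "This script will automatically start in 30 seconds..."
  countdown 30
  log " "
  log "Starting Script..."
  HOST_IP=$(hostname -I | awk '{print $1}')
  [[ -n "$HOST_IP" ]] || die "could not determine the host IP address"
  readonly HOST_IP
  setup_repos
  install_deps
  install_elasticsearch
  install_kibana
  install_zeek
  install_suricata
  install_filebeat
  configure_firewall
  start_services
  print_summary
}

main "$@"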