dev4vater / vater


Packer Template for `Ops Network - Secure: Security Onion` #139

Open rylagek opened 2 years ago

rylagek commented 2 years ago

Implementing #99

Configured to run

rylagek commented 2 years ago

Hardware Requirements (Airgapped standalone): 12 Gb RAM, 105 Gb Disk, 2+ NIC

rylagek commented 2 years ago

Base system needs two static ip addresses prior to full installation

rylagek commented 2 years ago

Qs through installation: Optional components: grafana osquery wazuh thehive playbook strelka

number of zeek processes & suricata processes?

rylagek commented 2 years ago

Default eval services - eval is recommended for classroom/small lab image

Missing - logstash, Arkime, Snort, Nmap

Logstash might be included but not shown. Snort functionality might be included based on installation config Qs (rule list) but isn't explicitly running or configured. Arkime and Nmap definitely need to be installed.

rylagek commented 2 years ago

Logstash is included in Security Onion but not used in the eval installation, only in the standalone and distributed ones. This is explained in the Architecture documentation.

rylagek commented 2 years ago

Snort is included in v16 but only mentioned in v2.3. The default NIDS for v2.3 is Suricata.

rylagek commented 2 years ago

https://resources.infosecinstitute.com/topic/open-source-ids-snort-suricata/

rylagek commented 2 years ago

Rebuilt as standalone image

rylagek commented 2 years ago

Arkime for Centos 7

rylagek commented 2 years ago

Install nmap for centos: sudo yum install nmap -y
Install open-vm-tools for centos: sudo yum install open-vm-tools -y

rylagek commented 2 years ago

Qs through installation: Optional components: grafana osquery wazuh thehive playbook strelka

number of zeek processes & suricata processes?

None of the optional components are necessary

3 and 1 respectively for now

rylagek commented 2 years ago

Snort is unnecessary as Suricata can use the Snort rules we would have students write

rylagek commented 2 years ago

Explicit differences according to the Suricata Docs

rylagek commented 2 years ago

Helpful commands finding middle ground b/w airgap and standard install methods - might still need open-vm-tools

vi /etc/sysconfig/network-scripts/ifcfg-ensXXX   # location of dhcp variable
systemctl restart network                        # restart for settings to take effect
vi /etc/resolv.conf                              # add preferred dns server
route add default gw x.x.x.x ensXXX              # add default route
rpm -vhU https://nmap.org/dist/nmap-7.92-1.x86_64.rpm
yum reinstall centos-release                     # fix dependency installation issues from airgapped install
sudo yum install -y https://s3.amazonaws.com/files.molo.ch/builds/centos-7/arkime-3.3.1-1.x86_64.rpm   # install arkime and dependencies

rylagek commented 2 years ago

Elasticsearch is 7.9.3 by default - needs to be greater than 7.10.0 to support Arkime
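
An added example, not code from the vater repo or from this thread: a pre-flight check that reads the running Elasticsearch version and refuses to proceed to Arkime's `db.pl` when it is below the 7.10.0 floor the comment above gives. The two JSON strings are constructed to look like an Elasticsearch root response; the `es_live_check` helper (its URL and user arguments are assumptions) is how the same check would be pointed at a real node.

```shell
#!/bin/sh
# Added example, not code from the dev4vater/vater repo: before running
# /opt/arkime/db/db.pl, confirm the Elasticsearch behind Security Onion is
# new enough for Arkime. The thread gives 7.10.0 as the floor (the older
# ISO ships 7.9.3). The JSON below is constructed to look like the root
# response of an Elasticsearch node; the live check is a separate function.
MIN_ES_VERSION="7.10.0"

SAMPLE_OLD='{"name":"so-node","version":{"number":"7.9.3","build_flavor":"default"},"tagline":"You Know, for Search"}'
SAMPLE_NEW='{"name":"so-node","version":{"number":"7.17.0","build_flavor":"default"},"tagline":"You Know, for Search"}'

# es_version_from_json: extract version.number from the root response on
# stdin without jq (sed only, so it runs on a bare CentOS 7 sensor)
es_version_from_json() {
    sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing dotted components as
# numbers (so 7.10.0 sorts after 7.9.3, unlike a plain string compare)
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# arkime_es_ok JSON: succeed when the node described by JSON can back Arkime
arkime_es_ok() {
    ver=$(printf '%s' "$1" | es_version_from_json)
    [ -n "$ver" ] || { echo "could not read version.number" >&2; return 2; }
    if version_ge "$ver" "$MIN_ES_VERSION"; then
        echo "elasticsearch $ver is ok for arkime"
    else
        echo "elasticsearch $ver is too old, need >= $MIN_ES_VERSION (rolling upgrade first)" >&2
        return 1
    fi
}

# es_live_check URL USER: the same check against a real node. Security
# Onion's Elasticsearch sits behind a self-signed cert and so-elastic-auth,
# hence -k and -u, matching the curl command used later in the thread.
# Not run here; URL and USER are assumed arguments.
es_live_check() {
    arkime_es_ok "$(curl -s -k -u "$2" "$1")"
}

arkime_es_ok "$SAMPLE_NEW"
arkime_es_ok "$SAMPLE_OLD" || echo "(expected failure for the 7.9.3 sample)"
```

Running the script as-is only exercises the constructed samples; on a sensor, `es_live_check https://localhost:9200 <user>` would replace the last two lines, and a non-zero exit is the signal to do the rolling upgrade before touching `db.pl`.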

rylagek commented 2 years ago

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/rolling-upgrades.html

rylagek commented 2 years ago

Airgapped config is tricky - set up route for internet access and then: yum reinstall http://mirror.centos.org/centos/7/updates/x86_64/Packages/centos-release-7-9.2009.1.el7.centos.x86_64.rpm

rylagek commented 2 years ago

then yum install <whatever> should work if it's included in the base repo

rylagek commented 2 years ago

After a reboot the vsphere registers that the tools are installed

rylagek commented 2 years ago

Just noticed our security onion iso version is 2.3.21 and the newest is 2.3.100 - rebuilding with newer iso should resolve the issue with arkime

rylagek commented 2 years ago

https://github.com/Security-Onion-Solutions/securityonion/blob/master/VERIFY_ISO.md

rylagek commented 2 years ago

Security Onion 2.3.100 Setup

1. sign in, pw again [ENTER]
2. enter (install)
3. standalone
4. seconion
5. no description
6. management nic
7. static ip w/ cidr mask
8. gw
9. dns addresses (default)
10. dns search domain (default)
11. airgap
12. monitor nic (remaining one)
13. home networks (non-internet)
14. basic manager install
15. zeek
16. etopen
17. no osquery, wazuh, playbook or strelka
18. default docker range
19. email pw, confirm pw
20. ip to access
21. set soremote user pw, confirm
22. basic zeek processes (3)
23. suricata processes (3)
24. ntp servers - no
25. nodebasic search node
26. allow web access ip address
27. confirm config options
28. let setup run

rylagek commented 2 years ago

has to be set up with static addressing that matches assigned addressing (can't be contacted by dhcp server) then switched over to internet access

sudo ip a add 192.168.100.xx/22 dev ens192
sudo ip route add default via 192.168.103.254 dev ens192
rpm -q centos-release
sudo yum reinstall http://mirror.centos.org/centos/7/updates/x86_64/Packages/centos-release-7-9.2009.1.el7.centos.x86_64.rpm
sudo yum install -y open-vm-tools nmap
sudo yum install -y https://s3.amazonaws.com/files.molo.ch/builds/centos-7/arkime-3.3.1-1.x86_64.rpm

rylagek commented 2 years ago

once all internet dependencies are fulfilled, remove non-airgap artifacts

sudo ip a del 192.168.100.xx/22 dev ens192
sudo ip route del default via 192.168.103.254 dev ens192
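
An added example, not code from the vater repo or from these comments: the two comments above (temporary address and route in, install, then remove the non-airgap artifacts) wrapped in one POSIX sh function so the teardown cannot be forgotten, with a CIDR sanity check before anything is applied. The address, gateway and interface values are constructed placeholders standing in for the `192.168.100.xx/22` / `ens192` values in the thread, and `DRY_RUN=1` (the default) only prints the `ip` commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the dev4vater/vater repo: wrap the
# "temporarily put the air-gapped sensor online, install, tear it down"
# sequence from the thread in one function so the cleanup step is never
# skipped. Address, gateway and interface are constructed placeholders
# (TEMP_ADDR stands in for the 192.168.100.xx/22 in the thread).
TEMP_ADDR="${TEMP_ADDR:-192.168.100.50/22}"
TEMP_GW="${TEMP_GW:-192.168.103.254}"
TEMP_IF="${TEMP_IF:-ens192}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# run_cmd: log the exact command, and execute it unless DRY_RUN=1
run_cmd() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# valid_cidr: accept only a.b.c.d/n with each octet <= 255 and n <= 32,
# so a typo cannot leave a half-configured interface behind
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
        }'
}

# online_up: the two commands from the thread that give the box a route out
online_up() {
    valid_cidr "$TEMP_ADDR" || { echo "invalid CIDR: $TEMP_ADDR" >&2; return 1; }
    run_cmd ip addr add "$TEMP_ADDR" dev "$TEMP_IF"
    run_cmd ip route add default via "$TEMP_GW" dev "$TEMP_IF"
}

# online_down: remove the non-airgap artifacts, in reverse order
online_down() {
    run_cmd ip route del default via "$TEMP_GW" dev "$TEMP_IF"
    run_cmd ip addr del "$TEMP_ADDR" dev "$TEMP_IF"
}

# with_internet CMD...: run CMD with the temporary route in place and always
# tear it down afterwards, even if CMD fails or the script is interrupted
with_internet() {
    online_up || return 1
    trap online_down EXIT
    "$@"
    rc=$?
    trap - EXIT
    online_down
    return "$rc"
}

# usage: with DRY_RUN=0 this would really run the install on the sensor
with_internet run_cmd yum install -y open-vm-tools nmap
```

In dry-run mode the script prints the five commands in the order they would execute (address add, route add, yum install, route del, address del); the install command is passed through `run_cmd` too, so `DRY_RUN` gates everything and the Packer provisioner can call the same script with `DRY_RUN=0`.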

rylagek commented 2 years ago

set up arkime /opt/arkime/db/db.pl http://ESHOST:9200 init

rylagek commented 2 years ago

https://docs.securityonion.net/en/16.04/setup.html use this for setup automation

rylagek commented 2 years ago

/opt/arkime/db/db.pl http://ESHOST:9200 init wasn't finding ES running, trying to give access with sudo so-allow followed by the e option

rylagek commented 2 years ago

That didn't change the inability to run the arkime command. so-elasticsearch-query works, but unsure why anything else is not working

rylagek commented 2 years ago

Looking likely that it is from security updates in the new version https://stackoverflow.com/questions/35921195/curl-52-empty-reply-from-server-timeout-when-querying-elastiscsearch

rylagek commented 2 years ago

Something like this might do it curl -X GET "https://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=50s&pretty" --key certificates/elasticsearch-ca.pem -k -u elasticuser

rylagek commented 2 years ago

Security Onion is in fact using self signed certificates

rylagek commented 2 years ago

curl -X GET "https://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=50s&pretty" --key certificates/elasticsearch-ca.pem -k -u seconion@mail.mil and then typing the password when prompted worked

rylagek commented 2 years ago

need to update the arkime setup db file to use the snake oil ssl and creds

rylagek commented 2 years ago

global options seem to have the options we need, but might need to actually edit arkime config file

marissaeinhorn commented 2 years ago

Syntax /opt/arkime/db/db.pl --clientkey <key> --esuser <user> https://localhost:9200 init - still doesn't find elasticsearch running

marissaeinhorn commented 2 years ago

Modifying /opt/so/conf/elasticsearch/elasticsearch.yml

marissaeinhorn commented 2 years ago

Tried disabling authentication for elasticsearch: sudo so-elastic-auth false. Elastic-auth allows kibana, elasticsearch and other services to authenticate with the same set of credentials. Re-enabled the service.

marissaeinhorn commented 2 years ago

Followed this guide to install arkime and elasticsearch on ubuntu article

no ssl certs and arkime inits to database

rylagek commented 2 years ago

That article uses arkime version 2.7. Does it work with the current version 3? @marissaeinhorn

marissaeinhorn commented 2 years ago

Yes you just have to change the package names at install

marissaeinhorn commented 2 years ago

Arkime installed on ubuntu 20

su root
apt-get update -y
apt-get install gnupg2 curl wget -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch --no-check-certificate | apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list
apt-get update -y
apt-get install elasticsearch -y
systemctl enable --now elasticsearch
wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/arkime_3.4.0-1_amd64.deb
apt install -y ./arkime_3.4.0-1_amd64.deb
/opt/arkime/bin/Configure

Last command will be harder to automate, Configure script has prompts. May be easier to replace /opt/arkime/etc/configure.ini file

  1. set listener interface - ens160;ens192
  2. default - press enter
  3. default - press enter
  4. password - arkime
  5. geo files default - press enter

/opt/arkime/db/db.pl http://localhost:9200 init
/opt/arkime/bin/arkime_add_user.sh admin "SuperAdmin" admin --admin
crontab -e
@reboot sleep 120 && systemctl start arkimecapture.service
@reboot sleep 120 && systemctl start arkimeviewer.service

Set static ip 172.16.50.3/24. Manual configuration complete & tested; creating template for terraform testing