rocknsm / rock-dashboards

Dashboards and loader for ROCK NSM dashboards
http://rocknsm.io
Apache License 2.0

Fix hard coded IP in index patterns #62

Closed webhead404 closed 4 years ago

webhead404 commented 4 years ago

The hardcoded IP address addressed here in commit: 2c73726 still applies to ecs index patterns

https://github.com/rocknsm/rock-dashboards/blob/master/ecs-configuration/kibana/index-pattern/ecs-all.ndjson

peasead commented 4 years ago

Verified, this is an artifact of the export script from the VM that it was collected from.

@bndabbs @dcode do you know what this should be or how to sanitize it?

peasead commented 4 years ago


@bndabbs @dcode any thoughts on how to sanitize this? Likely an artifact of the export script for dashboards. This prevents Docket from working.

dcode commented 4 years ago

In the calculated field in the index pattern (each of the index patterns), make the URL relative to the host... i.e. /app/docket/uri/blah or whatever. Delete all the http://1.2.3.4.

peasead commented 4 years ago

{"attributes":{"fieldFormatMap":"{\"event.duration\":{\"id\":\"duration\",\"params\":{\"parsedUrl\":
{\"origin\":\"https://172.16.181.137\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"inputFormat\":
\"nanoseconds\"}},\"conn.duration\":{\"id\":\"duration\",\"params\":{\"parsedUrl\":
{\"origin\":\"https://172.16.181.137\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"inputFormat\":
\"nanoseconds\"}},\"files.duration\":{\"id\":\"duration\",\"params\":{\"parsedUrl\":
{\"origin\":\"https://172.16.181.137\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"pcap.query\"
:{\"id\":\"url\",\"params\":{\"parsedUrl\":
...

That won't fix the build. It needs to be fixed in the repo so that when ROCK is built, it uses the URL relative to the host.

peasead commented 4 years ago

@bndabbs and I are working on this.

peasead commented 4 years ago

Needs to be done in ecs-all... and ecs-suricata...

peasead commented 4 years ago

pushed a fix into master. doing tests.

peasead commented 4 years ago

Appears to be fix't in this release: https://mirror.rocknsm.io/isos/testing/rocknsm-20200607-18:58:06.iso

Recommended pushing into Stable.

peasead commented 4 years ago

As a workaround, you can do this:

  1. download ecs-all.ndjson and ecs-suricata.ndjson. You can do this manually or from the sensor using curl
    curl -OL https://raw.githubusercontent.com/rocknsm/rock-dashboards/master/ecs-configuration/kibana/index-pattern/ecs-suricata-all.ndjson
    curl -OL https://raw.githubusercontent.com/rocknsm/rock-dashboards/master/ecs-configuration/kibana/index-pattern/ecs-all.ndjson
  2. Copy these index patterns so they can be deployed
    sudo cp ecs-suricata-all.ndjson ecs-all.ndjson /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/index-pattern/
    sudo chmod 664 /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/index-pattern/ecs-suricata-all.ndjson
    sudo chmod 664 /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/index-pattern/ecs-all.ndjson
  3. Run the import script to reload the corrected Index Patterns
    cd /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/
    sudo sh import-saved-items.sh

    Should work. LMK

We're building this into the ISO, final testing happening.
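A small check for the defect this issue is about, added here as example code (not part of rock-dashboards): it walks a Kibana saved-objects NDJSON export, reports every `fieldFormatMap` entry whose `parsedUrl.origin` is a hard-coded absolute URL, and blanks it so the formatter resolves relative to the host. The sample export is constructed to mirror the excerpt quoted above; treating an empty `origin` as "relative to the host" is an assumption.

```python
import json
import re

# Constructed sample: one index-pattern line shaped like the ecs-all.ndjson
# excerpt in this issue (fieldFormatMap is a JSON string nested inside JSON),
# plus one unrelated saved object that must pass through untouched.
_FORMAT_MAP = {
    "event.duration": {"id": "duration", "params": {
        "parsedUrl": {"origin": "https://172.16.181.137",
                      "pathname": "/app/kibana", "basePath": ""},
        "inputFormat": "nanoseconds"}},
    "pcap.query": {"id": "url", "params": {
        "parsedUrl": {"origin": "https://172.16.181.137",
                      "pathname": "/app/kibana", "basePath": ""}}},
}
SAMPLE_NDJSON = json.dumps({
    "attributes": {"title": "ecs-*", "fieldFormatMap": json.dumps(_FORMAT_MAP)},
    "id": "ecs-all", "type": "index-pattern",
}) + "\n" + json.dumps({
    "attributes": {"title": "Overview"}, "id": "ov", "type": "dashboard",
}) + "\n"

ABSOLUTE_ORIGIN = re.compile(r"^https?://")


def sanitize_export(ndjson_text):
    """Blank every absolute parsedUrl.origin; return (cleaned_ndjson, findings).

    findings is a list of (line_no, field_name, origin) for each hit.
    Assumption: an empty origin is what 'relative to the host' means here.
    """
    out, findings = [], []
    for line_no, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        raw = obj.get("attributes", {}).get("fieldFormatMap")
        if raw:
            fmt = json.loads(raw)  # decode the nested JSON string
            for field, spec in fmt.items():
                parsed = spec.get("params", {}).get("parsedUrl")
                origin = parsed.get("origin") if isinstance(parsed, dict) else None
                if origin and ABSOLUTE_ORIGIN.match(origin):
                    findings.append((line_no, field, origin))
                    parsed["origin"] = ""
            obj["attributes"]["fieldFormatMap"] = json.dumps(fmt, separators=(",", ":"))
        out.append(json.dumps(obj, separators=(",", ":")))
    return "\n".join(out) + "\n", findings
```

Running `sanitize_export` over a real export before committing it would catch the leaked `https://172.16.181.137` origin at review time rather than after a build.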