diff --git a/.gitignore b/.gitignore index dacd12eaf..c940dfb11 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,7 @@ /nginx/htpasswd /htadmin/config.ini /htadmin/metadata +/elastalert/config/smtp-auth.yaml # development .vagrant diff --git a/Dockerfiles/moloch.Dockerfile b/Dockerfiles/moloch.Dockerfile index 78bb8e82f..f1740f6db 100644 --- a/Dockerfiles/moloch.Dockerfile +++ b/Dockerfiles/moloch.Dockerfile @@ -1,15 +1,14 @@ -FROM debian:stretch-slim AS build +FROM debian:buster-slim AS build # Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="Seth.Grover@inl.gov" ENV DEBIAN_FRONTEND noninteractive -ENV MOLOCH_VERSION "2.0.0" +ENV MOLOCH_VERSION "2.0.1" ENV MOLOCHDIR "/data/moloch" ENV ZEEK_VERSION "2.6.4" ENV ZEEK_DIR "/opt/bro" -ENV CYBERCHEF_VERSION "8.30.1" ENV ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER "1.2" ADD moloch/scripts/bs4_remove_div.py /data/ @@ -18,11 +17,10 @@ ADD README.md $MOLOCHDIR/doc/ ADD doc.css $MOLOCHDIR/doc/ ADD docs/images $MOLOCHDIR/doc/images/ ADD https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz /data/moloch.tar.gz -ADD https://github.com/gchq/CyberChef/releases/download/v$CYBERCHEF_VERSION/cyberchef.htm $MOLOCHDIR/doc/cyberchef.htm ADD https://www.zeek.org/downloads/bro-$ZEEK_VERSION.tar.gz /data/bro.tar.gz ADD https://github.com/corelight/bro-community-id/archive/$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER.tar.gz /data/bro-community-id.tar.gz -RUN sed -i "s/stretch main/stretch main contrib non-free/g" /etc/apt/sources.list && \ +RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ apt-get install -q -y --no-install-recommends \ bison \ @@ -42,7 +40,7 @@ RUN sed -i "s/stretch main/stretch main contrib non-free/g" /etc/apt/sources.lis libkrb5-dev \ libmaxminddb-dev \ libpcap0.8-dev \ - libssl1.0-dev \ + libssl-dev \ libtool \ libwww-perl \ libyaml-dev \ 
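Review bot: The bump to `ENV MOLOCH_VERSION "2.0.1"` changes which archive `ADD https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz /data/moloch.tar.gz` pulls into the build stage, but that archive and the Zeek and bro-community-id tarballs fetched beside it are never integrity-checked, so the image content depends on whatever those URLs serve at build time. Pinning a digest and verifying it in the RUN step that unpacks the archive (outside these hunks), `echo "<EXPECTED_SHA256>  /data/moloch.tar.gz" | sha256sum -c -`, would make the build reproducible and fail loudly if the upstream archive changes. The stretch-to-buster move and the libssl-dev switch are fine as written; this is only about the unverified downloads the version bump now points at.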
@@ -108,10 +106,6 @@ RUN sed -i "s/stretch main/stretch main contrib non-free/g" /etc/apt/sources.lis cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./viewer/public/header_logo.png && \ cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./viewer/vueapp/src/assets/logo.png && \ find $MOLOCHDIR/doc/images/screenshots -name "*.png" -delete && \ - cp -v $MOLOCHDIR/doc/cyberchef.htm ./viewer/public/cyberchef.htm && \ - rm -f ./viewer/public/cyberchef.htm.gz && \ - gzip ./viewer/public/cyberchef.htm && \ - chmod 664 ./viewer/public/cyberchef.htm.gz $MOLOCHDIR/doc/cyberchef.htm && \ export PATH="$MOLOCHDIR/bin:${PATH}" && \ ln -sf $MOLOCHDIR/bin/npm /usr/local/bin/npm && \ ln -sf $MOLOCHDIR/bin/node /usr/local/bin/node && \ @@ -130,7 +124,7 @@ RUN sed -i "s/stretch main/stretch main contrib non-free/g" /etc/apt/sources.lis /tmp/* \ /var/tmp/* -FROM debian:stretch-slim AS runtime +FROM debian:buster-slim AS runtime # Copyright (c) 2019 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="Seth.Grover@inl.gov" @@ -183,7 +177,7 @@ ENV ZEEK_EXTRACTOR_PATH $ZEEK_EXTRACTOR_PATH COPY --from=build $MOLOCHDIR $MOLOCHDIR COPY --from=build $ZEEK_DIR $ZEEK_DIR -RUN sed -i "s/stretch main/stretch main contrib non-free/" /etc/apt/sources.list && \ +RUN sed -i "s/buster main/buster main contrib non-free/" /etc/apt/sources.list && \ apt-get -q update && \ apt-get install -q -y --no-install-recommends \ cron \ @@ -218,7 +212,7 @@ RUN sed -i "s/stretch main/stretch main contrib non-free/" /etc/apt/sources.list ln -sf $MOLOCHDIR/bin/npm /usr/local/bin/npm && \ ln -sf $MOLOCHDIR/bin/node /usr/local/bin/node && \ ln -sf $MOLOCHDIR/bin/npx /usr/local/bin/npx && \ - apt-get -q -y --purge remove gcc gcc-6 cpp cpp-6 libssl1.0-dev && \ + apt-get -q -y --purge remove gcc gcc-8 cpp cpp-8 libssl-dev && \ apt-get -q -y autoremove && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* diff --git a/README.md b/README.md index 469a5172d..b8b14feff 100644 --- a/README.md 
+++ b/README.md @@ -112,17 +112,17 @@ You can then observe that the images have been retrieved by running `docker imag ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/moloch 1.5.1 xxxxxxxxxxxx 27 minutes ago 517MB -malcolmnetsec/htadmin 1.5.1 xxxxxxxxxxxx 2 hours ago 180MB -malcolmnetsec/nginx-proxy 1.5.1 xxxxxxxxxxxx 4 hours ago 53MB -malcolmnetsec/file-upload 1.5.1 xxxxxxxxxxxx 24 hours ago 198MB -malcolmnetsec/pcap-capture 1.5.1 xxxxxxxxxxxx 24 hours ago 111MB -malcolmnetsec/file-monitor 1.5.1 xxxxxxxxxxxx 24 hours ago 355MB -malcolmnetsec/logstash-oss 1.5.1 xxxxxxxxxxxx 25 hours ago 1.24GB -malcolmnetsec/curator 1.5.1 xxxxxxxxxxxx 25 hours ago 303MB -malcolmnetsec/kibana-oss 1.5.1 xxxxxxxxxxxx 33 hours ago 944MB -malcolmnetsec/filebeat-oss 1.5.1 xxxxxxxxxxxx 11 days ago 459MB -malcolmnetsec/elastalert 1.5.1 xxxxxxxxxxxx 11 days ago 276MB +malcolmnetsec/moloch 1.5.2 xxxxxxxxxxxx 27 minutes ago 517MB +malcolmnetsec/htadmin 1.5.2 xxxxxxxxxxxx 2 hours ago 180MB +malcolmnetsec/nginx-proxy 1.5.2 xxxxxxxxxxxx 4 hours ago 53MB +malcolmnetsec/file-upload 1.5.2 xxxxxxxxxxxx 24 hours ago 198MB +malcolmnetsec/pcap-capture 1.5.2 xxxxxxxxxxxx 24 hours ago 111MB +malcolmnetsec/file-monitor 1.5.2 xxxxxxxxxxxx 24 hours ago 355MB +malcolmnetsec/logstash-oss 1.5.2 xxxxxxxxxxxx 25 hours ago 1.24GB +malcolmnetsec/curator 1.5.2 xxxxxxxxxxxx 25 hours ago 303MB +malcolmnetsec/kibana-oss 1.5.2 xxxxxxxxxxxx 33 hours ago 944MB +malcolmnetsec/filebeat-oss 1.5.2 xxxxxxxxxxxx 11 days ago 459MB +malcolmnetsec/elastalert 1.5.2 xxxxxxxxxxxx 11 days ago 276MB docker.elastic.co/elasticsearch/elasticsearch-oss 6.8.3 xxxxxxxxxxxx 5 weeks ago 769MB ``` 
@@ -231,7 +231,7 @@ Then, go take a walk or something since it will be a while. When you're done, yo * `malcolmnetsec/htadmin` (based on `debian:buster-slim`) * `malcolmnetsec/kibana-oss` (based on `docker.elastic.co/kibana/kibana-oss`) * `malcolmnetsec/logstash-oss` (based on `centos:7`) -* `malcolmnetsec/moloch` (based on `debian:stretch-slim`) +* `malcolmnetsec/moloch` (based on `debian:buster-slim`) * `malcolmnetsec/nginx-proxy` (based on `jwilder/nginx-proxy:alpine`) * `malcolmnetsec/pcap-capture` (based on `debian:buster-slim`) @@ -312,7 +312,8 @@ Run `install.py malcolm_XXXXXXXX_XXXXXX_XXXXXXX.tar.gz` and follow the prompts. ## Preparing your system ### Recommended system requirements -Malcolm needs a reasonably up-to-date version of [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/). In theory this should be possible on Linux, macOS, and recent Windows 10 releases, although so far it's only been tested on Linux and macOS hosts. + +Malcolm runs on top of [Docker](https://www.docker.com/) which runs on recent releases of Linux, Apple macOS and Microsoft Windows 10. To quote the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/guide/current/hardware.html), "If there is one resource that you will run out of first, it will likely be memory." The same is true for Malcolm: you will want at least 16 gigabytes of RAM to run Malcolm comfortably. For processing large volumes of traffic, I'd recommend at a bare minimum a dedicated server with 16 cores and 16 gigabytes of RAM. Malcolm can run on less, but more is better. You're going to want as much hard drive space as possible, of course, as the amount of PCAP data you're able to analyze and store will be limited by your hard drive. 
@@ -1359,17 +1360,17 @@ Pulling nginx-proxy ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/moloch 1.5.1 xxxxxxxxxxxx 27 minutes ago 517MB -malcolmnetsec/htadmin 1.5.1 xxxxxxxxxxxx 2 hours ago 180MB -malcolmnetsec/nginx-proxy 1.5.1 xxxxxxxxxxxx 4 hours ago 53MB -malcolmnetsec/file-upload 1.5.1 xxxxxxxxxxxx 24 hours ago 198MB -malcolmnetsec/pcap-capture 1.5.1 xxxxxxxxxxxx 24 hours ago 111MB -malcolmnetsec/file-monitor 1.5.1 xxxxxxxxxxxx 24 hours ago 355MB -malcolmnetsec/logstash-oss 1.5.1 xxxxxxxxxxxx 25 hours ago 1.24GB -malcolmnetsec/curator 1.5.1 xxxxxxxxxxxx 25 hours ago 303MB -malcolmnetsec/kibana-oss 1.5.1 xxxxxxxxxxxx 33 hours ago 944MB -malcolmnetsec/filebeat-oss 1.5.1 xxxxxxxxxxxx 11 days ago 459MB -malcolmnetsec/elastalert 1.5.1 xxxxxxxxxxxx 11 days ago 276MB +malcolmnetsec/moloch 1.5.2 xxxxxxxxxxxx 27 minutes ago 517MB +malcolmnetsec/htadmin 1.5.2 xxxxxxxxxxxx 2 hours ago 180MB +malcolmnetsec/nginx-proxy 1.5.2 xxxxxxxxxxxx 4 hours ago 53MB +malcolmnetsec/file-upload 1.5.2 xxxxxxxxxxxx 24 hours ago 198MB +malcolmnetsec/pcap-capture 1.5.2 xxxxxxxxxxxx 24 hours ago 111MB +malcolmnetsec/file-monitor 1.5.2 xxxxxxxxxxxx 24 hours ago 355MB +malcolmnetsec/logstash-oss 1.5.2 xxxxxxxxxxxx 25 hours ago 1.24GB +malcolmnetsec/curator 1.5.2 xxxxxxxxxxxx 25 hours ago 303MB +malcolmnetsec/kibana-oss 1.5.2 xxxxxxxxxxxx 33 hours ago 944MB +malcolmnetsec/filebeat-oss 1.5.2 xxxxxxxxxxxx 11 days ago 459MB +malcolmnetsec/elastalert 1.5.2 xxxxxxxxxxxx 11 days ago 276MB docker.elastic.co/elasticsearch/elasticsearch-oss 6.8.3 xxxxxxxxxxxx 5 weeks ago 769MB ``` diff --git a/docker-compose-standalone-zeek-live.yml b/docker-compose-standalone-zeek-live.yml index b7875aab5..ddc815735 100644 --- a/docker-compose-standalone-zeek-live.yml +++ b/docker-compose-standalone-zeek-live.yml 
@@ -103,7 +103,7 @@ services: - ./elasticsearch:/usr/share/elasticsearch/data:delegated - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated kibana: - image: malcolmnetsec/kibana-oss:1.5.1 + image: malcolmnetsec/kibana-oss:1.5.2 restart: "no" hostname: kibana environment: @@ -126,7 +126,7 @@ services: retries: 3 start_period: 200s elastalert: - image: malcolmnetsec/elastalert:1.5.1 + image: malcolmnetsec/elastalert:1.5.2 restart: "no" hostname: elastalert environment: @@ -147,10 +147,11 @@ services: start_period: 200s volumes: - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml + - ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ curator: - image: malcolmnetsec/curator:1.5.1 + image: malcolmnetsec/curator:1.5.2 restart: "no" hostname: curator environment: @@ -160,7 +161,7 @@ services: depends_on: - elasticsearch logstash: - image: malcolmnetsec/logstash-oss:1.5.1 + image: malcolmnetsec/logstash-oss:1.5.2 restart: "no" hostname: logstash environment: @@ -188,7 +189,7 @@ services: - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro filebeat: - image: malcolmnetsec/filebeat-oss:1.5.1 + image: malcolmnetsec/filebeat-oss:1.5.2 restart: "no" hostname: filebeat environment: @@ -213,7 +214,7 @@ services: - ./filebeat/certs/client.crt:/certs/client.crt:ro - ./filebeat/certs/client.key:/certs/client.key:ro moloch: - image: malcolmnetsec/moloch:1.5.1 + image: malcolmnetsec/moloch:1.5.2 restart: "no" hostname: moloch env_file: @@ -245,7 +246,7 @@ services: - ./moloch-logs:/data/moloch/logs - ./moloch-raw:/data/moloch/raw file-monitor: - image: malcolmnetsec/file-monitor:1.5.1 + image: malcolmnetsec/file-monitor:1.5.2 restart: "no" hostname: filemon environment: 
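Review bot: The new bind mount `- ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro` points at a path this same commit adds to .gitignore, so it does not exist in a fresh checkout; Docker's bind-mount handling creates an empty directory at a missing host path, which would leave the elastalert container with a directory where its SMTP credential file should be. Shipping a template alongside the config or having the setup step create the file would avoid that, and since the file carries a mail password it should be created with owner-only permissions rather than the checkout's default mode. The same mount is added in docker-compose-standalone.yml and docker-compose.yml.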
@@ -256,7 +257,7 @@ services: - ./zeek-logs/extract_files:/data/zeek/extract_files - ./zeek-logs/current:/data/zeek/logs pcap-capture: - image: malcolmnetsec/pcap-capture:1.5.1 + image: malcolmnetsec/pcap-capture:1.5.2 restart: "no" network_mode: host ulimits: @@ -273,7 +274,7 @@ services: volumes: - ./pcap/upload:/pcap upload: - image: malcolmnetsec/file-upload:1.5.1 + image: malcolmnetsec/file-upload:1.5.2 restart: "no" hostname: upload env_file: @@ -290,7 +291,7 @@ services: volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files htadmin: - image: malcolmnetsec/htadmin:1.5.1 + image: malcolmnetsec/htadmin:1.5.2 restart: "no" hostname: htadmin environment: @@ -302,7 +303,7 @@ services: - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw nginx-proxy: - image: malcolmnetsec/nginx-proxy:1.5.1 + image: malcolmnetsec/nginx-proxy:1.5.2 restart: "no" hostname: nginx-proxy depends_on: diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 9fcd006cb..889893fbd 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml @@ -103,7 +103,7 @@ services: - ./elasticsearch:/usr/share/elasticsearch/data:delegated - ./elasticsearch-backup:/opt/elasticsearch/backup:delegated kibana: - image: malcolmnetsec/kibana-oss:1.5.1 + image: malcolmnetsec/kibana-oss:1.5.2 restart: "no" hostname: kibana environment: @@ -126,7 +126,7 @@ services: retries: 3 start_period: 200s elastalert: - image: malcolmnetsec/elastalert:1.5.1 + image: malcolmnetsec/elastalert:1.5.2 restart: "no" hostname: elastalert environment: 
@@ -147,10 +147,11 @@ services: start_period: 200s volumes: - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml + - ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ curator: - image: malcolmnetsec/curator:1.5.1 + image: malcolmnetsec/curator:1.5.2 restart: "no" hostname: curator environment: @@ -160,7 +161,7 @@ services: depends_on: - elasticsearch logstash: - image: malcolmnetsec/logstash-oss:1.5.1 + image: malcolmnetsec/logstash-oss:1.5.2 restart: "no" hostname: logstash environment: @@ -188,7 +189,7 @@ services: - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro filebeat: - image: malcolmnetsec/filebeat-oss:1.5.1 + image: malcolmnetsec/filebeat-oss:1.5.2 restart: "no" hostname: filebeat environment: @@ -213,7 +214,7 @@ services: - ./filebeat/certs/client.crt:/certs/client.crt:ro - ./filebeat/certs/client.key:/certs/client.key:ro moloch: - image: malcolmnetsec/moloch:1.5.1 + image: malcolmnetsec/moloch:1.5.2 restart: "no" hostname: moloch env_file: @@ -245,7 +246,7 @@ services: - ./moloch-logs:/data/moloch/logs - ./moloch-raw:/data/moloch/raw file-monitor: - image: malcolmnetsec/file-monitor:1.5.1 + image: malcolmnetsec/file-monitor:1.5.2 restart: "no" hostname: filemon environment: @@ -256,7 +257,7 @@ services: - ./zeek-logs/extract_files:/data/zeek/extract_files - ./zeek-logs/current:/data/zeek/logs pcap-capture: - image: malcolmnetsec/pcap-capture:1.5.1 + image: malcolmnetsec/pcap-capture:1.5.2 restart: "no" network_mode: host ulimits: @@ -273,7 +274,7 @@ services: volumes: - ./pcap/upload:/pcap upload: - image: malcolmnetsec/file-upload:1.5.1 + image: malcolmnetsec/file-upload:1.5.2 restart: "no" hostname: upload env_file: 
@@ -290,7 +291,7 @@ services: volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files htadmin: - image: malcolmnetsec/htadmin:1.5.1 + image: malcolmnetsec/htadmin:1.5.2 restart: "no" hostname: htadmin environment: @@ -302,7 +303,7 @@ services: - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw nginx-proxy: - image: malcolmnetsec/nginx-proxy:1.5.1 + image: malcolmnetsec/nginx-proxy:1.5.2 restart: "no" hostname: nginx-proxy depends_on: diff --git a/docker-compose.yml b/docker-compose.yml index 843f7c053..8f1de86db 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,7 +106,7 @@ services: build: context: . dockerfile: Dockerfiles/kibana.Dockerfile - image: malcolmnetsec/kibana-oss:1.5.1 + image: malcolmnetsec/kibana-oss:1.5.2 restart: "no" hostname: kibana environment: @@ -132,7 +132,7 @@ services: build: context: . dockerfile: Dockerfiles/elastalert.Dockerfile - image: malcolmnetsec/elastalert:1.5.1 + image: malcolmnetsec/elastalert:1.5.2 restart: "no" hostname: elastalert environment: @@ -153,13 +153,14 @@ services: start_period: 200s volumes: - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml + - ./elastalert/config/smtp-auth.yaml:/opt/elastalert/smtp-auth.yaml:ro - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json - ./elastalert/rules/:/opt/elastalert/rules/ curator: build: context: . dockerfile: Dockerfiles/curator.Dockerfile - image: malcolmnetsec/curator:1.5.1 + image: malcolmnetsec/curator:1.5.2 restart: "no" hostname: curator environment: @@ -174,7 +175,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: malcolmnetsec/logstash-oss:1.5.1 + image: malcolmnetsec/logstash-oss:1.5.2 restart: "no" hostname: logstash environment: 
@@ -212,7 +213,7 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: malcolmnetsec/filebeat-oss:1.5.1 + image: malcolmnetsec/filebeat-oss:1.5.2 restart: "no" hostname: filebeat environment: @@ -241,7 +242,7 @@ services: build: context: . dockerfile: Dockerfiles/moloch.Dockerfile - image: malcolmnetsec/moloch:1.5.1 + image: malcolmnetsec/moloch:1.5.2 restart: "no" hostname: moloch env_file: @@ -279,7 +280,7 @@ services: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: malcolmnetsec/file-monitor:1.5.1 + image: malcolmnetsec/file-monitor:1.5.2 restart: "no" hostname: filemon environment: @@ -293,7 +294,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: malcolmnetsec/pcap-capture:1.5.1 + image: malcolmnetsec/pcap-capture:1.5.2 restart: "no" network_mode: host ulimits: @@ -313,7 +314,7 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: malcolmnetsec/file-upload:1.5.1 + image: malcolmnetsec/file-upload:1.5.2 restart: "no" hostname: upload env_file: @@ -330,7 +331,7 @@ services: volumes: - ./pcap/upload:/var/www/upload/server/php/chroot/files htadmin: - image: malcolmnetsec/htadmin:1.5.1 + image: malcolmnetsec/htadmin:1.5.2 build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -348,7 +349,7 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: malcolmnetsec/nginx-proxy:1.5.1 + image: malcolmnetsec/nginx-proxy:1.5.2 restart: "no" hostname: nginx-proxy depends_on: diff --git a/elastalert/sample-rules/weird.yaml b/elastalert/sample-rules/notice-email.yaml similarity index 50% rename from elastalert/sample-rules/weird.yaml rename to elastalert/sample-rules/notice-email.yaml index f0bd57bb6..3fa10f221 100644 --- a/elastalert/sample-rules/weird.yaml +++ b/elastalert/sample-rules/notice-email.yaml 
@@ -1,10 +1,10 @@ -# Alert on all Weird Zeek logs +# Alert (email) on all Notice Zeek logs (except SSL::Invalid_Server_Cert) # # see https://elastalert.readthedocs.io/en/latest/index.html # for rule trigger parameters, how to specify query for matching # events, transport and formatting for alerts, etc. -name: weird +name: notice ###################################### # Rule parameters @@ -12,10 +12,10 @@ name: weird ###################################### type: any -# Don't realert for 1 minute for the same connection ID/weird type +# Don't realert for 5 minutes for the same connection ID/notice type realert: - minutes: 1 -query_key: [zeek.uid, zeek_weird.name] + minutes: 5 +query_key: [zeek.uid, zeek_notice.note] ###################################### # Query parameters @@ -27,21 +27,28 @@ timestamp_type: iso filter: - query: query_string: - query: "zeek.logType: weird" + query: "zeek.logType:notice AND (NOT zeek_notice.note:\"SSL::Invalid_Server_Cert\")" ###################################### # Alert parameters # see https://elastalert.readthedocs.io/en/latest/ruletypes.html#alerts ###################################### -alert_subject: "weird-{}" -alert_subject_args: ["zeek_weird.name"] +alert_subject: "{0} notice from {1}" +alert_subject_args: ["zeek_notice.note", "host.name"] alert_text_type: alert_text_only -alert_text: "{0} [{1}]: {2}, {3}:{4} -> {5}:{6}" -alert_text_args: ["@timestamp", "zeek.uid", "zeek_weird.name", "srcIp", "srcPort", "dstIp", "dstPort"] - -pipe_alert_text: true +alert_text: "Network traffic captured by {0} generated a {1} notice at {2}: \"{3}\"" +alert_text_args: ["host.name", "zeek_notice.note", "zeek.ts", "zeek_notice.msg"] alert: - - command -command: ["/bin/cat"] +# - command + - email +#command: ["/bin/cat"] +#pipe_alert_text: true +email: + - "user@gmail.com" +smtp_host: "smtp.gmail.com" +smtp_port: 465 +smtp_ssl: true +from_addr: "user@gmail.com" +smtp_auth_file: "/opt/elastalert/smtp-auth.yaml" 
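Review bot: The email transport this sample switches to depends on `smtp_auth_file: "/opt/elastalert/smtp-auth.yaml"`, but nothing in the file says what that file must contain or that it is deliberately kept out of version control, so a user copying the rule into the rules directory gets a runtime failure with no hint where to look. Suggest extending the header comment with `# smtp_auth_file must be a YAML file with "user:" and "password:" keys; it is mounted from ./elastalert/config/smtp-auth.yaml, which is intentionally not tracked in git`. The `user@gmail.com` placeholders in `email` and `from_addr` would likewise benefit from a one-line `# replace with your own addresses` so they are not mistaken for working defaults.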
diff --git a/iso-build/build.sh b/iso-build/build.sh index 430298b67..25847fe19 100755 --- a/iso-build/build.sh +++ b/iso-build/build.sh @@ -153,6 +153,7 @@ if [ -d "$WORKDIR" ]; then --architectures amd64 \ --binary-images iso-hybrid \ --bootloaders "syslinux,grub-efi" \ + --memtest none \ --chroot-filesystem squashfs \ --backports false \ --security true \ diff --git a/iso-build/config/includes.chroot/usr/share/applications/malcolm-cyberchef.desktop b/iso-build/config/includes.chroot/usr/share/applications/malcolm-cyberchef.desktop index ace9fbeed..9c29059a8 100644 --- a/iso-build/config/includes.chroot/usr/share/applications/malcolm-cyberchef.desktop +++ b/iso-build/config/includes.chroot/usr/share/applications/malcolm-cyberchef.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Version=1.0 Name=Malcolm - CyberChef -Exec=/usr/bin/chromium https://localhost/chef +Exec=/usr/bin/chromium https://localhost/cyberchef/ Terminal=false X-MultipleArgs=false Type=Application diff --git a/moloch/etc/config.ini b/moloch/etc/config.ini index 13c9d18cf..c2850b679 100644 --- a/moloch/etc/config.ini +++ b/moloch/etc/config.ini 
@@ -62,6 +62,11 @@ logFileCreation=true valueAutoComplete=false # enable right-click for ID field allowing viewing of JSON document for sessions and/or Zeek logs [right-click] -JSON=url:sessions.json?expression=id=%TEXT%&fields=*;name:JSON;fields:id -# still not working, work in progress: -# KIBANA=url:idmol2kib/_id=%TEXT%;name:Kibana;fields:id \ No newline at end of file +JSON=url:sessions.json?expression=id=%TEXT%&fields=*;name:View JSON Document;fields:id +KIBANA_CAT_IP=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in Kibana;category:ip +KIBANA_CAT_PORT=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in Kibana;category:port +KIBANA_CAT_COUNTRY=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in Kibana;category:country +KIBANA_CAT_HOST=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in Kibana;category:host +KIBANA_CAT_MD5=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in Kibana;category:md5 +KIBANA_CAT_USER=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in Kibana;category:user +KIBANA_FIELDS=url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%;name:Filter %DBFIELD% in 
Kibana;fields:communityId,host.name,ip.protocol,mac.dst,mac.src,node,oui.dst,oui.src,protocols,rootId,tags,zeek.community_id,zeek.destination_geo.city_name,zeek.destination_geo.country_name,zeek.destination_ip_reverse_dns,zeek.filename,zeek.filetype,zeek.fuid,zeek.logType,zeek.orig_h,zeek.orig_hostname,zeek.orig_l2_addr,zeek.orig_l2_oui,zeek.orig_p,zeek.orig_segment,zeek.proto,zeek.resp_h,zeek.resp_hostname,zeek.resp_l2_addr,zeek.resp_l2_oui,zeek.resp_p,zeek.resp_segment,zeek.service,zeek.source_geo.city_name,zeek.source_geo.country_name,zeek.source_ip_reverse_dns,zeek.uid,zeek.user,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.duration,zeek_conn.history,zeek_conn.inner_vlan,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.orig_bytes,zeek_conn.orig_ip_bytes,zeek_conn.orig_pkts,zeek_conn.resp_bytes,zeek_conn.resp_ip_bytes,zeek_conn.resp_pkts,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_dce_rpc.endpoint,zeek_dce_rpc.named_pipe,zeek_dce_rpc.operation,zeek_dce_rpc.rtt,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.mac,zeek_dhcp.trans_id,zeek_dnp3.fc_reply,zeek_dnp3.fc_request,zeek_dnp3.iin,zeek_dns.AA,zeek_dns.answers,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.query,zeek_dns.RA,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.RD,zeek_dns.rejected,zeek_dns.rtt,zeek_dns.TC,zeek_dns.trans_id,zeek_dns.TTLs,zeek_dns.Z,zeek_dpd.failure_reason,zeek_dpd.service,zeek_files.analyzers,zeek_files.conn_uids,zeek_files.depth,zeek_files.duration,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size,zeek_files.filename,zeek_files.fuid,zeek_files.is_orig,zeek_files.local_orig,zeek_files.md5,zeek_files.mime_type,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.parent_fuid,zeek_files.rx_hosts,zeek_files.seen_bytes,zeek_files.sha1,zeek_files.sha256,zeek_files.source,zeek_files.timedout,zeek_files.total_bytes,zeek_files.tx_hosts,zeek_ftp.arg,zeek_ftp.command,zeek_ftp.data_cha
nnel_orig_h,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p,zeek_ftp.file_size,zeek_ftp.fuid,zeek_ftp.mime_type,zeek_ftp.password,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_http.host,zeek_http.info_code,zeek_http.info_msg,zeek_http.method,zeek_http.orig_filenames,zeek_http.orig_fuids,zeek_http.orig_mime_types,zeek_http.password,zeek_http.proxied,zeek_http.referrer,zeek_http.request_body_len,zeek_http.resp_filenames,zeek_http.resp_fuids,zeek_http.resp_mime_types,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.tags,zeek_http.trans_depth,zeek_http.uri,zeek_http.user,zeek_http.user_agent,zeek_http.version,zeek_intel.file_description,zeek_intel.fuid,zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.matched,zeek_intel.mimetype,zeek_intel.seen_node,zeek_intel.seen_where,zeek_intel.sources,zeek_irc.addl,zeek_irc.command,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type,zeek_irc.fuid,zeek_irc.nick,zeek_irc.value,zeek_kerberos.cipher,zeek_kerberos.client_cert_fuid,zeek_kerberos.client_cert_subject,zeek_kerberos.cname,zeek_kerberos.error_msg,zeek_kerberos.forwardable,zeek_kerberos.from,zeek_kerberos.renewable,zeek_kerberos.server_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.till,zeek_modbus.exception,zeek_modbus.func,zeek_mysql.arg,zeek_mysql.cmd,zeek_mysql.response,zeek_mysql.rows,zeek_mysql.success,zeek_notice.actions,zeek_notice.dropped,zeek_notice.dst,zeek_notice.file_desc,zeek_notice.file_mime_type,zeek_notice.fuid,zeek_notice.msg,zeek_notice.n,zeek_notice.note,zeek_notice.p,zeek_notice.peer_descr,zeek_notice.remote_location_cityremote_location_latitude,zeek_notice.remote_location_country_code,zeek_notice.remote_location_longitude,zeek_notice.remote_location_region,zeek_notice.src,zeek_notice.sub,zeek_notice.suppress_for,zeek_ntlm.domain,zeek_ntlm.host,zeek_ntlm.status,zeek_ntlm.success,zeek_pe.compile_ts,zeek_pe.fuid,
zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.has_export_table,zeek_pe.has_import_table,zeek_pe.is_64bit,zeek_pe.is_exe,zeek_pe.machine,zeek_pe.os,zeek_pe.section_names,zeek_pe.subsystem,zeek_pe.uses_aslr,zeek_pe.uses_code_integrity,zeek_pe.uses_dep,zeek_pe.uses_seh,zeek_radius.connect_info,zeek_radius.framed_addr,zeek_radius.mac,zeek_radius.remote_ip,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.cert_type,zeek_rdp.client_build,zeek_rdp.client_dig_product_id,zeek_rdp.client_name,zeek_rdp.cookie,zeek_rdp.desktop_height,zeek_rdp.desktop_width,zeek_rdp.encryption_level,zeek_rdp.encryption_method,zeek_rdp.keyboard_layout,zeek_rdp.requested_color_depth,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rfb.auth,zeek_rfb.authentication_method,zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.desktop_name,zeek_rfb.height,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.share_flag,zeek_rfb.width,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.host_count,zeek_signatures.note,zeek_signatures.signature_count,zeek_signatures.signature_id,zeek_signatures.sub_message,zeek_sip.call_id,zeek_sip.content_type,zeek_sip.date,zeek_sip.method,zeek_sip.reply_to,zeek_sip.request_body_len,zeek_sip.request_from,zeek_sip.request_path,zeek_sip.request_to,zeek_sip.response_body_len,zeek_sip.response_from,zeek_sip.response_path,zeek_sip.response_to,zeek_sip.seq,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.subject,zeek_sip.trans_depth,zeek_sip.uri,zeek_sip.user_agent,zeek_sip.warning,zeek_smb_files.action,zeek_smb_files.fuid,zeek_smb_files.name,zeek_smb_files.path,zeek_smb_files.prev_name,zeek_smb_files.size,zeek_smb_files.times_accessed,zeek_smb_files.times_changed,zeek_smb_files.times_created,zeek_smb_files.times_modified,zeek_smb_mapping.native_file_system,zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.share_type,zeek_smtp.cc,zeek_smtp.dat
e,zeek_smtp.first_received,zeek_smtp.from,zeek_smtp.fuids,zeek_smtp.helo,zeek_smtp.in_reply_to,zeek_smtp.is_webmail,zeek_smtp.last_reply,zeek_smtp.mailfrom,zeek_smtp.msg_id,zeek_smtp.path,zeek_smtp.rcptto,zeek_smtp.reply_to,zeek_smtp.second_received,zeek_smtp.subject,zeek_smtp.tls,zeek_smtp.to,zeek_smtp.trans_depth,zeek_smtp.user_agent,zeek_smtp.x_originating_ip,zeek_snmp.community,zeek_snmp.display_string,zeek_snmp.duration,zeek_snmp.get_bulk_requests,zeek_snmp.get_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.up_since,zeek_snmp.version,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port,zeek_socks.password,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.server_status,zeek_socks.version,zeek_software.name,zeek_software.software_type,zeek_software.unparsed_version,zeek_software.version_addl,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_ssh.auth_attempts,zeek_ssh.auth_success,zeek_ssh.cipher_alg,zeek_ssh.client,zeek_ssh.compression_alg,zeek_ssh.cshka,zeek_ssh.direction,zeek_ssh.hassh,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServer,zeek_ssh.hasshServerAlgorithms,zeek_ssh.host_key,zeek_ssh.host_key_alg,zeek_ssh.kex_alg,zeek_ssh.mac_alg,zeek_ssh.remote_location_city,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.remote_location_region,zeek_ssh.server,zeek_ssh.sshka,zeek_ssh.version,zeek_ssl.cert_chain_fuids,zeek_ssl.cipher,zeek_ssl.client_cert_chain_fuids,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.emailAddress,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.title,zeek_ssl.client_subj
ect.C,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.emailAddress,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.L,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.title,zeek_ssl.curve,zeek_ssl.established,zeek_ssl.issuer.C,zeek_ssl.issuer.CN,zeek_ssl.issuer.DC,zeek_ssl.issuer.emailAddress,zeek_ssl.issuer.GN,zeek_ssl.issuer.initials,zeek_ssl.issuer.L,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.SN,zeek_ssl.issuer.ST,zeek_ssl.issuer.title,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.resumed,zeek_ssl.server_name,zeek_ssl.ssl_version,zeek_ssl.subject.C,zeek_ssl.subject.CN,zeek_ssl.subject.emailAddress,zeek_ssl.subject.GN,zeek_ssl.subject.initials,zeek_ssl.subject.L,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.SN,zeek_ssl.subject.ST,zeek_ssl.subject.title,zeek_ssl.validation_status,zeek_syslog.facility,zeek_syslog.message,zeek_syslog.severity,zeek_tunnel.action,zeek_tunnel.tunnel_type,zeek_weird.addl,zeek_weird.name,zeek_weird.notice,zeek_weird.peer,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len,zeek_x509.certificate_curve,zeek_x509.certificate_exponent,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.title,zeek_x509.certificate_key_alg,zeek_x509.certificate_key_length,zeek_
x509.certificate_key_type,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_serial,zeek_x509.certificate_sig_alg,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.title,zeek_x509.certificate_version,zeek_x509.fuid,zeek_x509.san_dns,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.san_uri \ No newline at end of file diff --git a/moloch/patch/added-DBFIELD-replacer-for-right-click-811424e.patch b/moloch/patch/added-DBFIELD-replacer-for-right-click-811424e.patch new file mode 100644 index 000000000..2e09469fa --- /dev/null +++ b/moloch/patch/added-DBFIELD-replacer-for-right-click-811424e.patch 
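Review bot: The seven KIBANA_CAT_* entries and KIBANA_FIELDS in the [right-click] block all carry the identical `url:idmol2kib/filter?start=%ISOSTART%&stop=%ISOSTOP%&field=%DBFIELD%&value=%TEXT%` template and name, so any change to the Kibana filter route or its parameter names has to be repeated eight times and the very long KIBANA_FIELDS list has no note saying what it must stay in sync with. Whether `%TEXT%` is URL-encoded before substitution is not visible here (the replacer added in SessionField.vue does a plain string replace), so a field value containing `&` or `#` would, if not encoded upstream, truncate the `value` parameter; please confirm the viewer encodes it or that the `idmol2kib/filter` handler tolerates raw values. A short comment above the block, `# all entries share the idmol2kib/filter route; keep the url template and KIBANA_FIELDS list in sync with the Kibana field mapping`, would help the next editor.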
@@ -0,0 +1,41 @@ +From c7c6070fc7075adf739382bd7f91c5fa833588a5 Mon Sep 17 00:00:00 2001 +From: SG <13872653+mmguero@users.noreply.github.com> +Date: Wed, 25 Sep 2019 09:12:39 -0600 +Subject: [PATCH] added %DBFIELD% replacer for right-click + +Adds %DBFIELD% -> info.dbField replacer for right-click actions (see https://molo.ch/settings#right-click) +--- + viewer/vueapp/src/components/sessions/SessionField.vue | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/viewer/vueapp/src/components/sessions/SessionField.vue b/viewer/vueapp/src/components/sessions/SessionField.vue +index b114ed15..bddcff32 100644 +--- a/viewer/vueapp/src/components/sessions/SessionField.vue ++++ b/viewer/vueapp/src/components/sessions/SessionField.vue +@@ -464,6 +464,7 @@ export default { + .replace('%ISOSTART%', isostart.toISOString()) + .replace('%ISOSTOP%', isostop.toISOString()) + .replace('%FIELD%', info.field) ++ .replace('%DBFIELD%', info.info.dbField) + .replace('%TEXT%', text) + .replace('%UCTEXT%', text.toUpperCase()) + .replace('%HOST%', host) +@@ -475,6 +477,7 @@ export default { + + name = (name) + .replace('%FIELD%', info.field) ++ .replace('%DBFIELD%', info.info.dbField) + .replace('%TEXT%', text) + .replace('%HOST%', host) + .replace('%URL%', url); +@@ -484,6 +488,7 @@ export default { + + value = (value) + .replace('%FIELD%', info.field) ++ .replace('%DBFIELD%', info.info.dbField) + .replace('%TEXT%', text) + .replace('%HOST%', host) + .replace('%URL%', url); +-- +2.20.1 + diff --git a/moloch/patch/help_links.patch b/moloch/patch/help_links.patch index 3f786278d..96475ceea 100644 --- a/moloch/patch/help_links.patch +++ b/moloch/patch/help_links.patch @@ -7,7 +7,7 @@ index ba43003a..89b292f0 100644
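Review bot: The embedded patch's description says the new replacer maps `%DBFIELD%` to `info.dbField`, but all three added lines read `info.info.dbField`, so the description and the code disagree. If SessionField's `info` prop does not itself carry a nested `info` object, every `%DBFIELD%` substitution becomes the literal string `undefined` in the generated right-click URL; the property path should be confirmed against the component and whichever is wrong fixed, e.g. `.replace('%DBFIELD%', info.dbField)` together with the matching description. The `.replace` chains the three lines extend belong to methods whose start and end lie outside the hunk.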
+ Malcolm README | -+ CyberChef | ++ CyberChef | Home Page | FAQ | Wiki | diff --git a/moloch/patch/improve-need-quotes-check-hopefully-fixes-1146-4de1686.patch b/moloch/patch/improve-need-quotes-check-hopefully-fixes-1146-4de1686.patch deleted file mode 100644 index db82c6c42..000000000 --- a/moloch/patch/improve-need-quotes-check-hopefully-fixes-1146-4de1686.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 4de16862943fb826a90c2ae967f9c90f6a89323a Mon Sep 17 00:00:00 2001 -From: Andy Wick -Date: Fri, 30 Aug 2019 09:43:00 -0400 -Subject: [PATCH] improve need quotes check hopefully, fixes #1146 - ---- - CHANGELOG | 3 +++ - viewer/vueapp/src/filters.js | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/viewer/vueapp/src/filters.js b/viewer/vueapp/src/filters.js -index 090049dd..9004fe72 100644 ---- a/viewer/vueapp/src/filters.js -+++ b/viewer/vueapp/src/filters.js -@@ -299,11 +299,11 @@ Vue.filter('searchFields', function (searchTerm, fields, excludeTokens) { - */ - Vue.filter('buildExpression', function (field, value, op) { - // for values required to be strings in the search expression -- const str = /[^(EXISTS!)-+a-zA-Z0-9_.@:*?/,[]]+/.test(value); -+ const needQuotes = value !== 'EXISTS!' && /[^-+a-zA-Z0-9_.@:*?/,\[\]]+/.test(value); - - // escape unescaped quotes - value = value.toString().replace(/\\([\s\S])|(")/g, '\\$1$2'); -- if (str) { value = `"${value}"`; } -+ if (needQuotes) { value = `"${value}"`; } - - return `${field} ${op} ${value}`; - }); --- -2.20.1 - diff --git a/nginx/nginx.conf b/nginx/nginx.conf index e4b386acc..131cbb050 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -8,6 +8,7 @@ events { worker_connections 1024; } http { + include /etc/nginx/mime.types; sendfile on; client_max_body_size 20m; fastcgi_buffers 16 16k; 
@@ -84,13 +85,6 @@ http { proxy_set_header Host moloch.malcolm.local; } - # Direct inline CyberChef - location /chef { - proxy_pass http://docker-malcolm-readme/cyberchef.htm; - proxy_redirect off; - proxy_set_header Host moloch.malcolm.local; - } - # Logstash statistics location ~* ^/logstash\b(.*) { proxy_pass http://docker-logstash-stats/_node/stats$1; @@ -99,16 +93,35 @@ http { } # Kibana shortcut + location ~* ^/idmol2kib(.*) { + + set $filter_start_time now-1d; + if ($arg_start != '') { + set $filter_start_time \'$arg_start\'; + } + + set $filter_stop_time now; + if ($arg_stop != '') { + set $filter_stop_time \'$arg_stop\'; + } - location ~* ^/idmol2kib\b(.*) { - # not working, work in progress - # see https://discuss.elastic.co/t/nginx-reverse-proxy-with-rewrite-and-app-kibana-discover/198461/1 - rewrite ^/idmol2kib(.*) /kibana/app/kibana#/discover; + set $filter_field undefined; + if ($arg_field != '') { + set $filter_field $arg_field; + } + + set $filter_value undefined; + if ($arg_value != '') { + set $filter_value $arg_value; + } + + rewrite ^/idmol2kib/(.*) /kibana/app/kibana#/discover?_g=(refreshInterval:(pause:!t,value:0),time:(from:$filter_start_time,mode:absolute,to:$filter_stop_time))&_a=(columns:!(_source),filters:!((meta:(alias:!n,disabled:!f,index:'sessions2-*',key:$filter_field,negate:!f,params:(query:'$filter_value',type:phrase),type:phrase,value:'$filter_value'),query:(match:($filter_field:(query:'$filter_value',type:phrase))))),index:'sessions2-*',interval:auto,query:(language:lucene,query:''),sort:!(firstPacket,desc)) redirect; proxy_pass http://docker-kibana; proxy_redirect off; proxy_set_header Host kibana.malcolm.local; } + # already prepended /kibana to match the server.basePath in kibana's YML config file location /kibana { proxy_pass http://docker-kibana; 
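Review bot: In the rewritten `idmol2kib` location, `$arg_start`, `$arg_stop`, `$arg_field` and `$arg_value` are copied into the `rewrite ... redirect` target after only an empty-string check, so any caller-supplied query argument is reflected verbatim into the Location header and into the Kibana filter expression it builds. The guards should admit only the expected shapes and otherwise fall back to the `now`/`undefined` defaults, e.g. `if ($arg_field ~ '^[A-Za-z0-9_.]+$') { set $filter_field $arg_field; }` for the field name and a similarly tight pattern (digits, `-`, `:`, `.`, `T`, `Z`) for the two timestamps; `$arg_value` is harder to constrain, but at minimum it should not be allowed to contain the quotes or parentheses that delimit the `query:'...'` literal it is placed in. Separately, `rewrite ^/idmol2kib/(.*)` captures a group that is never referenced, so the pattern can be simplified to `^/idmol2kib/` unless something outside this hunk depends on it.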
@@ -116,7 +129,7 @@ http { proxy_set_header Host kibana.malcolm.local; } - # otherwise (from old bookmarks), prepend /kibana to match the server.basePath in kibana's YML config file + # otherwise (from old kibana bookmarks), prepend /kibana to match the server.basePath in kibana's YML config file location /app { proxy_pass http://docker-kibana/kibana/app; proxy_redirect off; @@ -127,6 +140,21 @@ http { alias /etc/nginx/favicon.ico; } + # Fix cyberchef JS module(s) + # https://localhost/moloch/session/190924-KgO9H30qhdREw7ltsDXn1Rgp/modules/Regex.js + location ~* ^/moloch/session/.*/(modules/.*\.js) { + proxy_hide_header Content-Type; + proxy_set_header Content-Type "application/javascript"; + add_header Content-Type "application/javascript"; + default_type application/javascript; + add_header X-Content-Type-Options 'nosniff'; + proxy_pass http://docker-moloch/cyberchef/$1; + proxy_redirect off; + proxy_set_header Host moloch.malcolm.local; + proxy_set_header http_auth_http_user $remote_user; + proxy_set_header Authorization ""; + } + location / { proxy_pass http://docker-moloch; proxy_redirect off; @@ -177,16 +205,10 @@ http { proxy_set_header Host kibana.malcolm.local; } - # otherwise (from old bookmarks), prepend /kibana to match the server.basePath in kibana's YML config file - location /app { - proxy_pass http://docker-kibana/kibana/app; - proxy_redirect off; - proxy_set_header Host kibana.malcolm.local; - } - # otherwise prepend /kibana to match the server.basePath in kibana's YML config file location / { - proxy_pass http://docker-kibana/kibana; + rewrite ^/(.*) /kibana/$1; + proxy_pass http://docker-kibana; proxy_redirect off; proxy_set_header Host kibana.malcolm.local; } diff --git a/scripts/auth_setup.sh b/scripts/auth_setup.sh index a0a6b8a9c..0bd37feca 100755 --- a/scripts/auth_setup.sh +++ b/scripts/auth_setup.sh 
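Review bot: In the new `modules/*.js` location, `proxy_set_header Content-Type "application/javascript"` sets a header on the request forwarded to moloch, not on the response returned to the browser, so it contributes nothing to the module-type problem the comment describes; the response type is already forced by `proxy_hide_header Content-Type` together with `add_header Content-Type "application/javascript"`, and as far as I can tell `default_type` is not applied to proxied responses either. I would drop the `proxy_set_header Content-Type` and `default_type` lines and keep the hide/add pair, with a comment such as `# strip the upstream type and re-label the module as JS so browsers accept it`. Clearing `Authorization` while forwarding `$remote_user` in `http_auth_http_user` looks like it mirrors the other moloch locations, but that is inferred from the proxied hostnames rather than visible in this hunk.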
@@ -96,6 +96,17 @@ EOF touch metadata popd >/dev/null 2>&1 +if [[ ! -f ./elastalert/config/smtp-auth.yaml ]]; then + # create a sample smtp-auth.yaml for if/when we want to do elastalert email + pushd ./elastalert/config/ >/dev/null 2>&1 + cat < smtp-auth.yaml +user: "user@gmail.com" +password: "abcdefg1234567" +EOF + chmod 600 ./smtp-auth.yaml + popd >/dev/null 2>&1 +fi + unset CONFIRMATION echo "" read -p "(Re)generate self-signed certificates for HTTPS access [Y/n]? " CONFIRMATION diff --git a/scripts/start.sh b/scripts/start.sh index dddcb49d9..dd3ac5eba 100755 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -49,6 +49,17 @@ fi [[ -f ./htadmin/metadata ]] || touch ./htadmin/metadata +if [[ ! -f ./elastalert/config/smtp-auth.yaml ]]; then + # create a sample smtp-auth.yaml for if/when we want to do elastalert email + pushd ./elastalert/config/ >/dev/null 2>&1 + cat < smtp-auth.yaml +user: "user@gmail.com" +password: "abcdefg1234567" +EOF + chmod 600 ./smtp-auth.yaml + popd >/dev/null 2>&1 +fi + # make sure a read permission is set correctly for the nginx worker processes chmod 644 ./nginx/htpasswd ./htadmin/config.ini ./htadmin/metadata >/dev/null 2>&1 diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py index fb227e525..46a390325 100755 --- a/shared/bin/configure-capture.py +++ b/shared/bin/configure-capture.py @@ -326,7 +326,7 @@ def input_elasticsearch_connection_info(forwarder, retcode, message, output = test_connection(protocol=return_dict[Constants.BEAT_KIBANA_PROTOCOL], host=return_dict[Constants.BEAT_KIBANA_HOST], port=return_dict[Constants.BEAT_KIBANA_PORT], - uri="status", + uri="api/status", username=return_dict[Constants.BEAT_HTTP_USERNAME] if (len(return_dict[Constants.BEAT_HTTP_USERNAME]) > 0) else None, password=return_dict[Constants.BEAT_HTTP_PASSWORD] if (len(return_dict[Constants.BEAT_HTTP_PASSWORD]) > 0) else None, ssl_verify=return_dict[Constants.BEAT_KIBANA_SSL_VERIFY]) 
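Review bot: The sample `smtp-auth.yaml` is written with `cat ... > smtp-auth.yaml` and only afterwards `chmod 600`, so for a moment a credentials file exists with the caller's default umask (typically world-readable); create it restrictive from the start, e.g. wrap the write as `( umask 077; cat <<EOF > smtp-auth.yaml ... EOF )` or run `install -m 600 /dev/null smtp-auth.yaml` before the `cat`. The `pushd ./elastalert/config/` result is not checked, so if that directory is missing the sample lands in the current directory instead; `pushd ./elastalert/config/ >/dev/null 2>&1 || exit 1` (or a preceding `mkdir -p`) would avoid that. The same block appears verbatim in the `scripts/start.sh` hunk below and both points apply there too; the heredoc line renders here as `cat < smtp-auth.yaml`, which I take to be a display artefact of the `<<EOF` marker rather than the actual code.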
diff --git a/shared/bin/zeek-carve-monitor.py b/shared/bin/zeek-carve-monitor.py index 6cddde80c..2a6d649b0 100755 --- a/shared/bin/zeek-carve-monitor.py +++ b/shared/bin/zeek-carve-monitor.py @@ -45,6 +45,7 @@ ################################################################################################### debug = False debugToggled = False +pdbFlagged = False args = None scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) @@ -60,8 +61,8 @@ def shutdown_handler(signum, frame): ################################################################################################### # handle sigusr1 for a pdb breakpoint def pdb_handler(sig, frame): - import pdb - pdb.Pdb().set_trace(frame) + global pdbFlagged + pdbFlagged = True ################################################################################################### # handle sigusr2 for toggling debug @@ -201,6 +202,7 @@ def main(): global args global debug global debugToggled + global pdbFlagged global shuttingDown parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) @@ -354,10 +356,19 @@ def main(): while (not shuttingDown): + if pdbFlagged: + pdbFlagged = False + breakpoint() + processedEvents = 0 # processed files for which checking is finished while (not shuttingDown) and (processedEvents < (MAX_PROCESSED_BATCH_SIZE // 2)): + + if pdbFlagged: + pdbFlagged = False + breakpoint() + try: fileEvent = finishedFileQueue.popleft() except IndexError: @@ -420,6 +431,11 @@ def main(): # process new hashed files to be checked queuedDupes = deque() while (not shuttingDown) and (processedEvents < MAX_PROCESSED_BATCH_SIZE): + + if pdbFlagged: + pdbFlagged = False + breakpoint() + try: fileEvent = hashedFileQueue.popleft() except IndexError: 
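Review bot: The three-line `if pdbFlagged: / pdbFlagged = False / breakpoint()` block is pasted into each nested loop of `main()` (twice in the `@@ -354` hunk, again in the `@@ -420` and `@@ -491` hunks), which makes it easy for the next loop added to miss the check and gives no place to explain why `pdb_handler` now only sets a flag instead of starting the debugger. A small module-level helper next to `pdb_handler` keeps one copy and carries that explanation; each loop then reads `check_pdb_break()` and `main()` no longer needs `global pdbFlagged`. Since `breakpoint()` honours `PYTHONBREAKPOINT`, the helper's docstring should also record that `PYTHONBREAKPOINT=0` disables the hook, which is the setting an operator would want on a production sensor. `main()` begins and ends outside these hunks.

```python
def check_pdb_break():
    """Enter the debugger if SIGUSR1 was received since the last check.

    pdb_handler only sets pdbFlagged, presumably because a signal handler
    is not a safe place to start the debugger; the flag is consumed here,
    at a known-safe point in the main loop. breakpoint() honours
    PYTHONBREAKPOINT (PYTHONBREAKPOINT=0 disables it entirely).
    """
    global pdbFlagged
    if pdbFlagged:
        pdbFlagged = False
        breakpoint()


# … unchanged: main() loop bodies, each inline `if pdbFlagged:` block replaced by check_pdb_break() …
```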
@@ -491,6 +507,11 @@ def main(): # put duplicated processing events back into the hashedFileQueue to check again in a bit dupeEvents = 0 while (len(queuedDupes) > 0): + + if pdbFlagged: + pdbFlagged = False + breakpoint() + dupeEvents += 1 hashedFileQueue.append(queuedDupes.popleft())