diff --git a/.env b/.env
new file mode 100644
index 0000000..4e372fd
--- /dev/null
+++ b/.env
@@ -0,0 +1,41 @@
+# Project namespace (defaults to the current folder name if not set)
+#COMPOSE_PROJECT_NAME=myproject
+
+
+# Password for the 'elastic' user (at least 6 characters)
+ELASTIC_PASSWORD=changeme
+
+
+# Password for the 'kibana_system' user (at least 6 characters)
+KIBANA_PASSWORD=changeme
+
+
+# Version of Elastic products
+STACK_VERSION=8.7.1
+
+
+# Set the cluster name
+CLUSTER_NAME=snort-cluster
+
+
+# Set to 'basic' or 'trial' to automatically start the 30-day trial
+LICENSE=basic
+#LICENSE=trial
+
+
+# Port to expose Elasticsearch HTTP API to the host
+ES_PORT=9200
+
+
+# Port to expose Kibana to the host
+KIBANA_PORT=5601
+
+
+# Increase or decrease based on the available host memory (in bytes)
+ES_MEM_LIMIT=1073741824
+KB_MEM_LIMIT=1073741824
+LS_MEM_LIMIT=1073741824
+
+
+# SAMPLE Predefined Key only to be used in POC environments
+ENCRYPTION_KEY=c34d38b3a14956121ff2170e5030b471551370178f43e5626eec58b04a30fae2
diff --git a/Dockerfile b/Dockerfile
index ebe2726..71cf515 100644
--- a/Dockerfile
+++ b/Dockerfile
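Review bot: `.env` is committed with live values — `ELASTIC_PASSWORD=changeme`, `KIBANA_PASSWORD=changeme` and a fixed `ENCRYPTION_KEY` — and the compose setup service only rejects an empty password, never the default, so a fresh clone comes up with a guessable superuser password and a Kibana saved-objects key that anyone can read out of git history. Commit this file as `.env.example` with the secret values blanked, add `.env` to `.gitignore`, and tell the reader to generate the key per deployment (`openssl rand -hex 32`), which is what the `# SAMPLE ... POC environments` comment already hints at. `LS_MEM_LIMIT` is defined here but the logstash01 service in the compose hunk sets no `mem_limit`, so it appears unused; either wire it in or drop it.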
@@ -6,36 +6,28 @@ ENV HOME=/root RUN apt-get -y update && apt-get -y upgrade RUN apt-get -y install \ - wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config openssh-server \ + wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config \ strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl supervisor net-tools iputils-ping iproute2 ethtool \ libdumbnet-dev libdnet-dev libpcap-dev libtirpc-dev libmnl-dev libunwind-dev libpcre3-dev zlib1g-dev libnet1-dev liblzma-dev \ libssl-dev libhwloc-dev libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev autotools-dev libluajit-5.1-dev libfl-dev \ libpcre3 libpcre3-dbg libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 libmagic-dev libnuma-dev -# Some network tweaks -RUN ip add sh eth0 - # Build libdaq WORKDIR $HOME -RUN git clone https://github.com/snort3/libdaq.git -WORKDIR $HOME/libdaq -RUN ./bootstrap && ./configure --prefix=${PREFIX_DIR} && make && make install +RUN git clone https://github.com/snort3/libdaq.git && \ + cd libdaq && ./bootstrap && ./configure --prefix=${PREFIX_DIR} && make && make install # Build gperftools WORKDIR $HOME -RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz && tar xzf gperftools-2.9.1.tar.gz - -WORKDIR $HOME/gperftools-2.9.1 -RUN ./configure && make && make install +RUN wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz && tar xzf gperftools-2.9.1.tar.gz && \ + cd gperftools-2.9.1 && ./configure && make && make install # Build snort WORKDIR $HOME -RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz && tar xzf 3.3.2.0.tar.gz -WORKDIR $HOME/snort3-3.3.2.0 -RUN ./configure_cmake.sh --prefix=${PREFIX_DIR} --enable-tcmalloc --disable-docs -WORKDIR 
$HOME/snort3-3.3.2.0/build -RUN make && make install -RUN ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \ +RUN wget https://github.com/snort3/snort3/archive/refs/tags/3.3.2.0.tar.gz && tar xzf 3.3.2.0.tar.gz && \ + cd snort3-3.3.2.0 && ./configure_cmake.sh --prefix=${PREFIX_DIR} --enable-tcmalloc --disable-docs && \ + cd build && make && make install && \ + ln -s /usr/local/lib/libtcmalloc.so.4 /lib/ && \ ln -s /usr/local/lib/libdaq.so.3 /lib/ && \ ldconfig 
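Review bot: the new chained `RUN git clone https://github.com/snort3/libdaq.git && cd libdaq && ./bootstrap ...` builds whatever libdaq's default branch is at build time, and the gperftools tarball on the next `RUN` is extracted with no integrity check, so the image is not reproducible and a moved or compromised upstream changes the build silently. Pin the clone (`git clone --depth 1 --branch <LIBDAQ_TAG> https://github.com/snort3/libdaq.git`, with the tag you actually test against in place of the placeholder) and verify the tarball before `tar xzf` (`echo "<EXPECTED_SHA256>  gperftools-2.9.1.tar.gz" | sha256sum -c -`). The snort3 download is pinned to 3.3.2.0 by URL but would benefit from the same checksum line.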
@@ -48,22 +40,26 @@ RUN mkdir ${PREFIX_DIR}/etc/rules && \ touch ${PREFIX_DIR}/etc/lists/default.blocklist && \ mkdir /var/log/snort COPY snort3-community-rules.tar.gz ${HOME}/snort3-community-rules.tar.gz +COPY feodotracker.tar.gz ${HOME}/feodotracker.tar.gz +COPY appid-rules.tar.gz ${HOME}/appid-rules.tar.gz +COPY emerging-rules.tar.gz ${HOME}/emerging-rules.tar.gz RUN tar -xvzf snort3-community-rules.tar.gz && cd snort3-community-rules && mkdir ${PREFIX_DIR}/etc/rules/snort3-community-rules/ && cp * ${PREFIX_DIR}/etc/rules/snort3-community-rules/ + +WORKDIR $HOME +RUN tar -xvzf feodotracker.tar.gz && ls && cd feodotracker && mkdir ${PREFIX_DIR}/etc/rules/feodotracker/ && cp * ${PREFIX_DIR}/etc/rules/feodotracker/ + +WORKDIR $HOME +RUN tar -xvzf appid-rules.tar.gz && cd appid-rules && mkdir ${PREFIX_DIR}/etc/rules/appid-rules/ && cp * ${PREFIX_DIR}/etc/rules/appid-rules/ + +WORKDIR $HOME +RUN tar -xvzf emerging-rules.tar.gz && cd emerging-rules && mkdir ${PREFIX_DIR}/etc/rules/emerging-rules/ && cp * ${PREFIX_DIR}/etc/rules/emerging-rules/ + RUN snort --version # Install OpenAppID WORKDIR $HOME COPY snort-openappid.tar.gz ${HOME}/OpenAppId-23020.tar.gz -RUN tar -xzvf OpenAppId-23020.tar.gz && cp -R odp /usr/local/lib/ - -# Set up SSH -RUN mkdir /var/run/sshd -RUN echo 'root:screencast' | chpasswd -RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config -RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd -RUN echo "export VISIBLE=now" >> /etc/profile - -EXPOSE 22 +RUN tar -xzvf OpenAppId-23020.tar.gz && mkdir -p /usr/local/lib/openappid && cp -r odp /usr/local/lib/openappid COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf COPY entrypoint.sh ${HOME}/entrypoint.sh diff --git a/appid-rules.tar.gz b/appid-rules.tar.gz new file mode 100644 index 0000000..a3e9b77 Binary files /dev/null and b/appid-rules.tar.gz differ 
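Review bot: the new feodotracker `RUN` carries a leftover `ls` in its chain (`tar -xvzf feodotracker.tar.gz && ls && cd feodotracker ...`) that only adds noise to the build log; drop it so the three rule-set RUNs have the same shape. Each of the three `cp *` calls copies the extracted directory without `-r`, so a subdirectory inside any of these tarballs fails the build — harmless for a flat archive, but `cp -r` or an explicit `*.rules` glob is more robust. The tarballs are vendored with no recorded origin or date; a one-line comment on each `COPY` such as `# emerging-rules.tar.gz: <SOURCE>, fetched <DATE>` keeps the rule provenance auditable.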
diff --git a/docker-compose.yml b/docker-compose.yml
index 6a96862..444e479 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,20 +10,206 @@ services: volumes: - ./snort-conf:/usr/local/etc/snort - ./snort-rules.txt:/usr/local/etc/rules/local.rules - - ./logs:/var/log/snort - ports: - - 22:22 + #- ./logs:/var/log/snort + - ./logstash_ingest_data:/var/log/snort networks: snort_lan: -# ping: -# image: willfarrell/ping -# environment: -# HOSTNAME: snort -# TIMEOUT: 10 -# networks: -# snort_lan: + + setup: + image: elasticsearch:${STACK_VERSION} + volumes: + - certs:/usr/share/elasticsearch/config/certs + user: "0" + command: > + bash -c ' + if [ x${ELASTIC_PASSWORD} == x ]; then + echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; + exit 1; + elif [ x${KIBANA_PASSWORD} == x ]; then + echo "Set the KIBANA_PASSWORD environment variable in the .env file"; + exit 1; + fi; + if [ ! -f config/certs/ca.zip ]; then + echo "Creating CA"; + bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; + unzip config/certs/ca.zip -d config/certs; + fi; + if [ ! -f config/certs/certs.zip ]; then + echo "Creating certs"; + echo -ne \ + "instances:\n"\ + " - name: es01\n"\ + " dns:\n"\ + " - es01\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + " - name: kibana\n"\ + " dns:\n"\ + " - kibana\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + > config/certs/instances.yml; + bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; + unzip config/certs/certs.zip -d config/certs; + fi; + echo "Setting file permissions" + chown -R root:root config/certs; + find . -type d -exec chmod 750 \{\} \;; + find . 
-type f -exec chmod 640 \{\} \;; + echo "Waiting for Elasticsearch availability"; + until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; + echo "Setting kibana_system password"; + until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; + echo "All done!"; + ' + healthcheck: + test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + interval: 1s + timeout: 5s + retries: 120 + networks: + snort_lan: + + es01: + depends_on: + setup: + condition: service_healthy + image: elasticsearch:${STACK_VERSION} + labels: + co.elastic.logs/module: elasticsearch + volumes: + - certs:/usr/share/elasticsearch/config/certs + - esdata01:/usr/share/elasticsearch/data + ports: + - ${ES_PORT}:9200 + environment: + - node.name=es01 + - cluster.name=${CLUSTER_NAME} + - discovery.type=single-node + - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} + - bootstrap.memory_lock=true + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es01/es01.key + - xpack.security.http.ssl.certificate=certs/es01/es01.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es01/es01.key + - xpack.security.transport.ssl.certificate=certs/es01/es01.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${ES_MEM_LIMIT} + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + interval: 10s + 
timeout: 10s + retries: 120 + networks: + snort_lan: + + kibana: + depends_on: + es01: + condition: service_healthy + image: kibana:${STACK_VERSION} + labels: + co.elastic.logs/module: kibana + volumes: + - certs:/usr/share/kibana/config/certs + - kibanadata:/usr/share/kibana/data + ports: + - ${KIBANA_PORT}:5601 + environment: + - SERVERNAME=kibana + - ELASTICSEARCH_HOSTS=https://es01:9200 + - ELASTICSEARCH_USERNAME=kibana_system + - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} + - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt + - XPACK_SECURITY_ENCRYPTIONKEY=${ENCRYPTION_KEY} + - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${ENCRYPTION_KEY} + - XPACK_REPORTING_ENCRYPTIONKEY=${ENCRYPTION_KEY} + mem_limit: ${KB_MEM_LIMIT} + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", + ] + interval: 10s + timeout: 10s + retries: 120 + networks: + snort_lan: + + filebeat01: + depends_on: + es01: + condition: service_healthy + image: elastic/filebeat:${STACK_VERSION} + user: root + volumes: + - certs:/usr/share/filebeat/certs + - filebeatdata01:/usr/share/filebeat/data + - "./filebeat_ingest_data/:/usr/share/filebeat/ingest_data/" + - "./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" + - "/var/lib/docker/containers:/var/lib/docker/containers:ro" + - "/var/run/docker.sock:/var/run/docker.sock:ro" + environment: + - ELASTIC_USER=elastic + - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} + - ELASTIC_HOSTS=https://es01:9200 + - KIBANA_HOSTS=http://kibana:5601 + - LOGSTASH_HOSTS=http://logstash01:9600 + networks: + snort_lan: + + logstash01: + depends_on: + es01: + condition: service_healthy + kibana: + condition: service_healthy + image: logstash:${STACK_VERSION} + labels: + co.elastic.logs/module: logstash + user: root + volumes: + - certs:/usr/share/logstash/certs + - logstashdata01:/usr/share/logstash/data + - "./logstash_ingest_data/:/usr/share/logstash/ingest_data/" + - 
"./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro" + environment: + - xpack.monitoring.enabled=false + - ELASTIC_USER=elastic + - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} + - ELASTIC_HOSTS=https://es01:9200 + networks: + snort_lan: + + networks: snort_lan: driver: bridge -#volumes: -# snort: \ No newline at end of file + +volumes: + certs: + driver: local + esdata01: + driver: local + kibanadata: + driver: local + logstashdata01: + driver: local + filebeatdata01: + driver: local \ No newline at end of file diff --git a/emerging-rules.tar.gz b/emerging-rules.tar.gz new file mode 100644 index 0000000..e6b9279 Binary files /dev/null and b/emerging-rules.tar.gz differ diff --git a/entrypoint.sh b/entrypoint.sh index 045ac5e..d8da168 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,8 @@ -ip route del default -#ip route add default via 192.168.88.108 -ip route add default dev eth0 +interface="eth0" +ip route del default +ip add sh $interface +ip route add default dev $interface +ip link set dev $interface promisc on /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf \ No newline at end of file diff --git a/feodotracker.tar.gz b/feodotracker.tar.gz new file mode 100644 index 0000000..29a067b Binary files /dev/null and b/feodotracker.tar.gz differ diff --git a/filebeat.yml b/filebeat.yml new file mode 100644 index 0000000..6cebf9b --- /dev/null +++ b/filebeat.yml @@ -0,0 +1,30 @@ +filebeat.inputs: +- type: filestream + id: default-filestream + paths: + - ingest_data/*.txt + - ingest_data/*.log + + +filebeat.autodiscover: + providers: + - type: docker + hints.enabled: true + + +processors: +- add_docker_metadata: ~ + + +setup.kibana: + host: ${KIBANA_HOSTS} + username: ${ELASTIC_USER} + password: ${ELASTIC_PASSWORD} + + +output.elasticsearch: + hosts: ${ELASTIC_HOSTS} + username: ${ELASTIC_USER} + password: ${ELASTIC_PASSWORD} + ssl.enabled: true + ssl.certificate_authorities: "certs/ca/ca.crt" \ No newline at end of file 
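Review bot: filebeat01 runs as `user: root` with `/var/run/docker.sock` bind-mounted; the `:ro` on that line only makes the mount read-only and does not restrict the Docker API, so a compromise of the filebeat container is host-root equivalent. If the `filebeat.autodiscover` docker provider is really wanted, say so in a comment on the mount; otherwise drop the socket and `/var/lib/docker/containers` mounts and keep the filestream input only. Separately, `${ES_PORT}:9200` and `${KIBANA_PORT}:5601` publish on every host interface and Kibana is plain HTTP (its healthcheck probes `http://localhost:5601`), so the `elastic` login crosses the wire in clear; `127.0.0.1:${ES_PORT}:9200` and `127.0.0.1:${KIBANA_PORT}:5601` keep both on the host until Kibana's server TLS is configured.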
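Review bot: entrypoint.sh still has no shebang and no `set -e` (the hunk starts at line 1 with `interface="eth0"`), so a failing `ip route add` or `ip link set ... promisc on` is ignored and supervisord starts with the capture interface not in promiscuous mode; `$interface` is also expanded unquoted on the three new `ip` lines. A shell header plus quoting makes that failure visible at container start, while `ip route del default` is left tolerant because a container with no default route yet is a valid starting state. Promiscuous mode and the route changes need CAP_NET_ADMIN on the snort service, which this hunk cannot show.
```shell
#!/usr/bin/env bash
set -euo pipefail
interface="eth0"
ip route del default || true   # tolerated: there may be no default route yet
ip addr show "$interface"
ip route add default dev "$interface"
ip link set dev "$interface" promisc on
# … unchanged: supervisord launch …
```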
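Review bot: `output.elasticsearch` and `setup.kibana` both authenticate as `${ELASTIC_USER}`, which the compose file sets to `elastic` — the superuser — so a container that runs as root with the docker socket mounted also holds cluster-admin credentials it only needs for index writes. Create a dedicated writer user with just the index privileges filebeat needs (or an API key) and pass that through `ELASTIC_USER`/`ELASTIC_PASSWORD`. Note also that `setup.kibana.host` receives those credentials over `http://kibana:5601`, which is plaintext as long as Kibana has no server TLS.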
diff --git a/logs/alert_csv.txt b/logs/alert_csv.txt
new file mode 100644
index 0000000..e69de29
diff --git a/logs/alert_fast.txt b/logs/alert_fast.txt
new file mode 100644
index 0000000..e69de29
diff --git a/logs/supervisor.log b/logs/supervisor.log
new file mode 100644
index 0000000..eda849e
--- /dev/null
+++ b/logs/supervisor.log
@@ -0,0 +1,613 @@ +-------------------------------------------------- +o")~ Snort++ 3.3.2.0 +-------------------------------------------------- +Loading /usr/local/etc/snort/snort.lua: +Loading snort_defaults.lua: +Finished snort_defaults.lua: + ssh + host_cache + pop + so_proxy + stream_tcp + mms + smtp + gtp_inspect + packets + dce_http_proxy + alert_fast + alert_csv + ips + stream_icmp + hosts + normalizer + binder + wizard + appid + js_norm + file_id + http2_inspect + http_inspect + stream_udp + ftp_data + ftp_server + search_engine + port_scan + dce_http_server + dce_tcp + dce_smb + iec104 + cip + telnet + ssl + sip + rpc_decode + netflow + modbus + host_tracker + stream_user + stream_ip + trace + back_orifice + classifications + dnp3 + active + process + ftp_client + daq + decode + alerts + stream + references + arp_spoof + output + network + dns + dce_udp + imap + file_policy + s7commplus + stream_file +Finished /usr/local/etc/snort/snort.lua: +Loading file_id.rules_file: +Loading file_magic.rules: +Finished file_magic.rules: +Finished file_id.rules_file: +Loading ips.rules: +Loading ../rules/snort3-community-rules/snort3-community.rules: +Finished ../rules/snort3-community-rules/snort3-community.rules: +Loading ../rules/local.rules: +Finished ../rules/local.rules: +Finished ips.rules: +-------------------------------------------------- +ips policies rule stats + id loaded shared enabled file + 0 4239 0 4239 /usr/local/etc/snort/snort.lua +-------------------------------------------------- +rule counts + total rules loaded: 4239 + text rules: 4239 + option chains: 4239 + chain headers: 325 + flowbits: 48 + flowbits not checked: 23 +-------------------------------------------------- +port rule counts + tcp udp icmp ip + any 472 58 148 22 + src 170 15 0 0 + dst 775 150 0 0 + both 6 11 0 0 + total 1423 234 148 22 +-------------------------------------------------- +service rule counts to-srv to-cli + dcerpc: 72 20 + dhcp: 2 2 + dns: 28 7 + file_id: 219 219 + 
ftp: 90 4 + ftp-data: 1 96 + http: 2084 255 + http2: 2084 255 + http3: 2084 255 + imap: 35 117 + irc: 5 2 + kerberos: 3 0 + ldap: 0 1 + mysql: 3 0 + netbios-dgm: 1 1 + netbios-ns: 4 3 + netbios-ssn: 69 17 + nntp: 2 0 + pop3: 23 117 + rdp: 5 0 + sip: 5 5 + smtp: 129 2 + snmp: 18 7 + ssdp: 3 0 + ssl: 20 42 + sunrpc: 68 4 + telnet: 12 6 + tftp: 1 0 + wins: 1 0 + total: 7071 1437 +-------------------------------------------------- +fast pattern groups + src: 114 + dst: 312 + any: 8 + to_server: 69 + to_client: 49 +-------------------------------------------------- +search engine (ac_bnfa) + instances: 335 + patterns: 10790 + pattern chars: 175259 + num states: 123288 + num match states: 10510 + memory scale: MB + total memory: 3.68362 + pattern memory: 0.578426 + match list memory: 1.33591 + transition memory: 1.72839 + fast pattern only: 7096 +appid: MaxRss diff: 226524 +appid: p-------------------------------------------------- +o")~ Snort++ 3.3.2.0 +-------------------------------------------------- +Loading /usr/local/etc/snort/snort.lua: +Loading snort_defaults.lua: +Finished snort_defaults.lua: + ssh + host_cache + pop + so_proxy + stream_tcp + mms + smtp + gtp_inspect + packets + dce_http_proxy + alert_fast + alert_csv + ips + stream_icmp + hosts + normalizer + binder + wizard + appid + js_norm + file_id + http2_inspect + http_inspect + stream_udp + ftp_data + ftp_server + search_engine + port_scan + dce_http_server + dce_tcp + dce_smb + iec104 + cip + telnet + ssl + sip + rpc_decode + netflow + modbus + host_tracker + stream_user + stream_ip + trace + back_orifice + classifications + dnp3 + active + process + ftp_client + daq + decode + alerts + stream + references + arp_spoof + output + network + dns + dce_udp + imap + file_policy + s7commplus + stream_file +Finished /usr/local/etc/snort/snort.lua: +Loading file_id.rules_file: +Loading file_magic.rules: +Finished file_magic.rules: +Finished file_id.rules_file: +Loading ips.rules: +Loading 
../rules/snort3-community-rules/snort3-community.rules: +Finished ../rules/snort3-community-rules/snort3-community.rules: +Loading ../rules/local.rules: +Finished ../rules/local.rules: +Finished ips.rules: +-------------------------------------------------- +ips policies rule stats + id loaded shared enabled file + 0 4239 0 4239 /usr/local/etc/snort/snort.lua +-------------------------------------------------- +rule counts + total rules loaded: 4239 + text rules: 4239 + option chains: 4239 + chain headers: 325 + flowbits: 48 + flowbits not checked: 23 +-------------------------------------------------- +port rule counts + tcp udp icmp ip + any 472 58 148 22 + src 170 15 0 0 + dst 775 150 0 0 + both 6 11 0 0 + total 1423 234 148 22 +-------------------------------------------------- +service rule counts to-srv to-cli + dcerpc: 72 20 + dhcp: 2 2 + dns: 28 7 + file_id: 219 219 + ftp: 90 4 + ftp-data: 1 96 + http: 2084 255 + http2: 2084 255 + http3: 2084 255 + imap: 35 117 + irc: 5 2 + kerberos: 3 0 + ldap: 0 1 + mysql: 3 0 + netbios-dgm: 1 1 + netbios-ns: 4 3 + netbios-ssn: 69 17 + nntp: 2 0 + pop3: 23 117 + rdp: 5 0 + sip: 5 5 + smtp: 129 2 + snmp: 18 7 + ssdp: 3 0 + ssl: 20 42 + sunrpc: 68 4 + telnet: 12 6 + tftp: 1 0 + wins: 1 0 + total: 7071 1437 +-------------------------------------------------- +fast pattern groups + src: 114 + dst: 312 + any: 8 + to_server: 69 + to_client: 49 +-------------------------------------------------- +search engine (ac_bnfa) + instances: 335 + patterns: 10790 + pattern chars: 175259 + num states: 123288 + num match states: 10510 + memory scale: MB + total memory: 3.68362 + pattern memory: 0.578426 + match list memory: 1.33591 + transition memory: 1.72839 + fast pattern only: 7096 +appid: MaxRss diff: 225688 +appid: p-------------------------------------------------- +o")~ Snort++ 3.3.2.0 +-------------------------------------------------- +Loading /usr/local/etc/snort/snort.lua: +Loading snort_defaults.lua: +Finished 
snort_defaults.lua: + ssh + host_cache + pop + so_proxy + stream_tcp + mms + smtp + gtp_inspect + packets + dce_http_proxy + alert_fast + alert_csv + ips + stream_icmp + hosts + normalizer + binder + wizard + appid + js_norm + file_id + http2_inspect + http_inspect + stream_udp + ftp_data + ftp_server + search_engine + port_scan + dce_http_server + dce_tcp + dce_smb + iec104 + cip + telnet + ssl + sip + rpc_decode + netflow + modbus + host_tracker + stream_user + stream_ip + trace + back_orifice + classifications + dnp3 + active + process + ftp_client + daq + decode + alerts + stream + references + arp_spoof + output + network + dns + dce_udp + imap + file_policy + s7commplus + stream_file +Finished /usr/local/etc/snort/snort.lua: +Loading file_id.rules_file: +Loading file_magic.rules: +Finished file_magic.rules: +Finished file_id.rules_file: +Loading ips.rules: +Loading ../rules/snort3-community-rules/snort3-community.rules: +Finished ../rules/snort3-community-rules/snort3-community.rules: +Loading ../rules/local.rules: +Finished ../rules/local.rules: +Finished ips.rules: +-------------------------------------------------- +ips policies rule stats + id loaded shared enabled file + 0 4239 0 4239 /usr/local/etc/snort/snort.lua +-------------------------------------------------- +rule counts + total rules loaded: 4239 + text rules: 4239 + option chains: 4239 + chain headers: 325 + flowbits: 48 + flowbits not checked: 23 +-------------------------------------------------- +port rule counts + tcp udp icmp ip + any 472 58 148 22 + src 170 15 0 0 + dst 775 150 0 0 + both 6 11 0 0 + total 1423 234 148 22 +-------------------------------------------------- +service rule counts to-srv to-cli + dcerpc: 72 20 + dhcp: 2 2 + dns: 28 7 + file_id: 219 219 + ftp: 90 4 + ftp-data: 1 96 + http: 2084 255 + http2: 2084 255 + http3: 2084 255 + imap: 35 117 + irc: 5 2 + kerberos: 3 0 + ldap: 0 1 + mysql: 3 0 + netbios-dgm: 1 1 + netbios-ns: 4 3 + netbios-ssn: 69 17 + nntp: 2 0 + pop3: 
23 117 + rdp: 5 0 + sip: 5 5 + smtp: 129 2 + snmp: 18 7 + ssdp: 3 0 + ssl: 20 42 + sunrpc: 68 4 + telnet: 12 6 + tftp: 1 0 + wins: 1 0 + total: 7071 1437 +-------------------------------------------------- +fast pattern groups + src: 114 + dst: 312 + any: 8 + to_server: 69 + to_client: 49 +-------------------------------------------------- +search engine (ac_bnfa) + instances: 335 + patterns: 10790 + pattern chars: 175259 + num states: 123288 + num match states: 10510 + memory scale: MB + total memory: 3.68362 + pattern memory: 0.578426 + match list memory: 1.33591 + transition memory: 1.72839 + fast pattern only: 7096 +appid: MaxRss diff: 228004 +appid: p-------------------------------------------------- +o")~ Snort++ 3.3.2.0 +-------------------------------------------------- +Loading /usr/local/etc/snort/snort.lua: +Loading snort_defaults.lua: +Finished snort_defaults.lua: + ssh + host_cache + pop + so_proxy + stream_tcp + mms + smtp + gtp_inspect + packets + dce_http_proxy + alert_fast + alert_csv + ips + stream_icmp + hosts + normalizer + binder + wizard + appid + js_norm + file_id + http2_inspect + http_inspect + stream_udp + ftp_data + ftp_server + search_engine + port_scan + dce_http_server + dce_tcp + dce_smb + iec104 + cip + telnet + ssl + sip + rpc_decode + netflow + modbus + host_tracker + stream_user + stream_ip + trace + back_orifice + classifications + dnp3 + active + process + ftp_client + daq + decode + alerts + stream + references + arp_spoof + output + network + dns + dce_udp + imap + file_policy + s7commplus + stream_file +Finished /usr/local/etc/snort/snort.lua: +Loading file_id.rules_file: +Loading file_magic.rules: +Finished file_magic.rules: +Finished file_id.rules_file: +Loading ips.rules: +Loading ../rules/snort3-community-rules/snort3-community.rules: +Finished ../rules/snort3-community-rules/snort3-community.rules: +Loading ../rules/local.rules: +Finished ../rules/local.rules: +Finished ips.rules: 
+-------------------------------------------------- +ips policies rule stats + id loaded shared enabled file + 0 4239 0 4239 /usr/local/etc/snort/snort.lua +-------------------------------------------------- +rule counts + total rules loaded: 4239 + text rules: 4239 + option chains: 4239 + chain headers: 325 + flowbits: 48 + flowbits not checked: 23 +-------------------------------------------------- +port rule counts + tcp udp icmp ip + any 472 58 148 22 + src 170 15 0 0 + dst 775 150 0 0 + both 6 11 0 0 + total 1423 234 148 22 +-------------------------------------------------- +service rule counts to-srv to-cli + dcerpc: 72 20 + dhcp: 2 2 + dns: 28 7 + file_id: 219 219 + ftp: 90 4 + ftp-data: 1 96 + http: 2084 255 + http2: 2084 255 + http3: 2084 255 + imap: 35 117 + irc: 5 2 + kerberos: 3 0 + ldap: 0 1 + mysql: 3 0 + netbios-dgm: 1 1 + netbios-ns: 4 3 + netbios-ssn: 69 17 + nntp: 2 0 + pop3: 23 117 + rdp: 5 0 + sip: 5 5 + smtp: 129 2 + snmp: 18 7 + ssdp: 3 0 + ssl: 20 42 + sunrpc: 68 4 + telnet: 12 6 + tftp: 1 0 + wins: 1 0 + total: 7071 1437 +-------------------------------------------------- +fast pattern groups + src: 114 + dst: 312 + any: 8 + to_server: 69 + to_client: 49 +-------------------------------------------------- +search engine (ac_bnfa) + instances: 335 + patterns: 10790 + pattern chars: 175259 + num states: 123288 + num match states: 10510 + memory scale: MB + total memory: 3.68362 + pattern memory: 0.578426 + match list memory: 1.33591 + transition memory: 1.72839 + fast pattern only: 7096 +appid: MaxRss diff: 226732 +appid: p \ No newline at end of file diff --git a/logstash.conf b/logstash.conf new file mode 100644 index 0000000..6f65bad --- /dev/null +++ b/logstash.conf 
@@ -0,0 +1,24 @@
+input {
+ file {
+ #https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html
+ #default is TAIL which assumes more data will come into the file.
+ #change to mode => "read" if the file is a compelte file. by default, the file will be removed once reading is complete -- backup your files if you need them.
+ mode => "tail"
+ path => "/usr/share/logstash/ingest_data/*"
+ }
+}
+
+
+filter {
+}
+
+
+output {
+ elasticsearch {
+ index => "logstash-%{+YYYY.MM.dd}"
+ hosts=> "${ELASTIC_HOSTS}"
+ user=> "${ELASTIC_USER}"
+ password=> "${ELASTIC_PASSWORD}"
+ cacert=> "certs/ca/ca.crt"
+ }
+}
diff --git a/logstash_ingest_data/alert_csv.txt b/logstash_ingest_data/alert_csv.txt
new file mode 100644
index 0000000..e69de29
diff --git a/logstash_ingest_data/alert_fast.txt b/logstash_ingest_data/alert_fast.txt
new file mode 100644
index 0000000..6ed4c6d
--- /dev/null
+++ b/logstash_ingest_data/alert_fast.txt
@@ -0,0 +1,6 @@
+08/22-19:30:41.554941 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
+08/22-19:30:42.578554 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
+08/22-19:30:43.602594 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
+08/22-19:30:44.626660 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
+08/22-19:30:45.650654 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
+08/22-19:30:46.674630 [**] [1:1000001:1] "ICMP connection test" [**] [Priority: 0] [AppID: ICMP] {ICMP} 192.168.57.1 -> 192.168.57.3
\ No newline at end of file
diff --git a/logstash_ingest_data/supervisor.log b/logstash_ingest_data/supervisor.log
new file mode 100644
index 0000000..8cb779f
--- /dev/null
+++ b/logstash_ingest_data/supervisor.log
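Review bot: `filter { }` is empty, so every line picked up from `/usr/share/logstash/ingest_data/*` — the alert_fast lines, the CSV file and supervisor.log alike — is indexed as one unparsed `message` field, which leaves no sid, source/destination address or priority to build Kibana detections on. Either parse the alert_fast format with a dissect/grok filter, or switch snort to the `alert_json` output and use a `json` filter, and narrow `path` so the supervisor log is not mixed into the same `logstash-*` index. The output also authenticates as `${ELASTIC_USER}`, which the compose file sets to `elastic`; an output plugin only needs a user with index privileges, not the superuser.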
@@ -0,0 +1,154 @@ +-------------------------------------------------- +o")~ Snort++ 3.3.2.0 +-------------------------------------------------- +Loading /usr/local/etc/snort/snort.lua: +Loading snort_defaults.lua: +Finished snort_defaults.lua: + ssh + host_cache + pop + so_proxy + stream_tcp + mms + smtp + gtp_inspect + packets + dce_http_proxy + alert_fast + alert_csv + ips + stream_icmp + hosts + normalizer + binder + wizard + appid + js_norm + file_id + http2_inspect + http_inspect + stream_udp + ftp_data + ftp_server + search_engine + port_scan + dce_http_server + dce_tcp + dce_smb + iec104 + cip + telnet + ssl + sip + rpc_decode + netflow + modbus + host_tracker + stream_user + stream_ip + trace + back_orifice + classifications + dnp3 + active + process + ftp_client + daq + decode + alerts + stream + references + arp_spoof + output + network + dns + dce_udp + imap + file_policy + s7commplus + stream_file +Finished /usr/local/etc/snort/snort.lua: +Loading file_id.rules_file: +Loading file_magic.rules: +Finished file_magic.rules: +Finished file_id.rules_file: +Loading ips.rules: +Loading ../rules/snort3-community-rules/snort3-community.rules: +Finished ../rules/snort3-community-rules/snort3-community.rules: +Loading ../rules/local.rules: +Finished ../rules/local.rules: +Finished ips.rules: +-------------------------------------------------- +ips policies rule stats + id loaded shared enabled file + 0 4239 0 4239 /usr/local/etc/snort/snort.lua +-------------------------------------------------- +rule counts + total rules loaded: 4239 + text rules: 4239 + option chains: 4239 + chain headers: 325 + flowbits: 48 + flowbits not checked: 23 +-------------------------------------------------- +port rule counts + tcp udp icmp ip + any 472 58 148 22 + src 170 15 0 0 + dst 775 150 0 0 + both 6 11 0 0 + total 1423 234 148 22 +-------------------------------------------------- +service rule counts to-srv to-cli + dcerpc: 72 20 + dhcp: 2 2 + dns: 28 7 + file_id: 219 219 + 
ftp: 90 4 + ftp-data: 1 96 + http: 2084 255 + http2: 2084 255 + http3: 2084 255 + imap: 35 117 + irc: 5 2 + kerberos: 3 0 + ldap: 0 1 + mysql: 3 0 + netbios-dgm: 1 1 + netbios-ns: 4 3 + netbios-ssn: 69 17 + nntp: 2 0 + pop3: 23 117 + rdp: 5 0 + sip: 5 5 + smtp: 129 2 + snmp: 18 7 + ssdp: 3 0 + ssl: 20 42 + sunrpc: 68 4 + telnet: 12 6 + tftp: 1 0 + wins: 1 0 + total: 7071 1437 +-------------------------------------------------- +fast pattern groups + src: 114 + dst: 312 + any: 8 + to_server: 69 + to_client: 49 +-------------------------------------------------- +search engine (ac_bnfa) + instances: 335 + patterns: 10790 + pattern chars: 175259 + num states: 123288 + num match states: 10510 + memory scale: MB + total memory: 3.68362 + pattern memory: 0.578426 + match list memory: 1.33591 + transition memory: 1.72839 + fast pattern only: 7096 +appid: MaxRss diff: 230232 +appid: p \ No newline at end of file diff --git a/snort-conf/snort.lua b/snort-conf/snort.lua index e03c071..9905891 100644 --- a/snort-conf/snort.lua +++ b/snort-conf/snort.lua @@ -21,7 +21,7 @@ -- HOME_NET and EXTERNAL_NET must be set now -- setup the network addresses you are protecting -HOME_NET = '192.168.88.0/24' +HOME_NET = '[10.0.0.0/8, 192.0.0.0/8, 172.0.0.0/8]' -- set up the external network addresses. -- (leave as "any" in most situations) @@ -99,7 +99,7 @@ appid = { -- appid requires this to use appids in rules --app_detector_dir = 'directory to load appid detectors from' - app_detector_dir = '/usr/local/lib', + app_detector_dir = '/usr/local/lib/openappid', log_stats = true, } @@ -196,6 +196,9 @@ ips = include $RULE_PATH/snort3-community-rules/snort3-community.rules include $RULE_PATH/local.rules ]] + + --include $RULE_PATH/appid-rules/appid.rules + --include $RULE_PATH/feodotracker/feodotracker.rules } -- use these to configure additional rule actions 
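Review bot: `HOME_NET = '[10.0.0.0/8, 192.0.0.0/8, 172.0.0.0/8]'` is far wider than the private ranges it seems to target: 192.0.0.0/8 and 172.0.0.0/8 cover large amounts of public address space, so if EXTERNAL_NET is derived from it (the usual `!$HOME_NET`; that line sits just past this hunk and is not visible), traffic from real Internet hosts in those /8s is treated as internal and rules keyed on `$EXTERNAL_NET -> $HOME_NET` silently stop matching. The RFC 1918 set is `HOME_NET = '[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]'`; if the lab is only the 192.168.57.0/24 seen in the sample alert_fast.txt, that single /24 is tighter still.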
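Review bot: the Dockerfile now installs three extra rule sets under `$RULE_PATH` (feodotracker, appid-rules, emerging-rules) but the ips hunk loads none of them: the two added `include` lines are commented out and emerging-rules gets no include at all, so the runtime rule count stays at the community set. If they are meant to be off by default, a comment saying why (and naming the rule file inside each tarball, which is not visible here) stops the next reader from assuming they are active; otherwise uncomment them and add `include $RULE_PATH/emerging-rules/<RULES_FILE>`.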
@@ -255,11 +258,13 @@ rate_filter = -- event logging -- you can enable with defaults from the command line with -A -- uncomment below to set non-default configs ---alert_csv = { } +alert_csv = { + file = true, +} alert_fast = { - file = true, - packet = false, - limit = 10, + file = true, + packet = false, + limit = 10, } --alert_full = { } --alert_sfsocket = { } diff --git a/supervisord.conf b/supervisord.conf index b2103da..f6c7072 100644 --- a/supervisord.conf +++ b/supervisord.conf @@ -1,9 +1,6 @@ [supervisord] nodaemon=true -[program:sshd] -command=/usr/sbin/sshd -D - #[program:snort-agent] #command=/usr/bin/python3 /usr/local/src/snort-agent/snort-agent.py #stdout_logfile=/var/log/supervisor.log
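Review bot: `alert_csv = { file = true }` sets no `limit`, while the `alert_fast` block beside it rolls over at 10 MB, so on the shared `logstash_ingest_data` volume the CSV file grows without bound. `alert_csv = { file = true, limit = 10, }` keeps the two outputs consistent. The `alert_fast` part of this hunk is a whitespace-only re-indent.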