HELK 6.2.3-041018
Docker-Compose File + Split helk-elk service in 3 (Elasticsearch, Logstash, Kibana) HELK-base + New Docker Base image applied to all HELK's Docker images HELK-analytics + updated file due to new helk-base image HELK-elk + Removed Helk-elk folder HELK-kafka + Updated it to version 1.1.0 HELK-Logstash + Updated all files to point to helk-kafka and helk-elasticsearch (New image after splitting helk-elk) New Docker Images + helk-elasticsearch + helk-logstash + helk-kibana + helk-nginx HELK-nginx + Removed route to elasticsearch:8082. Cerebro can now point to 172.18.0.2 (Internal Docker IP) HELK-Install + organized script a little better by creating install_docker and install_docker_compose functions HELK-kibana + updated Kibana configuration to set Kibana server to the name of the service helk-kibana. It allows remote connections to it (internally among docker images) + Updated elasticsearch url to new docker image (helk-elasticsearch:9200) HELK-kafka + updated internal listeners on each broker to helk-kafkakeyword-vs-text-changes
parent
c43eaa08e3
commit
6054e2be9a
@ -1,10 +1,9 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
helk-elk:
|
||||
image: cyb3rward0g/helk-elk:6.2.3
|
||||
container_name: helk-elk
|
||||
helk-elasticsearch:
|
||||
image: cyb3rward0g/helk-elasticsearch:6.2.3
|
||||
container_name: helk-elasticsearch
|
||||
volumes:
|
||||
- esdata:/var/lib/elasticsearch
|
||||
environment:
|
||||
|
@ -14,18 +13,52 @@ services:
|
|||
soft: -1
|
||||
hard: -1
|
||||
ports:
|
||||
- "80:80"
|
||||
- "5044:5044"
|
||||
- "9000:9000"
|
||||
- "8082:8082"
|
||||
restart: always
|
||||
networks:
|
||||
helk:
|
||||
ipv4_address: 172.18.0.2
|
||||
aliases:
|
||||
- helk_elk.hunt.local
|
||||
- helk_elasticsearch.hunt.local
|
||||
helk-logstash:
|
||||
image: cyb3rward0g/helk-logstash:6.2.3
|
||||
container_name: helk-logstash
|
||||
ports:
|
||||
- "5044:5044"
|
||||
restart: always
|
||||
depends_on:
|
||||
- helk-elasticsearch
|
||||
networks:
|
||||
helk:
|
||||
ipv4_address: 172.18.0.5
|
||||
aliases:
|
||||
- helk_logstash.hunt.local
|
||||
helk-kibana:
|
||||
image: cyb3rward0g/helk-kibana:6.2.3
|
||||
container_name: helk-kibana
|
||||
restart: always
|
||||
depends_on:
|
||||
- helk-elasticsearch
|
||||
networks:
|
||||
helk:
|
||||
ipv4_address: 172.18.0.6
|
||||
aliases:
|
||||
- helk_kibana.hunt.local
|
||||
helk-nginx:
|
||||
image: cyb3rward0g/helk-nginx:0.0.1
|
||||
container_name: helk-nginx
|
||||
ports:
|
||||
- "80:80"
|
||||
restart: always
|
||||
depends_on:
|
||||
- helk-elasticsearch
|
||||
networks:
|
||||
helk:
|
||||
ipv4_address: 172.18.0.7
|
||||
aliases:
|
||||
- helk_nginx.hunt.local
|
||||
helk-kafka:
|
||||
image: cyb3rward0g/helk-kafka:1.0.1
|
||||
image: cyb3rward0g/helk-kafka:0.0.1
|
||||
container_name: helk-kafka
|
||||
env_file: ./helk.env
|
||||
ports:
|
||||
|
@ -35,21 +68,21 @@ services:
|
|||
- "9094:9094"
|
||||
restart: always
|
||||
depends_on:
|
||||
- helk-elk
|
||||
- helk-elasticsearch
|
||||
networks:
|
||||
helk:
|
||||
ipv4_address: 172.18.0.3
|
||||
aliases:
|
||||
- helk_kafka.hunt.local
|
||||
helk-analytics:
|
||||
image: cyb3rward0g/helk-analytics:0.0.2
|
||||
image: cyb3rward0g/helk-analytics:0.0.3
|
||||
container_name: helk-analytics
|
||||
ports:
|
||||
- "8880:8880"
|
||||
- "4040:4040"
|
||||
restart: always
|
||||
depends_on:
|
||||
- helk-elk
|
||||
- helk-elasticsearch
|
||||
networks:
|
||||
helk:
|
||||
ipv4_address: 172.18.0.4
|
||||
|
|
|
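Review bot: In the `helk-nginx` service (second hunk) `depends_on` lists only `helk-elasticsearch`, not `helk-kibana`, the service the proxy presumably fronts, so nginx is ordered only relative to Elasticsearch; consider `depends_on: [helk-elasticsearch, helk-kibana]`, bearing in mind that `depends_on` orders container start, not readiness, so the entrypoint still needs its own wait. Separately, `helk-nginx` publishes only `"80:80"`: if the front-end still uses the htpasswd basic auth that the removed helk-elk Dockerfile installed, those credentials cross the network in cleartext, and publishing 443 with a TLS-terminated server block would close that. Whether any of the old `"80:80"`/`"5044:5044"`/`"8082:8082"` mappings survive on `helk-elasticsearch` cannot be told from this rendering; if they do, they duplicate ports now owned by `helk-nginx` and `helk-logstash` and should be dropped.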
@ -3,7 +3,7 @@
|
|||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
FROM phusion/baseimage
|
||||
FROM cyb3rward0g/helk-base:0.0.1
|
||||
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
|
||||
LABEL description="Dockerfile base for HELK Analytics."
|
||||
|
||||
|
@ -16,20 +16,12 @@ RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
|
|||
&& echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
|
||||
&& apt-get install -qqy \
|
||||
openjdk-8-jre-headless \
|
||||
wget \
|
||||
sudo \
|
||||
nano \
|
||||
python3-pip \
|
||||
python-tk \
|
||||
unzip \
|
||||
zip \
|
||||
locales
|
||||
unzip
|
||||
|
||||
RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
|
||||
locale-gen
|
||||
RUN apt-get -qy clean \
|
||||
autoremove \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
autoremove
|
||||
|
||||
# *********** Upgrading PIP ***************
|
||||
RUN pip3 install --upgrade pip
|
||||
|
@ -55,7 +47,7 @@ RUN pip3 install scipy==1.0.0 \
|
|||
bokeh==0.12.14
|
||||
|
||||
# *********** Creating the right directories ***************
|
||||
RUN bash -c 'mkdir -pv /opt/helk/{scripts,training,es-hadoop,spark}'
|
||||
RUN bash -c 'mkdir -pv /opt/helk/{training,es-hadoop,spark}'
|
||||
|
||||
# *********** Adding HELK scripts and files to Container ***************
|
||||
ADD scripts/analytics-entrypoint.sh /opt/helk/scripts/
|
||||
|
|
|
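Review bot: The cleanup step `RUN apt-get -qy clean \ autoremove \ && rm -rf /var/lib/apt/lists/*` in the second hunk runs as its own layer after the `apt-get install` layer, so the lists and caches it deletes are still stored in the earlier layer and the image does not shrink; fold it into the install `RUN` (whose first line is above the hunk). Also `apt-get -qy clean autoremove` passes `autoremove` as an argument to the `clean` command rather than running a second command, so I would expect it to be ignored or rejected instead of removing anything; write `&& apt-get -qy clean && apt-get -qy autoremove`. The same construct appears in the new helk-base and helk-elasticsearch Dockerfiles further down. The install list has no `--no-install-recommends` and `pip3 install --upgrade pip` is unpinned, so rebuilds are not reproducible. `ADD scripts/analytics-entrypoint.sh /opt/helk/scripts/` in the third hunk copies a plain local file and should be `COPY`.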
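--- /dev/null
+++ b/PATH-NOT-SHOWN-helk-base-Dockerfile
@@ -0,0 +1,29 @@
+# HELK script: HELK Base Image Dockerfile
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+FROM phusion/baseimage:0.10.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base Image.."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-BASE-INFO] Updating Ubuntu base image.." \
+&& apt-get update -qq \
+&& echo "[HELK-DOCKER-BASE-INFO] Extracting templates from packages.." \
+&& apt-get install -qqy \
+wget \
+sudo \
+nano
+
+RUN apt-get -qy clean \
+autoremove \
+&& rm -rf /var/lib/apt/lists/*
+
+# *********** Creating the right directories ***************
+RUN bash -c 'mkdir -pv /opt/helk/scripts'
+
+CMD ["/sbin/my_init"]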
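Review bot: `ENV DEBIAN_FRONTEND noninteractive` uses the deprecated space-separated form and, because this image is the base for every HELK image, it persists into the runtime environment of all derived containers; make it build-only with `ARG DEBIAN_FRONTEND=noninteractive` (re-declared in each child Dockerfile) or inline it on the `apt-get` line. The `apt-get clean`/`rm -rf /var/lib/apt/lists/*` step is a separate layer from the install, so the deleted files stay in the install layer and the image does not shrink; merge the two `RUN`s as sketched below. `sudo` and `nano` are installed here and thereby land in every HELK container; the only `sudo` uses visible in this commit are build steps that already run as root, so both could be dropped once the children stop prefixing `tar` with `sudo`. No `USER` is set and `CMD ["/sbin/my_init"]` keeps the container root, which is the phusion convention but is inherited by every child, so each child should be reviewed for whether it needs it.
```dockerfile
# … unchanged: header comments, FROM, LABELs …
ARG DEBIAN_FRONTEND=noninteractive

# *********** Installing Prerequisites ***************
# -qq : No output except for errors
RUN echo "[HELK-DOCKER-BASE-INFO] Updating Ubuntu base image.." \
    && apt-get update -qq \
    && echo "[HELK-DOCKER-BASE-INFO] Extracting templates from packages.." \
    && apt-get install -qqy --no-install-recommends \
        nano \
        sudo \
        wget \
    && apt-get -qy clean \
    && apt-get -qy autoremove \
    && rm -rf /var/lib/apt/lists/*
# … unchanged: directory creation, CMD …
```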
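--- /dev/null
+++ b/PATH-NOT-SHOWN-helk-elasticsearch-Dockerfile
@@ -0,0 +1,70 @@
+# HELK script: HELK Elasticsearch Dockerfile
+# HELK build version: 0.9 (ALPHA)
+# HELK ELK version: 6.2.3
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# References:
+# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
+# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
+
+FROM cyb3rward0g/helk-base:0.0.1
+LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
+LABEL description="Dockerfile base for the HELK Elasticsearch."
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# *********** Installing Prerequisites ***************
+# -qq : No output except for errors
+RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
+&& apt-get update -qq \
+&& echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
+&& apt-get install -qqy \
+openjdk-8-jre-headless
+
+RUN apt-get -qy clean \
+autoremove
+
+# *********** Creating the right directories ***************
+RUN bash -c 'mkdir -pv /opt/helk/{elasticsearch,cerebro}'
+
+# *********** Adding HELK scripts and files to Container ***************
+ADD scripts/entrypoint.sh /opt/helk/scripts/
+RUN chmod +x /opt/helk/scripts/entrypoint.sh
+
+# *********** ELK Version ***************
+ENV ELK_VERSION=6.2.3
+
+# *********** Installing Elasticsearch ***************
+ENV ES_HELK_HOME=/opt/helk/elasticsearch
+ENV ES_HOME=/usr/share/elasticsearch
+ENV ES_PATH_CONF=/etc/elasticsearch
+ENV ES_PATH_DATA=/var/lib/elasticsearch
+ENV ES_PATH_LOGS=/var/log/elasticsearch
+ENV ES_GID=707
+ENV ES_UID=707
+
+RUN wget -qO- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${ES_HELK_HOME} --strip-components=1 \
+&& cp -r ${ES_HELK_HOME}/ ${ES_HOME}/ \
+&& mkdir -pv ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS} \
+&& mv /usr/share/elasticsearch/config/* ${ES_PATH_CONF}
+ADD elasticsearch /etc/default/elasticsearch
+ADD elasticsearch-init /etc/init.d/elasticsearch
+ADD elasticsearch.yml /etc/elasticsearch/
+RUN groupadd -r elasticsearch -g ${ES_GID} \
+&& useradd -r -s /usr/sbin/nologin -M -c "Elasticsearch user" -u ${ES_UID} -g elasticsearch elasticsearch \
+&& chown -R elasticsearch:elasticsearch ${ES_HOME} ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS}
+
+VOLUME /var/lib/elasticsearch
+
+# *********** Install Cerebro ***************
+ENV CEREBRO_HOME=/opt/helk/cerebro
+ENV CEREBRO_LOGS_PATH=/var/log/cerebro
+RUN wget -qO- https://github.com/lmenezes/cerebro/releases/download/v0.7.2/cerebro-0.7.2.tgz | sudo tar xvz -C ${CEREBRO_HOME} \
+&& mkdir -v $CEREBRO_LOGS_PATH
+ADD cerebro-init /etc/init.d/cerebro
+
+# *********** RUN HELK ***************
+EXPOSE 9000
+WORKDIR "/opt/helk/scripts/"
+ENTRYPOINT ["./entrypoint.sh"]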
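Review bot: Both `wget -qO- … | sudo tar xvz` steps (the Elasticsearch tarball and the Cerebro release) extract whatever the download returns without verifying it, so a tampered or truncated archive produces an image that is indistinguishable from a good one; Elastic publishes a `.sha512` alongside each tarball, so download to a file and run `sha512sum -c` before extracting, and for Cerebro, which I do not believe ships a checksum, record the expected SHA-256 in the Dockerfile and check it the same way (the fence below uses a labelled placeholder for that value). `sudo` is unnecessary in these steps because build steps already run as root. This Dockerfile's `RUN apt-get -qy clean \ autoremove` lacks the `&& rm -rf /var/lib/apt/lists/*` that the helk-base and helk-analytics versions in this commit have, and in any case `clean autoremove` passes `autoremove` as an argument to `clean` rather than running it. `ENV DEBIAN_FRONTEND noninteractive` uses the legacy format and leaks into the runtime environment of the container. The three `ADD` lines for local files should be `COPY`, and `cp -r ${ES_HELK_HOME}/ ${ES_HOME}/` leaves a full second copy of the distribution under `/opt/helk/elasticsearch` in the image, where a `mv` would do.
```dockerfile
# … unchanged: ES_* ENV lines …
RUN wget -q -P /tmp https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELK_VERSION}.tar.gz \
    && wget -q -P /tmp https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELK_VERSION}.tar.gz.sha512 \
    && (cd /tmp && sha512sum -c elasticsearch-${ELK_VERSION}.tar.gz.sha512) \
    && tar xzf /tmp/elasticsearch-${ELK_VERSION}.tar.gz -C ${ES_HELK_HOME} --strip-components=1 \
    && rm -f /tmp/elasticsearch-${ELK_VERSION}.tar.gz /tmp/elasticsearch-${ELK_VERSION}.tar.gz.sha512 \
    && cp -r ${ES_HELK_HOME}/ ${ES_HOME}/ \
    && mkdir -pv ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS} \
    && mv /usr/share/elasticsearch/config/* ${ES_PATH_CONF}
# … unchanged: config files, elasticsearch user, VOLUME, CEREBRO_* ENV …
# <CEREBRO_0_7_2_SHA256> is a placeholder: record the digest of the release you verified.
RUN wget -q -P /tmp https://github.com/lmenezes/cerebro/releases/download/v0.7.2/cerebro-0.7.2.tgz \
    && echo "<CEREBRO_0_7_2_SHA256>  /tmp/cerebro-0.7.2.tgz" | sha256sum -c - \
    && tar xzf /tmp/cerebro-0.7.2.tgz -C ${CEREBRO_HOME} \
    && rm -f /tmp/cerebro-0.7.2.tgz \
    && mkdir -v $CEREBRO_LOGS_PATH
```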
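--- /dev/null
+++ b/PATH-NOT-SHOWN-scripts/entrypoint.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# HELK script: entrypoint.sh
+# HELK script description: Restarts and runs elasticsearch service
+# HELK build version: 0.9 (Alpha)
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: BSD 3-Clause
+
+# Start graceful termination of elasticsearch service that might be running before running the entrypoint script.
+_term() {
+echo "Terminating elasticsearch service"
+service elasticsearch stop
+service cerebro stop
+exit 0
+}
+trap _term SIGTERM
+
+# Removing PID files just in case the graceful termination fails
+rm -f /var/run/elasticsearch/elasticsearch.pid
+
+# *********** Setting ES Heap Size***************
+# https://serverfault.com/questions/881383/automatically-set-java-heap-size-for-elasticsearch-on-linux
+memoryInKb="$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
+heapSize="$(expr $memoryInKb / 1024 / 1000 / 2)"
+sed -i "s/#*-Xmx[0-9]\+g/-Xmx${heapSize}g/g" /etc/elasticsearch/jvm.options
+sed -i "s/#*-Xms[0-9]\+g/-Xms${heapSize}g/g" /etc/elasticsearch/jvm.options
+
+# *********** Start elasticsearch services ***************
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Elasticsearch service"
+service elasticsearch start
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
+until curl -s localhost:9200 -o /dev/null; do
+sleep 1
+done
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Cerebro service"
+service cerebro start
+
+echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Elasticsearch Logs to console.."
+tail -f /var/log/elasticsearch/*.log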
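Review bot: The `_term` handler cannot run while `tail -f /var/log/elasticsearch/*.log` is the foreground job: a POSIX shell defers a trapped signal until the foreground command returns, so `docker stop` waits out its timeout and SIGKILLs the container without `service elasticsearch stop` ever executing; run the follower in the background and wait on it, `tail -f /var/log/elasticsearch/*.log & wait $!`, so the trap fires. The heap computation `expr $memoryInKb / 1024 / 1000 / 2` yields `0` on hosts with under 2 GB, which writes `-Xmx0g` into jvm.options, and it has no upper bound; clamp it with `[ "$heapSize" -lt 1 ] && heapSize=1` and `[ "$heapSize" -gt 31 ] && heapSize=31`. It is also sized from the host's `/proc/meminfo`, not from any memory limit applied to the container, so a container limit below half the host RAM would be exceeded. `curl` is not installed by any Dockerfile in this commit, so unless the phusion base ships it the readiness loop never ends; `wget -q -O /dev/null localhost:9200` uses the package helk-base does install.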
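--- a/PATH-NOT-SHOWN-helk-elk-Dockerfile
+++ /dev/null
@@ -1,144 +0,0 @@
-# HELK script: HELK ELK Dockerfile
-# HELK build version: 0.9 (ALPHA)
-# HELK ELK version: 6.2.3
-# Author: Roberto Rodriguez (@Cyb3rWard0g)
-# License: BSD 3-Clause
-
-# References:
-# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
-# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
-
-FROM phusion/baseimage
-LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
-LABEL description="Dockerfile base for the HELK ELK."
-
-ENV DEBIAN_FRONTEND noninteractive
-
-# *********** Installing Prerequisites ***************
-# -qq : No output except for errors
-RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
-&& apt-get update -qq \
-&& echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
-&& apt-get install -qqy \
-openjdk-8-jre-headless \
-wget \
-sudo \
-nano \
-python \
-python-pip \
-unzip
-
-RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
-locale-gen
-RUN apt-get -qy clean \
-autoremove
-
-# *********** Upgrading PIP ***************
-RUN pip install --upgrade pip
-
-# *********** Installing HELK python packages ***************
-RUN pip install \
-OTXv2 \
-pandas==0.22.0
-
-# *********** Creating the right directories ***************
-#RUN bash -c 'mkdir -pv /opt/helk/{scripts,training,otx,es-hadoop,spark,output_templates,dashboards,kafka,elasticsearch,logstash,kibana,cerebro,ksql}'
-RUN bash -c 'mkdir -pv /opt/helk/{scripts,otx,output_templates,dashboards,elasticsearch,logstash,kibana,cerebro,ksql}'
-
-# *********** Adding HELK scripts and files to Container ***************
-ADD scripts/helk_otx.py /opt/helk/scripts/
-ADD scripts/elk-kibana-setup.sh /opt/helk/scripts/
-ADD scripts/elk-entrypoint.sh /opt/helk/scripts/
-RUN chmod +x /opt/helk/scripts/elk-kibana-setup.sh
-RUN chmod +x /opt/helk/scripts/elk-entrypoint.sh
-
-# *********** ELK Version ***************
-ENV ELK_VERSION=6.2.3
-
-# *********** Installing Elasticsearch ***************
-ENV ES_HELK_HOME=/opt/helk/elasticsearch
-ENV ES_HOME=/usr/share/elasticsearch
-ENV ES_PATH_CONF=/etc/elasticsearch
-ENV ES_PATH_DATA=/var/lib/elasticsearch
-ENV ES_PATH_LOGS=/var/log/elasticsearch
-ENV ES_GID=707
-ENV ES_UID=707
-
-RUN wget -qO- https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${ES_HELK_HOME} --strip-components=1 \
-&& cp -r ${ES_HELK_HOME}/ ${ES_HOME}/ \
-&& mkdir -pv ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS} \
-&& mv /usr/share/elasticsearch/config/* ${ES_PATH_CONF}
-ADD elasticsearch/elasticsearch /etc/default/elasticsearch
-ADD elasticsearch/elasticsearch-init /etc/init.d/elasticsearch
-ADD elasticsearch/elasticsearch.yml /etc/elasticsearch/
-RUN groupadd -r elasticsearch -g ${ES_GID} \
-&& useradd -r -s /usr/sbin/nologin -M -c "Elasticsearch user" -u ${ES_UID} -g elasticsearch elasticsearch \
-&& chown -R elasticsearch:elasticsearch ${ES_HOME} ${ES_PATH_CONF} ${ES_PATH_DATA} ${ES_PATH_LOGS}
-
-VOLUME /var/lib/elasticsearch
-
-# *********** Installing Kibana ***************
-ENV KIBANA_HELK_HOME=/opt/helk/kibana
-ENV KIBANA_HOME=/usr/share/kibana
-ENV KIBANA_PATH_CONF=/etc/kibana
-ENV KIBANA_PATH_LOGS=/var/log/kibana
-ENV KIBANA_GID=708
-ENV KIBANA_UID=708
-
-RUN wget -qO- https://artifacts.elastic.co/downloads/kibana/kibana-${ELK_VERSION}-linux-x86_64.tar.gz | sudo tar xvz -C ${KIBANA_HELK_HOME} --strip-components=1 \
-&& cp -r ${KIBANA_HELK_HOME}/ ${KIBANA_HOME}/ \
-&& mkdir -pv ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} \
-&& mv /usr/share/kibana/config/* ${KIBANA_PATH_CONF}
-ADD kibana/kibana-init /etc/init.d/kibana
-ADD kibana/kibana.yml ${KIBANA_PATH_CONF}
-ADD kibana/dashboards/ /opt/helk/dashboards/
-RUN groupadd -r kibana -g ${KIBANA_GID} \
-&& useradd -r -s /usr/sbin/nologin -M -c "Kibana user" -u ${KIBANA_UID} -g kibana kibana \
-&& chown -R kibana:kibana ${KIBANA_HOME} ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} /opt/helk/dashboards
-
-# *********** Installing Logstash ***************
-ENV LOGSTASH_HELK_HOME=/opt/helk/logstash
-ENV LS_HOME=/usr/share/logstash
-ENV LS_SETTINGS_DIR=/etc/logstash
-ENV LS_CONF_PATH=/etc/logstash/pipeline
-ENV LS_LOGS_PATH=/var/log/logstash
-ENV LS_GID=709
-ENV LS_UID=709
-
-RUN wget -qO- https://artifacts.elastic.co/downloads/logstash/logstash-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${LOGSTASH_HELK_HOME} --strip-components=1 \
-&& cp -r ${LOGSTASH_HELK_HOME}/ ${LS_HOME}/ \
-&& mkdir -pv ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} \
-&& mv /usr/share/logstash/config/* ${LS_SETTINGS_DIR}
-ADD logstash/logstash-init /etc/init.d/logstash
-ADD logstash/pipeline/* ${LS_CONF_PATH}/
-ADD logstash/logstash.yml ${LS_SETTINGS_DIR}
-ADD logstash/output_templates/* /opt/helk/output_templates/
-RUN groupadd -r logstash -g ${LS_GID} \
-&& useradd -r -s /usr/sbin/nologin -M -c "Logstash user" -u ${LS_UID} -g logstash logstash \
-&& chown -R logstash:logstash ${LS_HOME} ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} /opt/helk/output_templates
-
-# *********** Installing Nginx ***************
-RUN apt-get install -qqy nginx \
-&& mv /etc/nginx/sites-available/default /etc/nginx/sites-available/backup_default
-ADD nginx/htpasswd.users /etc/nginx/
-ADD nginx/default /etc/nginx/sites-available/
-RUN apt-get update -qq
-
-# *********** Copying Intel files to HELK ***************
-ADD enrichments/otx/ /opt/helk/otx/
-
-# *********** Creating Cron Job to run OTX script every monday at 8AM and capture last 30 days of Intel *************
-RUN cronjob="0 8 * * 1 python /opt/helk/scripts/helk_otx.py" \
-&& echo "$cronjob" | crontab
-
-# *********** Install Cerebro ***************
-ENV CEREBRO_HOME=/opt/helk/cerebro
-ENV CEREBRO_LOGS_PATH=/var/log/cerebro
-RUN wget -qO- https://github.com/lmenezes/cerebro/releases/download/v0.7.2/cerebro-0.7.2.tgz | sudo tar xvz -C ${CEREBRO_HOME} \
-&& mkdir -v $CEREBRO_LOGS_PATH
-ADD cerebro/cerebro-init /etc/init.d/cerebro
-
-# *********** RUN HELK ***************
-EXPOSE 80 5044 9000 8082
-WORKDIR "/opt/helk/scripts/"
-ENTRYPOINT ["./elk-entrypoint.sh"]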
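--- a/PATH-NOT-SHOWN-otx-hash-list.csv
+++ /dev/null
@@ -1 +0,0 @@
-E160EF8E55BB9D162DA4E266AFD9EEF3,CBT-Locker ransomeware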
@ -1,263 +0,0 @@
|
|||
185.69.153.72,CVE-2016-7262 from Kyrgyzstan
|
||||
104.144.207.207,Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions
|
||||
138.68.234.128,Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions
|
||||
104.237.233.38,A dive into MuddyWater APT targeting Middle-East
|
||||
148.251.204.131,A dive into MuddyWater APT targeting Middle-East
|
||||
78.129.139.134,A dive into MuddyWater APT targeting Middle-East
|
||||
78.129.139.147,A dive into MuddyWater APT targeting Middle-East
|
||||
88.99.17.148,A dive into MuddyWater APT targeting Middle-East
|
||||
115.68.49.179,UBoatRAT Navigates East Asia
|
||||
115.68.49.180,UBoatRAT Navigates East Asia
|
||||
115.68.52.66,UBoatRAT Navigates East Asia
|
||||
122.147.187.173,UBoatRAT Navigates East Asia
|
||||
124.150.140.131,UBoatRAT Navigates East Asia
|
||||
60.248.190.36,UBoatRAT Navigates East Asia
|
||||
80.211.173.20,A New Mirai Variant is Spreading Quickly on Port 23 and 2323
|
||||
93.115.38.178,The New and Improved macOS Backdoor from OceanLotus
|
||||
106.187.38.21,Muddying the Water: Targeted Attacks in the Middle East
|
||||
138.201.75.227,Muddying the Water: Targeted Attacks in the Middle East
|
||||
144.76.109.88,Muddying the Water: Targeted Attacks in the Middle East
|
||||
148.251.204.131,Muddying the Water: Targeted Attacks in the Middle East
|
||||
151.80.14.194,Recent InPage Exploits Lead to Multiple Malware Families
|
||||
185.121.177.177,CHTHONIC and DIMNIE Campaign Targets Russia
|
||||
103.208.86.92,CHTHONIC and DIMNIE Campaign Targets Russia
|
||||
194.67.211.202,Fake Flash Player Update Linked to Watering Hole Attack on Popular News Site
|
||||
89.26.243.21,Fake Flash Player Update Linked to Watering Hole Attack on Popular News Site
|
||||
89.26.243.22,Fake Flash Player Update Linked to Watering Hole Attack on Popular News Site
|
||||
47.89.250.152,Locky ransomware adds anti sandbox feature
|
||||
185.10.58.170,Sofacys Komplex OS X Trojan
|
||||
169.255.137.203,Introducing WhiteBear
|
||||
217.171.86.137,Introducing WhiteBear
|
||||
66.178.107.140,Introducing WhiteBear
|
||||
169.255.137.203,Gazing at Gazer - Turlas new second stage backdoor
|
||||
217.171.86.137,Gazing at Gazer - Turlas new second stage backdoor
|
||||
185.162.235.121,Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
|
||||
74.91.19.122,Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
|
||||
27.255.83.3,Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures
|
||||
103.240.140.152,SSHPsychos
|
||||
162.218.112.7,SSHPsychos
|
||||
169.254.61.191,OPERATION QUANTUM ENTANGLEMENT
|
||||
169.254.163.19,OPERATION QUANTUM ENTANGLEMENT
|
||||
47.88.52.220,Ukranian Accounting Software Site Delivering Malware
|
||||
46.20.33.219,Ukranian Accounting Software Site Delivering Malware
|
||||
203.248.116.182,Paranoid PlugX
|
||||
138.201.44.3,Footprints of Fin7
|
||||
198.100.119.6,Footprints of Fin7
|
||||
5.149.250.235,Footprints of Fin7
|
||||
91.214.70.69,Malicious Scanbox Host
|
||||
138.68.242.68,Further Gaza Cybergang Activity
|
||||
165.194.123.67,Backdoor.Rifelku
|
||||
119.28.78.131,Gryphon Ransomware
|
||||
104.223.89.174,Dreambot post infection traffic
|
||||
37.1.202.26,Karagany.B
|
||||
37.1.219.31,Karagany.B
|
||||
5.61.39.179,Karagany.B
|
||||
45.125.12.147,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
|
||||
116.193.154.69,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
|
||||
103.242.134.243,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
|
||||
103.40.102.233,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
|
||||
112.10.117.47,It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
|
||||
164.132.50.32,Recent Emotet Malware
|
||||
173.212.192.45,Recent Emotet Malware
|
||||
178.62.175.211,Recent Emotet Malware
|
||||
178.79.132.214,Recent Emotet Malware
|
||||
192.81.212.79,Recent Emotet Malware
|
||||
74.208.17.10,Recent Emotet Malware
|
||||
93.180.157.92,Recent Emotet Malware
|
||||
158.69.199.223,Recent Emotet Malware
|
||||
176.119.28.74,"MARCHER GETS CLOSE TO USERS BY TARGETING MOBILE BANKING, ANDROID APPS, SOCIAL MEDIA, AND EMAIL"
|
||||
107.170.240.244,Microsoft Office OLE2Link vulnerability samples - a quick triage
|
||||
212.86.115.71,Microsoft Office OLE2Link vulnerability samples - a quick triage
|
||||
46.102.152.129,Microsoft Office OLE2Link vulnerability samples - a quick triage
|
||||
95.141.38.110,Microsoft Office OLE2Link vulnerability samples - a quick triage
|
||||
95.46.99.199,Microsoft Office OLE2Link vulnerability samples - a quick triage
|
||||
101.165.141.2,Dridex Malspam
|
||||
107.170.0.14,Dridex Malspam
|
||||
109.170.219.19,Dridex Malspam
|
||||
117.120.7.82,Dridex Malspam
|
||||
174.104.208.57,Dridex Malspam
|
||||
175.32.140.13,Dridex Malspam
|
||||
179.108.87.11,Dridex Malspam
|
||||
213.214.50.60,Dridex Malspam
|
||||
23.95.23.219,Dridex Malspam
|
||||
37.120.172.171,Dridex Malspam
|
||||
66.214.155.189,Dridex Malspam
|
||||
8.8.247.36,Dridex Malspam
|
||||
86.3.169.110,Dridex Malspam
|
||||
86.4.149.217,Dridex Malspam
|
||||
88.177.240.182,Dridex Malspam
|
||||
90.219.218.80,Dridex Malspam
|
||||
95.145.161.76,Dridex Malspam
|
||||
122.10.91.133,Recent PlugX Samples
|
||||
118.193.225.133,Flying Dragon Eye: Uyghur Themed Threat Activity
|
||||
118.193.240.195,Flying Dragon Eye: Uyghur Themed Threat Activity
|
||||
59.188.83.144,Flying Dragon Eye: Uyghur Themed Threat Activity
|
||||
118.193.240.218,Flying Dragon Eye: Uyghur Themed Threat Activity
|
||||
210.209.118.87,Flying Dragon Eye: Uyghur Themed Threat Activity
|
||||
212.47.254.187,A Mole exposing itself to sunlight
|
||||
80.78.251.138,Rurktar Backdoor
|
||||
80.78.251.148,Rurktar Backdoor
|
||||
46.148.18.122,LuaBot: Malware targeting cable modems
|
||||
80.87.205.92,LuaBot: Malware targeting cable modems
|
||||
193.169.252.102,MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks
|
||||
198.100.119.6,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
|
||||
198.100.119.7,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
|
||||
204.155.31.167,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
|
||||
204.155.31.174,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
|
||||
31.148.219.141,Similarities Between Carbanak and FIN7 Malware Suggest Actors Are Closely Related
|
||||
198.100.119.6,FIN7 Evolution and the Phishing LNK
|
||||
179.108.87.11,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
|
||||
185.25.184.214,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
|
||||
185.44.105.92,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
|
||||
23.95.23.219,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
|
||||
63.141.250.167,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
|
||||
64.79.205.100,Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
|
||||
83.229.87.11,Snake: Coming soon in Mac OS X flavour
|
||||
138.201.44.30,EPS Processing Zero-Days Exploited by Multiple Threat Actors
|
||||
185.106.122.113,EPS Processing Zero-Days Exploited by Multiple Threat Actors
|
||||
84.200.2.12,EPS Processing Zero-Days Exploited by Multiple Threat Actors
|
||||
86.110.117.207,DiamondFox modular malware – a one-stop shop
|
||||
50.6.118.27,Operation Electric Powder – Who is targeting Israel Electric Company?
|
||||
82.211.30.186,Operation Electric Powder – Who is targeting Israel Electric Company?
|
||||
178.175.138.196,Spear Phishing attacks hits industrial companies
|
||||
138.201.7.140,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
136.243.203.174,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
192.99.102.35,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
85.117.204.18,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
178.33.94.47,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
158.69.57.61,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
136.243.214.247,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
136.243.203.141,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
31.3.225.55,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
83.142.230.138,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
149.202.230.140,"Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford"
|
||||
62.138.9.9,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
|
||||
62.138.9.11,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
|
||||
62.75.195.117,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
|
||||
109.236.87.82,Ursnif Banking Trojan Campaign Ups the Ante with New Sandbox Evasion Techniques
|
||||
69.64.77.51,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.193.2,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
138.201.210.182,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.63.219.5,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
69.175.20.4,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.213.215,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
69.175.20.3,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
188.138.70.8,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
92.222.122.55,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
107.6.177.5,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
137.74.148.228,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
92.222.122.54,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
172.86.179.110,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.234.59,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.99.205,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
185.49.68.151,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
108.175.8.33,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.99.201,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.78.150,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
85.25.237.52,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
51.254.30.226,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
51.254.30.225,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.193.19,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
108.175.12.108,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
198.71.51.101,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
185.140.33.81,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
176.31.151.177,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
176.31.151.176,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
5.196.208.235,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
46.105.81.161,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
85.93.93.161,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
63.143.53.134,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
69.175.7.219,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
74.208.77.4,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
209.126.118.6,Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted
|
||||
91.92.136.20,MONSOON APT campaign activity 7-6-2017
|
||||
184.154.150.66,Attack on Critical Infrastructure Leverages Template Injection
|
||||
5.153.58.45,Attack on Critical Infrastructure Leverages Template Injection
|
||||
62.8.193.206,Attack on Critical Infrastructure Leverages Template Injection
|
||||
78.47.96.17,New version of Hworm being used within multiple attacks
|
||||
136.243.104.200,New version of Hworm being used within multiple attacks
|
||||
52.42.161.75,New version of Hworm being used within multiple attacks
|
||||
81.130.131.55,"Dridex Banking Trojan Returns, Leverages New UAC Bypass Method"
|
||||
179.177.114.30,"Dridex Banking Trojan Returns, Leverages New UAC Bypass Method"
|
||||
84.234.75.108,"Dridex Banking Trojan Returns, Leverages New UAC Bypass Method"
|
||||
193.238.152.198,From RTF to Cobalt Strike passing via Flash
|
||||
108.61.117.31,Deep Dive On The DragonOK Rambo Backdoor
|
||||
116.193.154.28,Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government
|
||||
192.225.226.195,Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations
|
||||
160.16.243.129,Winnti Abuses GitHub for CC Communications
|
||||
174.139.203.18,Winnti Abuses GitHub for CC Communications
|
||||
174.139.203.20,Winnti Abuses GitHub for CC Communications
|
||||
174.139.203.22,Winnti Abuses GitHub for CC Communications
|
||||
174.139.203.27,Winnti Abuses GitHub for CC Communications
|
||||
174.139.203.34,Winnti Abuses GitHub for CC Communications
|
||||
174.139.62.58,Winnti Abuses GitHub for CC Communications
|
||||
174.139.62.60,Winnti Abuses GitHub for CC Communications
|
||||
174.139.62.61,Winnti Abuses GitHub for CC Communications
|
||||
61.195.98.245,Winnti Abuses GitHub for CC Communications
|
||||
67.198.161.250,Winnti Abuses GitHub for CC Communications
|
||||
67.198.161.251,Winnti Abuses GitHub for CC Communications
|
||||
67.198.161.252,Winnti Abuses GitHub for CC Communications
|
||||
210.244.79.219,Msposer.C Samples
|
||||
185.159.82.11,Nemucod Evolves Delivery and Obfuscation Techniques to Harvest Credentials
|
||||
122.9.52.215,APT Targets Financial Analysts with CVE-2017-0199
|
||||
185.82.202.102,Two Years of Pawn Storm
|
||||
193.169.244.35,Two Years of Pawn Storm
|
||||
46.166.162.90,Two Years of Pawn Storm
|
||||
46.183.217.74,Two Years of Pawn Storm
|
||||
80.255.3.94,Two Years of Pawn Storm
|
||||
87.121.52.145,Two Years of Pawn Storm
|
||||
144.76.108.61,DressCode Android Malware Finds Apparent Successor in MilkyDoor
|
||||
89.46.102.43,Callisto Group
|
||||
185.77.129.103,CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
|
||||
217.12.203.90,CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
|
||||
95.141.38.110,CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware
|
||||
217.12.203.100,CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
|
||||
46.102.152.129,CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
|
||||
95.141.38.110,CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
|
||||
103.43.18.105,Playing Cat & Mouse: Introducing the Felismus Malware
|
||||
45.76.128.71,Shamoon 2 Delivering Disttrack
|
||||
103.249.31.49,Conference Invite used as a Lure by Operation Lotus Blossom Actors
|
||||
74.200.214.226,CNACOM - Open Source Exploitation via Strategic Web Compromise
|
||||
104.171.117.216,Sednit Downloader DOWNDELPH
|
||||
141.255.160.52,Sednit Downloader DOWNDELPH
|
||||
69.90.132.215,Fancy Bear Tracking of Ukrainian Field Artillery Units
|
||||
5.200.52.198,When A Pony Walks Out Of A Pub
|
||||
195.22.127.233,When A Pony Walks Out Of A Pub
|
||||
192.169.136.121,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
203.31.216.214,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
45.42.243.20,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
39.40.44.245,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
175.107.13.215,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
155.254.225.24,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
175.107.5.247,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
175.107.6.174,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
39.47.84.127,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
39.40.67.219,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
39.47.125.110,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
39.40.141.25,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
175.107.7.69,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
175.107.7.50,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
119.160.68.178,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
139.190.6.180,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
182.191.90.91,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
175.110.165.110,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
182.191.90.92,URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING EMAILS TARGETING INDIAN EMBASSIES AND MINISTRY OF EXTERNAL AFFAIRS
|
||||
188.165.163.228,Updated Sundown Exploit Kit Uses Steganography
|
||||
101.200.147.153,Switcher: Android joins the attack-the-router club
|
||||
112.33.13.11,Switcher: Android joins the attack-the-router club
|
||||
120.76.249.59,Switcher: Android joins the attack-the-router club
|
||||
80.233.134.147,TeleBots: Analyzing disruptive KillDisk attacks
|
||||
95.141.37.3,TeleBots: Analyzing disruptive KillDisk attacks
|
||||
93.190.137.212,TeleBots: Analyzing disruptive KillDisk attacks
|
||||
5.45.70.34,Tordow v2.0 Android Malware
|
||||
85.69.197.19,Nuclear Bot
|
||||
210.172.213.117,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
|
||||
87.98.132.57,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
|
||||
85.214.207.16,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
|
||||
37.221.210.196,"DRIDEX IN THE SHADOWS - BLACKLISTING, STEALTH, AND CRYPTO-CURRENCY"
|
||||
58.222.39.215,PluginPhantom: New Android Trojan Abuses "DroidPlugin" Framework
|
||||
41.208.110.46,Investigating a Libyan Cyber Espionage Campaign Targeting High-Profile Influentials
|
||||
163.47.20.25,A RAT For The US Presidential Elections
|
||||
103.25.58.83,A RAT For The US Presidential Elections
|
||||
89.35.178.112,Windows Troubleshooting Platform Leveraged to Deliver Malware
|
||||
158.255.5.121,Linux.DDoS.93
|
|
|
@ -1,58 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# HELK script: elk-entrypoint.sh
|
||||
# HELK script description: Restarts and runs ELK services
|
||||
# HELK build version: 0.9 (Alpha)
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# Start graceful termination of HELK services that might be running before running the entrypoint script.
|
||||
_term() {
|
||||
echo "Terminating HELK Services"
|
||||
service elasticsearch stop
|
||||
service logstash stop
|
||||
service kibana stop
|
||||
service cerebro stop
|
||||
exit 0
|
||||
}
|
||||
trap _term SIGTERM
|
||||
|
||||
# Removing PID files just in case the graceful termination fails
|
||||
rm -f /var/run/elasticsearch/elasticsearch.pid \
|
||||
/var/run/logstash.pid \
|
||||
/var/run/kibana.pid \
|
||||
/var/run/cerebro.pid
|
||||
|
||||
# *********** Setting ES Heap Size***************
|
||||
# https://serverfault.com/questions/881383/automatically-set-java-heap-size-for-elasticsearch-on-linux
|
||||
memoryInKb="$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
|
||||
heapSize="$(expr $memoryInKb / 1024 / 1000 / 2)"
|
||||
sed -i "s/#*-Xmx[0-9]\+g/-Xmx${heapSize}g/g" /etc/elasticsearch/jvm.options
|
||||
sed -i "s/#*-Xms[0-9]\+g/-Xms${heapSize}g/g" /etc/elasticsearch/jvm.options
|
||||
|
||||
# *********** Setting Logstash Heap Size***************
|
||||
# https://www.elastic.co/guide/en/logstash/current/performance-troubleshooting.html
|
||||
sed -i "s/#*-Xmx[0-9]\+g/-Xmx2g/g" /etc/logstash/jvm.options
|
||||
sed -i "s/#*-Xms[0-9]\+g/-Xms2g/g" /etc/logstash/jvm.options
|
||||
|
||||
# *********** Start HELK services ***************
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Starting elasticsearch service"
|
||||
service elasticsearch start
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
|
||||
until curl -s localhost:9200 -o /dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Starting remaining services.."
|
||||
service kibana start
|
||||
service nginx restart
|
||||
service logstash start
|
||||
service cerebro start
|
||||
service cron start
|
||||
|
||||
# *********** Creating Kibana Dashboards, visualizations and index-patterns ***************
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Running helk_kibana_setup.sh script..."
|
||||
./elk-kibana-setup.sh
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing logstash Logs to console.."
|
||||
tail -f /var/log/logstash/*-plain.log
|
|
@ -1,82 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
# HELK script: helk_otx.py
|
||||
# HELK script description: Pulling intelligence from OTX (AlienVault)
|
||||
# HELK build version: 0.9 (Alpha)
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
from OTXv2 import OTXv2
|
||||
from pandas.io.json import json_normalize
|
||||
|
||||
otx = OTXv2("API Key")
|
||||
time_range = 30
|
||||
timedelta_days = timedelta(days=int(time_range))
|
||||
pull_time = (datetime.now() - timedelta_days).isoformat()
|
||||
|
||||
def OTXEnrichment():
|
||||
pulses = otx.getsince(pull_time)
|
||||
data = []
|
||||
object = {}
|
||||
for p in pulses:
|
||||
for i in p['indicators']:
|
||||
object = {
|
||||
'industries': p['industries'],
|
||||
'tlp': p['tlp'],
|
||||
'description' : p['description'],
|
||||
'created' : p['created'],
|
||||
'pulse_name' : p['name'],
|
||||
'tags' : p['tags'],
|
||||
'author_name' : p['author_name'],
|
||||
'created': p['created'],
|
||||
'modified' : p['modified'],
|
||||
'targeted_countries' : p['targeted_countries'],
|
||||
'id' : p['id'],
|
||||
'extract_source' : p['extract_source'],
|
||||
'references' : p['references'],
|
||||
'adversary' : p['adversary'],
|
||||
'indicator_name': i['indicator'],
|
||||
'indicator_description': i['description'],
|
||||
'indicator_title': i['title'],
|
||||
'indicator_created': i['created'],
|
||||
'indicator_content': i['content'],
|
||||
'indicator_type': i['type'],
|
||||
'indicator_id': i['id']
|
||||
}
|
||||
data.append(object)
|
||||
|
||||
IPV4 = []
|
||||
IMPHASH = []
|
||||
MD5 = []
|
||||
SHA256 = []
|
||||
SHA1 = []
|
||||
|
||||
def pull_indicators(lst, name):
|
||||
object = {
|
||||
'indicator_name' : (i['indicator_name']).upper(),
|
||||
'pulse_name' : i['pulse_name'],
|
||||
'ioc_name': name
|
||||
}
|
||||
return object
|
||||
for i in data:
|
||||
if i['indicator_type'] == "IPv4":
|
||||
IPV4.append(pull_indicators(IPV4, 'ipv4'))
|
||||
elif i['indicator_type'] == "FileHash-MD5":
|
||||
MD5.append(pull_indicators(MD5, 'md5'))
|
||||
elif i['indicator_type'] == "FileHash-SHA1":
|
||||
SHA1.append(pull_indicators(SHA1, 'sha1'))
|
||||
elif i['indicator_type'] == "FileHash-SHA256":
|
||||
SHA256.append(pull_indicators(SHA256, 'sha256'))
|
||||
elif i['indicator_type'] == "FileHash-IMPHASH":
|
||||
IMPHASH.append(pull_indicators(IMPHASH, 'imphash'))
|
||||
|
||||
iocs = [IPV4, IMPHASH, MD5, SHA1, SHA256]
|
||||
for i in iocs:
|
||||
try:
|
||||
df = json_normalize(i)
|
||||
df.to_csv(('/opt/otx/otx_'+i[0]['ioc_name']+'_.csv'), index=False, header=False, encoding='utf-8', columns=("indicator_name", "pulse_name"))
|
||||
except:
|
||||
print "Not available Intelligence for one indicator in the past 30 days"
|
||||
|
||||
if __name__=="__main__":
|
||||
OTXEnrichment()
|
|
@ -3,12 +3,10 @@
|
|||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
FROM phusion/baseimage
|
||||
FROM cyb3rward0g/helk-base:0.0.1
|
||||
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
|
||||
LABEL description="Dockerfile base for the HELK Kafka."
|
||||
|
||||
USER root
|
||||
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
||||
# *********** Installing Prerequisites ***************
|
||||
|
@ -17,24 +15,20 @@ RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
|
|||
&& apt-get update -qq \
|
||||
&& echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
|
||||
&& apt-get install -qqy \
|
||||
openjdk-8-jre-headless \
|
||||
wget \
|
||||
sudo \
|
||||
nano
|
||||
RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
|
||||
locale-gen
|
||||
openjdk-8-jre-headless
|
||||
|
||||
RUN apt-get -qy clean \
|
||||
autoremove \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
autoremove
|
||||
|
||||
# *********** Creating the right directories ***************
|
||||
RUN bash -c 'mkdir -pv /opt/helk/{scripts,kafka}'
|
||||
RUN bash -c 'mkdir -pv /opt/helk/kafka'
|
||||
|
||||
# *********** Install Kafka ***************
|
||||
ENV KAFKA_VERSION=1.1.0
|
||||
ENV KAFKA_LOGS_PATH=/var/log/kafka
|
||||
ENV KAFKA_HOME=/opt/helk/kafka/kafka_2.11-1.0.1
|
||||
ENV KAFKA_HOME=/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}
|
||||
|
||||
RUN wget -qO- http://mirrors.advancedhosters.com/apache/kafka/1.0.1/kafka_2.11-1.0.1.tgz | sudo tar xvz -C /opt/helk/kafka/ \
|
||||
RUN wget -qO- http://mirrors.ocf.berkeley.edu/apache/kafka/1.1.0/kafka_2.11-${KAFKA_VERSION}.tgz | sudo tar xvz -C /opt/helk/kafka/ \
|
||||
&& mkdir -v $KAFKA_LOGS_PATH \
|
||||
&& mv ${KAFKA_HOME}/config/server.properties ${KAFKA_HOME}/config/backup_server.properties
|
||||
ADD *.properties ${KAFKA_HOME}/config/
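Review bot: The Kafka tarball on the `RUN wget -qO- http://mirrors.ocf.berkeley.edu/...` line is fetched over plain HTTP from a third-party mirror and piped straight into `tar` as root with no checksum or signature check, so a tampered mirror or an on-path attacker decides which broker binaries get baked into every HELK image. The URL path also still hard-codes `1.1.0` while the filename uses `${KAFKA_VERSION}`, so the next bump silently requests a mismatched file. Fetch from an Apache-controlled host over HTTPS, verify against the SHA-512 Apache publishes for the release (taken as a build arg so the build fails closed when it is missing), and drop `sudo`, which does nothing in a build that already runs as root but adds a dependency on sudo being in the base image. The rewritten download step is below; the apt and directory steps are unchanged.
```dockerfile
# … unchanged: apt install, /opt/helk/kafka directory …
ENV KAFKA_VERSION=1.1.0
ENV KAFKA_LOGS_PATH=/var/log/kafka
ENV KAFKA_HOME=/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}
# SHA-512 of kafka_2.11-${KAFKA_VERSION}.tgz as published on apache.org; pass with --build-arg.
# Deliberately no default: an unverified build must not succeed by accident.
ARG KAFKA_SHA512
RUN wget -q "https://archive.apache.org/dist/kafka/${KAFKA_VERSION}/kafka_2.11-${KAFKA_VERSION}.tgz" -O /tmp/kafka.tgz \
    && echo "${KAFKA_SHA512}  /tmp/kafka.tgz" | sha512sum -c - \
    && tar xzf /tmp/kafka.tgz -C /opt/helk/kafka/ \
    && rm -f /tmp/kafka.tgz \
    && mkdir -v $KAFKA_LOGS_PATH \
    && mv ${KAFKA_HOME}/config/server.properties ${KAFKA_HOME}/config/backup_server.properties
# … unchanged: ADD *.properties …
```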
|
||||
|
|
|
@ -32,7 +32,7 @@ if [ -r /etc/default/rcS ]; then
|
|||
. /etc/default/rcS
|
||||
fi
|
||||
|
||||
KAFKA_HOME=/opt/helk/kafka/kafka_2.11-1.0.1
|
||||
KAFKA_HOME=/opt/helk/kafka/kafka_2.11-1.1.0
|
||||
KAFKA_USER=root
|
||||
KAFKA_GROUP=root
|
||||
KAFKA_NICE=18
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
KAFKA_VERSION=2.11-1.0.1
|
||||
KAFKA_VERSION=1.1.0
|
||||
|
||||
# Start graceful termination of HELK services that might be running before running the entrypoint script.
|
||||
_term() {
|
||||
|
@ -24,14 +24,20 @@ rm -f /var/run/kafka_zookeeper.pid \
|
|||
|
||||
# *********** Start Kafka **************
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Setting current host IP to brokers server.properties files.."
|
||||
sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9092/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9092/g" /opt/helk/kafka/kafka_${KAFKA_VERSION}/config/server.properties
|
||||
sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9093/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9093/g" /opt/helk/kafka/kafka_${KAFKA_VERSION}/config/server-1.properties
|
||||
sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9094/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9094/g" /opt/helk/kafka/kafka_${KAFKA_VERSION}/config/server-2.properties
|
||||
sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9092/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9092/g" /opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/config/server.properties
|
||||
sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9093/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9093/g" /opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/config/server-1.properties
|
||||
sed -i "s/advertised\.listeners\=PLAINTEXT:\/\/HELKIP\:9094/advertised\.listeners\=PLAINTEXT\:\/\/${ADVERTISED_LISTENER}\:9094/g" /opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/config/server-2.properties
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Kafka.."
|
||||
service kafka start
|
||||
sleep 30
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Creating Kafka winlogbeat Topic.."
|
||||
/opt/helk/kafka/kafka_${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic winlogbeat
|
||||
/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic winlogbeat
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Creating Kafka winevent-sysmon-transformed Topic.."
|
||||
/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic sysmontransformed
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Creating Kafka winevent-security-transformed Topic.."
|
||||
/opt/helk/kafka/kafka_2.11-${KAFKA_VERSION}/bin/kafka-topics.sh --create --zookeeper $ADVERTISED_LISTENER:2181 --replication-factor 3 --partitions 1 --topic securitytransformed
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Spark Logs to console.."
|
||||
tail -f /var/log/kafka/helk-*.log
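Review bot: `${ADVERTISED_LISTENER}` is substituted into the three `sed -i` commands and into every `--zookeeper $ADVERTISED_LISTENER:2181` call without ever being checked, so when the variable is unset the brokers come up advertising `PLAINTEXT://:909x` and topic creation is aimed at `:2181`, and nothing fails loudly because the script does not use `set -e`. Add `: "${ADVERTISED_LISTENER:?ADVERTISED_LISTENER (address clients use to reach the brokers) must be set}"` before the first `sed`. The three `kafka-topics.sh --create` calls also fail on every container restart once the topics exist; adding `--if-not-exists` (available in Kafka 1.1.0) makes them idempotent. The fixed `sleep 30` would be better replaced by polling the broker, but that is a robustness nit next to the missing guard; the final echo also says "Spark Logs" while tailing `/var/log/kafka/helk-*.log`.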
|
|
@ -30,7 +30,7 @@ broker.id=1
|
|||
# listeners = PLAINTEXT://your.host.name:9092
|
||||
#listeners=INSIDE://:9094,OUTSIDE://:9095
|
||||
#inter.broker.listener.name=INSIDE
|
||||
listeners=PLAINTEXT://:9093
|
||||
listeners=PLAINTEXT://helk-kafka:9093
|
||||
# Hostname and port the broker will advertise to producers and consumers. If not set,
|
||||
# it uses the value for "listeners" if configured. Otherwise, it will use the value
|
||||
# returned from java.net.InetAddress.getCanonicalHostName().
|
||||
|
|
|
@ -30,7 +30,7 @@ broker.id=2
|
|||
# listeners = PLAINTEXT://your.host.name:9092
|
||||
#listeners=INSIDE://:9096,OUTSIDE://:9097
|
||||
#inter.broker.listener.name=INSIDE
|
||||
listeners=PLAINTEXT://:9094
|
||||
listeners=PLAINTEXT://helk-kafka:9094
|
||||
# Hostname and port the broker will advertise to producers and consumers. If not set,
|
||||
# it uses the value for "listeners" if configured. Otherwise, it will use the value
|
||||
# returned from java.net.InetAddress.getCanonicalHostName().
|
||||
|
|
|
@ -30,7 +30,7 @@ broker.id=0
|
|||
# listeners = PLAINTEXT://your.host.name:9092
|
||||
#listeners=INSIDE://:9092,OUTSIDE://:9093
|
||||
#inter.broker.listener.name=INSIDE
|
||||
listeners=PLAINTEXT://:9092
|
||||
listeners=PLAINTEXT://helk-kafka:9092
|
||||
# Hostname and port the broker will advertise to producers and consumers. If not set,
|
||||
# it uses the value for "listeners" if configured. Otherwise, it will use the value
|
||||
# returned from java.net.InetAddress.getCanonicalHostName().
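Review bot: The listener on the `listeners=PLAINTEXT://helk-kafka:9092` line stays `PLAINTEXT`, i.e. unauthenticated and unencrypted, and the entrypoint rewrites the advertised address to `${ADVERTISED_LISTENER}` at start-up, so any client that can reach that address can publish arbitrary events into the `winlogbeat` topic (and from there into the SIEM indices) or read every endpoint log out of it. Nothing in this hunk or in the two sibling broker files configures an SSL or SASL listener, so at minimum the exposure should be stated on this line, e.g. `# PLAINTEXT: no auth or TLS. Keep 9092-9094 reachable only from trusted collectors until an SSL/SASL listener is configured.`, and the port range should not be published beyond the hosts that run winlogbeat. An `SSL://` listener with `ssl.client.auth=required` would let the Beats side authenticate with client certificates.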
|
||||
|
|
|
@ -0,0 +1,65 @@
|
|||
# HELK script: HELK Kibana Dockerfile
|
||||
# HELK build version: 0.9 (ALPHA)
|
||||
# HELK ELK version: 6.2.3
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# References:
|
||||
# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
|
||||
# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
|
||||
|
||||
FROM cyb3rward0g/helk-base:0.0.1
|
||||
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
|
||||
LABEL description="Dockerfile base for the HELK Kibana."
|
||||
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
||||
# *********** Installing Prerequisites ***************
|
||||
# -qq : No output except for errors
|
||||
RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
|
||||
&& apt-get update -qq \
|
||||
&& echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
|
||||
&& apt-get install -qqy \
|
||||
openjdk-8-jre-headless
|
||||
|
||||
RUN apt-get -qy clean \
|
||||
autoremove
|
||||
|
||||
# *********** Creating the right directories ***************
|
||||
RUN bash -c 'mkdir -pv /opt/helk/{dashboards,kibana}'
|
||||
|
||||
# *********** Adding HELK scripts and files to Container ***************
|
||||
ADD scripts/entrypoint.sh /opt/helk/scripts/
|
||||
RUN chmod +x /opt/helk/scripts/entrypoint.sh
|
||||
|
||||
# *********** Adding HELK scripts and files to Container ***************
|
||||
ADD scripts/elk-kibana-setup.sh /opt/helk/scripts/
|
||||
ADD scripts/entrypoint.sh /opt/helk/scripts/
|
||||
RUN chmod +x /opt/helk/scripts/elk-kibana-setup.sh
|
||||
RUN chmod +x /opt/helk/scripts/entrypoint.sh
|
||||
|
||||
# *********** ELK Version ***************
|
||||
ENV ELK_VERSION=6.2.3
|
||||
|
||||
# *********** Installing Kibana ***************
|
||||
ENV KIBANA_HELK_HOME=/opt/helk/kibana
|
||||
ENV KIBANA_HOME=/usr/share/kibana
|
||||
ENV KIBANA_PATH_CONF=/etc/kibana
|
||||
ENV KIBANA_PATH_LOGS=/var/log/kibana
|
||||
ENV KIBANA_GID=708
|
||||
ENV KIBANA_UID=708
|
||||
|
||||
RUN wget -qO- https://artifacts.elastic.co/downloads/kibana/kibana-${ELK_VERSION}-linux-x86_64.tar.gz | sudo tar xvz -C ${KIBANA_HELK_HOME} --strip-components=1 \
|
||||
&& cp -r ${KIBANA_HELK_HOME}/ ${KIBANA_HOME}/ \
|
||||
&& mkdir -pv ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} \
|
||||
&& mv /usr/share/kibana/config/* ${KIBANA_PATH_CONF}
|
||||
ADD kibana-init /etc/init.d/kibana
|
||||
ADD kibana.yml ${KIBANA_PATH_CONF}
|
||||
ADD dashboards/ /opt/helk/dashboards/
|
||||
RUN groupadd -r kibana -g ${KIBANA_GID} \
|
||||
&& useradd -r -s /usr/sbin/nologin -M -c "Kibana user" -u ${KIBANA_UID} -g kibana kibana \
|
||||
&& chown -R kibana:kibana ${KIBANA_HOME} ${KIBANA_PATH_CONF} ${KIBANA_PATH_LOGS} /opt/helk/dashboards
|
||||
|
||||
# *********** RUN HELK ***************
|
||||
WORKDIR "/opt/helk/scripts/"
|
||||
ENTRYPOINT ["./entrypoint.sh"]
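Review bot: `scripts/entrypoint.sh` is added and `chmod +x`'d twice (the first `ADD scripts/entrypoint.sh` / `RUN chmod` pair and again under the second "Adding HELK scripts" header), which spends four layers doing the work of two; the two headers should collapse to `COPY scripts/entrypoint.sh scripts/elk-kibana-setup.sh /opt/helk/scripts/` followed by `RUN chmod +x /opt/helk/scripts/entrypoint.sh /opt/helk/scripts/elk-kibana-setup.sh`. `COPY` rather than `ADD` is also the right instruction for the local `kibana-init`, `kibana.yml` and `dashboards/` files, and `sudo tar` in a `RUN` that already executes as root adds nothing but a dependency on sudo being present in the base image. The Kibana tarball is downloaded over HTTPS but never checksum-verified; Elastic publishes a `.sha512` next to each artifact, and pinning that value (e.g. as a build arg checked with `sha512sum -c`) is what makes the image reproducible instead of "whatever artifacts.elastic.co served that day". Finally, a `kibana` user is created and given the tree but the image never issues `USER kibana`; if `kibana-init` (not in this diff) drops privileges that is fine, otherwise the service runs as root.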
|
|
@ -4,7 +4,7 @@
|
|||
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
|
||||
# The default is 'localhost', which usually means remote machines will not be able to connect.
|
||||
# To allow connections from remote users, set this parameter to a non-loopback address.
|
||||
server.host: "localhost"
|
||||
server.host: "helk-kibana"
|
||||
|
||||
# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
|
||||
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
|
||||
|
@ -18,7 +18,7 @@ server.host: "localhost"
|
|||
#server.name: "your-hostname"
|
||||
|
||||
# The URL of the Elasticsearch instance to use for all your queries.
|
||||
#elasticsearch.url: "http://localhost:9200"
|
||||
elasticsearch.url: "http://helk-elasticsearch:9200"
|
||||
|
||||
# When this setting's value is true Kibana uses the hostname specified in the server.host
|
||||
# setting. When the value of this setting is false, Kibana uses the hostname of the host
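Review bot: `server.host: "helk-kibana"` makes Kibana listen on a routable address rather than loopback, which the split into separate containers requires, but it also means Kibana is directly reachable on 5601 by anything on the `helk` network or, if the port is published, on the host, bypassing whatever the nginx front end enforces. Worth a comment on that line, `# Non-loopback so helk-nginx can proxy to it; do not publish 5601 on the host, reach Kibana only through nginx`, plus a check that the compose file does not map 5601. The `elasticsearch.url: "http://helk-elasticsearch:9200"` line likewise talks to Elasticsearch without TLS or credentials; that is presumably what a 6.2.3 cluster without a security plugin offers, so the same "internal network only" caveat applies to 9200.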
|
|
@ -13,7 +13,7 @@
|
|||
# https://github.com/elastic/kibana/issues/14872
|
||||
|
||||
# *********** Setting Variables ***************
|
||||
KIBANA="http://localhost:5601"
|
||||
KIBANA="http://helk-kibana:5601"
|
||||
TIME_FIELD="@timestamp"
|
||||
DEFAULT_INDEX="logs-endpoint-winevent-sysmon-*"
|
||||
DIR=/opt/helk/dashboards
|
||||
|
@ -22,7 +22,7 @@ DIR=/opt/helk/dashboards
|
|||
declare -a index_patterns=("logs-endpoint-*" "logs-*" "logs-endpoint-winevent-sysmon-*" "logs-endpoint-winevent-security-*" "logs-endpoint-winevent-system-*" "logs-endpoint-winevent-application-*" "logs-endpoint-winevent-wmiactivity-*" "logs-endpoint-winevent-powershell-*")
|
||||
|
||||
# *********** Waiting for Kibana to be available ***************
|
||||
until curl -s localhost:5601 -o /dev/null; do
|
||||
until curl -s helk-kibana:5601 -o /dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
#!/bin/sh
|
||||
|
||||
# HELK script: entrypoint.sh
|
||||
# HELK script description: Restarts and runs Kibana service
|
||||
# HELK build version: 0.9 (Alpha)
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# Start graceful termination of kibana services that might be running before running the entrypoint script.
|
||||
_term() {
|
||||
echo "Terminating Kibana Service"
|
||||
service kibana stop
|
||||
exit 0
|
||||
}
|
||||
trap _term SIGTERM
|
||||
|
||||
# Removing PID files just in case the graceful termination fails
|
||||
rm -f /var/run/kibana.pid
|
||||
|
||||
# *********** Start Kibana services ***************
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
|
||||
until curl -s helk-elasticsearch:9200 -o /dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Kibana service.."
|
||||
service kibana start
|
||||
|
||||
# *********** Creating Kibana Dashboards, visualizations and index-patterns ***************
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Running helk_kibana_setup.sh script..."
|
||||
./elk-kibana-setup.sh
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Kibana logs to console.."
|
||||
tail -f /var/log/kibana/kibana.log
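Review bot: The `trap _term SIGTERM` will not fire while `tail -f /var/log/kibana/kibana.log` is the foreground command, because a POSIX shell only runs a trap after the current foreground job returns, so `docker stop` waits out the grace period and then SIGKILLs the container without `service kibana stop` ever running. Background the tail and wait on it instead, `tail -f /var/log/kibana/kibana.log & wait $!` (two lines); `wait` is interruptible, so the trap runs promptly. The `until curl -s helk-elasticsearch:9200 -o /dev/null` loop also has no upper bound, so a misnamed or dead Elasticsearch container leaves this one spinning forever behind a single log line; a retry counter with a failure message after a few minutes would make the fault visible in `docker logs`.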
|
|
@ -0,0 +1,63 @@
|
|||
# HELK script: HELK Logstash Dockerfile
|
||||
# HELK build version: 0.9 (ALPHA)
|
||||
# HELK ELK version: 6.2.3
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# References:
|
||||
# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
|
||||
# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
|
||||
|
||||
FROM cyb3rward0g/helk-base:0.0.1
|
||||
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
|
||||
LABEL description="Dockerfile base for the HELK Logstash."
|
||||
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
||||
# *********** Installing Prerequisites ***************
|
||||
# -qq : No output except for errors
|
||||
RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
|
||||
&& apt-get update -qq \
|
||||
&& echo "[HELK-DOCKER-INSTALLATION-INFO] Extracting templates from packages.." \
|
||||
&& apt-get install -qqy \
|
||||
openjdk-8-jre-headless \
|
||||
python-pip
|
||||
|
||||
RUN apt-get -qy clean \
|
||||
autoremove
|
||||
|
||||
# *********** Creating the right directories ***************
|
||||
RUN bash -c 'mkdir -pv /opt/helk/{output_templates,logstash}'
|
||||
|
||||
# *********** Adding HELK scripts and files to Container ***************
|
||||
ADD scripts/entrypoint.sh /opt/helk/scripts/
|
||||
RUN chmod +x /opt/helk/scripts/entrypoint.sh
|
||||
|
||||
# *********** ELK Version ***************
|
||||
ENV ELK_VERSION=6.2.3
|
||||
|
||||
# *********** Installing Logstash ***************
|
||||
ENV LOGSTASH_HELK_HOME=/opt/helk/logstash
|
||||
ENV LS_HOME=/usr/share/logstash
|
||||
ENV LS_SETTINGS_DIR=/etc/logstash
|
||||
ENV LS_CONF_PATH=/etc/logstash/pipeline
|
||||
ENV LS_LOGS_PATH=/var/log/logstash
|
||||
ENV LS_GID=709
|
||||
ENV LS_UID=709
|
||||
|
||||
RUN wget -qO- https://artifacts.elastic.co/downloads/logstash/logstash-${ELK_VERSION}.tar.gz | sudo tar xvz -C ${LOGSTASH_HELK_HOME} --strip-components=1 \
|
||||
&& cp -r ${LOGSTASH_HELK_HOME}/ ${LS_HOME}/ \
|
||||
&& mkdir -pv ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} \
|
||||
&& mv /usr/share/logstash/config/* ${LS_SETTINGS_DIR}
|
||||
ADD logstash-init /etc/init.d/logstash
|
||||
ADD pipeline/* ${LS_CONF_PATH}/
|
||||
ADD logstash.yml ${LS_SETTINGS_DIR}
|
||||
ADD output_templates/* /opt/helk/output_templates/
|
||||
RUN groupadd -r logstash -g ${LS_GID} \
|
||||
&& useradd -r -s /usr/sbin/nologin -M -c "Logstash user" -u ${LS_UID} -g logstash logstash \
|
||||
&& chown -R logstash:logstash ${LS_HOME} ${LS_SETTINGS_DIR} ${LS_CONF_PATH} ${LS_LOGS_PATH} /opt/helk/output_templates
|
||||
|
||||
# *********** RUN HELK ***************
|
||||
EXPOSE 5044
|
||||
WORKDIR "/opt/helk/scripts/"
|
||||
ENTRYPOINT ["./entrypoint.sh"]
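Review bot: `python-pip` is added to the apt install alongside the JRE, but nothing in this Dockerfile runs pip, so the image carries a Python 2 interpreter and pip for no visible reason; if a step outside this diff needs it, say so in a comment next to it, otherwise drop it, since it is extra attack surface and size in a service that only needs Java. The Logstash tarball is fetched over HTTPS but not verified against the `.sha512` Elastic publishes for it, and `sudo tar` is unnecessary in a root build. `ADD pipeline/*`, `ADD logstash.yml` and `ADD output_templates/*` are plain local copies and should be `COPY`, which is explicit and cannot auto-extract or fetch. `EXPOSE 5044` documents the Beats listener, the one port this image opens to endpoints; whether that input enables TLS with client verification is decided in the pipeline files this hunk does not show, so a comment such as `# Beats input; TLS/client-auth settings live in pipeline/*.conf` would point the operator at the right place.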
|
|
@ -6,7 +6,7 @@
|
|||
input {
|
||||
kafka
|
||||
{
|
||||
bootstrap_servers => "172.18.0.3:9092,172.18.0.3:9093,172.18.0.3:9094"
|
||||
bootstrap_servers => "helk-kafka:9092,helk-kafka:9093,helk-kafka:9094"
|
||||
topics => ["winlogbeat"]
|
||||
decorate_events => true
|
||||
codec => "json"
|
|
@ -49,21 +49,6 @@ filter {
|
|||
prefix => "hash_"
|
||||
transform_key => "lowercase"
|
||||
}
|
||||
translate {
|
||||
field => "hash_md5"
|
||||
destination => "otx_md5"
|
||||
dictionary_path => "/opt/helk/otx/otx_md5_.csv"
|
||||
}
|
||||
translate {
|
||||
field => "hash_sha1"
|
||||
destination => "otx_sha1"
|
||||
dictionary_path => "/opt/helk/otx/otx_sha1_.csv"
|
||||
}
|
||||
translate {
|
||||
field => "hash_sha256"
|
||||
destination => "otx_sha256"
|
||||
dictionary_path => "/opt/helk/otx/otx_sha256_.csv"
|
||||
}
|
||||
}
|
||||
if [event_data][TargetImage] {
|
||||
grok {
|
||||
|
@ -141,11 +126,6 @@ filter {
|
|||
"[event_data][SourcePortName]" => "src_port_name"
|
||||
}
|
||||
}
|
||||
translate {
|
||||
field => "dst_ip"
|
||||
destination => "[otx][ip]"
|
||||
dictionary_path => "/opt/helk/otx/otx_ipv4_.csv"
|
||||
}
|
||||
geoip {
|
||||
source => "dst_ip"
|
||||
remove_field => "[geoip][ip]"
|
|
@ -6,12 +6,17 @@
|
|||
output {
|
||||
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}"
|
||||
template => "/opt/helk/output_templates/winevent-sysmon-template.json"
|
||||
template_name => "logs-endpoint-winevent-sysmon"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
}
|
||||
kafka {
|
||||
bootstrap_servers => "helk-kafka:9092,helk-kafka:9093,helk-kafka:9094"
|
||||
codec => "json"
|
||||
topic_id => "sysmontransformed"
|
||||
}
|
||||
}
|
||||
}
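Review bot: The new `kafka { ... topic_id => "sysmontransformed" }` output sits in the same pipeline as the `elasticsearch` output, and the Logstash Kafka output plugin's default is to retry a failed send until it succeeds, so if `helk-kafka` is down or the topic is missing the batch never completes and Sysmon indexing into Elasticsearch stalls with it (worth confirming against the plugin version bundled with 6.2.3). Either give the fan-out its own pipeline so one sink cannot block the other, or set `retries` explicitly and document the trade-off on the block, e.g. `# Re-publishes enriched Sysmon events; retries are bounded so a Kafka outage cannot block ES indexing`. The hosts on the `bootstrap_servers` line are reached with the default `security_protocol => "PLAINTEXT"`, the same unauthenticated transport the brokers expose.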
|
|
@ -6,12 +6,17 @@
|
|||
output {
|
||||
if [log_name] == "Security"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-security-%{+YYYY.MM.dd}"
|
||||
template => "/opt/helk/output_templates/winevent-security-template.json"
|
||||
template_name => "logs-endpoint-winevent-security"
|
||||
template_overwrite => true
|
||||
document_id => "%{[@metadata][log_hash]}"
|
||||
}
|
||||
kafka {
|
||||
bootstrap_servers => "helk-kafka:9092,helk-kafka:9093,helk-kafka:9094"
|
||||
codec => "json"
|
||||
topic_id => "securitytransformed"
|
||||
}
|
||||
}
|
||||
}
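Review bot: The added `kafka` output re-publishes every Windows Security event — logons, privilege use, account management — to `helk-kafka:9092-9094` over the default PLAINTEXT transport, and the brokers advertise whatever `${ADVERTISED_LISTENER}` is set to at start-up, so the `securitytransformed` topic is readable by any client that can reach those ports, with no authentication in between. If the topic is meant for an internal consumer only, say so on the block and make sure 9092-9094 are not published beyond the collectors, e.g. `# securitytransformed: internal consumers only; brokers are PLAINTEXT, keep 909x off untrusted networks`. Like the Sysmon output, this block will also hold the pipeline if Kafka stops accepting writes, since `retries` is left at the plugin default.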
|
|
@ -6,7 +6,7 @@
|
|||
output {
|
||||
if [log_name] == "System"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-system-%{+YYYY.MM.dd}"
|
||||
template => "/opt/helk/output_templates/winevent-system-template.json"
|
||||
template_name => "logs-endpoint-winevent-system"
|
|
@ -6,7 +6,7 @@
|
|||
output {
|
||||
if [log_name] == "Application"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-application-%{+YYYY.MM.dd}"
|
||||
template => "/opt/helk/output_templates/winevent-application-template.json"
|
||||
template_name => "logs-endpoint-winevent-application"
|
|
@ -6,7 +6,7 @@
|
|||
output {
|
||||
if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
manage_template => false
|
||||
index => "logs-endpoint-winevent-powershell-%{+YYYY.MM.dd}"
|
||||
document_id => "%{[@metadata][log_hash]}"
|
|
@ -6,7 +6,7 @@
|
|||
output {
|
||||
if [log_name] == "Microsoft-Windows-WMI-Activity/Operational"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-winevent-wmiactivity-%{+YYYY.MM.dd}"
|
||||
template => "/opt/helk/output_templates/winevent-wmiactivity-template.json"
|
||||
template_name => "logs-endpoint-winevent-wmiactivity"
|
|
@ -6,7 +6,7 @@
|
|||
output {
|
||||
if [@metadata][source] == "beats"{
|
||||
elasticsearch {
|
||||
hosts => ["127.0.0.1:9200"]
|
||||
hosts => ["helk-elasticsearch:9200"]
|
||||
index => "logs-endpoint-beats-%{+YYYY.MM.dd}"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
#!/bin/sh
|
||||
|
||||
# HELK script: entrypoint.sh
|
||||
# HELK script description: Restarts and runs Logstash service
|
||||
# HELK build version: 0.9 (Alpha)
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# Start graceful termination of Logstash services that might be running before running the entrypoint script.
|
||||
_term() {
|
||||
echo "Terminating HELK Services"
|
||||
service logstash stop
|
||||
exit 0
|
||||
}
|
||||
trap _term SIGTERM
|
||||
|
||||
# Removing PID files just in case the graceful termination fails
|
||||
rm -f /var/run/logstash.pid
|
||||
|
||||
# *********** Setting Logstash Heap Size***************
|
||||
# https://www.elastic.co/guide/en/logstash/current/performance-troubleshooting.html
|
||||
sed -i "s/#*-Xmx[0-9]\+g/-Xmx2g/g" /etc/logstash/jvm.options
|
||||
sed -i "s/#*-Xms[0-9]\+g/-Xms2g/g" /etc/logstash/jvm.options
|
||||
|
||||
# *********** Start HELK services ***************
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Waiting for elasticsearch URI to be accessible.."
|
||||
until curl -s helk-elasticsearch:9200 -o /dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Starting Logstash services.."
|
||||
service logstash start
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Logstash Logs to console.."
|
||||
tail -f /var/log/logstash/*-plain.log
|
|
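Review bot: `tail -f /var/log/logstash/*-plain.log` on the last line runs as a foreground child of the script, and a POSIX shell defers a trapped signal received while waiting on a foreground command until that command returns, so if this script is the container entrypoint (as the Nginx Dockerfile below does for its counterpart) a `docker stop` never reaches `_term` and Logstash is killed by the runtime's SIGKILL timeout instead of `service logstash stop`. Backgrounding the tail and waiting on it keeps the handler reachable: `tail -f /var/log/logstash/*-plain.log &` followed by `wait $!`. The readiness loop `until curl -s helk-elasticsearch:9200 -o /dev/null` has no `-f`, so any HTTP answer ends the wait even while the node is still starting; `until curl -fs "helk-elasticsearch:9200/_cluster/health?wait_for_status=yellow" -o /dev/null; do sleep 1; done` waits for the cluster itself. The new Nginx entrypoint.sh further down has the same foreground-tail problem. If `/bin/sh` here is dash, confirm that `trap _term SIGTERM` accepts the `SIG` prefix; the portable spelling is `trap _term TERM`.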
@ -0,0 +1,39 @@
|
|||
# HELK script: HELK Nginx Dockerfile
|
||||
# HELK build version: 0.9 (ALPHA)
|
||||
# HELK ELK version: 6.2.3
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# References:
|
||||
# https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html
|
||||
# https://github.com/spujadas/elk-docker/blob/master/Dockerfile
|
||||
|
||||
FROM cyb3rward0g/helk-base:0.0.1
|
||||
LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
|
||||
LABEL description="Dockerfile base for the HELK Nginx."
|
||||
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
||||
# *********** Installing Prerequisites ***************
|
||||
# -qq : No output except for errors
|
||||
RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
|
||||
&& apt-get update -qq
|
||||
|
||||
RUN apt-get -qy clean \
|
||||
autoremove
|
||||
|
||||
# *********** Adding HELK scripts and files to Container ***************
|
||||
ADD scripts/entrypoint.sh /opt/helk/scripts/
|
||||
RUN chmod +x /opt/helk/scripts/entrypoint.sh
|
||||
|
||||
# *********** Installing Nginx ***************
|
||||
RUN apt-get install -qqy nginx \
|
||||
&& mv /etc/nginx/sites-available/default /etc/nginx/sites-available/backup_default
|
||||
ADD htpasswd.users /etc/nginx/
|
||||
ADD default /etc/nginx/sites-available/
|
||||
RUN apt-get update -qq
|
||||
|
||||
# *********** RUN HELK ***************
|
||||
EXPOSE 80
|
||||
WORKDIR "/opt/helk/scripts/"
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
|
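Review bot: `ADD htpasswd.users /etc/nginx/` bakes the basic-auth credential file into an image layer, so every distributed copy of the image carries the same password hashes and they cannot be rotated without a rebuild; mounting the file at run time (a compose `volumes:` entry onto `/etc/nginx/htpasswd.users`) keeps it out of the image and out of `docker history`. The apt steps are also split across layers: `apt-get install -qqy nginx` runs against package lists fetched in an earlier `RUN`, the trailing `RUN apt-get update -qq` after the config copies only adds a layer, and `/var/lib/apt/lists` is never removed, so update, install and cleanup belong in one `RUN` as below. `ENV DEBIAN_FRONTEND noninteractive` uses the legacy space-separated form and persists into the running container; prefixing the apt commands instead keeps it build-only. The local files are plain copies, so `COPY` rather than `ADD` is the conventional instruction, and a `USER` directive (or a note that nginx drops its workers itself) would document who the final stage runs as.
```dockerfile
# *********** Installing Prerequisites and Nginx ***************
# -qq : No output except for errors
# update, install and cleanup share one layer so the lists used by the
# install are fresh and are not left behind in the image
RUN echo "[HELK-DOCKER-INSTALLATION-INFO] Updating Ubuntu base image.." \
  && DEBIAN_FRONTEND=noninteractive apt-get update -qq \
  && DEBIAN_FRONTEND=noninteractive apt-get install -qqy --no-install-recommends nginx \
  && apt-get -qy clean \
  && apt-get -qy autoremove \
  && rm -rf /var/lib/apt/lists/* \
  && mv /etc/nginx/sites-available/default /etc/nginx/sites-available/backup_default

# *********** Adding HELK scripts and files to Container ***************
COPY scripts/entrypoint.sh /opt/helk/scripts/
RUN chmod +x /opt/helk/scripts/entrypoint.sh
COPY default /etc/nginx/sites-available/
# htpasswd.users is mounted at run time, not copied into the image

# … unchanged: EXPOSE / WORKDIR / ENTRYPOINT …
```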
@ -1,20 +1,3 @@
|
|||
server {
|
||||
listen 8082;
|
||||
|
||||
server_name 127.0.0.1;
|
||||
|
||||
auth_basic "Restricted Access";
|
||||
auth_basic_user_file /etc/nginx/htpasswd.users;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:9200;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
||||
proxy_set_header Host $host;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
}
|
||||
}
|
||||
server {
|
||||
proxy_connect_timeout 900;
|
||||
proxy_send_timeout 600;
|
||||
|
@ -28,7 +11,7 @@ server {
|
|||
auth_basic_user_file /etc/nginx/htpasswd.users;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5601;
|
||||
proxy_pass http://helk-kibana:5601;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection 'upgrade';
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/sh
|
||||
|
||||
# HELK script: entrypoint.sh
|
||||
# HELK script description: Restarts and runs Nginx service
|
||||
# HELK build version: 0.9 (Alpha)
|
||||
# Author: Roberto Rodriguez (@Cyb3rWard0g)
|
||||
# License: BSD 3-Clause
|
||||
|
||||
# Start graceful termination of HELK services that might be running before running the entrypoint script.
|
||||
_term() {
|
||||
echo "Terminating Nginx Services"
|
||||
service nginx stop
|
||||
exit 0
|
||||
}
|
||||
trap _term SIGTERM
|
||||
|
||||
until curl -s helk-elasticsearch:9200 -o /dev/null; do
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Starting remaining services.."
|
||||
service nginx restart
|
||||
|
||||
echo "[HELK-DOCKER-INSTALLATION-INFO] Pushing Nginx Logs to console.."
|
||||
tail -f /var/log/nginx/*.log
|
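Review bot: The readiness loop `until curl -s helk-elasticsearch:9200 -o /dev/null` waits for Elasticsearch, but the upstream visible in the `default` change above is `helk-kibana:5601`, and nginx resolves a static `proxy_pass` hostname when it loads its configuration, so if the Kibana container is not yet resolvable when `service nginx restart` runs, nginx fails to start and the script falls through to `tail` with nothing serving. Waiting on the real dependency removes the race: `until curl -fs helk-kibana:5601/api/status -o /dev/null; do sleep 1; done`. The foreground-tail problem noted on the Logstash entrypoint applies here too: `tail -f /var/log/nginx/*.log &` plus `wait $!` keeps `_term` reachable on `docker stop`. A short comment above the loop, `# wait for the proxied Kibana API before starting nginx`, would make the intent of the wait clear.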
137
helk_install.sh
137
helk_install.sh
|
@ -22,7 +22,7 @@ echoerror() {
|
|||
systemKernel="$(uname -s)"
|
||||
|
||||
# *********** Getting Jupyter Token ***************
|
||||
get_token(){
|
||||
get_jupyter_token(){
|
||||
echo "[HELK-INSTALLATION-INFO] Waiting for HELK services and Jupyter Server to start.."
|
||||
until curl -s localhost:8880 -o /dev/null; do
|
||||
sleep 1
|
||||
|
@ -48,7 +48,7 @@ install_curl(){
|
|||
}
|
||||
|
||||
# *********** Building and Running HELK Images ***************
|
||||
build_run(){
|
||||
install_helk(){
|
||||
echo "[HELK-INSTALLATION-INFO] Building HELK via docker-compose"
|
||||
echo "ADVERTISED_LISTENER=$host_ip" >> helk.env
|
||||
docker-compose build >> $LOGFILE 2>&1
|
||||
|
@ -66,23 +66,62 @@ build_run(){
|
|||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# *********** Showing HELK Docker menu options ***************
|
||||
show_banner() {
|
||||
echo " "
|
||||
echo "**********************************************"
|
||||
echo "** HELK - THE HUNTING ELK **"
|
||||
echo "** **"
|
||||
echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
|
||||
echo "** HELK build version: 0.9 (Alpha) **"
|
||||
echo "** HELK ELK version: 6.2.3 **"
|
||||
echo "** License: BSD 3-Clause **"
|
||||
echo "**********************************************"
|
||||
echo " "
|
||||
|
||||
install_docker(){
|
||||
# ****** Installing via convenience script ***********
|
||||
echo "[HELK-INSTALLATION-INFO] Installing docker via convenience script.."
|
||||
curl -fsSL get.docker.com -o get-docker.sh >> $LOGFILE 2>&1
|
||||
chmod +x get-docker.sh >> $LOGFILE 2>&1
|
||||
./get-docker.sh >> $LOGFILE 2>&1
|
||||
ERROR=$?
|
||||
if [ $ERROR -ne 0 ]; then
|
||||
echoerror "Could not install docker via convenience script (Error Code: $ERROR)."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
install_docker_compose(){
|
||||
echo "[HELK-INSTALLATION-INFO] Installing docker-compose.."
|
||||
curl -L https://github.com/docker/compose/releases/download/1.19.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose >> $LOGFILE 2>&1
|
||||
chmod +x /usr/local/bin/docker-compose >> $LOGFILE 2>&1
|
||||
ERROR=$?
|
||||
if [ $ERROR -ne 0 ]; then
|
||||
echoerror "Could not install docker-compose (Error Code: $ERROR)."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
get_host_ip(){
|
||||
# *********** Getting Host IP ***************
|
||||
# https://github.com/Invoke-IR/ACE/blob/master/ACE-Docker/start.sh
|
||||
echo "[HELK-INSTALLATION-INFO] Obtaining current host IP.."
|
||||
case "${systemKernel}" in
|
||||
Linux*) host_ip=$(ip route get 1 | awk '{print $NF;exit}');;
|
||||
Darwin*) host_ip=$(ifconfig en0 | grep inet | grep -v inet6 | cut -d ' ' -f2);;
|
||||
*) host_ip="UNKNOWN:${unameOut}"
|
||||
esac
|
||||
}
|
||||
|
||||
set_helk_ip(){
|
||||
# *********** Accepting Defaults or Allowing user to set HELK IP ***************
|
||||
local ip_choice
|
||||
local read_input
|
||||
read -t 30 -p "[HELK-INSTALLATION-INFO] Set HELK IP. Default value is your current IP: " -e -i ${host_ip} ip_choice
|
||||
read_input=$?
|
||||
ip_choice="${ip_choice:-$host_ip}"
|
||||
if [ $ip_choice != $host_ip ]; then
|
||||
host_ip=$ip_choice
|
||||
fi
|
||||
if [ $read_input = 142 ]; then
|
||||
echo -e "\n[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
|
||||
else
|
||||
echo "[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
|
||||
fi
|
||||
}
|
||||
|
||||
prepare_helk(){
|
||||
get_host_ip
|
||||
set_helk_ip
|
||||
if [ "$systemKernel" == "Linux" ]; then
|
||||
# Reference: https://get.docker.com/
|
||||
echo "[HELK-INSTALLATION-INFO] HELK identified Linux as the system kernel"
|
||||
|
@ -148,17 +187,8 @@ prepare_helk(){
|
|||
|
||||
# ****** Install Curl if it is not installed *********
|
||||
install_curl
|
||||
|
||||
# ****** Installing via convenience script ***********
|
||||
echo "[HELK-INSTALLATION-INFO] Installing docker via convenience script.."
|
||||
curl -fsSL get.docker.com -o scripts/get-docker.sh >> $LOGFILE 2>&1
|
||||
chmod +x scripts/get-docker.sh >> $LOGFILE 2>&1
|
||||
scripts/get-docker.sh >> $LOGFILE 2>&1
|
||||
ERROR=$?
|
||||
if [ $ERROR -ne 0 ]; then
|
||||
echoerror "Could not install docker via convenience script (Error Code: $ERROR)."
|
||||
exit 1
|
||||
fi
|
||||
# ****** Installing Docker if it is not installed *********
|
||||
install_docker
|
||||
fi
|
||||
# ********** Check if docker-compose is installed *******
|
||||
if [ -x "$(command -v docker-compose)" ]; then
|
||||
|
@ -168,16 +198,8 @@ prepare_helk(){
|
|||
|
||||
# ****** Install Curl if it is not installed *********
|
||||
install_curl
|
||||
|
||||
# ****** Installing docker-compose ***********
|
||||
echo "[HELK-INSTALLATION-INFO] Installing docker-compose .."
|
||||
curl -L https://github.com/docker/compose/releases/download/1.19.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose >> $LOGFILE 2>&1
|
||||
chmod +x /usr/local/bin/docker-compose >> $LOGFILE 2>&1
|
||||
ERROR=$?
|
||||
if [ $ERROR -ne 0 ]; then
|
||||
echoerror "Could not install docker-compose (Error Code: $ERROR)."
|
||||
exit 1
|
||||
fi
|
||||
# ****** Installing Docker-Compose *******************
|
||||
install_docker_compose
|
||||
fi
|
||||
else
|
||||
# *********** Check if docker is installed ***************
|
||||
|
@ -200,38 +222,23 @@ prepare_helk(){
|
|||
fi
|
||||
}
|
||||
|
||||
get_host_ip(){
|
||||
# *********** Getting Host IP ***************
|
||||
# https://github.com/Invoke-IR/ACE/blob/master/ACE-Docker/start.sh
|
||||
echo "[HELK-INSTALLATION-INFO] Obtaining current host IP.."
|
||||
case "${systemKernel}" in
|
||||
Linux*) host_ip=$(ip route get 1 | awk '{print $NF;exit}');;
|
||||
Darwin*) host_ip=$(ifconfig en0 | grep inet | grep -v inet6 | cut -d ' ' -f2);;
|
||||
*) host_ip="UNKNOWN:${unameOut}"
|
||||
esac
|
||||
|
||||
# *********** Accepting Defaults or Allowing user to set HELK IP ***************
|
||||
local ip_choice
|
||||
local read_input
|
||||
read -t 30 -p "[HELK-INSTALLATION-INFO] Set HELK IP. Default value is your current IP: " -e -i ${host_ip} ip_choice
|
||||
read_input=$?
|
||||
ip_choice="${ip_choice:-$host_ip}"
|
||||
if [ $ip_choice != $host_ip ]; then
|
||||
host_ip=$ip_choice
|
||||
fi
|
||||
if [ $read_input = 142 ]; then
|
||||
echo -e "\n[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
|
||||
else
|
||||
echo "[HELK-INSTALLATION-INFO] HELK IP set to ${host_ip}"
|
||||
fi
|
||||
}
|
||||
# *********** Showing HELK Docker menu options ***************
|
||||
echo " "
|
||||
echo "**********************************************"
|
||||
echo "** HELK - THE HUNTING ELK **"
|
||||
echo "** **"
|
||||
echo "** Author: Roberto Rodriguez (@Cyb3rWard0g) **"
|
||||
echo "** HELK build version: 0.9 (Alpha) **"
|
||||
echo "** HELK ELK version: 6.2.3 **"
|
||||
echo "** License: BSD 3-Clause **"
|
||||
echo "**********************************************"
|
||||
echo " "
|
||||
|
||||
# *********** Running selected option ***************
|
||||
show_banner
|
||||
prepare_helk
|
||||
build_run
|
||||
get_token
|
||||
sleep 20
|
||||
install_helk
|
||||
get_jupyter_token
|
||||
sleep 45
|
||||
|
||||
echo " "
|
||||
echo " "
|
||||
|
|
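Review bot: In `install_docker_compose` the `curl -L …` download has no `-f`, so a failed request (a 404 from the releases URL, for instance) writes the error body to `/usr/local/bin/docker-compose` with exit status 0, and `ERROR=$?` on the line after `chmod +x` captures only chmod's status, so the function reports success with a non-binary in place. Chaining the two steps and failing on HTTP errors makes the check meaningful: `curl -fsSL "https://github.com/docker/compose/releases/download/1.19.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose >> $LOGFILE 2>&1 && chmod +x /usr/local/bin/docker-compose >> $LOGFILE 2>&1` followed by `ERROR=$?`, and since the compose release publishes sha256 files, verifying the download against a pinned digest with `sha256sum -c` before the chmod would also catch a truncated or tampered binary. `install_docker` fetches `get.docker.com` without a scheme, so curl's first request goes over plain http before any redirect; `curl -fsSL https://get.docker.com -o get-docker.sh` removes that hop, and the downloaded script is left in the working directory afterwards. `get_host_ip` falls back to `host_ip="UNKNOWN:${unameOut}"` but `unameOut` is not set anywhere visible; `systemKernel` is the variable the `case` switches on. In this rendering `show_banner() {` is not followed by a closing `}` before `install_docker(){`; if the file really lacks it, confirm that bash parses the remaining definitions as intended.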
Binary file not shown.