Ergo Witness

Create a Capture Server

In order to actually send data to Logstash, we need a device that can grab the information that we want. For this project, I used Bro, Filebeat, and Packetbeat. Again, these commands are for an RPM distribution of Linux.

Checkout these scripts on GitHub

Install Packetbeat

sudo yum install libpcap curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-5.2.2-x86_64.rpm sudo rpm -vi packetbeat-5.2.2-x86_64.rpm

That's really it, from here you need to change the configuration to your liking. Something that you will definitely need to do is change the interface that your are listening on, and the output to Logstash. If you want a more real time visualization, also change the packetbeat flow reporting period to something small, like 1 second. If you need to know what interfaces you have available, you can use this command:

ip a

Install Bro

These steps can also be found in a repo [here](https://github.com/bah8892/NetworkMonitorVisConfig/blob/master/rpm/InstallBroScript.sh).

Update the system yum update -y && yum upgrade -y yum install git vim curl -y

Install Dependencies

yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel git -y

Install Bro

cd /opt git clone --recursive git://git.bro.org/bro cd bro ./configure make make install export PATH=/usr/local/bro/bin:$PATH

Configure Bro

broInterface=$(ip a | grep '2:' | grep 'en' | awk '{print $2}' |rev | cut -c 2- | rev) echo $broInterface sed -i "s#interface=eth0#interface=$broInterface#g" /usr/local/bro/etc/node.cfg Enable Bro JSON logging sed -i 's#const use_json = F#const use_json = T#g' /usr/local/bro/share/bro/base/frameworks/logging/writers/ascii.bro

In order for the bro logs to work with the visualization, we need to change the default delimiter of a “.” to a “_”, this makes them C# friendly. We can do this in file below:

/usr/local/bro/share/bro/base/frameworks/logging/main.bro

List all your possibe interfaces for Bro:

ip a

Change the interface that Bro is monitoring here:

/usr/local/bro/etc/node.cfg

Completed Install setup (without NGINX)

Here is a full set of installation steps for the server.

##################################### Install Java ################################## yum install wget -y yum install java-devel -y ##################################### Install/Setup Elasticsearch ##################################### sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch echo '[elasticsearch-5.x] name=Elasticsearch repository for 5.x packages baseurl=https://artifacts.elastic.co/packages/5.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md ' | sudo tee /etc/yum.repos.d/elasticsearch.repo sudo yum -y install elasticsearch sed -i 's/#network.host: 192.168.0.1/network.host: 0.0.0.0/g' /etc/elasticsearch/elasticsearch.yml systemctl enable elasticsearch systemctl start elasticsearch ##################################### Install/Setup Kibana ##################################### echo '[kibana-4.4] name=Kibana repository for 4.4.x packages baseurl=http://packages.elastic.co/kibana/4.4/centos gpgcheck=1 gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch enabled=1 ' | sudo tee /etc/yum.repos.d/kibana.repo sudo yum -y install kibana sudo vi /opt/kibana/config/kibana.yml ## In the kibana config file, find the line that specifies server.host and replace the ip with "localhost" ## server.host: "localhost" sudo systemctl start kibana sudo chkconfig kibana on ###################################### Allow firewall connections ################################# firewall-cmd --zone=public --add-port=5601/tcp --permanent firewall-cmd --zone=public --add-port=5400/tcp --permanent firewall-cmd --zone=public --add-port=9200/tcp --permanent firewall-cmd --zone=public --add-port=9600/tcp --permanent firewall-cmd --add-service=http firewall-cmd --add-service=https firewall-cmd --runtime-to-permanent firewall-cmd --reload ##################################### Install/Setup Logstash ##################################### echo '[logstash-5.x] name=Elastic repository for 5.x packages baseurl=https://artifacts.elastic.co/packages/5.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md ' | sudo tee /etc/yum.repos.d/logstash.repo sudo yum -y install logstash systemctl restart logstash systemctl enable logstash ##################################### Install/Setup Packetbeat ##################################### sudo yum install libpcap curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-5.2.2-x86_64.rpm sudo rpm -vi packetbeat-5.2.2-x86_64.rpm mv /etc/packetbeat/packetbeat.yml /etc/packetbeat/packetbeat.yml.back cat > /etc/packetbeat/packetbeat.yml << EOF #============================== Network device ================================ packetbeat.interfaces.device: any packetbeat.interfaces.type: pcap # If you want to us the af_packet style (which uses a lot of RAM, but is faster then PCAP) #packetbeat.interfaces.type: af_packet #================================== Flows ===================================== packetbeat.flows: timeout: 30s period: 1s #========================== Transaction protocols ============================= packetbeat.protocols.icmp: enabled: true packetbeat.protocols.amqp: ports: [5672] packetbeat.protocols.cassandra: ports: [9042] packetbeat.protocols.dns: ports: [53] include_authorities: true include_additionals: true packetbeat.protocols.http: ports: [80, 8080, 8000, 5000, 8002] packetbeat.protocols.memcache: ports: [11211] packetbeat.protocols.mysql: ports: [3306] packetbeat.protocols.pgsql: ports: [5432] packetbeat.protocols.redis: ports: [6379] packetbeat.protocols.thrift: ports: [9090] packetbeat.protocols.mongodb: ports: [27017] packetbeat.protocols.nfs: ports: [2049] #----------------------------- Logstash output -------------------------------- output.logstash: # The Logstash hosts hosts: ["127.0.0.1:5044"] logging.level: debug EOF ###### Disable SELinux ###### sudo setenforce 0