From cc88c4c35ff314e99eef45e093548d4f9da74420 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 26 Aug 2020 17:39:11 -0400 Subject: [PATCH 1/4] adding so-analyst script to create analyst workstatin --- setup/so-analyst | 102 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 setup/so-analyst diff --git a/setup/so-analyst b/setup/so-analyst new file mode 100644 index 000000000..4dff6a89c --- /dev/null +++ b/setup/so-analyst 
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# Copyright 2014-2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Install misc utils
+yum -y install wget curl unzip epel-release;
+
+# Install xWindows
+yum -y groupinstall "X Window System";
+yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts;
+unlink /etc/systemd/system/default.target;
+ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
+
+# Install Mono - prereq for NetworkMiner
+rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef";
+su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo';
+yum -y install mono-devel;
+
+# Install NetworkMiner
+wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
+unzip /tmp/nm.zip -d /opt/;
+cd /opt/NetworkMiner*;
+sudo chmod +x NetworkMiner.exe;
+sudo chmod -R go+w AssembledFiles/;
+sudo chmod -R go+w Captures/;
+rm /tmp/nm.zip;
+
+# Install Wireshark for Gnome
+yum -y install wireshark-gnome;
+
+# Install dnsiff
+yum -y install dsniff;
+
+# Install hping3
+yum -y install hping3;
+
+# Install netsed
+yum -y isntall netsed;
+
+# Install netcat
+#nmap-ncat or socat?
+
+# Install ngrep
+yum -y install ngrep;
+
+# Install scapy
+yum -y install python36-scapy;
+
+# Install ssldump
+yum -y install ssldump;
+
+# Install tcpdump
+yum -y install tcpdump;
+
+# Install tcpflow
+yum -y install tcpflow;
+
+# Install tcpxtract
+yum -y install tcpxtract;
+
+# Install whois
+yum -y install whois;
+
+# Install foremost
+sudo yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
+
+# Install Google Chrome
+wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm;
+yum localinstall google-chrome-stable_current_x86_64.rpm;
+rm google-chrome-stable_current_x86_64.rpm;
+
+# Install tcpstat
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
+
+# Install tcptrace
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm;
+
+# Install sslsniff
+yum -y install boost-filesystem boost-thread log4cpp;
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsniff-0.8.0/securityonion-sslsniff-0.8.0.rpm;
+
+# Install Bit-Twist
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
+
+# Install chaosreader
+yum -y install perl-IO-compress perl-Net-DNS;
+yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
+
+reboot
\ No newline at end of file
From 16c3b9539bf4de0cd95c71823e5e881f34883826 Mon Sep 17 00:00:00 2001
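Review bot: `rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef";` pulls the Mono repository signing key over plain HTTP and imports it with no fingerprint comparison, so the key that later vouches for `yum -y install mono-devel` from `mono-centos7-stable.repo` is itself unauthenticated. Download the key to a file first and check its fingerprint against the one already written in this command (for example with `gpg --with-fingerprint`) before importing, or vendor the key in the repository and import it from disk. The NetworkMiner archive fetched from `https://www.netresec.com/?download=NetworkMiner` and unpacked into `/opt/` has the same gap: no checksum or signature is checked before `NetworkMiner.exe` is marked executable. The file also has no `set -e`, so if `cd /opt/NetworkMiner*;` fails the two `sudo chmod -R go+w` lines run against whatever the current directory happens to be; `set -euo pipefail` after the shebang and `cd /opt/NetworkMiner* || exit 1` stop the errors from cascading into the rest of the install.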
From: m0duspwnens
Date: Wed, 26 Aug 2020 17:51:04 -0400
Subject: [PATCH 2/4] fix a couple things, add another package
--- setup/so-analyst | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/setup/so-analyst b/setup/so-analyst
index 4dff6a89c..f43cb8e08 100644
--- a/setup/so-analyst
+++ b/setup/so-analyst
@@ -30,6 +30,7 @@ su -c 'curl https://download.mono-project.com/repo/centos7-stable.repo | tee /et yum -y install mono-devel; # Install NetworkMiner +yum -y install libcanberra-gtk2; wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; unzip /tmp/nm.zip -d /opt/; cd /opt/NetworkMiner*;
@@ -79,7 +80,7 @@ sudo yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1. # Install Google Chrome wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm; -yum localinstall google-chrome-stable_current_x86_64.rpm; +yum -y localinstall google-chrome-stable_current_x86_64.rpm; rm google-chrome-stable_current_x86_64.rpm; # Install tcpstat
@@ -96,7 +97,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm; # Install chaosreader -yum -y install perl-IO-compress perl-Net-DNS; +yum -y install perl-IO-Compress perl-Net-DNS; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; -reboot \ No newline at end of file +reboot; \ No newline at end of file
From e9b7538ee8265a5d50fcc188933fc13a95721713 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 26 Aug 2020 17:58:27 -0400
Subject: [PATCH 3/4] fix a couple things, add another package
--- setup/so-analyst | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/setup/so-analyst b/setup/so-analyst
index f43cb8e08..7bb2db26c 100644
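Review bot: `yum -y localinstall google-chrome-stable_current_x86_64.rpm;` now installs the downloaded package non-interactively but still without any signature verification: yum's `gpgcheck` covers repository packages, while a package given as a local file is only checked when `localpkg_gpgcheck=1` is set in yum.conf, which nothing in this script does, and as far as I can tell the direct-URL installs (the forensics.cert.org and GitHub RPMs from patch 1) go down the same path. Import the publisher's key and verify before installing, e.g. `rpm --import https://dl.google.com/linux/linux_signing_key.pub` followed by `rpm -K google-chrome-stable_current_x86_64.rpm || exit 1`, and apply the same check to the other RPM URLs. The `wget` also drops the file into the current directory, which at this point appears to be `/opt/NetworkMiner*` from the earlier `cd`, rather than a `mktemp -d` directory that is cleaned up afterwards.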
--- a/setup/so-analyst +++ b/setup/so-analyst @@ -51,9 +51,6 @@ yum -y install hping3; # Install netsed yum -y isntall netsed; -# Install netcat -#nmap-ncat or socat? - # Install ngrep yum -y install ngrep; @@ -90,6 +87,7 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm; # Install sslsniff +# This is unmainted with many PRs waiting. Perhaps we should consider https://github.com/droe/sslsplit instead yum -y install boost-filesystem boost-thread log4cpp; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsniff-0.8.0/securityonion-sslsniff-0.8.0.rpm; From dbb1390c42c65e517691c1b442cb4f98fbeefb46 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Aug 2020 14:32:51 -0400 Subject: [PATCH 4/4] move README to / --- files/analyst/README | 82 ++++++++++++++++++++++++++++++++++++++++++++ setup/so-analyst | 11 +++--- 2 files changed, 88 insertions(+), 5 deletions(-) create mode 100644 files/analyst/README diff --git a/files/analyst/README b/files/analyst/README new file mode 100644 index 000000000..4ddb682c1 --- /dev/null +++ b/files/analyst/README 
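Review bot: The new comment `# This is unmainted with many PRs waiting. Perhaps we should consider https://github.com/droe/sslsplit instead` is an open decision left inline in the install script; spell it `unmaintained` and mark it as `# TODO(m0duspwnens): sslsniff is unmaintained (many PRs waiting); consider https://github.com/droe/sslsplit instead` so the question is trackable rather than read as description. The netcat placeholder (`#nmap-ncat or socat?`) is dropped in the first hunk without recording the decision anywhere; a one-line TODO or issue reference would keep that choice visible.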
@@ -0,0 +1,82 @@ +The following tools are available on the analyst workstation. + + +NetworkMiner + url: https://www.netresec.com + Running NetworkMiner: Open terminal and run: mono /opt/NetworkMiner_2-5/NetworkMiner.exe --noupdatecheck + +Wireshark + url: https://www.wireshark.org/ + Running Wireshark: Applications > Internet > Wireshark Network Analyzer + +dnsiff + url: https://www.monkey.org/~dugsong/dsniff/ + Running dsniff: Open terminal and run: dsniff -h + +hping3 + url: http://www.hping.org/hping3.html + Running hping3: Open terminal and run: hping3 -h + +netsed + url: http://silicone.homelinux.org/projects/netsed/ + Running netsed: Open terminal and run: netsed -h + +ngrep + url: https://github.com/jpr5/ngrep + Running ngrep: Open terminal and run: ngrep -h + +scapy + url: http://www.secdev.org/projects/scapy/ + Running scapy: Open terminal and run: scapy + +ssldump + url: http://www.rtfm.com/ssldump/ + Running ssldump: Open terminal and run: ssldump -h + +tcpdump + url: http://www.tcpdump.org + Running tcpdump: Open terminal and run: tcpdump -h + +tcpflow + url: https://github.com/simsong/tcpflow + Running tcpflow: Open terminal and run: tcpflow -h + +tcpxtract + url: http://tcpxtract.sourceforge.net/ + Running tcpxtract: Open terminal and run: tcpxtract -h + +whois + url: http://www.linux.it/~md/software/ + Running whois: Open terminal and run: whois -h + +foremost + url: http://foremost.sourceforge.net + Running foremost: Open terminal and run: foremost -h + +tcpstat + url: https://frenchfries.net/paul/tcpstat/ + Running tcpstat: Open terminal and run: tcpstat -h + +tcptrace + url: http://www.tcptrace.org + Running tcptract: Open terminal and run: tcptrace -h + +sslsplit + url: https://github.com/droe/sslsplit + Running sslsplit: Open terminal and run: sslsplit -h + +bit-twist + url: http://bittwist.sourceforge.net + Running bit-twist: Open terminal and run: bittwist -h + +chaosreader + url: http://chaosreader.sourceforge.net + Running chaosreader: Open 
terminal and run: perl /usr/bin/chaosreader -h + +Google Chrome + url: https://www.google.com/chrome/ + Running Google Chrome: Applications > Internet > Google Chrome + + + +
diff --git a/setup/so-analyst b/setup/so-analyst
index 7bb2db26c..6311f0d23 100644
--- a/setup/so-analyst
+++ b/setup/so-analyst
@@ -49,7 +49,7 @@ yum -y install dsniff; yum -y install hping3; # Install netsed -yum -y isntall netsed; +yum -y install netsed; # Install ngrep yum -y install ngrep;
@@ -86,10 +86,9 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- # Install tcptrace yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm; -# Install sslsniff -# This is unmainted with many PRs waiting. Perhaps we should consider https://github.com/droe/sslsplit instead -yum -y install boost-filesystem boost-thread log4cpp; -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsniff-0.8.0/securityonion-sslsniff-0.8.0.rpm; +# Install sslsplit +yum -y install libevent; +yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-sslsplit-0.5.5/securityonion-sslsplit-0.5.5.rpm; # Install Bit-Twist yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
@@ -98,4 +97,6 @@ yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker- yum -y install perl-IO-Compress perl-Net-DNS; yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; +cp ../files/analyst/README /; + reboot; \ No newline at end of file
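Review bot: `cp ../files/analyst/README /;` resolves relative to the current working directory, and by this point the script has already run `cd /opt/NetworkMiner*;` (outside this hunk, in the NetworkMiner section), so `../files/analyst/README` points at `/opt/files/analyst/README` rather than the repository file; the copy fails, and because the script sets no `set -e` the failure is ignored and `reboot;` follows anyway. Derive the path from the script's own location instead: `cp -- "$(dirname -- "$(readlink -f -- "$0")")/../files/analyst/README" /` (`readlink -f` is GNU coreutils and present on the CentOS 7 target this script assumes). The new sslsplit RPM in the hunk above is installed from a URL with the same absent signature check as the other direct-URL RPMs in this file.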