CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,414 Commits 24 Branches 119 Tags
a9113a99a697b24fd5eeae30e458493af6bfb7c4
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Mike Reeves a9113a99a6 cmd.script cleanup
2019-09-19 08:52:44 -04:00
files
Common Module - Add utils
2018-11-15 16:35:27 -05:00
install_scripts
Further fixes for network offloading
2019-08-15 16:14:21 -04:00
pillar
Firewall Module - Add so-allow
2019-07-23 10:08:09 -04:00
salt
cmd.script cleanup
2019-09-19 08:52:44 -04:00
.gitignore
Update Git Ignore
2018-05-16 17:21:34 -04:00
exclude-list.txt
Suricata Meta Data Option
2018-11-13 11:25:30 -05:00
README.md
Merge branch 'master' into master
2019-07-25 16:04:02 -04:00
so-setup-network.sh
Further fixes for network offloading
2019-08-15 16:14:21 -04:00
updatemaster.sh
Update Script Points to prod
2018-11-14 14:56:51 -05:00
VERSION
Version 1.0.6 Release
2019-01-25 11:02:14 -05:00

README.md

Hybrid Hunter Alpha 1.1.0

Changes:

  • Alpha is here!! Check out the Hybrid Hunter Quick Start Guide.
  • There is a new PCAP interface called Sensoroni. Pivoting is done via Kibana. See details here.
  • Bond interface setup now uses nmcli for better compatibility in the network based setup script.
  • Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions.
  • Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components.
  • Add users to the web interface via so-user-add and follow the prompts.
  • so-allow now exists to make your life easier.
  • Bro 2.6.2.
  • All Docker images were updated to reflect Alpha status.
  • Disabled DEBUG logging on a lot of components to reduce space usage.
  • Added a rule update cron job so the master pulls new rules down every day at 7AM UTC.
  • You can now manually run a rule update using the so-rule-update command.

Warnings and Disclaimers

  • This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!
  • If this breaks your system, you get to keep both pieces!
  • This script is a work in progress and is in constant flux.
  • This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final - release.
  • Do NOT run this on a system that you care about!
  • Do NOT run this on a system that has data that you care about!
  • This script should only be run on a TEST box with TEST data!
  • This script is only designed for standalone boxes and does NOT support distributed deployments.
  • Use of this script may result in nausea, vomiting, or a burning sensation.

Requirements

Evaluation Mode:

  • Single VM running Ubuntu 16.04 or CentOS 7
  • Minimum 8GB of RAM
  • Minimum 4 CPU cores
  • Minimum 2 NICs

Distributed:

  • 3 VMs running Ubuntu 16.04 or CentOS 7 (You can mix and match)
  • Minimum 8GB of RAM per VM
  • Minimum 4 CPU cores per VM
  • Minimum 2 NICs for forward nodes

Prerequisites

If you are running CentOS 7 there are a couple of prerequisites:

sudo yum -y install git bind-utils
sudo hostnamectl set-hostname YOURHOSTNAME
sudo reboot

Installation

Once you resolve those requirements or are using Ubuntu 16.04 do the following:

git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
cd securityonion-saltstack
sudo bash so-setup-network.sh

Follow the prompts and reboot if asked to do so.

Want to try the bleeding edge? You can install the following:

git clone https://github.com/TOoSmOotH/securityonion-saltstack
cd securityonion-saltstack
sudo bash so-setup-network.sh

This is an active development repo so many things can and will be broken.

Allow Access to Kibana

Once Setup is complete and services have initialized, you can then allow access to Kibana as follows.

For a single host:

sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.1

For a network range:

sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh analyst 192.168.30.0/24

Then connect to your master via https://YOURMASTER

FAQ

See the FAQ on the Hybrid Hunter wiki.

Feedback

If you have questions, problems, or other feedback regarding Hybrid Hunter, please post to our subreddit and prefix the title with [Hybrid Hunter]:
https://www.reddit.com/r/securityonion/

Reference in New Issue View Git Blame Copy Permalink
Description
Security Onion 2 - Linux distro for threat hunting, enterprise security monitoring, and log management
Readme 125 MiB
Languages
Shell 51%
Jinja 22.2%
SaltStack 12%
Python 8.7%
CSS 2%
Other 4%