Visualiseerimine - Labor 1: Difference between revisions
No edit summary |
No edit summary |
||
| Line 25: | Line 25: | ||
Paigaldame stabiilse java versiooni. Kui küsitakse litsentsi nõusolekut, siis tuleb nõustuda. | Paigaldame stabiilse java versiooni. Kui küsitakse litsentsi nõusolekut, siis tuleb nõustuda. | ||
apt-get install oracle-java7-installer | apt-get install oracle-java7-installer | ||
=== Elasticsearchi paigaldamine === | |||
Alguses läheme rootkausta, kui seda pole varem teinud. | |||
cd | |||
Laadime alla Elasticsearchi uusima versiooni: | |||
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.6.0.deb | |||
Paigaldame Elasticsearchi: | |||
dpkg -i elasticsearch-1.6.0.deb | |||
=== Logstashi paigaldamine === | |||
Laadime alla Logstashi uusima versiooni: | |||
wget http://download.elastic.co/logstash/logstash/packages/debian/logstash_1.5.0-1_all.deb | |||
Paigaldame Logstashi: | |||
dpgk -i logstash_1.5.0-1_all.deb | |||
Logstashi konfigureerimiseks loome uue faili logstash.conf | |||
touch /etc/logstash/conf.d/logstash.conf | |||
Avame uue loodud faili sobiva tekstiredaktoriga. Näiteks on kasutatud nano | |||
nano /etc/logstash/conf.d/logstash.conf | |||
Lisame järgneva konfiguratsiooni: | |||
input { | |||
file { | |||
path => ["/var/log/suricata/eve.json"] | |||
sincedb_path => ["/var/lib/logstash/"] | |||
codec => json | |||
type => "SuricataIDPS" | |||
} | |||
} | |||
filter { | |||
if [type] == "SuricataIDPS" { | |||
date { | |||
match => [ "timestamp", "ISO8601" ] | |||
} | |||
ruby { | |||
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" | |||
} | |||
} | |||
if [src_ip] { | |||
geoip { | |||
source => "src_ip" | |||
target => "geoip" | |||
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat" | |||
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] | |||
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] | |||
} | |||
mutate { | |||
convert => [ "[geoip][coordinates]", "float" ] | |||
} | |||
if ![geoip.ip] { | |||
if [dest_ip] { | |||
geoip { | |||
source => "dest_ip" | |||
target => "geoip" | |||
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat" | |||
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] | |||
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] | |||
} | |||
mutate { | |||
convert => [ "[geoip][coordinates]", "float" ] | |||
} | |||
} | |||
} | |||
} | |||
} | |||
output { | |||
elasticsearch { | |||
host => localhost | |||
#protocol => http | |||
} | |||
} | |||
Konfigureerime automaatselt käivituma: | |||
update-rc.d elasticsearch defaults 95 10 | |||
update-rc.d logstash defaults | |||
Taaskäivitame teenused: | |||
service apache2 restart | |||
service elasticsearch start | |||
service logstash start | |||
Revision as of 13:16, 10 June 2015
Labor 1
Esimeses laboris paigaldatakse IDS serverile ründetuvastussüsteem Suricata, kasutades juhendit IDS_Systeemid_-_Labor_1.
Veebiserveri ettevalmistus*
Veebiserverile tuleb paigaldada DVWA, kuhu tehakse ründeid. DVWA paigaldusjuhendi leiab DVWA.
"*" - Ei ole veel teada, kas jääb siia või on eelnevalt paigaldatud.
Ettevalmistused antud laborite jaoks
Kuna Elasticsearch ning Logstalgia nõuavad Java 7 olemasolu, siis tuleb tuleb see paigaldada.
NB! Kõik käsud tehakse root õigustes. Selleks, et root õigustesse minna saab kasutada käsku:
sudo -i
ning sisestage parool.
Esiteks lisame ppa apt-i repositooriumi:
add-apt-repository -y ppa:webupd8team/java
Nüüd uuendame repositooriumi:
apt-get update
Paigaldame stabiilse java versiooni. Kui küsitakse litsentsi nõusolekut, siis tuleb nõustuda.
apt-get install oracle-java7-installer
Elasticsearchi paigaldamine
Alguses läheme rootkausta, kui seda pole varem teinud.
cd
Laadime alla Elasticsearchi uusima versiooni:
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.6.0.deb
Paigaldame Elasticsearchi:
dpkg -i elasticsearch-1.6.0.deb
Logstashi paigaldamine
Laadime alla Logstashi uusima versiooni:
wget http://download.elastic.co/logstash/logstash/packages/debian/logstash_1.5.0-1_all.deb
Paigaldame Logstashi:
dpgk -i logstash_1.5.0-1_all.deb
Logstashi konfigureerimiseks loome uue faili logstash.conf
touch /etc/logstash/conf.d/logstash.conf
Avame uue loodud faili sobiva tekstiredaktoriga. Näiteks on kasutatud nano
nano /etc/logstash/conf.d/logstash.conf
Lisame järgneva konfiguratsiooni:
input {
file {
path => ["/var/log/suricata/eve.json"]
sincedb_path => ["/var/lib/logstash/"]
codec => json
type => "SuricataIDPS"
}
}
filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
output {
elasticsearch {
host => localhost
#protocol => http
}
}
Konfigureerime automaatselt käivituma:
update-rc.d elasticsearch defaults 95 10 update-rc.d logstash defaults
Taaskäivitame teenused:
service apache2 restart service elasticsearch start service logstash start
