All done on Ubuntu 12 server. Pretty much followed this guide: https://code.google.com/p/collective-intelligence-framework/wiki/ServerInstall_Ubuntu12_v1 Ran into a few issues… Had to force some perl modules. cpanm Net::Abuse::Utils –force And version 1.7 of Linux::Cpuinfo wouldn’t install. Just removed the @1.7. cpanm git://github.com/gitpan/Linux-Cpuinfo.git –force Then you have to grab this Cpuinfo.pm and place it Read more…
CentOS6 again. Download the latest version of kibana from http://www.elasticsearch.org/overview/kibana/installation/cd /var/www/ wget http://www.elasticsearch.org/overview/kibana/installation/ tar zxvf kibana* rm kibana*.gz mv kibana* kibana3 Create a kibana configuration file for Apache. <VirtualHost YOURIP:80> ServerName FQDN DocumentRoot /var/www/kibana3 <Directory /var/www/kibana3> Allow from all Options -Multiviews </Directory> LogLevel debug ErrorLog /var/log/httpd/error_log CustomLog /var/log/httpd/access_log Read more…
I needed to determine the average traffic seen at the internet gateway in order to scope full packet capture, Bro and flow data.Then i needed to find traffic to eliminate and gain storage retention. Mon-Fri are peak, and Sat-Sun are idle times. Export flows for a 24 hour period to Read more…
All done on CentOS6 There are scripts to automate this, but I like installing everything from source to learn more about the packages. Here’s an example script along with a gui for SiLK rw commands.FlowBat Download the following source code files from the netsa CERT project home page Fixbuf, netsa-python, Read more…
Logstash InstallationThe Logstash package shares the same GPG Key as Elasticsearch, and we already installed that public key, so let’s create and edit a new Yum repository file for Logstash:sudo vi /etc/yum.repos.d/logstash.repo Add the following repository configuration:[logstash-1.4]name=logstash repository for 1.4.x packagesbaseurl=http://packages.elasticsearch.org/logstash/1.4/centosgpgcheck=1gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearchenabled=1 Save and exit.Install Logstash 1.4.2 with this command:sudo yum Read more…
These installs are on the latest CentOS6 as of October 2014. First we have to install PF_RING to take advantage of the performance boost and to load balance bro processes. Bro is not multithreaded. Package Prerequisites: sudo yum install subversion cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig Read more…
Let’s say you’re using Bro, and you have this bad assed app called ELSA to search through the mountains of logs produced. You find exactly what you’re looking for but you need the payload from the stream. One option is to integrate ELSA and Moloch. It’s super easy. edit /etc/elsa_web.conf Read more…