├── .bashrc ├── LICENSE ├── README.md ├── addons ├── itop │ └── itop_post_conf.sh ├── littlebeat_6.1.001_addons.sh ├── littlebeat_addons.sh ├── littlebeat_addons_5.5.001_test.sh ├── main-dash.json ├── osquery │ ├── etc │ │ └── logstash │ │ │ └── conf.d │ │ │ └── 03-osquery.conf │ ├── install_osquery.bat │ ├── kibana │ │ └── osquery-dash.json │ ├── osquery.conf │ ├── osquery.ico │ ├── osquery.man │ ├── osquery.msi │ ├── osquery.xml │ ├── osquery_no_tls.flags │ ├── osqueryd.exe │ ├── osqueryi.exe │ ├── packs │ │ ├── unwanted-chrome-extensions.conf │ │ ├── windows-application-security.conf │ │ ├── windows-attacks.conf │ │ ├── windows-compliance.conf │ │ └── windows-registry-monitoring.conf │ ├── set_acl.ps1 │ ├── uninstall_osquery.bat │ └── winlogbeat.yml ├── ossec │ ├── install_ossec.sh │ ├── kibana │ │ └── wazuh_dash.json │ └── logstash │ │ ├── conf.d │ │ └── 02-wazuh.conf │ │ └── templates │ │ └── wazuh-elastic6-template-alerts.json └── ueba │ ├── kibana │ └── ueba-dash.json │ ├── lib │ └── systemd │ │ └── system │ │ └── littlebeat-ueba.service │ ├── ueba.py │ └── ueba_lib │ ├── __init__.py │ ├── garbage_collector.py │ ├── margin_corrector.py │ └── wlogon.py ├── agents ├── LICENSE.txt ├── NOTICE.txt ├── README.md ├── bin │ ├── checkos.bat │ ├── littlebeat_agent.exe │ ├── littlebeat_agent_32.msi │ └── littlebeat_agent_64.msi ├── fields.yml ├── install-agents.ps1 ├── install.bat ├── littlebeat_agent_32.xml ├── littlebeat_agent_64.xml ├── uninstall-agents.ps1 ├── uninstall.bat ├── win-audit-set.bat ├── winlogbeat.yml ├── x32 │ └── winlogbeat.exe └── x64 │ └── winlogbeat.exe ├── backups ├── index ├── indices │ └── .kibana │ │ ├── 0 │ │ ├── __0 │ │ ├── __1 │ │ ├── __2 │ │ ├── __3 │ │ ├── __4 │ │ ├── __5 │ │ ├── __6 │ │ ├── __7 │ │ ├── __8 │ │ ├── __9 │ │ ├── __a │ │ ├── __b │ │ ├── __c │ │ ├── __d │ │ ├── __e │ │ ├── __f │ │ ├── __g │ │ ├── index-0 │ │ └── snap-snapshot_kibana.dat │ │ └── meta-snapshot_kibana.dat ├── meta-snapshot_kibana.dat └── snap-snapshot_kibana.dat 
├── bin ├── .bashrc ├── addons.sh ├── elastic_console.sh ├── kibana_init_config.sh ├── main.sh ├── main_menu.sh ├── nmap-rep.sh ├── nmap_config.sh ├── snipet.sh └── win_proc.sh ├── console.png ├── data ├── dashboards │ ├── Main.json │ ├── NMAP-dash.json │ ├── Winlogbeat-overview.json │ ├── win-hi-level.json │ ├── windows-logons.json │ └── windows-proc.json ├── kibana.svg └── proc_list.txt ├── etc ├── default │ ├── elasticsearch │ ├── kibana │ ├── logstash │ └── nginx ├── logstash │ ├── conf.d │ │ ├── 01-beats.conf │ │ └── 08-nmap.conf │ └── templates │ │ ├── nmap-6.x-template.json │ │ ├── win-proc-list-template.json │ │ └── winlogbeat-6.1.3-template.json └── nginx │ └── sites-available │ └── default ├── pkgs ├── wazuh-api_3.1.0-1_amd64.deb ├── wazuh-manager_3.1.0-1_amd64.deb └── wazuhapp.zip ├── putty.png ├── py ├── get_proc_list.py ├── get_proc_list_full.py └── set_proc_list.py └── run.sh /.bashrc: -------------------------------------------------------------------------------- 1 | # ~/.bashrc: executed by bash(1) for non-login shells. 2 | # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) 3 | # for examples 4 | 5 | # If not running interactively, don't do anything 6 | case $- in 7 | *i*) ;; 8 | *) return;; 9 | esac 10 | 11 | # don't put duplicate lines or lines starting with space in the history. 12 | # See bash(1) for more options 13 | HISTCONTROL=ignoreboth 14 | 15 | # append to the history file, don't overwrite it 16 | shopt -s histappend 17 | 18 | # for setting history length see HISTSIZE and HISTFILESIZE in bash(1) 19 | HISTSIZE=1000 20 | HISTFILESIZE=2000 21 | 22 | # check the window size after each command and, if necessary, 23 | # update the values of LINES and COLUMNS. 24 | shopt -s checkwinsize 25 | 26 | # If set, the pattern "**" used in a pathname expansion context will 27 | # match all files and zero or more directories and subdirectories. 
28 | #shopt -s globstar 29 | 30 | # make less more friendly for non-text input files, see lesspipe(1) 31 | [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" 32 | 33 | # set variable identifying the chroot you work in (used in the prompt below) 34 | if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then 35 | debian_chroot=$(cat /etc/debian_chroot) 36 | fi 37 | 38 | # set a fancy prompt (non-color, unless we know we "want" color) 39 | case "$TERM" in 40 | xterm-color|*-256color) color_prompt=yes;; 41 | esac 42 | 43 | # uncomment for a colored prompt, if the terminal has the capability; turned 44 | # off by default to not distract the user: the focus in a terminal window 45 | # should be on the output of commands, not on the prompt 46 | #force_color_prompt=yes 47 | 48 | if [ -n "$force_color_prompt" ]; then 49 | if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then 50 | # We have color support; assume it's compliant with Ecma-48 51 | # (ISO/IEC-6429). (Lack of such support is extremely rare, and such 52 | # a case would tend to support setf rather than setaf.) 
53 | color_prompt=yes 54 | else 55 | color_prompt= 56 | fi 57 | fi 58 | 59 | if [ "$color_prompt" = yes ]; then 60 | PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' 61 | else 62 | PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' 63 | fi 64 | unset color_prompt force_color_prompt 65 | 66 | # If this is an xterm set the title to user@host:dir 67 | case "$TERM" in 68 | xterm*|rxvt*) 69 | PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" 70 | ;; 71 | *) 72 | ;; 73 | esac 74 | 75 | # enable color support of ls and also add handy aliases 76 | if [ -x /usr/bin/dircolors ]; then 77 | test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" 78 | alias ls='ls --color=auto' 79 | #alias dir='dir --color=auto' 80 | #alias vdir='vdir --color=auto' 81 | 82 | alias grep='grep --color=auto' 83 | alias fgrep='fgrep --color=auto' 84 | alias egrep='egrep --color=auto' 85 | fi 86 | 87 | # colored GCC warnings and errors 88 | #export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01' 89 | 90 | # some more ls aliases 91 | alias ll='ls -alF' 92 | alias la='ls -A' 93 | alias l='ls -CF' 94 | 95 | # Add an "alert" alias for long running commands. Use like so: 96 | # sleep 10; alert 97 | alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"' 98 | 99 | # Alias definitions. 100 | # You may want to put all your additions into a separate file like 101 | # ~/.bash_aliases, instead of adding them here directly. 102 | # See /usr/share/doc/bash-doc/examples in the bash-doc package. 103 | 104 | if [ -f ~/.bash_aliases ]; then 105 | . ~/.bash_aliases 106 | fi 107 | 108 | # enable programmable completion features (you don't need to enable 109 | # this, if it's already enabled in /etc/bash.bashrc and /etc/profile 110 | # sources /etc/bash.bashrc). 111 | if ! 
shopt -oq posix; then 112 | if [ -f /usr/share/bash-completion/bash_completion ]; then 113 | . /usr/share/bash-completion/bash_completion 114 | elif [ -f /etc/bash_completion ]; then 115 | . /etc/bash_completion 116 | fi 117 | fi 118 | homedir="/opt/littlebeat" 119 | if [ -e $homedir/bin/main.sh ]; then 120 | chmod +x -R $homedir/bin 121 | $homedir/bin/main.sh 122 | fi 123 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LittleBeat 2 | Это готовый к работе аплаенс для сбора и анализа журналов событий Windows на базе стека ELK, предназначенный для небольших компаний (от 5 до 500 хостов). 3 | 4 | ## Требования к системе 5 | 6 | Виртуальная или физическая машина Ubuntu Server 16.04 LTS. 7 | Минимально необходимо 4 процессорных ядра, 8 GB RAM, 100 GB HDD. Если вы хотите хранить логи долго, дисковый массив должен быть больше. Объем диска считайте по формуле (к-во хостов)*(к-во дней)*0.02 GB. В качестве процессора годится даже Intel Atom. То есть, китайский barebone вполне подойдет для малых сетей (до 100 хостов). Для сетей побольше, лучше иметь настоящий сервер. Физическая машина, как понятно, предпочтительнее виртуальной в производительности. Для больших сетей, рекомендуется больше оперативной памяти на сервере. Вплоть до 16 GB. 
8 | 9 | Рекомендуется минимальная установка системы с дистрибутива, с выбором только сервера SSH и стандартных системных утилит, в качестве дополнительных опций. 10 | 11 | Рекомендуется статическая настройка IP или фиксация адреса на сервере DHCP. 12 | 13 | Обязательно иметь в сети сервер DNS. Эту функцию может выполнять домашний WiFi Router. 14 | 15 | В DNS обязательно должна быть внесена запись с адресом хоста littlebeat (так и должен называться). 16 | 17 | Рекомендуется иметь в DNS настроенные записи PTR для хостов, но это не обязательно. 18 | 19 | Во время установки необходим доступ в Интернет. Как к репозиториям Ubuntu и Elastic, так и к GitHub. 20 | 21 | Коммуникации между агентами и сервером закрываются посредством SSL. Используется самоподписанный сертификат сервера, который создается в процессе установки и конфигурации аплаенса. 22 | 23 | Более подробная документация на [LittleBeat.wiki](https://github.com/ESGuardian/LittleBeat/wiki) 24 | 25 | ## Установка 26 | 27 | Во время установки на вашем сервере будет создан пользователь `little` (пароль вы зададите сами). Этому пользователю будут заданы uid=0 и gid=0, то есть он станет рутом. 28 | 29 | Предпочтительно использовать PuTTy в качестве SSH консоли. Поскольку все скрипты используют утилиту dialog и псевдографику, чтобы она не выглядела смешно, необходимо в PuTTy для сессии с littlebeat вписать значение "linux" для параметра "Terminal-type-string", как показано на картинке: 30 | 31 | ![putty](putty.png) 32 | 33 | Подключитесь к консоли вашего сервера и заделайтесь рутом (sudo su). Введите команды: 34 | ``` 35 | sudo su 36 | cd /tmp 37 | wget https://raw.githubusercontent.com/ESGuardian/LittleBeat/v-6.1.001/run.sh 38 | bash run.sh 39 | ``` 40 | Далее следуйте инструкциям на экране. 41 | 42 | После выполнения маленького скрипта машина перезагрузится. Повторно подключитесь к серверу, указав имя пользователя "little" и пароль, который придумали и задали на предыдущем этапе. 
Увидите меню установки и настройки системы. 43 | 44 | Установка не полностью автоматическая. В двух местах необходимо вводить пароли создаваемых пользователей. В разных местах надо нажимать кнопочку "Ок". Больше ничего особенного делать не надо. 45 | 46 | Ах, да. После установки всей системы рекомендуется настроить и запустить обзор локальной сети утилитой nmap. Это делается в меню, которое появится в конце установки. 47 | 48 | ![console](console.png) 49 | 50 | В дальнейшем при подключении к консоли аплаенса от имени пользователя "little" вы всегда будете видеть это меню. 51 | 52 | В браузере на своей рабочей машине заходите на `https://littlebeat/`. 53 | 54 | Более подробная документация на [LittleBeat.wiki](https://github.com/ESGuardian/LittleBeat/wiki) 55 | 56 | ## История версий 57 | Это версия 6.1.001, она является результатом переноса на ELK 6.1.3 версии LittleBeat 5.5.001. Поскольку в новой версии ёлки произошли очень большие изменения, простого способа апгрейда с версии 5.5 нет. Кроме того, многое изменилось в дизайне системы. Например, я сделал msi файлы для установки агентов winlogbeat. Это позволяет разворачивать их групповыми политиками. 58 | 59 | Это рабочая стабильная версия. Изменения будут вноситься только в файлы документации и еще появится новый Wazuh Addon (возможны и другие дополнения). 
60 | 61 | 62 | 63 | esguardian@outlook.com 64 | -------------------------------------------------------------------------------- /addons/itop/itop_post_conf.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | tz=$(cat /etc/timezone) 3 | docker exec -it my-itop bash -c "sed -i \"s#'timezone' => 'Europe/Paris'#'timezone' => '$tz'#\" conf/production/config-itop.php; sed -i \"s/form|basic|external/form|basic|external|url/\" conf/production/config-itop.php;" 4 | docker exec -it my-itop bash -c 'sed -i "s/http:\/\/littlebeat/https:\/\/littlebeat/" conf/production/config-itop.php' 5 | sed -i "s/# ssl/ssl/" /etc/nginx/sites-available/default 6 | service nginx restart 7 | 8 | -------------------------------------------------------------------------------- /addons/littlebeat_6.1.001_addons.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | homedir="/opt/littlebeat" 3 | install_dir="$homedir/install" 4 | log="$install_dir/install.log" 5 | errlog="$install_dir/install.err" 6 | github_url="https://raw.githubusercontent.com/ESGuardian/LittleBeat/v-6.1.001" 7 | addons_menu=("Facebook osquery LittleBeat Addon" "" "Wazuh (OSSEC) LittleBeat Addon" "" "iTop CMDB LittleBeat Addon" "" "UEBA LittleBeat Addon (ALFA)" "") 8 | 9 | dialog --title "LITTLEBEAT" --backtitle "Выбор дополнений для установки" --menu " " 15 50 ${#addons_menu[@]} "${addons_menu[@]}" 2>/tmp/choise.$$ 10 | response=$? 11 | case $response in 12 | 0) 13 | choise=`cat /tmp/choise.$$` 14 | rm /tmp/choise.$$ 15 | ;; 16 | 1) 17 | choise="" 18 | ;; 19 | 255) 20 | choise="" 21 | ;; 22 | esac 23 | if [ "$choise" == "Facebook osquery LittleBeat Addon" ]; then 24 | clear 25 | 26 | if [ ! 
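-e "$install_dir/osquery_addon_installed" ]; then
  # Facebook osquery addon: load the osquery dashboard and the refreshed main
  # dashboard into Kibana, then drop in the logstash pipeline for osquery events.
  # Every download is checked so a failed fetch never leaves the addon marked as
  # installed with a stale or missing artefact; the marker file is only written
  # at the end of a fully successful run.
  kbn_ver=$(dpkg -l | grep kibana | awk '{print $3}')
  cd /tmp || exit 1
  rm -f osquery-dash.json
  wget -q -O osquery-dash.json "$github_url/addons/osquery/kibana/osquery-dash.json" || exit 1
  # Best effort: a 404 here (object not present yet) is expected on a fresh install.
  curl -s -H "kbn-version: $kbn_ver" -H 'Content-Type: application/json' -XDELETE '127.0.0.1:5601/api/saved_objects/index-pattern/winlogbeat-*'
  curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @osquery-dash.json
  rm -f main-dash.json
  wget -q -O main-dash.json "$github_url/addons/main-dash.json" || exit 1
  curl -s -H "kbn-version: $kbn_ver" -H 'Content-Type: application/json' -XDELETE 127.0.0.1:5601/api/saved_objects/visualization/f24a7060-0a7b-11e8-a2ce-b9829bf5932d
  curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @main-dash.json
  # Pipeline file is always replaced with the copy matching this release.
  rm -f /etc/logstash/conf.d/03-osquery.conf
  wget -q -O /etc/logstash/conf.d/03-osquery.conf "$github_url/addons/osquery/etc/logstash/conf.d/03-osquery.conf" || exit 1
  service logstash restart
  touch "$install_dir/osquery_addon_installed"
fi
dialog --title "LITTLEBEAT" --backtitle "Установка дополнений" --msgbox "Facebook osquery LittleBeat Addon установлен\nПочитайте LittleBeat.wiki прежде чем начинать с ним работать" 10 70
clear
fi
if [ "$choise" == "Wazuh (OSSEC) LittleBeat Addon" ]; then
clear

if [ ! -e "$install_dir/wazuh_addon_installed" ]; then
  # Wazuh/OSSEC manager runs in a container: agent traffic on 1514/udp,
  # enrolment on 1515/tcp, state persisted in the ossec-data volume.
  apt-get update
  apt-get install -y docker.io
  docker volume create ossec-data
  docker run -d --restart=always -p 1514:1514/udp -p 1515:1515/tcp -v ossec-data:/var/ossec/data --name ossec-server esguardian/ossec-docker
  # NOTE(review): 711 grants every local account traverse into the docker
  # volumes tree; presumably so logstash can read ossec-data — confirm, and
  # prefer a group ACL on that one volume path over opening the whole directory.
  chmod 711 /var/lib/docker/volumes
  kbn_ver=$(dpkg -l | grep kibana | awk '{print $3}')
  cd /tmp || exit 1
  rm -f wazuh_dash.json
  wget -q -O wazuh_dash.json "$github_url/addons/ossec/kibana/wazuh_dash.json" || exit 1
  # Best effort: a 404 here (object not present yet) is expected on a fresh install.
  curl -s -H "kbn-version: $kbn_ver" -H 'Content-Type: application/json' -XDELETE '127.0.0.1:5601/api/saved_objects/index-pattern/wazuh-alerts-*'
  curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @wazuh_dash.json
  rm -f main-dash.json
  wget -q -O main-dash.json "$github_url/addons/main-dash.json" || exit 1
  curl -s -H "kbn-version: $kbn_ver" -H 'Content-Type: application/json' -XDELETE 127.0.0.1:5601/api/saved_objects/visualization/f24a7060-0a7b-11e8-a2ce-b9829bf5932d
  curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @main-dash.json
  # Logstash index template and pipeline for wazuh alerts; always replaced by
  # the copies matching this release.
  rm -f /etc/logstash/templates/wazuh-elastic6-template-alerts.json
  wget -q -O /etc/logstash/templates/wazuh-elastic6-template-alerts.json "$github_url/addons/ossec/logstash/templates/wazuh-elastic6-template-alerts.json" || exit 1
  rm -f /etc/logstash/conf.d/02-wazuh.conf
  wget -q -O /etc/logstash/conf.d/02-wazuh.conf "$github_url/addons/ossec/logstash/conf.d/02-wazuh.conf" || exit 1
  service logstash restart
  # Weekly ruleset refresh. No -t here: cron runs without a TTY and
  # `docker exec -t` aborts with "the input device is not a TTY", so the
  # previous -it entry never actually ran.
  if ! grep -q "update_ruleset" /etc/crontab; then
    echo '0 3 * * 2 root docker exec -i ossec-server bash -c "cd /var/ossec/bin; ./update_ruleset -r"' >> /etc/crontab
  fi
  touch "$install_dir/wazuh_addon_installed"
fi
dialog --title "LITTLEBEAT" --backtitle "Установка дополнений" --msgbox "Wazuh (OSSEC) LittleBeat Addon установлен\nПочитайте LittleBeat.wiki прежде чем начинать с ним работать" 10 70
clear
fi

if [ "$choise" == "iTop CMDB LittleBeat Addon" ]; then
clear

if [ ! -e "$install_dir/itop_addon_installed" ]; then
  # iTop CMDB: MySQL and the iTop web app as two linked containers, fronted by
  # an nginx server block on :81 that itop_post_conf.sh later switches to SSL.
  apt-get update
  apt-get install -y docker.io
  # NOTE(review): static itop/itop database credentials. The port is bound to
  # loopback only, but every local account on the appliance can reach it;
  # generating a password here and handing it to the iTop web setup would be
  # the safer default.
  docker run --restart=always -d -p 127.0.0.1:3306:3306 --name=my-itop-db -e MYSQL_DATABASE=itop -e MYSQL_USER=itop -e MYSQL_PASSWORD=itop -e MYSQL_RANDOM_ROOT_PASSWORD=yes mysql:5
  docker run --restart=always -d -p 127.0.0.1:8081:80 --link=my-itop-db:db --name=my-itop supervisions/itop:latest
  # Quoted heredoc: $remote_addr and friends must reach nginx verbatim.
  # The ssl lines stay commented; itop_post_conf.sh uncomments them.
  cat >> /etc/nginx/sites-available/default <<'EOF'
server {
  listen *:81;
  server_name littlebeat-cmdb;
  access_log /var/log/nginx/cmdb-access.log;
  # ssl on;
  # ssl_certificate /etc/logstash/logstash.crt;
  # ssl_certificate_key /etc/logstash/logstash.pem;
  location / {
    proxy_pass http://127.0.0.1:8081/;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_pass_header Set-Cookie;
  }
}
EOF
  rm -f "$homedir/bin/itop_post_conf.sh"
  wget -q -O "$homedir/bin/itop_post_conf.sh" "$github_url/addons/itop/itop_post_conf.sh" || exit 1
  chmod +x "$homedir/bin/itop_post_conf.sh"
  service nginx restart
  touch "$install_dir/itop_addon_installed"
fi
dialog --title "LITTLEBEAT" --backtitle "Установка дополнений" --msgbox "iTop CMDB LittleBeat Addon установлен\nТребуется конфигурация через веб-интерфейс\nЗайдите на http://littlebeat:81/setup\nДля справки смотрите LittleBeat.wiki" 12 70
clear
fi
if [ "$choise" == "UEBA LittleBeat Addon (ALFA)" ]; then
clear

if [ ! -e "$install_dir/ueba_alfa_addon_installed" ]; then
  # UEBA (alpha): python service under $homedir/bin/ueba backed by redis,
  # run as a systemd unit, plus its Kibana dashboard.
  apt-get update
  apt-get install -y redis-server
  mkdir -p "$homedir/bin/ueba/ueba_lib"
  cd "$homedir/bin/ueba" || exit 1
  rm -f ueba.py
  wget -q -O ueba.py "$github_url/addons/ueba/ueba.py" || exit 1
  cd ueba_lib || exit 1
  # Remove all four modules before fetching: the old check only looked at
  # wlogon.py, so a partial earlier run left stale copies and wget wrote *.1
  # duplicates next to them.
  rm -f __init__.py wlogon.py margin_corrector.py garbage_collector.py
  for mod in __init__.py wlogon.py margin_corrector.py garbage_collector.py; do
    wget -q -O "$mod" "$github_url/addons/ueba/ueba_lib/$mod" || exit 1
  done
  # NOTE(review): recursive +x marks the library modules executable too;
  # presumably only ueba.py needs it — confirm against the unit file.
  chmod -R +x "$homedir/bin/ueba"
  rm -f /lib/systemd/system/littlebeat-ueba.service
  wget -q -O /lib/systemd/system/littlebeat-ueba.service "$github_url/addons/ueba/lib/systemd/system/littlebeat-ueba.service" || exit 1
  cd /tmp || exit 1
  # NOTE(review): unpinned installs from PyPI as root; pin versions (or ship
  # the wheels in the repo) so the addon is reproducible.
  pip install IPy
  pip install iso8601utils
  pip install redis
  systemctl daemon-reload
  systemctl enable littlebeat-ueba.service
  service littlebeat-ueba start

  kbn_ver=$(dpkg -l | grep kibana | awk '{print $3}')
  rm -f ueba-dash.json
  wget -q -O ueba-dash.json "$github_url/addons/ueba/kibana/ueba-dash.json" || exit 1
  # Best effort: a 404 here (object not present yet) is expected on a fresh install.
  curl -s -H "kbn-version: $kbn_ver" -H 'Content-Type: application/json' -XDELETE '127.0.0.1:5601/api/saved_objects/index-pattern/ueba-*'
  curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @ueba-dash.json
  rm -f main-dash.json
  wget -q -O main-dash.json "$github_url/addons/main-dash.json" || exit 1
  curl -s -H "kbn-version: $kbn_ver" -H 'Content-Type: application/json' -XDELETE 127.0.0.1:5601/api/saved_objects/visualization/f24a7060-0a7b-11e8-a2ce-b9829bf5932d
  curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @main-dash.json

  touch "$install_dir/ueba_alfa_addon_installed"
fi
dialog --title "LITTLEBEAT" --backtitle "Установка дополнений" --msgbox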
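"UEBA LittleBeat Addon (ALFA) установлен\nПочитайте LittleBeat.wiki прежде чем начинать с ним работать" 10 70 200 | clear 201 | fi 202 |
-------------------------------------------------------------------------------- /addons/littlebeat_addons.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Addons menu for this release: nothing is installable yet, so the script
# only shows a message box and exits.
homedir="/opt/littlebeat"
dialog --title "LITTLEBEAT" --backtitle "Дополнения" --msgbox "Никаких дополнений пока нет :(" 7 70
-------------------------------------------------------------------------------- /addons/littlebeat_addons_5.5.001_test.sh: --------------------------------------------------------------------------------
#!/bin/bash
#######################################
# LittleBeat 5.5.001 addons installer (test build).
#
# Shows a dialog menu of the available addons and installs the chosen one.
# The only entry so far is "Wazuh HostIDS (OSSEC)": it installs the Wazuh
# manager and API .deb packages kept under $homedir/pkgs (downloading them
# from the project's GitHub tree when missing), pulls in Node.js for the
# API, drops the Wazuh Logstash pipeline and index template into place,
# initialises the Kibana index patterns and installs the Wazuh Kibana app.
#
# Must run as root on the LittleBeat server. Marker files under
# $install_dir record completed steps so a re-run skips them.
#######################################
set -u  # an unset variable is a bug here: a mistyped "$instal_dir" used to send the markers to /

homedir="/opt/littlebeat"
install_dir="$homedir/install"
pkgdir="$homedir/pkgs"
# shellcheck disable=SC2034 — log paths shared with the other addon scripts; unused in this build
log="$install_dir/install.log"
# shellcheck disable=SC2034
errlog="$install_dir/install.err"
addons_menu=("Wazuh HostIDS (OSSEC)" "")
pkg_base_url="https://github.com/ESGuardian/LittleBeat/raw/master/pkgs"
addon_base_url="https://raw.githubusercontent.com/ESGuardian/LittleBeat/master/addons/wazuh-ids"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download a URL to a file; a failed transfer leaves no partial file behind.
# Arguments: $1 - URL, $2 - destination path
# Returns:   0 on success, 1 on failure
#######################################
fetch() {
  local url=$1 dest=$2
  # --fail keeps an HTTP error page from being saved (and later executed or
  # loaded as configuration) in place of the real file.
  if ! curl -sSfL -o "$dest" "$url"; then
    rm -f -- "$dest"
    return 1
  fi
}

# Scratch directory for the dialog answer and downloaded helper scripts,
# removed on every exit path (the old fixed /tmp/choise.$$ file was left
# behind whenever the menu was cancelled).
workdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "$workdir"; }
trap cleanup EXIT

# dialog writes the selected tag to stderr; exit 0 = OK, 1 = Cancel, 255 = ESC/error.
dialog --title "LITTLEBEAT" --backtitle "Выбор дополнений для установки" \
  --menu " " 15 50 "${#addons_menu[@]}" "${addons_menu[@]}" 2>"$workdir/choice"
response=$?
choice=""
if (( response == 0 )); then
  choice=$(<"$workdir/choice")
fi

if [[ "$choice" == "Wazuh HostIDS (OSSEC)" ]]; then
  clear
  # Установка Wazuh HostIDS (OSSEC)

  if [[ ! -e "$install_dir/wazuh_ids_installed" ]]; then
    mkdir -p -- "$install_dir" "$pkgdir" || die "cannot create $install_dir or $pkgdir"

    # NOTE(review): the packages come over HTTPS from the project's GitHub tree
    # but are not checked against a published checksum or signature before
    # dpkg installs them as root; add that check once the project publishes hashes.
    for pkg in wazuh-manager_2.0-1xenial_amd64.deb wazuh-api_2.0-1xenial_amd64.deb; do
      if [[ ! -e "$pkgdir/$pkg" ]]; then
        fetch "$pkg_base_url/$pkg" "$workdir/$pkg" || die "download of $pkg failed"
        mv -- "$workdir/$pkg" "$pkgdir/$pkg" || die "cannot move $pkg into $pkgdir"
      fi
    done

    dpkg --install "$pkgdir/wazuh-manager_2.0-1xenial_amd64.deb" || die "wazuh-manager installation failed"
    # Let the logstash user read OSSEC's alert files through the ossec group.
    usermod -a -G ossec logstash || die "cannot add logstash to group ossec"

    # The Wazuh API needs Node.js; the NodeSource setup script adds their apt repo.
    if [[ ! -e "$install_dir/nodejs_installed" ]]; then
      # NOTE(review): this executes a remotely fetched script as root on trust;
      # fetch() at least refuses to run an HTTP error page in its place.
      fetch https://deb.nodesource.com/setup_6.x "$workdir/nodesource_setup.sh" || die "NodeSource setup download failed"
      bash "$workdir/nodesource_setup.sh" || die "NodeSource setup failed"
      apt-get install nodejs || die "nodejs installation failed"  # interactive confirmation, as before
      touch "$install_dir/nodejs_installed"
    fi

    dpkg --install "$pkgdir/wazuh-api_2.0-1xenial_amd64.deb" || die "wazuh-api installation failed"
    echo "Необходимо настроить параметры Wazuh API."
    echo "Запомните или запишите имя юзера и пароль для соединения с API."
    echo "Вам также понадобится снйчас ввести параметры для генерации"
    echo "сертификата если вы захотите использовать SSL при соединении с API."
    echo "По умолчанию визард выбирает SSL."
    # Interactive: asks for the API user and password and, by default, generates an SSL certificate.
    bash /var/ossec/api/scripts/configure_api.sh

    # Wazuh pipeline and index template for Logstash; existing files are left untouched.
    if [[ ! -e /etc/logstash/conf.d/02-wazuh.conf ]]; then
      fetch "$addon_base_url/02-wazuh.conf" /etc/logstash/conf.d/02-wazuh.conf || die "download of 02-wazuh.conf failed"
    fi
    if [[ ! -e /etc/logstash/templates/wazuh-elastic5-template.json ]]; then
      fetch "$addon_base_url/wazuh-elastic5-template.json" /etc/logstash/templates/wazuh-elastic5-template.json || die "download of wazuh-elastic5-template.json failed"
    fi

    fetch "$addon_base_url/kibana_init_config.sh" "$workdir/kibana_init_config.sh" || die "download of kibana_init_config.sh failed"
    echo "Настройка индексов Kibana"
    bash "$workdir/kibana_init_config.sh"
    service logstash restart

    echo "Установка wazuh plugin для kibana"
    echo "Это займет некоторое время ..."
    service kibana stop
    # Best effort, as before: Kibana is started again even if the app install fails.
    /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip \
      || printf 'warning: wazuh kibana app installation failed\n' >&2
    service kibana start
    touch "$install_dir/wazuh_ids_installed"
  fi
  dialog --title "LITTLEBEAT" --backtitle "Установка дополнений" --msgbox "Wazuh HostIDS (OSSEC) установлен\nПочитайте LittleBeat.wiki прежде чем начинать с ним работать" 6 70
  clear
fi

-------------------------------------------------------------------------------- /addons/main-dash.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "6.1.3", 3 | "objects": [ 4 | { 5 | "id": "Number-of-Events", 6 | "type": "visualization", 7 | "updated_at": "2018-02-05T15:14:23.492Z", 8 | "version": 1, 9 | "attributes": { 10 | "title": "Number of Events", 11 | "visState": "{\"title\":\"Number of Events\",\"type\":\"metric\",\"params\":{\"fontSize\":60,\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":20}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}", 12 | "uiStateJSON": "{}", 13 | "description": "", 14 | "version": 1, 15 | "kibanaSavedObjectMeta": { 16 | "searchSourceJSON": "{\"index\":\"winlogbeat-*\",\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" 17 | } 18 | } 19 | }, 20 | { 21 | "id": "Number-of-Events-Over-Time-By-Event-Log", 22 | "type": "visualization", 23 | "updated_at": "2018-02-05T15:14:23.492Z", 24 | "version": 1, 25 | "attributes": { 26 | "description": "", 27 | "kibanaSavedObjectMeta": { 28 | "searchSourceJSON": "{\n 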
\"index\": \"winlogbeat-*\",\n \"query\": {\n \"query_string\": {\n \"query\": \"*\",\n \"analyze_wildcard\": true\n }\n },\n \"filter\": []\n}" 29 | }, 30 | "title": "Number of Events Over Time By Event Log", 31 | "uiStateJSON": "{}", 32 | "version": 1, 33 | "visState": "{\n \"type\": \"histogram\",\n \"params\": {\n \"shareYAxis\": true,\n \"addTooltip\": true,\n \"addLegend\": true,\n \"scale\": \"linear\",\n \"mode\": \"stacked\",\n \"times\": [],\n \"addTimeMarker\": false,\n \"defaultYExtents\": false,\n \"setYExtents\": false,\n \"yAxis\": {}\n },\n \"aggs\": [\n {\n \"id\": \"1\",\n \"type\": \"count\",\n \"schema\": \"metric\",\n \"params\": {}\n },\n {\n \"id\": \"2\",\n \"type\": \"date_histogram\",\n \"schema\": \"segment\",\n \"params\": {\n \"field\": \"@timestamp\",\n \"interval\": \"auto\",\n \"customInterval\": \"2h\",\n \"min_doc_count\": 1,\n \"extended_bounds\": {}\n }\n },\n {\n \"id\": \"3\",\n \"type\": \"terms\",\n \"schema\": \"group\",\n \"params\": {\n \"field\": \"log_name\",\n \"size\": 6,\n \"order\": \"desc\",\n \"orderBy\": \"1\"\n }\n }\n ],\n \"listeners\": {}\n}" 34 | } 35 | }, 36 | { 37 | "id": "NMAP-hosts-by-subnet-table", 38 | "type": "visualization", 39 | "updated_at": "2018-02-05T15:14:26.585Z", 40 | "version": 1, 41 | "attributes": { 42 | "savedSearchId": "NMAP-common-search", 43 | "description": "", 44 | "uiStateJSON": "{}", 45 | "title": "NMAP-хосты-по-сетям", 46 | "version": 1, 47 | "kibanaSavedObjectMeta": { 48 | "searchSourceJSON": "{\"filter\":[]}" 49 | }, 50 | "visState": "{\"title\":\"NMAP-хосты-по-сетям\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"ipv4\",\"customLabel\":\"Кол-во IP 
адресов\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"headers.http_x_nmap_target\",\"size\":100,\"order\":\"asc\",\"orderBy\":\"_term\",\"customLabel\":\"Сети\"}}],\"listeners\":{}}" 51 | } 52 | }, 53 | { 54 | "id": "f24a7060-0a7b-11e8-a2ce-b9829bf5932d", 55 | "type": "visualization", 56 | "updated_at": "2018-02-18T17:43:47.623Z", 57 | "version": 5, 58 | "attributes": { 59 | "title": "reffer", 60 | "visState": "{\"title\":\"reffer\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"# LittleBeat 6.1\\n### Список ссылок\\n_используйте правую кнопку мыши, чтобы открывать ссылку в новой вкладке браузера_ \\n_Для возврата к этой панели нажмите на логотип в левом верхнем углу_\\n\\n| Ссылка |     | Описание |\\n| ------------ | --- | -------------- | \\n| [Обнаруженные хосты](/app/kibana#/dashboard/NMAP-dash) |  | эта панель содержит данные о хостах обнаруженных в сети и открытых портах.|\\n| [Общая панель Windows](/app/kibana#/dashboard/Winlogbeat-Dashboard) |  | эта панель содержит данные о всех событиях, зарегистрированных на хостах Windows|\\n| [Панель Windows Logon](/app/kibana#/dashboard/2a808400-0a5a-11e8-a2ce-b9829bf5932d) |  | эта панель содержит информацию о событиях входа пользователей Windows (удачных и неудачных)|\\n| [Панель процессов и служб](/app/kibana#/dashboard/ceb2fb80-0a5e-11e8-a2ce-b9829bf5932d) |  | эта панель содержит данные о запуске процессов и установке системных служб на хостах Windows|\\n| [Windows High Level](/app/kibana#/dashboard/d5ebbbc0-0a69-11e8-a2ce-b9829bf5932d) |  | эта панель содержит данные журналов событий Windows на которые следует обращать особое внимание, согласно рекомендациям компании Microsoft.| \\n|**Дополнения**| |**Эти ссылки доступны, если вы установили соответствующие дополнения LittleBeat**| \\n| [Facebook OSquery](/app/kibana#/dashboard/43105da0-100f-11e8-876c-2f771c016d56) |  | эта панель содержит результаты запросов OSquery| \\n| [Wazuh 
Alerts](/app/kibana#/dashboard/wazuh-main) |  | эта панель содержит содержит события собираемые от агентов Wazuh (OSSEC) c хостов Linux |\\n| [UEBA (ALFA)](/app/kibana#/dashboard/8eb75bd0-1a2a-11e8-ab95-711bc24f9c90) |  | это альфа-версия UEBA, сейчас включает только модуль отслеживания событий windows logon, модули будут дополняться |\\n\\n### Краткая инструкция:\\n\\nЕсли вы не видите событий Windows, значит, вы не установили агенты **LittleBeat** на компьютеры. Как это сделать?\\n\\n**Способ первый. Групповые политики**\\n\\nЕсли у вас есть контроллер домена AD, вы можете развернуть агента на все компьютеры в домене с помощью групповых политик. \\nДля этого вам нужно загрузить два файла [littlebeat_agent_32.msi](https://github.com/ESGuardian/LittleBeat/raw/v-6.1.001/agents/bin/littlebeat_agent_32.msi) и [littlebeat_agent_64.msi](https://github.com/ESGuardian/LittleBeat/raw/v-6.1.001/agents/bin/littlebeat_agent_64.msi). их можно использовать в групповых политиках \\\"на компьютер\\\" для систем соответствующей разрядности.\\n\\n**Способ второй. Установка на отдельный компьютер**\\n\\nВам следует использовать файл [littlebeat_agent.exe](https://github.com/ESGuardian/LittleBeat/raw/v-6.1.001/agents/bin/littlebeat_agent.exe). Это SFX архив с упомянутыми файлами msi и небольшим батником, который определяет версию системы и вызывает установщик Windows с нужной версией пакета. Запускать от имени администратора.\\n\\n**Способ третий. Централизованная установка с использованием утилиты PsExec**\\n\\nВы можете загрузить утилиту PsExec [отсюда](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).\\n\\n1. На рабочей станции windows, с которой вы будете производить\\n установку на другие компьютеры создайте каталог `c:\\\\work`\\n (можно с любым другим именем).\\n\\n2. Cкопируйте в этот каталог файлы: \\n```\\nlittlebeat_agent.exe\\nPsExec.exe\\n```\\n3. 
Подготовьте в этом каталоге файл `list.txt` со списками имен (или IP адресов) компьютеров,\\n на которые вы хотите установить агентов. Формат\\n списка: одно имя (или IP адрес) в строке.\\n\\n4. Запустите командную строку (cmd.exe) и перейдите в каталог c:\\\\work\\n``` \\ncd \\\\work\\n```\\n5. Выполните команду:\\n``` \\npsexec @list.txt -u domain\\\\adminuser -p password -c -h -f littlebeat_agent.exe\\n```\\n где `domain\\\\adminuser` - имя пользователя с административными правами на хостах\\n (например, администратора домена), \\n `password` - пароль этого пользователя\\n\\n**Если вы ничего не видите на дашборде NMAP**, значит вы не настроили обзор сетей на консоли Littlebeat или ни разу не запускали его. Обзор сетей запускается автоматически каждые два часа, но вы можете запустить его прямо сейчас с консоли сервера Littlebeat. Имеется ввиду физическая консоль или консоль SSH. \\n\\n**Совет:** если вы используете PuTTY, то в окне конфигурации в разделе `Connection`, в подразделе `Data`, в окошке `terminal-type string` напишите `linux` вместо `xterm`, иначе псевдографика в меню будет выглядеть смешно. \\n\\nЕсли на дашборде NMAP вы не увидели имена хостов, только IP адреса, значит на вашем сервере DNS нет записей PTR. Это не страшно, просто неудобно, лучше иметь. \\n\\n**Если у вас установлен Facebook OSquery Addon**\\n\\nДля того, чтобы им воспользоваться, вы должны загрузить [osquery.msi](https://github.com/ESGuardian/LittleBeat/raw/v-6.1.001/addons/osquery/osquery.msi) и установить его на свои компьютеры аналогично агенту LittleBeat, с той лишь разницей, что не надо выбирать разрядность системы, это 32-х разрядная утилита, запускается на версиях х32 и х64.\\n\\nБудьте внимательны, во-первых osquery может работать только на Windows 8 (Server 2012) и более новых версиях ОС. Во-вторых, следует использовать именно этот установщик, \\\"родной\\\" установщик на русские версии ОС вообще не ставится, там принципиально не верно собран пакет wix. 
Пришлось переделать.\\n \\n\\nБолее подробную документацию следует смотреть на [LittleBeat Wiki](https://github.com/ESGuardian/LittleBeat/wiki).\\n\\n**Если у вас установлен Wazuh (OSSEC) Addon**\\n\\nЧтобы от него была польза, вам следует установить агенты Wazuh на хосты с Linux (или Mac OS), как это сделать , смотрите на [LittleBeat Wiki](https://github.com/ESGuardian/LittleBeat/wiki).\"},\"aggs\":[]}", 61 | "uiStateJSON": "{}", 62 | "description": "", 63 | "version": 1, 64 | "kibanaSavedObjectMeta": { 65 | "searchSourceJSON": "{}" 66 | } 67 | } 68 | }, 69 | { 70 | "id": "NMAP-common-search", 71 | "type": "search", 72 | "updated_at": "2018-02-05T15:14:26.585Z", 73 | "version": 1, 74 | "attributes": { 75 | "title": "NMAP-common-search", 76 | "description": "", 77 | "hits": 0, 78 | "columns": [ 79 | "ipv4", 80 | "port.number", 81 | "hostname.name", 82 | "port.service.name", 83 | "port.state" 84 | ], 85 | "sort": [ 86 | "@timestamp", 87 | "desc" 88 | ], 89 | "version": 1, 90 | "kibanaSavedObjectMeta": { 91 | "searchSourceJSON": "{\"index\":\"nmap-*\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" 92 | } 93 | } 94 | }, 95 | { 96 | "id": "0064c570-0a6c-11e8-a2ce-b9829bf5932d", 97 | "type": "dashboard", 98 | "updated_at": "2018-02-18T17:44:09.628Z", 99 | "version": 2, 100 | "attributes": { 101 | "title": "Main Dashboard", 102 | "hits": 0, 103 | "description": "", 104 | "panelsJSON": "[{\"gridData\":{\"h\":2,\"i\":\"1\",\"w\":3,\"x\":0,\"y\":0},\"id\":\"Number-of-Events\",\"panelIndex\":\"1\",\"title\":\"Windows к-во 
событий\",\"type\":\"visualization\",\"version\":\"6.1.3\"},{\"gridData\":{\"h\":3,\"i\":\"2\",\"w\":3,\"x\":0,\"y\":2},\"id\":\"Number-of-Events-Over-Time-By-Event-Log\",\"panelIndex\":\"2\",\"title\":\"Windows Timeline\",\"type\":\"visualization\",\"version\":\"6.1.3\"},{\"gridData\":{\"h\":3,\"i\":\"3\",\"w\":3,\"x\":0,\"y\":5},\"id\":\"NMAP-hosts-by-subnet-table\",\"panelIndex\":\"3\",\"title\":\"Хостов в сети\",\"type\":\"visualization\",\"version\":\"6.1.3\"},{\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":9,\"x\":3,\"y\":0},\"id\":\"f24a7060-0a7b-11e8-a2ce-b9829bf5932d\",\"panelIndex\":\"4\",\"title\":\"Ссылки и Справка\",\"type\":\"visualization\",\"version\":\"6.1.3\"}]", 105 | "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", 106 | "uiStateJSON": "{\"P-2\":{\"vis\":{\"legendOpen\":false}},\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", 107 | "version": 1, 108 | "timeRestore": true, 109 | "timeTo": "now", 110 | "timeFrom": "now-24h", 111 | "refreshInterval": { 112 | "display": "Off", 113 | "pause": false, 114 | "value": 0 115 | }, 116 | "kibanaSavedObjectMeta": { 117 | "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}" 118 | } 119 | } 120 | } 121 | ] 122 | }
-------------------------------------------------------------------------------- /addons/osquery/etc/logstash/conf.d/03-osquery.conf: --------------------------------------------------------------------------------
filter {
  # osquery results reach Logstash as Windows event log records shipped by
  # winlogbeat (log_name "osquery"): the JSON in [event_data][Message] is
  # unpacked into [osquery_result], every column value is normalised to
  # UTF-8, and result rows with no column values at all are dropped.
  if [@metadata][beat] == "winlogbeat" {
    if [log_name] == "osquery" {
      # Only records with Location ":0" are treated as result rows; everything
      # else in the osquery channel is discarded in the else branch below.
      # (What ":0" denotes is not visible here — presumably the result-log
      # event defined in osquery.man; confirm.)
      if [event_data][Location] == ":0" {
        # No rescue around JSON.parse: a Message that is not valid JSON raises
        # inside the filter, which — as far as I recall of the ruby filter —
        # tags the event _rubyexception and passes it on un-parsed; confirm.
        ruby { code => "
          require 'json'
          obj = JSON.parse(event.get('[event_data][Message]'))
          event.set('[osquery_result]', obj)
        "}
        if [osquery_result][columns] {
          # For each non-empty column value: roughly, turn the \xNN hex escapes
          # back into raw bytes, keep the result as UTF-8 when it is valid
          # UTF-8, otherwise reinterpret it as windows-1251 and convert. Rows
          # whose values are all empty get empty_flag instead, so the event is
          # dropped just below.
          ruby {
            code => "
              not_empty = 0
              columns = event.get('[osquery_result][columns]')
              columns.each do |key,value|
                if !value.to_s.empty?
                  not_empty = 1
                  value = value.gsub('\\\\x', '\\ \\x')
                  value = value.gsub(/\\x([\da-fA-F]{2})/) {|m| [$1].pack('H*')}
                  if value.force_encoding('utf-8').valid_encoding?
                    value = value.force_encoding('utf-8').encode('utf-8')
                  else
                    value = value.force_encoding('windows-1251').encode('utf-8')
                  end
                  columns[key] = value
                end
              end
              if not_empty == 0
                event.set('[osquery_result][empty_flag]', 1)
              else
                event.set('[osquery_result][columns]', columns)
              end
            "
          }
          if [osquery_result][empty_flag] { drop {} }
        }

      } else { drop {} }
      # The raw Message and Location are no longer needed once parsed.
      mutate {remove_field => ["[event_data][Location]", "[event_data][Message]"]}
    }
  }
}
-------------------------------------------------------------------------------- /addons/osquery/install_osquery.bat: --------------------------------------------------------------------------------
@echo off
rem Installs the osquery daemon on a Windows host that already runs the
rem LittleBeat (winlogbeat) agent. Expects the osquery files to be unpacked
rem under \ProgramData\osquery already. Must run elevated: it registers an
rem event manifest and creates a service.
cd \ProgramData\osquery
rem Fetching a logstash certificate is left disabled; the flag file used
rem below is the no-TLS variant.
rem PowerShell.exe Invoke-WebRequest -Uri "http://littlebeat/doorman/logstash.crt" -OutFile "\ProgramData\osquery\logstash.crt"
rem The service binary, its flag file and config live under \ProgramData,
rem which standard users can write to by default. set_acl.ps1 (not in this
rem listing) is expected to tighten those ACLs before the service exists;
rem without that, whoever can write there controls a LocalSystem service.
rem Note that osquery_no_tls.flags sets --allow_unsafe, which (as far as I
rem recall) turns off osquery's own refusal to run from a writable location,
rem so the ACL step is the only guard -- confirm.
PowerShell.exe -ExecutionPolicy Bypass -File .\set_acl.ps1
rem Register the event manifest so osquery results (logger_plugin
rem windows_event_log in the flag file) land in the Windows event log.
wevtutil im C:\ProgramData\osquery\osquery.man
rem No obj= is given, so the service runs as LocalSystem.
sc.exe create osqueryd type=own start=auto error=normal binpath="C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile=\ProgramData\osquery\osquery_no_tls.flags" displayname=osqueryd
rem ping to localhost is used as a roughly 5 s sleep (plain cmd has no sleep).
ping 127.0.0.1 -n 6 > nul
sc.exe start osqueryd
rem Swap in the winlogbeat config that also ships the osquery channel, then
rem restart the agent so it picks the new file up.
sc.exe stop LittleBeat
ping 127.0.0.1 -n 6 > nul
del "\Program Files\LittleBeat Agent\winlogbeat.yml"
copy \ProgramData\osquery\winlogbeat.yml "\Program Files\LittleBeat Agent\winlogbeat.yml"
sc.exe start LittleBeat

-------------------------------------------------------------------------------- /addons/osquery/osquery.conf: -------------------------------------------------------------------------------- 1 | { 2 | "options": { 3 | "schedule_splay_percent": 10 4 | }, 5 | "platform": 
"windows", 6 | "schedule": { 7 | "chocolatey_packages": { 8 | "query": "SELECT * FROM chocolatey_packages;", 9 | "interval": 3600, 10 | "description": "List installed Chocolatey packages" 11 | }, 12 | "chrome_extensions": { 13 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid);", 14 | "interval": 3600, 15 | "description": "List installed Chrome Extensions for all users" 16 | }, 17 | "drivers": { 18 | "query": "SELECT * FROM drivers;", 19 | "interval": 3600, 20 | "description": "List in-use Windows drivers" 21 | }, 22 | "etc_hosts": { 23 | "query": "SELECT * FROM etc_hosts;", 24 | "interval": 3600, 25 | "description": "List the contents of the Windows hosts file" 26 | }, 27 | "ie_extensions": { 28 | "query": "SELECT * FROM ie_extensions;", 29 | "interval": 3600, 30 | "description": "List installed Internet Explorer extensions" 31 | }, 32 | "kernel_info": { 33 | "query": "SELECT * FROM kernel_info;", 34 | "interval": 3600, 35 | "description": "List the kernel path, version, etc." 
36 | }, 37 | "os_version": { 38 | "query": "SELECT * FROM os_version;", 39 | "interval": 3600, 40 | "description": "List the version of the resident operating system" 41 | }, 42 | "patches": { 43 | "query": "SELECT * FROM patches;", 44 | "interval": 3600, 45 | "description": "Lists all the patches applied" 46 | }, 47 | "programs": { 48 | "query": "SELECT * FROM programs;", 49 | "interval": 3600, 50 | "description": "Lists installed programs" 51 | }, 52 | "scheduled_tasks": { 53 | "query": "SELECT * FROM scheduled_tasks;", 54 | "interval": 3600, 55 | "description": "Lists all of the tasks in the Windows task scheduler" 56 | }, 57 | "services": { 58 | "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';", 59 | "interval": 3600, 60 | "description": "Lists all installed services configured to start automatically at boot" 61 | }, 62 | "shared_resources": { 63 | "query": "SELECT * FROM shared_resources;", 64 | "interval": 28800, 65 | "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device." 66 | }, 67 | "system_info": { 68 | "query": "SELECT * FROM system_info;", 69 | "interval": 3600, 70 | "description": "System information for identification." 71 | }, 72 | "uptime": { 73 | "query": "SELECT * FROM uptime;", 74 | "interval": 3600, 75 | "description": "System uptime" 76 | }, 77 | "users": { 78 | "query": "SELECT * FROM users;", 79 | "interval": 3600, 80 | "description": "Local system users." 81 | }, 82 | "wmi_cli_event_consumers": { 83 | "query": "SELECT * FROM wmi_cli_event_consumers;", 84 | "interval": 3600, 85 | "description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." 
86 | }, 87 | "wmi_event_filters": { 88 | "query": "SELECT * FROM wmi_event_filters;", 89 | "interval": 3600, 90 | "description": "Lists WMI event filters." 91 | }, 92 | "wmi_filter_consumer_binding": { 93 | "query": "SELECT * FROM wmi_filter_consumer_binding;", 94 | "interval": 3600, 95 | "description": "Lists the relationship between event consumers and filters." 96 | }, 97 | "wmi_script_event_consumers": { 98 | "query": "SELECT * FROM wmi_script_event_consumers;", 99 | "interval": 3600, 100 | "description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." 101 | }, 102 | "process_on_memory_only": { 103 | "query": "SELECT * FROM processes WHERE on_disk = 0;", 104 | "interval": 300, 105 | "description": "Check the processes that have a deleted executable" 106 | }, 107 | "check_all_interfaces_listners": { 108 | "query": "SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';", 109 | "interval": 300, 110 | "description": "Get the process name, port, and PID, for processes listening on all interfaces" 111 | } 112 | }, 113 | "packs": { 114 | "unwanted-chrome-extensions": "packs/unwanted-chrome-extensions.conf", 115 | "windows-application-security": "packs/windows-application-security.conf", 116 | "windows-compliance": "packs/windows-compliance.conf", 117 | "windows-registry-monitoring": "packs/windows-registry-monitoring.conf", 118 | "windows-attacks": "packs/windows-attacks.conf" 119 | } 120 | } 121 | -------------------------------------------------------------------------------- /addons/osquery/osquery.ico: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/addons/osquery/osquery.ico -------------------------------------------------------------------------------- /addons/osquery/osquery.man: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /addons/osquery/osquery.msi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/addons/osquery/osquery.msi -------------------------------------------------------------------------------- /addons/osquery/osquery.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 15 | 16 | 25 | 26 | 27 | 28 | 30 | 31 | 32 | NOT NEWERVERSIONDETECTED 33 | 34 | 35 | 36 | Privileged 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 47 | 48 | 52 | 53 | 54 | 55 | 59 | 62 | 65 | 68 | 71 | 74 | 77 | 80 | 81 | 82 | 83 | 84 | 86 | 87 | 90 | 93 | 96 | 99 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | NOT Installed 130 | Installed 131 | 132 | 133 | -------------------------------------------------------------------------------- /addons/osquery/osquery_no_tls.flags: -------------------------------------------------------------------------------- 1 | --allow_unsafe 2 | --config_path=c:\ProgramData\osquery\osquery.conf 3 | --disable_events=true 4 | --disable_tables=windows_events 5 | --host_identifier=hostname 6 | --logger_min_status=1 7 | 
--logger_plugin=windows_event_log 8 | --verbose=true 9 | -------------------------------------------------------------------------------- /addons/osquery/osqueryd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/addons/osquery/osqueryd.exe -------------------------------------------------------------------------------- /addons/osquery/osqueryi.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/addons/osquery/osqueryi.exe -------------------------------------------------------------------------------- /addons/osquery/packs/unwanted-chrome-extensions.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows,darwin", 3 | "queries": { 4 | "Unwanted_Chrome_Extension_BetternetVPN": { 5 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='gjknjjomckknofjidppipffbpoekiipm';", 6 | "interval": 3600, 7 | "description": "https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/", 8 | "snapshot": true 9 | }, 10 | "Unwanted_Chrome_Extension_ChangeHTTPHeader": { 11 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='ppmibgfeefcglejjlpeihfdimbkfbbnm';", 12 | "interval": 3600, 13 | "description": "Reports from a vendor that this Chrome Extension was beaconing to a sinkhole", 14 | "snapshot": true 15 | }, 16 | "Unwanted_Chrome_Extension_Chrometana": { 17 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='kaicbfmipfpfpjmlbpejaoaflfdnabnc';", 18 | "interval": 3600, 19 | "description": 
"https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/", 20 | "snapshot": true 21 | }, 22 | "Unwanted_Chrome_Extension_CopyFish": { 23 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='eenjdnjldapjajjofmldgmkjaienebbj';", 24 | "interval": 3600, 25 | "description": "https://www.bleepingcomputer.com/news/security/copyfish-chrome-extension-hijacked-to-show-adware/", 26 | "snapshot": true 27 | }, 28 | "Unwanted_Chrome_Extension_Giphy": { 29 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='kaicbfmipfpfpjmlbpejaoaflfdnabnc';", 30 | "interval": 3600, 31 | "description": "https://www.reddit.com/r/chrome/comments/6htzan/psawarning_giphy_extension_6172017_is_now_malware/", 32 | "snapshot": true 33 | }, 34 | "Unwanted_Chrome_Extension_Grammarly": { 35 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='kbfnbcaeplbcioakkpcpgfkobkghlhen';", 36 | "interval": 3600, 37 | "description": "Has the potential to collect and exfil keystrokes from the browser - (https://www.grammarly.com/terms)", 38 | "snapshot": true 39 | }, 40 | "Unwanted_Chrome_Extension_HolaVPN": { 41 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='gkojfkhlekighikafcpjkiklfbnlmeio';", 42 | "interval": 3600, 43 | "description": "http://adios-hola.org", 44 | "snapshot": true 45 | }, 46 | "Unwanted_Chrome_Extension_InfinityNewTab": { 47 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='dbfmnekepjoapopniengjbcpnbljalfg';", 48 | "interval": 3600, 49 | "description": "https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/", 50 | "snapshot": true 51 | }, 52 | "Unwanted_Chrome_Extension_SocialFixer": { 53 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE 
identifier='ifmhoabcaeehkljcfclfiieohkohdgbb';", 54 | "interval": 3600, 55 | "description": "https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/", 56 | "snapshot": true 57 | }, 58 | "Unwanted_Chrome_Extension_TorrentStream": { 59 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='icocmgpofpimcojhefbcfbdldkmndpgj';", 60 | "interval": 3600, 61 | "description": "May violate company policies", 62 | "snapshot": true 63 | }, 64 | "Unwanted_Chrome_Extension_TouchVPN": { 65 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='bihmplhobchoageeokmgbdihknkjbknd';", 66 | "interval": 3600, 67 | "description": "https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/", 68 | "snapshot": true 69 | }, 70 | "Unwanted_Chrome_Extension_WebDeveloper": { 71 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='bfbameneiokkgbdmiekhjnmfkcnldhhm';", 72 | "interval": 3600, 73 | "description": "https://www.bleepingcomputer.com/news/security/chrome-extension-with-over-one-million-users-hijacked-to-serve-adware/", 74 | "snapshot": true 75 | }, 76 | "Unwanted_Chrome_Extension_WebPaint": { 77 | "query": "SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='emeokgokialpjadjaoeiplmnkjoaegng';", 78 | "interval": 3600, 79 | "description": "https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/", 80 | "snapshot": true 81 | } 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /addons/osquery/packs/windows-application-security.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "Bitlocker_AutoEncrypt_Settings_Registry": { 5 | "query": 
"SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Bitlocker\\%%';", 6 | "interval": 3600, 7 | "description": "Controls Bitlocker full-disk encryption settings." 8 | }, 9 | "Bitlocker_FDE_Settings_Registry": { 10 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\%%';", 11 | "interval": 3600, 12 | "description": "Controls Bitlocker full-disk encryption settings." 13 | }, 14 | "Chrome_Extension_ForceList_Registry": { 15 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist';", 16 | "interval": 3600, 17 | "description": "Controls Google Chrome plugins that are forcibly installed." 18 | }, 19 | "EMET_Settings_Registry": { 20 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\EMET\\%%';", 21 | "interval": 3600, 22 | "description": "Controls EMET-protected applications and system settings." 23 | }, 24 | "Microsoft_LAPS_Settings_Registry": { 25 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft Services\\AdmPwd';", 26 | "interval": 3600, 27 | "description": "Controls Local Administrative Password Solution (LAPS) settings." 28 | }, 29 | "Passport_For_Work_Settings_Registry": { 30 | "query": "SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\PassportForWork\\%%';", 31 | "interval": 3600, 32 | "description": "Controls Windows Passport for Work (Hello) settings." 33 | }, 34 | "UAC_Settings_Registry": { 35 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA';", 36 | "interval": 3600, 37 | "description": "Controls UAC. A setting of 0 indicates that UAC is disabled." 
38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /addons/osquery/packs/windows-attacks.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "StickyKeys_File_Replace_Backdoor": { 5 | "query": "SELECT * FROM hash WHERE (path='c:\\windows\\system32\\osk.exe' OR path='c:\\windows\\system32\\sethc.exe' OR path='c:\\windows\\system32\\narrator.exe' OR path='c:\\windows\\system32\\magnify.exe' OR path='c:\\windows\\system32\\displayswitch.exe') AND sha256 IN (SELECT sha256 FROM hash WHERE path='c:\\windows\\system32\\cmd.exe' OR path='c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' OR path='c:\\windows\\system32\\explorer.exe') AND sha256!='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';", 6 | "interval": 3600, 7 | "description": "Checks the hashes of accessibility tools to ensure they don't match the hashes of cmd.exe, powershell.exe, or explorer.exe. More info: https://github.com/TrullJ/sticky-keys-scanner/blob/master/TestFor-StickyKey.ps1" 8 | }, 9 | "StickyKeys_Registry_Backdoor": { 10 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%%' and name='Debugger';", 11 | "interval": 3600, 12 | "description": "Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. 
More info: https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/" 13 | }, 14 | "conhost.exe_incorrect_path": { 15 | "query": "SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';", 16 | "interval": 3600, 17 | "description": "Detect processes masquerading as legitimate Windows processes" 18 | }, 19 | "dllhost.exe_incorrect_path": { 20 | "query": "SELECT * FROM processes WHERE LOWER(name)='dllhost.exe' AND LOWER(path)!='c:\\windows\\system32\\dllhost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\dllhost.exe' AND path!='';", 21 | "interval": 3600, 22 | "description": "Detect processes masquerading as legitimate Windows processes" 23 | }, 24 | "lsass.exe_incorrect_path": { 25 | "query": "SELECT * FROM processes WHERE LOWER(name)='lsass.exe' AND LOWER(path)!='c:\\windows\\system32\\lsass.exe' AND path!='';", 26 | "interval": 3600, 27 | "description": "Detect processes masquerading as legitimate Windows processes" 28 | }, 29 | "services.exe_incorrect_parent_process": { 30 | "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='services.exe') AND LOWER(name)!='wininit.exe';", 31 | "interval": 3600, 32 | "description": "Detect processes masquerading as legitimate Windows processes" 33 | }, 34 | "svchost.exe_incorrect_path": { 35 | "query": "SELECT * FROM processes WHERE LOWER(name)='svchost.exe' AND LOWER(path)!='c:\\windows\\system32\\svchost.exe' AND LOWER(path)!='c:\\windows\\syswow64\\svchost.exe' AND path!='';", 36 | "interval": 3600, 37 | "description": "Detect processes masquerading as legitimate Windows processes" 38 | }, 39 | "svchost.exe_incorrect_parent_process": { 40 | "query": "SELECT name FROM processes WHERE pid=(SELECT parent FROM processes WHERE LOWER(name)='svchost.exe') AND LOWER(name)!='services.exe';", 41 | "interval": 3600, 42 | "description": "Detect processes masquerading as legitimate Windows 
processes" 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /addons/osquery/packs/windows-compliance.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "Command_Line_Auditing_Registry": { 5 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit';", 6 | "interval": 3600, 7 | "description": "Controls Windows command-line auditing" 8 | }, 9 | "Crash_Dump_Registry": { 10 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled';", 11 | "interval": 3600, 12 | "description": "Controls enabling/disabling crash dumps. This key has a default value of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 13 | }, 14 | "DNS_Plugin_DLL_Registry": { 15 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll';", 16 | "interval": 3600, 17 | "description": "This registry key specifies the path to a DLL to be loaded by a Windows DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83" 18 | }, 19 | "Dr_Watson_Registry": { 20 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug';", 21 | "interval": 3600, 22 | "description": "This key (and subkeys) exist by default and are required to allow post-mortem debuggers like Dr. Watson. Some malware deletes this key. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 23 | }, 24 | "Error_Display_UI_Registry": { 25 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\ShowUI';", 26 | "interval": 3600, 27 | "description": "This key does not exist by default and controls enabling/disabling error reporting display. Some malware creates this key and sets the value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 28 | }, 29 | "Error_Mode_Registry": { 30 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode';", 31 | "interval": 3600, 32 | "description": "Controls the suppression of error dialog boxes. The default value is 0 (all messages are visible), but some malware sets this value to 2 (all messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 33 | }, 34 | "Error_Report_Registry": { 35 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\DoReport';", 36 | "interval": 3600, 37 | "description": "This key does not exist by default and controls enabling/disabling error reporting. Some malware creates this key sets the value to 0 (disables error reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 38 | }, 39 | "Event_Log_Settings_Registry": { 40 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\%%';", 41 | "interval": 3600, 42 | "description": "Controls behavior, size, and rotation strategy for primary windows event log files." 
43 | }, 44 | "FileRenameOperations_Registry": { 45 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations';", 46 | "interval": 3600, 47 | "description": "Entries for the FileRenameOperation support the MoveFileEx delayed-rename and delayed-delete capabilities. Sometimes used as a self-deletion technique for malware." 48 | }, 49 | "KnownDLLs_Registry": { 50 | "query": "SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs\\%%';", 51 | "interval": 3600, 52 | "description": "The KnownDlls key defines the set of DLLs that are first searched during system startup." 53 | }, 54 | "Local_Security_Authority_Registry": { 55 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\%%';", 56 | "interval": 3600, 57 | "description": "Controls which security packages store credentials in LSA memory, secure boot, etc." 58 | }, 59 | "Log_Errors_Registry": { 60 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent';", 61 | "interval": 3600, 62 | "description": "This key exists by default and has a default value of 1. Setting this key to 0 disables logging errors/crashes to the System event channel. Some malware sets this value to 0. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html" 63 | }, 64 | "Per_User_TS_Session_Registry": { 65 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser';", 66 | "interval": 3600, 67 | "description": "Controls how many simultaneous terminal services sessions can use the same account" 68 | }, 69 | "Powershell_Settings_Registry": { 70 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\%%';", 71 | "interval": 3600, 72 | "description": "Controls Powershell execution policy, script execution, logging, and more." 73 | }, 74 | "SMBv1_Registry": { 75 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1';", 76 | "interval": 3600, 77 | "description": "Controls enabling/disabling SMBv1. Setting this key to 0 disables the SMBv1 protocol on the host." 78 | }, 79 | "Secure_Boot_Registry": { 80 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot';", 81 | "interval": 3600, 82 | "description": "Lists information about SecureBoot status." 83 | }, 84 | "Security_Providers_Registry": { 85 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\%%';", 86 | "interval": 3600, 87 | "description": "Controls Windows security provider configurations" 88 | }, 89 | "Send_Error_Alert_Registry": { 90 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\SendAlert';", 91 | "interval": 3600, 92 | "description": "Controls sending administrative notifications after a crash. 
Some malware sets this value to 0" 93 | }, 94 | "TPM_Registry": { 95 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\TPM';", 96 | "interval": 3600, 97 | "description": "Controls system TPM settings" 98 | }, 99 | "Terminal_Service_Deny_Registry": { 100 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections';", 101 | "interval": 3600, 102 | "description": "This key exists by default and has a default value of 1. Terminal service connections are allowed to the host when the key value is set to 0" 103 | }, 104 | "WinRM_Settings_Registry": { 105 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\%%';", 106 | "interval": 3600, 107 | "description": "Controls local WinRM client configuration and security." 108 | }, 109 | "Windows_Update_Settings_Registry": { 110 | "query": "SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\%%';", 111 | "interval": 3600, 112 | "description": "Controls Windows Update server location and installation behavior." 
113 | } 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /addons/osquery/packs/windows-registry-monitoring.conf: -------------------------------------------------------------------------------- 1 | { 2 | "platform": "windows", 3 | "queries": { 4 | "Bitlocker_Encryption_Settings_Registry_Misconfigured": { 5 | "query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\ShouldEncryptOSDrive' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\OSDriveProtector') AND data!=1;", 6 | "interval": 3600, 7 | "description": "Returns the content of the key if it does not match the expected value", 8 | "platform": "windows" 9 | }, 10 | "Bitlocker_MBAM_Endpoint_Registry_Misconfigured": { 11 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\KeyRecoveryServiceEndPoint' AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc';", 12 | "interval": 3600, 13 | "description": "Returns the content of the key if it does not match the expected value", 14 | "platform": "windows" 15 | }, 16 | "Bitlocker_MBAM_Registry_Misconfigured": { 17 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\UseMBAMServices' AND data!=1;", 18 | "interval": 3600, 19 | "description": "Returns the content of the key if it does not match the expected value", 20 | "platform": "windows" 21 | }, 22 | "Command_Line_Auditing_Registry_Misconfigured": { 23 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\ProcessCreationIncludeCmdLine_Enabled' AND data!=1;", 24 | "interval": 3600, 25 | "description": "Returns the content of the key if it does not match the expected value", 26 | "platform": "windows" 27 
| }, 28 | "Command_Line_Auditing_Registry_Missing": { 29 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\ProcessCreationIncludeCmdLine_Enabled') WHERE key_exists!=1;", 30 | "interval": 3600, 31 | "description": "Returns 0 as a result if the registry key does not exist", 32 | "platform": "windows" 33 | }, 34 | "Crash_Dump_Registry_Misconfigured": { 35 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled' AND data=0;", 36 | "interval": 3600, 37 | "description": "Returns the content of the key if it does not match the expected value", 38 | "platform": "windows" 39 | }, 40 | "Crash_Dump_Registry_Missing": { 41 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled') WHERE key_exists!=1;", 42 | "interval": 3600, 43 | "description": "Returns 0 as a result if the registry key does not exist", 44 | "platform": "windows" 45 | }, 46 | "DNS_Plugin_DLL_Registry_Exists": { 47 | "query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll';", 48 | "interval": 3600, 49 | "description": "Returns the content of this key if it exists, which it shouldn't by default", 50 | "platform": "windows" 51 | }, 52 | "Dr_Watson_Registry_Missing": { 53 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug') WHERE key_exists!=2;", 54 | "interval": 3600, 55 | "description": "Returns 0 as a result if the registry key does not exist", 56 | "platform": "windows" 57 | }, 58 | "Error_Display_UI_Registry_Exists": { 
59 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\ShowUI';", 60 | "interval": 3600, 61 | "description": "Returns the content of this key if it exists, which it shouldn't by default", 62 | "platform": "windows" 63 | }, 64 | "Error_Mode_Registry_Misconfigured": { 65 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode' AND data=2;", 66 | "interval": 3600, 67 | "description": "Returns the content of the key if it does not match the expected value", 68 | "platform": "windows" 69 | }, 70 | "Error_Mode_Registry_Missing": { 71 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode') WHERE key_exists!=1;", 72 | "interval": 3600, 73 | "description": "Returns 0 as a result if the registry key does not exist", 74 | "platform": "windows" 75 | }, 76 | "Log_Errors_Registry_Misconfigured": { 77 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent' AND data!=1;", 78 | "interval": 3600, 79 | "description": "Returns the content of the key if it does not match the expected value", 80 | "platform": "windows" 81 | }, 82 | "Log_Errors_Registry_Missing": { 83 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent') WHERE key_exists!=1;", 84 | "interval": 3600, 85 | "description": "Returns 0 as a result if the registry key does not exist", 86 | "platform": "windows" 87 | }, 88 | "Per_User_TS_Session_Registry_Misconfigured": { 89 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser' AND data!=1;", 90 | "interval": 3600, 91 | 
"description": "Returns the content of the key if it does not match the expected value", 92 | "platform": "windows" 93 | }, 94 | "Per_User_TS_Session_Registry_Missing": { 95 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser') WHERE key_exists!=1;", 96 | "interval": 3600, 97 | "description": "Returns 0 as a result if the registry key does not exist", 98 | "platform": "windows" 99 | }, 100 | "Powershell_InvocationHeader_Registry_Missing": { 101 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableInvocationHeader') WHERE key_exists!=1;", 102 | "interval": 3600, 103 | "description": "Returns 0 as a result if the registry key does not exist", 104 | "platform": "windows" 105 | }, 106 | "Powershell_Logging_Registry_Misconfigured": { 107 | "query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging\\EnableModuleLogging' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging\\EnableScriptBlockLogging' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableTranscripting' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableInvocationHeader') AND data!=1;", 108 | "interval": 3600, 109 | "description": "Returns the content of the key if it does not match the expected value", 110 | "platform": "windows" 111 | }, 112 | "Powershell_ModuleLogging_Registry_Missing": { 113 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE 
path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging\\EnableModuleLogging') WHERE key_exists!=1;", 114 | "interval": 3600, 115 | "description": "Returns 0 as a result if the registry key does not exist", 116 | "platform": "windows" 117 | }, 118 | "Powershell_ScriptBlockLogging_Registry_Missing": { 119 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging\\EnableScriptBlockLogging') WHERE key_exists!=1;", 120 | "interval": 3600, 121 | "description": "Returns 0 as a result if the registry key does not exist", 122 | "platform": "windows" 123 | }, 124 | "Powershell_TranscriptingLogging_Registry_Missing": { 125 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableTranscripting') WHERE key_exists!=1;", 126 | "interval": 3600, 127 | "description": "Returns 0 as a result if the registry key does not exist", 128 | "platform": "windows" 129 | }, 130 | "SMBv1_Registry_Misconfigured": { 131 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1' AND data!=0;", 132 | "interval": 3600, 133 | "description": "", 134 | "platform": "windows" 135 | }, 136 | "SMBv1_Registry_Missing": { 137 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1') WHERE key_exists!=1;", 138 | "interval": 3600, 139 | "description": "Returns 0 as a result if the registry key does not exist", 140 | "platform": "windows" 141 | }, 142 | "Send_Error_Alert_Registry_Exists": { 143 | "query": "SELECT * FROM registry WHERE 
key='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\SendAlert';", 144 | "interval": 3600, 145 | "description": "Returns the content of this key if it exists, which it shouldn't by default", 146 | "platform": "windows" 147 | }, 148 | "Subscription_Manager_Registry_Misconfigured": { 149 | "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1' AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC' AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC');", 150 | "interval": 3600, 151 | "description": "Returns the content of the key if it does not match the expected value", 152 | "platform": "windows" 153 | }, 154 | "Subscription_Manager_Registry_Missing": { 155 | "query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1') WHERE key_exists!=1;", 156 | "interval": 3600, 157 | "description": "Returns 0 as a result if the registry key does not exist", 158 | "platform": "windows" 159 | }, 160 | "WinRM_Settings_Registry_Misconfigured": { 161 | "query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowBasic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowCredSSP' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowUnencryptedTraffic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowDigest' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowBasic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowCredSSP' OR 
path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowUnencryptedTraffic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\WinRS\\AllowRemoteShellAccess') AND data!=0; ", 162 | "interval": 3600, 163 | "description": "Returns the content of the key if it does not match the expected value", 164 | "platform": "windows" 165 | } 166 | } 167 | } 168 | -------------------------------------------------------------------------------- /addons/osquery/set_acl.ps1: -------------------------------------------------------------------------------- 1 | $target = "\ProgramData\osquery\osqueryd" 2 | $acl = Get-Acl $target 3 | # First, to ensure success, we remove the entirety of the ACL 4 | $acl.SetAccessRuleProtection($true, $false) 5 | foreach ($access in $acl.Access) { 6 | $acl.RemoveAccessRule($access) 7 | } 8 | Set-Acl $target $acl 9 | 10 | $acl = Get-Acl $target 11 | $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit 12 | $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None 13 | $permType = [System.Security.AccessControl.AccessControlType]::Allow 14 | 15 | # "Safe" permissions in osquery entail the containing folder and binary both 16 | # are owned by the Administrators group, as well as no account has Write 17 | # permissions except for the Administrators group and SYSTEM account 18 | $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18') 19 | $systemUser = $systemSid.Translate([System.Security.Principal.NTAccount]) 20 | 21 | $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544') 22 | $adminsGroup = $adminsSid.Translate([System.Security.Principal.NTAccount]) 23 | 24 | $usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545') 25 | $usersGroup = $usersSid.Translate([System.Security.Principal.NTAccount]) 26 
| 27 | $permGroups = @($systemUser, $adminsGroup, $usersGroup) 28 | foreach ($accnt in $permGroups) { 29 | $grantedPerm = '' 30 | if ($accnt -eq $usersGroup) { 31 | $grantedPerm = 'ReadAndExecute' 32 | } else { 33 | $grantedPerm = 'FullControl' 34 | } 35 | $permission = $accnt.Value, $grantedPerm, $inheritanceFlag, $propagationFlag, $permType 36 | $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission 37 | $acl.SetAccessRule($accessRule) 38 | } 39 | $acl.SetOwner($adminsGroup) 40 | Set-Acl $target $acl 41 | 42 | # Finally set the Administrators group as the owner for all items 43 | $items = Get-ChildItem -Recurse -Path $target 44 | foreach ($item in $items) { 45 | $acl = Get-Acl -Path $item.FullName 46 | $acl.SetOwner($adminsGroup) 47 | Set-Acl $item.FullName $acl 48 | } 49 | -------------------------------------------------------------------------------- /addons/osquery/uninstall_osquery.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | cd "\ProgramData\osquery" 3 | sc.exe stop osqueryd 4 | ping 127.0.0.1 -n 6 > nul 5 | sc.exe delete osqueryd 6 | if exist \ProgramData\osquery\osqueryd.pidfile del \ProgramData\osquery\osqueryd.pidfile 7 | wevtutil um C:\ProgramData\osquery\osquery.man 8 | if exist \ProgramData\osquery\osquery.db rmdir /s /q \ProgramData\osquery\osquery.db 9 | -------------------------------------------------------------------------------- /addons/osquery/winlogbeat.yml: -------------------------------------------------------------------------------- 1 | winlogbeat.event_logs: 2 | - name: Application 3 | ignore_older: 72h 4 | - name: Security 5 | - name: System 6 | - name: osquery 7 | 8 | 9 | output.logstash: 10 | hosts: ["littlebeat:5044"] 11 | ssl.enabled: true 12 | ssl.verification_mode: none 13 | -------------------------------------------------------------------------------- /addons/ossec/install_ossec.sh: 
-------------------------------------------------------------------------------- 1 | github_url="https://raw.githubusercontent.com/ESGuardian/LittleBeat/v-6.1.001" 2 | apt update 3 | apt install docker.io -y 4 | docker volume create ossec-data 5 | docker run -d --restart=always -p 1514:1514/udp -p 1515:1515/tcp -v ossec-data:/var/ossec/data --name ossec-server esguardian/ossec-docker 6 | chmod 711 /var/lib/docker/volumes 7 | cd /tmp 8 | if [ -e "wazuh_dash.json" ]; then 9 | rm wazuh_dash.json 10 | fi 11 | wget $github_url/addons/ossec/kibana/wazuh_dash.json 12 | curl -s -H "kbn-version: $(dpkg -l | grep kibana | awk '{print $3}')" -H 'Content-Type: application/json' -XDELETE 127.0.0.1:5601/api/saved_objects/index-pattern/wazuh-alerts-* 13 | curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @wazuh_dash.json 14 | 15 | if [ -e "main-dash.json" ]; then 16 | rm main-dash.json 17 | fi 18 | wget $github_url/addons/main-dash.json 19 | curl -s -H "kbn-version: $(dpkg -l | grep kibana | awk '{print $3}')" -H 'Content-Type: application/json' -XDELETE 127.0.0.1:5601/api/saved_objects/visualization/f24a7060-0a7b-11e8-a2ce-b9829bf5932d 20 | curl -XPOST 127.0.0.1:5601/api/kibana/dashboards/import -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d @main-dash.json 21 | cd /etc/logstash/templates 22 | if [ ! -e "/etc/logstash/templates/wazuh-elastic6-template-alerts.json" ]; then 23 | wget $github_url/addons/ossec/logstash/templates/wazuh-elastic6-template-alerts.json 24 | else 25 | rm /etc/logstash/templates/wazuh-elastic6-template-alerts.json 26 | wget $github_url/addons/ossec/logstash/templates/wazuh-elastic6-template-alerts.json 27 | fi 28 | cd /etc/logstash/conf.d 29 | if [ ! 
-e "/logstash/conf.d/02-wazuh.conf" ]; then 30 | wget $github_url/addons/ossec/logstash/conf.d/02-wazuh.conf 31 | else 32 | rm /logstash/conf.d/02-wazuh.conf 33 | wget $github_url/addons/ossec/logstash/conf.d/02-wazuh.conf 34 | fi 35 | service logstash restart 36 | 37 | -------------------------------------------------------------------------------- /addons/ossec/logstash/conf.d/02-wazuh.conf: -------------------------------------------------------------------------------- 1 | #----AUTHOR'S COMMENTS----- 2 | # 3 | # codec => json {charset => "Windows-1251"} 4 | # Это на случай, если какая-нибудь сволочь установит OSSEC Агент на Windows 5 | # 6 | #-----END OF AUTHOR'S COMMENTS----- 7 | 8 | input { 9 | file { 10 | tags => ["wazuh-alerts"] 11 | path => "/var/lib/docker/volumes/ossec-data/_data/logs/alerts/alerts.json" 12 | start_position => "beginning" 13 | sincedb_path => "/var/log/logstash/wazuh_sincedb" 14 | codec => json {charset => "Windows-1251"} 15 | } 16 | } 17 | filter { 18 | if "wazuh-alerts" in [tags] { 19 | if [data][srcip] { 20 | mutate { 21 | add_field => [ "@src_ip", "%{[data][srcip]}" ] 22 | } 23 | } 24 | if [data][aws][sourceIPAddress] { 25 | mutate { 26 | add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ] 27 | } 28 | } 29 | geoip { 30 | source => "@src_ip" 31 | target => "GeoLocation" 32 | fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"] 33 | } 34 | date { 35 | match => ["timestamp", "ISO8601"] 36 | target => "@timestamp" 37 | } 38 | mutate { 39 | remove_field => [ "timestamp", "beat", "input_type", "count", "@version", "log", "offset", "type","@src_ip"] 40 | } 41 | } 42 | } 43 | 44 | output { 45 | if "wazuh-alerts" in [tags] { 46 | elasticsearch { 47 | hosts => ["http://localhost:9200"] 48 | index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}" 49 | template => "/etc/logstash/templates/wazuh-elastic6-template-alerts.json" 50 | template_name => "wazuh" 51 | template_overwrite => true 52 | } 53 | } 
54 | } 55 | -------------------------------------------------------------------------------- /addons/ueba/lib/systemd/system/littlebeat-ueba.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=LittleBeat UEBA 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | Restart=always 8 | RestartSec=10 9 | 10 | 11 | WorkingDirectory=/opt/littlebeat/bin/ueba 12 | ExecStart=/opt/littlebeat/bin/ueba/ueba.py 13 | 14 | PermissionsStartOnly=true 15 | StandardOutput=syslog 16 | StandardError=syslog 17 | SyslogIdentifier=LittleBeat-UEBA 18 | 19 | [Install] 20 | WantedBy=multi-user.target 21 | -------------------------------------------------------------------------------- /addons/ueba/ueba.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf8 -*- 3 | import logging 4 | from elasticsearch import Elasticsearch 5 | from datetime import date, timedelta, datetime 6 | from iso8601utils import parsers 7 | from ueba_lib.wlogon import wlogon 8 | # from ueba_lib.sysnet import sysnet # ACRC Only 9 | from ueba_lib.margin_corrector import margin_corrector_wlogon 10 | from ueba_lib.garbage_collector import garbage_collector 11 | import codecs 12 | import redis 13 | import time 14 | 15 | KIBANA_BASE_URL = 'https://littlebeat' 16 | WATCHER_INDEX = "ueba-" 17 | WATCHER_INDEX_TEMPLATE_NAME = "ueba" 18 | WATCHER_INDEX_TEMPLATE = { 19 | "order": 1, 20 | "settings": { 21 | "index": { 22 | "mapping": { 23 | "total_fields": { 24 | "limit": 10000 25 | } 26 | }, 27 | "number_of_shards": 1, 28 | "refresh_interval": "5s" 29 | } 30 | }, 31 | "index_patterns": [ 32 | "ueba-*" 33 | ], 34 | "mappings": { 35 | "doc": { 36 | "dynamic_templates": [ 37 | { 38 | "strings_as_keyword": { 39 | "mapping": { 40 | "ignore_above": 1024, 41 | "type": "keyword" 42 | }, 43 | "match_mapping_type": "string" 44 | } 45 | } 46 | ], 47 | "properties": { 48 | "tags": { 49 | "type": 
"text" 50 | }, 51 | "@timestamp": { 52 | "type": "date" 53 | }, 54 | "source_ip": { 55 | "type": "ip" 56 | }, 57 | "dest_ip": { 58 | "type": "ip" 59 | }, 60 | "days": { 61 | "type": "integer" 62 | }, 63 | "count": { 64 | "type": "integer" 65 | }, 66 | "severity": { 67 | "type": "integer" 68 | }, 69 | "period": { 70 | "type": "keyword" 71 | }, 72 | "source_url": { 73 | "type": "keyword" 74 | }, 75 | "event_desc": { 76 | "type": "keyword" 77 | }, 78 | "@version": { 79 | "type": "keyword" 80 | } 81 | } 82 | } 83 | } 84 | } 85 | elastic_not_connected = True 86 | while elastic_not_connected : 87 | try: 88 | es = Elasticsearch() 89 | if es.ping() : 90 | elastic_not_connected = False 91 | else: 92 | time.sleep(60) 93 | except: 94 | pass 95 | time.sleep(60) 96 | 97 | if not es.indices.exists_template(name=WATCHER_INDEX_TEMPLATE_NAME): 98 | # записываем шаблон индекса 99 | res=es.indices.put_template(name=WATCHER_INDEX_TEMPLATE_NAME, body=WATCHER_INDEX_TEMPLATE) 100 | 101 | r = redis.StrictRedis(host='localhost', port=6379, db=0) 102 | wl = wlogon(es,r,WATCHER_INDEX,KIBANA_BASE_URL) 103 | # sn = sysnet(es,r,WATCHER_INDEX,KIBANA_BASE_URL) # ACRC Only 104 | mc_wl = margin_corrector_wlogon(es,r,WATCHER_INDEX) 105 | gc = garbage_collector(r) 106 | mc_wl_counter = 0 107 | gc_counter = 0 108 | 109 | while True : 110 | wl.search() 111 | # sn.search() # ACRC Only 112 | mc_wl_counter += 1 113 | gc_counter += 1 114 | if mc_wl_counter > 120 : 115 | mc_wl.search() 116 | mc_wl_counter = 0 117 | if gc_counter > 120*24 : 118 | gc.collect() 119 | gc_counter = 0 120 | time.sleep(30) 121 | -------------------------------------------------------------------------------- /addons/ueba/ueba_lib/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /addons/ueba/ueba_lib/garbage_collector.py: 
-------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf8 -*- 3 | from datetime import date, timedelta, datetime 4 | from iso8601utils import parsers 5 | import codecs 6 | import time 7 | from IPy import IP 8 | 9 | class garbage_collector (object): 10 | def __init__(self, redis_conn): 11 | self.r = redis_conn 12 | 13 | def collect (self) : 14 | cursor = 0 15 | donext = True 16 | margin = int(time.mktime(datetime.now().timetuple())) - 3600*24*60 17 | for item in self.r.scan_iter(): 18 | if self.r.type(item) == 'zset' : 19 | self.r.zremrangebyscore(item, 0, margin) 20 | -------------------------------------------------------------------------------- /addons/ueba/ueba_lib/margin_corrector.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding: utf8 -*- 3 | from datetime import date, timedelta, datetime 4 | from iso8601utils import parsers 5 | import codecs 6 | import time 7 | from IPy import IP 8 | 9 | class margin_corrector_wlogon(object): 10 | def __init__(self, conn_elasticsearch,conn_redis, index): 11 | self.watcher_index = index 12 | self.es = conn_elasticsearch 13 | self.r = conn_redis 14 | self.counter_types = { 15 | 'wlogon_020':{'counters':[{'entity_field':'username','values':{'hour':6,'day':10,'week':100},'common_sufix':'valid_logon|network|per_user|','comment':'targets per user'}]}, 16 | 'wlogon_021':{'counters':[{'entity_field':'source_ip','values':{'hour':6,'day':10,'week':100},'common_sufix':'valid_logon|network|per_source_ip|','comment':'targets per source ip'}]}, 17 | 'wlogon_031':{'counters':[{'entity_field':'username','values':{'hour':6,'day':10,'week':100},'common_sufix':'valid_logon|interactive|per_user|','comment':'targets per user interactive'}]}, 18 | } 19 | self.elastic_query_get_entity = { 20 | "query":{ 21 | "bool": { 22 | "must": [ 23 | {"term":{"event_id":"event_id"}}, 24 | {"term":{"period":"period"}}, 
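# margin_corrector.py (continued): tail of the per-entity query template built in __init__
                    {"range": {"@timestamp": {"gte": "now-30d"}}}
                ]
            }
        },
        "size": "10000",
        "aggs": {
            "by_entity": {
                "terms": {"field": "entity"},
                "aggs": {
                    "counter_stats": {
                        "stats": {"field": "count"}
                    }
                }
            }
        }
    }

    def search(self):
        """Recompute the per-entity "top margin" thresholds and store them in Redis.

        For each counter type in ``self.counter_types`` (wlogon_020/021/031), each
        of its entity fields and each period (hour/day/week) this method:

        1. runs ``self.elastic_query_get_entity`` against ``<watcher_index>*`` to
           get, per entity, the stats of ``count`` over the last 30 days;
        2. for entities with more than 10 samples takes ``int(avg) + 1`` as the
           margin and raises it with ``_iter_margin`` until fewer than 5
           documents still exceed it;
        3. stores the margin under
           ``wlogon_top_margin|<common_sufix><entity>|<period>`` with a 20-day
           TTL (always rewritten when a fresh estimate exists, so an actively
           measured entity never starts to decay).

        Afterwards every stored margin whose TTL has fallen below two hours is
        decayed by 10 % (at least 1, never below 1) and given a 5-day TTL, so
        thresholds relax again when no new estimate has been produced.

        Fixes against the previous revision: the refinement query hard-coded
        ``event_id`` "wlogon_021" and the literal string "counter_name" as the
        period, so it matched nothing and the margin was never raised; and the
        decay loop refreshed the TTL of the stale ``redis_key`` left over from
        the loop above instead of the key actually being decayed.

        Uses self.es (Elasticsearch client), self.r (Redis client),
        self.watcher_index and self.counter_types; mutates
        self.elastic_query_get_entity in place as a query template.
        """
        index_pattern = self.watcher_index + "*"
        entity_query = self.elastic_query_get_entity
        must = entity_query['query']['bool']['must']

        def _iter_margin(margin_value, iter_query):
            """Raise margin_value until fewer than 5 documents have count > margin."""
            while True:
                iter_query['query']['bool']['must'][3]["range"]["count"]["gt"] = margin_value
                iter_res = self.es.search(index=index_pattern, body=iter_query)
                stats = iter_res['aggregations']['counter_stats']
                if stats['count'] < 5:
                    return margin_value
                # Only documents with count > margin_value were aggregated, so
                # int(avg) + 1 is strictly larger than margin_value and the loop
                # terminates.
                margin_value = int(stats['avg']) + 1

        for event_id, spec in self.counter_types.items():
            must[0]['term']['event_id'] = event_id
            for counter in spec['counters']:
                entity_field = counter['entity_field']
                entity_query['aggs']['by_entity']['terms']['field'] = entity_field
                for period in counter['values']:
                    must[1]['term']['period'] = period
                    res = self.es.search(index=index_pattern, body=entity_query)
                    for bucket in res['aggregations']['by_entity']['buckets']:
                        stats = bucket["counter_stats"]
                        if stats['count'] <= 10:
                            # Too few samples for an estimate: leave the stored
                            # margin (if any) untouched.
                            continue
                        entity = bucket['key']
                        redis_key = "wlogon_top_margin|" + counter['common_sufix'] + entity + "|" + period
                        new_margin = int(stats['avg']) + 1
                        iter_query = {
                            "query": {
                                "bool": {
                                    "must": [
                                        {"term": {"event_id": event_id}},
                                        {"term": {entity_field: entity}},
                                        {"term": {"period": period}},
                                        {"range": {"count": {"gt": new_margin}}},
                                        {"range": {"@timestamp": {"gte": "now-30d"}}}
                                    ]
                                }
                            },
                            "size": "10000",
                            "aggs": {
                                "counter_stats": {
                                    "stats": {"field": "count"}
                                }
                            }
                        }
                        new_margin = _iter_margin(new_margin, iter_query)
                        self.r.set(redis_key, new_margin)
                        self.r.expire(redis_key, 3600 * 24 * 20)

        # Decay margins that are about to expire. ttl() may be None (older
        # redis-py) or negative for keys without an expiry; both are treated as
        # "decay now", which is what the original "< 7200" comparison did.
        for item in self.r.scan_iter(match=r'wlogon_top_margin\|*'):
            ttl = self.r.ttl(item)
            if ttl is not None and ttl >= 7200:
                continue
            raw = self.r.get(item)
            if raw is None:
                # Key expired between SCAN and GET.
                continue
            cur_margin = int(raw)
            delta = max(cur_margin // 10, 1)
            cur_margin = max(cur_margin - delta, 1)
            self.r.set(item, cur_margin)
            self.r.expire(item, 3600 * 24 * 5)
--------------------------------------------------------------------------------
/agents/LICENSE.txt:
--------------------------------------------------------------------------------
Copyright (c) 2012–2017 Elastic

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--------------------------------------------------------------------------------
/agents/README.md:
--------------------------------------------------------------------------------
# Welcome to winlogbeat 6.1.3

Winlogbeat ships Windows event logs to Elasticsearch or Logstash.

## Getting Started

To get started with winlogbeat, you need to set up Elasticsearch on your localhost first.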
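After that, start winlogbeat with:

    ./winlogbeat -c winlogbeat.yml -e

This will start the beat and send the data to your Elasticsearch instance. To load the dashboards for winlogbeat into Kibana, run:

    ./winlogbeat setup -e

For further steps visit the [Getting started](https://www.elastic.co/guide/en/beats/winlogbeat/6.1/winlogbeat-getting-started.html) guide.

## Documentation

Visit [Elastic.co Docs](https://www.elastic.co/guide/en/beats/winlogbeat/6.1/index.html) for the full winlogbeat documentation.

## Release notes

https://www.elastic.co/guide/en/beats/libbeat/6.1/release-notes-6.1.3.html
--------------------------------------------------------------------------------
/agents/bin/checkos.bat:
--------------------------------------------------------------------------------
@ECHO OFF
rem Pick the MSI that matches the OS bitness and hand it to the Windows
rem Installer. PROGRAMFILES(X86) is only defined on 64-bit Windows.
rem Both MSI paths are anchored to this script's own directory with %~dp0 so
rem the choice does not depend on the caller's current directory, and the
rem msiexec exit code is propagated so a failed install is visible to the caller.
rem Fix: the 32-bit branch called "mswexec", a command that does not exist, so
rem the 32-bit package could never be installed through this script.
echo Check operating system ...
if defined PROGRAMFILES(X86) (
    msiexec /i "%~dp0littlebeat_agent_64.msi"
) else (
    msiexec /i "%~dp0littlebeat_agent_32.msi"
)
exit /b %ERRORLEVEL%
--------------------------------------------------------------------------------
/agents/bin/littlebeat_agent.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/agents/bin/littlebeat_agent.exe
--------------------------------------------------------------------------------
/agents/bin/littlebeat_agent_32.msi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/agents/bin/littlebeat_agent_32.msi
--------------------------------------------------------------------------------
/agents/bin/littlebeat_agent_64.msi:
--------------------------------------------------------------------------------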
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/agents/bin/littlebeat_agent_64.msi -------------------------------------------------------------------------------- /agents/fields.yml: -------------------------------------------------------------------------------- 1 | 2 | - key: beat 3 | title: Beat 4 | description: > 5 | Contains common beat fields available in all event types. 6 | fields: 7 | 8 | - name: beat.name 9 | description: > 10 | The name of the Beat sending the log messages. If the Beat name is 11 | set in the configuration file, then that value is used. If it is not 12 | set, the hostname is used. To set the Beat name, use the `name` 13 | option in the configuration file. 14 | - name: beat.hostname 15 | description: > 16 | The hostname as returned by the operating system on which the Beat is 17 | running. 18 | - name: beat.timezone 19 | description: > 20 | The timezone as returned by the operating system on which the Beat is 21 | running. 22 | - name: beat.version 23 | description: > 24 | The version of the beat that generated this event. 25 | 26 | - name: "@timestamp" 27 | type: date 28 | required: true 29 | format: date 30 | example: August 26th 2016, 12:35:53.332 31 | description: > 32 | The timestamp when the event log record was generated. 33 | 34 | - name: tags 35 | description: > 36 | Arbitrary tags that can be set per Beat and per transaction 37 | type. 38 | 39 | - name: fields 40 | type: object 41 | object_type: keyword 42 | description: > 43 | Contains user configurable fields. 44 | 45 | - name: error 46 | type: group 47 | description: > 48 | Error fields containing additional info in case of errors. 49 | fields: 50 | - name: message 51 | type: text 52 | description: > 53 | Error message. 54 | - name: code 55 | type: long 56 | description: > 57 | Error code. 58 | - name: type 59 | type: keyword 60 | description: > 61 | Error type. 
62 | - key: cloud 63 | title: Cloud provider metadata 64 | description: > 65 | Metadata from cloud providers added by the add_cloud_metadata processor. 66 | fields: 67 | 68 | - name: meta.cloud.provider 69 | example: ec2 70 | description: > 71 | Name of the cloud provider. Possible values are ec2, gce, or digitalocean. 72 | 73 | - name: meta.cloud.instance_id 74 | description: > 75 | Instance ID of the host machine. 76 | 77 | - name: meta.cloud.instance_name 78 | description: > 79 | Instance name of the host machine. 80 | 81 | - name: meta.cloud.machine_type 82 | example: t2.medium 83 | description: > 84 | Machine type of the host machine. 85 | 86 | - name: meta.cloud.availability_zone 87 | example: us-east-1c 88 | description: > 89 | Availability zone in which this host is running. 90 | 91 | - name: meta.cloud.project_id 92 | example: project-x 93 | description: > 94 | Name of the project in Google Cloud. 95 | 96 | - name: meta.cloud.region 97 | description: > 98 | Region in which this host is running. 99 | - key: docker 100 | title: Docker 101 | description: > 102 | beta[] 103 | 104 | Docker stats collected from Docker. 105 | short_config: false 106 | anchor: docker-processor 107 | fields: 108 | - name: docker 109 | type: group 110 | fields: 111 | - name: container.id 112 | type: keyword 113 | description: > 114 | Unique container id. 115 | - name: container.image 116 | type: keyword 117 | description: > 118 | Name of the image the container was built on. 119 | - name: container.name 120 | type: keyword 121 | description: > 122 | Container name. 123 | - name: container.labels 124 | type: object 125 | object_type: keyword 126 | description: > 127 | Image labels. 
128 | - key: kubernetes 129 | title: Kubernetes 130 | description: > 131 | beta[] 132 | 133 | Kubernetes metadata added by the kubernetes processor 134 | short_config: false 135 | anchor: kubernetes-processor 136 | fields: 137 | - name: kubernetes 138 | type: group 139 | fields: 140 | - name: pod.name 141 | type: keyword 142 | description: > 143 | Kubernetes pod name 144 | 145 | - name: namespace 146 | type: keyword 147 | description: > 148 | Kubernetes namespace 149 | 150 | - name: labels 151 | type: object 152 | description: > 153 | Kubernetes labels map 154 | 155 | - name: annotations 156 | type: object 157 | description: > 158 | Kubernetes annotations map 159 | 160 | - name: container.name 161 | type: keyword 162 | description: > 163 | Kubernetes container name 164 | 165 | - name: container.image 166 | type: keyword 167 | description: > 168 | Kubernetes container image 169 | - key: common 170 | title: "Common Winlogbeat" 171 | description: > 172 | Contains common fields available in all event types. 173 | fields: 174 | - name: type 175 | required: true 176 | description: > 177 | The event log API type used to read the record. The possible values are 178 | "wineventlog" for the Windows Event Log API or "eventlogging" for the 179 | Event Logging API. 180 | 181 | The Event Logging API was designed for Windows Server 2003, Windows XP, 182 | or Windows 2000 operating systems. In Windows Vista, the event logging 183 | infrastructure was redesigned. On Windows Vista or later operating 184 | systems, the Windows Event Log API is used. Winlogbeat automatically 185 | detects which API to use for reading event logs. 186 | 187 | 188 | - key: eventlog 189 | title: Event log record 190 | description: > 191 | Contains data from a Windows event log record. 192 | fields: 193 | - name: activity_id 194 | type: keyword 195 | required: false 196 | description: > 197 | A globally unique identifier that identifies the current activity. 
The 198 | events that are published with this identifier are part of the same 199 | activity. 200 | 201 | - name: computer_name 202 | type: keyword 203 | required: true 204 | description: > 205 | The name of the computer that generated the record. When using Windows 206 | event forwarding, this name can differ from the `beat.hostname`. 207 | 208 | - name: event_data 209 | type: object 210 | object_type: keyword 211 | required: false 212 | description: > 213 | The event-specific data. This field is mutually exclusive with 214 | `user_data`. If you are capturing event data on versions prior 215 | to Windows Vista, the parameters in `event_data` are named `param1`, 216 | `param2`, and so on, because event log parameters are unnamed in 217 | earlier versions of Windows. 218 | 219 | - name: event_id 220 | type: long 221 | required: true 222 | description: > 223 | The event identifier. The value is specific to the source of the event. 224 | 225 | - name: keywords 226 | type: keyword 227 | required: false 228 | description: > 229 | The keywords are used to classify an event. 230 | 231 | - name: log_name 232 | type: keyword 233 | required: true 234 | description: > 235 | The name of the event log from which this record was read. This value is 236 | one of the names from the `event_logs` collection in the configuration. 237 | 238 | - name: level 239 | type: keyword 240 | required: false 241 | description: > 242 | The level of the event. There are five levels of events that can be 243 | logged: Success, Information, Warning, Error, Audit Success, and Audit 244 | Failure. 245 | 246 | - name: message 247 | type: text 248 | required: false 249 | description: > 250 | The message from the event log record. 251 | 252 | - name: message_error 253 | type: keyword 254 | required: false 255 | description: > 256 | The error that occurred while reading and formatting the message from 257 | the log. 
258 | 259 | - name: record_number 260 | type: keyword 261 | required: true 262 | description: > 263 | The record number of the event log record. The first record written 264 | to an event log is record number 1, and other records are numbered 265 | sequentially. If the record number reaches the maximum value (2^32^ 266 | for the Event Logging API and 2^64^ for the Windows Event Log API), 267 | the next record number will be 0. 268 | 269 | - name: related_activity_id 270 | type: keyword 271 | required: false 272 | description: > 273 | A globally unique identifier that identifies the activity to which 274 | control was transferred to. The related events would then have this 275 | identifier as their `activity_id` identifier. 276 | 277 | - name: opcode 278 | type: keyword 279 | required: false 280 | description: > 281 | The opcode defined in the event. Task and opcode are typically used to 282 | identify the location in the application from where the event was 283 | logged. 284 | 285 | - name: provider_guid 286 | type: keyword 287 | required: false 288 | description: > 289 | A globally unique identifier that identifies the provider that logged 290 | the event. 291 | 292 | - name: process_id 293 | type: long 294 | required: false 295 | description: > 296 | The process_id identifies the process that generated the event. 297 | 298 | - name: source_name 299 | type: keyword 300 | required: true 301 | description: > 302 | The source of the event log record (the application or service that 303 | logged the record). 304 | 305 | - name: task 306 | type: keyword 307 | required: false 308 | description: > 309 | The task defined in the event. Task and opcode are typically used to 310 | identify the location in the application from where the event was 311 | logged. The category used by the Event Logging API (on pre Windows Vista 312 | operating systems) is written to this field. 
313 | 314 | - name: thread_id 315 | type: long 316 | required: false 317 | description: > 318 | The thread_id identifies the thread that generated the event. 319 | 320 | - name: user_data 321 | type: object 322 | object_type: keyword 323 | required: false 324 | description: > 325 | The event specific data. This field is mutually exclusive with 326 | `event_data`. 327 | 328 | - name: user.identifier 329 | type: keyword 330 | required: false 331 | example: S-1-5-21-3541430928-2051711210-1391384369-1001 332 | description: > 333 | The Windows security identifier (SID) of the account associated with 334 | this event. 335 | 336 | 337 | If Winlogbeat cannot resolve the SID to a name, then the `user.name`, 338 | `user.domain`, and `user.type` fields will be omitted from the event. 339 | If you discover Winlogbeat not resolving SIDs, review the log for 340 | clues as to what the problem may be. 341 | 342 | - name: user.name 343 | type: keyword 344 | required: false 345 | description: > 346 | The name of the account associated with this event. 347 | 348 | - name: user.domain 349 | type: keyword 350 | required: false 351 | description: > 352 | The domain that the account associated with this event is a member of. 353 | 354 | - name: user.type 355 | type: keyword 356 | required: false 357 | description: > 358 | The type of account associated with this event. 359 | 360 | - name: version 361 | type: long 362 | required: false 363 | description: The version number of the event's definition. 364 | 365 | - name: xml 366 | type: keyword 367 | type: text 368 | required: false 369 | description: > 370 | The raw XML representation of the event obtained from Windows. This 371 | field is only available on operating systems supporting the Windows 372 | Event Log API (Microsoft Windows Vista and newer). This field is not 373 | included by default and must be enabled by setting `include_xml: true` 374 | as a configuration option for an individual event log. 
375 | 376 | 377 | The XML representation of the event is useful for troubleshooting 378 | purposes. The data in the fields reported by Winlogbeat can be compared 379 | to the data in the XML to diagnose problems. 380 | -------------------------------------------------------------------------------- /agents/install-agents.ps1: -------------------------------------------------------------------------------- 1 | # delete service if it already exists 2 | if (Get-Service LittleBeat -ErrorAction SilentlyContinue) { 3 | $service = Get-WmiObject -Class Win32_Service -Filter "name='LittleBeat'" 4 | $service.StopService() 5 | Start-Sleep -s 1 6 | $service.delete() 7 | } 8 | 9 | $workdir = "C:\Program Files\LittleBeat Agent" 10 | 11 | # create new service 12 | New-Service -name LittleBeat ` 13 | -displayName LittleBeat ` 14 | -binaryPathName "`"$workdir\winlogbeat.exe`" -c `"$workdir\winlogbeat.yml`" -path.home `"$workdir`" -path.data `"C:\ProgramData\LittleBeat`" -path.logs `"C:\ProgramData\LittleBeat\logs`"" 15 | # start service 16 | Start-Sleep -s 5 17 | Start-Service -Name LittleBeat 18 | 19 | -------------------------------------------------------------------------------- /agents/install.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | cd "\Program Files\LittleBeat Agent" 3 | PowerShell.exe Set-ExecutionPolicy Bypass -Force 4 | PowerShell.exe .\install-agents.ps1 5 | PowerShell.exe Set-ExecutionPolicy Restricted -Force 6 | -------------------------------------------------------------------------------- /agents/littlebeat_agent_32.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | NOT Installed 40 | NOT Installed 41 | Installed 42 | 43 | 44 | 45 | 
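--------------------------------------------------------------------------------
/agents/littlebeat_agent_64.xml:
--------------------------------------------------------------------------------
1 | 2 | 3 | 7 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | NOT Installed 40 | NOT Installed 41 | Installed 42 | 43 | 44 | 45 |
--------------------------------------------------------------------------------
/agents/uninstall-agents.ps1:
--------------------------------------------------------------------------------
# uninstall-agents.ps1 - remove the "LittleBeat" Windows service if present.
# Run elevated. Any failure aborts the script instead of silently continuing.
$ErrorActionPreference = 'Stop'

$existing = Get-Service -Name LittleBeat -ErrorAction SilentlyContinue
if ($existing) {
    # Stop before deleting: the original deleted a possibly running service,
    # which only marks it for deletion and keeps winlogbeat.exe locked (and the
    # service visible) until the next reboot - not what an uninstaller wants.
    if ($existing.Status -ne 'Stopped') {
        Stop-Service -Name LittleBeat -Force
        $existing.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    $service = Get-WmiObject -Class Win32_Service -Filter "name='LittleBeat'"
    $result = $service.Delete()
    if ($result.ReturnValue -ne 0) {
        throw "uninstall-agents: Win32_Service.Delete failed (code $($result.ReturnValue))"
    }
}
--------------------------------------------------------------------------------
/agents/uninstall.bat:
--------------------------------------------------------------------------------
@echo off
rem Uninstaller bootstrap: run uninstall-agents.ps1 from the agent directory.
rem Same policy handling as install.bat: scope the execution-policy override
rem to this single PowerShell process instead of rewriting the machine-wide
rem policy (the original set Bypass, then Restricted - leaving Bypass behind
rem if the script aborted, and clobbering the administrator's own policy).
cd /d "C:\Program Files\LittleBeat Agent" || exit /b 1
PowerShell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File ".\uninstall-agents.ps1"
exit /b %ERRORLEVEL%
--------------------------------------------------------------------------------
/agents/win-audit-set.bat:
--------------------------------------------------------------------------------
@echo off
rem audit set - enable/disable the advanced audit policy subcategories whose
rem events the LittleBeat agent ships. Run elevated; auditpol needs
rem administrator rights. Subcategories are addressed by GUID, so the script
rem works regardless of the Windows display language.
rem ** System **
rem Security System Extension
auditpol /set /subcategory:"{0CCE9211-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
rem Security State Change
rem NOTE(review): with this off, system-time-change events (4616) are lost as
rem well, which hurts timeline reconstruction - consider enabling success here.
auditpol /set /subcategory:"{0CCE9210-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
rem System Integrity
auditpol /set /subcategory:"{0CCE9212-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Other System Events
auditpol /set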
/subcategory:"{0CCE9214-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem ** Logon/Logoff **
rem Logon
auditpol /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Logoff
auditpol /set /subcategory:"{0CCE9216-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Account Lockout
auditpol /set /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Special Logon
auditpol /set /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Other Logon/Logoff Events
auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Network Policy Server
auditpol /set /subcategory:"{0CCE9243-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem ** Object Access **
rem File System / Registry / Certification Services auditing is left off -
rem presumably for volume: these subcategories flood the Security log on every
rem host, and file/registry events only fire for objects that carry a SACL anyway.
rem File System
auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
rem Registry
auditpol /set /subcategory:"{0CCE921E-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
rem "Job object" (author's label; by GUID this is the Kernel Object subcategory - verify)
auditpol /set /subcategory:"{0CCE921F-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
rem Certification Services
auditpol /set /subcategory:"{0CCE9221-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
rem Application Generated
auditpol /set /subcategory:"{0CCE9222-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem File Share
auditpol /set /subcategory:"{0CCE9224-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Removable Storage
auditpol /set /subcategory:"{0CCE9245-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable


rem ** Detailed Tracking **
rem Process Creation
rem NOTE(review): 4688 events carry the command line only when "Include command
rem line in process creation events" is also turned on (a separate registry /
rem Group Policy setting, not an auditpol subcategory). This script does not set
rem it, so detections that key on command-line content will have nothing to match.
auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Process Termination
auditpol /set /subcategory:"{0CCE922C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem DPAPI Activity
auditpol /set /subcategory:"{0CCE922D-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem ** Policy Change **
rem Audit Policy Change
auditpol /set /subcategory:"{0CCE922F-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Authentication Policy Change
auditpol /set /subcategory:"{0CCE9230-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Authorization Policy Change
auditpol /set /subcategory:"{0CCE9231-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem ** Account Management **
rem User Account Management
auditpol /set /subcategory:"{0CCE9235-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Computer Account Management
auditpol /set /subcategory:"{0CCE9236-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Security Group Management
auditpol /set /subcategory:"{0CCE9237-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Distribution Group Management
auditpol /set /subcategory:"{0CCE9238-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Application Group Management
auditpol /set /subcategory:"{0CCE9239-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Other Account Management Events
auditpol /set /subcategory:"{0CCE923A-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

rem ** Account Logon **
rem Credential Validation
auditpol /set /subcategory:"{0CCE923F-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Kerberos Service Ticket Operations
auditpol /set
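/subcategory:"{0CCE9240-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
rem NOTE(review): success auditing is off for service-ticket operations, yet
rem Kerberoasting detection keys on *successful* 4769 requests (RC4 ticket
rem encryption); on domain controllers consider enabling success as well.
rem Other Account Logon Events
auditpol /set /subcategory:"{0CCE9241-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
rem Kerberos Authentication Service
auditpol /set /subcategory:"{0CCE9242-69AE-11D9-BED3-505054503030}" /success:disable /failure:enable
--------------------------------------------------------------------------------
/agents/winlogbeat.yml:
--------------------------------------------------------------------------------
# winlogbeat.yml - LittleBeat agent configuration: ship the Application,
# Security and System logs to the LittleBeat Logstash input over TLS.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

output.logstash:
  hosts: ["littlebeat:5044"]
  ssl.enabled: true
  # Verify the Logstash server certificate. The shipped value was "none",
  # which accepts any certificate and lets anyone on the network path
  # impersonate "littlebeat" and read or drop every Security-log event the
  # agent sends - TLS without verification gives no protection against an
  # active attacker. Deployment must therefore provide the CA that issued the
  # littlebeat:5044 certificate via ssl.certificate_authorities (see the
  # example below); without it the Windows system trust store is used and a
  # privately issued certificate will be rejected, which is the correct
  # failure mode.
  ssl.verification_mode: full
  # ssl.certificate_authorities: ["<path to the LittleBeat CA certificate>"]
--------------------------------------------------------------------------------
/agents/x32/winlogbeat.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/agents/x32/winlogbeat.exe
--------------------------------------------------------------------------------
/agents/x64/winlogbeat.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/agents/x64/winlogbeat.exe
--------------------------------------------------------------------------------
/backups/index:
--------------------------------------------------------------------------------
{"snapshots":["snapshot_kibana"]}
--------------------------------------------------------------------------------
/backups/indices/.kibana/0/__0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__0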
-------------------------------------------------------------------------------- /backups/indices/.kibana/0/__1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__1 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__2 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__3 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__4 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__5 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__6 
-------------------------------------------------------------------------------- /backups/indices/.kibana/0/__7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__7 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__8 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__9 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__a -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__b: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__b -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__c 
-------------------------------------------------------------------------------- /backups/indices/.kibana/0/__d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__d -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__e: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__e -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__f: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__f -------------------------------------------------------------------------------- /backups/indices/.kibana/0/__g: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/__g -------------------------------------------------------------------------------- /backups/indices/.kibana/0/index-0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/index-0 -------------------------------------------------------------------------------- /backups/indices/.kibana/0/snap-snapshot_kibana.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/0/snap-snapshot_kibana.dat 
-------------------------------------------------------------------------------- /backups/indices/.kibana/meta-snapshot_kibana.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/indices/.kibana/meta-snapshot_kibana.dat -------------------------------------------------------------------------------- /backups/meta-snapshot_kibana.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/meta-snapshot_kibana.dat -------------------------------------------------------------------------------- /backups/snap-snapshot_kibana.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/backups/snap-snapshot_kibana.dat -------------------------------------------------------------------------------- /bin/.bashrc: -------------------------------------------------------------------------------- 1 | # ~/.bashrc: executed by bash(1) for non-login shells. 2 | # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) 3 | # for examples 4 | 5 | # If not running interactively, don't do anything 6 | case $- in 7 | *i*) ;; 8 | *) return;; 9 | esac 10 | 11 | # don't put duplicate lines or lines starting with space in the history. 12 | # See bash(1) for more options 13 | HISTCONTROL=ignoreboth 14 | 15 | # append to the history file, don't overwrite it 16 | shopt -s histappend 17 | 18 | # for setting history length see HISTSIZE and HISTFILESIZE in bash(1) 19 | HISTSIZE=1000 20 | HISTFILESIZE=2000 21 | 22 | # check the window size after each command and, if necessary, 23 | # update the values of LINES and COLUMNS. 
24 | shopt -s checkwinsize 25 | 26 | # If set, the pattern "**" used in a pathname expansion context will 27 | # match all files and zero or more directories and subdirectories. 28 | #shopt -s globstar 29 | 30 | # make less more friendly for non-text input files, see lesspipe(1) 31 | [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" 32 | 33 | # set variable identifying the chroot you work in (used in the prompt below) 34 | if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then 35 | debian_chroot=$(cat /etc/debian_chroot) 36 | fi 37 | 38 | # set a fancy prompt (non-color, unless we know we "want" color) 39 | case "$TERM" in 40 | xterm-color|*-256color) color_prompt=yes;; 41 | esac 42 | 43 | # uncomment for a colored prompt, if the terminal has the capability; turned 44 | # off by default to not distract the user: the focus in a terminal window 45 | # should be on the output of commands, not on the prompt 46 | #force_color_prompt=yes 47 | 48 | if [ -n "$force_color_prompt" ]; then 49 | if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then 50 | # We have color support; assume it's compliant with Ecma-48 51 | # (ISO/IEC-6429). (Lack of such support is extremely rare, and such 52 | # a case would tend to support setf rather than setaf.) 
53 | color_prompt=yes 54 | else 55 | color_prompt= 56 | fi 57 | fi 58 | 59 | if [ "$color_prompt" = yes ]; then 60 | PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' 61 | else 62 | PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' 63 | fi 64 | unset color_prompt force_color_prompt 65 | 66 | # If this is an xterm set the title to user@host:dir 67 | case "$TERM" in 68 | xterm*|rxvt*) 69 | PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" 70 | ;; 71 | *) 72 | ;; 73 | esac 74 | 75 | # enable color support of ls and also add handy aliases 76 | if [ -x /usr/bin/dircolors ]; then 77 | test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" 78 | alias ls='ls --color=auto' 79 | #alias dir='dir --color=auto' 80 | #alias vdir='vdir --color=auto' 81 | 82 | alias grep='grep --color=auto' 83 | alias fgrep='fgrep --color=auto' 84 | alias egrep='egrep --color=auto' 85 | fi 86 | 87 | # colored GCC warnings and errors 88 | #export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01' 89 | 90 | # some more ls aliases 91 | alias ll='ls -alF' 92 | alias la='ls -A' 93 | alias l='ls -CF' 94 | 95 | # Add an "alert" alias for long running commands. Use like so: 96 | # sleep 10; alert 97 | alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"' 98 | 99 | # Alias definitions. 100 | # You may want to put all your additions into a separate file like 101 | # ~/.bash_aliases, instead of adding them here directly. 102 | # See /usr/share/doc/bash-doc/examples in the bash-doc package. 103 | 104 | if [ -f ~/.bash_aliases ]; then 105 | . ~/.bash_aliases 106 | fi 107 | 108 | # enable programmable completion features (you don't need to enable 109 | # this, if it's already enabled in /etc/bash.bashrc and /etc/profile 110 | # sources /etc/bash.bashrc). 111 | if ! 
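shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

-------------------------------------------------------------------------------- /bin/addons.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Fetch the add-ons installer for the pinned release tag and run it.
#
# The console runs with the privileges of the menu user (the other menus call
# reboot/shutdown, so normally root). The only protection on the download is
# HTTPS plus the pinned tag in the URL; there is no separate integrity check.
# Because of that the previously installed copy is replaced only after the
# download succeeded, instead of being deleted up front as before.
homedir="/opt/littlebeat"
addon_script="littlebeat_6.1.001_addons.sh"
addon_url="https://raw.githubusercontent.com/ESGuardian/LittleBeat/v-6.1.001/addons/${addon_script}"

dialog --title "LITTLEBEAT" --backtitle "Дополнения" --infobox "Идем за дополнениями на github" 7 70

# Download into a private temp file rather than the current directory.
# (The original redirected to "/dev/nul", a typo that created a regular file.)
tmpfile=$(mktemp) || exit 1
if wget -q -O "$tmpfile" "$addon_url" >/dev/null 2>&1 && [ -s "$tmpfile" ]; then
  install -m 0755 -- "$tmpfile" "$homedir/addons/$addon_script"
  rm -f -- "$tmpfile"
  bash "$homedir/addons/$addon_script"
else
  rm -f -- "$tmpfile"
  dialog --title "LITTLEBEAT" --backtitle "Дополнения" --msgbox "Не удалось загрузить дополнения с github" 7 70
fi


-------------------------------------------------------------------------------- /bin/elastic_console.sh: --------------------------------------------------------------------------------
#!/bin/bash
elk_menu=("Статус Elastic" "" "Индексы и шарды" "" "Удалить индексы" "" "Загрузить шаблон" "" "Отключить лишние реплики" "" "Проверить конфиг Logstash" "" "Рестартовать Logstash" "")
while true; do
dialog --title "LITTLEBEAT" --menu " " 14 50 ${#elk_menu[@]} "${elk_menu[@]}" 2>/tmp/choise.$$
response=$?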
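case $response in
  0)
    choise=$(cat /tmp/choise.$$)
    rm /tmp/choise.$$
    ;;
  1)
    exit
    ;;
  255)
    exit
    ;;
esac
# NOTE(review): /tmp/choise.$$ and /tmp/curl.$$ are predictable names and the
# console usually runs as root; a mktemp-based name with a cleanup trap would
# be safer. Left unchanged here because the file is created at the top of the
# loop, outside this section.
if [ "$choise" == "Статус Elastic" ]; then
  # "/dev/nul" in the original was a typo that created a regular file.
  curl -XGET 'http://localhost:9200/_cluster/stats?human&pretty' >/tmp/curl.$$ 2>/dev/null
  dialog --title "LITTLEBEAT" --backtitle "Консоль ELK" --textbox /tmp/curl.$$ 20 78
fi
if [ "$choise" == "Индексы и шарды" ]; then
  curl -s localhost:9200/_cat/shards?v >/tmp/curl.$$ 2>/dev/null
  dialog --title "LITTLEBEAT" --backtitle "Консоль ELK" --textbox /tmp/curl.$$ 20 78
fi
if [ "$choise" == "Удалить индексы" ]; then
  index_name=$(dialog --stdout --title "LITTLEBEAT" --backtitle "Консоль ELK. Удалить индекс." --inputbox "Имя индекса (можно использовать паттерн *)?" 10 70)
  case $? in
    0)
      # The name is spliced into the URL path, so it must look like an index
      # name (or a pattern inside one): no "/" or other characters that would
      # turn the request into a different API call, no leading "_"/"-"/"+".
      # A bare "*" or "_all" would drop every index, including .kibana.
      name_re='^[^_+/?"<>|, #\\-][^/?"<>|, #\\]*$'
      if [ "$index_name" == "*" ] || ! [[ "$index_name" =~ $name_re ]]; then
        dialog --title "LITTLEBEAT" --backtitle "Консоль ELK. Удалить индекс." --msgbox "Укажите имя индекса или более точный паттерн: пустое имя, * и _all удалять нельзя" 8 70
      else
        dialog --title "LITTLEBEAT" --backtitle "Консоль ELK. Удалить индекс." \
          --yesno "Вы уверены, что хотите удалить индекс $index_name?" 8 70
        case $? in
          0)
            curl -XDELETE "http://localhost:9200/$index_name/" >/tmp/curl.$$ 2>/dev/null
            dialog --title "LITTLEBEAT" --backtitle "Консоль ELK. Результат операции." --textbox /tmp/curl.$$ 10 70
            ;;
          *)
            :
            ;;
        esac
      fi
      ;;
    *)
      :
      ;;
  esac
fi
if [ "$choise" == "Загрузить шаблон" ]; then
  template=$(dialog --stdout --title "LITTLEBEAT" --backtitle "Консоль ELK. Выбор файла с шаблоном" --fselect / 10 70)
  case $? in
    0)
      template_name=$(dialog --stdout --title "LITTLEBEAT" --backtitle "Консоль ELK. Загрузить шаблон." --inputbox "Имя шаблона?" 8 70)
      case $? in
        0)
          # Elasticsearch 6 rejects request bodies without an explicit
          # Content-Type (snipet.sh already sends it); the file path is quoted
          # so a path containing spaces is passed intact.
          curl -XPUT "http://localhost:9200/_template/$template_name" -H 'Content-Type: application/json' -d "@$template" >/tmp/curl.$$ 2>/dev/null
          dialog --title "LITTLEBEAT" --backtitle "Консоль ELK.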
Результат загрузки" --textbox /tmp/curl.$$ 10 70 65 | 66 | ;; 67 | 1) 68 | : 69 | ;; 70 | 255) 71 | : 72 | ;; 73 | esac 74 | ;; 75 | 1) 76 | :;; 77 | 255) 78 | :;; 79 | esac 80 | 81 | fi 82 | 83 | if [ "$choise" == "Отключить лишние реплики" ]; then 84 | curl -XPUT 'localhost:9200/_settings' -d ' 85 | { 86 | "index" : { 87 | "number_of_replicas" : 0 88 | } 89 | }' >/dev/nul 2>/dev/nul 90 | dialog --title "LITTLEBEAT" --backtitle "Консоль ELK" --msgbox "Отключены резервные реплики. В нашей конфигурации они не нужны." 7 70 91 | fi 92 | if [ "$choise" == "Проверить конфиг Logstash" ]; then 93 | 94 | dialog --title "LITTLEBEAT" --backtitle "Консоль ELK. Проверка конфига Logstash" --infobox "Проверка запущена. Подождите ..." 7 70 95 | /usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d >/tmp/result.$$ 2>/dev/nul 96 | 97 | dialog --title "LITTLEBEAT" --backtitle "Консоль ELK. Проверка конфига Logstash" --textbox /tmp/result.$$ 18 78 98 | 99 | fi 100 | if [ "$choise" == "Рестартовать Logstash" ]; then 101 | service logstash restart >/dev/nul 2>&1 102 | dialog --title "LITTLEBEAT" --backtitle "Консоль ELK" --msgbox "Logstash перезапущен." 7 70 103 | fi 104 | 105 | done; 106 | -------------------------------------------------------------------------------- /bin/main_menu.sh: -------------------------------------------------------------------------------- 1 | # Основное меню 2 | homedir="/opt/littlebeat" 3 | while true; do 4 | main_menu=("Настройка обзора сети" "" "Консоль ELK" "" "Индекс процессов Windows" "" "Дополнения" "" "Выход в Shell" "" "Перезагрузка" "" "Отключение машины" "") 5 | 6 | dialog --title "LITTLEBEAT" --backtitle "Главная консоль" --menu " " 15 50 ${#main_menu[@]} "${main_menu[@]}" 2>/tmp/choise.$$ 7 | response=$? 
8 | case $response in 9 | 0) 10 | choise=`cat /tmp/choise.$$` 11 | rm /tmp/choise.$$ 12 | ;; 13 | 1) 14 | choise="" 15 | ;; 16 | 255) 17 | choise="" 18 | ;; 19 | esac 20 | if [ "$choise" == "Настройка обзора сети" ]; then 21 | ($homedir/bin/nmap_config.sh) 22 | fi 23 | if [ "$choise" == "Дополнения" ]; then 24 | ($homedir/bin/addons.sh) 25 | fi 26 | if [ "$choise" == "Консоль ELK" ]; then 27 | ($homedir/bin/elastic_console.sh) 28 | fi 29 | if [ "$choise" == "Индекс процессов Windows" ]; then 30 | ($homedir/bin/win_proc.sh) 31 | fi 32 | 33 | if [ "$choise" == "Выход в Shell" ]; then 34 | clear 35 | echo "Выход в OS shell. Чтобы вернуться в меню, наберите exit." 36 | (/bin/bash --rcfile $homedir/bin/.bashrc) 37 | fi 38 | if [ "$choise" == "Перезагрузка" ]; then 39 | clear 40 | echo "Перезагрузка машины" 41 | reboot now 42 | fi 43 | if [ "$choise" == "Отключение машины" ]; then 44 | clear 45 | echo "Выключение машины" 46 | shutdown -h now 47 | fi 48 | 49 | done 50 | -------------------------------------------------------------------------------- /bin/nmap-rep.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | 3 | -------------------------------------------------------------------------------- /bin/nmap_config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #nmap -T4 -F 192.168.1.0/24 -oX - | curl -H "x-nmap-target: user-subnet" http://localhost:1080 -d @- 3 | homedir="/opt/littlebeat" 4 | net_conf_menu=("Добавить сеть" "" "Список сетей" "" "Запустить обзор сейчас" "") 5 | while true; do 6 | dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Что будем делать?" --menu "Что будем делать?" 12 50 ${#net_conf_menu[@]} "${net_conf_menu[@]}" 2>/tmp/choise.$$ 7 | response=$? 
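case $response in
  0)
    choise=$(cat /tmp/choise.$$)
    rm /tmp/choise.$$
    ;;
  1)
    exit
    ;;
  255)
    exit
    ;;
esac

# Everything entered below is written as a line of $homedir/bin/nmap-rep.sh,
# which "Запустить обзор сейчас" later executes with this script's privileges.
# Both values are therefore validated before they are written: the network
# must be a dotted quad with a prefix length, and the label may not contain
# characters that are significant to the shell or would close the quotes in
# the generated line.
cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
bad_label_re='["\\$`;|&<>]'
rep_script="$homedir/bin/nmap-rep.sh"

if [ "$choise" == "Добавить сеть" ]; then
  while true; do
    # Private temp file instead of the predictable /tmp/cidr.$$.
    cidr_file=$(mktemp) || exit 1
    dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Добавляем сеть." \
      --inputbox "Введите адрес сети в формате CIDR (192.168.1.10/24)\nВ качестве ip адреса укажите адрес хоста, который, по Вашему мнению, должен быть сейчас доступен (это для проверки)." \
      20 70 "" 2>"$cidr_file"
    rc=$?
    cidr=$(cat "$cidr_file")
    rm -f -- "$cidr_file"
    if [ $rc -eq 0 ]; then
      if ! [[ "$cidr" =~ $cidr_re ]]; then
        dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Добавляем сеть." \
          --msgbox "Адрес $cidr не похож на CIDR (пример: 192.168.1.10/24)" 10 70
        continue
      fi
      adr=${cidr%/*}
      check=$(ping -c 2 "$adr" | grep "bytes from $adr")
      if [ "$check" == "" ]; then
        dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Добавляем сеть." \
          --yesno "При проверке пингом адрес $adr оказался недоступен\nВы уверены, что следует оставить эту сеть?" 20 70
        if [ $? -eq 1 ]; then
          cidr=""
        fi
      fi
      if [ "$cidr" != "" ]; then
        name=""
        while [ "$name" == "" ]; do
          name_file=$(mktemp) || exit 1
          dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Добавляем сеть." \
            --inputbox "Введите краткое название сети, например: Домашняя сеть" \
            10 70 "" 2>"$name_file"
          name=$(cat "$name_file")
          rm -f -- "$name_file"
          if [[ "$name" =~ $bad_label_re ]]; then
            dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Добавляем сеть." \
              --msgbox 'В названии нельзя использовать кавычки и служебные символы ($ ` \ ; | & < >)' 10 70
            name=""
          fi
        done
        echo "nmap -T4 -F $cidr -oX - | curl -H \"x-nmap-target: $name\" http://localhost:1080 -d @-" >> "$rep_script"
        dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Добавляем сеть." \
          --msgbox "Сеть $cidr c меткой $name добавлена" 10 70
        break
      fi
    else
      # Cancel/ESC used to re-prompt forever; leave the sub-menu instead.
      break
    fi
  done
fi

if [ "$choise" == "Список сетей" ]; then
  while true
  do
    ip_ar=($(grep -oP "(\d+\.\d+\.\d+\.\d+/\d+)" "$rep_script"))
    # Split on '"' so each label (which may contain spaces) stays one element.
    oldIFS=$IFS
    IFS="\""
    name_ar=($(grep -oP "(x-nmap-target: .*\")" "$rep_script"))
    IFS=$oldIFS
    n=${#name_ar[@]}
    if [ $n -eq 0 ]; then
      dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Список и удаление лишних" --msgbox "Список сетей пуст. Надо сначала добавить сеть" 10 70
      break
    fi
    for ((i=0;i<n;i++))
    do
      name_ar[$i]=${name_ar[$i]#*: }
    done
    options=()
    for ((i=0;i<n;i++))
    do
      options+=("${ip_ar[$i]}" "${name_ar[$i]}" "off")
    done

    nets_file=$(mktemp) || exit 1
    dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Список и удаление лишних" --checklist "Здесь можно выбрать сети для удаления" 10 70 $n "${options[@]}" 2>"$nets_file"
    rc=$?
    nets_to_delete=($(cat "$nets_file"))
    rm -f -- "$nets_file"
    if [ $rc -eq 0 ]; then
      for str in "${nets_to_delete[@]}"
      do
        # The checklist tag is the CIDR; drop the prefix length and escape the
        # dots so sed matches the address literally rather than "any character".
        str=${str%/*}
        str=${str//./\\.}
        sed -i "/$str/d" "$rep_script"
      done
    else
      break
    fi
  done
fi

if [ "$choise" == "Запустить обзор сейчас" ]; then
  nohup "$rep_script" >/dev/null 2>&1 &
  dialog --title "LITTLEBEAT" --backtitle "Настройка обзора сети. Запустить обзор сейчас."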
\ 97 | --msgbox "Обзор сетей запущен в фоновом режиме" 10 70 98 | exit 99 | fi 100 | done 101 | 102 | -------------------------------------------------------------------------------- /bin/snipet.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | chown -R elasticsearch:elasticsearch /opt/littlebeat/backups 4 | curl -XPUT 'http://localhost:9200/_snapshot/littlebeat' -d '{ 5 | "type": "fs", 6 | "settings": { 7 | "location": "/opt/littlebeat/backups", 8 | "compress": true 9 | } 10 | }' 11 | 12 | 13 | curl -XPUT 'localhost:9200/_snapshot/littlebeat/snapshot_kibana?pretty' -H 'Content-Type: application/json' -d'{ 14 | "indices": ".kibana", 15 | "ignore_unavailable": true, 16 | "include_global_state": false 17 | }' 18 | 19 | 20 | curl -XPOST 'localhost:9200/_snapshot/littlebeat/snapshot_kibana/_restore?pretty' 21 | -------------------------------------------------------------------------------- /bin/win_proc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | homedir="/opt/littlebeat" 3 | win_proc_menu=("Выгрузить неизвестные процессы" "" "Выгрузить все процессы" "" "Загрузить список процессов" "") 4 | while true; do 5 | dialog --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --menu "Что будем делать?" 12 50 ${#win_proc_menu[@]} "${win_proc_menu[@]}" 2>/tmp/choise.$$ 6 | response=$? 7 | case $response in 8 | 0) 9 | choise=`cat /tmp/choise.$$` 10 | rm /tmp/choise.$$ 11 | ;; 12 | 1) 13 | exit 14 | ;; 15 | 255) 16 | exit 17 | ;; 18 | esac 19 | 20 | if [ "$choise" == "Выгрузить неизвестные процессы" ]; then 21 | dais=`dialog --stdout --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --inputbox "За какое количество дней выгрузить обнаруженные процессы?" 7 70 "1"` 22 | case $? 
in 23 | 0) 24 | dialog --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --infobox "Выгружаем неизвестные процессы за последние $dais дней" 7 70 25 | $homedir/py/get_proc_list.py $dais 26 | 27 | ;; 28 | 1) 29 | : 30 | ;; 31 | 255) 32 | : 33 | ;; 34 | esac 35 | fi 36 | 37 | if [ "$choise" == "Выгрузить все процессы" ]; then 38 | dais=`dialog --stdout --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --inputbox "За какое количество дней выгрузить обнаруженные процессы?" 7 70 "1"` 39 | case $? in 40 | 0) 41 | dialog --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --infobox "Выгружаем все процессы, обнаруженные за последние $dais дней" 7 70 42 | $homedir/py/get_proc_list_full.py $dais 43 | 44 | ;; 45 | 1) 46 | : 47 | ;; 48 | 255) 49 | : 50 | ;; 51 | esac 52 | fi 53 | 54 | if [ "$choise" == "Загрузить список процессов" ]; then 55 | dialog --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --infobox "Загружаем список процессов" 7 70 56 | $homedir/py/set_proc_list.py 57 | dialog --title "LITTLEBEAT" --backtitle "Управление индексом процессов Windows" --msgbox "Список процессов загружен" 7 70 58 | 59 | fi 60 | done 61 | 62 | -------------------------------------------------------------------------------- /console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/console.png -------------------------------------------------------------------------------- /data/dashboards/NMAP-dash.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "6.1.3", 3 | "objects": [ 4 | { 5 | "id": "NMAP-by-ip-table", 6 | "type": "visualization", 7 | "updated_at": "2018-02-04T14:12:01.310Z", 8 | "version": 1, 9 | "attributes": { 10 | "savedSearchId": "NMAP-common-search", 11 | "description": "", 12 | "uiStateJSON": "{}", 
13 | "title": "NMAP-IP-адреса", 14 | "version": 1, 15 | "kibanaSavedObjectMeta": { 16 | "searchSourceJSON": "{\"filter\":[]}" 17 | }, 18 | "visState": "{\"title\":\"NMAP-IP-адреса\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"port.service.name\",\"customLabel\":\"Кол-во сервисов\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ipv4\",\"size\":300,\"order\":\"asc\",\"orderBy\":\"_term\",\"customLabel\":\"IP адреса\"}}],\"listeners\":{}}" 19 | } 20 | }, 21 | { 22 | "id": "NMAP-hosts-by-subnet-table", 23 | "type": "visualization", 24 | "updated_at": "2018-02-04T14:12:01.310Z", 25 | "version": 1, 26 | "attributes": { 27 | "savedSearchId": "NMAP-common-search", 28 | "description": "", 29 | "uiStateJSON": "{}", 30 | "title": "NMAP-хосты-по-сетям", 31 | "version": 1, 32 | "kibanaSavedObjectMeta": { 33 | "searchSourceJSON": "{\"filter\":[]}" 34 | }, 35 | "visState": "{\"title\":\"NMAP-хосты-по-сетям\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"ipv4\",\"customLabel\":\"Кол-во IP адресов\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"headers.http_x_nmap_target\",\"size\":100,\"order\":\"asc\",\"orderBy\":\"_term\",\"customLabel\":\"Сети\"}}],\"listeners\":{}}" 36 | } 37 | }, 38 | { 39 | "id": "02c215b0-0432-11e8-b731-87e30402f6f8", 40 | "type": "visualization", 41 | "updated_at": "2018-02-04T14:12:01.310Z", 42 | "version": 1, 43 | "attributes": { 44 | "title": "nmap-hosts", 45 | "visState": 
"{\"title\":\"nmap-hosts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"к-во\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.name\",\"size\":10000,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Хост\"}}]}", 46 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 47 | "description": "", 48 | "version": 1, 49 | "kibanaSavedObjectMeta": { 50 | "searchSourceJSON": "{\"index\":\"nmap-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}" 51 | } 52 | } 53 | }, 54 | { 55 | "id": "a8178630-0432-11e8-b731-87e30402f6f8", 56 | "type": "visualization", 57 | "updated_at": "2018-02-04T14:12:01.310Z", 58 | "version": 1, 59 | "attributes": { 60 | "title": "nmap-ports", 61 | "visState": "{\"title\":\"nmap-ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"к-во\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ports.number\",\"size\":10000,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Порт\"}}]}", 62 | "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 63 | "description": "", 64 | "version": 1, 65 | "kibanaSavedObjectMeta": { 66 | "searchSourceJSON": "{\"index\":\"nmap-*\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" 67 | } 68 | } 69 | }, 70 | { 71 | "id": "NMAP-common-search", 72 | "type": "search", 73 | 
"updated_at": "2018-02-05T11:46:27.910Z", 74 | "version": 2, 75 | "attributes": { 76 | "title": "NMAP-common-search", 77 | "description": "", 78 | "hits": 0, 79 | "columns": [ 80 | "ipv4", 81 | "port.number", 82 | "hostname.name", 83 | "port.service.name", 84 | "port.state" 85 | ], 86 | "sort": [ 87 | "@timestamp", 88 | "desc" 89 | ], 90 | "version": 1, 91 | "kibanaSavedObjectMeta": { 92 | "searchSourceJSON": "{\"index\":\"nmap-*\",\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647},\"highlightAll\":true,\"version\":true}" 93 | } 94 | } 95 | }, 96 | { 97 | "id": "NMAP-dash", 98 | "type": "dashboard", 99 | "updated_at": "2018-02-05T11:47:52.937Z", 100 | "version": 2, 101 | "attributes": { 102 | "title": "NMAP-dash", 103 | "hits": 0, 104 | "description": "", 105 | "panelsJSON": "[{\"panelIndex\":\"3\",\"gridData\":{\"x\":8,\"y\":0,\"w\":4,\"h\":6,\"i\":\"3\"},\"id\":\"NMAP-by-ip-table\",\"type\":\"visualization\",\"version\":\"6.1.2\"},{\"panelIndex\":\"4\",\"gridData\":{\"x\":4,\"y\":0,\"w\":4,\"h\":3,\"i\":\"4\"},\"id\":\"NMAP-hosts-by-subnet-table\",\"type\":\"visualization\",\"version\":\"6.1.2\"},{\"panelIndex\":\"8\",\"gridData\":{\"x\":0,\"y\":0,\"w\":4,\"h\":6,\"i\":\"8\"},\"id\":\"02c215b0-0432-11e8-b731-87e30402f6f8\",\"type\":\"visualization\",\"version\":\"6.1.2\"},{\"panelIndex\":\"9\",\"gridData\":{\"x\":4,\"y\":3,\"w\":4,\"h\":3,\"i\":\"9\"},\"id\":\"a8178630-0432-11e8-b731-87e30402f6f8\",\"type\":\"visualization\",\"version\":\"6.1.2\"},{\"panelIndex\":\"10\",\"gridData\":{\"x\":0,\"y\":6,\"w\":12,\"h\":5,\"i\":\"10\"},\"version\":\"6.1.3\",\"type\":\"search\",\"id\":\"NMAP-common-search\"}]", 106 | "optionsJSON": 
"{\"darkTheme\":false,\"hidePanelTitles\":true,\"useMargins\":true}", 107 | "uiStateJSON": "{\"P-3\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-4\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"spy\":{\"mode\":{\"fill\":false,\"name\":null}}},\"P-8\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-9\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", 108 | "version": 1, 109 | "timeRestore": true, 110 | "timeTo": "now", 111 | "timeFrom": "now-24h", 112 | "refreshInterval": { 113 | "display": "Off", 114 | "pause": false, 115 | "value": 0 116 | }, 117 | "kibanaSavedObjectMeta": { 118 | "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" 119 | } 120 | } 121 | } 122 | ] 123 | } -------------------------------------------------------------------------------- /data/kibana.svg: -------------------------------------------------------------------------------- 1 | 2 | image/svg+xmlKibana-Full-LogoLittleBeat 108 | -------------------------------------------------------------------------------- /etc/default/elasticsearch: -------------------------------------------------------------------------------- 1 | ################################ 2 | # Elasticsearch 3 | ################################ 4 | 5 | # Elasticsearch home directory 6 | ES_HOME=/usr/share/elasticsearch 7 | 8 | # Elasticsearch configuration directory 9 | CONF_DIR=/etc/elasticsearch 10 | 11 | # Elasticsearch data directory 12 | DATA_DIR=/var/lib/elasticsearch 13 | 14 | # Elasticsearch logs directory 15 | LOG_DIR=/var/log/elasticsearch 16 | 17 | # Elasticsearch PID directory 18 | #PID_DIR=/var/run/elasticsearch 19 | 20 | # Heap size defaults to 256m min, 1g max 21 | # Set ES_HEAP_SIZE to 50% of available RAM, but no more 
than 31g 22 | ES_HEAP_SIZE=8g 23 | 24 | # Heap new generation 25 | #ES_HEAP_NEWSIZE= 26 | 27 | # Maximum direct memory 28 | #ES_DIRECT_SIZE= 29 | 30 | # Additional Java OPTS 31 | #ES_JAVA_OPTS= 32 | 33 | # Configure restart on package upgrade (true, every other setting will lead to not restarting) 34 | #RESTART_ON_UPGRADE=true 35 | 36 | # Path to the GC log file 37 | #ES_GC_LOG_FILE=/var/log/elasticsearch/gc.log 38 | 39 | ################################ 40 | # Elasticsearch service 41 | ################################ 42 | 43 | # SysV init.d 44 | # 45 | # When executing the init script, this user will be used to run the elasticsearch service. 46 | # The default value is 'elasticsearch' and is declared in the init.d file. 47 | # Note that this setting is only used by the init script. If changed, make sure that 48 | # the configured user can read and write into the data, work, plugins and log directories. 49 | # For systemd service, the user is usually configured in file /usr/lib/systemd/system/elasticsearch.service 50 | #ES_USER=elasticsearch 51 | #ES_GROUP=elasticsearch 52 | 53 | # The number of seconds to wait before checking if Elasticsearch started successfully as a daemon process 54 | ES_STARTUP_SLEEP_TIME=5 55 | 56 | ################################ 57 | # System properties 58 | ################################ 59 | 60 | # Specifies the maximum file descriptor number that can be opened by this process 61 | # When using Systemd, this setting is ignored and the LimitNOFILE defined in 62 | # /usr/lib/systemd/system/elasticsearch.service takes precedence 63 | MAX_OPEN_FILES=500000 64 | 65 | # The maximum number of bytes of memory that may be locked into RAM 66 | # Set to "unlimited" if you use the 'bootstrap.memory_lock: true' option 67 | # in elasticsearch.yml (ES_HEAP_SIZE must also be set). 
68 | # When using Systemd, the LimitMEMLOCK property must be set 69 | # in /usr/lib/systemd/system/elasticsearch.service 70 | MAX_LOCKED_MEMORY=unlimited 71 | 72 | # Maximum number of VMA (Virtual Memory Areas) a process can own 73 | # When using Systemd, this setting is ignored and the 'vm.max_map_count' 74 | # property is set at boot time in /usr/lib/sysctl.d/elasticsearch.conf 75 | MAX_MAP_COUNT=262144 76 | -------------------------------------------------------------------------------- /etc/default/kibana: -------------------------------------------------------------------------------- 1 | user="kibana" 2 | group="kibana" 3 | chroot="/" 4 | chdir="/" 5 | nice="" 6 | 7 | 8 | # If this is set to 1, then when `stop` is called, if the process has 9 | # not exited within a reasonable time, SIGKILL will be sent next. 10 | # The default behavior is to simply log a message "program stop failed; still running" 11 | KILL_ON_STOP_TIMEOUT=0 12 | -------------------------------------------------------------------------------- /etc/default/logstash: -------------------------------------------------------------------------------- 1 | ############################### 2 | # Default settings for logstash 3 | ############################### 4 | 5 | # Override Java location 6 | #JAVACMD=/usr/bin/java 7 | 8 | # Set a home directory 9 | #LS_HOME=/var/lib/logstash 10 | 11 | # Arguments to pass to logstash agent 12 | #LS_OPTS="" 13 | 14 | # Arguments to pass to java 15 | #LS_HEAP_SIZE="1g" 16 | #LS_JAVA_OPTS="-Djava.io.tmpdir=$HOME" 17 | 18 | # pidfiles aren't used for upstart; this is for sysv users. 
19 | #LS_PIDFILE=/var/run/logstash.pid 20 | 21 | # user id to be invoked as; for upstart: edit /etc/init/logstash.conf 22 | #LS_USER=logstash 23 | 24 | # logstash logging 25 | #LS_LOG_FILE=/var/log/logstash/logstash.log 26 | #LS_USE_GC_LOGGING="true" 27 | #LS_GC_LOG_FILE=/var/log/logstash/gc.log 28 | 29 | # logstash configuration directory 30 | #LS_CONF_DIR=/etc/logstash/conf.d 31 | 32 | # Open file limit; cannot be overridden in upstart 33 | #LS_OPEN_FILES=16384 34 | 35 | # Nice level 36 | #LS_NICE=19 37 | 38 | # If this is set to 1, then when `stop` is called, if the process has 39 | # not exited within a reasonable time, SIGKILL will be sent next. 40 | # The default behavior is to simply log a message "program stop failed; still running" 41 | KILL_ON_STOP_TIMEOUT=0 42 | -------------------------------------------------------------------------------- /etc/default/nginx: -------------------------------------------------------------------------------- 1 | # Note: You may want to look at the following page before setting the ULIMIT. 2 | # http://wiki.nginx.org/CoreModule#worker_rlimit_nofile 3 | # Set the ulimit variable if you need defaults to change. 
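# Example: ULIMIT="-n 4096"
#ULIMIT="-n 4096"

# Define the stop schedule for nginx
# see the start-stop-daemon --retry documentation for more information
#
#STOP_SCHEDULE="QUIT/5/TERM/5/KILL/5"
-------------------------------------------------------------------------------- /etc/logstash/conf.d/01-beats.conf: --------------------------------------------------------------------------------
# Winlogbeat ingest pipeline: TLS-terminated beats input, Windows event
# enrichment (logon type text, process severity lookup), output to the local
# Elasticsearch (output section continues below).
input {
  beats {
    port => 5044
    # TLS protects the transport only: no ssl_certificate_authorities /
    # ssl_verify_mode are configured, so clients are NOT authenticated and any
    # host that can reach 5044 can inject events. Restrict the port at the
    # firewall, or issue client certificates and set ssl_verify_mode => "force_peer".
    ssl => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key => "/etc/logstash/logstash.pem"
  }
}

filter {
  # Normalise the agent host name so dashboards group case-insensitively.
  if [beat][hostname] {
    ruby { code => "s = event.get('[beat][hostname]').downcase; event.set('[beat][hostname]', s);" }
  }
  if [@metadata][beat] == "winlogbeat" {

    if [event_data][LogonType] {
      # Default text, overridden below only when the logon type code is known.
      mutate { add_field => { "[event_data][LogonTypeDesc]" => "Неизвестный" } }
      ruby {
        # Previously event.set() ran unconditionally, so an unknown code replaced
        # the default with nil instead of leaving "Неизвестный" in place.
        code => "dict = {'0'=>'Системный', '1'=>'Неизвестный', '2'=>'Интерактивный', '3'=>'Сетевой', '4'=>'Пакетный', '5'=>'Как Сервис', '6'=>'Прокси', '7'=>'Снятие блокировки (локально)', '8'=>'Сетевой (открытый текст)', '9'=>'Новая учетная запись', '10'=>'Интерактивный (удаленно)', '11'=>'Интерактивный (из кэша)', '12'=>'Интерактивный (удаленно, из кэша)', '13'=>'Снятие блокировки (из кэша)'}; key = event.get('[event_data][LogonType]'); event.set('[event_data][LogonTypeDesc]', dict[key]) if dict.key?(key);"
      }
    }
    if [event_data][NewProcessName] {
      # Defaults for processes that are not (yet) classified in win-proc-list.
      mutate {
        add_field => {
          "[event_data][NewProcessBareName]" => "NewProcessBareName"
          "[event_data][NewProcessSeverity]" => "Неизвестный"
          "[event_data][NewProcessSeverityComment]" => "Авто"
        }
      }
      ruby {
        # Bare, lower-cased image name, plus a copy with Lucene query_string
        # metacharacters backslash-escaped. NewProcessName is endpoint-supplied
        # and the elasticsearch filter below interpolates it into a query_string,
        # so an unescaped name containing e.g. '*', '?' or ':' could match - and
        # inherit the severity of - an unrelated win-proc-list entry. A name
        # containing a double quote still fails the lookup (fails safe: defaults
        # stay) because '"' cannot be written inside this config string.
        code => "s = event.get('[event_data][NewProcessName]').split('\\')[-1].downcase; event.set('[event_data][NewProcessBareName]', s); event.set('[@metadata][proc_query]', s.gsub(/([-+!&|(){}\[\]^~*?:\\\/ ])/) { '\\' + $1 });"
      }
      elasticsearch {
        # Lookup against the operator-maintained list of known processes
        # (see py/get_proc_list.py / py/set_proc_list.py). Talks to the default
        # localhost:9200 without credentials.
        index => "win-proc-list"
        query => "proc_name:%{[@metadata][proc_query]}"
        fields =>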
[["severity","[event_data][NewProcessSeverity]"], ["comment","[event_data][NewProcessSeverityComment]"]] 38 | } 39 | 40 | 41 | } 42 | 43 | } 44 | 45 | } 46 | 47 | output { 48 | if [@metadata][beat] == "winlogbeat" { 49 | elasticsearch { 50 | hosts => ["http://localhost:9200"] 51 | index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" 52 | template => "/etc/logstash/templates/winlogbeat-6.1.3-template.json" 53 | template_name => "winlogbeat-6.1.3" 54 | template_overwrite => true 55 | } 56 | 57 | } 58 | 59 | } 60 | -------------------------------------------------------------------------------- /etc/logstash/conf.d/08-nmap.conf: -------------------------------------------------------------------------------- 1 | input { 2 | http { 3 | host => "127.0.0.1" 4 | port => 1080 5 | codec => nmap 6 | tags => ["nmap"] 7 | } 8 | } 9 | 10 | filter { 11 | if "nmap" in [tags] { 12 | if [status][state] == "down" { 13 | drop {} 14 | } 15 | mutate {remove_field => ["times", "run_stats", "[headers][content_length]", "[headers][content_type]", "[headers][http_accept]", "[headers][http_expect]", "[headers][http_host]", "[headers][http_user_agent]", "[headers][http_version]", "[headers][request_method]", "[headers][request_path]", "[headers][request_uri]", "host"]} 16 | } 17 | } 18 | 19 | 20 | output { 21 | if "nmap" in [tags] { 22 | elasticsearch { 23 | hosts => ["localhost:9200"] 24 | index => "nmap-6.x-%{+YYYY.MM.dd}" 25 | template => "/etc/logstash/templates/nmap-6.x-template.json" 26 | template_name => "nmap-6.x" 27 | template_overwrite => true 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /etc/logstash/templates/nmap-6.x-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "order": 1, 3 | "settings": { 4 | "index": { 5 | "mapping": { 6 | "total_fields": { 7 | "limit": 10000 8 | } 9 | }, 10 | "number_of_shards": 1, 11 | "refresh_interval": "5s" 12 | } 
13 | }, 14 | "index_patterns": [ 15 | "nmap-6.x-*" 16 | ], 17 | "mappings": { 18 | "doc": { 19 | "dynamic_templates": [ 20 | { 21 | "strings_as_keyword": { 22 | "mapping": { 23 | "ignore_above": 1024, 24 | "type": "keyword" 25 | }, 26 | "match_mapping_type": "string" 27 | } 28 | } 29 | ], 30 | "properties": { 31 | "tags": { 32 | "type": "text" 33 | }, 34 | "@timestamp": { 35 | "type": "date" 36 | }, 37 | "ipv4": { 38 | "type": "ip" 39 | }, 40 | "ipv6": { 41 | "type": "ip" 42 | }, 43 | "@version": { 44 | "type": "keyword" 45 | } 46 | } 47 | } 48 | } 49 | } 50 | 51 | -------------------------------------------------------------------------------- /etc/logstash/templates/win-proc-list-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "order": 0, 3 | "template": "win-proc-list", 4 | "settings": { 5 | "index.refresh_interval": "60s", 6 | "number_of_shards" : 1, 7 | "number_of_replicas" : 0 8 | }, 9 | "mappings": { 10 | "win-proc-list": { 11 | "properties": { 12 | "proc_name": { 13 | "ignore_above": 1024, 14 | "type": "keyword" 15 | }, 16 | "severity": { 17 | "ignore_above": 1024, 18 | "type": "keyword" 19 | }, 20 | "comment": { 21 | "type": "text" 22 | }, 23 | "@timestamp": { 24 | "type": "date" 25 | }, 26 | "@version": { 27 | "type": "keyword" 28 | } 29 | } 30 | } 31 | } 32 | } 33 | 34 | -------------------------------------------------------------------------------- /etc/logstash/templates/winlogbeat-6.1.3-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "index_patterns": [ 3 | "winlogbeat-6.1.3-*" 4 | ], 5 | "mappings": { 6 | "doc": { 7 | "_meta": { 8 | "version": "6.1.3" 9 | }, 10 | "date_detection": false, 11 | "dynamic_templates": [ 12 | { 13 | "fields": { 14 | "mapping": { 15 | "type": "keyword" 16 | }, 17 | "match_mapping_type": "string", 18 | "path_match": "fields.*" 19 | } 20 | }, 21 | { 22 | "docker.container.labels": { 23 | "mapping": { 24 | 
"type": "keyword" 25 | }, 26 | "match_mapping_type": "string", 27 | "path_match": "docker.container.labels.*" 28 | } 29 | }, 30 | { 31 | "event_data": { 32 | "mapping": { 33 | "type": "keyword" 34 | }, 35 | "match_mapping_type": "string", 36 | "path_match": "event_data.*" 37 | } 38 | }, 39 | { 40 | "user_data": { 41 | "mapping": { 42 | "type": "keyword" 43 | }, 44 | "match_mapping_type": "string", 45 | "path_match": "user_data.*" 46 | } 47 | }, 48 | { 49 | "strings_as_keyword": { 50 | "mapping": { 51 | "ignore_above": 1024, 52 | "type": "keyword" 53 | }, 54 | "match_mapping_type": "string" 55 | } 56 | } 57 | ], 58 | "properties": { 59 | "@timestamp": { 60 | "type": "date" 61 | }, 62 | "activity_id": { 63 | "ignore_above": 1024, 64 | "type": "keyword" 65 | }, 66 | "beat": { 67 | "properties": { 68 | "hostname": { 69 | "ignore_above": 1024, 70 | "type": "keyword" 71 | }, 72 | "name": { 73 | "ignore_above": 1024, 74 | "type": "keyword" 75 | }, 76 | "timezone": { 77 | "ignore_above": 1024, 78 | "type": "keyword" 79 | }, 80 | "version": { 81 | "ignore_above": 1024, 82 | "type": "keyword" 83 | } 84 | } 85 | }, 86 | "computer_name": { 87 | "ignore_above": 1024, 88 | "type": "keyword" 89 | }, 90 | "docker": { 91 | "properties": { 92 | "container": { 93 | "properties": { 94 | "id": { 95 | "ignore_above": 1024, 96 | "type": "keyword" 97 | }, 98 | "image": { 99 | "ignore_above": 1024, 100 | "type": "keyword" 101 | }, 102 | "labels": { 103 | "type": "object" 104 | }, 105 | "name": { 106 | "ignore_above": 1024, 107 | "type": "keyword" 108 | } 109 | } 110 | } 111 | } 112 | }, 113 | "error": { 114 | "properties": { 115 | "code": { 116 | "type": "long" 117 | }, 118 | "message": { 119 | "norms": false, 120 | "type": "text" 121 | }, 122 | "type": { 123 | "ignore_above": 1024, 124 | "type": "keyword" 125 | } 126 | } 127 | }, 128 | "event_data": { 129 | "type": "object" 130 | }, 131 | "event_id": { 132 | "type": "long" 133 | }, 134 | "fields": { 135 | "type": "object" 136 | }, 137 | 
"keywords": { 138 | "ignore_above": 1024, 139 | "type": "keyword" 140 | }, 141 | "kubernetes": { 142 | "properties": { 143 | "annotations": { 144 | "type": "object" 145 | }, 146 | "container": { 147 | "properties": { 148 | "image": { 149 | "ignore_above": 1024, 150 | "type": "keyword" 151 | }, 152 | "name": { 153 | "ignore_above": 1024, 154 | "type": "keyword" 155 | } 156 | } 157 | }, 158 | "labels": { 159 | "type": "object" 160 | }, 161 | "namespace": { 162 | "ignore_above": 1024, 163 | "type": "keyword" 164 | }, 165 | "pod": { 166 | "properties": { 167 | "name": { 168 | "ignore_above": 1024, 169 | "type": "keyword" 170 | } 171 | } 172 | } 173 | } 174 | }, 175 | "level": { 176 | "ignore_above": 1024, 177 | "type": "keyword" 178 | }, 179 | "log_name": { 180 | "ignore_above": 1024, 181 | "type": "keyword" 182 | }, 183 | "message": { 184 | "norms": false, 185 | "type": "text" 186 | }, 187 | "message_error": { 188 | "ignore_above": 1024, 189 | "type": "keyword" 190 | }, 191 | "meta": { 192 | "properties": { 193 | "cloud": { 194 | "properties": { 195 | "availability_zone": { 196 | "ignore_above": 1024, 197 | "type": "keyword" 198 | }, 199 | "instance_id": { 200 | "ignore_above": 1024, 201 | "type": "keyword" 202 | }, 203 | "instance_name": { 204 | "ignore_above": 1024, 205 | "type": "keyword" 206 | }, 207 | "machine_type": { 208 | "ignore_above": 1024, 209 | "type": "keyword" 210 | }, 211 | "project_id": { 212 | "ignore_above": 1024, 213 | "type": "keyword" 214 | }, 215 | "provider": { 216 | "ignore_above": 1024, 217 | "type": "keyword" 218 | }, 219 | "region": { 220 | "ignore_above": 1024, 221 | "type": "keyword" 222 | } 223 | } 224 | } 225 | } 226 | }, 227 | "opcode": { 228 | "ignore_above": 1024, 229 | "type": "keyword" 230 | }, 231 | "process_id": { 232 | "type": "long" 233 | }, 234 | "provider_guid": { 235 | "ignore_above": 1024, 236 | "type": "keyword" 237 | }, 238 | "record_number": { 239 | "ignore_above": 1024, 240 | "type": "keyword" 241 | }, 242 | 
"related_activity_id": { 243 | "ignore_above": 1024, 244 | "type": "keyword" 245 | }, 246 | "source_name": { 247 | "ignore_above": 1024, 248 | "type": "keyword" 249 | }, 250 | "tags": { 251 | "ignore_above": 1024, 252 | "type": "keyword" 253 | }, 254 | "task": { 255 | "ignore_above": 1024, 256 | "type": "keyword" 257 | }, 258 | "thread_id": { 259 | "type": "long" 260 | }, 261 | "type": { 262 | "ignore_above": 1024, 263 | "type": "keyword" 264 | }, 265 | "user": { 266 | "properties": { 267 | "domain": { 268 | "ignore_above": 1024, 269 | "type": "keyword" 270 | }, 271 | "identifier": { 272 | "ignore_above": 1024, 273 | "type": "keyword" 274 | }, 275 | "name": { 276 | "ignore_above": 1024, 277 | "type": "keyword" 278 | }, 279 | "type": { 280 | "ignore_above": 1024, 281 | "type": "keyword" 282 | } 283 | } 284 | }, 285 | "user_data": { 286 | "type": "object" 287 | }, 288 | "version": { 289 | "type": "long" 290 | }, 291 | "xml": { 292 | "norms": false, 293 | "type": "text" 294 | } 295 | } 296 | } 297 | }, 298 | "order": 1, 299 | "settings": { 300 | "index": { 301 | "mapping": { 302 | "total_fields": { 303 | "limit": 10000 304 | } 305 | }, 306 | "number_of_routing_shards": 30, 307 | "number_of_shards": 1, 308 | "refresh_interval": "5s" 309 | } 310 | } 311 | } 312 | -------------------------------------------------------------------------------- /etc/nginx/sites-available/default: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; #Listen on IPv4 3 | listen [::]:80; #Listen on IPv6 4 | return 301 https://$host$request_uri; 5 | } 6 | 7 | server { 8 | listen *:443; 9 | listen [::]:443; 10 | ssl on; 11 | ssl_certificate /etc/logstash/logstash.crt; 12 | ssl_certificate_key /etc/logstash/logstash.pem; 13 | server_name littlebeat; 14 | access_log /var/log/nginx/kibana.access.log; 15 | error_log /var/log/nginx/kibana.error.log; 16 | set $kibana 127.0.0.1; 17 | location / { 18 | auth_basic "Restricted"; 19 | 
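auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        proxy_pass http://$kibana:5601;
        proxy_set_header Host $host;
        proxy_set_header Referer "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_connect_timeout 150;
        proxy_send_timeout 100;
        proxy_read_timeout 100;
        proxy_buffers 16 64k;
        proxy_busy_buffers_size 64k;
        client_max_body_size 256k;
        client_body_buffer_size 128k;
    }

    # TLS hardening for the Kibana front end. Nothing above pins the protocol
    # set, so the nginx build default applies (TLSv1.0/1.1 included on older
    # builds); `ssl on;` is deprecated in current nginx in favour of
    # `listen 443 ssl;`. The certificate/key pair is the same one the Logstash
    # beats input uses (01-beats.conf), so rotating one rotates both.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
-------------------------------------------------------------------------------- /pkgs/wazuh-api_3.1.0-1_amd64.deb: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/pkgs/wazuh-api_3.1.0-1_amd64.deb
-------------------------------------------------------------------------------- /pkgs/wazuh-manager_3.1.0-1_amd64.deb: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/pkgs/wazuh-manager_3.1.0-1_amd64.deb
-------------------------------------------------------------------------------- /pkgs/wazuhapp.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/pkgs/wazuhapp.zip
-------------------------------------------------------------------------------- /putty.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ESGuardian/LittleBeat/40f9be3ff84a094bab81ba26aa5f712488f42179/putty.png
-------------------------------------------------------------------------------- /py/get_proc_list.py: --------------------------------------------------------------------------------
#! /usr/bin/python
# -*- coding: utf8 -*-
#
# Writes /opt/littlebeat/data/proc_list.txt with one line per process name,
# in the form  proc_name:severity:comment
# The names come from process-creation events (event_id 4688) stored in the
# winlogbeat-* indices; each one is looked up in the win-proc-list index of
# known processes. Meant to be used together with set_proc_list.py:
#   1) run get_proc_list.py
#   2) open proc_list.txt in an editor and replace "Неизвестный" (unknown)
#      with something more useful, e.g. "Обычный" (normal), "Разрешенный"
#      (allowed) or "Зловредный" (malicious)
#   3) run set_proc_list.py, which updates the win-proc-list index from the file
#
# Usage: get_proc_list.py [int_days] [0|1]
#   int_days - how many days back from today to scan winlogbeat-* (default 1)
#   0        - list only processes whose severity is Неизвестный (default)
#   1        - list every process (handy when severities are to be redefined)
#
# NOTE: set_proc_list.py parses each line by splitting on ':', so keep ':'
#       out of comments. Process names are endpoint-reported event data and
#       are written to the file unfiltered - treat the file as untrusted text.
#
# esguardian@outlook.com
# https://github.com/ESGuardian
#


import sys
from datetime import date, timedelta, datetime
from pytz import timezone
from elasticsearch import Elasticsearch
import codecs

UNKNOWN = u"Неизвестный"
AUTO = u"Авто"
PROC_INDEX = "win-proc-list"
OUT_PATH = '/opt/littlebeat/data/proc_list.txt'


def getindexes(es, prefix, dates):
    """Return the names of the `prefix + date` indices that actually exist."""
    return [prefix + d for d in dates if es.indices.exists(index=prefix + d)]


def check_process(es, name):
    """Look `name` up in win-proc-list.

    Returns (severity, comment) of the first matching document,
    (Неизвестный, Авто) when the index or the name is absent, and
    ("Ошибка ", <message>) when the lookup itself fails.
    """
    if not es.indices.exists(index=PROC_INDEX):
        return (UNKNOWN, AUTO)
    # term query on the keyword field: the name is matched exactly and is
    # never parsed as query syntax.
    name_query = {"query": {"term": {"proc_name": name}}}
    try:
        res = es.search(index=PROC_INDEX, body=name_query)
    except Exception as e:
        return (u"Ошибка ", unicode(e))
    for hit in res['hits']['hits']:
        return (hit["_source"]["severity"], hit["_source"]["comment"])
    return (UNKNOWN, AUTO)


# --- command line -------------------------------------------------------------
period = 1
full = 0
if len(sys.argv) > 1:
    period = int(sys.argv[1])
if len(sys.argv) > 2:
    full = int(sys.argv[2])  # was argv[1]: the flag silently mirrored int_days

# One daily index name per day in [today - period, today]; UTC, as winlogbeat names them.
today = datetime.utcnow().date()
dates = [(today - timedelta(days=i)).strftime('%Y.%m.%d') for i in range(period + 1)]

# Default client: http://localhost:9200, no authentication.
es = Elasticsearch()

# Security log, event 4688 (process creation), bucketed by bare process name.
# The bool sits in filter context, so the "should" clause has to match too.
myquery = {
    "query": {
        "constant_score": {"filter": {"bool": {"must": {"term": {"log_name": "Security"}},
                                               "should": {"term": {"event_id": 4688}}}}}
    },
    "aggs": {
        "by_procname": {"terms": {"field": "event_data.NewProcessBareName", "size": 10000}}
    }
}

indexes = getindexes(es, "winlogbeat-", dates)
seen = set()
with codecs.open(OUT_PATH, 'w', encoding="utf8") as out:
    try:
        # An empty index list would make the client search *every* index;
        # with nothing to scan, leave the file empty instead.
        buckets = []
        if indexes:
            res = es.search(index=indexes, body=myquery, request_timeout=60)
            buckets = res['aggregations']['by_procname']['buckets']
        for bucket in buckets:
            new_proc_name = bucket['key']
            if new_proc_name in seen:
                continue
            seen.add(new_proc_name)
            (severity, comment) = check_process(es, new_proc_name)
            if severity == UNKNOWN or full != 0:
                out.write(new_proc_name + u":" + severity + u":" + comment + u"\n")
    except Exception as e:
        # Best effort: report and keep whatever was written so far.
        sys.stderr.write(u"ERROR: %s\n" % e)
-------------------------------------------------------------------------------- /py/get_proc_list_full.py: --------------------------------------------------------------------------------
#! /usr/bin/python
# -*- coding: utf8 -*-
#
# Writes /opt/littlebeat/data/proc_list.txt with one line per process name,
# in the form  proc_name:severity:comment
# The names come from process-creation events stored in the winlogbeat-*
# indices, each one looked up in the win-proc-list index of known processes.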
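# Meant to be used together with set_proc_list.py:
#   1) run get_proc_list_full.py
#   2) open proc_list.txt in an editor and replace "Неизвестный" (unknown)
#      with something more useful, e.g. "Обычный" (normal), "Разрешенный"
#      (allowed) or "Зловредный" (malicious)
#   3) run set_proc_list.py, which updates the win-proc-list index from the file
#
# Usage: get_proc_list_full.py [int_days] [0|1]
#   int_days - how many days back from today to scan winlogbeat-* (default 1)
#   0        - list only processes whose severity is Неизвестный
#   1        - list every process (the default here; this is the only
#              difference from get_proc_list.py)
#
# NOTE: set_proc_list.py parses each line by splitting on ':', so keep ':'
#       out of comments. Process names are endpoint-reported event data and
#       are written to the file unfiltered - treat the file as untrusted text.
#
# esguardian@outlook.com
# https://github.com/ESGuardian
#


import sys
from datetime import date, timedelta, datetime
from pytz import timezone
from elasticsearch import Elasticsearch
import codecs

UNKNOWN = u"Неизвестный"
AUTO = u"Авто"
PROC_INDEX = "win-proc-list"
OUT_PATH = '/opt/littlebeat/data/proc_list.txt'


def getindexes(es, prefix, dates):
    """Return the names of the `prefix + date` indices that actually exist."""
    return [prefix + d for d in dates if es.indices.exists(index=prefix + d)]


def check_process(es, name):
    """Look `name` up in win-proc-list.

    Returns (severity, comment) of the first matching document,
    (Неизвестный, Авто) when the index or the name is absent, and
    ("Ошибка ", <message>) when the lookup itself fails.
    """
    if not es.indices.exists(index=PROC_INDEX):
        return (UNKNOWN, AUTO)
    # term query on the keyword field: the name is matched exactly and is
    # never parsed as query syntax.
    name_query = {"query": {"term": {"proc_name": name}}}
    try:
        res = es.search(index=PROC_INDEX, body=name_query)
    except Exception as e:
        return (u"Ошибка ", unicode(e))
    for hit in res['hits']['hits']:
        return (hit["_source"]["severity"], hit["_source"]["comment"])
    return (UNKNOWN, AUTO)


# --- command line -------------------------------------------------------------
period = 1
full = 1
if len(sys.argv) > 1:
    period = int(sys.argv[1])
if len(sys.argv) > 2:
    full = int(sys.argv[2])  # was argv[1]: the flag silently mirrored int_days

# One daily index name per day in [today - period, today]; UTC, as winlogbeat names them.
today = datetime.utcnow().date()
dates = [(today - timedelta(days=i)).strftime('%Y.%m.%d') for i in range(period + 1)]

# Default client: http://localhost:9200, no authentication.
es = Elasticsearch()

# Security log, event 4688 (process creation), bucketed by bare process name.
# The bool sits in filter context, so the "should" clause has to match too.
myquery = {
    "query": {
        "constant_score": {"filter": {"bool": {"must": {"term": {"log_name": "Security"}},
                                               "should": {"term": {"event_id": 4688}}}}}
    },
    "aggs": {
        "by_procname": {"terms": {"field": "event_data.NewProcessBareName", "size": 10000}}
    }
}

indexes = getindexes(es, "winlogbeat-", dates)
seen = set()
with codecs.open(OUT_PATH, 'w', encoding="utf8") as out:
    try:
        # An empty index list would make the client search *every* index;
        # with nothing to scan, leave the file empty instead.
        buckets = []
        if indexes:
            res = es.search(index=indexes, body=myquery, request_timeout=60)
            buckets = res['aggregations']['by_procname']['buckets']
        for bucket in buckets:
            new_proc_name = bucket['key']
            if new_proc_name in seen:
                continue
            seen.add(new_proc_name)
            (severity, comment) = check_process(es, new_proc_name)
            if severity == UNKNOWN or full != 0:
                out.write(new_proc_name + u":" + severity + u":" + comment + u"\n")
    except Exception as e:
        # Best effort: report and keep whatever was written so far.
        sys.stderr.write(u"ERROR: %s\n" % e)
-------------------------------------------------------------------------------- /py/set_proc_list.py: --------------------------------------------------------------------------------
#! /usr/bin/python
# -*- coding: utf8 -*-
#
# Reads /opt/littlebeat/data/proc_list.txt, one line per process in the form
# proc_name:severity:comment
# and replaces the matching documents of the win-proc-list index with the file's data.
# Meant to be used together with get_proc_list.py.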
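# Usage is:
#   1) run get_proc_list.py
#   2) open proc_list.txt in an editor and replace "Неизвестный" (unknown)
#      with something more useful, e.g. "Обычный" (normal), "Разрешенный"
#      (allowed) or "Зловредный" (malicious)
#   3) run set_proc_list.py, which updates the win-proc-list index from the file
#
# Command line: set_proc_list.py
#
# The file is operator-edited but the process names in it originate from
# endpoint event data; a line that does not parse is reported and skipped.
#
# esguardian@outlook.com
# https://github.com/ESGuardian
#


import sys
from datetime import date, timedelta, datetime
from pytz import timezone
from elasticsearch import Elasticsearch
import codecs


INDEX = "win-proc-list"
IN_PATH = '/opt/littlebeat/data/proc_list.txt'

# Default client: http://localhost:9200, no authentication.
es = Elasticsearch()

with codecs.open(IN_PATH, 'r', encoding="utf8") as source:
    content = [x.strip() for x in source.readlines()]

for lineno, item in enumerate(content, 1):
    if not item:
        continue  # a blank line used to abort the whole run with a ValueError
    # Split on the first two ':' only, so the comment itself may contain ':'.
    parts = item.split(":", 2)
    if len(parts) != 3:
        sys.stderr.write(u"line %d skipped, expected proc_name:severity:comment: %s\n" % (lineno, item))
        continue
    (proc_name, severity, comment) = parts
    if es.indices.exists(index=INDEX):
        # Remove every old document for this proc_name. The previous
        # search-then-delete loop only ever saw the first 10 hits; proc_name is
        # a keyword field, so the term query matches the name exactly.
        es.delete_by_query(index=INDEX,
                           body={"query": {"term": {"proc_name": proc_name}}},
                           conflicts="proceed", refresh=True)
    # Insert the replacement document.
    doc = {
        'proc_name': proc_name,
        'severity': severity,
        'comment': comment,
        '@timestamp': datetime.utcnow()
    }
    es.index(index=INDEX, doc_type=INDEX, body=doc)


-------------------------------------------------------------------------------- /run.sh: --------------------------------------------------------------------------------
#!/bin/bash
# LittleBeat bootstrap. Everything fetched later comes from this pinned tag;
# note that nothing beyond TLS verifies what the tag serves.
github_url="https://raw.githubusercontent.com/ESGuardian/LittleBeat/v-6.1.001"
echo "Что сейчас произойдет?"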
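echo "Сейчас мы создадим пользователя little, установим ему UID=0"
echo "и разрешим подключаться по SSH."
echo "У этого пользователя будет специальный .bashrc, в котором"
echo "он будет запускать консоль управления LittleBeat."
printf '%s' "Для продолжения нажмите ENTER"
read -r _

# Stop at the first failed step instead of continuing on a half-configured box.
set -euo pipefail
[[ $EUID -eq 0 ]] || { echo "run.sh must be run as root" >&2; exit 1; }

# SECURITY: 'little' becomes a second UID-0 account (full root), and
# PermitRootLogin yes applies to every UID-0 account - root itself included -
# with password authentication allowed. Restrict SSH access to this host at
# the firewall and/or move to key-only logins once the console works.
id -u little >/dev/null 2>&1 || adduser little
# usermod edits /etc/passwd for us (-o permits the duplicate UID). The old
# unanchored sed also rewrote any account whose name merely ends in "little".
usermod -o -u 0 -g 0 little
sed -i -e "s/^#PermitRootLogin .*/PermitRootLogin yes/" /etc/ssh/sshd_config
sed -i -e "s/^PermitRootLogin .*/PermitRootLogin yes/" /etc/ssh/sshd_config
echo "Сделано."
echo "Подготовка к запуску LittleBeat ..."
mkdir -p /opt/littlebeat/bin

# Download into a temp file first, so a failed fetch neither leaves an empty
# .bashrc nor deletes the existing one. wget checks the TLS certificate, but
# nothing pins the content: whatever the tag serves runs as root at every login.
fetch() {
  local url=$1 dest=$2 tmp
  tmp=$(mktemp) || exit 1
  if ! wget -q -O "$tmp" -- "$url"; then
    rm -f -- "$tmp"
    echo "download failed: $url" >&2
    exit 1
  fi
  chmod 0644 -- "$tmp"   # same mode a plain wget would have produced
  mv -- "$tmp" "$dest"
}
fetch "${github_url:?}/.bashrc" /home/little/.bashrc
chmod +x /home/little/.bashrc
fetch "${github_url:?}/bin/main.sh" /opt/littlebeat/bin/main.sh
echo "Сделано."
echo "Еще для работы меню нам нужна утилита dialog."
echo "Сейчас мы выполним update списка пакетов и установку dialog."
printf '%s' "Для продолжения нажмите ENTER"
read -r _
cd /tmp
apt-get update
apt-get -y install dialog
echo "Сделано."

echo "Чтобы запустить LITTLEBEAT вы должны выполнить вход"
echo "как юзер little"
printf '%s' "Нажмите ENTER чтобы перезапустить машину."
read -r _
reboot now

--------------------------------------------------------------------------------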