Graylog SIEM (SOC Level 2 of 3)

Get Graylog

• git clone https://github.com/Graylog2/docker-compose.git

Config

• cd docker-compose/cluster
  #set your_new_password
  #get your_new_password_sha from : echo -n your_new_password | shasum -a 256
• sudo nano .env.example
  keyin your_new_password and your_new_password_sha
• sudo mv .env.example .env

Run

• sudo docker-compose up -d
• sudo ufw open ports 9000,1514~1516(tcp/udp),12201(tcp/udp)
• http://yourip:9000/welcome

OpenVAS : Vulnerability Scanning

See 

• https://greenbone.github.io > Greenbone Community Containers
• https://greenbone.github.io/docs/latest/22.4/container/index.html

Ubuntu

• Install Docker
• sudo usermod -aG docker $USER && su $USER
• export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR
• curl -f -O -L https://greenbone.github.io/docs/latest/_static/compose.yaml --output-dir "$DOWNLOAD_DIR"
• sudo nano $DOWNLOAD_DIR/compose.yaml
• find 127.0.0.1:443:443 change 127.0.0.1 to 0.0.0.0
• find 127.0.0.1:9392:9392 change 127.0.0.1 to 0.0.0.0
• docker compose -f $DOWNLOAD_DIR/compose.yaml pull
• docker compose -f $DOWNLOAD_DIR/compose.yaml up -d
• docker compose -f $DOWNLOAD_DIR/compose.yaml logs -f
• Ctrl+C
• docker compose -f $DOWNLOAD_DIR/compose.yaml \
  exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'

Test

• xdg-open "https://127.0.0.1" 2>/dev/null >/dev/null &

Firewall

• sudo ufw allow 9393/tcp
• sudo ufw reload

Config

• open https://ip:9393/dashboards
• admin
• Setting
• change utc to your timezone
• administration > feed status , all of those is newest
  #see scan db https://www.ichiayi.com/tech/openvas
• Configuration > Scan Configs, refresh to download items before is null
  # https://greenbone.github.io/docs/latest/22.4/container/workflows.html
• docker compose -f $DOWNLOAD_DIR/compose.yaml pull notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects
• docker compose -f $DOWNLOAD_DIR/compose.yaml up -d notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects

Scan Work

• open https://ip:9393/dashboards
• type1:take a scan, Scans > Tasks, click:Task Wizard, keyin ip and click scan of button
• type2:Authenticated Scan,
• Configuration > Credentials
• menu Username + Password or Username + ssh key
• Configuration > Targets, keyin name/ip/Credentials
• Scans > Tasks and click New Task
• Scan Targets choose above info
• Scan Config choose full and fast
• start after save
• report:Scans > Reports, click date and time to watch or download

Wazuh SIEM (SOC Level 1 of 3)

#Env Workstation, Ubuntu, Docker

:Install
# find last version
project: https://github.com/wazuh/wazuh-docker

#install git
git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0

cd wazuh-docker/single-node/

#change manager port 443(left) to your port
#modify memory limit find -Xms -Xmx 1 to 8 <= 50%
modify docker-compose.yml

sudo docker-compose -f generate-indexer-certs.yml run --rm generator

#-d backend run
sudo docker-compose up -d

#firewall config
TCP *9200, *1514, *1515, x 1516(array), *514, *55000, *9443
UPD x1514(no need), *514

sudo ufw allow 9200/tcp
sudo ufw allow 1514/tcp
sudo ufw allow 1515/tcp
#sudo ufw allow 1516/tcp x
sudo ufw allow 514/tcp
sudo ufw allow 55000/tcp
sudo ufw allow 9443/tcp
#sudo ufw allow 1514/udp x
sudo ufw allow 514/udp

#open https://ip:your_port or space(443) check status
#use default account admin and password SecretPassword to login

:Agent install, Windows or Ubuntu

Windows:install Agent and modify ip point to wazuh ip before start service

Linux:
linux agent: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

sudo -s

#check curl be install

GPG Key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg

REPO:
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

CONFIG:
sudo apt-get install gnupg apt-transport-https

curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

#echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

INSTALL: 0.0.0.0 is your wazuh ip
WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent

#if happen error is:The list of sources could not be read.
sudo nano /etc/apt/sources.list.d/wazuh.list, keep only one line as below:

deb [signed-by=/etc/apt/keyrings/wazuh-archive-keyring.gpg] https://packages.wazuh.com/4.x/apt/ stable main

sudo apt-get update

WAZUH_MANAGER="0.0.0.0" apt-get install wazuh-agent

SERVICE:
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

STOP UPDATE: agent update use manager control panel
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list

sudo apt-get update

echo "wazuh-agent hold" | dpkg --set-selections
=================
sudo nano /var/ossec/etc/ossec.conf
#<ossec_config>
<client>
<server>
<address>Wazuh_IP</address>

sudo tail -f /var/ossec/logs/ossec.log

:flooded
connect wazuh server
sudo docker ps, see NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash

#yum install nano -y

nano /var/ossec/etc/ossec.conf
# modify 3 to 5
<alerts>
<log_alert_level>5</log_alert_level>
</alerts>

#create Group:Server,Linux(Server) and ...default(PCs)

:general device
cd /var/ossec/etc/shared/default
nano internal_options.conf
#file content below
agent.buffer_send_interval=300
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768

#if you need after add it
logall=no
log_level=2
rule_level=5
log_alert_level=5

:import device
cd /var/ossec/etc/shared/[Group Name]
nano internal_options.conf
#file content below
agent.buffer_send_interval=60
agent.buffer_max_events=1000
agent.buffer_flush_size=1024
queue_size=32768

#if you need after add it
logall=no
log_level=2

/var/ossec/bin/wazuh-control restart

:client update
on agent client
/var/ossec/bin/agent_control -u
tail -n 50 /var/ossec/logs/ossec.log
see INFO: Downloaded file '/default/internal_options.conf'

:alarm log
connect wazuh server
sudo docker ps, see NAMES
sudo docker exec -it single-node_wazuh.manager_1 /bin/bash

cd /var/ossec/etc/rules
nano local_rules.xml

# set number law <rule id="110001 ...110002 ....
<group name="windows,byself">
  <rule id="110001" level="0">
    <if_sid>wazuh:rule.id</if_sid>
    <match>full_log keyword</match>
    <description>event info</description>
    <group>byself</group>
  </rule>
</group>

/var/ossec/bin/wazuh-control restart

modify openwebui open file will happen error when user not admin

• backup files.py

sudo docker exec -it open-webui /bin/bash cd /app/backend/open_webui/routers/ cp files.py files1.py

• modify files.py

sudo docker cp open-webui:/app/backend/open_webui/routers/files.py files.py sudo nano files.py find all  if file and (file.user_id == user.id or user.role == "admin"): and add front remark like this #if file and (file.user_id == user.id or user.role == "admin"): and add code under this line if file:

• replace files.py

sudo docker cp files.py open-webui:/app/backend/open_webui/routers/files.py

docker clean

 #remove old container and images

• run all container
• remove old container and images,volume
• docker system prune
• docker volume prune
• docker builder prune
• stop all container{docker stop $(docker ps -q)}
• stop docker desktop{Stop-Process -Name "Docker Desktop"}
• wsl --shutdown
• Optimize-VHD -Path C:\Users\yourname\AppData\Local\Docker\wsl\data\ext4.vhdx -Mode Full
• Optimize-VHD -Path C:\Users\yourname\AppData\Local\Docker\wsl\main\ext4.vhdx -Mode Full
• wsl
• start docker desktop{Start-Process "Docker Desktop"}
• start all container{docker start $(docker ps -aq)}

searxng

• docker pull searxng/searxng
• docker run -d -p 4000:8080 -e "BASE_URL=http://localhost:4000/" -e "INSTANCE_NAME=searxng" searxng/searxng