Sunday, May 24, 2026

Wazuh SIEM (SOC 1 of 3)

 Get Wazuh

  • # project: https://github.com/wazuh/wazuh-docker
  • git clone https://github.com/wazuh/wazuh-docker.git -b v4.12.0
  • cd wazuh-docker/single-node
Cert
  • sudo docker-compose -f generate-indexer-certs.yml run --rm generator
Run
  • Open the ports the stack needs in ufw: 443/tcp (dashboard), 1514/tcp (agent events) and 1515/tcp (agent enrollment). 1516/tcp is only used by a manager cluster, udp on 1514 only if you configure agents for udp, and 9200/tcp only if something outside the host must query the indexer directly; leave those closed otherwise.
    sudo ufw allow 443/tcp
    sudo ufw allow 1514:1515/tcp
  • sudo docker-compose up -d
  • open https://ip:your_port (443 unless you changed the mapping) and check that the dashboard comes up
    log in with the default account admin and password SecretPassword, then change it before the dashboard is reachable by anyone but you
Agent
  • Windows: install the agent MSI and set the manager address to the Wazuh server IP before starting the service
  • Linux: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html
    • sudo -s
    • make sure curl is installed, then install what the repository setup needs
      apt-get install gnupg apt-transport-https
    • GPG key (keyring method; the old "apt-key add" route is deprecated and unnecessary once the repo line uses signed-by)
      curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
    • REPO
      echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
      apt-get update
    • INSTALL (WAZUH_MANAGER is read by the package at install time and written into /var/ossec/etc/ossec.conf; it must be on the same line as apt-get)
      WAZUH_MANAGER="<wazuh_ip>" apt-get install wazuh-agent
    • SERVICE
      systemctl daemon-reload
      systemctl enable wazuh-agent
      systemctl start wazuh-agent
    • STOP UPDATES: agent upgrades are driven from the manager, so disable the repo to keep apt from upgrading the agent on its own and drifting from the manager version
      sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
      apt-get update

SOC Home

  • Level 1: collection and detection; high-risk events escalate to Level 2
    • Wazuh 
    • Graylog 
    • Zeek 
  • Level 2: triage and enrichment; create a case and hand it to Level 3
    • TheHive
    • Cortex
    • MISP
      • CISA-KEV
  • Level 3: response; build automated playbooks
    • SOAR
    • n8n
  • Level 4 (pending): event reporting
  • Level 5 (pending): full review

Wazuh SIEM (SOC Level 1 of 3) Update

Stop the running stack

  • cd $HOME/wazuh-docker/single-node
  • sudo docker compose down

Check out the new version # https://github.com/wazuh/wazuh-docker

  • back up any local edits first (docker-compose.yml, the config directory): git reset --hard below throws them away
  • cd $HOME/wazuh-docker/
  • git fetch --all --tags
  • git reset --hard
  • git checkout v4.14.5

Cert

  • cd single-node
  • sudo docker-compose -f generate-indexer-certs.yml run --rm generator

Run

  • sudo docker-compose up -d
  • log in, confirm the manager reports the new version, then upgrade the agents; they stay on the old version until you do, and the disabled repo on each host means apt will not do it for you
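After the manager has moved to the new version, the question is which agents still need the upgrade and which cannot take one right now. The block below is an added example, not code from this page or from the Wazuh project. It assumes the Wazuh API on port 55000 with POST /security/user/authenticate (basic auth, returns a token under data.token) and GET /agents returning data.affected_items entries with id, name, status and version; that the manager is agent id 000 and its version is the target; and that version strings look like "Wazuh v4.12.0". The JSON it processes is a constructed sample so it runs offline; fetch_agents() is the optional live path.

```python
"""Added example (not from the page or the Wazuh project): which agents are
behind the manager after an upgrade, and which cannot be upgraded right now.

Assumptions (also noted inline): GET /agents returns
{"data": {"affected_items": [{"id", "name", "status", "version"}, ...]}},
the manager is agent id "000", versions look like "Wazuh v4.12.0".
"""
import json
import re
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample, shaped like GET /agents?select=id,name,status,version
SAMPLE_AGENTS_JSON = json.dumps({
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh.manager", "status": "active", "version": "Wazuh v4.14.5"},
            {"id": "001", "name": "web-01", "status": "active", "version": "Wazuh v4.12.0"},
            {"id": "002", "name": "db-01", "status": "active", "version": "Wazuh v4.14.5"},
            {"id": "003", "name": "laptop-7", "status": "disconnected", "version": "Wazuh v4.12.0"},
            {"id": "004", "name": "new-host", "status": "never_connected"},
        ],
        "total_affected_items": 5,
    },
    "error": 0,
})

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'Wazuh v4.12.0' -> (4, 12, 0); None when no version is present."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def upgrade_plan(agents_json):
    """Split agents into those behind the manager (upgradeable now) and those
    that are not 'active' and therefore cannot receive a remote upgrade yet."""
    items = json.loads(agents_json)["data"]["affected_items"]
    manager = next(a for a in items if a["id"] == "000")  # assumption: manager is 000
    target = parse_version(manager.get("version"))
    if target is None:
        raise ValueError("manager entry carries no version")
    behind, unreachable = [], []
    for a in items:
        if a["id"] == "000":
            continue
        ver = parse_version(a.get("version"))
        if a.get("status") != "active":
            unreachable.append((a["id"], a["name"], a.get("status")))
        elif ver is None or ver < target:
            behind.append((a["id"], a["name"], a.get("version")))
    return {"target": target, "behind": behind, "unreachable": unreachable}


def fetch_agents(base_url, user, password, verify_tls=True):
    """Live path (assumed endpoints): POST /security/user/authenticate with basic
    auth for a JWT, then GET /agents with it. Returns the raw JSON text."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for the self-signed certs of a lab install
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    creds = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        token = json.load(r)["data"]["token"]
    req = urllib.request.Request(f"{base_url}/agents?select=id,name,status,version&limit=500",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        return r.read().decode()


if __name__ == "__main__":
    plan = upgrade_plan(SAMPLE_AGENTS_JSON)
    print("target version:", ".".join(map(str, plan["target"])))
    for aid, name, ver in plan["behind"]:
        print(f"upgrade {aid} {name} ({ver})")
    for aid, name, status in plan["unreachable"]:
        print(f"skip    {aid} {name} ({status})")
```

Run it as is to see the plan for the sample; for a real manager replace SAMPLE_AGENTS_JSON with fetch_agents("https://<wazuh_ip>:55000", user, password). Disconnected and never_connected agents are listed separately on purpose: a remote upgrade only reaches agents that are currently talking to the manager, so those hosts need attention on the endpoint side first.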

Saturday, May 23, 2026

Graylog SIEM (SOC Level 2 of 3)

Get Graylog

  • git clone https://github.com/Graylog2/docker-compose.git

Config

  • cd docker-compose/cluster
    # two values go into the env file: a long random password secret (the pepper Graylog uses for stored user passwords; at least 16 characters, the template suggests 96, and it must be identical on every node of a cluster) and the SHA-256 of the root password
    # the password secret is not your login password; generate a random string for it (pwgen or openssl rand)
    # hash the root password without a trailing newline: printf '%s' 'your_new_password' | shasum -a 256
    # (echo -n is not portable across shells; a stray newline in the input gives a hash that never matches your password)
  • sudo nano .env.example
    set GRAYLOG_PASSWORD_SECRET to the random secret and GRAYLOG_ROOT_PASSWORD_SHA2 to the hash
  • sudo cp .env.example .env

Run

  • sudo docker-compose up -d
  • open the ports in ufw: 9000/tcp (web UI and API), 1514 tcp/udp (syslog input), 12201 tcp/udp (GELF input). If Graylog shares a host with the Wazuh manager, 1514/1515 collide with it: pick another port for the Graylog input. 9000 is plain http, so limit it to your admin network or terminate TLS in front of it.
    sudo ufw allow 9000/tcp
    sudo ufw allow 1514:1516/tcp
    sudo ufw allow 1514:1516/udp
    sudo ufw allow 12201/tcp
    sudo ufw allow 12201/udp
  • http://yourip:9000/welcome
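
The two values above are easy to get subtly wrong (a hash taken over "password\n" instead of "password", or a login password reused as the secret). The block below is an added example, not code from this page or from the Graylog project: it derives both values and fills them into the template. It assumes the template uses the variable names GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2; the .env.example text embedded in it is a constructed stand-in so the block runs offline, and "admin" is only a demo password.

```python
"""Added example (not from the page or the Graylog project): produce the
password secret and the root password SHA-256 for Graylog's .env, and write
them into the template.

Assumption: the template's variable names are GRAYLOG_PASSWORD_SECRET and
GRAYLOG_ROOT_PASSWORD_SHA2 (as in Graylog2/docker-compose at time of writing).
"""
import hashlib
import re
import secrets
import sys

# Constructed stand-in for cluster/.env.example so the block runs offline
SAMPLE_ENV_EXAMPLE = """# Generate one by using for example: pwgen -N 1 -s 96
GRAYLOG_PASSWORD_SECRET=""
# Create one by using for example: echo -n yourpassword | shasum -a 256
GRAYLOG_ROOT_PASSWORD_SHA2=""
"""

_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def root_password_sha2(password):
    """SHA-256 over the exact password bytes, no trailing newline: the same
    as printf '%s' "$pw" | sha256sum, and NOT echo "$pw" | sha256sum."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_secret(length=96):
    """Random pepper for stored user passwords. Graylog refuses fewer than 16
    characters; 96 matches the template's suggestion. Same value on every node."""
    if length < 16:
        raise ValueError("Graylog requires a password_secret of at least 16 characters")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def render_env(template, secret, root_sha2):
    """Fill both variables in the template; fail loudly if one is missing
    rather than silently producing a .env Graylog will reject at start-up."""
    out = template
    for key, value in (("GRAYLOG_PASSWORD_SECRET", secret),
                       ("GRAYLOG_ROOT_PASSWORD_SHA2", root_sha2)):
        pattern = re.compile(rf"^{key}=.*$", re.M)
        if not pattern.search(out):
            raise KeyError(f"{key} not found in template")
        out = pattern.sub(lambda _m, k=key, v=value: f'{k}="{v}"', out)
    return out


def parse_env(text):
    """Minimal KEY="value" reader, used to check what was written."""
    env = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        env[k.strip()] = v.strip().strip('"')
    return env


if __name__ == "__main__":
    # usage: python graylog_env.py '<root password>'  (reads the real .env.example if present)
    pw = sys.argv[1] if len(sys.argv) > 1 else "admin"  # "admin" only for the demo
    try:
        with open(".env.example", encoding="utf-8") as fh:
            template = fh.read()
    except FileNotFoundError:
        template = SAMPLE_ENV_EXAMPLE
    print(render_env(template, password_secret(), root_password_sha2(pw)), end="")
```

Redirect the output to .env in the cluster directory. The secret is deliberately separate from the root password: changing the secret later invalidates every stored password and token, while the root password can be rotated by rewriting only GRAYLOG_ROOT_PASSWORD_SHA2.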

Friday, May 22, 2026

OpenVAS : Vulnerability Scanning

See 

  • https://greenbone.github.io > Greenbone Community Containers
  • https://greenbone.github.io/docs/latest/22.4/container/index.html

Ubuntu

  • Install Docker
  • sudo usermod -aG docker $USER && su $USER
    (membership in the docker group is root-equivalent on the host; give it only to the admin account)
  • export DOWNLOAD_DIR=$HOME/greenbone-community-container && mkdir -p $DOWNLOAD_DIR
  • curl -f -O -L https://greenbone.github.io/docs/latest/_static/compose.yaml --output-dir "$DOWNLOAD_DIR"
  • sudo nano $DOWNLOAD_DIR/compose.yaml
    the published compose binds the web UI to 127.0.0.1, reachable only from the host itself; to reach it from another machine change the bind address on the port mappings
    • find 127.0.0.1:443:443 and change 127.0.0.1 to 0.0.0.0
    • find 127.0.0.1:9392:9392 and change 127.0.0.1 to 0.0.0.0
    • 0.0.0.0 listens on every interface, so pair it with the firewall rule below, and make sure the host port mapped here is the same one you open in ufw and use in the URL
  • docker compose -f $DOWNLOAD_DIR/compose.yaml pull
  • docker compose -f $DOWNLOAD_DIR/compose.yaml up -d
  • docker compose -f $DOWNLOAD_DIR/compose.yaml logs -f
    • Ctrl+C once the feed containers have finished and gvmd reports it is ready
  • change the admin password from the default before the UI is reachable from the network:
    docker compose -f $DOWNLOAD_DIR/compose.yaml \
    exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'

Test

  • xdg-open "https://127.0.0.1" 2>/dev/null >/dev/null &

Firewall

  • sudo ufw allow 9393/tcp
    (9393 must be the host port mapped in compose.yaml; prefer ufw's "allow from <admin subnet>" form so the scanner UI is not open to every network)
  • sudo ufw reload

Config

  • open https://ip:9393/dashboards
  • log in as admin
    • Settings
      • change the timezone from UTC to yours
    • Administration > Feed Status: wait until every feed shows as current
      # background on the scan databases: https://www.ichiayi.com/tech/openvas
    • Configuration > Scan Configs is empty until the feeds have finished syncing; if it stays empty, re-pull and restart the feed containers
      # https://greenbone.github.io/docs/latest/22.4/container/workflows.html
      • docker compose -f $DOWNLOAD_DIR/compose.yaml pull notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects
      • docker compose -f $DOWNLOAD_DIR/compose.yaml up -d notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects

Scan Work

  • open https://ip:9393/dashboards
  • type 1, quick scan: Scans > Tasks, click Task Wizard, enter the target IP and start the scan
  • type 2, authenticated scan (logs into the host and checks installed packages, which a network-only scan cannot see):
    • Configuration > Credentials
    • choose Username + Password or Username + SSH Key; use a dedicated low-privilege scan account with a key rather than a shared admin password
    • Configuration > Targets: enter name, IP and the credential
    • Scans > Tasks, click New Task
    • Scan Targets: choose the target created above
    • Scan Config: choose Full and fast
    • save, then start the task
    • report: Scans > Reports, click the date and time to view or download


Saturday, February 8, 2025

Modify Open WebUI: opening a file fails with an error when the user is not admin

  • back up files.py inside the container

sudo docker exec -it open-webui /bin/bash
cd /app/backend/open_webui/routers/
cp files.py files1.py
  • modify files.py

sudo docker cp open-webui:/app/backend/open_webui/routers/files.py files.py
sudo nano files.py
    find every line
    if file and (file.user_id == user.id or user.role == "admin"):
    comment it out
    #if file and (file.user_id == user.id or user.role == "admin"):
    and add, at the same indentation, the line
    if file:
  • replace files.py

sudo docker cp files.py open-webui:/app/backend/open_webui/routers/files.py
  • restart the open-webui container so the running server loads the edited file
  • caveats: the commented-out line is the authorization check, so after this change any logged-in user can fetch any uploaded file by its id, not just their own or those an admin can see; do this only on an instance where every user may read every file, otherwise keep the owner/admin test and add the case that was failing. The edit also lives in the container's writable layer and is lost when the container is recreated (for example after pulling a new image), so it has to be reapplied or mounted in.