整個過程使用虛擬機在CentOS Linux release 7.2.1511 (Core)安裝成功。
安裝thehive需要的步驟:
1、安裝存儲數據的elasticsearch,使用docker安裝或者rpm包進行安裝
2、安裝cortex,創建相關用戶賬號獲取相關API的秘鑰供thehive使用
3、安裝thehive,調用cortex提供的秘鑰獲取相關調用接口進行調查
elasticsearch相關命令使用:https://www.cnblogs.com/remainsu/p/elasticsearch-chang-yong-curl-ming-ling.html
一、安裝elasticsearch
1.1使用docker進行安裝
注意安裝時請注意時間同步問題,否者會出現證書相關問題:ntpdate cn.pool.ntp.org
Docker CE:https://docs.docker.com/install/#supported-platforms
Docker Compose:https://docs.docker.com/compose/install/
Git:https://git-scm.com/book/en/v2/Getting-Started-Installing-Git
按照以上步驟完成docker的安裝
第一步:
sudo sysctl -w vm.max_map_count=262144
第二步:
yum install -y java-1.8.0-openjdk
第三步,創建在本機上保存數據的目錄:
mkdir -p /usr/share/elasticsearch/data
chmod 777 /usr/share/elasticsearch/data
第四步:安裝es
docker run \
--name elasticsearch \
--hostname elasticsearch \
--rm \
--publish 127.0.0.1:9200:9200 \
--publish 127.0.0.1:9300:9300 \
--volume /usr/share/elasticsearch/data:/usr/share/elasticsearch/data \
-e "http.host=0.0.0.0" \
-e "transport.host=0.0.0.0" \
-e "xpack.security.enabled=false" \
-e "cluster.name=hive" \
-e "script.inline=true" \
-e "thread_pool.index.queue_size=100000" \
-e "thread_pool.search.queue_size=100000" \
-e "thread_pool.bulk.queue_size=100000" \
docker.elastic.co/elasticsearch/elasticsearch:5.6.0
1.2使用rpm包進行安裝
注意安裝時請注意時間同步問題,否者會出現證書相關問題:
ntpdate cn.pool.ntp.org
參考:https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md
第一步:
sudo sysctl -w vm.max_map_count=262144
第二步:
yum install -y java-1.8.0-openjdk
第三步:在/etc/yum/repos.d/創建elasticsearch.repo,加入以下內容:
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
?mkdir -p /etc/yum/repos.d/
?cd /etc/yum/repos.d/
第四步:
? sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
? sudo yum install elasticsearch
第五步:
? cd /etc/elasticsearch/
在/etc/elasticsearch/elasticsearch.yml中加入以下內容:
network.host: 127.0.0.1
script.inline: true
cluster.name: hive
thread_pool.index.queue_size: 100000
thread_pool.search.queue_size: 100000
thread_pool.bulk.queue_size: 100000
?xpack.security.enabled: true
強烈建議避免將此服務暴露給不受信任的區域。
如果Elasticsearch和thehive運行在同一主機上(而不是在docker),編輯/etc/ Elasticsearch /elasticsearch.yml和設置網絡。主機參數為127.0.0.1。thehive使用動態腳本進行部分更新。因此,必須使用script.inline: true來激活它們。
還必須設置集群名稱(例如,hive)。線程池隊列大小必須設置一個較高的值(100000)。默認大小將容易使隊列超載。
第六步:
手動安裝xpack:https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.6.16.zip
./elasticsearch-plugin install file:///root/x-pack-5.6.16.zip
-> Downloading file:///root/x-pack-5.6.16.zip
[=================================================] 100%??
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@? ? WARNING: plugin requires additional permissions? ? @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* javax.net.ssl.SSLPermission setHostnameVerifier
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@? ? ? ? WARNING: plugin forks a native controller? ? ? ? @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.
Continue with installation? [y/N]y
-> Installed x-pack
自動安裝:
進入:/usr/share/elasticsearch/bin
./elasticsearch-plugin install x-pack
并且破解相關文件(過程見:https://blog.csdn.net/dymkkj/article/details/91043669) :
/usr/share/elasticsearch/plugins/x-pack/x-pack-5.6.16.jar
第七步:
sudo systemctl enable elasticsearch.service
?sudo systemctl start elasticsearch.service
? sudo systemctl status elasticsearch.service
第八步:更改用戶密碼
默認用戶名密碼為: elastic:changeme
curl --user elastic:changeme http://127.0.0.1:9200
{
? "name" : "0Gxn_d0",
? "cluster_name" : "hive",
? "cluster_uuid" : "UC3wm1J-SRO_GwVBnEPxow",
? "version" : {
? ? "number" : "5.6.16",
? ? "build_hash" : "3a740d1",
? ? "build_date" : "2019-03-13T15:33:36.565Z",
? ? "build_snapshot" : false,
? ? "lucene_version" : "6.6.1"
? },
? "tagline" : "You Know, for Search"
}
更改密碼(http://www.lxweimin.com/p/f1b009113e61):
curl -XPUT -u elastic '127.0.0.1:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{"password" : "2020@qwerty"}'
curl --user elastic:2020@qwerty http://127.0.0.1:9200
二、安裝cortex
yum install https://dl.bintray.com/thehive-project/rpm-stable/thehive-project-release-1.1.0-2.noarch.rpm
yum install cortex
yum install python-pip python2.7-dev python3-pip python3-dev ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl libmagic1 build-essential git libssl-dev
pip3 install cortexutils
sudo systemctl enable cortex.service
sudo systemctl start cortex.service
sudo systemctl status cortex.service
firewall-cmd --zone=public --add-port=9001/tcp --permanent
firewall-cmd --reload
相關配置文件在:/etc/cortex中,需要進行部分修改,以下給出模板:
# Sample Cortex application.conf file
## SECRET KEY
#
# The secret key is used to secure cryptographic functions.
#
# IMPORTANT: If you deploy your application to several? instances,? make
# sure to use the same key.
#這個地方需要添加相關秘鑰,具體生成方法請參照官網
play.http.secret.key="XpN0jSW03tWKGQr2MSpI6mizC0oEa8BPY3FgENBgDvCKbk0obep19pDcy2oE7tad"
#http.port = "9001"
## ElasticSearch
search {
? # Name of the index
? index = cortex
? # Address of the ElasticSearch instance
? uri = "http://127.0.0.1:9200"
}
# ElasticSearch cluster name
cluster {
name = hive
}
## Cache
#
# If an analyzer is executed against the same observable, the previous report can be returned without re-executing the
# analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes).
cache.job = 10 minutes
## Authentication
auth {
method.basic = true
# "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful
# for migration.
# The available auth types are:
# - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No
#? configuration are required.
# - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in
#? the "ad" section below.
# - ldap : use LDAP to authenticate users. The associated configuration shall be done in the
#? "ldap" section below.
provider = [local]
ad {
# The Windows domain name in DNS format. This parameter is required if you do not use
# 'serverNames' below.
#domainFQDN = "mydomain.local"
# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
# above. If this parameter is not set, TheHive uses 'domainFQDN'.
#serverNames = [ad1.mydomain.local, ad2.mydomain.local]
# The Windows domain name using short format. This parameter is required.
#domainName = "MYDOMAIN"
# If 'true', use SSL to connect to the domain controller.
#useSSL = true
}
ldap {
# The LDAP server name or address. The port can be specified using the 'host:port'
# syntax. This parameter is required if you don't use 'serverNames' below.
#serverName = "ldap.mydomain.local:389"
# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
#serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
# Account to use to bind to the LDAP server. This parameter is required.
#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
# Password of the binding account. This parameter is required.
#bindPW = "***secret*password***"
# Base DN to search users. This parameter is required.
#baseDN = "ou=users,dc=mydomain,dc=local"
# Filter to search user in the directory server. Please note that {0} is replaced
# by the actual user name. This parameter is required.
#filter = "(cn={0})"
# If 'true', use SSL to connect to the LDAP directory server.
#useSSL = true
}
}
## ANALYZERS
#
analyzer {
? # Absolute path where you have pulled the Cortex-Analyzers repository.
? #放分析器的地方
? #path = ["/opt/Cortex-Analyzers/analyzers"]
? urls = ["https://dl.bintray.com/thehive-project/cortexneurons/analyzers.json"]
? # Sane defaults. Do not change unless you know what you are doing.
? fork-join-executor {
? ? # Min number of threads available for analysis.
? ? parallelism-min = 2
? ? # Parallelism (threads) ... ceil(available processors * factor).
? ? parallelism-factor = 2.0
? ? # Max number of threads available for analysis.
? ? parallelism-max = 4
? }
}
? #放應答器的地方
responder {
path = ["/opt/thehive/responders","/opt/cortex/github-aacgood/Cortex-Analyzers/Responders"]
}
# It's the end my friend. Happy hunting!
進入首頁后需要初始化數據庫
獲取的秘鑰將用于thehive的配置文件中,以便于thehive使用cortex
三、安裝thehive
yum install thehive
sudo systemctl enable thehive.service
sudo systemctl start thehive.service
sudo systemctl status thehive.service
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload
安裝完后,啟動服務前,需要進行配置文件的更改:
# Secret Key
# The secret key is used to secure cryptographic functions.
# WARNING: If you deploy your application on several servers, make sure to use the same key.
#需要更改的地方
play.http.secret.key="PBnMSnyrQZD8sY5J69VL0Nj9jfEs0UJnNd3Pupv5MpA2nmJ9bSmYZAoxlAv4dNQn"
# Elasticsearch
search {
? ## Basic configuration
? # Index name.
? index = the_hive
? # ElasticSearch instance address.
? uri = "http://127.0.0.1:9200/"
? ## Advanced configuration
? # Scroll keepalive.
? #keepalive = 1m
? # Scroll page size.
? #pagesize = 50
? # Number of shards
? #nbshards = 5
? # Number of replicas
? #nbreplicas = 1
? # Arbitrary settings
? #settings {
? #? # Maximum number of nested fields
? #? mapping.nested_fields.limit = 100
? #}
? ## Authentication configuration
#@kindsjay@JamesCullum. Changing the application.conf key "search.username" to "user" and "search.password" to "password #resolved this for me on both RC01 and RC02. Thanks to@ag-michaelfor pointing me towards this fix.
#https://github.com/TheHive-Project/TheHive/issues/1055
# 加es的用戶認證,請將"search.username" 更改為 "user" and #"search.password" 更改為 "password"
? #search.username = ""
? #search.password = ""
? ## SSL configuration
? #search.keyStore {
? #? path = "/path/to/keystore"
? #? type = "JKS" # or PKCS12
? #? password = "keystore-password"
? #}
? #search.trustStore {
? #? path = "/path/to/trustStore"
? #? type = "JKS" # or PKCS12
? #? password = "trustStore-password"
? #}
}
# Authentication
auth {
? # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
? # available auth types are:
? # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
? # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
? # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
? # oauth2 : use OAuth/OIDC to authenticate users. Configuration is under "auth.oauth2" and "auth.sso" keys
? provider = [local]
? # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
? #method.basic = true
? ad {
? ? # The Windows domain name in DNS format. This parameter is required if you do not use
? ? # 'serverNames' below.
? ? #domainFQDN = "mydomain.local"
? ? # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
? ? # above. If this parameter is not set, TheHive uses 'domainFQDN'.
? ? #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
? ? # The Windows domain name using short format. This parameter is required.
? ? #domainName = "MYDOMAIN"
? ? # If 'true', use SSL to connect to the domain controller.
? ? #useSSL = true
? }
? ldap {
? ? # The LDAP server name or address. The port can be specified using the 'host:port'
? ? # syntax. This parameter is required if you don't use 'serverNames' below.
? ? #serverName = "ldap.mydomain.local:389"
? ? # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
? ? #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
? ? # Account to use to bind to the LDAP server. This parameter is required.
? ? #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
? ? # Password of the binding account. This parameter is required.
? ? #bindPW = "***secret*password***"
? ? # Base DN to search users. This parameter is required.
? ? #baseDN = "ou=users,dc=mydomain,dc=local"
? ? # Filter to search user in the directory server. Please note that {0} is replaced
? ? # by the actual user name. This parameter is required.
? ? #filter = "(cn={0})"
? ? # If 'true', use SSL to connect to the LDAP directory server.
? ? #useSSL = true
? }
? oauth2 {
? ? # URL of the authorization server
? ? #clientId = "client-id"
? ? #clientSecret = "client-secret"
? ? #redirectUri = "https://my-thehive-instance.example/index.html#!/login"
? ? #responseType = "code"
? ? #grantType = "authorization_code"
? ? # URL from where to get the access token
? ? #authorizationUrl = "https://auth-site.com/OAuth/Authorize"
? ? #tokenUrl = "https://auth-site.com/OAuth/Token"
? ? # The endpoint from which to obtain user details using the OAuth token, after successful login
? ? #userUrl = "https://auth-site.com/api/User"
? ? #scope = "openid profile"
? }
? # Single-Sign On
? sso {
? ? # Autocreate user in database?
? ? #autocreate = false
? ? # Autoupdate its profile and roles?
? ? #autoupdate = false
? ? # Autologin user using SSO?
? ? #autologin = false
? ? # Attributes mappings
? ? #attributes {
? ? #? login = "sub"
? ? #? name = "name"
? ? #? groups = "groups"
? ? #? #roles = "roles"
? ? #}
? ? # Name of mapping class from user resource to backend user ('simple' or 'group')
? ? #mapper = group
? ? # Default roles for users with no groups mapped ("read", "write", "admin")
? ? #defaultRoles = []
? ? #groups {
? ? #? # URL to retreive groups (leave empty if you are using OIDC)
? ? #? #url = "https://auth-site.com/api/Groups"
? ? #? # Group mappings, you can have multiple roles for each group: they are merged
? ? #? mappings {
? ? #? ? admin-profile-name = ["admin"]
? ? #? ? editor-profile-name = ["write"]
? ? #? ? reader-profile-name = ["read"]
? ? #? }
? ? #}
? }
}
# Maximum time between two requests without requesting authentication
session {
? warning = 5m
? inactivity = 1h
}
# Max textual content length
play.http.parser.maxMemoryBuffer= 1M
# Max file size
play.http.parser.maxDiskBuffer = 1G
# Cortex
# TheHive can connect to one or multiple Cortex instances. Give each
# Cortex instance a name and specify the associated URL.
#
# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line
play.modules.enabled += connectors.cortex.CortexConnector
#需要更改的地方
cortex {
? "LOCAL CORTEX" {
? ? url = "http://127.0.0.1:9001"
? ? key ="ZN4hcdcFSJP3DmfCvYZsjGC9GyOrKj7j"
? ? }
? #"CORTEX-SERVER-ID" {
? #? url = ""
? #? key = ""
? #? # HTTP client configuration (SSL and proxy)
? #? ws {}
? #}
}
# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must? be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.
# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).
#play.modules.enabled += connectors.misp.MispConnector
misp {
? # Interval between consecutive MISP event imports in hours (h) or
? # minutes (m).
? interval = 1h
? #"MISP-SERVER-ID" {
? #? # MISP connection configuration requires at least an url and a key. The key must
? #? # be linked with a sync account on MISP.
? #? url = ""
? #? key = ""
? #
? #? # Name of the case template in TheHive that shall be used to import
? #? # MISP events as cases by default.
? #? caseTemplate = "<Template_Name_goes_here>"
? #
? #? # Optional tags to add to each observable? imported? from? an? event
? #? # available on this instance.
? #? tags = ["misp-server-id"]
? #
? #? ## MISP event filters
? #? # MISP filters is used to exclude events from the import.
? #? # Filter criteria are:
? #? # The number of attribute
? #? max-attributes = 1000
? #? # The size of its JSON representation
? #? max-size = 1 MiB
? #? # The age of the last publish date
? #? max-age = 7 days
? #? # Organization and tags
? #? exclusion {
? #? ? organisation = ["bad organisation", "other organisations"]
? #? ? tags = ["tag1", "tag2"]
? #? }
? #
? #? ## HTTP client configuration (SSL and proxy)
? #? # Truststore to use to validate the X.509 certificate of the MISP
? #? # instance if the default truststore is not sufficient.
? #? # Proxy can also be used
? #? ws {
? #? ? ssl.trustManager.stores = [ {
? #? ? ? path = /path/to/truststore.jks
? #? ? } ]
? #? ? proxy {
? #? ? ? host = proxy.mydomain.org
? #? ? ? port = 3128
? #? ? }
? #? }
? #
? #? # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
? #? # Default is ImportAndExport
? #? purpose = ImportAndExport
? #} ## <-- Uncomment to complete the configuration
}
同樣需要初始化
祝好運!
