SIEMonster V2 VM Installation Guide Release 1.4 November 2016


Table of contents

1 Overview
2 Getting Started
2.1 Installation
2.2 VMware Appliance Import
2.3 Logging in to the appliance
3 Configuration
3.1 Static IP and hosts file setup
3.2 IP changes
3.3 Internal DNS for corporate environment changes
3.4 Internal Proxy if Proxies are used
3.5 Proteus Dockbeat SHARD FLUSH
3.6 Web Interface IP & Setup
3.7 Profile button Password change
3.8 Dashboards
4 Changing Passwords
4.1 Default Passwords
4.2 Trial License
4.3 Proteus TimeZone Updates


1 OVERVIEW

Welcome to the SIEMonster V2.

SIEMonster is a collection of open source security event management tools in a single package. You can be up and running in 10 minutes with live data on a dashboard, without the usual configuration headaches. The latest updates are available on www.siemonster.com under the Support tab.

The Version 1 build was produced by assignment scripts, but because of the complexity of V2 we have released the build as separate OVA files to reduce build and configuration time; bringing up the build from scripts was far too complex for the average user. The default usernames and passwords for accessing SIEMonster are listed in the Default Passwords section (4.1). These passwords must be changed after installation, before the appliances are reachable from anything beyond the build network. SIEMonster has been built to run on VMware Workstation, ESX, Amazon AWS and Microsoft Azure; this guide covers the VM installation. The minimum system memory is 4GB on each node, as pre-set in the OVA; the recommended allocation is 16GB each for Proteus and Capricorn, and 32GB each for Kraken and Tiamat.

[Figure: SIEMonster overview]


2 GETTING STARTED

2.1 INSTALLATION

The SIEMonster OVA appliances for Release 2.0 can be downloaded from the SIEMonster website under Downloads. There are six Monsters. Proteus, Capricorn, Kraken and Tiamat are required to make up SIEMonster; Hydra (data logger) and Ikuturso (Bro/IDS) are optional. The installation now makes use of the Docker overlay, with applications pulled from the SIEMonster repository, so ensure that the VM host has an active internet connection before proceeding and be aware that data will be downloaded. The process is:

1. Download the 4-6 images

2. Open the virtual machines and rename them to their roles

3. Change the IPs and reboot

4. Set up your local machine with DNS entries that map to the web interface

5. Test all the interfaces

6. Enable SSL for internal/external access

7. Change all default passwords

2.2 VMWARE APPLIANCE IMPORT

In VMware, choose Open a Virtual Machine, rename the machine to its role and import it; repeat for each appliance, one at a time, in any order.


NOTE:

Once the image has been imported the appliance can be powered on. Adjustments to system memory are required; see the FAQ. The minimum requirement is 4GB per appliance.

Crucial: if the system memory is changed, edit the following file: /etc/default/elasticsearch

Find the line ES_HEAP_SIZE=2g. This applies to Proteus, Kraken and Tiamat; it does not need to be changed on Capricorn, Ikuturso and Hydra.

Change 2g to half of the system memory, e.g. if system memory is 8GB set ES_HEAP_SIZE=4g.

Check and activate the network connection in VMware on each instance (Network Adapter, Connect on startup) before you boot each appliance. If you are worried about IP conflicts, keep the network connection disabled, change the IP, shut down the appliance, then re-enable the connection.
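The heap adjustment above is easy to get wrong by hand (a typo in the unit, or a value larger than the JVM can use), so here is an added example, not from the SIEMonster guide, that derives ES_HEAP_SIZE from the VM's memory and rewrites /etc/default/elasticsearch on Proteus, Kraken or Tiamat. It assumes /proc/meminfo is readable, that the file contains a line starting with ES_HEAP_SIZE= (possibly commented out), and that the service is called elasticsearch (an assumption; a reboot, as the guide implies, also picks up the change). The 31g cap is general Elasticsearch guidance that the guide does not mention: above it the JVM loses compressed object pointers.

```shell
#!/bin/sh
# Added example, not part of the SIEMonster guide: size ES_HEAP_SIZE from the
# VM's memory and apply it to /etc/default/elasticsearch on Proteus, Kraken
# and Tiamat. Assumptions: /proc/meminfo is readable, the file has a line
# starting with ES_HEAP_SIZE= (possibly commented out), and the service is
# called "elasticsearch" (hypothetical; a reboot also works).

# Heap size ("Ng") for a total memory given in kB: RAM rounded to whole GiB,
# halved, never below 1g and capped at 31g so the JVM keeps compressed object
# pointers (a general Elasticsearch rule the guide does not state).
es_heap_for_kb() {
    total_kb=$1
    total_g=$(( (total_kb + 524288) / 1048576 ))
    half_g=$(( total_g / 2 ))
    if [ "$half_g" -lt 1 ]; then half_g=1; fi
    if [ "$half_g" -gt 31 ]; then half_g=31; fi
    echo "${half_g}g"
}

# Rewrite the ES_HEAP_SIZE line in CONF to HEAP, keeping a .bak copy and
# preserving the file's owner and mode. Prints the resulting line; fails
# (grep returns 1) if the file had no ES_HEAP_SIZE line to rewrite.
write_es_heap() {
    conf=$1 heap=$2
    cp "$conf" "$conf.bak"
    sed "s/^#*ES_HEAP_SIZE=.*/ES_HEAP_SIZE=$heap/" "$conf.bak" > "$conf"
    grep '^ES_HEAP_SIZE=' "$conf"
}

# Full run on a node: read MemTotal, compute, write, restart. Run as root.
set_es_heap() {
    conf=${1:-/etc/default/elasticsearch}
    total_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    write_es_heap "$conf" "$(es_heap_for_kb "$total_kb")"
    service elasticsearch restart
}

# Only act when invoked as `sudo sh es-heap.sh apply`; sourcing does nothing.
if [ "${1:-}" = apply ]; then
    set_es_heap "${2:-/etc/default/elasticsearch}"
fi
```

Run it as `sudo sh es-heap.sh apply` on each of the three Elasticsearch nodes after resizing the VM; MemTotal reported by the kernel is slightly below the VM's nominal size, which is why the script rounds to the nearest GiB before halving, so an 8GB VM still lands on 4g.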

2.3 LOGGING IN TO THE APPLIANCE

Boot order is Kraken, Tiamat, Proteus, then Capricorn last.

Once the appliance has started up, login as user siemonster with password siemonster.


3 CONFIGURATION

3.1 STATIC IP AND HOSTS FILE SETUP

In order that each server can be resolved by name, a suitable hosts file must be configured and a static IP address set.

Plan the IP range that will be used and adjust the values accordingly. The template files presume an IP range from 192.168.0.101 to 192.168.0.106 and can be adjusted to suit your environment.

Server Name   IP Address      Role
Kraken        192.168.0.101   Database Cluster Node 1
Tiamat        192.168.0.102   Database Cluster Node 2
Proteus       192.168.0.103   Front End (database in a 2-node instance)
Capricorn     192.168.0.104   Front End
Hydra         192.168.0.105   Remote Collector
Ikuturso      192.168.0.106   Bro/IDS

3.2 IP CHANGES

You will need to change the IPs to suit your environment. On each server, edit the /etc/hosts entries and /etc/network/interfaces using sudo, then reboot:

sudo pico /etc/hosts

sudo pico /etc/network/interfaces

sudo reboot

If you unchecked the Network Adapter's Connect on startup option in VMware, re-check it now.

Once all the servers are up, ping each server by name and ping google.com to confirm internal and external connectivity (a failure by name points at /etc/hosts, a failure to google.com at the gateway or DNS settings).
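The hosts table and interface edit above are repeated on every node, so here is an added example, not from the SIEMonster guide, that generates both files from the one role table and runs the by-name ping check the guide asks for. It assumes the 192.168.0.101-106 plan from the table, a /24 whose gateway is .1 (hypothetical), the interface name eth0 (hypothetical; confirm with `ip link`), and Ubuntu's ifupdown format, which the guide's /etc/network/interfaces edit implies. Ikuturso is given .106, the one address the guide's range leaves unused.

```shell
#!/bin/sh
# Added example, not part of the SIEMonster guide: generate the /etc/hosts
# block and the static /etc/network/interfaces stanza for one node, then check
# that every node answers by name. Assumptions: the .101-.106 plan from the
# table, a /24 whose gateway is .1 (hypothetical), interface eth0
# (hypothetical; confirm with `ip link`), and Ubuntu's ifupdown file format.

# Role table: name, last octet, role. Ikuturso takes .106, the one address the
# guide's .101-.106 range leaves unused.
siem_nodes() {
    cat <<'EOF'
kraken 101 Database Cluster Node 1
tiamat 102 Database Cluster Node 2
proteus 103 Front End (database in a 2-node instance)
capricorn 104 Front End
hydra 105 Remote Collector
ikuturso 106 Bro/IDS
EOF
}

# hosts(5) lines for every node on a /24 prefix such as 192.168.0.
siem_hosts_block() {
    prefix=$1
    siem_nodes | while read -r name octet _; do
        printf '%s.%s\t%s\n' "$prefix" "$octet" "$name"
    done
}

# Last octet of a node by name; exit status 1 for an unknown node.
siem_octet() {
    siem_nodes | awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# ifupdown stanza with the node's static address.
siem_interfaces_stanza() {
    name=$1 prefix=$2 iface=${3:-eth0}
    octet=$(siem_octet "$name") || return 1
    cat <<EOF
auto $iface
iface $iface inet static
    address $prefix.$octet
    netmask 255.255.255.0
    gateway $prefix.1
EOF
}

# Write both files on this node (run as root), keeping .bak copies; reboot
# afterwards as the guide says.
siem_apply_network() {
    name=$1 prefix=$2 iface=${3:-eth0}
    stanza=$(siem_interfaces_stanza "$name" "$prefix" "$iface") || { echo "unknown node: $name" >&2; return 1; }
    cp /etc/hosts /etc/hosts.bak
    # drop an earlier SIEMonster block so re-running does not duplicate lines
    grep -v -E '[[:space:]](kraken|tiamat|proteus|capricorn|hydra|ikuturso)$' /etc/hosts.bak > /etc/hosts || true
    siem_hosts_block "$prefix" >> /etc/hosts
    cp /etc/network/interfaces /etc/network/interfaces.bak
    printf 'auto lo\niface lo inet loopback\n\n%s\n' "$stanza" > /etc/network/interfaces
}

# Ping every node by name and google.com, as the guide instructs; non-zero
# exit if any fail.
siem_check_names() {
    rc=0
    for h in $(siem_nodes | awk '{ print $1 }') google.com; do
        if ping -c 1 -W 2 "$h" > /dev/null 2>&1; then
            echo "ok   $h"
        else
            echo "FAIL $h"
            rc=1
        fi
    done
    return $rc
}

# Usage: sudo sh siem-net.sh apply kraken 192.168.0 [eth0]; after the reboot,
# sh siem-net.sh check. Sourcing the file runs nothing.
case ${1:-} in
    apply) siem_apply_network "$2" "$3" "${4:-eth0}" ;;
    check) siem_check_names ;;
    hosts) siem_hosts_block "${2:-192.168.0}" ;;
esac
```

Run `apply` with the node's own role name on each appliance while its network adapter is still disconnected (the guide's advice for avoiding IP conflicts), reboot, reconnect the adapter, and run `check` from any node once all four required appliances are up; a name that fails here will also fail for the Elasticsearch cluster and the Docker services that rely on it.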


3.3 INTERNAL DNS FOR CORPORATE ENVIRONMENT CHANGES

Note: only relevant where outbound DNS is blocked in corporate environments.

If your company blocks outbound DNS requests except those sourced from internal resolvers, you will need to make a file change so Docker can reach the outside world for container updates.

Create a file /etc/docker/daemon.json

Edit this file and include your internal DNS servers:

{ "dns": ["192.168.10.1", "192.168.20.1"] }

Restart Docker:

sudo service docker restart

Wait for the containers to come back up, or simply reboot Capricorn.

Check result:

docker exec -it nginx cat /etc/resolv.conf

docker exec -it nginx wget get.docker.com

3.4 INTERNAL PROXY IF PROXIES ARE USED

When deployed in an environment that requires a proxy for outgoing traffic, add the proxy by editing /etc/default/docker: un-comment the line "#export http_proxy=..." and add the proxy details, then restart Docker as in 3.3 for the change to take effect.

3.5 PROTEUS DOCKBEAT SHARD FLUSH

Run the following command from a Proteus shell to flush the Dockbeat shard data:

curl -XDELETE 'localhost:9200/dockb*/'

Failure to do so will leave a blank dashboard in SIEMonster; the command can be run at any time. Note that the wildcard deletes every index whose name begins with dockb, so if Proteus already holds data, check what the pattern matches before deleting.


3.6 WEB INTERFACE IP & SETUP

The web interface uses a DNSMasq service on Capricorn to resolve local subdomains, which are served through an Nginx container.

For a successful deployment this requires a few additions to the local hosts file on the client that accesses the web server.

On Windows this means editing C:\Windows\System32\Drivers\Etc\Hosts (on Windows 7 and 10, copy the hosts file to your desktop, make the changes and copy it back to avoid permission issues).

On Linux, add the entries to /etc/hosts.

Add the following entries, assuming Capricorn is set to 192.168.0.104:

192.168.0.104 v2.siemonster.local
192.168.0.104 admin.v2.siemonster.local
192.168.0.104 app.v2.siemonster.local
192.168.0.104 ir.v2.siemonster.local
192.168.0.104 411.v2.siemonster.local
192.168.0.104 reporting.v2.siemonster.local
192.168.0.104 minemeld.v2.siemonster.local
192.168.0.104 health.v2.siemonster.local
192.168.0.104 sm-kibana.v2.siemonster.local
192.168.0.104 splogtash.v2.siemonster.local
192.168.0.104 python_simplehttpserver.v2.siemonster.local
192.168.0.104 alerta-web.v2.siemonster.local

The correct address to use is http://v2.siemonster.local

Wait up to 5 minutes after Capricorn has booted to ensure all the services have started, especially the web server. Ping v2.siemonster.local to confirm the name maps to the right IP. The default username is [email protected] and the default password is siemonster. The interface is served over plain HTTP until step 6 of the installation (enable SSL) is done, so do not log in to it across an untrusted network with these credentials.
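Pinging v2.siemonster.local only proves one of the twelve names; a browser that fails on admin.v2.siemonster.local usually has that one entry missing or pointing at an old Capricorn address. The following added example, not from the SIEMonster guide, reports which names are missing or wrong in a hosts file, appends the missing ones, and then checks every virtual host with ping and an HTTP request. It assumes the twelve names listed above, Capricorn at 192.168.0.104, a Linux or macOS client with curl and awk (on Windows, paste the same lines into the hosts file named above), and that Nginx on Capricorn selects the vhost from the Host header.

```shell
#!/bin/sh
# Added example, not part of the SIEMonster guide: manage the client-side
# hosts entries for the Capricorn web interface and verify each virtual host
# resolves and answers. Assumptions: the twelve names the guide lists,
# Capricorn at 192.168.0.104, a Linux/macOS client with curl and awk, and
# Nginx on Capricorn choosing the vhost from the Host header.

# The names the guide lists, one per line.
siem_web_names() {
    cat <<'EOF'
v2.siemonster.local
admin.v2.siemonster.local
app.v2.siemonster.local
ir.v2.siemonster.local
411.v2.siemonster.local
reporting.v2.siemonster.local
minemeld.v2.siemonster.local
health.v2.siemonster.local
sm-kibana.v2.siemonster.local
splogtash.v2.siemonster.local
python_simplehttpserver.v2.siemonster.local
alerta-web.v2.siemonster.local
EOF
}

# hosts lines mapping every name to Capricorn's IP.
siem_client_hosts_lines() {
    ip=$1
    for n in $(siem_web_names); do printf '%s\t%s\n' "$ip" "$n"; done
}

# Names that are absent from HOSTSFILE or only mapped to a different IP.
siem_client_hosts_missing() {
    hostsfile=$1 ip=$2
    for n in $(siem_web_names); do
        if ! awk -v ip="$ip" -v n="$n" \
              '$1 == ip { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
               END { exit !found }' "$hostsfile"; then
            echo "$n"
        fi
    done
}

# Append the missing lines (run with sudo when the file is /etc/hosts).
siem_client_hosts_apply() {
    hostsfile=$1 ip=$2
    missing=$(siem_client_hosts_missing "$hostsfile" "$ip")
    for n in $missing; do
        printf '%s\t%s\n' "$ip" "$n" >> "$hostsfile"
    done
}

# Ping plus one HTTP request per name. Any code other than 000 means Nginx
# answered for that vhost; a 502 during the first five minutes after
# Capricorn boots just means the backing service is still starting.
siem_client_web_check() {
    rc=0
    for n in $(siem_web_names); do
        if ping -c 1 -W 2 "$n" > /dev/null 2>&1; then
            code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "http://$n/" 2> /dev/null) || code=000
            echo "$n  HTTP $code"
            [ "$code" != 000 ] || rc=1
        else
            echo "$n  no ping reply"
            rc=1
        fi
    done
    return $rc
}

# Usage: sudo sh siem-client-hosts.sh apply 192.168.0.104
#        sh siem-client-hosts.sh check
case ${1:-} in
    apply) siem_client_hosts_apply /etc/hosts "${2:-192.168.0.104}" ;;
    check) siem_client_web_check ;;
    lines) siem_client_hosts_lines "${2:-192.168.0.104}" ;;
esac
```

The `missing` check treats a name that exists on a different IP as missing rather than editing it in place, so an old line is left for you to remove by hand; that is deliberate, since the script should never silently rewrite entries it did not create.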


3.7 PROFILE BUTTON PASSWORD CHANGE

DO NOT use the Profile button to change the Admin password; this button is not yet ready for production. Use http://admin.v2.siemonster.local, described below, for user maintenance. Administration of the web interface is managed from http://admin.v2.siemonster.local using the same credentials.

Users can be added and modified by clicking on the Users tab:

Click on the ‘Create Users’ link to create a new user and enter email/password details:


User profiles are in JSON format. Use the admin profile as a template when creating new users, copying and pasting the appropriate items.

If the JSON is malformed an alert is shown and the save function is disabled. Review the admin template and decide which dashboards and areas apply to which user; give each user only the areas they need.

3.8 DASHBOARDS

The only two dashboards that will have data initially are Health and Dockbeat. The other dashboards fill with data as you add agents to endpoints and point devices at SIEMonster.

4 CHANGING PASSWORDS

4.1 DEFAULT PASSWORDS

Host                                    User        Password    Access
192.168.0.101-104                       siemonster  siemonster  SSH/local access
Capricorn 411                           admin       admin       http://192.168.0.104:8080
Capricorn Incident Response (FIR) admin admin       admin       http://192.168.0.104:8000/admin
Capricorn Minemeld                      admin       minemeld    https://192.168.0.104:4443
Capricorn Health                        admin       admin       http://192.168.0.104:3000

Default passwords must be changed after the build

Once you are happy with your SIEM and it is in production, it is time to lock down the system, starting with all the default passwords. The same siemonster/siemonster credentials are accepted for SSH on every node, so do this before the appliances are reachable from the wider network. Below is a simple guide to changing the passwords on all the systems. Store the new passwords in a password manager.

Linux passwords for root and siemonster on all servers:

sudo passwd root

sudo passwd siemonster
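Running the two passwd commands by hand on four to six nodes invites reused or weak passwords. The following added example, not from the SIEMonster guide, generates a distinct random password per account and node and applies them in one pass from an admin workstation. It assumes the nodes 192.168.0.101-104 from the table (add .105 and .106 if Hydra and Ikuturso are deployed), that SSH as siemonster still works with the default password for this final login (you will be prompted once per host), that sudo on the nodes does not prompt for a password (`sudo -n` fails cleanly if it does; fall back to `sudo passwd` on the console for that node), and /dev/urandom on the workstation.

```shell
#!/bin/sh
# Added example, not part of the SIEMonster guide: rotate the root and
# siemonster passwords on every node from an admin workstation in one pass.
# Assumptions: nodes 192.168.0.101-104 as in the table (add .105/.106 for
# Hydra and Ikuturso), SSH as siemonster still works with the default
# password for this last login, sudo on the nodes does not prompt (sudo -n
# fails cleanly if it does), and /dev/urandom on the workstation.

# Random password of N (default 24) characters from a-z A-Z 0-9 _ -;
# 24 such characters carry about 143 bits of entropy.
siem_new_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c "${1:-24}"
    echo
}

# Rotate both accounts on each host; new passwords are appended to VAULT
# (created mode 600). chpasswd reads user:password pairs on stdin, so the
# secrets never appear in a command line, shell history or `ps` output.
# A host that fails is reported and skipped; its passwords stay unchanged.
siem_rotate_passwords() {
    vault=$1; shift
    ( umask 077; : >> "$vault" )
    for host in "$@"; do
        root_pw=$(siem_new_password)
        user_pw=$(siem_new_password)
        if printf 'root:%s\nsiemonster:%s\n' "$root_pw" "$user_pw" \
             | ssh "siemonster@$host" 'sudo -n chpasswd'; then
            printf '%s root %s\n%s siemonster %s\n' \
                "$host" "$root_pw" "$host" "$user_pw" >> "$vault"
            echo "rotated $host"
        else
            echo "FAILED $host (passwords unchanged, nothing recorded)" >&2
        fi
    done
}

# Usage: sh siem-rotate.sh apply ./siem-passwords.txt 192.168.0.101 192.168.0.102 192.168.0.103 192.168.0.104
# Move the file into your password manager and delete it afterwards.
if [ "${1:-}" = apply ]; then
    shift
    siem_rotate_passwords "$@"
fi
```

Verify each host with a fresh `ssh siemonster@host` using the recorded password before deleting the local file; the root password is only ever used at the VMware console, since the appliances are accessed as siemonster with sudo.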

Web Interface Portal

Administration of the web interface is managed from http://admin.v2.siemonster.local; the password can be changed there. Do not use the Profile button.

FIR password: log in as admin to the FIR web interface and change it in the Users section.

411: once logged in, go to the Users section:


Click on edit next to the user

Enter the new password twice.

4.2 TRIAL LICENSE

Trial License for activation: Go to Reports on the top menu. Click on the flashing icon:

Click ‘Activate License’


Tick the 'I agree to the terms and conditions' box and click Online Activation.

Importing your own license is also supported; see the upcoming Quick Guide.

4.3 PROTEUS TIMEZONE UPDATES

OSSEC by default uses the timezone of the local machine. To change the time zone, first change it locally:

sudo dpkg-reconfigure tzdata

Follow the prompts, then commit the change to OSSEC:

/home/siemonster/proteus/ossec-timezone.sh