#!/bin/bash
# pcap as a service, capture network data for later processing with tools like Zeek and RITA
# GPL-3.0-or-later
# shellcheck disable=SC2034
# Works with:
# - Ubuntu
# - pfSense (to do)
# This script was built from the following examples:
# https://github.com/0ptsec/optsecdemo
# https://github.com/bettercap/bettercap/blob/master/bettercap.service
# https://github.com/angristan/wireguard-install
# https://github.com/g0tmi1k/os-scripts/blob/master/kali2.sh
# Additional resources:
# https://github.com/zeek/zeek
# https://github.com/activecm/rita
# Thanks and credits:
# https://github.com/william-stearns (wstearns-ACM) in the Threat Hunter Community Discord
# https://unix.stackexchange.com/questions/194863/delete-files-older-than-x-days (user basic6's answer)
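# ANSI colour codes for the status messages below (printed with echo -e).
# They are constants, so mark them readonly; SC2034 is disabled at the top of
# the file because not every colour is used.
readonly RED="\033[01;31m" # Issues/Errors
readonly GREEN="\033[01;32m" # Success
readonly YELLOW="\033[01;33m" # Warnings
readonly BLUE="\033[01;34m" # Information
readonly BOLD="\033[01;01m" # Highlight
readonly RESET="\033[00m" # Normal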
function IsRoot() {
  # Refuse to continue unless the effective user is root (EUID 0).
  # Prints a message to stdout and exits with status 1 otherwise.
  if (( EUID != 0 )); then
    echo "You need to run this script as root"
    exit 1
  fi
}
# Abort early unless running as root (EUID 0); everything below writes system files.
IsRoot
function checkOS() {
  # Identify the distribution from /etc/os-release and stop (or ask whether to
  # continue) when it is not one this script has been tried on.
  # Globals written: OS, CODENAME, MAJOR_UBUNTU_VERSION, MAJOR_FEDORA_VERSION, CONTINUE.
  OS="$(grep -E "^ID=" /etc/os-release | cut -d '=' -f 2)"
  case "$OS" in
    '')
      # No ID= line at all; pfSense is recognised via /etc/platform but is still "to do".
      OS="$(cat /etc/platform)"
      if [[ "$OS" == pfSense ]]; then
        echo -e "[${BLUE}i${RESET}]$OS detected."
      fi
      exit 1
      ;;
    ubuntu)
      CODENAME="$(grep VERSION_CODENAME /etc/os-release | cut -d '=' -f 2)" # debian or ubuntu
      echo -e "[${BLUE}i${RESET}]$OS $CODENAME detected."
      # VERSION_ID="22.04" -> 22
      MAJOR_UBUNTU_VERSION=$(grep VERSION_ID /etc/os-release | cut -d '"' -f2 | cut -d '.' -f 1)
      if [[ $MAJOR_UBUNTU_VERSION -lt 18 ]]; then
        echo "⚠️ Your version of Ubuntu is not supported."
        echo ""
        echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
        echo ""
        while ! [[ $CONTINUE =~ ^(y|n)$ ]]; do
          read -rp "Continue? [y/n]: " -e CONTINUE
        done
        if [[ $CONTINUE == "n" ]]; then
          exit 1
        fi
      fi
      ;;
    fedora)
      MAJOR_FEDORA_VERSION="$(grep VERSION_ID /etc/os-release | cut -d '=' -f2)"
      echo -e "[${BLUE}i${RESET}]$OS $MAJOR_FEDORA_VERSION detected."
      if [[ $MAJOR_FEDORA_VERSION -lt 34 ]]; then
        echo "⚠️ Your version of Fedora may not be supported."
        echo ""
        while ! [[ $CONTINUE =~ ^(y|n)$ ]]; do
          read -rp "Continue? [y/n]: " -e CONTINUE
        done
        if [[ $CONTINUE == "n" ]]; then
          exit 1
        fi
      fi
      ;;
  esac
}
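checkOS
# If the service was installed by an earlier run, offer to tear it down and
# reconfigure it; otherwise leave the running setup alone and exit.
if [ -e /etc/systemd/system/packet-capture.service ]; then
  systemctl status packet-capture.service
  echo ""
  echo -e "[${BLUE}i${RESET}]Service already exists. Reconfigure and overwrite it?"
  until [[ $RECONFIGURE_CHOICE =~ ^(y|n)$ ]]; do
    read -rp "[y/n]: " -e -i y RECONFIGURE_CHOICE
  done
  if [ "$RECONFIGURE_CHOICE" == y ]; then
    # Stop and disable before the unit file disappears, so systemd is not left
    # tracking a running instance of a unit that no longer exists on disk.
    if systemctl is-active packet-capture.service > /dev/null; then
      systemctl stop packet-capture.service
    fi
    if systemctl is-enabled packet-capture.service > /dev/null; then
      systemctl disable packet-capture.service
    fi
    # rm -f: a cron file that was already removed by hand must not abort the
    # chain and skip daemon-reload (which would keep the stale unit loaded).
    # Removing the cron file also matters because SchedulePCAPRotation
    # re-creates it below.
    rm -f -- /etc/systemd/system/packet-capture.service /etc/cron.d/pcap-rotation-service
    systemctl daemon-reload
  else
    exit 0
  fi
fi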
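function DefinePCAPPath() {
  # Prompt for the pcap storage directory (global PCAP_PATH) and create it with
  # restrictive permissions, owned by the unprivileged user tcpdump drops to.
  echo ""
  echo -e "[${BLUE}>${RESET}]Please enter a path for pcap storage (default is ${GREEN}/var/log/pcaps${RESET})"
  echo ""
  # Only absolute paths made of [A-Za-z0-9_-] components are accepted. The value
  # is later interpolated into a cron line and the unit's ExecStart=, so a narrow
  # character set is worth more here than supporting every possible path.
  until [[ $PCAP_PATH =~ ^(/[a-zA-Z0-9_-]+){1,}$ ]]; do
    read -rp "[Enter full path without the trailing '/']: " -e -i '/var/log/pcaps' PCAP_PATH
  done
  # The loop above guarantees a non-empty PCAP_PATH, so the former
  # "empty means /var/log/pcaps" branch could never run; one branch is enough.
  if [ -e "$PCAP_PATH" ]; then
    echo -e "[${GREEN}✓${RESET}]$PCAP_PATH exists."
    # NOTE(review): mode/ownership of a pre-existing directory are left untouched;
    # tcpdump runs as nobody (-Z nobody) and needs write access to it — verify by hand.
  else
    echo -e "[${GREEN}>${RESET}]Creating $PCAP_PATH..."
    mkdir -p -- "$PCAP_PATH"
    # 750 nobody:nobody — only the capture user (and root) can read the pcaps.
    chmod 750 -- "$PCAP_PATH"
    chown nobody:nobody -- "$PCAP_PATH"
  fi
}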
# Ask for / create the pcap directory; sets the global PCAP_PATH used by the cron task and unit below.
DefinePCAPPath
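function DefineNIC() {
  # Select the capture interface; the answer lands in the global
  # CAP_IFACE_CHOICE (interpolated into the unit's ExecStart=, so the accepted
  # character set stays narrow). CAP_IFACE holds the suggested default.
  local detected
  # "<n>: <name>:" lines from `ip a`, reduced to the bare interface names
  detected="$(ip a | grep -oP "^\d+:\s+\w+:" | cut -d ':' -f 2 | sed 's/[[:space:]]//g')"
  # Suggest only the FIRST e* (wired-looking) interface: with several of them the
  # old default contained embedded newlines, which corrupted the prompt below.
  CAP_IFACE="$(grep -P "^e\w+" <<<"$detected" | head -n 1)"
  echo ""
  echo -e "[${BLUE}i${RESET}]Detecting network interfaces..."
  if [[ -n "$detected" ]]; then
    printf '%s\n' "$detected"
  fi
  echo ""
  echo -e "[${BLUE}i${RESET}]Which interface would you like to capture from?"
  # Names such as eno1.100 or br-lan are accepted as well; still no whitespace,
  # quotes or % (a systemd specifier character).
  until [[ $CAP_IFACE_CHOICE =~ ^[[:alnum:]._-]+$ ]]; do
    read -rp "Interface: " -e -i "$CAP_IFACE" CAP_IFACE_CHOICE
  done
}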
# Pick the capture interface; sets the global CAP_IFACE_CHOICE used in ExecStart= below.
DefineNIC
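function SchedulePCAPRotation() {
  # Write a cron.d task that deletes pcaps older than DAYS days from PCAP_PATH.
  # Arguments: $1 (optional) - cron file to write; defaults to
  #            /etc/cron.d/pcap-rotation-service.
  # Globals:   PCAP_PATH (read), DAYS (read; prompted for when not a number).
  local cron_file="${1:-/etc/cron.d/pcap-rotation-service}"
  echo ""
  echo -e "[${BLUE}i${RESET}]Please enter a range of time in days for logs to maintain."
  echo " Cron will run daily ($cron_file) to rotate the pcaps."
  echo ""
  until [[ $DAYS =~ ^([[:digit:]]+)$ ]]; do
    read -rp "Range of time (days): " -e -i 30 DAYS
  done
  # "0 0 * * *" is once a day at midnight; the previous "* 0 * * *" ran every
  # minute of the 00:xx hour, contrary to the "daily" message above.
  # Only *.pcap files are deleted: the path check admits shared directories
  # such as /var/log, and an unrestricted -delete there would remove other logs.
  # Overwrite (>) rather than append (>>) so a re-run does not stack duplicate jobs.
  printf '%s\n' \
    "# Cron task for packet-capture.service" \
    "# Rotates pcap files under $PCAP_PATH based on the range of time in days" \
    "# For example, +60 means 60 days of pcaps are maintained" \
    "0 0 * * * root /usr/bin/find \"$PCAP_PATH\" -type f -name '*.pcap' -mtime +$DAYS -delete" > "$cron_file"
  # Keep the file root-writable only; some cron implementations skip cron.d
  # entries with looser modes.
  chmod 644 -- "$cron_file"
  echo -e "${GREEN}[>]${RESET}Added task to $cron_file"
}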
# Install the cron task that prunes pcaps older than DAYS days from PCAP_PATH.
SchedulePCAPRotation
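# Refuse to write a unit that cannot start: with tcpdump absent, command -v
# expands to nothing and ExecStart= would read "/usr/bin/nice -n 15 -i ...",
# which only surfaces as a failure at start time.
TCPDUMP_BIN="$(command -v tcpdump)"
if [ -z "$TCPDUMP_BIN" ]; then
  echo -e "[${RED}x${RESET}]tcpdump was not found in PATH. Install it, then run this script again."
  exit 1
fi
# cat /etc/systemd/system/packet-capture.service
echo "[Unit]
Description=Packet capture service for network forensics
Documentation=https://github.com/straysheep-dev/network-visibility, https://www.activecountermeasures.com/raspberry-pi-network-sensor-webinar-qa/
Wants=network.target
After=network.target
[Service]
Type=simple
PermissionsStartOnly=true
ExecStart=/usr/bin/nice -n 15 $TCPDUMP_BIN -i $CAP_IFACE_CHOICE -Z nobody -G 3600 -w '$PCAP_PATH/$(hostname -s).%%Y%%m%%d%%H%%M%%S.pcap' '((tcp[13] & 0x17 != 0x10) or not tcp)'
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/packet-capture.service
# Notes on the unit above:
# - -Z nobody: tcpdump drops privileges after opening the interface, which is why
#   DefinePCAPPath hands $PCAP_PATH to nobody; Restart=always restarts it automatically.
# - -G 3600 rotates to a new file every hour; use %% to escape %'s in systemd service units.
# - The capture filter keeps all non-TCP traffic and TCP segments whose
#   FIN/SYN/RST/ACK bits are not "ACK only" — connection metadata rather than
#   full payload; presumably deliberate, see the Documentation= URLs.
# - Ownership layout from the original example, kept for reference:
#     root:root /opt/pcaps
#     tcpdump:tcpdump /opt/pcaps/hostname.%%Y%%m%%d%%H%%M%%S.pcap
# - $(hostname -s) is expanded now, inside the double-quoted string, not by systemd.
echo ""
echo -e "[${BLUE}i${RESET}]Reloading all systemctl service files..."
echo ""
# Each step depends on the previous one; stop at the first failure instead of
# printing "Done." over a unit that was never enabled or started.
if ! systemctl daemon-reload; then
  echo -e "[${RED}x${RESET}]systemctl daemon-reload failed."
  exit 1
fi
echo -e "[${BLUE}i${RESET}]Enabling packet-capture.service..."
echo ""
if ! systemctl enable packet-capture.service; then
  echo -e "[${RED}x${RESET}]Could not enable packet-capture.service."
  exit 1
fi
echo -e "[${BLUE}i${RESET}]Starting packet-capture.service"
echo ""
if ! systemctl start packet-capture.service; then
  echo -e "[${RED}x${RESET}]Could not start packet-capture.service; check 'journalctl -u packet-capture.service'."
  exit 1
fi
echo -e "[${GREEN}✓${RESET}]Done."
echo ""
systemctl status packet-capture.service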