-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathso-misp-setup
executable file
·112 lines (92 loc) · 2.99 KB
/
so-misp-setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#!/bin/bash
#
# Copyright (C) 2018 Wes Lambert
#
# This file is part of Security Onion MISP Import Wizard.
# Security Onion MISP Import Wizard is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# Security Onion MISP Import Wizard is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with Foobar. If not, see <https://www.gnu.org/licenses/>.
#
# Description: Configure Security Onion to Import NIDS Rules and Zeek Intel from MISP
. /usr/sbin/so-common
echo
echo "Welcome to the Security Onion MISP Import Wizard!"
echo
echo
echo "What is the URL of your MISP instance?"
read mispurl
echo
echo
echo "Please provide an API key to access a MISP instance."
echo
echo "You can find this information by navigating to:"
echo "https://your-misp-instance/events/automation"
read -s apikey
echo
echo
echo "Would you like to configure NIDS rules for Snort/Suricata?"
echo
echo "If so, please type YES below and press the ENTER key:"
echo
read nids_rules
echo
echo
echo "Would you like to configure Intel data for Zeek?"
echo
echo "If so, please type YES below and press the ENTER key:"
echo
read intel
echo
if [ ! $nids_rules = "YES" ] && [ ! $intel = "YES" ]; then
echo "No rules or intel data selected to import. Exiting..."
exit 0
fi
echo "To confirm, we will configure the following:"
echo
if [ $nids_rules = "YES" ]; then
echo "NIDS Rules: /opt/so/saltstack/local/salt/idstools/misp.rules"
fi
if [ $intel = "YES" ]; then
echo "Zeek Intel: /opt/so/saltstack/local/salt/zeek/policy/intel/misp-intel.dat"
fi
echo "MISP Server: $mispurl"
echo "API Key: (redacted)"
echo
echo
echo "If you would like to continue, please type "YES" below and press the ENTER key:"
read confirm
echo
if [ $confirm != "YES" ]; then
echo "Did confirm configuration...exiting..."
echo
exit 0
else
#echo "Cloning GH Repo..."
#git clone https://github.com/weslambert/securityonion-misp
MISPCFG="/etc/misp/mispcfg"
mkdir -p /etc/misp
cp securityonion-misp/mispcfg $MISPCFG
echo "Configuring..."
# Configure so-misp-download with appropriate values
sed -i "s|^MISP.*|MISP=\"$mispurl\"|" $MISPCFG
sed -i "s/^APIKEY.*/APIKEY=\"$apikey\"/" $MISPCFG
sed -i "s/^INTEL=.*/INTEL=\"${intel,,}\"/" $MISPCFG
sed -i "s/^NIDS_RULES.*/NIDS_RULES=\"${nids_rules,,}\"/" $MISPCFG
# Copy misp scripts into place
cp securityonion-misp/so-misp-download /usr/sbin/so-misp-download
cp securityonion-misp/so-misp-configure /usr/sbin/so-misp-configure
# Set perms
chmod +x /usr/sbin/so-misp-download
chmod +x /usr/sbin/so-misp-configure
echo
# Run configuration script
/usr/sbin/so-misp-configure
echo
fi