Tuesday, June 21, 2022

MalTrail - SecurityOnion@Home (Try)

I was reading up on MalTrail and wanted to get it up and operational on my SecurityOnion VM (I know it probably can't handle it, but there is no fun in that). At the moment I am not sure how CPU/RAM intensive MalTrail is, but I did see that it has been dockerized.

One thing of note: I am going into this knowing that it will be unsupported by the SecurityOnion team, which is understandable.

So with that, I am playing on my home setup of SecurityOnion, which I often test things with.  

Below is a screenshot of the Docker instructions.  

Seems easy enough. I made a slight change to the export location and skipped the apt parts :), since I am using CentOS and would like to limit the applications installed.

The for loop line I also skipped, as the sniffing port is already set to promiscuous mode.

I could have added the Docker container to the SecurityOnion elastic-net network, but that could cause other issues down the road.

The install went pretty easily, with no errors that I could see, but I could not access the site:

http://localhost:8338  

My thoughts were that I needed to open the firewall for this. Reading up on SecurityOnion, it looks like I needed to create a port group and then add it to the INPUT chain for Standalone?

*This is a standalone install of SecurityOnion

  • so-firewall addportgroup maltrail
  • so-firewall addport 8338
  • salt system_standalone state.apply firewall

Tried again to access http://localhost:8338 (No Success)

Next I tried: netstat -tulnp | grep LISTEN

Which looks like this:


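Reading the netstat output by eye only answers half of the question (is anything listening, and on which address?); whether an INPUT rule actually accepts the port is the other half. The shell helper below is an added example, not code from the post or from Security Onion's tooling: it classifies a port as not listening, loopback only, or listening on all interfaces, and checks the iptables INPUT chain for an ACCEPT rule. The sample ss and iptables -S output embedded in it is constructed; ss, netstat, iptables and port 8338 are the only real names, and the --live switch is this script's own convention.

```shell
#!/bin/sh
# Added diagnostic helper (not from the post or Security Onion): work out why a
# dockerized web UI such as MalTrail on 8338 is unreachable. The parsing is
# split from the live commands so it can be exercised on captured output.

# listen_state PORT LISTENER_OUTPUT -> prints none | loopback | all
# Accepts either `ss -tulnp` or `netstat -tulnp` output: any LISTEN line whose
# local address field ends in ":PORT" counts.
listen_state() {
    port="$1"; out="$2"
    printf '%s\n' "$out" | awk -v p="$port" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ ":" p "$") {
                    addr = substr($i, 1, length($i) - length(p) - 1)
                    if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
                        lb = 1
                    else
                        any = 1
                }
            }
        }
        END { if (any) print "all"; else if (lb) print "loopback"; else print "none" }'
}

# fw_allows PORT RULES -> prints yes | no
# RULES is `iptables -S INPUT` output; looks for an ACCEPT rule with --dport PORT.
fw_allows() {
    port="$1"; rules="$2"
    if printf '%s\n' "$rules" | grep -E -- "^-A INPUT .*--dport ${port}( .*)? -j ACCEPT" >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# diagnose PORT: run the real commands (needs root for iptables and process names).
diagnose() {
    port="$1"
    listeners="$(ss -tulnp 2>/dev/null || netstat -tulnp 2>/dev/null)"
    rules="$(iptables -S INPUT 2>/dev/null)"
    echo "port $port listening: $(listen_state "$port" "$listeners")"
    echo "port $port has INPUT ACCEPT rule: $(fw_allows "$port" "$rules")"
}

# Constructed sample output, used only when run without --live.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:8338      0.0.0.0:*     users:(("python3",pid=1,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8338 -j DROP'

if [ "${1:-}" = "--live" ]; then
    diagnose "${2:-8338}"          # e.g. sudo sh diagnose.sh --live 8338
fi
```

Reading the two answers together is the useful part: "none" means the container never started or is bound to a bridge network you cannot see from the host, "loopback" means only http://localhost will ever work regardless of the firewall, and "all" plus a missing ACCEPT rule is the case the SecurityOnion port group is meant to fix.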
This is the file I edited: /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml.

Reading more into this, I think I needed to add the ports to the Analyst role, but I could be getting confused, because I also see that it's referencing the file: /opt/so/saltstack/local/pillar/minions/<HOSTNAME>_<ROLE>.sls

------------------

After this whole write-up, I figured it out. I used the documentation from SecurityOnion and this section.

Basically, I added the maltrail port group to the Analyst role for the standalone machine through the standalone.sls file.

---Now to figure out why it's not actually reporting anything.
