Guy Bruneau

Automated Custom Decoder Feeds with SSH Share Key

Discussion created by Guy Bruneau on Oct 24, 2017
Latest reply on Nov 17, 2017 by John Kisner

These scripts allow analysts to add and remove metadata keys carrying threat information that requires additional monitoring. The 3 examples cover IP addresses, hostnames and domain names (wildcard). The scripts are configured with the following keys:

feed_ip.csv format = #cidr,monitor,threat description,Date added (Analyst comment only)
feed_hostname.csv format = #Hostname,monitor,threat description,threat source,Date added (Analyst comment only)
feed_wild_hostname.csv format = #Hostname,monitor,threat description,threat source,Date added (Analyst comment only)

The first step is to copy the scripts to each of the decoders, placing them in:

/root/scripts/feeds
drwxr-xr-x. 2 root root 4096 Sep 20 00:55 IP
drwxr-xr-x. 2 root root 4096 Sep 20 00:56 Hostname
drwxr-xr-x. 2 root root 4096 Sep 21 22:52 Wild_Hostname

Second, on a remote Linux host (or Windows, if it supports SSH), under a directory that all analysts can access (in my case, /home/feeds), create the following CSV files:

feed_ip.csv
feed_hostname.csv
feed_wild_hostname.csv

I'm providing these 3 examples, but you can use these scripts to create other feeds as well (e.g. email addresses) for the tasks you need.

Third, generate an SSH key pair on one of the decoders; its public key will be placed on the remote Linux host so that the cron job can check for updates automatically.

[root@dec1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):      ---> do not enter a passphrase
Enter same passphrase again:                     ---> do not enter a passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bc:4b:30:2f:81:08:a2:c8:82:07:f0:85:d4:39:2e:ee root@dec1

cd /root/.ssh

Now take the contents of id_rsa.pub and copy it to the remote Linux host, into the .ssh directory of the account you are going to use for SCP-ing the updates (e.g. /home/guy/.ssh/); rename it to authorized_keys, then chmod 600 authorized_keys to complete the task.

Next, SSH from one of the decoders to your Linux box to confirm that the shared key works:

ssh -l guy remote_host    (you will be asked whether to store the remote host key; answer yes)

If this is set up correctly, the decoder should now SSH directly into the Linux workstation using the shared key, without asking for a password. Next, modify the 3 feed scripts so they have the correct IP (or hostname) and username for copying the feeds.

- Modify the IP and username, the language key, and the decoder admin username and password in each of the scripts:

scp guy@192.168.25.5:/home/feeds/feed_ip.csv .
<LanguageKey name="monitor" valuetype="text" />    (if you have one, change monitor to your own organization's custom key)
NwConsole -c "login localhost:50004 admin netwitness"    (change this to your decoder admin username/password)

- Make sure the scripts are executable:

chmod 755 feed_ip.sh
chmod 755 feed_hostname.sh
chmod 755 feed_wild_hostname.sh

Test the feed scripts manually to ensure they work correctly:

sh -x feed_ip.sh
sh -x feed_hostname.sh
sh -x feed_wild_hostname.sh

If the test is successful, add a cron job for each script so it checks for updates every 5 minutes:

crontab -e

*/5 * * * * /root/scripts/feeds/IP/feed_ip.sh >/dev/null 2>&1
*/5 * * * * /root/scripts/feeds/Hostname/feed_hostname.sh >/dev/null 2>&1
*/5 * * * * /root/scripts/feeds/Wild_Hostname/feed_wild_hostname.sh >/dev/null 2>&1

Save the changes (in vi: SHIFT ZZ).

The decoder should now check every 5 minutes whether there has been any change to the CSV files.
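As an added example (not code from the original post or its attached scripts), here are two checks a feed script such as feed_ip.sh could run between the scp and the NwConsole load: a validation of the downloaded feed_ip.csv against the #cidr,monitor,... layout described above, and a checksum test so the 5-minute cron job only reloads the feed when an analyst actually changed the file. The function names, the custom-key argument and the sample CSV contents are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script; assumed names: validate_feed_ip, feed_changed, write_sample.
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'

# Check each non-comment, non-blank line of a feed_ip.csv against the page's
# layout "cidr,monitor,threat description,Date added": field 1 must be an IPv4
# address or CIDR, field 2 the language key (default "monitor"; pass your custom
# key as $2). Rejected lines go to stderr; returns 0 if all pass, 1 otherwise.
validate_feed_ip() {
    file="$1"; key="${2:-monitor}"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        cidr=$(printf '%s' "$line" | cut -d, -f1)
        field2=$(printf '%s' "$line" | cut -d, -f2)
        reason=''
        if ! printf '%s' "$cidr" | grep -Eq "$CIDR_RE"; then
            reason='malformed CIDR'
        else
            for o in $(printf '%s' "${cidr%%/*}" | tr . ' '); do
                [ "$o" -le 255 ] || reason='octet out of range'
            done
        fi
        [ "$field2" = "$key" ] || reason="${reason:-unexpected key '$field2'}"
        if [ -n "$reason" ]; then
            printf 'rejected (%s): %s\n' "$reason" "$line" >&2; bad=1
        fi
    done < "$file"
    return $bad
}

# Return 0 (and record the new checksum) when the CSV differs from the copy
# seen on the previous run, 1 when it is unchanged, so the cron job only
# reloads the decoder feed after an analyst edits the file.
feed_changed() {
    file="$1"; state="$file.cksum"
    new=$(cksum "$file" | cut -d' ' -f1,2)
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then return 1; fi
    printf '%s\n' "$new" > "$state"
}

# Constructed sample in the page's feed_ip.csv layout (documentation address
# ranges, not real threat data), written to the path given as $1.
write_sample() {
    cat > "$1" <<'EOF'
#cidr,monitor,threat description,Date added (Analyst comment only)
192.0.2.0/24,monitor,constructed example: scanning source,2017-10-24
198.51.100.7,monitor,constructed example: suspected C2 host,2017-10-24
EOF
}
```

Run the validation right after the scp and abort before the NwConsole login if it returns non-zero, so a typo in the CSV never reaches the decoder.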
