Automated Custom Decoder Feeds with SSH Share Key
These scripts are used to allow the analysts to add and remove metadata keys with threat information that require additional monitoring. The 3 examples are for IP addresses, hostname and domain name (Wildcard). The scripts are configured with the following keys:
feed_ip.csv format = #cidr,monitor,threat description,Date added (Analyst comment only)
feed_hostname.csv format = #Hostname,monitor,threat description,threat source,Date added (Analyst comment only)
feed_wild_hostname.csv format = #Hostname,monitor,threat description,threat source,Date added (Analyst comment only)
First step is to copy the scripts on each of the decoders, place the scripts in:
drwxr-xr-x. 2 root root 4096 Sep 20 00:55 IP
drwxr-xr-x. 2 root root 4096 Sep 20 00:56 Hostname
drwxr-xr-x. 2 root root 4096 Sep 21 22:52 Wild_Hostname
Second, on a remote Linux (or Windows if it support SSH), under a directory that all analysts can access (in my case, /home/feeds) and create the following CSV files:
I'm providing these 3 examples but you can use these scripts and create other feed as well (i.e. email address, etc) for the tasks you need.
Third, create a set of share keys on one of the decoders that you are going to put the public key on the remote Linux for the cronjob to check automatically for updates.
[root@dec1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):---> Do not Enter a passphrase
Enter same passphrase again: ---> Do not Enter a passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
Now you need to take the content of id_rsa.pub to copy it to the remote Linux in the account you are going to be using to SCP the updates (i.e. /home/guy/.ssh/) and rename id_rsa.pub to authorized_keys then chmod 600 authorized_keys to complete the task.
Next step, SSH from one of the Decoder to your Linux box to confirm the share keys works.
ssh -l guy remote_host (you will be asked to store the keys, answer yes)
If this is setup correctly, the Decoder should now SSH directly into the Linux workstation without asking for a password using shared keys. Next is modify the 3 feed scripts to have the correct IP (or hostname) and username to copy the feeds.
- Modify this IP and username, the language key and the decoder admin username and password in each of the scripts:
scp firstname.lastname@example.org:/home/feeds/feed_ip.csv .
<LanguageKey name="monitor" valuetype="text" /> (If you have one, monitor should be change to your own organization custom key)
NwConsole -c "login localhost:50004 admin netwitness" (Change it to your admin decoder username/password)
- Make sure the script are executable:
chmod 755 feed_ip.sh
chmod 755 feed_hostname.sh
chmod 755 feed_wild_hostname.sh
Test the feed scripts manually to ensure they work correctly:
sh -x feed_ip.sh
sh -x feed_hostname.sh
sh -x feed_wild_hostname.sh
If the test is successful, add a cronjob for the script to check for updates every 5 minutes:
*/5 * * * * /root/scripts/feeds/IP/feed_ip.sh >/dev/null 2>&1
*/5 * * * * /root/scripts/feeds/Hostname/feed_hostname.sh >/dev/null 2>&1
*/5 * * * * /root/scripts/feeds/Wild_Hostname/feed_wild_hostname.sh >/dev/null 2>&1
Save the changes (SHIFT ZZ)
The decoder now should check every 5 minutes if there has been any change on the CSV files.
- Community Thread
- feed automation
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
If you are looking to do simple recurring automated feeds please look at the following: https://community.rsa.com/docs/DOC-78021 as this may provide the automation that you need without the complexity of custom scripts.