
Add Debian Install to install.sh #718

Merged (3 commits), Mar 24, 2022

Conversation

but-i-am-dominator (Contributor)

MongoDB does not have a release file for Debian 11 (bullseye). This has been tested with no issues.
The Zeek installation binary comes from the openSUSE Project. This is an established and trusted project.

This has been tested on VMs with fresh installs of Debian 10/11 with no issues noted.

David Quartarolo is an ACM contractor and can be contacted via Slack if there are any questions.

@but-i-am-dominator (Contributor, Author)

@william-stearns When you have time for some feedback, I would appreciate it.

@Zalgo2462 (Contributor)

Can confirm that RITA successfully installs along with Zeek on Debian 10 and Debian 11 using this patch.
I've attached the results of running the installs with set -x, which echoes each line of the script as it executes.
deb10-install.txt
deb11-install.txt

As requested:
* Removed unnecessary dependencies
* Make _Debian_Release variable local

Updated README to include Debian install options

Commits:
* Add Debian install parameters
* Removed unnecessary dependencies
* Make _Debian_Release variable local
* Updated README to include Debian install options
* Moved gpg install

@Zalgo2462 Zalgo2462 left a comment


LGTM. This should be included in the next RITA release.

@Zalgo2462 Zalgo2462 merged commit 54ad939 into activecm:master Mar 24, 2022
@greengeek

I just downloaded Debian 11 server (debian-11.2.0-amd64-netinst.iso) and tried the 4.5.1 release and it failed. It got to this part of the script:

Would you like to continue running the zeek configuration script and generate a new node.cfg file? (y/n) ? y

It then returns this:
...

[!] Automatic Zeek configuration failed.
[!] Please edit /opt/zeek/etc/node.cfg and run
[!] 'sudo zeekctl deploy' to start Zeek.
[!] Pausing for 20 seconds before continuing.
        [!] Adding Zeek IDS to the path in /etc/profile.d/zeek-path.sh
[-] Installing MongoDB... SUCCESS

...

It skipped over the autodetect and said it couldn't find any sniffable interfaces and moved on to the MongoDB part of the install. I am running this in VM Workstation and the interface is ens33.

To verify it wasn't just user error, I downloaded Ubuntu Server 18.04 LTS and ran the 4.5.0 install.sh script and it was able to find the interfaces and gave a bunch more output finding the interface, creating the config file, and enabling and starting the service.

I tried two runs of it on Debian and got both the same output. I didn't try to manually install it to see if I could get past the error.

@greengeek commented Mar 26, 2022

Here is the full screen output:

 _ \ _ _| __ __|  \
   /   |     |   _ \
_|_\ ___|   _| _/  _\  v4.5.1

Brought to you by Active CounterMeasures

[-] In order to run the installer, several basic packages must be installed.
        [-] Updating packages... SUCCESS
        [-] Ensuring curl is installed... SUCCESS
        [-] Ensuring coreutils is installed... SUCCESS
        [-] Ensuring lsb-release is installed... SUCCESS
        [-] Ensuring yum-utils is installed... SUCCESS
        [-] Ensuring gpg is installed... SUCCESS
[-] This installer will:
        [-] Install Zeek IDS to /opt/zeek
        [-] Install MongoDB
        [-] Install RITA to /usr/local/bin/rita
        [-] Create a runtime directory for RITA in /var/lib/rita
        [-] Create a configuration directory for RITA in /etc/rita
[-] Installing Zeek IDS... SUCCESS
Note: It is now time to select capture interface(s). Keep the following in mind when making selections:
      1. The interfaces you most likely want to use for capturing start with "eth" or "en" (e.g. eth0, eno1, enp1s0, enx78e7d1ea46da).
         You will generally NOT want to use loopback, bridged, or virtual interfaces (e.g. lo, br-c446eb08dde, veth582437d).
         If you choose to select interfaces belonging to the latter category, proceed at your own risk.

      2. Ensure that your capture interfaces are up before continuing.

Would you like to continue running the zeek configuration script and generate a new node.cfg file? (y/n) ? y
Continuing, all requirements met
This system has 2 cores.
There are no potentially sniffable interfaces.  This script will not be able to generate a node.cfg file as at least one interface is required, exiting.
[!] Automatic Zeek configuration failed.
[!] Please edit /opt/zeek/etc/node.cfg and run
[!] 'sudo zeekctl deploy' to start Zeek.
[!] Pausing for 20 seconds before continuing.
        [!] Adding Zeek IDS to the path in /etc/profile.d/zeek-path.sh
[-] Installing MongoDB... SUCCESS
[!] Starting MongoDB and enabling on startup.
Created symlink /etc/systemd/system/multi-user.target.wants/mongod.service → /lib/systemd/system/mongod.service.
[!] Starting MongoDB process completed.
[!] You can access the MongoDB shell with 'mongo'.
[!] If you need to stop MongoDB,
[!] run 'sudo systemctl stop mongod'.
[-] Setting Mongo feature compatibility to 4.2... SUCCESS
[-] Installing RITA... SUCCESS
[!] To finish the installation, reload the system profile with
[!] 'source /etc/profile'.

 _ \ _ _| __ __|  \
   /   |     |   _ \
_|_\ ___|   _| _/  _\  v4.5.1

Brought to you by Active CounterMeasures

Thank you for installing RITA! Happy hunting!

@but-i-am-dominator (Contributor, Author)

@greengeek The install script grabs an external script to configure the interfaces which Zeek will use to capture packets.
Script here:

The script grabs the interfaces capable of sniffing based on if they are up and if they are not the loopback interface.
I think your interfaces were not detected for one reason or another.

The easiest way of testing this is with the command:
ip -o link | egrep '(state UP|state UNKNOWN|state DORMANT)' | awk '{print $2}' | sed -e 's/:$//' | egrep -v '(^lo$)'

None of this is unique to the Debian install but, this process is part of the base install script. I retested the install script on a clean build of Debian using the ISO file that you referenced (debian-11.2.0-amd64-netinst.iso) and did not encounter any issues.

I hope this helps but, if you need more assistance or if you find a bug that we can fix: please open up a new issue so that it gets more visibility. (This pull request has already been merged and I don't want any additional comments to be missed.)
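The filter quoted above, wrapped so it can be exercised offline, as an added example that is neither RITA's install.sh nor the helper script it fetches. It reads `ip -o link` output from stdin, so the interface-detection logic can be run against captured output from a host (or the constructed samples below) and the "no potentially sniffable interfaces" failure that @greengeek hit can be reproduced without a VM. grep -E stands in for egrep; the expressions are unchanged.

```shell
#!/bin/sh
# Added example, not code from the RITA project. It reproduces the interface
# filter quoted in the thread and reads `ip -o link` output from stdin.

# Print candidate capture interfaces, one per line: state UP, UNKNOWN or
# DORMANT, and not the loopback. Input: `ip -o link` output on stdin.
sniffable_ifaces() {
    grep -E '(state UP|state UNKNOWN|state DORMANT)' \
        | awk '{print $2}' \
        | sed -e 's/:$//' \
        | grep -E -v '(^lo$)'
}

# Return 1 (with a message on stderr) when nothing passes the filter, which
# is the condition the thread above describes; otherwise print the names.
check_capture_ifaces() {
    # The trailing grep -v exits 1 when it prints nothing. That is the
    # "no interfaces" case, not an error, so do not let it abort under set -e.
    found=$(sniffable_ifaces || :)
    if [ -z "$found" ]; then
        echo "no potentially sniffable interfaces: bring a NIC up, or edit node.cfg by hand" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Constructed samples in `ip -o link` format (not output from a real host).
# ip -o joins the continuation line with a backslash, as reproduced here.
SAMPLE_UP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: br-c446eb08dde: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
4: ens34: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:dd:ee:ff brd ff:ff:ff:ff:ff:ff'

SAMPLE_NONE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff'

# Demo: the first call prints ens33 and br-c446eb08dde (the bridge passes the
# filter even though the installer text warns against using one); the second
# reports the failure and returns 1.
printf '%s\n' "$SAMPLE_UP"   | check_capture_ifaces
printf '%s\n' "$SAMPLE_NONE" | check_capture_ifaces || true
```

On a live host, `ip -o link | check_capture_ifaces` gives the same answer the helper script would reach. Two things worth checking before trusting the result for node.cfg: a NIC that is administratively down (state DOWN, as ens34 in the sample) is invisible to the filter, which is the likely cause of the report above, and the filter keeps everything else that is up, including bridges and veth pairs, so review the list rather than feeding it straight into the capture configuration.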
