    Posts
    • RE: AV - should companies keep buying it?

      @RojoLoco said in AV - should companies keep buying it?:

      @scottalanmiller said in AV - should companies keep buying it?:

      @RojoLoco said in AV - should companies keep buying it?:

      @Dashrender said in AV - should companies keep buying it?:

      @RojoLoco said in AV - should companies keep buying it?:

      @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

      What? How can they install something? They don't have admin rights, right?

      See bold text. And yes, I know. Beyond my control.

      If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.

      That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.

      Even IT people should not be local admins. It's partly about doing something dumb, but things can happen accidentally, too.

      posted in IT Discussion
    • RE: Time for me to move on from Webroot

      @scottalanmiller hit the nail on the head. DARE basically did 3 things that were really bad.

      1. I had never even heard of marijuana, heroin, or crack in 5th grade, but I was introduced to all that in the DARE program
      2. They blatantly lied about things you have already been exposed to such as alcohol and beer. My father, mother, and their friends regularly drank beer and occasionally liquor so I knew that it was a flat out lie that one beer could kill you.
      3. It made not doing drugs look really dorky.
      posted in Water Closet
    • Wazuh Manager Install - Ubuntu

      Pull down latest repository updates


      sudo apt update
      

      Install curl, apt-transport-https, and lsb-release


      sudo apt install curl
      sudo apt install apt-transport-https
      sudo apt install lsb-release
      

      Create symbolic link to python


      if [ ! -f /usr/bin/python ]; then ln -s /usr/bin/python3 /usr/bin/python; fi
      
      

      Install GPG Key


      curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
      

      Add repository


       echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
      

      Pull down latest package information


      apt update
      

      Install wazuh


      apt install wazuh-manager
      

      Confirm Wazuh is running


       systemctl status wazuh-manager
      

      Install Wazuh API



      Add Node JS repository


      curl -sL https://deb.nodesource.com/setup_8.x | bash -
      

      Install Node JS


      sudo apt install nodejs
      

      Install Wazuh API


      sudo apt install wazuh-api
      

      Check status


       sudo systemctl status wazuh-api
      

      Disable Wazuh automatic updates


      sudo sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
      sudo apt update
      

      Install GPG keys and add repository


      curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
      echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
      

      APT Update


      sudo apt update
      

      Install Filebeat


      sudo apt install filebeat=6.7.1
      

      Download Filebeat config file to forward logs


      sudo curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/filebeat/filebeat.yml
      
      

      Edit Filebeat config file to point to Elastic Server IP (In this lab environment I am using 127.0.0.1)


      sed -i 's/YOUR_ELASTIC_SERVER_IP/127.0.0.1/' /etc/filebeat/filebeat.yml
      

      Start Filebeat service and configure it to automatically start at boot


      sudo systemctl daemon-reload
      sudo systemctl enable filebeat.service
      sudo systemctl start filebeat.service
      

      Disable Elasticsearch repository updates


      sudo sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
      sudo apt update
      
      
      posted in IT Discussion wazuh ubuntu linux wazuh-manager
    • RE: Preparing for the storm

      @RojoLoco said in Preparing for the storm:

      Head for high ground and watch out for the storm surge. Stay safe.

      No such thing as high ground here. If you can get 15 feet above sea level, you found a mountain.

      It is a hard decision whether you should evacuate or not. People always think those that don't evacuate are idiots but there are two advantages to staying during a storm.

      1. you could do repairs during the storm
      2. You have a better chance in saving your valuables from flooding
      3. When a mandatory evacuation is in place, all the looters come out because even the police are gone.
      posted in Water Closet
    • Wazuh - Configuring Groups for Centralized Management

      Since my lab servers are planets, I will create three different groups based on planet features.

      red_planets - Mercury and Mars
      
      captured_planets (myth) - Venus
      
      gas_giants - Jupiter
      
      

      Create the Groups

      /var/ossec/bin/agent_groups -a -g red_planets -q
      
      /var/ossec/bin/agent_groups -a -g gas_giants -q
      
      /var/ossec/bin/agent_groups -a -g captured_planets -q
      

      Now list your agents from the wazuh-manager

      /var/ossec/bin/agent_groups
      

      Note the Agent IDs

      Available agents: 
         ID: 001, Name: mercury, IP: 192.168.122.86
         ID: 002, Name: venus, IP: 192.168.122.8
         ID: 003, Name: mars, IP: 192.168.122.203
         ID: 004, Name: jupiter, IP: 192.168.122.252
      

      Add Agents to the appropriate groups

      /var/ossec/bin/agent_groups -a -i 001 -g red_planets -q
      /var/ossec/bin/agent_groups -a -i 003 -g red_planets -q
      /var/ossec/bin/agent_groups -a -i 002 -g captured_planets -q
      /var/ossec/bin/agent_groups -a -i 004 -g gas_giants -q
      

      We can now edit a centralized configuration file based on groups from our Wazuh server

      /var/ossec/etc/shared/red_planets/agent.conf
      /var/ossec/etc/shared/captured_planets/agent.conf
      /var/ossec/etc/shared/gas_giants/agent.conf
      

      Whenever you make changes to these config files you can quickly verify if the configuration is valid by running

      /var/ossec/bin/verify-agent-conf
      
      

      Example output of /var/ossec/bin/verify-agent-conf

      verify-agent-conf: Verifying [/var/ossec/etc/shared/gas_giants/agent.conf]
      verify-agent-conf: OK
      
      verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
      verify-agent-conf: OK
      
      verify-agent-conf: Verifying [/var/ossec/etc/shared/captured_planets/agent.conf]
      verify-agent-conf: OK
      
      verify-agent-conf: Verifying [/var/ossec/etc/shared/red_planets/agent.conf]
      verify-agent-conf: OK
      
      
      posted in IT Discussion wazuh
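As an added example (not part of the post), the script below parses the `agent_groups` listing shown above and generates the group-creation and assignment commands from a name-to-group map, flagging any agent that would stay in the default group. The listing, the map and the extra agent `pluto` are constructed.

```python
import re

# Constructed listing in the format agent_groups prints on the manager
# (the post's four agents, plus "pluto", which no group claims).
AGENT_LISTING = """\
Available agents: 
   ID: 001, Name: mercury, IP: 192.168.122.86
   ID: 002, Name: venus, IP: 192.168.122.8
   ID: 003, Name: mars, IP: 192.168.122.203
   ID: 004, Name: jupiter, IP: 192.168.122.252
   ID: 005, Name: pluto, IP: 192.168.122.99
"""

# Group membership from the post; agents left out of this map stay in "default".
GROUP_OF = {
    "mercury": "red_planets",
    "mars": "red_planets",
    "venus": "captured_planets",
    "jupiter": "gas_giants",
}

AGENT_RE = re.compile(r"ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>\S+),\s*IP:\s*(?P<ip>\S+)")
AGENT_GROUPS = "/var/ossec/bin/agent_groups"


def parse_agents(listing):
    """Turn the agent_groups listing into a list of {id, name, ip} dicts."""
    return [m.groupdict() for m in AGENT_RE.finditer(listing)]


def group_create_commands(group_of):
    """One 'agent_groups -a -g' command per distinct group, in first-seen order."""
    groups = list(dict.fromkeys(group_of.values()))
    return [f"{AGENT_GROUPS} -a -g {g} -q" for g in groups]


def plan_assignments(agents, group_of):
    """Return (commands, unassigned): one 'agent_groups -a -i' command per mapped
    agent, plus the names of agents that would keep the default agent.conf."""
    commands, unassigned = [], []
    for agent in agents:
        group = group_of.get(agent["name"])
        if group is None:
            unassigned.append(agent["name"])
            continue
        commands.append(f"{AGENT_GROUPS} -a -i {agent['id']} -g {group} -q")
    return commands, unassigned


if __name__ == "__main__":
    agents = parse_agents(AGENT_LISTING)
    print("\n".join(group_create_commands(GROUP_OF)))
    commands, unassigned = plan_assignments(agents, GROUP_OF)
    print("\n".join(commands))
    for name in unassigned:
        print(f"# {name} is not mapped and will keep the default agent.conf")
```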
    • RE: Preparing for the storm

      Matthew is expected to make landfall right where my house is as a category 4. I spent 10 hours till 2am last night boarding up. We evacuated in the middle of the night last night to my parents', which is about an hour inland.

      posted in Water Closet
    • Wazuh - Configuring Custom Rules Based on Hostname

      We want to edit /var/ossec/etc/rules/local_rules.xml

      sudo nano /var/ossec/etc/rules/local_rules.xml
      

      Our file should look like this:

      <!-- Local rules -->

      <!-- Modify it at your will. -->
      <!-- Copyright (C) 2015-2019, Wazuh Inc. -->

      <!-- Example -->
      <group name="local,syslog,sshd,">

        <!--
        Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1
        -->
        <rule id="100001" level="5">
          <if_sid>5716</if_sid>
          <srcip>1.1.1.1</srcip>
          <description>sshd: authentication failed from IP 1.1.1.1.</description>
          <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
        </rule>

      </group>
      

      Let’s take a look at the current rule 5402 for privilege escalation so we can create the child rule

      ** Alert 1555331931.323394: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
      2019 Apr 15 12:38:51 (jupiter) 192.168.122.252->/var/log/auth.log
      Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
      User: root
      Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
      tty: pts/1
      pwd: /home/joel
      command: /usr/bin/docker run -it ubuntu
      

      This is the information we want, but the severity level is only 3. That is fine on most servers, but privilege escalation is more severe on docker containers so we actually want to make it a 12 without affecting other servers.

      Add the Child Rule

      sudo nano /var/ossec/etc/rules/local_rules.xml
      

      Add this to the bottom of the file. Replace jupiter|saturn
      with the hostnames of your docker hosts.

      
      <group name="local,syslog,sshd,">

        <rule id="100023" level="12">
          <if_sid>5402</if_sid>
          <hostname>jupiter|saturn</hostname>
          <description>Privelege Escalation on Docker Host!!!</description>
        </rule>

      </group>
      

      Save and exit nano.

      Verify Rule is processing properly

      Go to your docker host and run a command using sudo. This should generate our typical 5402 alert.

      Now pull the alert from the .json file

      cat /var/ossec/logs/alerts/alerts.json | grep "\"5402\"" | head -n1 | python -m json.tool | grep full_log | cut -d "\"" -f4
      

      You should get output similar to this:

      Apr 15 12:38:51 jupiter sudo: joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu
      

      Now copy that output and paste it into the log test tool:

      /var/ossec/bin/ossec-logtest
      

      If executed properly, you should get this:

      **Phase 1: Completed pre-decoding.
             full event: 'Apr 15 12:38:51 jupiter sudo:     joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
             timestamp: 'Apr 15 12:38:51'
             hostname: 'jupiter'
             program_name: 'sudo'
             log: '    joel : TTY=pts/1 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/docker run -it ubuntu'
       
      **Phase 2: Completed decoding.
             decoder: 'sudo'
             srcuser: 'joel'
             tty: 'pts/1'
             pwd: '/home/joel'
             dstuser: 'root'
             command: '/usr/bin/docker run -it ubuntu'
       
      **Phase 3: Completed filtering (rules).
             Rule id: '100023'
             Level: '12'
             Description: 'Privelege Escalation on Docker Host!!!'
      **Alert to be generated.
      

      Restart Wazuh Manager

      sudo systemctl restart wazuh-manager
      

      Test generating the alert using any sudo command
      Enjoy your new alert 🙂

      ** Alert 1555351056.962538: mail  - local,syslog,sshd,
      2019 Apr 15 17:57:36 (jupiter) 192.168.122.252->/var/log/auth.log
      Rule: 100023 (level 12) -> 'Privelege Escalation on Docker Host!!!'
      User: root
      Apr 15 17:57:35 jupiter sudo:     joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text
      tty: pts/0
      pwd: /home
      command: /bin/nano text
      


      Testing on server not listed on the rule

      I SSH into my lab server mercury and run a sudo command from there. Since it is not jupiter or saturn, as we set it in our rule, it did not trigger our custom Wazuh rule.

      ** Alert 1555354943.969236: - syslog,sudo,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,
      2019 Apr 15 19:02:23 (mercury) 192.168.122.86->/var/log/auth.log
      Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
      User: root
      Apr 15 15:02:21 mercury sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances
      tty: pts/0
      pwd: /home/joel
      command: /usr/bin/apt install glances
      
      posted in IT Discussion wazuh siem
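An added example, not from the post, that models the three ossec-logtest phases and the parent/child rule pair in Python over the two alert lines quoted above plus two constructed lines (a host named `jupiter-test`, and a sudo to a non-root user). The `<hostname>` match is modelled as an unanchored search, which also shows why an anchored pattern avoids matching a host that merely contains `jupiter`; the anchored form is a constructed alternative to check with ossec-logtest.

```python
import re

# Phase 1 (pre-decoding): the syslog header fields ossec-logtest prints.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:\[]+)(?:\[\d+\])?:(?P<log>.*)$"
)
# Phase 2 (decoding): the fields the sudo decoder extracts from the message.
SUDO_RE = re.compile(
    r"^\s*(?P<srcuser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)
# Phase 3 (rules): parent rule 5402 and the child rule 100023 from the post.
PARENT_RULE = {"id": "5402", "level": 3,
               "description": "Successful sudo to ROOT executed"}
CHILD_RULE = {"id": "100023", "level": 12,
              "description": "Privelege Escalation on Docker Host!!!"}


def evaluate(line, hostname_pattern=r"jupiter|saturn"):
    """Return the rule that fires for one auth.log line, or None if 5402 does not apply."""
    head = SYSLOG_RE.match(line)
    if not head or head["program_name"] != "sudo":
        return None
    body = SUDO_RE.match(head["log"])
    if not body or body["dstuser"] != "root":
        return None  # not a sudo-to-root event, so neither rule matches
    fired = PARENT_RULE
    # Modelled as an unanchored search: a pattern without ^/$ also matches hostnames
    # that merely contain "jupiter", so anchoring each alternative is the safer form.
    if re.search(hostname_pattern, head["hostname"]):
        fired = CHILD_RULE
    return {"rule_id": fired["id"], "level": fired["level"],
            "description": fired["description"], "hostname": head["hostname"],
            "srcuser": body["srcuser"], "command": body["command"]}


# Two lines taken from the post's alerts plus two constructed variants.
SAMPLE_LINES = [
    "Apr 15 17:57:35 jupiter sudo:     joel : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/nano text",
    "Apr 15 15:02:21 mercury sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/usr/bin/apt install glances",
    "Apr 15 18:00:00 jupiter-test sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=root ; COMMAND=/bin/ls",
    "Apr 15 18:01:00 jupiter sudo:     joel : TTY=pts/0 ; PWD=/home/joel ; USER=postgres ; COMMAND=/usr/bin/psql",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line))
    # Anchored pattern: jupiter-test no longer escalates to level 12.
    print(evaluate(SAMPLE_LINES[2], r"^jupiter$|^saturn$"))
```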
    • RE: Well, that was quick...

      My boss knew I was leaving for a while and asked me not to announce it until he made the announcement several weeks later.

      The I'm Back thread was about the hurricane not work related.

      posted in Water Closet
    • Testing Suricata with Wazuh in a VM test environment - Installation

      For those interested in testing Suricata with Wazuh and ELK, you need to make sure you have the proper interface configured in the suricata.yaml config file. In my VM environment, I could not get Suricata to work because my interface was ens3 instead of eth0 or eth1, which is the only reason I am pulling down a custom config file in my installation.


      Install Suricata


      cd /root
      # epel-release and the COPR .repo file are Fedora/CentOS artifacts; on an
      # apt-based system suricata comes from the distribution repositories.
      apt -y install wget jq
      apt -y install suricata
      

      Setup custom emerging threat rules


      wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
      tar zxvf emerging.rules.tar.gz
      rm /etc/suricata/rules/* -f
      mv rules/*.rules /etc/suricata/rules/
      

      Download and copy the custom suricata.yaml config file. (Note: you will need to search and replace eth0 and eth1 if you are using a different ethernet interface. I had to change all those entries to ens3.)


      wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
      
      

      Start suricata and configure it to start at boot


      systemctl daemon-reload
      systemctl enable suricata
      systemctl start suricata
      

      Add the Suricata config to the Wazuh agent file. You can do this from the server or on all clients. In my automation script, I just have the clients pull down a new ossec file.


      nano /var/ossec/etc/ossec.conf
      

      Add the lines below to ossec.conf just above the last line


        <localfile>
          <log_format>json</log_format>
          <location>/var/log/suricata/eve.json</location>
        </localfile>
      
      

      The bottom of ossec.conf should now look like this


        <localfile>
          <log_format>syslog</log_format>
          <location>/var/log/kern.log</location>
        </localfile>

        <localfile>
          <log_format>json</log_format>
          <location>/var/log/suricata/eve.json</location>
        </localfile>

      </ossec_config>
      
      
      

      Restart agent and suricata


      systemctl restart suricata
      systemctl restart wazuh-agent
      

      Trip suricata and check your alert


      curl http://testmyids.com
      
      posted in IT Discussion suricata wazuh wazuh-manager nids hids elk
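An added Python helper (not part of the post) for the ossec.conf edit described above, written so it can run repeatedly from an automation script: it inserts the `<localfile>` block just above the last `</ossec_config>` only if eve.json is not already monitored, then checks the result is still well-formed. `SAMPLE_CONF` is constructed, and the file is assumed to carry no XML declaration.

```python
import re
import xml.etree.ElementTree as ET


def localfile_block(log_format, location):
    """The <localfile> block the post adds, indented like the rest of ossec.conf."""
    return (
        "  <localfile>\n"
        f"    <log_format>{log_format}</log_format>\n"
        f"    <location>{location}</location>\n"
        "  </localfile>\n"
    )


def validate(conf_text):
    """ossec.conf may hold several top-level <ossec_config> blocks and no XML
    declaration, so wrap the text in one root before checking it is well-formed."""
    ET.fromstring("<root>" + conf_text + "</root>")


def count_localfiles(conf_text):
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return len(root.findall(".//localfile"))


def ensure_localfile(conf_text, log_format="json",
                     location="/var/log/suricata/eve.json"):
    """Return (new_text, changed). Skips the insert when the location is already
    monitored; otherwise inserts just above the last </ossec_config> as in the post."""
    pattern = r"<location>\s*" + re.escape(location) + r"\s*</location>"
    if re.search(pattern, conf_text):
        return conf_text, False
    idx = conf_text.rfind("</ossec_config>")
    if idx < 0:
        raise ValueError("no </ossec_config> closing tag in ossec.conf")
    new_text = conf_text[:idx] + localfile_block(log_format, location) + conf_text[idx:]
    validate(new_text)  # raises ParseError if the edit broke the XML
    return new_text, True


# Constructed tail of an agent ossec.conf, matching the "before" state in the post.
SAMPLE_CONF = """\
<!-- Constructed sample, not a real agent configuration -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>
"""

if __name__ == "__main__":
    text, changed = ensure_localfile(SAMPLE_CONF)
    print(changed, count_localfiles(text))
    text, changed = ensure_localfile(text)  # second run is a no-op
    print(changed, count_localfiles(text))
    print(text)
```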
    • RE: How do you choose a web designer/marketing agency.

      @Breffni-Potter said in How do you choose a web designer/marketing agency.:

      Bit of an open ended question.

      Your thoughts would be appreciated.

      I have never successfully hired one. They have all turned out to be fluff or straight up crooks. That is why I took the last year or so to really learn WordPress, CSS, PHP, and social media marketing.

      posted in Water Closet
    • RE: Skyetel auto enables billable services without notice

      Can we please just nuke this whole thread? All the feedback was already taken into consideration. It's really not becoming a good look for anyone.

      posted in IT Discussion
    • RE: I grabbed an Android TV box...

      @breffni-potter said in I grabbed an Android TV box...:

      Post back here after 2 months of usage.

      Not quite two months of usage (about 6 weeks), but I wanted to report back before I forgot about this thread. The android TV has become our main media box on our tv. I bought another one to replace my firestick on our tv in our bedroom.

      It is still running much faster than my firestick ever did, and all classic roms (Nes, SNES, gameboy, N64) run very smooth without issues. We are also playing through several android games such as Xcom, KOTR, and more, all of which run flawlessly. We are able to download Netflix and Amazon Prime videos offline to take with us when traveling to my parents' house for the kids, which is not possible with Firestick.

      posted in Water Closet
    • RE: Suggestions to build a High-End Gaming PC

      @brianwinkelmann said in Suggestions to build a High-End Gaming PC:

      I know that I can also google it, but I want to consider your valuable experience as IT community

      I think you will get better feedback if you come up with initial build plan on your own and present it here for discussion. I would do some research and post an idea of some specifications that you think would work for your application. You haven't really given us much information other than gaming pc.

      posted in IT Discussion
    • RE: What's the worst technology ever invented?

      @romo said in What's the worst technology ever invented?:

      @irj said in What's the worst technology ever invented?:

      Small office printers!!!!

      Can't upvote your comment enough, really hate having to deal with them.

      An old comic, but definitely a good one

      http://theoatmeal.com/comics/printers

      posted in Water Closet
    • Enable Nginx Compression and compress js and images :)

      Enable Nginx Compression

      sudo nano /etc/nginx/nginx.conf
      

      Uncomment the following lines. If you have extra CPU on your host, you can turn the compression level up to level 9. I am running level 8 on my server.


      Install yui-compressor

      sudo apt install yui-compressor
      

      Create Script to run using jar file.

      sudo nano /var/www/html/compress_js.sh
      

      Paste the following contents in the file. This will search for JavaScript files in your /var/www/html directory, then run yui-compressor --type js -o against each of your JavaScript files.

      #!/bin/sh
      # Minify every .js file under the web root in place (the original file is overwritten).
      cd /var/www/html || exit 1
      find . -name "*.js" -type f | while IFS= read -r file
      do
          echo "Compressing $file ..."
          yui-compressor --type js -o "$file" "$file"
      done
      

      Now run the script

      sudo sh /var/www/html/compress_js.sh
      

      You should see the following output:


      Install JPEG Optim

      sudo apt install jpegoptim
      

      Create JPEG Optim Script file

      sudo nano /var/www/html/compress_jpg.sh
      

      Put the following contents in the file. This script is pretty much the same as our other script. We are searching for all jpg files, then running compression on them.

      #!/bin/sh
      # Optimise every .jpg file under the web root in place; jpegoptim skips files that would grow.
      cd /var/www/html || exit 1
      find . -name "*.jpg" -type f | while IFS= read -r file
      do
          echo "Compressing $file ..."
          jpegoptim "$file"
      done
      

      Now run the script

      sudo sh /var/www/html/compress_jpg.sh
      

      It should look like this. Also, note that jpegoptim will skip any files that would be made larger by "compression." You can see this when the result is notated by a negative percentage. The files are skipped in that case.


      posted in IT Discussion wordpress wordpress optimization server side compression nginx
    • RE: Crypto Predictions

      @r3dpand4 said in Crypto Predictions:

      you should only invest what you're willing to lose 100%

      That is the key right there!

      posted in Water Closet
    • RE: Mouse pointer periodically freeze in place

      Perhaps a guest mouse would solve the issue 😂😂😂

      posted in IT Discussion
    • RE: When people ask you what you do...

      Can you just look at my computer/tablet/router real quick....?

      posted in Water Closet
    • Create network share for Java?

      Has anyone ever used Java on a network share? An application that I would like to use requires Java, but hosts can use Java on a mounted Java partition. How would I go about doing this?

      posted in IT Discussion
    • RE: Anybody use Teleseed Bot for Telegram?

      @rojoloco said in Anybody use Teleseed Bot for Telegram?:

      @jaredbusch said in Anybody use Teleseed Bot for Telegram?:

      @wrx7m said in Anybody use Teleseed Bot for Telegram?:

      This whole time I just thought it was an encrypted IM system. Didn't realize it had a chatroom. Hmm.

      That's because the government wants you to think it is a thing only used by terrorists.

      Encrypted, eh? Clearly the ML chatroom is just a front for who knows what kinds of nefarious activities...

      They probably even own bitcoin just like terrorists .... I disapprove and only trust governments to keep me safe

      posted in Water Closet