diff --git a/automation/README.md b/automation/README.md new file mode 100644 index 0000000..7c8e950 --- /dev/null +++ b/automation/README.md 
@@ -0,0 +1,88 @@ +####DISCLAIMER + + ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT + THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO + – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM + SUCH ACTIVITIES. SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL + NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE + USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM + THIS UNSUPPORTED SOFTWARE. + +##Description + +```bash + Automation to support the quick correlation, tagging, and visualization of AIS data. + _____ .___ _________ + / _ \ | |/ _____/ + / /_\ \| |\_____ \ +/ | \ |/ \ Author: Cory Kennedy (@corykennedy) +\____|__ /___/___v1.0_ / + \/ AUTOMISPER \/ + + + Automation can also be used as standalone scripts + + Scripts are simply a working POC and written to only support TAXII 1.1 +``` + +##Dependancies +```bash + + Active AIS Participation | https://www.us-cert.gov/ais + + Working Flare instance | https://github.com/bcmc/oss + + Working MISP instance | https://github.com/MISP/MISP + + Working CTI-Toolkit | https://github.com/certau/cti-toolkit.git (MISP server) +``` + +##Installation Summary +```bash + + Install scripts & crontabs onto your MISP and Flare servers + + Need help with crontabs? 
Try: https://crontab.guru/ + + The below will execute the scripts at 2:30am daily and log all output +``` + +##FLARE Installation + +Step 1: GIT the automation branch + + git clone -b Automation --single-branch https://github.com/NoDataFound/oss.git oss-automation + +Step 2: Move scripts from oss-automation/scripts/flare to your flare server + Example: +```bash + mv oss-automation/scripts/flare/* /opt/Flare/scripts/ +``` + +Step 3: Install crontabs + + export VISUAL=nano; crontab -e + +Example - GNU nano 2.3.1 File: /tmp/crontab.aisautomation + + 30 2 * * * /opt/Flare/scripts/CISCP.sh &>/opt/Flare/scripts/logs/CISCP_`date +\%y-\%m-\%d`.out + 32 2 * * * /opt/Flare/scripts/AIS.sh &>/opt/Flare/scripts/logs/AIS_`date +\%y-\%m-\%d`.out + +Save with ctrl + x + +###### Flare server is complete. Proceed to MISP + +##MISP Installation + +Step 1: GIT the automation branch + + git clone -b Automation --single-branch https://github.com/NoDataFound/oss.git oss-automation + +Step 2: Move scripts from oss-automation/scripts/misp to your MISP server + Example: + + mv oss-automation/scripts/misp/* /home/misp/scripts/ + +Step 3: Install crontabs + + export VISUAL=nano; crontab -e + +Example - GNU nano 2.3.1 File: /tmp/crontab.mispautomation + + 30 2 * * * /home/misp/scripts/MISP.sh + +Save with ctrl + x + +###### MISP server is complete! YOU ARE DONE! + diff --git a/automation/flare/AIS.sh b/automation/flare/AIS.sh new file mode 100644 index 0000000..011be0d --- /dev/null +++ b/automation/flare/AIS.sh 
@@ -0,0 +1,41 @@ +#!/bin/bash +# ------------------------------DISCLAIMER-------------------------------------# +# ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT # +# THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO # +# – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM # +# SUCH ACTIVITIES. SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL # +# NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE # +# USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM # +# THIS UNSUPPORTED SOFTWARE. # +# ------------------------------DISCLAIMER-------------------------------------# +# Simple shell script to pull the AIS feed from AIS Data +# There are much better ways to do this. This is only a quick working POC +# Author: Cory Kennedy (@corykennedy) +# _____ .___ _________ +# / _ \ | |/ _____/ +# / /_\ \| |\_____ \ +# / | \ |/ \ +# \____|__ /___/___v1.0_ / +# \/ \/ +# AIS Automation +# Usage: ./AIS.sh +# ----------------------------------------------------------------------------- +#Move into our working directory +cd /opt/Flare/ +#Poll AIS server for AIS feed using TAXII 1.1 and format date parameters +./poll.sh 1.1 AIS -b $(date -d '1 days ago' --utc "+%FT%T.%N" | sed -r 's/[[:digit:]]{6}$/Z/') -e $(date -d --utc "+%FT%T.%N" | sed -r 's/[[:digit:]]{6}$/Z/') +#Move into our working feed directory +cd /opt/Flare/subscribeFeeds/AIS/ +#Prepare all files for transport +tar -zcvf /opt/Flare/TRANSFER/AIS_`date +%y-%m-%d`.tgz . +#Cleanup files after completion +rm -rf /opt/Flare/subscribeFeeds/AIS/* +# ------------------------------DISCLAIMER-------------------------------------# +# ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT # +# THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO # +# – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM # +# SUCH ACTIVITIES. 
SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL # +# NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE # +# USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM # +# THIS UNSUPPORTED SOFTWARE. # +# ------------------------------DISCLAIMER-------------------------------------# diff --git a/automation/flare/CISCP.sh b/automation/flare/CISCP.sh new file mode 100644 index 0000000..f68f87f --- /dev/null +++ b/automation/flare/CISCP.sh 
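Review bot: Neither `cd` is checked and the final `rm -rf /opt/Flare/subscribeFeeds/AIS/*` runs regardless of whether `./poll.sh` or the preceding `tar` succeeded, so a failed poll or a full /opt/Flare/TRANSFER silently discards the day's pulled feed. Add `set -euo pipefail` after the shebang and write the directory changes as `cd /opt/Flare/ || exit 1` so the script stops before the cleanup; under cron the non-zero exit then shows up in the logged output instead of being masked. Separately, `-e $(date -d --utc "+%FT%T.%N" | ...)` hands the literal string `--utc` to `-d` rather than enabling UTC, which on GNU date appears to produce an invalid-date error and an empty `-e` value; `date --utc "+%FT%T.%N"` is presumably what was intended, mirroring the `-b` expression where `-d '1 days ago'` has already consumed its argument. The archive name `AIS_$(date +%y-%m-%d).tgz` is also overwritten if the script runs twice in one day, which may be acceptable for a nightly job but is worth a comment.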
@@ -0,0 +1,41 @@ +#!/bin/bash +# ------------------------------DISCLAIMER-------------------------------------# +# ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT # +# THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO # +# – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM # +# SUCH ACTIVITIES. SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL # +# NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE # +# USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM # +# THIS UNSUPPORTED SOFTWARE. # +# ------------------------------DISCLAIMER-------------------------------------# +# Simple shell script to pull the CISCP feed from AIS Data +# There are much better ways to do this. This is only a quick working POC. +# Author: Cory Kennedy (@corykennedy) +# _________ .___ ____________________________ +# \_ ___ \| |/ _____/\_ ___ \______ \ +# / \ \/| |\_____ \ / \ \/| ___/ +# \ \___| |/ \\ \___| | +# \______ /___/_______ / \______ /v1.1| +# \/ \/ \/ +# AIS Automation +# Usage: ./CISCP.sh +# ----------------------------------------------------------------------------- +#Move into our working directory +cd /opt/Flare/ +#Poll AIS server for AIS feed using TAXII 1.1 and format date parameters +./poll.sh 1.1 CISCP -b $(date -d '1 days ago' --utc "+%FT%T.%N"| sed -r 's/[[:digit:]]{6}$/Z/') -e $(date -d --utc "+%FT%T.%N" | sed -r 's/[[:digit:]]{6}$/Z/') +#Move into our working feed directory +cd /opt/Flare/subscribeFeeds/CISCP/ +#Prepare all files for transport +tar -zcvf /opt/Flare/TRANSFER/CISCP_`date +%y-%m-%d`.tgz . 
+#Cleanup files after completion +rm -rf /opt/Flare/subscribeFeeds/CISCP/* +# ------------------------------DISCLAIMER-------------------------------------# +# ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT # +# THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO # +# – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM # +# SUCH ACTIVITIES. SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL # +# NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE # +# USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM # +# THIS UNSUPPORTED SOFTWARE. # +# ------------------------------DISCLAIMER-------------------------------------# diff --git a/automation/misp/MISP.sh b/automation/misp/MISP.sh new file mode 100644 index 0000000..05b9ff7 --- /dev/null +++ b/automation/misp/MISP.sh 
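Review bot: The end-of-window expression `-e $(date -d --utc "+%FT%T.%N" | ...)` passes the string `--utc` as the argument to `-d` instead of as the UTC flag; on GNU date that looks like an invalid-date error, which would leave `-e` with no value and the `./poll.sh` invocation malformed, whereas `date --utc "+%FT%T.%N"` matches what the `-b` expression does once `-d '1 days ago'` has taken its argument. Apart from the collection name and the ASCII banner this script is the same as AIS.sh, so a single script taking the collection as `$1` (`./poll.sh 1.1 "$1" ...`, `cd "/opt/Flare/subscribeFeeds/$1/" || exit 1`) would keep the two from drifting. Either way the unconditional `rm -rf /opt/Flare/subscribeFeeds/CISCP/*` should sit behind `set -euo pipefail` so a failed poll or tar does not wipe the feed directory before anything was archived.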
@@ -0,0 +1,41 @@ +#!/bin/bash +# ------------------------------DISCLAIMER-------------------------------------# +# ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT # +# THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO # +# – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM # +# SUCH ACTIVITIES. SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL # +# NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE # +# USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM # +# THIS UNSUPPORTED SOFTWARE. # +# ------------------------------DISCLAIMER-------------------------------------# +# Simple script to automate AIS data into MISP +# Author: Cory Kennedy (@corykennedy) +# ----------------------------------------------------------------------------- +# _____ .___ _________ _____ .___ ___________________ +# / _ \ | |/ _____/ .__ / \ | |/ _____/\______ \ +# / /_\ \| |\_____ \ __| |___ / \ / \| |\_____ \ | ___/ +# / | \ |/ \ /__ __/ / Y \ |/ \ | | +# \____|__ /___/TAXII1.1 / |__| \____|__ /___/_______ / |____| +# \/ \/ \/ \/ +# Usage: ./MISP.sh +# ----------------------------------------------------------------------------- +#Transfer files from AIS host, then remove source files. +#Assumes you have ssh-copy-id yourself onto your flare host. 
+rsync -avz --remove-source-files -e ssh user@your.flare.host:/opt/Flare/TRANSFER /home/misp/feeds/ +#Move into our working directory +cd /home/misp/feeds/TRANSFER/ +#Find compressed AIS files and uncompress them +cat *.tgz | tar -zxvf - -i +#Import into MISP +python /home/misp/cti-toolkit/stixtransclient.py --file /home/misp/feeds/TRANSFER/ -r --misp --misp-url https://misp --misp-key [YOURMISPKEY] --misp-threat 2 --misp-distribution 0 --misp-info "AIS" +#Cleanup transfered files after completion +rm -rf /home/misp/feeds/TRANSFER/ +# ------------------------------DISCLAIMER-------------------------------------# +# ANY DOWNLOAD AND USE OF THIS UNSUPPORTED SOFTWARE PROGRAM PRODUCT IS DONE AT # +# THE USERS OWN RISK AND THE USER WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO # +# – WITHOUT LIMITATION – ANY COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM # +# SUCH ACTIVITIES. SHOULD IT PROVE DEFECTIVE, USER ASSUMES THE COST OF ALL # +# NECESSARY SERVICING, REPAIR AND/OR CORRECTION. IT IS THEREFORE UP TO THE # +# USER TO TAKE ADEQUATE PRECAUTION AGAINST POSSIBLE DAMAGES RESULTING FROM # +# THIS UNSUPPORTED SOFTWARE. # +# ------------------------------DISCLAIMER-------------------------------------#
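Review bot: The MISP API key is passed inline on the `stixtransclient.py` command line (`--misp-key [YOURMISPKEY]`), so once filled in it lives in a script checked out from git and is visible to every local user via `ps` for the duration of the import. Keep the key out of the script, e.g. a 0600 file read at runtime with `--misp-key "$(cat /home/misp/.misp_key)"`, and check whether cti-toolkit accepts the key from a config file or the environment so it never appears in argv at all. The cleanup is also unconditional: if `rsync` fails, the `cd` fails, or the import exits non-zero, `rm -rf /home/misp/feeds/TRANSFER/` still runs, and because `--remove-source-files` has already deleted the tarballs on the Flare host the feed data is gone for good; `set -euo pipefail` after the shebang plus `cd /home/misp/feeds/TRANSFER/ || exit 1` stops the script before that step. `cat *.tgz | tar -zxvf - -i` extracts whatever the Flare host shipped, which is presumably a trusted host, but it is worth confirming in the README that the SSH host key is pinned in known_hosts rather than accepted on first connection.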