opensoc / opensoc-ui Goto Github PK

User interface for OpenSOC

License: Apache License 2.0

JavaScript 69.67% Shell 16.52% HTML 13.81%

opensoc-ui's Introduction

OpenSOC

OpenSOC integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. OpenSOC provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat intelligence information to security telemetry within a single platform.

OpenSOC can be divided into 4 areas:

A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. Because security telemetry is constantly being generated, it requires a method for ingesting the data at high speeds and pushing it to various processing units for advanced computation and analytics.
Real time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to telemetry being collected. The immediate application of this information to incoming telemetry provides the context and situational awareness, as well as the who and where information critical for investigation
Efficient information storage based on how the information will be used:

Logs and telemetry are stored such that they can be efficiently mined and analyzed for concise security visibility
The ability to extract and reconstruct full packets helps an analyst answer questions such as who the true attacker was, what data was leaked, and where that data was sent
Long-term storage not only increases visibility over time, but also enables advanced analytics such as machine learning techniques to be used to create models on the information. Incoming data can then be scored against these stored models for advanced anomaly detection.

An interface that gives a security investigator a centralized view of data and alerts passed through the system. OpenSOC’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Furthermore, advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools.

Big data is a natural fit for powerful security analytics. The OpenSOC framework integrates a number of elements from the Hadoop ecosystem to provide a scalable platform for security analytics, incorporating such functionality as full-packet capture, stream processing, batch processing, real-time search, and telemetry aggregation. With OpenSOC, our goal is to tie big data into security analytics and drive towards an extensible centralized platform to effectively enable rapid detection and rapid response for advanced security threats.

Obtaining OpenSOC

This repository is a collection of submodules for convenience which is regularly updated to point to the latest versions. Github provides multiple ways to obtain OpenSOC's code:

git clone --recursive https://github.com/OpenSOC/opensoc
Download ZIP
Clone or download each repository individually

Option 3 is more likely to have the latest code.

opensoc-ui's People

Contributors

Stargazers

Watchers

opensoc-ui's Issues

Proper submodule commands need to be added for setup

The Setup development environment and deployment instructions don't include instructions for initializing and updating the submodules (kibana).

I believe all that needs to be run is -

git submodule update --init --recursive

Or you could instruct users to clone the repo using the command -

git clone --recursive

Users / Auth

We need the central role of a user in the portal. Right now, portal access is anonymous and available to anyone. Need to add an auth page and simple login / logout behavior. Auth keys should be standard email / password combo and Cookie-based sessions persisted in Redis (see connect redis-store).

understand bro data show

I found in ui bro_data query using :

"4": {
    "date_histogram": {
      "field": "timestamp",
      "interval": "10m"
    },
    "global": true,
    "facet_filter": {
      "fquery": {
        "query": {
          "filtered": {
            "query": {
              "query_string": {
                "query": "_type:bro_alert"
              }
            },
            "filter": {
              "bool": {
                "must": [
                  {
                    "range": {
                      "timestamp": {
                        "from": 1430427270047,
                        "to": 1430513670050
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
},

While my bro data to logstash ==> elasticsearch something like:

input {
  file {
    codec => json
    path => "/usr/local/bro/logs/current/*.log"
    type => "bro_log"
  }

  file {
    codec => json
    path => "/opt/bro/logs/current/*.log"
    type => "bro_log"
  }
}

filter {
  # Parse the `time` attribute as a UNIX timestamp (seconds since epoch)
  # and store it in `@timestamp` attribute. This will be used in Kibana later on.
  date {
    match => [ "ts", "UNIX" ]
  }
  translate {
      field => "conn_state"
      destination => "conn_state_full"
      dictionary => [
        "S0", "Attempt",
        "S1", "Established",
        "S2", "Originator close only",
        "S3", "Responder close only",
        "SF", "SYN/FIN completion",
        "REJ", "Rejected",
        "RSTO", "Originator aborted",
        "RSTR", "Responder aborted",
        "RSTOS0", "Originator SYN +  RST",
        "RSTRH", "Responder SYN ACK + RST",
        "SH", "Originator SYN + FIN",
        "SHR", "Responder SYN ACK + FIN",
        "OTH", "Midstream traffic"
      ]
    }
    grok {
        match => { "path" => ".*\/(?<bro_type>[a-zA-Z0-9]+)\.log$" }
    }
}


output {
  elasticsearch {
    embedded => true
  }
}

But there is no data show in opensoc-ui. If I just using kibana , I can see many log data in web.
I want to know which part I can modify to can show something?

"query": "_type:bro_alert" is the bro_alert should be a field in log data, or something we must use different method?

Query Scheduler

Test Failure - Cannot read property 'prototype' of undefined

I am following the "Development" instructions. I am able to launch the Ubuntu image through Vagrant, but the tests fail when I attempt to run them. I see a similar error when I attempt to launch the server.

Test Failure

vagrant@vagrant-ubuntu-trusty-64:/vagrant$ npm test

> [email protected] test /vagrant
> NODE_ENV=TEST ./node_modules/istanbul/lib/cli.js cover ./node_modules/mocha/bin/_mocha -- --check-leaks -R spec

=============================================================================
Writing coverage object [/vagrant/coverage/coverage.json]
Writing coverage reports at [/vagrant/coverage]
=============================================================================

=============================== Coverage summary ===============================
Statements   : 20.62% ( 40/194 )
Branches     : 5.17% ( 3/58 )
Functions    : 4.76% ( 1/21 )
Lines        : 20.62% ( 40/194 )
================================================================================

util.js:555
  ctor.prototype = Object.create(superCtor.prototype, {
                                          ^
TypeError: Cannot read property 'prototype' of undefined
    at Object.exports.inherits (util.js:555:43)
    at Object.<anonymous> (/vagrant/node_modules/http-proxy/lib/http-proxy/index.js:108:17)
    at Module._compile (module.js:456:26)
    at Module._extensions..js (module.js:474:10)
    at Object.Module._extensions..js (/vagrant/node_modules/istanbul/lib/hook.js:101:13)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/vagrant/node_modules/http-proxy/lib/http-proxy.js:4:17)
    at Module._compile (module.js:456:26)
    at Module._extensions..js (module.js:474:10)
    at Object.Module._extensions..js (/vagrant/node_modules/istanbul/lib/hook.js:101:13)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/vagrant/node_modules/http-proxy/index.js:13:18)
    at Module._compile (module.js:456:26)
    at Module._extensions..js (module.js:474:10)
    at Object.Module._extensions..js (/vagrant/node_modules/istanbul/lib/hook.js:101:13)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at module.exports (/vagrant/lib/modules/es-proxy.js:9:169)
    at Object.<anonymous> (/vagrant/lib/opensoc-ui.js:9:1947)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (/vagrant/node_modules/istanbul/lib/hook.js:99:20)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/vagrant/test/opensoc-ui-test.js:5:10)
    at Module._compile (module.js:456:26)
    at Module._extensions..js (module.js:474:10)
    at Object.Module._extensions..js (/vagrant/node_modules/istanbul/lib/hook.js:101:13)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at /vagrant/node_modules/mocha/lib/mocha.js:184:27
    at Array.forEach (native)
    at Mocha.loadFiles (/vagrant/node_modules/mocha/lib/mocha.js:181:14)
    at Mocha.run (/vagrant/node_modules/mocha/lib/mocha.js:393:31)
    at Object.<anonymous> (/vagrant/node_modules/mocha/bin/_mocha:380:16)
    at Module._compile (module.js:456:26)
    at Module._extensions..js (module.js:474:10)
    at Object.Module._extensions..js (/vagrant/node_modules/istanbul/lib/hook.js:101:13)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at runFn (/vagrant/node_modules/istanbul/lib/command/common/run-with-cover.js:116:16)
    at /vagrant/node_modules/istanbul/lib/command/common/run-with-cover.js:240:17
    at /vagrant/node_modules/istanbul/lib/util/file-matcher.js:56:16
    at /vagrant/node_modules/istanbul/lib/util/file-matcher.js:35:9
    at Object.next (/vagrant/node_modules/istanbul/node_modules/fileset/lib/fileset.js:41:14)
    at Fileset.EventEmitter.emit (events.js:95:17)
    at Fileset.next (/vagrant/node_modules/glob/glob.js:343:12)
    at Fileset.Glob._processEmitQueue (/vagrant/node_modules/glob/glob.js:310:12)
    at Fileset.Glob.emitMatch (/vagrant/node_modules/glob/glob.js:290:8)
    at Fileset.Glob._finish (/vagrant/node_modules/glob/glob.js:230:8)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:183:27)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:483:32)
    at Fileset.cb (/vagrant/node_modules/glob/glob.js:368:11)
    at Fileset.<anonymous> (/vagrant/node_modules/glob/glob.js:450:14)
    at Fileset.Glob._afterReaddir (/vagrant/node_modules/glob/glob.js:695:17)
    at Object.oncomplete (fs.js:107:15)
npm ERR! weird error 8
npm WARN This failure might be due to the use of legacy binary "node"
npm WARN For further explanations, please read
/usr/share/doc/nodejs/README.Debian

npm ERR! not ok code 0

Launch Server Failure

vagrant@vagrant-ubuntu-trusty-64:/vagrant$ nodemon
24 Apr 19:00:34 - [nodemon] v1.3.7
24 Apr 19:00:34 - [nodemon] to restart at any time, enter `rs`
24 Apr 19:00:34 - [nodemon] watching: *.*
24 Apr 19:00:34 - [nodemon] starting `node server.js`

util.js:555
  ctor.prototype = Object.create(superCtor.prototype, {
                                          ^
TypeError: Cannot read property 'prototype' of undefined
    at Object.exports.inherits (util.js:555:43)
    at Object.<anonymous> (/vagrant/node_modules/http-proxy/lib/http-proxy/index.js:108:17)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/vagrant/node_modules/http-proxy/lib/http-proxy.js:4:17)
    at Module._compile (module.js:456:26)
24 Apr 19:00:38 - [nodemon] app crashed - waiting for file changes before starting...

Pcap Viewer

Real-time alerts panel

Expose kafka integration through websockets to feed custom kibana panel.

AD authentication

Aside from regular authentication against Postgres, AD should be supported as an authentication scheme. If the user doesn't exist in Postgres and she logs in via AD, she should be created.

No data showing in dashboard

I have got this working with an lcx version of vagrant and i get the dashboard fine but I cannot see any data.

One example is:

PCAP Data

Access Denied

Also is there a way of getting nodemon to run in the background and on startup?

Thanks,

Stu

What is the username and password of opensoc-ui?

Hi, I followed "Setup development environment" and successfully accessed the login page.
But I couldn't login, because I don't know the username and password(I have tried admin, opensec, et al.)
Hoping for your help, and thanks for the great work, this is a amazing production.

Permissions

Pull roles / groups from AD and map to one of four permissions levels:

Analyst (Limited)
Investigator (Power)
Customer (Neutered)
Admin

Unable to compile opensoc-ui

When kicking off -- npm install -g opensoc-ui --, I get the following errors. Any inputs are appreciated.

[email protected] install /usr/local/lib/node_modules/opensoc-ui/node_modules/passport-ldapauth/node_modules/ldapauth-fork/node_modules/ldapjs/node_modules/dtrace-provider
node-gyp rebuild

[email protected] install /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/node-expat
node-gyp rebuild

make: Entering directory /usr/local/lib/node_modules/opensoc-ui/node_modules/passport-ldapauth/node_modules/ldapauth-fork/node_modules/ldapjs/node_modules/dtrace-provider/build' touch Release/obj.target/DTraceProviderStub.stamp npm http 304 https://registry.npmjs.org/verror/1.1.0 npm http 304 https://registry.npmjs.org/cryptiles make: Leaving directory/usr/local/lib/node_modules/opensoc-ui/node_modules/passport-ldapauth/node_modules/ldapauth-fork/node_modules/ldapjs/node_modules/dtrace-provider/build'
npm http 304 https://registry.npmjs.org/iron
npm http 304 https://registry.npmjs.org/multiparty
npm http 304 https://registry.npmjs.org/negotiator
npm http 304 https://registry.npmjs.org/joi
npm http 304 https://registry.npmjs.org/mime
npm http 304 https://registry.npmjs.org/shot
npm http 304 https://registry.npmjs.org/qs
npm http 304 https://registry.npmjs.org/semver
(node) child_process: options.customFds option is deprecated. Use options.stdio instead.
npm http GET https://registry.npmjs.org/extsprintf/1.0.0
npm http GET https://registry.npmjs.org/json-schema/0.2.2
npm http GET https://registry.npmjs.org/verror/1.3.3

[email protected] install /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/iconv
node-gyp rebuild

npm http 304 https://registry.npmjs.org/catbox
npm http 304 https://registry.npmjs.org/json-schema/0.2.2
make: Entering directory /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/node-expat/build' cc '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DPIC' '-DHAVE_EXPAT_CONFIG_H' '-DNDEBUG' -I/usr/include -I/usr/include/node -I../deps/libexpat -I../deps/libexpat/lib -fPIC -Wall -Wextra -Wno-unused-parameter -pthread -m64 -O2 -fno-strict-aliasing -fno-tree-vrp -fno-omit-frame-pointer -MMD -MF ./Release/.deps/Release/obj.target/expat/deps/libexpat/lib/xmlparse.o.d.raw -c -o Release/obj.target/expat/deps/libexpat/lib/xmlparse.o ../deps/libexpat/lib/xmlparse.c npm http 304 https://registry.npmjs.org/verror/1.3.3 (node) child_process: options.customFds option is deprecated. Use options.stdio instead. make: Entering directory/usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/iconv/build'
cc '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DICONV_CONST=const' '-DENABLE_EXTRA=1' '-DHAVE_WORKING_O_NOFOLLOW=1' -I/usr/include -I/usr/include/node -I../deps/libiconv/srclib -I../support -fPIC -Wno-unused-parameter -pthread -m64 -O2 -fno-strict-aliasing -fno-tree-vrp -fno-omit-frame-pointer -MMD -MF ./Release/.deps/Release/obj.target/libiconv/deps/libiconv/lib/iconv.o.d.raw -c -o Release/obj.target/libiconv/deps/libiconv/lib/iconv.o ../deps/libiconv/lib/iconv.c
npm http 304 https://registry.npmjs.org/extsprintf/1.0.0
cc '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DPIC' '-DHAVE_EXPAT_CONFIG_H' '-DNDEBUG' -I/usr/include -I/usr/include/node -I../deps/libexpat -I../deps/libexpat/lib -fPIC -Wall -Wextra -Wno-unused-parameter -pthread -m64 -O2 -fno-strict-aliasing -fno-tree-vrp -fno-omit-frame-pointer -MMD -MF ./Release/.deps/Release/obj.target/expat/deps/libexpat/lib/xmltok.o.d.raw -c -o Release/obj.target/expat/deps/libexpat/lib/xmltok.o ../deps/libexpat/lib/xmltok.c
../deps/libexpat/lib/xmltok.c:471: warning: missing initializer
../deps/libexpat/lib/xmltok.c:471: warning: (near initialization for ‘latin1_encoding_ns.isName2’)
../deps/libexpat/lib/xmltok.c:484: warning: missing initializer
../deps/libexpat/lib/xmltok.c:484: warning: (near initialization for ‘latin1_encoding.isName2’)
../deps/libexpat/lib/xmltok.c:504: warning: missing initializer
../deps/libexpat/lib/xmltok.c:504: warning: (near initialization for ‘ascii_encoding_ns.isName2’)
../deps/libexpat/lib/xmltok.c:517: warning: missing initializer
../deps/libexpat/lib/xmltok.c:517: warning: (near initialization for ‘ascii_encoding.isName2’)
../deps/libexpat/lib/xmltok.c:730: warning: missing initializer
../deps/libexpat/lib/xmltok.c:730: warning: (near initialization for ‘little2_encoding_ns.isName2’)
../deps/libexpat/lib/xmltok.c:749: warning: missing initializer
../deps/libexpat/lib/xmltok.c:749: warning: (near initialization for ‘little2_encoding.isName2’)
../deps/libexpat/lib/xmltok.c:762: warning: missing initializer
../deps/libexpat/lib/xmltok.c:762: warning: (near initialization for ‘internal_little2_encoding_ns.isName2’)
../deps/libexpat/lib/xmltok.c:775: warning: missing initializer
../deps/libexpat/lib/xmltok.c:775: warning: (near initialization for ‘internal_little2_encoding.isName2’)
../deps/libexpat/lib/xmltok.c:871: warning: missing initializer
../deps/libexpat/lib/xmltok.c:871: warning: (near initialization for ‘big2_encoding_ns.isName2’)
../deps/libexpat/lib/xmltok.c:890: warning: missing initializer
../deps/libexpat/lib/xmltok.c:890: warning: (near initialization for ‘big2_encoding.isName2’)
cc '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DPIC' '-DHAVE_EXPAT_CONFIG_H' '-DNDEBUG' -I/usr/include -I/usr/include/node -I../deps/libexpat -I../deps/libexpat/lib -fPIC -Wall -Wextra -Wno-unused-parameter -pthread -m64 -O2 -fno-strict-aliasing -fno-tree-vrp -fno-omit-frame-pointer -MMD -MF ./Release/.deps/Release/obj.target/expat/deps/libexpat/lib/xmlrole.o.d.raw -c -o Release/obj.target/expat/deps/libexpat/lib/xmlrole.o ../deps/libexpat/lib/xmlrole.c
rm -f Release/obj.target/deps/libexpat/libexpat.a && ar crsT Release/obj.target/deps/libexpat/libexpat.a Release/obj.target/expat/deps/libexpat/lib/xmlparse.o Release/obj.target/expat/deps/libexpat/lib/xmltok.o Release/obj.target/expat/deps/libexpat/lib/xmlrole.o
g++ '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DBUILDING_NODE_EXTENSION' -I/usr/include -I/usr/include/node -I../node_modules/nan -I../deps/libexpat -I../deps/libexpat/lib -fPIC -Wall -Wextra -Wno-unused-parameter -pthread -m64 -O2 -fno-strict-aliasing -fno-tree-vrp -fno-omit-frame-pointer -fno-rtti -fno-exceptions -MMD -MF ./Release/.deps/Release/obj.target/node_expat/node-expat.o.d.raw -c -o Release/obj.target/node_expat/node-expat.o ../node-expat.cc
In file included from ../node-expat.cc:1:
../node_modules/nan/nan.h:328: error: ‘REPLACE_INVALID_UTF8’ is not a member of ‘v8::String’
make: *** [Release/obj.target/node_expat/node-expat.o] Error 1
make: Leaving directory /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/node-expat/build' gyp ERR! build error gyp ERR! stack Error:makefailed with exit code: 2 gyp ERR! stack at ChildProcess.onExit (/usr/lib/node_modules/node-gyp/lib/build.js:267:23) gyp ERR! stack at emitTwo (events.js:87:13) gyp ERR! stack at ChildProcess.emit (events.js:172:7) gyp ERR! stack at Process.ChildProcess._handle.onexit (internal/child_process.js:200:12) gyp ERR! System Linux 2.6.32-504.30.3.el6.x86_64 gyp ERR! command "/usr/local/bin/node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild" gyp ERR! cwd /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/node-expat gyp ERR! node -v v4.2.1 gyp ERR! node-gyp -v v0.10.6 gyp ERR! not ok npm ERR! weird error 1 ../deps/libiconv/lib/iconv.c:593: fatal error: opening dependency file ./Release/.deps/Release/obj.target/libiconv/deps/libiconv/lib/iconv.o.d.raw: No such file or directory compilation terminated. Cannot create temporary file in /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/iconv/: No such file or directory make: *** [Release/obj.target/libiconv/deps/libiconv/lib/iconv.o] Aborted make: Leaving directory/usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/iconv/build'
gyp ERR! build error
gyp ERR! stack Error: make failed with exit code: 2
gyp ERR! stack at ChildProcess.onExit (/usr/lib/node_modules/node-gyp/lib/build.js:267:23)
gyp ERR! stack at emitTwo (events.js:87:13)
gyp ERR! stack at ChildProcess.emit (events.js:172:7)
gyp ERR! stack at Process.ChildProcess._handle.onexit (internal/child_process.js:200:12)
gyp ERR! System Linux 2.6.32-504.30.3.el6.x86_64
gyp ERR! command "/usr/local/bin/node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /usr/local/lib/node_modules/opensoc-ui/node_modules/xml-stream/node_modules/iconv
gyp ERR! node -v v4.2.1
gyp ERR! node-gyp -v v0.10.6
gyp ERR! not ok
npm ERR! not ok code 0

Kafka integration

Backend component of real-time alerts

OpenSOC-UI [proxyError] { [Error: connect ECONNREFUSED]

Dear All,

When run opensoc-ui in my ubuntu, but below error inor ptined,please refer to the below detail info.

root@ubuntu:/# ./usr/local/bin/opensoc-ui
warn: --minUptime not set. Defaulting to: 1000ms
warn: --spinSleepTime not set. Your script will exit if it does not stay up for at least 1000ms
Loading config from /home/davix/.opensoc-ui
{ debug: false,
host: '0.0.0.0',
port: 5000,
secret: 'b^~BN-IdQ9{gdp5sa2K$N=d5DV06eN7Y)sjZf:69dUj.3JWq=o',
static: 'static_dist',
auth: false,
elasticsearch: { url: 'http://127.0.0.1:9200' },
ldap:
{ url: 'ldap://127.0.0.1:389',
searchBase: 'dc=opensoc,dc=dev',
searchFilter: '(mail={{username}})',
searchAttributes: [ 'cn', 'uid', 'mail', 'givenName', 'sn', 'memberOf' ],
adminDn: 'cn=admin,dc=opensoc,dc=dev',
adminPassword: 'opensoc' },
pcap: { url: 'http://127.0.0.1:5000/sample/pcap', mock: false },
permissions: { pcap: [ 'cn=investigators,ou=groups,dc=opensoc,dc=dev' ] } }
Starting server on port 5000 ...
GET / 304 6.774 ms - -
GET /css/bootstrap.light.min.css 304 3.661 ms - -
GET /css/timepicker.css 304 3.217 ms - -
GET /css/animate.min.css 304 1.928 ms - -
GET /css/normalize.min.css 304 3.750 ms - -
GET /vendor/require/require.js 304 1.242 ms - -
GET /app/components/require.config.js 304 1.090 ms - -
GET /css/bootstrap-responsive.min.css 304 1.625 ms - -
GET /css/font-awesome.min.css 304 2.005 ms - -
GET /img/small.png 304 0.778 ms - -
GET /app/app.js 304 0.717 ms - -
GET /config.js 304 33.856 ms - -
[proxyError] { [Error: connect ECONNREFUSED]
code: 'ECONNREFUSED',
errno: 'ECONNREFUSED',
syscall: 'connect' }
GET /css/bootstrap.dark.min.css 304 3.051 ms - -
GET /app/partials/dashLoader.html 304 0.920 ms - -
[proxyError] { [Error: connect ECONNREFUSED]
code: 'ECONNREFUSED',
errno: 'ECONNREFUSED',
syscall: 'connect' }
GET /app/partials/dashboard.html 304 1.178 ms - -
GET /app/partials/dashLoaderShare.html 304 1.098 ms - -
GET /font/fontawesome-webfont.eot? 304 1.890 ms - -
[proxyError] { [Error: connect ECONNREFUSED]
code: 'ECONNREFUSED',
errno: 'ECONNREFUSED',
syscall: 'connect' }
GET /img/glyphicons-halflings.png 304 0.814 ms - -
GET /__es/_nodes - - ms - -
[proxyError] { [Error: connect ECONNREFUSED]
code: 'ECONNREFUSED',
errno: 'ECONNREFUSED',
syscall: 'connect' }
GET /__es/_nodes - - ms - -
[proxyError] { [Error: connect ECONNREFUSED]
code: 'ECONNREFUSED',
errno: 'ECONNREFUSED',
syscall: 'connect' }
GET /__es/_nodes - - ms - -
[proxyError] { [Error: connect ECONNREFUSED]
code: 'ECONNREFUSED',
errno: 'ECONNREFUSED',
syscall: 'connect' }

Query Parser

If we want to expose the query parser to kibana, the best approach is to port it to the frontend JS layer. This makes it extremely difficult to do nested or join-style queries, but it allows us to leverage the rest of kibana's tight integration with elasticsearch.

what's wrong with ElasticSearch

when i run the opensoc-ui, and visit the site of the http://192.168.10.124:5000 . page, and then submit the topology of Bro and Sourcefire, in the site of opensoc-ui, i can see the data of the Sourcefire, but can not see the data of the Bro, and when i check the log of ES, i found the error below , i never edit the config about the bro and it is same as the sourcefire.
someone else can help me?

org.elasticsearch.search.SearchParseException: [bro_index_2016.03.31][1]: from[-1],size[-1]: Parse Failure [Failed to parse source [{"facets":{"5":{"date_histogram":{"field":"timestamp","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"_type:sourcefire_doc"}},"filter":{"bool":{"must":[{"range":{"timestamp":{"from":1459385801824,"to":1459472201825}}}]}}}}}}},"6":{"date_histogram":{"field":"timestamp","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"_type:sourcefire_alert"}},"filter":{"bool":{"must":[{"range":{"timestamp":{"from":1459385801824,"to":1459472201825}}}]}}}}}}}},"size":0}]]
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:747)
at org.elasticsearch.search.SearchService.createContext(SearchService.java:572)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:544)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:306)
at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:231)
at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:228)
at org.elasticsearch.search.action.SearchServiceTransportAction$23.run(SearchServiceTransportAction.java:559)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ClassCastException: org.elasticsearch.index.fielddata.plain.PagedBytesIndexFieldData cannot be cast to org.elasticsearch.index.fielddata.IndexNumericFieldData
at org.elasticsearch.search.facet.datehistogram.DateHistogramFacetParser.parse(DateHistogramFacetParser.java:174)
at org.elasticsearch.search.facet.FacetParseElement.parse(FacetParseElement.java:93)
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:731)

make test

I tried to make test but I got the following error.
Please let me know how resolve this error.

aishikaw-mac{~/opensoc-ui}21: sudo make test
dyld: DYLD_ environment variables being ignored because main executable (/usr/bin/sudo) is setuid or setgid
PORT=4000 NODE_ENV=test ./node_modules/istanbul/lib/cli.js cover
./node_modules/mocha/bin/_mocha -- --check-leaks -R spec

auth
POST /login 302 9ms - 35b
✓ logs in
GET /logout 302 5ms - 40b
✓ logs out

kafka
topics
✓ reads from topic

index
GET / 200 7ms - 2.42kb
✓ responds with success

query parser
1) should parse query

4 passing (113ms)
1 failing

query parser should parse query:
Uncaught Error: write EPIPE
at errnoException (net.js:904:11)
at Object.afterWrite (net.js:720:19)

Writing coverage object [/Users/aishikaw/opensoc-ui/coverage/coverage.json]

Writing coverage reports at [/Users/aishikaw/opensoc-ui/coverage]

=============================== Coverage summary ===============================
Statements : 80.28% ( 57/71 )
Branches : 50% ( 5/10 )
Functions : 50% ( 10/20 )

Lines : 80.28% ( 57/71 )

make: *** [test-all] Error 1

how to look the data of pcap packets

i have made the environment OpneSOC-UI , and now , from the dashboard, i can see the Bro data and Sourcefire data, but can't see the pcap pcakets at bottom of the dashboard.
today , base the instructor of it ,i have installed the LDAP auth mechanism. but it seem same as before
,pcap pcakets can not be seen yet.
so . some one can help solve this problem?
thanks

Pcap viewer: Access denied

After logging into the dashboard, the Pcap viewer panel is saying "Access denied". I've followed the instructions for setting up the UI and can't figure out why I am receiving this.

Thanks in advance

config.vm.box for Centos

Does the confgi.vm.box differ for installation on centos ?
config.vm.box = "ubuntu/trusty64"

Ldap commands doesnot execute in Centos 6.6

Hi,
I have centos 6.6 x64 installed on my vm and have setup everything with yum. I am currently experiencing some problem with ldap.

Please find details.

[root@opensoc ~]# more /etc/redhat-release
CentOS release 6.6 (Final)
[root@opensoc ~]# rpm -qa | grep ldap
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.39-8.el6.x86_64
phpldapadmin-1.2.3-1.el6.noarch
openldap-servers-2.4.39-8.el6.x86_64
python-ldap-2.3.10-1.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
openldap-devel-2.4.39-8.el6.x86_64
openldap-clients-2.4.39-8.el6.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
php-ldap-5.3.3-40.el6_6.x86_64
[root@opensoc ~]#

I have following directory structure setup in my vm.

[root@opensoc ~]# cd /opt/opensoc

[root@opensoc opensoc]# ls -ltr
total 140
-rw-r--r-- 1 root root 4747 Nov 14 03:10 Vagrantfile
drwxr-xr-x 2 root root 4096 Nov 14 03:10 test
drwxr-xr-x 4 root root 4096 Nov 14 03:10 seed
-rw-r--r-- 1 root root 3226 Nov 14 03:10 README.md
-rw-r--r-- 1 root root 1536 Nov 14 03:10 package.json
-rw-r--r-- 1 root root 613 Nov 14 03:10 Makefile
drwxr-xr-x 4 root root 4096 Nov 14 03:10 lib
drwxr-xr-x 2 root root 4096 Nov 14 03:10 kibana
-rw-r--r-- 1 root root 497 Nov 14 03:10 index.js
-rw-r--r-- 1 root root 739 Nov 14 03:10 Gruntfile.js
drwxr-xr-x 4 root root 4096 Nov 14 03:10 examples
drwxr-xr-x 2 root root 4096 Nov 14 03:10 doc
-rw-r--r-- 1 root root 425 Nov 14 03:10 bower.json
-rw-r--r-- 1 root root 1151 Nov 26 00:02 readme.md
-rw-r--r-- 1 root root 3412 Nov 26 00:02 pom.xml.versionsBackup
-rw-r--r-- 1 root root 4134 Nov 26 00:02 pom.xml
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-Topologies
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-PlatformScripts
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-Pcap_Service
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-MessageParsers
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-Indexing
drwxr-xr-x 2 root root 4096 Nov 26 00:02 OpenSOC-FlumeConfigs
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-EnrichmentAdapters
drwxr-xr-x 4 root root 4096 Nov 26 00:02 OpenSOC-DataServices
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-DataLoads
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-Common
drwxr-xr-x 3 root root 4096 Nov 26 00:02 OpenSOC-Alerts
-rw-r--r-- 1 root root 11324 Nov 26 00:02 LICENSE
drwxr-xr-x 2 root root 4096 Dec 2 00:53 script
-rw-r--r-- 1 root root 494 Dec 2 01:19 config.json
drwxr-xr-x 29 root root 4096 Dec 2 01:20 node_modules
[root@opensoc opensoc]#

I have used following commands for ldap authentication.

slappasswd -T /opt/opensoc/seed/slapd.seed
cd /opt/opensoc/seed/ldap
ldapmodify -Y EXTERNAL -H ldapi:/// -f logging.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
ldapadd -D cn=admin,cn=config -w "opensoc" -H ldapi:/// -f memberof_add.ldif
ldapadd -D cn=admin,cn=config -w "opensoc" -H ldapi:/// -f memberof_config.ldif

its gives an error message and wont allow me login into UI.

[root@opensoc ldap]# slappasswd -T /opt/opensoc/seed/slapd.seed
Warning: Password file /opt/opensoc/seed/slapd.seed is publicly readable/writeable
{SSHA}AX0iR4MF8ZN1dwuByCzOrmfAzBmeZmtP
[root@opensoc ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f logging.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Type or value exists (20)
additional info: modify/add: olcLogLevel: value #0 already exists

[root@opensoc ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Constraint violation (19)
additional info: attribute 'olcRootDN' cannot have multiple values

[root@opensoc ldap]# ldapadd -D cn=admin,cn=config -w "opensoc" -H ldapi:/// -f memberof_add.ldif
ldap_bind: Invalid credentials (49)
[root@opensoc ldap]# ldapadd -D cn=admin,cn=config -w "opensoc" -H ldapi:/// -f memberof_config.ldif
ldap_bind: Invalid credentials (49)
[root@opensoc ldap]#

I am not setting up opensoc development environment, can some one tell me how to fix this issue.

above commands are copied from /script/provision and I have changed directory path in ldap script and setup accordingly.

P.S: I have all pre-requiste required for opensoc such as kafka, elasticsearch, hive, hbase, mysql server.