
awsdetonationlab's Introduction

AWS Detonation Lab

These scripts are a proof of concept for generating a detonation lab from a CloudFormation template. The repository also includes scripts for installing Wazuh agents on the target systems, and scripts that generate attacks against those targets so that the activity shows up in AWS logging systems such as GuardDuty, VPC Flow Logs, Route 53 DNS logs, Macie, CloudTrail, and others.

All of these logs can be configured to be sent to the Kibana instance running on the Wazuh server, for use in threat hunting, incident investigation, and response.

The CloudFormation template and the GuardDuty alert generation scripts are based on the GuardDuty-Tester.template, which uses AWS CloudFormation to create an isolated environment with a bastion host, a redTeam EC2 instance that you can SSH into, and two target EC2 instances.

You can then run guardduty_tester.sh, which starts interaction between the redTeam EC2 instance and the target Windows and Linux EC2 instances to simulate five types of common attacks that GuardDuty is built to detect and report to you as generated findings.

For more information please refer to the wiki.

Thank you for your contributions

Special thanks to Marta and Danny for their contributions to this project.

Video presentations using this project

Who Done It: Gaining Visibility and Accountability in the Cloud - SANS Threat Hunting Summit 2018

awsdetonationlab's People

Contributors

brauliov, sonofagl1tch, tomstickle, wolruf


awsdetonationlab's Issues

Typos

Some resources are named firehose and some are named firehost:

firehostdeliveryRoleGuardDuty
firehostdeliveryRoleIAM
firehostdeliveryRoleInspector
firehostdeliveryRoleMacie
firehostdeliveryRoleVPC

Create a Wiki using README's information

Hi @sonofagl1tch,

I think the README is too long. It's difficult to find specific information and it's necessary to do a lot of scrolling to get to the Get Started section.

It would be much better to have all that information organized in a Wiki section. I think the Wiki can have the following sections:

  • Environment deployed by the template (topology, what does the template do, things that cannot go inside the template and why...).
  • Installing the template.
  • Configuring/Accessing remotely (Windows, Mac and Linux).
  • Configuring Wazuh.

Best regards,
Marta

create a randomly generated username

Currently you cannot run multiple detonation labs at once because the user being created in the CF template already exists. This breaks the stack.

Request to generate a username like "wazuh-asdfsreasd" with everything after the hyphen being generated in the CF template.

This will allow multiple detlabs to run at once.
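One way to get a per-stack username without a custom resource, as an added example that is not the project's own template code: take the suffix from the stack's own ID. AWS::StackId has the form arn:aws:cloudformation:region:account:stack/stack-name/guid, and the GUID is unique per stack, so two labs in the same account get different user names. The "wazuh-" prefix is the one requested above; the resource name wazuhUser is an assumption, while wazuhUserAccessKey matches the Ref name used in the template fragment quoted in a later issue.

```json
{
  "Resources": {
    "wazuhUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "UserName": {
          "Fn::Sub": [
            "wazuh-${StackSuffix}",
            {
              "StackSuffix": {
                "Fn::Select": [ 2, { "Fn::Split": [ "/", { "Ref": "AWS::StackId" } ] } ]
              }
            }
          ]
        }
      }
    },
    "wazuhUserAccessKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": { "Ref": "wazuhUser" }
      }
    }
  }
}
```

The simpler alternative is to omit UserName entirely: CloudFormation then generates a unique name for the AWS::IAM::User itself, and everything that needs the name can still use { "Ref": "wazuhUser" }. Either way, the rest of the template (the access key above, and the sed commands that write the key into ossec.conf) only ever refers to the user through Ref or Fn::GetAtt, so nothing else has to change.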

Wazuh is not being correctly configured

Describe the bug
The AWS wodle configuration in wazuh is not correct, which means the script doesn't execute this part of the template:

        "pip install boto3\n",
        "sed -i 's/cloudtraillogging/",
        { "Ref": "S3BucketCloudTrail" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/guarddutylogging/",
        { "Ref": "S3BucketGuardDuty" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/iamlogging/",
        { "Ref": "S3BucketIAM" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/inspectorlogging/",
        { "Ref": "S3BucketInspector" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/macielogging/",
        { "Ref": "S3BucketMacie" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/vpcflowlogging/",
        { "Ref": "S3BucketVPCflow" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/insert_access_key/",
        { "Ref": "wazuhUserAccessKey" },
        "/' /var/ossec/etc/ossec.conf\n",
        "sed -i 's/insert_secret_key/",
        { "Fn::GetAtt": [ "wazuhUserAccessKey", "SecretAccessKey" ] },
        "/' /var/ossec/etc/ossec.conf\n",
        "/var/ossec/bin/ossec-control restart\n"
      ]
    ]
  }

Boto3 python package wasn't installed either.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the template available at master branch in cloudformation
  2. ssh wazuh
  3. tail -n20 /var/ossec/etc/ossec.conf

Expected behavior
Template values in configuration should be replaced with bucket names and AWS keys. Boto3 should be installed.

Output

# tail -n20 /var/ossec/etc/ossec.conf
    <bucket type="custom">
      <name>inspectorlogging</name>
      <path>firehose</path>
      <access_key>insert_access_key</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
    <bucket type="custom">
      <name>macielogging</name>
      <path>firehose</path>
      <access_key>insert_access_key</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
    <bucket type="custom">
      <name>vpcflowlogging</name>
      <path>flowlogs</path>
      <access_key>insert_access_key</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
  </wodle>
</ossec_config>
# pip install boto3
Collecting boto3
  Downloading https://files.pythonhosted.org/packages/6d/5b/67f82c90b73ea21121a7d94c0b56546c1bfbd516ca27ae829220389c547a/boto3-1.9.69-py2.py3-none-any.whl (128kB)
    100% |████████████████████████████████| 133kB 5.7MB/s
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3)
  Downloading https://files.pythonhosted.org/packages/d7/14/2a0004d487464d120c9fb85313a75cd3d71a7506955be458eebfe19a6b1d/s3transfer-0.1.13-py2.py3-none-any.whl (59kB)
    100% |████████████████████████████████| 61kB 8.4MB/s
Collecting botocore<1.13.0,>=1.12.69 (from boto3)
  Downloading https://files.pythonhosted.org/packages/72/ba/a188505f67a78a686aa24d8511a18cb5a8bb27705c9d1b1bb81bee97a138/botocore-1.12.69-py2.py3-none-any.whl (5.2MB)
    100% |████████████████████████████████| 5.2MB 228kB/s
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/lib/python2.7/dist-packages (from boto3)
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /usr/lib/python2.7/dist-packages (from s3transfer<0.2.0,>=0.1.10->boto3)
Collecting urllib3<1.25,>=1.20; python_version == "2.7" (from botocore<1.13.0,>=1.12.69->boto3)
  Downloading https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl (118kB)
    100% |████████████████████████████████| 122kB 8.9MB/s
Requirement already satisfied: python-dateutil<3.0.0,>=2.1; python_version >= "2.7" in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: docutils>=0.10 in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from python-dateutil<3.0.0,>=2.1; python_version >= "2.7"->botocore<1.13.0,>=1.12.69->boto3)
Installing collected packages: urllib3, botocore, s3transfer, boto3
  Found existing installation: urllib3 1.8.2
    Uninstalling urllib3-1.8.2:
      Successfully uninstalled urllib3-1.8.2
  Found existing installation: botocore 1.10.82
    Uninstalling botocore-1.10.82:
      Successfully uninstalled botocore-1.10.82
Successfully installed boto3-1.9.69 botocore-1.12.69 s3transfer-0.1.13 urllib3-1.24.1
You are using pip version 9.0.3, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
# pip install boto3
Requirement already satisfied: boto3 in /usr/local/lib/python2.7/site-packages
Requirement already satisfied: s3transfer<0.2.0,>=0.1.10 in /usr/local/lib/python2.7/site-packages (from boto3)
Requirement already satisfied: botocore<1.13.0,>=1.12.69 in /usr/local/lib/python2.7/site-packages (from boto3)
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/lib/python2.7/dist-packages (from boto3)
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /usr/lib/python2.7/dist-packages (from s3transfer<0.2.0,>=0.1.10->boto3)
Requirement already satisfied: urllib3<1.25,>=1.20; python_version == "2.7" in /usr/local/lib/python2.7/site-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1; python_version >= "2.7" in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: docutils>=0.10 in /usr/lib/python2.7/dist-packages (from botocore<1.13.0,>=1.12.69->boto3)
Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from python-dateutil<3.0.0,>=2.1; python_version >= "2.7"->botocore<1.13.0,>=1.12.69->boto3)
You are using pip version 9.0.3, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

add option to choose between 1 s3 bucket for all logs or 1 s3 bucket per service

Currently the det lab creates one S3 bucket per service being logged. This was the easiest way to do it in the beginning, due to how we learned to create the logging pipeline. Since then I have had multiple requests to log all services to a single S3 bucket with a subdirectory for each service, because of the S3 limit of 100 buckets in total. To solve this I think we should add an option to the config page for the user to select multiple or a single S3 bucket for logs. The directory structure should look something like the below:

  • rootDir - nameOfDetlab
    • childDirs - Guardduty|macie|cloudtrail|vpc|etc
      • logs - however they write out

Add support for AWS Trust Advisor

Hello @sonofagl1tch,

The Wazuh team has added support for AWS Trust Advisor in wazuh/wazuh#1845. I think we should add it to the detonation lab.

Tasks:

  • Enable service in CF template.
  • Create bucket and forward AWS Trust Advisor events to the bucket.
  • Add necessary configuration to ossec.conf file in Wazuh manager.

Best regards,
Marta

Update Inspector set up and configuration

Hello @sonofagl1tch,

The Wazuh team has improved the way Inspector findings are fetched from AWS: a bucket is no longer necessary since events are read directly from the AWS API using boto3. More info: wazuh/wazuh#1895

There's no need to send Inspector events to a bucket anymore; enabling the service and updating the Wazuh configuration should be enough.

Best regards,
Marta

Agents are not automatically registered

Hi @sonofagl1tch,

After deploying the detonation lab, I had to register the agents manually. I think the registration scripts should be improved to use authd.

Currently defined tasks:

Best regards,
Marta

AWS secret key is not correctly replaced in ossec.conf

Describe the bug
I have deployed the template multiple times today and all the times I did, the AWS secret key wasn't correctly replaced in the Wazuh configuration file.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy template

Expected behavior
The insert_secret_key value should be replaced by the actual secret key.

Additional context

# tail /var/ossec/etc/ossec.conf
      <access_key>AKIAJ64K653OQV3ZJ6IA</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
    <bucket type="vpcflow">
      <name>detonationlab-s3bucketvpcflow-15sozza5u84l7</name>
      <access_key>AKIAJ64K653OQV3ZJ6IA</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
  </wodle>
</ossec_config>
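Added example, not the lab's own code, covering both the earlier "Wazuh is not being correctly configured" report and this secret-key one: a small POSIX sh rendering step that replaces the same placeholders the template's sed commands target, escapes the values first, and refuses to finish while any placeholder survives, so a deploy fails loudly instead of starting the manager with insert_secret_key still in the file. Neither issue says why the key was left in place; one cause consistent with the symptom, included here as an assumption rather than a finding, is that the template uses '/' as the sed delimiter while AWS secret keys may themselves contain '/'. The ossec.conf fragment, paths and bucket names are constructed; the credentials are the example pair from the AWS documentation, not live keys.

```shell
#!/bin/sh
# Added example, not part of awsdetonationlab: render the aws-s3 wodle
# placeholders in an ossec.conf-style file and verify none survive.
# Assumptions: the placeholder names are the ones the template's sed
# commands target; file paths and the sample file are constructed here.

# Write a small constructed stand-in for the wodle section of ossec.conf.
make_sample_template() {
    cat > "$1" <<'EOF'
<ossec_config>
  <wodle name="aws-s3">
    <bucket type="cloudtrail">
      <name>cloudtraillogging</name>
      <access_key>insert_access_key</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
    <bucket type="vpcflow">
      <name>vpcflowlogging</name>
      <access_key>insert_access_key</access_key>
      <secret_key>insert_secret_key</secret_key>
    </bucket>
  </wodle>
</ossec_config>
EOF
}

# The template's own sed shape, kept only to show the failure mode: with '/'
# as delimiter, a value that itself contains '/' makes sed reject the
# expression, the command exits non-zero, and the literal placeholder stays.
# $1 = input file, $2 = output file, $3 = secret key value
naive_render() {
    sed "s/insert_secret_key/$3/" "$1" > "$2"
}

# Escape a value for the right-hand side of s|pattern|value|: backslash,
# ampersand and the delimiter are the only characters sed interprets there.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Render: copy $1 to $2, then substitute each placeholder/value pair given
# as further arguments. Uses '|' as delimiter and a temp file instead of
# sed -i so it behaves the same on GNU and BSD sed.
render_ossec_conf() {
    src="$1"; dst="$2"; shift 2
    cp "$src" "$dst"
    while [ "$#" -ge 2 ]; do
        ph="$1"; val=$(sed_escape "$2"); shift 2
        sed "s|$ph|$val|g" "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
    done
}

# Verify: return 0 if no known placeholder is left in $1, 1 otherwise,
# printing the offending lines so the deploy log shows what was missed.
check_no_placeholders() {
    if grep -nE 'insert_(access|secret)_key|(cloudtrail|guardduty|iam|inspector|macie|vpcflow)logging' "$1"; then
        echo "unrendered placeholders found in $1" >&2
        return 1
    fi
    return 0
}

# Demo with constructed values. The credentials are the documented AWS
# example pair, never live; the secret contains '/' on purpose.
demo() {
    dir=$(mktemp -d)
    make_sample_template "$dir/ossec.conf.tmpl"
    if naive_render "$dir/ossec.conf.tmpl" "$dir/naive.conf" \
        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' 2>/dev/null; then
        echo "naive sed unexpectedly succeeded"
    else
        echo "naive sed failed as expected; the placeholder would remain"
    fi
    render_ossec_conf "$dir/ossec.conf.tmpl" "$dir/ossec.conf" \
        insert_access_key AKIAIOSFODNN7EXAMPLE \
        insert_secret_key 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' \
        cloudtraillogging detonationlab-s3bucketcloudtrail-example \
        vpcflowlogging detonationlab-s3bucketvpcflow-example
    if check_no_placeholders "$dir/ossec.conf"; then
        echo "rendered cleanly:"
        grep -E '<(name|access_key|secret_key)>' "$dir/ossec.conf"
    fi
    rm -rf "$dir"
}
demo
```

In the lab's UserData the same three pieces apply directly: escape each Ref/GetAtt value before it reaches sed, and run check_no_placeholders before /var/ossec/bin/ossec-control restart so that a stack whose configuration did not render is visible as a failed deployment rather than as a manager that silently ingests nothing.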

Add a low cost template

Is your feature request related to a problem? Please describe.
The current template deploys very expensive EC2 instances. I think the deployed environment is good for production but it's too much for someone who only wants to do a bit of testing or playing around.

Describe the solution you'd like
Add another template; this way the user would have two options to choose from: prod or testing.
I don't want to do it by copying and pasting; if the code of one template can't be used for the other, we can try writing a script that generates the template, or something like that.

Template deployment ends up with ROLLBACK status

Describe the bug
When I try to deploy the template it fails in the middle of the deployment process and rolls back all the deployed resources.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new stack with the template.
  2. Wait.

Expected behavior
I expect the stack deployment to get CREATE_COMPLETE status instead of ROLLBACK_IN_PROGRESS.

Screenshots

Additional context
It seems Amazon Marketplace has updated their images so the ID is no longer the one specified in the template.

automate ingest AWS logs into wazuh

Update the CloudFormation template to automatically update the Wazuh server with everything it needs to ingest AWS logs.

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <bucket type="cloudtrail">
    <name>wazuh-cloudtrail</name>
    <access_key>insert_access_key</access_key>
    <secret_key>insert_secret_key</secret_key>
  </bucket>
</wodle>

Ubuntu install script is outdated

Hello @sonofagl1tch,

I've noticed the script in /additionalInstallationScripts/installWazuh-Ubuntu.sh is outdated compared to the installWazuh script used for Amazon Linux.

I think it would be a good idea to make some kind of library with common install functions for both rpm and deb. The only difference between the two should be the way repositories are managed.

Best regards,
Marta

Wazuh Kibana app doesn't install

Hi @sonofagl1tch,

After the deployment of my Wazuh manager in the Detonation lab, the Wazuh app wasn't installed. I ran the script manually and noticed the following error:

Attempting to transfer from https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1.0_6.4.0.zip
Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1.0_6.4.0.zip/https://packages.wazuh.com/wazuhapp/wazuhapp-3.6.1.0_6.4.0.zip-6.4.0.zip
Plugin installation was unsuccessful due to error "No valid url specified."

I think the problem is on this part of the script:

## Install the Wazuh App
/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-$WAZUH_VERSION.0_$ELASTIC_VERSION.zip

More precisely, the Wazuh version variable is 3.6.1 but a .0 is hardcoded in the URL, resulting in the file name wazuhapp-3.6.1.0, which doesn't exist.

ELASTIC_VERSION=6.4.0
WAZUH_VERSION=3.6.1

Best regards,
Marta

add usage of route53 DNS to detonation lab

route53 DNS
Currently this requires a public domain to be registered in order to be used, so I cut it for cost reasons.

  • Can a free public domain name be used for the detonation lab?
  • Can I automate this with cloudformation?
  • How much would it cost to use the Route53 services for everything?

VPCFlow interface ID viz is broken

Hello,

One of the kibana dashboard visualizations is broken:

The fieldname is interface_id instead of interfaceid.

Best regards,
Marta

fix rfiurl error

fix error

- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****

Add support for Wazuh v3.9.x and ELK 7.1.0

Hi @sonofagl1tch and @mgmacias95,

Since the release of Wazuh v3.9.1, Wazuh is compatible with Elastic 7.1.0, but now Logstash and Java aren't necessary, so the installation process in installWazuh.sh needs some changes.

In addition, Elastic 7.1.0 includes some security features out of the box. More info at https://www.elastic.co/es/blog/getting-started-with-elasticsearch-security.

Requested changes:

  • Bump Wazuh version to v3.9.1.
  • Remove Logstash.
  • Remove Java.
  • Install Filebeat and the new template.

Some helpful links:

Best regards,
Braulio.

Windows AMI is outdated

Hello,

The Windows AMI currently used by the Detonation lab is outdated. This makes the template fail when deploying.


From AWS Docs:

The Windows AMIs in each release have new AMI IDs. Therefore, we recommend that you write scripts that locate the latest AWS Windows AMIs by their names, rather than by their IDs.

This problem has already happened (#51) so we should consider looking for AMIs based on instance names instead of having AMIs hardcoded.

Best regards,
Marta
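Added example, not from the project: a CloudFormation JSON fragment that resolves the AMI at deploy time through the public SSM parameters AWS maintains for its latest Windows and Amazon Linux images, which is the by-name lookup the AWS docs quoted above recommend. No AMI ID is hardcoded, so an image refresh of the kind behind #51 and this issue no longer rolls the stack back. The parameter and resource names (LatestWindowsAmiId, WindowsTarget, LinuxTarget) and the instance types are assumptions, not the lab's real ones.

```json
{
  "Parameters": {
    "LatestWindowsAmiId": {
      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
      "Default": "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base",
      "Description": "Example parameter (not the lab's own): CloudFormation reads the AWS-maintained public SSM parameter at deploy time, so the newest AMI ID for the current region is used."
    },
    "LatestAmazonLinuxAmiId": {
      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
      "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
      "Description": "Same mechanism for the Linux target; the parameter path is the public one published by AWS."
    }
  },
  "Resources": {
    "WindowsTarget": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "LatestWindowsAmiId" },
        "InstanceType": "t2.medium"
      }
    },
    "LinuxTarget": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "LatestAmazonLinuxAmiId" },
        "InstanceType": "t2.micro"
      }
    }
  }
}
```

Because the parameter type is resolved by CloudFormation itself, the same template works in every region without a Mappings table of per-region AMI IDs, and a stack update picks up the newer image rather than failing on a retired one. For images that have no public SSM parameter, the equivalent lookup by name can be scripted with the AWS CLI before deployment: `aws ec2 describe-images --owners amazon --filters "Name=name,Values=Windows_Server-2016-English-Full-Base-*" --query "sort_by(Images,&CreationDate)[-1].ImageId"` returns the newest matching AMI ID, which can then be passed in as a plain parameter.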

Boto3 is not installed

Describe the bug
The Boto3 python package is not being installed in the Wazuh manager, which makes Wazuh's AWS integration fail:

2019/03/22 19:51:38 wazuh-modulesd:aws-s3: INFO: Executing Bucket Analysis: ********
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  Returned exit code 4
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: WARNING: Bucket:  -  boto3 module is required.
2019/03/22 19:51:38 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

Add support for AWS Config

Hello @sonofagl1tch,

The Wazuh team has added support for AWS Config in wazuh/wazuh#1835. I think we should add it to the detonation lab.

Tasks:

  • Enable service in CF template.
  • Create bucket and forward AWS Config events to the bucket.
  • Add necessary configuration to ossec.conf file in Wazuh manager.

Best regards,
Marta
