本安装过程的Linux版本为:ubuntu-20.04.2.0-desktop-amd64,效果图:
worker
alienvault connector一、依赖环境的安装
1、 Node.js的安装
wget https://nodejs.org/dist/v14.16.0/node-v14.16.0-linux-x64.tar.xz
tar xf node-v14.16.0-linux-x64.tar.xz
mv node-v14.16.0-linux-x64 node
sudo ln -s /home/你的用户名/node/bin/node /usr/local/bin
sudo ln -s /home/你的用户名/node/bin/npm /usr/local/bin
node -v
npm -v
2、安装python3.8
(1) 使用 Anaconda安装python3.8
bash Anaconda3-2020.11-Linux-x86_64.sh
安装完后键入python:
Python 3.8.5 (default, Sep 4 2020, 07:30:14)
[GCC 7.3.0] :: Anaconda, Inc. on linux
Type "help", "copyright", "credits" or "license" for more information.
(2)安装python3-pip,需要等待很长时间
sudo apt-get install python3-pip
备注:
APT安装出错:
E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 10260 (unattended-upgr)
N: Be aware that removing the lock file is not a solution and may break your system.
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?
解决方法:https://blog.csdn.net/qq_44657899/article/details/104571502
(3)安装elasticsearch,需要等待很长时间
sudo sysctl -w vm.max_map_count=1048575
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get update && sudo apt-get install elasticsearch
sudo systemctl start elasticsearch.service
ps -aux |grep elasticsearch
(4)安装minio
wget https://dl.min.io/server/minio/release/linux-amd64/minio_20210326000041.0.0_amd64.deb
dpkg -i minio_20210326000041.0.0_amd64.deb
sudo MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=password minio server /mnt/data
(5)安装redis
sudo add-apt-repository ppa:redislabs/redis
sudo apt-get update
sudo apt-get install redis
启动redis服务器:redis-server
验证:
ps -aux |grep redis
redis 19339 0.3 0.0 69468 8976 ? Ssl 18:17 0:00 /usr/bin/redis-server 127.0.0.1:6379
(6)安装RabbitMQ
https://www.rabbitmq.com/install-debian.html
安装依赖关系
sudo apt-get update -y
sudo apt-get install curl gnupg debian-keyring debian-archive-keyring -y
添加存储签署密钥
curl -fsSL https://github.com/rabbitmq/signing-keys/releases/download/2.0/rabbitmq-release-signing-key.asc | sudo apt-key add -
sudo apt-key adv --keyserver"keyserver.ubuntu.com"--recv-keys"F77F1EDA57EBB1CC"
wget-O -"https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey"|sudoapt-key add -
sudo apt-key adv --keyserver"keyserver.ubuntu.com"--recv-keys"F6609E60DC62814E"
开启HTTPS传输
sudo apt-get install apt-transport-https
添加源
sudo tee /etc/apt/sources.list.d/rabbitmq.list <<EOF
> deb http://ppa.launchpad.net/rabbitmq/rabbitmq-erlang/ubuntu focal main
> deb-src http://ppa.launchpad.net/rabbitmq/rabbitmq-erlang/ubuntu focal main
> deb https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu/ focal main
> deb-src https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu/ focal main
> EOF
安装erlang包
sudo apt-get update -y
sudo apt-get install -y erlang-base \
erlang-asn1 erlang-crypto erlang-eldap erlang-ftp erlang-inets \
erlang-mnesia erlang-os-mon erlang-parsetools erlang-public-key \
erlang-runtime-tools erlang-snmp erlang-ssl \
erlang-syntax-tools erlang-tftp erlang-tools erlang-xmerl
安装rabbitmq-server
sudo apt-get install rabbitmq-server -y --fix-missing
sudo apt-get install rabbitmq-server -y --fix-missing
验证:
ps -aux |grep rabbitmq
rabbitmq 25805 2.2 0.4 1704048 79528 ? Ssl 18:48 0:03 /usr/lib/erlang/erts-11.2/bin/beam.smp -W w -MBas ageffcbf -MHas ageffcbf -MBlmbcs 512 -MHlmbcs 512 -MMmcs 30 -P 1048576 -t 5000000 -stbt db -zdbbl 128000 -sbwt none -sbwtdcpu none -sbwtdio none -- -root /usr/lib/erlang -progname erl -- -home /var/lib/rabbitmq -- -pa -noshell -noinput -s rabbit boot -boot start_sasl -lager crash_log false -lager handlers []
rabbitmq 25816 0.0 0.0 2504 1496 ? Ss 18:48 0:00 erl_child_setup 32768
rabbitmq 25842 0.0 0.0 6360 196 ? S 18:48 0:00 /usr/lib/erlang/erts-11.2/bin/epmd -daemon
rabbitmq 25861 0.0 0.0 3888 844 ? Ss 18:48 0:00 inet_gethost 4
rabbitmq 25862 0.0 0.0 3968 1772 ? S 18:48 0:00 inet_gethost 4
# 启用 rabbitmq_manager,参考:https://www.cnblogs.com/cnwcl/p/13796611.html
cd /etc/rabbitmq
sudo rabbitmq-plugins enable rabbitmq_management
添加rabbitmq用户:
# 添加用户
sudo rabbitmqctl add_user admin admin
# 赋予权限
sudo rabbitmqctl set_user_tags admin administrator
# 赋予 virtual host 中所有资源的配置、写、读权限
sudo rabbitmqctl set_permissions -p / admin '.*' '.*' '.*'
# 重启 rabbitmq
service rabbitmq-server restart
二 、安装opencti
1、下载opencti
wget -c https://github.com/OpenCTI-Platform/opencti/releases/download/4.3.5/opencti-release-4.3.5.tar.gz
2、配置应用
$ cd opencti
$ cp config/default.json config/production.json
admin": {
"email": "admin@opencti.io",
"password": "ChangeMe",
"token": "ChangeMe"
token使用https://www.uuidgenerator.net/生成的UUID4
"minio": {
"endpoint": "localhost",
"port": 9000,
"use_ssl": false,
"access_key": "ChangeMe",
"secret_key": "ChangeMe"
}
"rabbitmq": {
"hostname": "localhost",
"port": 5672,
"port_management": 15672,
"management_ssl": false,
"username": "admin",
"password": "admin"
},
更改相应的密码。
3、安装相关的python
$ cd src/python
$ pip3 install -r requirements.txt
$ cd ../..
ERROR: Cannot uninstall 'PyYAML'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
pip install --ignore-installed PyYAML
4、安装yarn
sudo npm install yarn -g
启动opencti:
/home/你的用户名/node/bin/yarn serv
运行效果:
yarn run v1.22.10
$ node build/index.js
{"version":"4.3.4","level":"info","message":"[OPENCTI] Starting platform","timestamp":"2021-04-04T12:43:39.029Z"}
{"version":"4.3.4","level":"info","message":"[CHECK] ElasticSearch is alive","timestamp":"2021-04-04T12:43:39.241Z"}
{"version":"4.3.4","level":"info","message":"[CHECK] Minio is alive","timestamp":"2021-04-04T12:43:39.252Z"}
{"version":"4.3.4","level":"info","message":"[CHECK] RabbitMQ is alive","timestamp":"2021-04-04T12:43:39.293Z"}
{"version":"4.3.4","level":"info","message":"[CHECK] Redis is alive","timestamp":"2021-04-04T12:43:39.296Z"}
{"version":"4.3.4","level":"info","message":"[CHECK] Python3 is available","timestamp":"2021-04-04T12:43:39.596Z"}
{"version":"4.3.4","level":"info","message":"[INIT] New platform detected, initialization...","timestamp":"2021-04-04T12:43:39.676Z"}
{"version":"4.3.4","level":"info","message":"[INIT] Elasticsearch indexes loaded","timestamp":"2021-04-04T12:43:41.195Z"}
{"version":"4.3.4","level":"info","message":"[INIT] Creating migration structure","timestamp":"2021-04-04T12:43:41.195Z"}
{"version":"4.3.4","level":"info","message":"[INIT] Initialization of settings and basic elements","timestamp":"2021-04-04T12:43:41.555Z"}
{"version":"4.3.4","level":"info","message":"[INIT] Platform default initialized","timestamp":"2021-04-04T12:43:44.275Z"}
{"version":"4.3.4","level":"info","message":"[INIT] admin user initialized","timestamp":"2021-04-04T12:43:45.138Z"}
{"version":"4.3.4","level":"info","message":"[STREAM] Starting streaming processor","timestamp":"2021-04-04T12:43:46.107Z"}
{"version":"4.3.4","level":"info","message":"[OPENCTI] Servers ready on port 4000","timestamp":"2021-04-04T12:43:46.109Z"}
opencti的链接:http://localhost:4000
一些bug:
虚拟机断电后,文件系统变成只读文件了。
解决方案:https://www.kafan.cn/edu/46111822.html
sudo fsck / -y
命令进行修复
5、安装worker
$ cd worker
$ pip3 install -r requirements.txt
# 添加opencti的url连接和admin_token
$ cp config.yml.sample config.yml
启动多个worker:
$ python3 worker.py &
$ python3 worker.py &
6、安装connector
git clone https://github.com/OpenCTI-Platform/connectors
进入任何一个连接器的目录,修改config.yml.sample,添加opencti的url和admin token,以及连接器的uuidv4和相关的配置项。
以alienvault为例:
opencti:
url: 'http://localhost:4000'
token: '1938cxxc-ab2c-4857-877e-43198e6858f1'
connector:
id: 'a33f54d7-d6xx-41c9-8fff-f64da4ef5570'
type: 'EXTERNAL_IMPORT'
name: 'AlienVault'
scope: 'alienvault'
confidence_level: 15 # From 0 (Unknown) to 100 (Fully trusted)
update_existing_data: false
log_level: 'info'
alienvault:
base_url: 'https://otx.alienvault.com'
api_key: 'xx87xxcf1e877f8512xx3a9a184xxb6xx2342axx77ba728xxc95125fc75907xx'
tlp: 'White'
create_observables: true
create_indicators: true
pulse_start_timestamp: '2020-05-01T00:00:00' # ISO 8601
report_type: 'threat-report'
report_status: 'New' # New, In progress, Analyzed and Closed
guess_malware: false # Use tags to guess malware
guess_cve: false # Use tags to guess CVE
excluded_pulse_indicator_types: 'FileHash-MD5,FileHash-SHA1' # Excluded Pulse indicator types
interval_sec: 1800 # Seconds
修改黑色文字。
网友评论