
Application Configuration

CYBERQUEST

Copy the cyberquest-deployment.tar.gz package into the user's folder and install it as follows:

tar -xvf cyberquest-deployment.tar.gz
cd cyberquest-deployment 
bash keygen.sh
bash rabbitmq/certRMQ.sh
bash createDockerVolumes.sh 
docker compose up -d

The package contains the following services:

Service            Description
rabbitmq           Message queuing
mariadb            Server for storing configurations
redisServer        In-memory storage service
data-forward       Forwards events or alerts from the CYBERQUEST application to other SIEMs
cerebro            Management interface for the NoSQL service; used only for troubleshooting
data-correlation   Correlates events in real time and generates alerts from them
data-storage       Long-term storage module
data-executor      Execution service
webapplication     Web interface of the solution
data-acquisition   Processes events using API parsers, then sends them to the online database (Online DataStorage), the Data Storage service and the Data Correlation service
data-receiver      Receives data transmitted over HTTPS
data-server        Receives events and pre-processes them, then sends them to the Data Acquisition service through the internal queue service (RabbitMQ)

NETALERT

Copy the netalert-deployment.tar.gz package into the user's folder and extract it:

tar -xvf netalert-deployment.tar.gz

1. Enter the extracted folder

cd netalert-deployment

2. Set up the environment (as root; sysctl -p re-reads /etc/sysctl.conf and applies it)

echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
echo 'vm.nr_hugepages=5120' >> /etc/sysctl.conf
sysctl -p

Note that with the default 2 MB huge page size on x86_64, vm.nr_hugepages=5120 pins 10 GB of RAM as huge pages; that memory is no longer available for ordinary allocations, so count it out when sizing the OpenSearch heap in step 4.

3. Create the local Docker volumes (under the /data/ folder)

bash ./configureVolumes.sh

4. Edit docker-compose.yml and set it up:

  • data-sense container, for example:
    ElasticSearchHost=http://127.0.0.1 (replace with the management IP)
    InterfaceName=enp4s0 (replace with the PF_RING ZC capture interface)
  • Memory for the OpenSearch Java VM (the default is 8 GB). The heap must be no more than 31 GB (above that the JVM stops using compressed object pointers) and no more than 50% of the machine's RAM. Set the minimum (-Xms) equal to the maximum (-Xmx) so the heap is allocated once at start-up instead of being grown under load.

Example with 3 GB, in the opensearch-node container:

    "OPENSEARCH_JAVA_OPTS=-Xms3G -Xmx3G"

5. Start the containers in detached mode

docker compose up -d

6. One time only, initialise the security configuration of the opensearch container.

  • Get a shell inside the container (this assumes exactly one running container whose name contains "opensearch"):
    docker exec -it $(docker ps -q -f name=opensearch) bash
  • Inside the container, first back up the current security configuration, then load the users from internal_users.yml:
    cd plugins/opensearch-security/tools/
    ./securityadmin.sh -backup my-backup-directory \
    -icl \
    -nhnv \
    -cacert ../../../config/root-ca.pem \
    -cert ../../../config/kirk.pem \
    -key ../../../config/kirk-key.pem

    ./securityadmin.sh -f ../../../config/opensearch-security/internal_users.yml \
    -t internalusers \
    -icl \
    -nhnv \
    -cacert ../../../config/root-ca.pem \
    -cert ../../../config/kirk.pem \
    -key ../../../config/kirk-key.pem

-icl skips the cluster-name check and -nhnv disables hostname verification of the node certificate; both are acceptable for this one-time bootstrap from inside the container, but do not copy them into scripts that administer the cluster remotely. kirk.pem and kirk-key.pem are the admin certificate and key: whoever holds them can rewrite the whole security configuration, so keep the key readable only by the account that runs this step. If internal_users.yml still contains the OpenSearch demo password hashes, replace them before loading the file, because the second command writes those hashes into the security index.
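The heap rule from step 4 is easy to get wrong by hand, so the following pre-flight script (an added example, not part of the NETALERT package) computes the heap to configure from the machine's RAM and checks an OPENSEARCH_JAVA_OPTS value against the three constraints on the page: -Xms equal to -Xmx, no more than 31 GB, and no more than 50% of RAM. The function names and the compose-file parsing are assumptions made for this example; run it in the netalert-deployment folder before step 5.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the OpenSearch heap setting in docker-compose.yml
# (example code, not the vendor's). Encodes the rule from step 4: heap <= 31 GB,
# heap <= 50% of machine RAM, and -Xms equal to -Xmx.

# Print the heap size (whole GB) to configure on a machine with TOTAL_MB of RAM.
recommended_heap_gb() {
    local total_mb=$1
    local gb=$(( total_mb / 2048 ))     # half the RAM, rounded down to whole GB
    if [ "$gb" -gt 31 ]; then gb=31; fi # ceiling from the page (compressed oops)
    if [ "$gb" -lt 1 ]; then gb=1; fi   # never emit a zero-sized heap
    echo "$gb"
}

# Print the whole-GB value of -Xms or -Xmx (FLAG) found in a JVM option string;
# prints nothing if the flag is absent or not given in G/GB units.
jvm_gb() {
    local flag=$1 opts=$2
    printf '%s\n' "$opts" | sed -nE "s/.*-${flag}([0-9]+)[gG].*/\1/p"
}

# Validate an OPENSEARCH_JAVA_OPTS string against the sizing rule.
# Returns 0 when it complies, 1 otherwise (the reason goes to stderr).
check_java_opts() {
    local opts=$1 total_mb=$2 xms xmx
    xms=$(jvm_gb Xms "$opts")
    xmx=$(jvm_gb Xmx "$opts")
    if [ -z "$xms" ] || [ -z "$xmx" ]; then
        echo "both -Xms and -Xmx must be set in whole GB, e.g. -Xms3G -Xmx3G" >&2
        return 1
    fi
    if [ "$xms" -ne "$xmx" ]; then
        echo "-Xms${xms}G differs from -Xmx${xmx}G; set them equal" >&2
        return 1
    fi
    if [ "$xmx" -gt 31 ]; then
        echo "-Xmx${xmx}G exceeds the 31 GB limit" >&2
        return 1
    fi
    if [ $(( xmx * 2048 )) -gt "$total_mb" ]; then
        echo "-Xmx${xmx}G exceeds 50% of the machine's RAM (${total_mb} MB)" >&2
        return 1
    fi
    return 0
}

# Pull the OPENSEARCH_JAVA_OPTS value out of a compose file (quoted or not).
compose_java_opts() {
    sed -nE 's/.*OPENSEARCH_JAVA_OPTS=([^"]*).*/\1/p' "$1" | head -n1
}

# Usage on a real host: RAM from /proc/meminfo, options from docker-compose.yml.
if [ -f docker-compose.yml ] && [ -r /proc/meminfo ]; then
    ram_mb=$(( $(awk '/^MemTotal:/ {print $2}' /proc/meminfo) / 1024 ))
    echo "recommended heap for this machine: $(recommended_heap_gb "$ram_mb")G"
    if check_java_opts "$(compose_java_opts docker-compose.yml)" "$ram_mb"; then
        echo "OPENSEARCH_JAVA_OPTS in docker-compose.yml is within limits"
    fi
fi
```

The 50% check uses the total RAM reported by the kernel; if step 2 reserved huge pages, subtract that reservation from the figure you pass in to stay on the safe side.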

The package contains the following services:

Service           Description
mldns             Machine-learning detection of anomalous DNS traffic (the sample contains the GPU implementation, which is suitable only for appliances with Nvidia GPUs)
mlsmtp            Machine-learning detection of anomalous SMTP traffic (the sample contains the GPU implementation, which is suitable only for appliances with Nvidia GPUs)
mltraffic         Machine-learning detection of anomalous general network traffic (the sample contains the GPU implementation, which is suitable only for appliances with Nvidia GPUs)
datasense         Collects data from the network card; requires a supported virtual or physical NIC
apt-scanner       Generates APT alerts
WebServer         Web interface of the solution
opensearch-node   The OpenSearch master node; additional nodes can be added on the same VM or physical machine or on other VMs
rabbitmq          Message queuing
mariadb           Server for storing configurations
syslog-forward    Syslog forwarding component