PowerShell Script for Security Onion to Automate so-allow from an Analyst Workstation

So-Allow.ps1

<#
.SYNOPSIS
  A PowerShell script to automate whitelisting a device on the master Security Onion server.
.DESCRIPTION
  If your analyst workstation is constantly changing IPs, it might be a little annoying to SSH into the master Security Onion server every time to interactively whitelist your new IP. Here's a way to cut off a couple of the steps to achieve just that, using PowerShell and Plink.exe. Make sure to modify the parameters according to your environment and analyst workstation's network interface.
.PARAMETER Servers
  Specify as many servers as you would like this whitelist command to be run on. However, if the usernames or passwords are different across the servers, then the command will fail to authenticate.
.PARAMETER InterfaceAlias
  Specify the network interface to extract the IP address from. This is useful when you know the interfance is always the same, but the IP address is subject to change.
.PARAMETER LocalIP
  Specify the IP address to add to the whitelist on the Security Onion server if you know it. Otherwise, leave this blank and the script will determine it based on the InterfaceAlias parameter.
.PARAMETER DeviceType
  Specify the type of device that is being whitelisted. If none is specified, then an analyst machine is assumed.

  The details below come directly from the output of so-allow from Security Onion.

  [a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
  [b] - Logstash Beat - port 5044/tcp
  [c] - apt-cacher-ng client - port 3142/tcp
  [f] - Logstash Forwarder - Standard - port 6050/tcp
  [j] - Logstash Forwarder - JSON - port 6051/tcp
  [l] - syslog device - port 514
  [o] - ossec agent - port 1514/udp
  [s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp
.PARAMETER Username
  Specify the username to authenticate with the Security Onion master server. This script assumes that user can run sudo.
.EXAMPLE
  ./So-Allow.ps1
.EXAMPLE
  ./So-Allow.ps1 -InterfaceAlias 'Ethernet 1' -DeviceType 'o'
.NOTES
  Author: David Frazer - david.frazer336@gmail.com
  Date: 9/28/2018
#>

Param(
    $Servers = @('so'),
    $InterfaceAlias = 'Ethernet 1',
    $LocalIP = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue | Select -Expand IPAddress),
    [ValidateSet('a','b','c','f','j','l','o','s')]
    $DeviceType,
    $Username = 'admin'
    )

function ExtractValidIPAddress {
  Param($String)
  $IPregex = '(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
  if ($String -match $IPregex) { $Matches.Address }
}

function Get-PW {
  Param($PW)
  $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($PW)
  $decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
  [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
  return $Decrypted
}

If(!$LocalIP) {
  $LocalIP = Read-Host "Could not determine the local IP automatically. Which IP do you want to allow?"
  While(! (ExtractValidIPAddress $LocalIP) ) {
    $LocalIP = Read-Host "That's not a valid IP address. Which IP do you want to allow?"
  } 
}

If(!$DeviceType) {
  $DeviceType = 'a'
}

$Command = "sudo so-allow <<< $'$DeviceType\n$LocalIP'"

$Password = Read-Host "Enter password for user ($Username)" -AsSecureString

$SSHDecrypted = Get-PW $Password

Foreach($Server in $Servers) {
  Write-Host "`nSending `'$Command`' to $($Server):" -ForegroundColor Green
  & .\Plink.exe -pw $SSHDecrypted $Username@$Server $Command
}