@maravedi
Created September 28, 2018 13:20
PowerShell Script for Security Onion to Automate so-allow from an Analyst Workstation
<#
.SYNOPSIS
A PowerShell script to automate whitelisting a device on the master Security Onion server.
.DESCRIPTION
If your analyst workstation is constantly changing IPs, it might be a little annoying to SSH into the master Security Onion server every time to interactively whitelist your new IP. Here's a way to cut a couple of steps out of that process using PowerShell and Plink.exe. Make sure to modify the parameters according to your environment and your analyst workstation's network interface.
.PARAMETER Servers
Specify as many servers as you would like this whitelist command to be run on. A single username and password is used for all of them, so if the credentials differ across servers, authentication will fail on the ones that do not match.
.PARAMETER InterfaceAlias
Specify the network interface to extract the IP address from. This is useful when you know the interface is always the same, but the IP address is subject to change.
.PARAMETER LocalIP
Specify the IP address to add to the whitelist on the Security Onion server if you know it. Otherwise, leave this blank and the script will determine it based on the InterfaceAlias parameter.
.PARAMETER DeviceType
Specify the type of device that is being whitelisted. If none is specified, an analyst machine is assumed.
The details below come directly from the output of so-allow on Security Onion:
[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[b] - Logstash Beat - port 5044/tcp
[c] - apt-cacher-ng client - port 3142/tcp
[f] - Logstash Forwarder - Standard - port 6050/tcp
[j] - Logstash Forwarder - JSON - port 6051/tcp
[l] - syslog device - port 514
[o] - ossec agent - port 1514/udp
[s] - Security Onion sensor - ports 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp
.PARAMETER Username
Specify the username to authenticate with on the Security Onion master server. This script assumes that user can run sudo.
.EXAMPLE
./So-Allow.ps1
.EXAMPLE
./So-Allow.ps1 -InterfaceAlias 'Ethernet 1' -DeviceType 'o'
.NOTES
Author: David Frazer - david.frazer336@gmail.com
Date: 9/28/2018
#>
Param(
    $Servers = @('so'),
    $InterfaceAlias = 'Ethernet 1',
    # Resolved from the interface above unless an address is passed in explicitly.
    # -First 1 keeps this a single address if the interface happens to carry several.
    $LocalIP = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty IPAddress),
    [ValidateSet('a','b','c','f','j','l','o','s')]
    $DeviceType,
    $Username = 'admin'
)

# Returns the first dotted-quad IPv4 address found in $String, or nothing if there is none.
function ExtractValidIPAddress {
    Param($String)
    $IPregex = '(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
    if ($String -match $IPregex) { $Matches.Address }
}

# Converts the SecureString read from the console back to plain text for Plink's -pw switch,
# zeroing and freeing the unmanaged copy afterwards.
function Get-PW {
    Param($PW)
    $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($PW)
    $Decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
    return $Decrypted
}

If (!$LocalIP) {
    $LocalIP = Read-Host "Could not determine the local IP automatically. Which IP do you want to allow?"
    While (!(ExtractValidIPAddress $LocalIP)) {
        $LocalIP = Read-Host "That's not a valid IP address. Which IP do you want to allow?"
    }
}

If (!$DeviceType) {
    $DeviceType = 'a'
}

# so-allow reads the device type and then the address from stdin. PowerShell leaves the $' alone
# and passes the \n through literally; bash's $'...' quoting turns it into a newline on the server.
# Because Plink allocates no terminal for a one-shot command, sudo must not need to prompt here.
$Command = "sudo so-allow <<< $'$DeviceType\n$LocalIP'"

$Password = Read-Host "Enter password for user ($Username)" -AsSecureString
$SSHDecrypted = Get-PW $Password

Foreach ($Server in $Servers) {
    Write-Host "`nSending `'$Command`' to $($Server):" -ForegroundColor Green
    # -pw places the password on Plink's command line, where process listings and
    # command-line auditing can see it; key-based authentication (-i) avoids that.
    & .\Plink.exe -pw $SSHDecrypted $Username@$Server $Command
}
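Added example, not part of the gist: the same so-allow automation with Plink driven the way an analyst workstation should drive it, using a key instead of -pw, a pinned host-key fingerprint, -batch so nothing silently prompts, stricter IP validation, and an exit-code check. The key path and the fingerprint are placeholders; it assumes the key is loaded in Pageant or has no passphrase, that Plink accepts the fingerprint format you supply, and that the remote account can run sudo so-allow without a password prompt since no terminal is allocated.

```powershell
param(
    [string[]]$Servers = @('so'),
    [string]$Username = 'admin',
    [string]$InterfaceAlias = 'Ethernet 1',
    [string]$KeyFile = "$env:USERPROFILE\.ssh\so-analyst.ppk",    # hypothetical path
    [string]$HostKey = 'SHA256:REPLACE_WITH_SERVER_FINGERPRINT', # placeholder
    [ValidateSet('a','b','c','f','j','l','o','s')]
    [string]$DeviceType = 'a',
    [string]$LocalIP
)

function Test-IPv4Address {
    param([string]$Candidate)
    # [ipaddress]::TryParse accepts shorthand such as "10.1", so require four dotted octets first.
    if ($Candidate -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { return $false }
    $parsed = $null
    return ([System.Net.IPAddress]::TryParse($Candidate, [ref]$parsed) -and
            $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork)
}

if (-not $LocalIP) {
    $LocalIP = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty IPAddress
}
if (-not (Test-IPv4Address $LocalIP)) {
    throw "Refusing to run so-allow with an invalid IPv4 address: '$LocalIP'"
}

# so-allow reads the device type and the address from stdin; bash's $'...' turns \n into a newline.
$Command = "sudo so-allow <<< `$'$DeviceType\n$LocalIP'"

foreach ($Server in $Servers) {
    Write-Host "Allowing $LocalIP (type $DeviceType) on ${Server}..." -ForegroundColor Green
    # -batch: abort instead of prompting (no unattended "accept this host key?");
    # -hostkey: only talk to a server presenting the pinned key;
    # -i: authenticate with a key, so no password appears on the command line.
    & .\Plink.exe -ssh -batch -hostkey $HostKey -i $KeyFile -l $Username $Server $Command
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "so-allow on $Server exited with code $LASTEXITCODE"
    }
}
```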