Created
September 28, 2018 13:20
PowerShell Script for Security Onion to Automate so-allow from an Analyst Workstation
<#
.SYNOPSIS
    A PowerShell script to automate whitelisting a device on the master Security Onion server.
.DESCRIPTION
    If your analyst workstation is constantly changing IPs, it might be a little annoying to SSH into the master Security Onion server every time to interactively whitelist your new IP. Here's a way to cut off a couple of the steps to achieve just that, using PowerShell and Plink.exe. Make sure to modify the parameters according to your environment and analyst workstation's network interface.
.PARAMETER Servers
    Specify as many servers as you would like this whitelist command to be run on. However, if the usernames or passwords are different across the servers, then the command will fail to authenticate.
.PARAMETER InterfaceAlias
    Specify the network interface to extract the IP address from. This is useful when you know the interface is always the same, but the IP address is subject to change.
.PARAMETER LocalIP
    Specify the IP address to add to the whitelist on the Security Onion server if you know it. Otherwise, leave this blank and the script will determine it based on the InterfaceAlias parameter.
.PARAMETER DeviceType
    Specify the type of device that is being whitelisted. If none is specified, then an analyst machine is assumed.
    The details below come directly from the output of so-allow from Security Onion.
    [a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp
    [b] - Logstash Beat - port 5044/tcp
    [c] - apt-cacher-ng client - port 3142/tcp
    [f] - Logstash Forwarder - Standard - port 6050/tcp
    [j] - Logstash Forwarder - JSON - port 6051/tcp
    [l] - syslog device - port 514
    [o] - ossec agent - port 1514/udp
    [s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp
.PARAMETER Username
    Specify the username to authenticate with the Security Onion master server. This script assumes that user can run sudo.
.EXAMPLE
    ./So-Allow.ps1
.EXAMPLE
    ./So-Allow.ps1 -InterfaceAlias 'Ethernet 1' -DeviceType 'o'
.NOTES
    Author: David Frazer - david.frazer336@gmail.com
    Date: 9/28/2018
#>
Param(
    $Servers = @('so'),
    $InterfaceAlias = 'Ethernet 1',
    # An interface can carry more than one IPv4 address (e.g. an APIPA address next to the
    # DHCP lease); take only the first so a single address is sent to so-allow.
    $LocalIP = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue | Select-Object -First 1 -ExpandProperty IPAddress),
    [ValidateSet('a','b','c','f','j','l','o','s')]
    $DeviceType,
    $Username = 'admin'
)

# Returns the first dotted-quad IPv4 address found in $String, or nothing if there is none.
function ExtractValidIPAddress {
    Param($String)
    $IPregex = '(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
    if ($String -match $IPregex) { $Matches.Address }
}

# Converts the SecureString read from the console back to plain text for Plink,
# zeroing the unmanaged copy as soon as the managed string has been built.
function Get-PW {
    Param($PW)
    $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($PW)
    $Decrypted = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
    return $Decrypted
}

# Prompt for an address if none was detected, then keep asking until the value contains a
# valid IPv4 address. The check applies to every source (parameter, auto-detection, prompt),
# because the address is interpolated into a remote shell command below.
If (!$LocalIP) {
    $LocalIP = Read-Host "Could not determine the local IP automatically. Which IP do you want to allow?"
}
While (!(ExtractValidIPAddress $LocalIP)) {
    $LocalIP = Read-Host "That's not a valid IP address. Which IP do you want to allow?"
}
$LocalIP = ExtractValidIPAddress $LocalIP

If (!$DeviceType) {
    $DeviceType = 'a'
}

# so-allow asks two questions (device type, then address); answer both through a bash
# ANSI-C here-string, which the default shell on Security Onion understands.
$Command = "sudo so-allow <<< $'$DeviceType\n$LocalIP'"

$Password = Read-Host "Enter password for user ($Username)" -AsSecureString
$SSHDecrypted = Get-PW $Password

Foreach ($Server in $Servers) {
    Write-Host "`nSending `'$Command`' to $($Server):" -ForegroundColor Green
    # Note: -pw places the password on Plink's command line, where any local process
    # listing can read it; key-based authentication (-i) avoids that exposure.
    & .\Plink.exe -pw $SSHDecrypted $Username@$Server $Command
}
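The following is an added example, not part of the gist above, showing the same so-allow automation with the two weaknesses of the `-pw` approach removed: the password no longer appears on the Plink command line (visible to any local process listing), and the session refuses a server whose host key is not the one you recorded. It assumes plink.exe is on PATH, a PuTTY private key at C:\Keys\so-analyst.ppk, a placeholder host-key fingerprint, and (as the gist does) a user who can run sudo without a prompt; the function name Invoke-SoAllow is made up for this example.

```powershell
<#
  Added example (not the gist author's code): so-allow over Plink with key-based
  authentication and a pinned host key instead of a password on the command line.
  Placeholders: the .ppk path and the SHA256 fingerprint must be replaced with
  the ones from your own environment.
#>
function Invoke-SoAllow {
    Param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$KeyFile,    # PuTTY .ppk private key (assumed path)
        [Parameter(Mandatory)][string]$HostKey,    # fingerprint recorded from the server
        [ValidateSet('a','b','c','f','j','l','o','s')][string]$DeviceType = 'a',
        [Parameter(Mandatory)][string]$IPAddress
    )

    # Strict IPv4 check before the value is interpolated into a remote shell command.
    # TryParse alone accepts forms such as "1" or "1.2.3", so also require four octets.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$parsed) -or
        $parsed.AddressFamily -ne 'InterNetwork' -or
        $IPAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Refusing to send '$IPAddress': not a valid IPv4 address"
    }

    # Answer so-allow's two prompts (device type, then address) via printf, which works
    # in any POSIX shell rather than relying on bash's $'...' here-string.
    $remote = "printf '%s\n%s\n' '$DeviceType' '$IPAddress' | sudo so-allow"

    Write-Host "Allowing $IPAddress as type '$DeviceType' on $Server" -ForegroundColor Green
    # -batch   : never prompt; an unknown host key makes Plink fail instead of asking
    # -hostkey : connect only if the server presents this exact key
    # -i       : authenticate with the key file, so no password is passed as an argument
    & plink.exe -ssh -batch -hostkey $HostKey -i $KeyFile "$Username@$Server" $remote
    if ($LASTEXITCODE -ne 0) {
        throw "plink exited with code $LASTEXITCODE for $Server"
    }
}

# Usage (placeholder fingerprint; replace with the one recorded from the master server):
# Invoke-SoAllow -Server 'so' -Username 'admin' -KeyFile 'C:\Keys\so-analyst.ppk' `
#     -HostKey 'SHA256:REPLACE_WITH_RECORDED_FINGERPRINT' -DeviceType 'a' -IPAddress '10.0.0.25'
```

Record the fingerprint once over a connection you trust (Plink prints it on first contact) and keep it in the script or a config file; from then on a changed key on the server side fails the run loudly rather than being accepted interactively. The sudo step still needs the NOPASSWD arrangement the gist already relies on, because neither version allocates a terminal for sudo to prompt on.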