use packetbeat to capture which processes are opening TLS connections
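# Fail fast: references to undefined variables/properties are errors, every
# cmdlet error terminates the script, and progress bars are suppressed.
Set-StrictMode -Version Latest
$ProgressPreference = 'SilentlyContinue'
$ErrorActionPreference = 'Stop'
# Report the failing error, its script stack trace and the full exception text,
# then re-throw so the script still terminates with the original error.
# NB Write-Host joins an array argument into ONE space-separated line, so the
#    per-line "ERROR:" prefixes are only visible if each line is written with
#    its own Write-Host call (hence the ForEach-Object below).
trap {
    $errorRecord = $_
    Write-Host
    Write-Host "ERROR: $errorRecord"
    $errorRecord.ScriptStackTrace -split '\r?\n' | ForEach-Object { Write-Host "ERROR: $_" }
    $errorRecord.Exception.ToString() -split '\r?\n' | ForEach-Object { Write-Host "ERROR EXCEPTION: $_" }
    Write-Host
    throw
}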
Add-Type -AssemblyName System.IO.Compression.FileSystem
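# Download the zip at $url into %TEMP%, verify it against $expectedHash using
# $expectedHashAlgorithm (any algorithm name Get-FileHash accepts; default
# SHA256) and extract it into $destinationPath.
# The downloaded archive is removed from %TEMP% whether or not verification
# succeeds, so an unverified (possibly tampered) file is never left behind.
# Throws when $expectedHash is empty, when the digest does not match, or when
# the download/extraction fails (WebClient and ZipFile both throw on error).
# NB -ne is case-insensitive for strings, so upper- and lower-case hex digests
#    are both accepted.
# NB ZipFile.ExtractToDirectory is expected to reject entries that would escape
#    $destinationPath ("zip slip") on recent .NET versions — TODO confirm for
#    the runtime in use.
function Install-ZippedApplication($destinationPath, $name, $url, $expectedHash, $expectedHashAlgorithm='SHA256') {
    # fail closed: never install something that cannot be verified.
    if (-not $expectedHash) {
        throw "refusing to install $name from $url without an expected $expectedHashAlgorithm hash"
    }
    $localZipPath = "$env:TEMP\$name.zip"
    (New-Object System.Net.WebClient).DownloadFile($url, $localZipPath)
    try {
        $actualHash = (Get-FileHash $localZipPath -Algorithm $expectedHashAlgorithm).Hash
        if ($actualHash -ne $expectedHash) {
            throw "$name downloaded from $url has $expectedHashAlgorithm hash $actualHash that does not match the expected $expectedHash (the downloaded file was deleted)"
        }
        [IO.Compression.ZipFile]::ExtractToDirectory($localZipPath, $destinationPath)
    } finally {
        # SilentlyContinue so a cleanup failure never masks the real error.
        Remove-Item $localZipPath -ErrorAction SilentlyContinue
    }
}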
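#
# only allow TLS 1.2 for the downloads below.
# NB the value is assigned outright instead of OR-ed into the current one:
#    OR-ing keeps whatever weaker protocols were already enabled (older .NET
#    Framework versions typically default to Ssl3/Tls 1.0), and TLS 1.1 is not
#    needed by either download host.
# NB Tls13 is deliberately not listed: the enum member does not exist on older
#    .NET Framework versions and referencing it would make this line fail.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12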
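#
# download npcap.
# NB you must install it manually.
# NB unlike packetbeat below there is no pinned hash for this download, so at
#    least require a valid Authenticode signature before keeping the installer.
#    A 'Valid' status only proves the file was signed by a certificate this
#    machine trusts, not who signed it; for a stronger check pin the expected
#    SHA256 (as done for packetbeat) or also compare
#    $npcapSignature.SignerCertificate.Subject with the expected publisher.
$npcapUrl = 'https://nmap.org/npcap/dist/npcap-0.9986.exe'
$npcapSetupPath = "$PWD\$(Split-Path -Leaf $npcapUrl)"
(New-Object System.Net.WebClient).DownloadFile($npcapUrl, $npcapSetupPath)
$npcapSignature = Get-AuthenticodeSignature $npcapSetupPath
if ($npcapSignature.Status -ne 'Valid') {
    # do not leave an unverified installer in the working directory.
    Remove-Item $npcapSetupPath
    throw "npcap downloaded from $npcapUrl has an invalid Authenticode signature (status $($npcapSignature.Status)); the file was deleted"
}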
#
# install packetbeat.
# NB you must install npcap from https://nmap.org/npcap/ first.
# The zip is pinned by its SHA512 digest; Install-ZippedApplication refuses to
# extract it when the digest differs. The archive is expected to contain one
# versioned top-level directory (packetbeat-<version>-...), which is renamed
# to plain "packetbeat" and moved into the current directory.
$packetbeatUrl = 'https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.5.1-windows-x86_64.zip'
$packetbeatHash = '2fea65c6175b4f0f1e075b3d8f66eab7a1ed9c7dc9a61b6d51bab0165e47a7051bf36a792320366593b0c7407e1001caa688080fe185d54a1f5098b660e43764'
$packetbeatTmpPath = "$PWD\packetbeat-tmp"
Install-ZippedApplication $packetbeatTmpPath packetbeat $packetbeatUrl $packetbeatHash SHA512
$extractedPath = Resolve-Path packetbeat-tmp\packetbeat-*
Rename-Item $extractedPath packetbeat
Move-Item packetbeat-tmp\packetbeat .
Remove-Item packetbeat-tmp
# run with a configuration that writes the captured flows to files named
# "flows" in the packetbeat directory (console output is disabled below).
# NB capturing packets and resolving socket owners (packetbeat.procs) normally
#    requires an elevated shell — TODO confirm for your npcap install options.
Set-Location packetbeat
# list the capture interfaces; the index of the wanted one is what
# packetbeat.interfaces.device below refers to.
& .\packetbeat.exe devices
$packetbeatConfigPath = 'packetbeat.yml'
Set-Content -Path $packetbeatConfigPath -Encoding ascii -Value @'
# Available log levels are: error, warning, info (default), debug
logging.level: info
packetbeat.flows:
  timeout: 1m
  period: 10s
# also add the process name that created the socket.
# see https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-processes.html
packetbeat.procs.enabled: true
# set the index to one of the interface returned by .\packetbeat.exe devices
packetbeat.interfaces.device: 0
# see https://www.elastic.co/guide/en/beats/packetbeat/master/configuration-interfaces.html#_bpf_filter
packetbeat.interfaces.bpf_filter: 'port 443'
# see https://www.elastic.co/guide/en/beats/packetbeat/master/configuration-tls.html
# NB even thou we are configuring all of the documented protocols, the default bfp_filter is
# not good because non-443 ports still being captured... so we force bpf_filter to only
# capture port 443.
packetbeat.protocols:
- type: tls
  enabled: true
  send_certificates: false
  ports: [443]
- type: http
  enabled: false
- type: amqp
  enabled: false
- type: memcache
  enabled: false
- type: mysql
  enabled: false
- type: pgsql
  enabled: false
- type: redis
  enabled: false
- type: thrift
  enabled: false
- type: mongodb
  enabled: false
- type: nfs
  enabled: false
output.file:
  enabled: true
  path: .
  filename: flows
  rotate_every_kb: 10000
  number_of_files: 100
output.console:
  enabled: false
  pretty: true
'@
& .\packetbeat.exe -c $packetbeatConfigPath
# you can show a summary with:
# (requires jq on PATH; "flows" is the output.file filename configured above.
#  The three forms below print the same fields — owning executable, source
#  ip:port and destination ip:port — as JSON objects, as plain text lines and
#  as CSV rows respectively.)
jq '{exe:.process.executable,source_ip:.source.ip,source_port:.source.port,destination_ip:.destination.ip,destination_port:.destination.port}' flows
# one text line per record: "<exe> <source ip>:<port> <destination ip>:<port>"
jq -r '"\(.process.executable) \(.source.ip):\(.source.port) \(.destination.ip):\(.destination.port)"' flows
# the same fields as a CSV row per record
jq -r '[.process.executable, .source.ip, .source.port, .destination.ip, .destination.port] | @csv' flows