weslambert/NCSA_Simple_Scan_Install_On_Security_Onion

## NCSA_Simple_Scan_Install_On_Security_Onion
#!/bin/bash
# Script to download and shim https://github.com/ncsa/bro-simple-scan for use with Zeek on Security Onion
# Last Modified 2/21/2020 by @therealwlambert

SS_PATH="/opt/zeek/share/zeek/policy/simple-scan"
SS_SCRIPT="simple-scan.zeek"
BRO_DN_PATH="/opt/zeek/share/zeek/policy/bro-is-darknet"
BRO_DN_SCRIPT="bro-is-darknet.zeek"

echo "Adding directory structure..."
mkdir -p $SS_PATH
echo "@load ./$SS_SCRIPT" > $SS_PATH/__load__.zeek

# bro-is-darknet  is a dependency for simple-scan
mkdir -p $BRO_DN_PATH
echo "@load ./$BRO_DN_SCRIPT" > $BRO_DN_PATH/__load__.zeek

# Get scripts
echo "Getting scripts..."
wget -O $SS_PATH/$SS_SCRIPT https://raw.githubusercontent.com/ncsa/bro-simple-scan/master/scripts/scan.bro
wget -O $BRO_DN_PATH/$BRO_DN_SCRIPT https://raw.githubusercontent.com/ncsa/bro-is-darknet/master/scripts/main.bro

# Modify simple-scan script to reference policy directory instead of packages
sed -i 's/@load packages\/bro-is-darknet/@load policy\/bro-is-darknet/' $SS_PATH/$SS_SCRIPT

# Modify Darknet script to use zeek_init
sed -i 's/bro_init/zeek_init/' $BRO_DN_PATH/$BRO_DN_SCRIPT

# Add module refs to local.zeek
echo "@load bro-is-darknet" >> /opt/zeek/share/zeek/site/local.zeek
echo "@load simple-scan" >> /opt/zeek/share/zeek/site/local.zeek

salt "*" state.highstate

echo "Make sure to copy local.zeek to all applicable forward nodes with the following command:"
echo
echo "sudo salt-cp \"*nodes*\" /opt/zeek/share/zeek/site/local.zeek /opt/zeek/share/zeek/site/local.zeek"
echo

echo "Check for script errors with:"
echo
echo "sudo salt \"*nodes*\" cmd.run \"zeekctl check\" "
echo
echo
echo "Then restart Zeek on all applicable nodes:"
echo
echo "sudo salt \"*nodes*\" cmd.run \"so-zeek-restart\""
	#!/bin/bash
	# Script to download and shim https://github.com/ncsa/bro-simple-scan for use with Zeek on Security Onion
	# Last Modified 2/21/2020 by @therealwlambert

	SS_PATH="/opt/zeek/share/zeek/policy/simple-scan"
	SS_SCRIPT="simple-scan.zeek"
	BRO_DN_PATH="/opt/zeek/share/zeek/policy/bro-is-darknet"
	BRO_DN_SCRIPT="bro-is-darknet.zeek"

	echo "Adding directory structure..."
	mkdir -p $SS_PATH
	echo "@load ./$SS_SCRIPT" > $SS_PATH/__load__.zeek

	# bro-is-darknet is a dependency for simple-scan
	mkdir -p $BRO_DN_PATH
	echo "@load ./$BRO_DN_SCRIPT" > $BRO_DN_PATH/__load__.zeek

	# Get scripts
	echo "Getting scripts..."
	wget -O $SS_PATH/$SS_SCRIPT https://raw.githubusercontent.com/ncsa/bro-simple-scan/master/scripts/scan.bro
	wget -O $BRO_DN_PATH/$BRO_DN_SCRIPT https://raw.githubusercontent.com/ncsa/bro-is-darknet/master/scripts/main.bro

	# Modify simple-scan script to reference policy directory instead of packages
	sed -i 's/@load packages\/bro-is-darknet/@load policy\/bro-is-darknet/' $SS_PATH/$SS_SCRIPT

	# Modify Darknet script to use zeek_init
	sed -i 's/bro_init/zeek_init/' $BRO_DN_PATH/$BRO_DN_SCRIPT

	# Add module refs to local.zeek
	echo "@load bro-is-darknet" >> /opt/zeek/share/zeek/site/local.zeek
	echo "@load simple-scan" >> /opt/zeek/share/zeek/site/local.zeek

	salt "*" state.highstate

	echo "Make sure to copy local.zeek to all applicable forward nodes with the following command:"
	echo
	echo "sudo salt-cp \"nodes\" /opt/zeek/share/zeek/site/local.zeek /opt/zeek/share/zeek/site/local.zeek"
	echo

	echo "Check for script errors with:"
	echo
	echo "sudo salt \"nodes\" cmd.run \"zeekctl check\" "
	echo
	echo
	echo "Then restart Zeek on all applicable nodes:"
	echo
	echo "sudo salt \"nodes\" cmd.run \"so-zeek-restart\""