v1d1an / s1em

This project is a SIEM with SIRP and Threat Intel, all in one.

License: MIT License

Shell 94.10% PHP 5.23% Zeek 0.68%
kibana elasticsearch logstash filebeat suricata zeek opencti misp malware sigma

s1em's People

Contributors

admin1475963, kidrek, mcdave2k1, stevend33, v1d1an


s1em's Issues

stoq starting fail

Description

Environment

  1. OS (where S1EM server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. S1EM version: { e.g. S1EM 1.0.2 }
  3. Other environment details:

Reproducible Steps

5c45131fe946 v1d1an/stoq:3.0.5 "stoq run -a yara ha…" 9 minutes ago Restarting (1) 58 seconds ago stoq

docker logs stoq

stoq.exceptions.StoqPluginException: Mwdb API Key was not provided
{"asctime": "2022-04-24 09:51:14,292", "levelname": "DEBUG", "name": "stoq", "message": "Writing logs to /home/stoq/.stoq/logs/stoq.log"}
Traceback (most recent call last):
  File "/usr/local/bin/stoq", line 33, in <module>
    sys.exit(load_entry_point('stoq-framework==3.0.1', 'console_scripts', 'stoq')())
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/cli.py", line 294, in main
    plugin_dir_list=args.plugin_dir,
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/core.py", line 470, in __init__
    d: self.load_plugin(d) for d in dest_archivers if d  # type: ignore
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/core.py", line 470, in <dictcomp>
    d: self.load_plugin(d) for d in dest_archivers if d  # type: ignore
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/plugin_manager.py", line 177, in load_plugin
    plugin = plugin_class(plugin_config)
  File "/home/stoq/.stoq/plugins/mwdb/mwdb.py", line 45, in __init__
    raise StoqPluginException("Mwdb API Key was not provided")
stoq.exceptions.StoqPluginException: Mwdb API Key was not provided
{"asctime": "2022-04-24 09:52:15,042", "levelname": "DEBUG", "name": "stoq", "message": "Writing logs to /home/stoq/.stoq/logs/stoq.log"}
Traceback (most recent call last):
  File "/usr/local/bin/stoq", line 33, in <module>
    sys.exit(load_entry_point('stoq-framework==3.0.1', 'console_scripts', 'stoq')())
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/cli.py", line 294, in main
    plugin_dir_list=args.plugin_dir,
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/core.py", line 470, in __init__
    d: self.load_plugin(d) for d in dest_archivers if d  # type: ignore
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/core.py", line 470, in <dictcomp>
    d: self.load_plugin(d) for d in dest_archivers if d  # type: ignore
  File "/usr/local/lib/python3.7/site-packages/stoq_framework-3.0.1-py3.7.egg/stoq/plugin_manager.py", line 177, in load_plugin
    plugin = plugin_class(plugin_config)
  File "/home/stoq/.stoq/plugins/mwdb/mwdb.py", line 45, in __init__
    raise StoqPluginException("Mwdb API Key was not provided")
stoq.exceptions.StoqPluginException: Mwdb API Key was not provided

docker logs mwdb-web

2022/04/24 09:50:57 [error] 10#10: *75 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.19, server: mwdb-web, request: "POST /api/auth/login HTTP/1.1", upstream: "http://172.18.0.24:8080/api/auth/login", host: "mwdb-web"
172.18.0.19 - - [24/Apr/2022:09:50:57 +0000] "POST /api/auth/login HTTP/1.1" 502 157 "-" "mwdblib/4.1.0 python-requests/2.27.1" "-"
2022/04/24 09:51:07 [error] 10#10: *75 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.19, server: mwdb-web, request: "POST /api/auth/login HTTP/1.1", upstream: "http://172.18.0.24:8080/api/auth/login", host: "mwdb-web"
172.18.0.19 - - [24/Apr/2022:09:51:07 +0000] "POST /api/auth/login HTTP/1.1" 502 157 "-" "mwdblib/4.1.0 python-requests/2.27.1" "-"
172.18.0.19 - - [24/Apr/2022:09:51:17 +0000] "POST /api/auth/login HTTP/1.1" 502 157 "-" "mwdblib/4.1.0 python-requests/2.27.1" "-"
2022/04/24 09:51:17 [error] 10#10: *75 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.19, server: mwdb-web, request: "POST /api/auth/login HTTP/1.1", upstream: "http://172.18.0.24:8080/api/auth/login", host: "mwdb-web"
2022/04/24 09:51:17 [error] 10#10: *82 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.19, server: mwdb-web, request: "POST /api/auth/login HTTP/1.1", upstream: "http://172.18.0.24:8080/api/auth/login", host: "mwdb-web"
172.18.0.19 - - [24/Apr/2022:09:51:17 +0000] "POST /api/auth/login HTTP/1.1" 502 157 "-" "mwdblib/4.1.0 python-requests/2.27.1" "-"
172.18.0.19 - - [24/Apr/2022:09:51:27 +0000] "POST /api/auth/login HTTP/1.1" 502 157 "-" "mwdblib/4.1.0 python-requests/2.27.1" "-"
2022/04/24 09:51:27 [error] 10#10: *82 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.19, server: mwdb-web, request: "POST /api/auth/login HTTP/1.1", upstream: "http://172.18.0.24:8080/api/auth/login", host: "mwdb-web"
2022/04/24 09:51:37 [error] 10#10: *82 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.19, server: mwdb-web, request: "POST /api/auth/login HTTP/1.1", upstream: "http://172.18.0.24:8080/api/auth/login", host: "mwdb-web"
172.18.0.19 - - [24/Apr/2022:09:51:37 +0000] "POST /api/auth/login HTTP/1.1" 502 157 "-" "mwdblib/4.1.0 python-requests/2.27.1" "-"

docker logs mwdb

psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"
Waiting for postgres
psql: error: connection to server at "postgres" (172.18.0.12), port 5432 failed: FATAL:  password authentication failed for user "mwdb"

Expected Output

Actual Output

Additional information

Screenshots (optional)

Waiting for Cortex to come online.

{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}
{"type":"NoNodeAvailable","message":"ElasticSearch cluster is unreachable"}

Problem with data in Arkime

Prerequisites

Hello. I tried everything, but after rebooting the machine, every time in Arkime there is no data. The .pcaps are in the container, but after every reboot the machine loses the Arkime data and starts to show only new .pcaps. Can you help me to resolve these issues? Thank you.

  • I read the S1EM WIKI S1EM documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
  • I went through old GitHub issues and couldn't find anything relevant
  • I googled the issue and didn't find anything relevant

Description

Environment

  1. OS (where S1EM server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. S1EM version: { e.g. S1EM 1.0.2 }
  3. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. { e.g. Run ... }
  2. { e.g. Click ... }
  3. { e.g. Error ... }

Additional information

java.security.AccessControlException: access denied

Description

{"log":""Caused by: java.security.AccessControlException: access denied (\"java.io.FilePermission\" \"/usr/share/elasticsearch/config/certificates/certs/ca-cert-NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem\" \"read\")",\n","stream":"stdout","time":"2022-04-14T12:44:17.233448403Z"}
{"log":""at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]",\n","stream":"stdout","time":"2022-04-14T12:44:17.233458803Z"}
{"log":"uncaught exception in thread [main]\n","stream":"stderr","time":"2022-04-14T12:44:17.233211701Z"}
{"log":""at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]",\n","stream":"stdout","time":"2022-04-14T12:44:17.233466003Z"}
{"log":""at java.lang.SecurityManager.checkPermission(SecurityManager.java:416) ~[?:?]",\n","stream":"stdout","time":"2022-04-14T12:44:17.233587004Z"}
{"log":""at java.lang.SecurityManager.checkRead(SecurityManager.java:756) ~[?:?]",\n","stream":"stdout","time":"2022-04-14T12:44:17.233596204Z"}

Wazuh

Is possible to include Wazuh or integrate with ELK?

[error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/cortex_6/_search?

StringEntity({"seq_no_primary_term":"true","query":{"ids":{"values":["init"]}},"size":1},Some(application/json))
=> ElasticError(security_exception,unable to authenticate user [elastic] for REST request [/cortex_6/_search],None,None,None,List(ElasticError(security_exception,unable to aNone,None,None,null,None,None,None,List())),None,None,None,List())
[info] o.t.c.s.ErrorHandler - POST /cortex/api/organization/analyzer/MISP_2_1 returned 500
org.elastic4play.InternalError: Unknown error: ElasticError(security_exception,unable to authenticate user [elastic] for REST request [/cortex_6/_search],None,None,None,List(stic] for REST request [/cortex_6/_search],None,None,None,null,None,None,None,List())),None,None,None,List())
at org.elastic4play.database.DBConfiguration.$anonfun$execute$2(DBConfiguration.scala:158)
at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:56)
at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:93)
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:93)
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:48)

yaml: line 1460: did not find expected key

Description

Enter the monitoring interface (ex:ens32):ens37
Failed to start S1EM-promiscuous.service: Unit is not loaded properly: Invalid argument.
See system logs and 'systemctl status S1EM-promiscuous.service' for details.

##########################################
######### GENERATE CERTIFICATE ###########
##########################################

yaml: line 1460: did not find expected key

##########################################
########## DOCKER DOWNLOADING ############
##########################################

yaml: line 1460: did not find expected key

##########################################
########## STARTING TRAEFIK ##############
##########################################

yaml: line 1460: did not find expected key

##########################################
############# STARTING HOMER #############
##########################################

yaml: line 1460: did not find expected key

##########################################

STARTING ELASTICSEARCH/KIBANA

##########################################

yaml: line 1460: did not find expected key
Error: No such container: es01
Waiting for Elasticsearch to come online.

Environment

Linux localhost.localdomain 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux release 7.9.2009 (Core)

[root@localhost S1EM]# docker version
Client: Docker Engine - Community
Version: 20.10.14
API version: 1.41
Go version: go1.16.15
Git commit: a224086
Built: Thu Mar 24 01:49:57 2022
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.14
API version: 1.41 (minimum version 1.12)
Go version: go1.16.15
Git commit: 87a90dc
Built: Thu Mar 24 01:48:24 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.11
GitCommit: 3df54a852345ae127d1fa3092b95168e4a88e2f8
runc:
Version: 1.0.3
GitCommit: v1.0.3-0-gf46b6ba
docker-init:
Version: 0.19.0
GitCommit: de40ad0

[root@localhost S1EM]# docker-compose version
Docker Compose version v2.4.1

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. { e.g. Run ... }
  2. { e.g. Click ... }
  3. { e.g. Error ... }

Expected Output

Actual Output

Additional information

Screenshots (optional)

Filebeat not starting

Hi, I have an issue with the docker filebeat: it is not starting at all.

This is the error I get when I start the project.

ERROR: for filebeat  Cannot start service filebeat: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/var/lib/docker/volumes/s1em_fleet/_data" to rootfs at "/var/log/osquery" caused: mkdir /var/lib/docker/overlay2/10ec02b905dc0d0f9ebc96c974327186b007c167d170d929bd95d593de2e6786/merged/var/log/osquery: read-only file system: unknown
ERROR: Encountered errors while bringing up the project.

I'm using Ubuntu 18.04.

Thanks

Can't install S1EM

Hello!
Can't install S1EM
Ubuntu Server 20
latest docker & docker-compose

Starting of installation

##########################################
######### GENERATE CERTIFICATE ###########
##########################################

/usr/local/bin/docker-compose: line 1: Not: command not found

##########################################
########## DOCKER DOWNLOADING ############
##########################################

/usr/local/bin/docker-compose: line 1: Not: command not found

##########################################
########## STARTING TRAEFIK ##############
##########################################

/usr/local/bin/docker-compose: line 1: Not: command not found

##########################################
############# STARTING HOMER #############
##########################################

/usr/local/bin/docker-compose: line 1: Not: command not found

##########################################

STARTING ELASTICSEARCH/KIBANA

##########################################

/usr/local/bin/docker-compose: line 1: Not: command not found
Error response from daemon: No such container: es01
Waiting for Elasticsearch to come online.
^C

Add feature SSO

Hello,
Is it possible to add SSO for all services with an AD or an LDAP?
So the SOC man has just to log in to the front URL once.
The best would be that all the internal passwords are in a vault, only known by the vault, and changed every x days.

Thanks

Error on Heimdall when running deploy shell script

Error: near line 4: UNIQUE constraint failed: items.id
Error: near line 5: UNIQUE constraint failed: items.id
Error: near line 6: UNIQUE constraint failed: items.id
Error: near line 7: UNIQUE constraint failed: items.id
Error: near line 8: UNIQUE constraint failed: items.id
Error: near line 9: UNIQUE constraint failed: items.id
Error: near line 10: UNIQUE constraint failed: items.id
Error: near line 11: UNIQUE constraint failed: items.id
Error: near line 12: UNIQUE constraint failed: items.id
Error: near line 13: UNIQUE constraint failed: items.id
Error: near line 14: UNIQUE constraint failed: items.id
Error: near line 15: UNIQUE constraint failed: items.id

MISP waiting to come online.. waiting more than an hour

I'm stuck at the deployment of the misp docker.

##########################################
########## STARTING DATABASES ############
##########################################


Creating db       ... done
Creating postgres ... done


##########################################
############ STARTING MISP ###############
##########################################


db is up-to-date
redis is up-to-date
Creating misp-modules ... done
Creating misp         ... done


##########################################
########### CONFIGURING MISP #############
##########################################


Waiting for MISP to come online.
Waiting for MISP to come online.

If I run "docker logs misp" I'm getting this output:

2022-12-29 15:50:20,173 INFO Set uid to user 0 succeeded
2022-12-29 15:50:20,175 INFO supervisord started with pid 7
2022-12-29 15:50:21,178 INFO spawned: 'cron' with pid 8
2022-12-29 15:50:21,182 INFO spawned: 'nginx' with pid 9
2022-12-29 15:50:21,185 INFO spawned: 'php-fpm_00' with pid 10
2022-12-29 15:50:21,190 INFO spawned: 'workers' with pid 14
/etc/nginx/certs/cert.pem /etc/ssl/certs/cert.pem
/etc/nginx/certs/dhparams.pem /etc/ssl/certs/dhparams.pem
/etc/nginx/certs/key.pem /etc/ssl/certs/key.pem
Setup MySQL...
Configure PHP | Change PHP values ...
2022-12-29 15:50:21,193 INFO success: php-fpm_00 entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
Starting PHP FPM
2022-12-29 15:50:22,207 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-12-29 15:50:22,207 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-12-29 15:50:22,208 INFO success: workers entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up
ERROR 2002 (HY000): Can't connect to MySQL server on 'db' (115)
Waiting for database to come up

Upgrading .env when modif in env.sample

Hello

When I upgrade my S1EM version it does not upgrade my .env; I had an error in my upgrade like

ELASTIC_VERSION variable is not SET

Maybe it should be said before upgrading to merge the actual .env with the env.sample, or do it automatically with the bash script.
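The check the poster asks for, as an added example that is not s1em's own script: compare the variable names defined in a reference env.sample with those in a live .env and print the ones that are missing, so an upgrade can stop before a variable such as ELASTIC_VERSION is left unset. The file paths and the KIBANA_PORT and MISP_HOSTNAME names in the demo files are assumptions; the demo files are constructed and written to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of s1em. Lists KEY names that appear as KEY=value
# in a reference file (env.sample) but not in the live file (.env).

# Pattern that extracts the variable name from lines of the form KEY=value;
# comment lines and blank lines are ignored.
ENV_KEY_PATTERN='s/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'

# missing_env_keys <reference-file> <live-file>
# Prints one missing key per line; prints nothing when the live file is complete.
missing_env_keys() {
  ref_file=$1
  live_file=$2
  live_keys=$(mktemp) || return 1
  sed -n "$ENV_KEY_PATTERN" "$live_file" | sort -u > "$live_keys"
  # comm -23 keeps lines only present in the first (reference) list
  sed -n "$ENV_KEY_PATTERN" "$ref_file" | sort -u | comm -23 - "$live_keys"
  rm -f "$live_keys"
}

# Constructed demo files (assumed contents, not the project's real env.sample).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/env.sample" <<'EOF'
# constructed sample
ELASTIC_VERSION=7.17.2
KIBANA_PORT=5601
MISP_HOSTNAME=misp.local
EOF
cat > "$DEMO_DIR/.env" <<'EOF'
KIBANA_PORT=5601
MISP_HOSTNAME=misp.local
EOF

# Usage: run the check before the upgrade script touches the stack.
missing_env_keys "$DEMO_DIR/env.sample" "$DEMO_DIR/.env"
```

Wiring this into an upgrade script is a matter of aborting when the function prints anything; only variable names are compared, so values that changed between releases still need a manual look.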

Installation error,

Hey guys,

I was getting an issue within the docker-compose.yml in line 387:
ERROR: yaml.scanner.ScannerError: mapping values are not allowed here in "./docker-compose.yml", line 387, column 30

Had to modify it from
command: -C -i af_packet:: local
to
command: -C -i af_packet::local

I'm not sure if this is correct, I have another box where the script is working but on this particular one I'm getting this error later on:

Enter the monitoring interface (ex:ens32):
Job for S1EM-promiscuous.service failed because the control process exited with error code.
See "systemctl status S1EM-promiscuous.service" and "journalctl -xe" for details.


##########################################
######### GENERATE CERTIFICATE ###########
##########################################


ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string


##########################################
########## DOCKER DOWNLOADING ############
##########################################


ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string


##########################################
########## STARTING TRAEFIK ##############
##########################################


ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string


##########################################
############# STARTING HOMER #############
##########################################


ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string


##########################################
##### STARTING ELASTICSEARCH/KIBANA ######
##########################################


ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string
Error: No such container: es01
Waiting for Elasticsearch to come online.

Machine is:
Linux ip-xxxxxxx #23~20.04.1-Ubuntu SMP Mon Nov 15 14:03:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

ERROR

Description

Environment

  1. OS centos 7.9 Linux localhost.localdomain 5.17.4-1.el7.elrepo.x86_64 #1 SMP PREEMPT Tue Apr 19 12:06:15 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
  2. S1EM version: { S1EM latest }
  3. Other environment details:

Reproducible Steps

CORTEX keytool error: java.lang.Exception: Alias does not exist

##########################################
########### STARTING CORTEX ##############
##########################################


[+] Running 2/2
 ⠿ Container es01    Running    0.0s
 ⠿ Container cortex  Started    4.3s

keytool error: java.lang.Exception: Alias <ca> does not exist
Certificate was added to keystore
[+] Running 0/1
[+] Running 0/1rtex  Restarting    6.5s
[+] Running 1/1rtex  Restarting    6.7s
 ⠿ Container cortex  Started    10.8s


##########################################
######### DEPLOY CORTEX USER #############
##########################################

docker logs cortex

PassiveTotal_Components 2.0
	AzureTokenRevoker 1.0
	MetaDefenderCore_GetReport 1.0
	Diario_GetReport 1.0
	MalwareClustering_Search 1.0
	Mnemonic_pDNS_Closed 3.0
	Splunk_Search_File_Filename 3.0
	UnshortenLink 1.2
	Onyphe_Summary 1.0
	AnyRun_Sandbox_Analysis 1.0

[error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/cortex_6/_search?scroll=60000ms
StringEntity({"seq_no_primary_term":"true","query":{"bool":{"must":[{"term":{"relations":{"value":"worker"}}},{"match_all":{}}]}},"from":0,"sort":[{"_doc":{"order":"desc"}}]},Some(application/json))
 => ElasticError(index_not_found_exception,no such index [cortex_6],Some(_na_),Some(cortex_6),None,List(ElasticError(index_not_found_exception,no such index [cortex_6],Some(_na_),Some(cortex_6),None,null,None,None,None,List())),None,None,None,List())
[warn] o.e.d.SearchWithScroll - Search error
org.elastic4play.IndexNotFoundException$: null
	at org.elastic4play.IndexNotFoundException$.<clinit>(Errors.scala)
	at org.elastic4play.database.DBConfiguration.$anonfun$execute$2(DBConfiguration.scala:155)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:56)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:93)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:93)
[info] p.c.s.AkkaHttpServer - Enabling HTTP/2 on Akka HTTP server...
[info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9001
[info] c.s.e.h.JavaClient$ - Creating HTTP client on https://es01:9200
[info] c.s.e.h.JavaClient$ - Creating HTTP client on https://es01:9200
[info] c.s.e.h.JavaClient$ - Creating HTTP client on https://es01:9200
[info] c.s.e.h.JavaClient$ - Creating HTTP client on https://es01:9200
[info] c.s.e.h.JavaClient$ - Creating HTTP client on https://es01:9200
[info] o.e.s.MigrationSrv - Create a new empty database
[info] o.e.s.MigrationSrv - Migrate database from version 0, add operations for version 2
[info] o.e.s.MigrationSrv - Migrate database from version 0, add operations for version 3
[info] o.e.s.MigrationSrv - Migrate database from version 0, add operations for version 4
[info] o.e.s.MigrationSrv - Migrate database from version 0, add operations for version 5
[info] o.e.s.MigrationSrv - Migrate database from version 0, add operations for version 6
[warn] o.e.c.RestClient - request [PUT https://es01:9200/cortex_6?include_type_name=false] returned 1 warnings: [299 Elasticsearch-7.17.2-de7261de50d90919ae53b0eff9413fd7e5307301 "[types removal] Using include_type_name in create index requests is deprecated. The parameter will be removed in the next major version."]
[info] o.e.s.MigrationSrv - Migrating 0 entities from sequence
[info] o.e.s.MigrationSrv - Migrating 0 entities from artifact
[info] o.e.s.MigrationSrv - Migrating 0 entities from audit
[info] o.e.s.MigrationSrv - Migrating 0 entities from data
[info] o.e.s.MigrationSrv - Migrating 0 entities from dblist
migrateEntity(sequence) has finished : Success(())
migrateEntity(audit) has finished : Success(())
migrateEntity(artifact) has finished : Success(())
migrateEntity(data) has finished : Success(())
[info] o.e.s.MigrationSrv - Migrating 0 entities from job
migrateEntity(dblist) has finished : Success(())
[info] o.e.s.MigrationSrv - Migrating 0 entities from organization
[info] o.e.s.MigrationSrv - Migrating 0 entities from report
[info] o.e.s.MigrationSrv - Migrating 0 entities from user
migrateEntity(report) has finished : Success(())
migrateEntity(job) has finished : Success(())
migrateEntity(organization) has finished : Success(())
[info] o.e.s.MigrationSrv - Migrating 0 entities from worker
migrateEntity(user) has finished : Success(())
[info] o.e.s.MigrationSrv - Migrating 0 entities from workerConfig
migrateEntity(worker) has finished : Success(())
migrateEntity(workerConfig) has finished : Success(())
[info] o.e.s.MigrationSrv - End of migration

DEPLOY CORTEX USER ERROR

##########################################
######### DEPLOY CORTEX USER #############
##########################################


Waiting for Cortex to come online.
Waiting for Cortex to come online.
{"_id":"[email protected]","createdAt":1650872396446,"name":"[email protected]","createdBy":"init","roles":["superadmin"],"organization":"cortex","status":"Ok","_type":"user","_parent":null,"_routing":"[email protected]","_seqNo":0,"_primaryTerm":1,"id":"[email protected]","hasKey":true,"hasPassword":false}
{"createdAt":1650872398227,"status":"Active","createdBy":"[email protected]","description":"SOC team","_id":"test","_type":"organization","_parent":null,"_routing":"test","_seqNo":2,"_primaryTerm":1,"id":"test","name":"test"}
{"createdBy":"[email protected]","_id":"[email protected]","createdAt":1650872399245,"name":"[email protected]","organization":"test","roles":["read","analyze","orgadmin"],"status":"Ok","_type":"user","_parent":null,"_routing":"[email protected]","_seqNo":0,"_primaryTerm":1,"id":"[email protected]","hasKey":false,"hasPassword":false}
{"type":"AuthorizationError","message":"Insufficient rights to perform this action"}
{"type":"AuthorizationError","message":"Insufficient rights to perform this action"}
{"type":"AuthorizationError","message":"Insufficient rights to perform this action"}
{"type":"AuthorizationError","message":"Insufficient rights to perform this action"}
{"type":"AuthorizationError","message":"Insufficient rights to perform this action"}

##########################################
######### CONFIGURING THEHIVE ############
##########################################

the hive error

##########################################
######## DEPLOY THEHIVE USER #############
##########################################


Waiting for TheHive to come online.
Waiting for TheHive to come online.
Waiting for TheHive to come online.
Waiting for TheHive to come online.
Waiting for TheHive to come online.
Waiting for TheHive to come online.
{"name":"test","description":"SOC team","_id":"~16400","id":"~16400","createdAt":1650872529470,"createdBy":"[email protected]","_type":"organisation","links":[]}{"type":"NotFoundError","message":"User not found"}

##########################################
######## CONFIGURING ELASTALERT ##########
##########################################

docker logs thehive

[info] o.j.g.d.m.ManagementSystem [|] Index update job successful for [global]
[info] o.t.s.m.Database [|mgmt-460d99bb] Reindex job 705a77f0 is finished
[info] o.t.s.m.Operations [|] *** UPDATE SCHEMA OF thehive-cortex (2): Create database schema
[info] o.t.s.m.Database [|mgmt-6c96e9f2] Creating database schema
[info] o.t.s.m.Operations [|] *** UPDATE SCHEMA OF thehive (99): Create database schema
[info] o.t.s.m.Database [|mgmt-26b82ee7] Creating database schema
[info] a.c.s.ClusterSingletonManager [|] Singleton manager starting singleton actor [akka://application/system/singletonManagerCaseNumberLeader/CaseNumberLeader]
[info] a.c.s.ClusterSingletonManager [|] ClusterSingletonManager state change [Start -> Oldest]
[info] o.q.i.StdSchedulerFactory [|] Using default implementation for ThreadExecutor
[info] o.q.s.SimpleThreadPool [|] Job execution threads will use class loader of thread: main
[info] o.q.c.SchedulerSignalerImpl [|] Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
[info] o.q.c.QuartzScheduler [|] Quartz Scheduler v.2.3.2 created.
[info] o.q.s.RAMJobStore [|] RAMJobStore initialized.
[info] o.q.c.QuartzScheduler [|] Scheduler meta-data: Quartz Scheduler (v2.3.2) 'DefaultQuartzScheduler' with instanceId 'NON_CLUSTERED'
  Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
  NOT STARTED.
  Currently in standby mode.
  Number of jobs executed: 0
  Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
  Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.

[info] o.q.i.StdSchedulerFactory [|] Quartz scheduler 'DefaultQuartzScheduler' initialized from default resource file in Quartz package: 'quartz.properties'
[info] o.q.i.StdSchedulerFactory [|] Quartz scheduler version: 2.3.2
[info] o.q.c.QuartzScheduler [|] Scheduler DefaultQuartzScheduler_$_NON_CLUSTERED started.
[info] a.c.s.ClusterSingletonManager [|] Singleton manager starting singleton actor [akka://application/system/singletonManagerIntegrityCheckActor/IntegrityCheckActor]
[info] a.c.s.ClusterSingletonManager [|] ClusterSingletonManager state change [Start -> Oldest]
[info] a.c.s.ClusterSingletonProxy [|] Singleton identified at [akka://application/system/singletonManagerCaseNumberLeader/CaseNumberLeader]
[info] o.t.t.s.IntegrityCheck [|] Integrity checks is enabled and will start at Sun May 01 02:30:00 UTC 2022
[info] a.c.s.ClusterSingletonProxy [|] Singleton identified at [akka://application/system/singletonManagerIntegrityCheckActor/IntegrityCheckActor]
[info] o.t.t.c.m.s.TheHiveMispClient [|] Add MISP connection MISP
  url:              https://siem.kkguan.com/misp
  proxy:            <not set>
  filters:
    max attributes: <not set>
    max age:        <not set>
    excluded orgs:
    excluded tags:
    whitelist tags:

[info] a.c.s.ClusterSingletonManager [|] Singleton manager starting singleton actor [akka://application/user/misp-actor-singleton/singleton]
[info] a.c.s.ClusterSingletonManager [|] ClusterSingletonManager state change [Start -> Oldest]
[info] o.t.t.c.m.s.MispActor [|] [Actor[akka://application/user/misp-actor-singleton/singleton#-1138602413]] Starting actor MISP
[info] a.c.s.ClusterSingletonProxy [|] Singleton identified at [akka://application/user/misp-actor-singleton/singleton]
[info] a.c.s.ClusterSingletonManager [|] Singleton manager starting singleton actor [akka://application/user/flowSingletonManager/singleton]
[info] a.c.s.ClusterSingletonManager [|] ClusterSingletonManager state change [Start -> Oldest]
[info] play.api.Play [|] Application started (Prod) (no global state)
[info] p.c.s.AkkaHttpServer [|] Listening for HTTP on /0.0.0.0:9000
[info] a.c.s.ClusterSingletonProxy [|] Singleton identified at [akka://application/user/flowSingletonManager/singleton]
[info] o.t.s.c.Entrypoint [00000002|] 172.18.0.2 POST /thehive/api/v0/organisation
[info] o.t.s.AccessLogFilter [00000002|] 172.18.0.2 POST /thehive/api/v0/organisation took 624ms and returned 201 166 bytes
[info] o.t.s.c.Entrypoint [00000003|] 172.18.0.2 POST /thehive/api/v1/user
[error] o.t.s.u.Retry [00000003|3c3bd6ba] uncaught error, not retrying
org.thp.scalligraph.NotFoundError: User not found
	at org.thp.scalligraph.traversal.TraversalOps$TraversalOpsDefs.getOrFail(TraversalOps.scala:145)
	at org.thp.thehive.services.LocalPasswordAuthSrv.$anonfun$setPassword$1(LocalPasswordAuthSrv.scala:113)
	at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$7(JanusDatabase.scala:241)
	at scala.util.Try$.apply(Try.scala:213)
	at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$6(JanusDatabase.scala:241)
	at scala.util.Try$.apply(Try.scala:213)
	at org.thp.scalligraph.utils.DelayRetry.withTry(Retry.scala:93)
	at org.thp.scalligraph.janus.JanusDatabase.tryTransaction(JanusDatabase.scala:238)
	at org.thp.thehive.services.LocalPasswordAuthSrv.setPassword(LocalPasswordAuthSrv.scala:107)
	at org.thp.scalligraph.auth.MultiAuthSrv.$anonfun$setPassword$1(MultiAuthSrv.scala:107)
[error] o.t.s.m.Database [00000003|3c3bd6ba] Exception raised, rollback (User not found)
[warn] o.t.t.s.TOTPAuthSrv [00000003|3c3bd6ba] local fails: org.thp.scalligraph.NotFoundError: User not found
[warn] o.t.s.ErrorHandler [00000003|3c3bd6ba] POST /thehive/api/v1/user returned 404
[info] o.t.s.AccessLogFilter [00000003|] 172.18.0.2 POST /thehive/api/v1/user took 354ms and returned 404 51 bytes
[info] o.t.s.c.Entrypoint [00000004|] 172.18.0.2 POST /thehive/api/v1/user/[email protected]/key/renew
[error] o.t.s.u.Retry [00000004|7ba3f473] uncaught error, not retrying
org.thp.scalligraph.NotFoundError: User not found
	at org.thp.scalligraph.traversal.TraversalOps$TraversalOpsDefs.getOrFail(TraversalOps.scala:145)
	at org.thp.thehive.services.LocalKeyAuthSrv.$anonfun$renewKey$1(LocalKeyAuthSrv.scala:51)
	at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$7(JanusDatabase.scala:241)
	at scala.util.Try$.apply(Try.scala:213)
	at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$6(JanusDatabase.scala:241)
	at scala.util.Try$.apply(Try.scala:213)
	at org.thp.scalligraph.utils.DelayRetry.withTry(Retry.scala:93)
	at org.thp.scalligraph.janus.JanusDatabase.tryTransaction(JanusDatabase.scala:238)
	at org.thp.thehive.services.LocalKeyAuthSrv.renewKey(LocalKeyAuthSrv.scala:43)
	at org.thp.scalligraph.auth.MultiAuthSrv.$anonfun$renewKey$1(MultiAuthSrv.scala:110)
[error] o.t.s.m.Database [00000004|7ba3f473] Exception raised, rollback (User not found)
[warn] o.t.t.s.TOTPAuthSrv [00000004|7ba3f473] key fails: org.thp.scalligraph.NotFoundError: User not found
[warn] o.t.s.ErrorHandler [00000004|7ba3f473] POST /thehive/api/v1/user/[email protected]/key/renew returned 404
[info] o.t.s.AccessLogFilter [00000004|] 172.18.0.2 POST /thehive/api/v1/user/[email protected]/key/renew took 189ms and returned 404 51 bytes
[info] o.t.t.s.IntegrityCheck [|] Integrity check on Organisation ( dedup ): job scheduled, it will start at Mon Apr 25 07:42:39 UTC 2022
[info] o.t.t.s.IntegrityCheck [|] Start of deduplication of Organisation
[info] o.t.t.s.IntegrityCheck [|] End of deduplication of Organisation:
  duplicate: 0
  duration: 55
[info] o.t.t.s.IntegrityCheck [|] Integrity check on User ( dedup ): job scheduled, it will start at Mon Apr 25 07:42:40 UTC 2022
[info] o.t.t.s.IntegrityCheck [|] Start of deduplication of User
[info] o.t.t.s.IntegrityCheck [|] End of deduplication of User:
  duplicate: 0
  duration: 51

SURICATA

##########################################
######## UPDATE SURICATA RULES ###########
##########################################




25/4/2022 -- 07:43:37 - <Info> -- Loading /etc/suricata/update.yaml
25/4/2022 -- 07:43:37 - <Info> -- Using data-directory /var/lib/suricata.
25/4/2022 -- 07:43:37 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
25/4/2022 -- 07:43:37 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
25/4/2022 -- 07:43:37 - <Info> -- Found Suricata version 6.0.5 at /usr/bin/suricata.
25/4/2022 -- 07:43:37 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
25/4/2022 -- 07:43:38 - <Info> -- No change in sources
25/4/2022 -- 07:43:38 - <Info> -- Saved /var/lib/suricata/update/cache/index.yaml
25/4/2022 -- 07:43:39 - <Info> -- Loading /etc/suricata/update.yaml
25/4/2022 -- 07:43:39 - <Info> -- Using data-directory /var/lib/suricata.
25/4/2022 -- 07:43:39 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
25/4/2022 -- 07:43:39 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
25/4/2022 -- 07:43:39 - <Info> -- Found Suricata version 6.0.5 at /usr/bin/suricata.
25/4/2022 -- 07:43:39 - <Info> -- Loading /etc/suricata/suricata.yaml
25/4/2022 -- 07:43:39 - <Info> -- Disabling rules for protocol modbus
25/4/2022 -- 07:43:39 - <Info> -- Disabling rules for protocol dnp3
25/4/2022 -- 07:43:39 - <Info> -- Disabling rules for protocol enip
25/4/2022 -- 07:43:39 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.md5.
25/4/2022 -- 07:43:40 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3269232/3269232
25/4/2022 -- 07:43:43 - <Info> -- Done.
25/4/2022 -- 07:43:43 - <Info> -- Fetching https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
 100% - 9855/9855
25/4/2022 -- 07:43:44 - <Info> -- Done.
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
25/4/2022 -- 07:43:44 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
25/4/2022 -- 07:43:45 - <Info> -- Ignoring file rules/emerging-deleted.rules
25/4/2022 -- 07:43:46 - <Info> -- Loaded 33209 rules.
25/4/2022 -- 07:43:46 - <Info> -- Disabled 14 rules.
25/4/2022 -- 07:43:46 - <Info> -- Enabled 0 rules.
25/4/2022 -- 07:43:46 - <Info> -- Modified 0 rules.
25/4/2022 -- 07:43:46 - <Info> -- Dropped 0 rules.
25/4/2022 -- 07:43:47 - <Info> -- Enabled 131 rules for flowbit dependencies.
25/4/2022 -- 07:43:47 - <Info> -- Backing up current rules.
25/4/2022 -- 07:43:49 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33209; enabled: 25807; added: 54; removed 9; modified: 1257
25/4/2022 -- 07:43:49 - <Info> -- Writing /var/lib/suricata/rules/classification.config
25/4/2022 -- 07:43:49 - <Info> -- Skipping test, disabled by configuration.
25/4/2022 -- 07:43:49 - <Info> -- Running suricatasc -c reload-rules.
Unable to connect to socket /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
25/4/2022 -- 07:43:50 - <Error> -- Reload command exited with error: 1
25/4/2022 -- 07:43:50 - <Info> -- Done.


##########################################
########## UPDATE YARA RULES #############
##########################################

Expected Output

Actual Output

Additional information

Screenshots (optional)

S1EM installation supported linux distros

Hi Vidian, hope all is well. What are the supported linux distros for the installation? I was trying with ubuntu 20.04 but I'm getting errors when I run the setup script. The error says docker command not found.

Problem elastic nodes up

Hey there, how are you?

I was doing some tests with your compose and I had the following problem. I ran the shellscript step by step; however, the elastic nodes do not go up because of this message, even though I configured the environment variables file correctly. Could you help in that case, please?

Thanks!!

{"type": "server", "timestamp": "2022-10-26T06:11:05,075Z", "level": "INFO", "component": "o.e.x.s.a.RealmsAuthenticator", "cluster.name": "s1em", "node.name": "es01", "message": "Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]", "cluster.uuid": "W4fS5cU8Sdyp671yy0hVrg", "node.id": "YRM3VLPLQ4iEmw3wSyDZLA"  }
{"type": "server", "timestamp": "2022-10-26T06:11:07,572Z", "level": "INFO", "component": "o.e.x.s.a.RealmsAuthenticator", "cluster.name": "s1em", "node.name": "es01", "message": "Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]", "cluster.uuid": "W4fS5cU8Sdyp671yy0hVrg", "node.id": "YRM3VLPLQ4iEmw3wSyDZLA"  }

ERROR: The Compose file

##########################################
######### GENERATE CERTIFICATE ###########
##########################################

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string

##########################################
########## DOCKER DOWNLOADING ############
##########################################

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string

##########################################
########## STARTING TRAEFIK ##############
##########################################

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string

##########################################
############# STARTING HOMER #############
##########################################

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string

##########################################

STARTING ELASTICSEARCH/KIBANA

##########################################

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.misp.hostname contains an invalid type, it should be a string
Error: No such container: es01
Waiting for Elasticsearch to come online.

Feature Request

It would be interesting to have a choice for selecting modules in your solution, like deleting modules we don't want to have and setting some modules to be optional, like opencti etc...

Change base ports to avoid conflict.

I'm looking for some guidance as I have a dev server where some of the service ports, i.e. 80/443, are already in use and this is preventing me from starting S1EM. I temporarily disabled apache and I was able to get it to start loading, but long term I need to have it live in parallel.
Any guidance would be appreciated.

Upgrade Arkime to 3.0.0

A new version of arkime is available. It should be interesting to upgrade it, and it supports ES >= 7.10.0.

TheHive user password not working

Hey,

I've been building such a system for a week now; your project is already saving me a lot of work, thanks for that :)

Is there any way to support?

I got a problem with the newly created user in thehive.

Somehow it didn't want to accept the password,
so I split the command into creating the user and setting the password.

curl -sk -L -XPOST "https://127.0.0.1/thehive/api/v1/user" -H 'Content-Type: application/json' -u [email protected]:secret -d "{\"login\": \"$admin_account\",\"name\": \"admin\",\"organisation\": \"$organization\",\"profile\": \"org-admin\",\"email\": \"$admin_account\",\"password\": \"$admin_password\"}"

So I split the command into creating the user and setting the password:

echo "##########################################"
echo "######## DEPLOY THEHIVE USER #############"
echo "##########################################"
echo
echo
while [ "$(docker exec thehive sh -c 'curl -s http://127.0.0.1:9000')" == "" ]; do
  echo "Waiting for TheHive to come online.";
  sleep 15;
done
echo
echo
curl -sk -L -XPOST "https://127.0.0.1/thehive/api/v0/organisation" -H 'Content-Type: application/json' -u [email protected]:secret -d "{\"description\": \"SOC team\",\"name\": \"$organization\"}"
echo
echo
while [ "$(docker logs thehive | grep -i "End of deduplication of Organisation")" == "" ]; do
  echo "Waiting for TheHive organization.";
  sleep 15;
done
echo
echo
curl -sk -L -XPOST "https://127.0.0.1/thehive/api/v1/user" -H 'Content-Type: application/json' -u [email protected]:secret -d "{\"login\":\"$admin_account\",\"name\":\"admin\",\"profile\":\"org-admin\",\"organisation\":\"$organization\"}"
echo

while [ "$(docker logs thehive | grep -i " End of deduplication of User")" == "" ]; do
  echo "Waiting for the creation of user in TheHive .";
  sleep 15;
done
echo
echo
curl -sk -L -XPOST "https://127.0.0.1/thehive/api/v1/user/$admin_account/password/set" -H 'Content-Type: application/json' -u [email protected]:secret -d "{\"password\":\"$admin_password\"}"
thehive_apikey=$(curl -sk -L -XPOST "https://$HOSTNAME/thehive/api/v1/user/$admin_account/key/renew" -u [email protected]:secret)

while [ "$(docker logs thehive | grep -i " End of deduplication of User")" == "" ]; do
  echo "Waiting for the password change of user in TheHive .";
  sleep 15;
done
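The installer output quoted above shows why the split was needed: the API calls print their JSON back to back with no separator, and error objects such as {"type":"NotFoundError","message":"User not found"} or {"type":"AuthorizationError",...} scroll past while the script keeps going. The helper below is an added example, not code from the s1em project or from this thread; it splits such a concatenated response stream, reports every error object, and treats an empty or non-JSON reply as an error too, so a setup script can stop at the failed call instead of continuing to the key renewal. The SAMPLE string is constructed, modelled on the Cortex and TheHive output earlier in this issue.

```python
"""Check TheHive/Cortex API responses for error objects.

Added example (not part of s1em). The installer's curl calls return JSON,
and several calls print objects back to back with no separator. This helper
splits that stream and reports any {"type": "...Error", "message": "..."}
object so a setup script can abort instead of silently continuing.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample, modelled on the concatenated output shown in this issue.
SAMPLE = (
    '{"name":"test","description":"SOC team","_id":"~16400","id":"~16400",'
    '"_type":"organisation","links":[]}'
    '{"type":"NotFoundError","message":"User not found"}'
    '{"type":"AuthorizationError","message":"Insufficient rights to perform this action"}'
)


def split_concatenated_json(text: str) -> List[Dict[str, Any]]:
    """Decode a string holding several JSON objects written back to back.

    Raises ValueError (json.JSONDecodeError) if any part is not valid JSON.
    """
    decoder = json.JSONDecoder()
    objects: List[Dict[str, Any]] = []
    pos, n = 0, len(text)
    while pos < n:
        # Skip whitespace or newlines that may separate objects.
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            break
        obj, end = decoder.raw_decode(text, pos)
        objects.append(obj)
        pos = end
    return objects


def find_api_errors(text: str) -> List[Tuple[str, str]]:
    """Return (type, message) for every error object in the response stream.

    An empty reply (TheHive not up yet) or a non-JSON reply (e.g. an HTML
    error page from the reverse proxy) is reported as "InvalidResponse".
    """
    if not text.strip():
        return [("InvalidResponse", "empty response")]
    try:
        objects = split_concatenated_json(text)
    except ValueError as exc:
        return [("InvalidResponse", f"not JSON: {exc}")]
    errors: List[Tuple[str, str]] = []
    for obj in objects:
        if isinstance(obj, dict) and str(obj.get("type", "")).endswith("Error"):
            errors.append((obj["type"], str(obj.get("message", ""))))
    return errors


def check_response(text: str) -> bool:
    """True when the stream contains no error objects, False otherwise.

    A setup script can pipe each curl result through this and exit on False
    rather than proceeding to the password/set and key/renew calls.
    """
    return not find_api_errors(text)


if __name__ == "__main__":
    for kind, msg in find_api_errors(SAMPLE):
        print(f"{kind}: {msg}")
```

In the install script this would replace a bare `curl ... ; echo` with something like `out=$(curl ...); python3 check_response.py "$out" || exit 1`; the point is that a 404 "User not found" on POST /api/v1/user is visible in the response body even when the shell loop only watches the container logs.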
