Integrating GRR


id1010...@gmail.com

Dec 23, 2017, 10:17:37 PM
to security-onion
I haven't worked with Docker outside of what little experience I have with Security Onion, but I recently noticed that GRR has started releasing Docker images as of 5 months ago: https://hub.docker.com/r/grrdocker/grr/

How viable would it be to just integrate that image into the current Security Onion Beta, since it's also running largely on Docker?

Wes

Dec 24, 2017, 12:14:43 PM
to security-onion
On Saturday, December 23, 2017 at 10:17:37 PM UTC-5, id1010...@gmail.com wrote:
> I haven't worked with Docker outside of what little experience I have with Security Onion, but I recently noticed that GRR has started releasing Docker images as of 5 months ago: https://hub.docker.com/r/grrdocker/grr/
>
> How viable would it be to just integrate that image into the current Security Onion Beta, since it's also running largely on Docker?

I've actually done this before. It's not too difficult; however, there are some modifications to be made in regard to the web administration (web server settings), how the Docker container is managed, etc.

If you wanted to try it alongside Security Onion real quick (NOT in Production, but in a test lab), you could try the following:

sudo docker run -d \
--name grr-server \
-e EXTERNAL_HOSTNAME="localhost" \
-e ADMIN_PASSWORD="demo" \
--ulimit nofile=1048576:1048576 \
-p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 \
grrdocker/grr:latest grr

Keep in mind, if you wanted this to be permanent, you would need to start the container as a service, make your own management scripts, or make modifications to the Security Onion startup/container start scripts (which may be overwritten at some point).

You should then be able to access the GRR web admin interface via localhost:8000.

If you wish to access it externally, you would need to add something like the following rule for iptables:

GRR Admin interface:

sudo iptables -I DOCKER-USER ! -i docker0 -o docker0 -s your_ip_address -p tcp --dport 8000 -j ACCEPT


GRR Client/Agent communication:

sudo iptables -I DOCKER-USER ! -i docker0 -o docker0 -s your_ip_address -p tcp --dport 8080 -j ACCEPT

Also, if you wanted those iptables rules to be permanent, they would need to be added to /etc/ufw/after.rules, so that they are loaded after ufw is loaded each time the machine boots up.

I'm working on a script to make said/similar configuration changes for you for a quicker/more seamless integration, which I should have completed soon.

I've also been working on some Elastalert rules and scripts to automatically query/interrogate GRR and run flows based on particular alerts, which I hope to complete soon as well.

Thanks,
Wes

Jay Hawk

Dec 24, 2017, 5:18:46 PM
to securit...@googlegroups.com
This is awesome, thanks for the reply. I look forward to seeing more of your work on integrating GRR. Guess I'm gonna have to start diving into Docker.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/GrzL6VwC80k/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Brant Hale

Dec 25, 2017, 11:13:00 AM
to securit...@googlegroups.com
I was a little concerned at first with the Docker element, but now it really shows a lot of potential for adding extras without breaking the base OS. I am seeing commercial software use this for applications and plugins as well. Innovation has some learning curve, but it looks like this will give us more options with lower risk.





Wes Lambert

Jan 13, 2018, 12:06:05 PM
to securit...@googlegroups.com
Jay,

To circle back on this, here's a link to an integration procedure (*not officially supported*, of course) for GRR:


It's certainly not the best, but it seems to work to some degree.

If you get time, please try it and let me know if it worked for you, and what could be improved.

Thanks,
Wes

Jay Hawk

Jan 13, 2018, 12:37:03 PM
to securit...@googlegroups.com
Awesome, I look forward to trying it out.

Thanks!

id1010...@gmail.com

Jan 14, 2018, 12:37:50 AM
to security-onion
After a quick install (getting the server up was fast, <5 min) it seemed to work without issue. But for some reason I've had issues getting the clients to run the GRR client and connect to the GRR server.

So far I've tried to run the client and server on Security Onion (just to test it out); here the GRR client .deb fails to install.

I've also tried from a separate Windows host I'd previously had working on a different setup, but it fails to connect to the GRR server.

When trying to run a GRR client and GRR server on the SO machine for testing I received this:

----
sudo dpkg -i grr_3.2.1.1_i386.deb
(Reading database ... 157274 files and directories currently installed.)
Preparing to unpack grr_3.2.1.1_i386.deb ...
Unpacking grr (3211-1) over (3211-1) ...
Setting up grr (3211-1) ...
/var/lib/dpkg/info/grr.postinst: 13: /var/lib/dpkg/info/grr.postinst: /usr/lib/grr/grr_3.2.1.1_i386/grrd: not found
dpkg: error processing package grr (--install):
subprocess installed post-installation script returned error exit status 127
Processing triggers for ureadahead (0.100.0-16) ...
Errors were encountered while processing:
grr
----
What's odd there is that grrd is definitely in the /usr/lib/grr/grr_.../ directory, so the error doesn't make any sense to me.

Next up, while trying to get the Windows client set up, I didn't have any issues accessing the GRR server over HTTPS (in order to pull down the binary) after modifying my hosts file to access the domain I specified.

However, the sensor never connected to the GRR server, and from reading the debugging information it keeps trying to connect to the box over HTTP, giving this error:
"Could not connect to GRR Servers ['http://IP:8080/'], directly or through these proxies:['']"

I'll try to troubleshoot some more tomorrow.


-Jay

Wes Lambert

Jan 14, 2018, 9:42:59 AM
to securit...@googlegroups.com
Thanks for the feedback, Jay.  I will take a look at it.  To confirm, have you opened the port on the Security Onion machine, so that the client can get to the box on port 8080?

Also, in the meantime, would you be so kind as to open an issue for the repo below, so we can continue the discussion there?


Thanks,
Wes



Jay Hawk

Jan 14, 2018, 10:02:30 AM
to securit...@googlegroups.com
Disabling UFW was one of my first steps to troubleshoot the issue. It didn't resolve the issue.

I'll submit a report and try to work the issue in a few hours.


Wes Lambert

Jan 14, 2018, 10:15:57 AM
to securit...@googlegroups.com
I think I know what the issue is for the client connection error (the way port 8080 is exposed).  See if this works for you:

1. Re-enable ufw

2. Stop and remove "so-grr" container.
sudo docker stop so-grr && sudo docker rm so-grr

3. Restart so-grr container, providing your external ip for EXTERNAL_HOSTNAME value:
sudo docker run -d --name so-grr --restart unless-stopped \
  -e EXTERNAL_HOSTNAME="YOUR_EXTERNAL_IP" \
  --ulimit nofile=1048576:1048576 \
  -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 \
  -v $HOME/grr/etc:/usr/share/grr-server/install_data/etc \
  -v $HOME/grr/datastore:/usr/share/grr-server/lib/python2.7/site-packages/grr/var/grr-datastore \
  grrdocker/grr:latest grr

4. Add an iptables rule for the remote host
sudo iptables -I DOCKER-USER ! -i docker0 -o docker0 -s REMOTE_HOST_IP -p tcp --dport 8080 -j ACCEPT

Thanks,
Wes

Wes Lambert

Jan 14, 2018, 10:16:49 AM
to securit...@googlegroups.com
To clarify, "remote host" here should be the host on which the client is installed.

Thanks,
Wes

Wes Lambert

Jan 14, 2018, 10:24:10 AM
to securit...@googlegroups.com
Forgot to mention, you may want to restart the GRR client service after doing all of the above.
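The two procedures in this thread (Wes's Dec 24 docker run plus DOCKER-USER rules, and the Jan 14 steps 1-4 that replace the loopback EXTERNAL_HOSTNAME with the server's real address) share the same two failure points: a server started with a hostname its clients cannot reach, and a firewall rule that opens 8000/8080 to more than the intended hosts. The helper below is an added example written for this page; it is not code from the thread, from Security Onion, or from the securityonion-grr repository. It only prints the commands so they can be reviewed before they are run, and it assumes the container name "so-grr", the image and ports used above, and that the client installers the server builds take their server URL from EXTERNAL_HOSTNAME (consistent with the fix in step 3, where a loopback value yields clients that try http://localhost:8080/ on themselves). The addresses in the demo are constructed lab values.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread, Security Onion,
# or the securityonion-grr repository. Prints the docker/iptables commands
# discussed above instead of executing them. Assumptions: container name
# "so-grr", image grrdocker/grr:latest, port 8000 = admin UI, 8080 = agents,
# and that the built GRR clients use EXTERNAL_HOSTNAME as their server URL.

# is_ipv4 ADDR: succeeds if ADDR is four dotted decimal octets, each 0-255.
is_ipv4() {
  case $1 in ''|*.|.*) return 1 ;; esac
  set -f; old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs; set +f
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_external_host HOST: rejects empty and loopback values for EXTERNAL_HOSTNAME,
# which is exactly what produced the "Could not connect ... :8080" client error.
is_external_host() {
  case $1 in
    ''|localhost|localhost.localdomain|127.*|0.0.0.0|::1) return 1 ;;
  esac
  return 0
}

# grr_run_cmd HOST ADMIN_PASSWORD DATADIR: prints the server start command,
# persisting config and datastore under DATADIR as in step 3 above.
grr_run_cmd() {
  host=$1 pw=$2 datadir=$3
  is_external_host "$host" || {
    echo "EXTERNAL_HOSTNAME must be an address clients can reach, not '$host'" >&2
    return 1
  }
  if [ "$pw" = demo ] || [ ${#pw} -lt 12 ]; then
    echo "refusing the default or a short admin password" >&2
    return 1
  fi
  case $datadir in /*) ;; *) echo "DATADIR must be an absolute path" >&2; return 1 ;; esac
  printf 'docker run -d --name so-grr --restart unless-stopped -e EXTERNAL_HOSTNAME="%s" -e ADMIN_PASSWORD="%s" --ulimit nofile=1048576:1048576 -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 -v %s/etc:/usr/share/grr-server/install_data/etc -v %s/datastore:/usr/share/grr-server/lib/python2.7/site-packages/grr/var/grr-datastore grrdocker/grr:latest grr\n' \
    "$host" "$pw" "$datadir" "$datadir"
}

# docker_user_rule SRC PORT: prints one DOCKER-USER rule. SRC must be a single
# IPv4 host or a CIDR no wider than /8, never a catch-all, so that neither the
# admin UI nor the agent port is opened to every address.
docker_user_rule() {
  src=$1 port=$2
  case $port in 8000|8080) ;; *) echo "port must be 8000 or 8080" >&2; return 1 ;; esac
  case $src in
    */*)
      base=${src%/*} prefix=${src#*/}
      case $prefix in ''|*[!0-9]*) return 1 ;; esac
      { [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ]; } || return 1
      ;;
    *) base=$src ;;
  esac
  case $base in 0.0.0.0) return 1 ;; esac
  is_ipv4 "$base" || { echo "source must be an IPv4 host or CIDR, not '$src'" >&2; return 1; }
  printf 'iptables -I DOCKER-USER ! -i docker0 -o docker0 -s %s -p tcp --dport %s -j ACCEPT\n' "$src" "$port"
}

# Demo with constructed lab addresses: server at 10.0.0.5, one agent host at
# 10.0.0.23, and an analyst network 10.0.1.0/24 that may reach the admin UI.
if [ "${1:-}" = --demo ]; then
  grr_run_cmd 10.0.0.5 'Lab-Only-Passw0rd!' /srv/grr
  docker_user_rule 10.0.0.23 8080
  docker_user_rule 10.0.1.0/24 8000
fi
```

Run it with `--demo` to see the three command lines, then paste the ones you want with `sudo` in front. Passing ADMIN_PASSWORD on the command line leaves it visible in `ps` output and shell history on the Security Onion box; for anything beyond a lab, put the `-e` values in a root-only file and hand it to `docker run --env-file` instead.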

id1010...@gmail.com

Jan 14, 2018, 2:19:32 PM
to security-onion
For reference, two issues have been created in GitHub.
https://github.com/weslambert/securityonion-grr/issues/1
https://github.com/weslambert/securityonion-grr/issues/2

Working to apply your recommendations now.


-Jay

Wes Lambert

Jan 14, 2018, 2:20:15 PM
to securit...@googlegroups.com
Thanks, Jay!


id1010...@gmail.com

Jan 14, 2018, 5:06:55 PM
to security-onion
No, thank you!
Both issues have now been resolved. I'll keep exploring the demo setup and see if I find any other issues.

Please let me know if you make any changes, or add any other awesome features and need someone to test them out, I'll try to help however I can.

Thanks again,
-Jay


On Sunday, January 14, 2018 at 2:20:15 PM UTC-5, Wes wrote:
> Thanks, Jay!
>
>
> On Jan 14, 2018 2:19 PM, <id1010...@gmail.com> wrote:
> For reference, two issues have been created in GitHub.
> https://github.com/weslambert/securityonion-grr/issues/1
> https://github.com/weslambert/securityonion-grr/issues/2
>
> Working to apply your recommendations now.
>
> -Jay