Web application
Installation
Configuration
Configuration is in /opt/intrudect-web/config.json.
- HOMEURL is used by agents to send alerts and request configuration changes.
- LISTEN specifies the IP address and port where the web application listens; forward your reverse proxy traffic to this location. Since the web application itself does not support TLS, you must set up a reverse proxy, like Nginx or Caddy, in front of it in a production environment.
- DB is the MariaDB connection URI for the database connection.
- MISP is for receiving IOC data (domains and destination IP addresses) from MISP. The MISP server is queried once per hour for the specified TAGS.
- WAZUH is the export file in JSON format for the Wazuh agent.
{
  "HOMEURL": "https://example.com",
  "LISTEN": "127.0.0.1:8080",
  "TIMEZONE": "Europe/Tallinn",
  "DB": "mysql://intrudect:PASSWORD@tcp(localhost)/intrudect",
  "MISP": {
    "APIKEY": "...",
    "URL": "https://misp.example.com",
    "TAGS": ["Cobalt Strike", "C2", "gophish", "evilginx"]
  },
  "WAZUH": {
    "LOGFILE": "/var/log/intrudect-wazuh.json"
  }
}
Start service
Logfile
The web server writes additional information to /var/logs/intrudect-web.log.
Initial user
Before launching the web application, an initial user and password must be created using the command-line utility.
Add agents
Point your browser to your Web application hostname and log in. Navigate to "Agents".
Agent configuration
Refer to the specific agent configuration in the menu. An example (not default) configuration is provided when adding a new agent.
If there is an error in the JSON, the configuration cannot be saved and the line containing the error is shown.
After the agent is added you can use "Download Config" to download the agent configuration file. This file now contains the agent's login credentials for the web application. Save the config file on the server running this particular agent.
Agent config files are located at /opt/intrudect-<agentname>/etc/config.json.
Adding external communication platforms
The Web application can be integrated with external communication platforms such as Slack, Mattermost, and MS Teams. This allows users to receive real-time notifications based on their defined rules.
Wazuh integration
- Install the Wazuh agent on the server.
- Append to /var/ossec/etc/ossec.conf
- Restart the Wazuh agent.
- On the Wazuh server, create a rule group and rules in /var/ossec/etc/rules/local_rules.xml:
One rule to catch all:
  <group name="intrudect">
    <rule id="100010" level="12">
      <decoded_as>json</decoded_as>
      <field name="type">useragent</field>
      <description>$(description)</description>
    </rule>
  </group>
Or multiple rules with custom levels. Possible TYPE values: adm_protocol, arp, dhcp, dns, dns_a, dns_aaaa, dns_ptr, dns_txt, honeypot, portscan, smb, tor, useragent
  <group name="intrudect">
    <rule id="100010" level="12">
      <decoded_as>json</decoded_as>
      <field name="type">TYPE1</field>
      <description>$(description)</description>
    </rule>
    <rule id="100011" level="12">
      <decoded_as>json</decoded_as>
      <field name="type">TYPE2</field>
      <description>$(description)</description>
    </rule>
    / ... /
  </group>
- Restart Wazuh.
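As an added example (not code from intrudect or Wazuh), the Python below generates the per-type rule group from a type-to-level table, replays constructed export lines against it, and shows why each field pattern should be anchored: Wazuh's default field matching is a regular-expression search, so an unanchored dns pattern also fires on dns_a, dns_aaaa, dns_ptr and dns_txt. The level values, the sample lines and the export line format are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# "type" values the intrudect Wazuh export can carry (listed on the page).
TYPES = ["adm_protocol", "arp", "dhcp", "dns", "dns_a", "dns_aaaa", "dns_ptr",
         "dns_txt", "honeypot", "portscan", "smb", "tor", "useragent"]
# Per-type alert levels: hypothetical choices for this example, not page defaults.
LEVELS = {"honeypot": 14, "useragent": 12, "portscan": 10, "dns": 8}

def field_matches(pattern, value):
    # Assumption: a <field> pattern is an unanchored regex search, as Wazuh's
    # default OS_Regex matching treats it, so "dns" also hits "dns_a".
    return re.search(pattern, value) is not None

def types_hit_by(pattern, types=TYPES):
    # Export types a <field name="type"> pattern would fire on.
    return [t for t in types if field_matches(pattern, t)]

def build_rules(levels=LEVELS, first_id=100010):
    # Emit the <group name="intrudect"> block with one rule per type, anchored
    # with ^...$ so each rule fires only on its exact type; ids follow the
    # page's 100010, 100011, ... scheme, highest level first.
    group = ET.Element("group", name="intrudect")
    ordered = sorted(levels.items(), key=lambda kv: -kv[1])
    for offset, (typ, level) in enumerate(ordered):
        rule = ET.SubElement(group, "rule", id=str(first_id + offset), level=str(level))
        ET.SubElement(rule, "decoded_as").text = "json"
        ET.SubElement(rule, "field", name="type").text = f"^{typ}$"
        ET.SubElement(rule, "description").text = "$(description)"
    return ET.tostring(group, encoding="unicode")

def evaluate_export(lines, rules_xml):
    # Replay JSON export lines against a rule group and return, per event,
    # (type, matching rule ids); an empty list marks a type no rule covers.
    rules = [(r.get("id"), r.find("field").text)
             for r in ET.fromstring(rules_xml).iter("rule")]
    results = []
    for line in lines:
        typ = str(json.loads(line).get("type", ""))
        results.append((typ, [rid for rid, pat in rules if field_matches(pat, typ)]))
    return results

# Constructed sample lines in the shape of /var/log/intrudect-wazuh.json; only
# the "type" and "description" fields the rules reference are assumed.
SAMPLE_LINES = [
    '{"type": "honeypot", "description": "connection to honeypot listener"}',
    '{"type": "dns_a", "description": "A lookup of a MISP-tagged domain"}',
    '{"type": "dns", "description": "query to a MISP-tagged domain"}',
]
```

Running evaluate_export(SAMPLE_LINES, build_rules()) shows the dns_a event matching no rule, which is the gap to close (add a rule or widen the pattern deliberately) before relying on the group in production.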