Web application
Package name: intrudect-web
The web application collects alerts from agents and provides search and export capabilities for the gathered data. It integrates with multiple chat applications to deliver notifications, imports IOC data from MISP, and exports network alerts for Wazuh. Additionally, devices can be configured under Settings > Devices to simplify the analysis of network alerts, while networks and their policies can be set up under Settings > Network policies to detect suspicious traffic between networks.
Most importantly, the centralized control panel provides up-to-date statistics and graphs on alerts, system file logs, new devices, and top source or destination IPs by packets, connections, or bytes.
GeoIP setup
- Create a free account at https://www.maxmind.com/
- Add your AccountID and License key into /etc/GeoIP.conf
- Add Editions to /etc/GeoIP.conf
- Execute geoipupdate
- Add it to crontab as well
Database setup
- MariaDB server should already be installed as a dependency.
- Create database and user.
- Allocate as much memory as possible to the database in /etc/mysql/mariadb.conf.d/50-server.cnf.
- Load timezone tables into MariaDB. Verify that the output is > 0.
Configuration
Configuration file is in /opt/intrudect-web/config.json.
- HOMEURL is used by agents to send alerts and request configuration changes.
- LISTEN specifies the IP address and port where the web application listens; forward your reverse proxy traffic to this location. Since the web application itself does not support TLS, you must set up a reverse proxy, like Nginx or Caddy, in front of it in a production environment.
- DB refers to the MariaDB connection URI (refer to the setup guide).
- MISP is used to receive IOC data (such as domains and destination IP addresses) from a MISP server, which is queried once per hour for the specified TAGS.
- WAZUH sets the export file in JSON format for the Wazuh agent. Leave LOGFILE empty to disable export.
{
  "HOMEURL": "https://example.com",
  "LISTEN": "127.0.0.1:8080",
  "TIMEZONE": "Europe/Tallinn",
  "DB": {
    "MYSQL": "mysql://intrudect:PASSWORD@tcp(localhost)/intrudect",
    "TCPLOGMAXDAYS": 90,
    "DNSLOGMAXDAYS": 90,
    "DHCPLOGMAXDAYS": 90
  },
  "MISP": {
    "APIKEY": "...",
    "URL": "https://misp.example.com",
    "TAGS": ["Cobalt Strike", "C2", "gophish", "evilginx"]
  },
  "WAZUH": {
    "LOGFILE": "/var/log/intrudect-wazuh.json"
  }
}
Start service
Logfile
Web server writes additional info to /var/logs/intrudect-web.log
Initial user
Before launching the web application, an initial user and password must be created using the command-line utility.
Add agents
Point your browser to the web application hostname and log in. Navigate to "Agents" and select the specific agent configuration from the menu.
After adding an agent, you can use "Download Config" to download its configuration file. This file now includes the agent’s login credentials for the web application. Save the configuration file on the server where this particular agent is running.
Configuration files are located at /opt/intrudect-<agentname>/etc/config.json
Adding external communication platforms
The Web application can be integrated with external communication platforms such as Slack, Mattermost, and MS Teams. This allows users to receive real-time notifications based on their defined rules.
Wazuh integration
- Install Wazuh agent on the server.
- Append to /var/ossec/etc/ossec.conf
- Restart Wazuh agent.
- On the Wazuh server, create a rule group and rules in the file /var/ossec/etc/rules/local_rules.xml. For example, a single rule that catches all events of one type (useragent here):

  <group name="intrudect">
    <rule id="100010" level="12">
      <decoded_as>json</decoded_as>
      <field name="type">useragent</field>
      <description>$(description)</description>
    </rule>
  </group>

  Or multiple rules with custom levels (possible TYPE values: honeypot, egress, dhcp, ioc, tor, arp, dns_txt, dns_ptr, dns_a, dns_aaaa, dns_dga, dns, ldap, portscan, smb, useragent, adm_protocol, newdevice, n2n, pwd_brute):

  <group name="intrudect">
    <rule id="100010" level="12">
      <decoded_as>json</decoded_as>
      <field name="type">TYPE1</field>
      <description>$(description)</description>
    </rule>
    <rule id="100011" level="12">
      <decoded_as>json</decoded_as>
      <field name="type">TYPE2</field>
      <description>$(description)</description>
    </rule>
    <!-- ... -->
  </group>

- Restart Wazuh
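As an added example (not part of the intrudect documentation or code), the script below generates a local_rules.xml group with one rule per alert type listed above and then checks which rules a line of the Wazuh export file would trigger. Wazuh evaluates <field> as an unanchored regular expression, so a rule for dns also matches dns_txt unless the pattern is anchored; the script shows both forms. The level assigned to each type, the sample event line and the assumption that the export carries only type and description fields are all choices of this example.

```python
import json
import re
import xml.etree.ElementTree as ET

# Alert TYPE values from the page; the level chosen for each one is an
# assumption of this example, not a recommendation from the project.
TYPE_LEVELS = {
    "honeypot": 12, "egress": 10, "dhcp": 5, "ioc": 12, "tor": 8, "arp": 7,
    "dns_txt": 6, "dns_ptr": 4, "dns_a": 4, "dns_aaaa": 4, "dns_dga": 10,
    "dns": 4, "ldap": 6, "portscan": 8, "smb": 6, "useragent": 7,
    "adm_protocol": 8, "newdevice": 5, "n2n": 9, "pwd_brute": 11,
}
BASE_RULE_ID = 100010  # first rule ID, as in the page's examples

def build_rules(type_levels=TYPE_LEVELS, base_id=BASE_RULE_ID, anchor=True):
    """Return local_rules.xml content: one rule per intrudect alert type."""
    group = ET.Element("group", name="intrudect")
    for offset, (alert_type, level) in enumerate(sorted(type_levels.items())):
        rule = ET.SubElement(group, "rule", id=str(base_id + offset), level=str(level))
        ET.SubElement(rule, "decoded_as").text = "json"
        # <field> is an unanchored regex in Wazuh, so "dns" would also hit
        # "dns_txt"; anchoring makes each rule match exactly one type.
        pattern = f"^{alert_type}$" if anchor else alert_type
        ET.SubElement(rule, "field", name="type").text = pattern
        ET.SubElement(rule, "description").text = "$(description)"
    ET.indent(group)
    return ET.tostring(group, encoding="unicode")

def matching_rules(rules_xml, event_line):
    """IDs of rules whose type pattern matches one JSON line of the export file.

    Python's re stands in for Wazuh's osregex here; for these simple
    patterns the outcome is the same."""
    event = json.loads(event_line)
    hits = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        pattern = rule.find("field[@name='type']").text
        if re.search(pattern, str(event.get("type", ""))):
            hits.append(int(rule.get("id")))
    return hits

# Constructed sample line in the shape the rules expect (a "type" and a
# "description" field); the real export file may carry more fields.
SAMPLE_EVENT = '{"type": "dns_txt", "description": "TXT query to rare domain"}'

if __name__ == "__main__":
    print(build_rules())
    print("anchored:  ", matching_rules(build_rules(), SAMPLE_EVENT))
    print("unanchored:", matching_rules(build_rules(anchor=False), SAMPLE_EVENT))
```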