Skip to content

Web application

Package name: intrudect-web

The web application collects alerts from agents and provides search and export capabilities for the gathered data. It integrates with multiple chat applications to deliver notifications, imports IOC data from MISP, and exports network alerts for Wazuh. Additionally, devices can be configured under Settings > Devices to simplify the analysis of network alerts, while networks and their policies can be set up under Settings > Network policies to detect suspicious traffic between networks.

Most importantly, the centralized control panel provides up-to-date statistics and graphs on alerts, system file logs, new devices, and top source or destination IPs by packets, connections, or bytes.

GeoIP setup

  • Create free account in https://www.maxmind.com/
  • Add your AccountID and License key into /etc/GeoIP.conf
  • Add Editions to /etc/GeoIP.conf:
    EditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN
    
  • Execute geoipupdate
    sudo geoipupdate -v
    
  • Add it to crontab as well
    ( crontab -l ; echo "30 05  *  *  * geoipupdate" ) | crontab -
    

Database setup

  • MariaDB server should be already installed as a depency.

  • Create database and user

    sudo mysql
    
    MariaDB> create database intrudect;
    MariaDB> grant all privileges on intrudect.* TO 'intrudect'@'localhost' identified by 'PASSWORD';
    MariaDB> flush privileges;
    

  • Allocate as much memory as possible to database.
    In /etc/mysql/mariadb.conf.d/50-server.cnf

    [mysqld]
    max_allowed_packet=200M
    innodb_buffer_pool_size = XXG
    

  • Load timezone tables into MariaDB

    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql
    
    Verify that output is > 0
    mysql -e 'SELECT COUNT(*) FROM mysql.time_zone;'
    +----------+
    | COUNT(*) |
    +----------+
    |      498 |
    +----------+
    

Configuration

Configuration file is in /opt/intrudect-web/config.json.

  • HOMEURL is used by agents to send alerts and request configuration changes.
  • LISTEN parameter specifies the IP address and port where the web application listens, and you should forward your reverse proxy traffic to this location. Since the web application itself does not have support for TLS, you must set up a reverse proxy, like Nginx or Caddy, in front of it in a production environment.

  • DB refers for MariaDB connection URI (refer to setup guide).

  • MISP is used to receive IOC data (such as domains and destination IP addresses) from a MISP server, which is queried once per hour for specified TAGS.
  • WAZUH configuration sets the export file in JSON format for Wazuh agent. Leave LOGFILE empty to disable export.
{
  "HOMEURL": "https://example.com",
  "LISTEN": "127.0.0.1:8080",
  "TIMEZONE": "Europe/Tallinn",
  "DB": {                         
    "MYSQL" : "mysql://intrudect:PASSWORD@tcp(localhost)/intrudect", 
    "TCPLOGMAXDAYS" : 90,              
    "DNSLOGMAXDAYS" : 90,     
    "DHCPLOGMAXDAYS" : 90        
  },
  "MISP": {
      "APIKEY" : "...",
      "URL" : "https://misp.example.com",
      "TAGS" : ["Cobalt Strike", "C2", "gophish", "evilginx"]
  },
  "WAZUH" : {
      "LOGFILE" : "/var/log/intrudect-wazuh.json"
  }
}

Start service

systemctl restart intrudect-web

Logfile

Web server writes additional info to /var/logs/intrudect-web.log

Inital user

Before launching the web application, an initial user and password must be created using the command-line utility.

cd /opt/intrudect-web
./intrudect-cli -cmd add -username <username> -password <passowrd>

Add agents

Point your browser to the web application hostname and log in. Navigate to "Agents" and select the specific agent configuration from the menu.

After adding an agent, you can use "Download Config" to download its configuration file. This file now includes the agent’s login credentials for the web application. Save the configuration file on the server where this particular agent is running.

download config

Configuration files are located at /opt/intrudect-<agentname>/etc/config.json

Adding external communication platforms

The Web application can be integrated with external communication platforms such as Slack, Mattermost, and MS Teams. This allows users to receive real-time notifications based on their defined rules.

integrations

Wazuh integration

  • Install Wazuh agent into the server.
  • Append to /var/ossec/etc/ossec.conf

    <!-- intrudect -->                                                                                       
    <ossec_config>                                                                                           
      <localfile>                                                                                            
        <log_format>json</log_format>                                                                        
        <location>/var/log/intrudect-wazuh.json</location>                                                   
      </localfile>                                                                                           
    </ossec_config> 
    

  • Restart Wazuh agent

    systemctl restart wazuh-agent
    

  • On the Wazuh server, create a rule group and rules in the file: /var/ossec/etc/rules/local_rules.xml
    For example, one rule to catch all events:

    <group name="intrudect">
      <rule id="100010" level="12">
        <decoded_as>json</decoded_as>
        <field name="type">useragent</field>
        <description>$(description)</description>
      </rule>
    </group>
    
    Or multiple rules with custom levels:
    Possible TYPE values: honeypot,egress,dhcp,ioc,tor,arp,dns_txt,dns_ptr,dns_a,dns_aaaa,dns_dga,dns,ldap,portscan,smb,useragent,adm_protocol,newdevice,n2n,pwd_brute
    <group name="intrudect">
      <rule id="100010" level="12">
        <decoded_as>json</decoded_as>
        <field name="type">TYPE1</field>
        <description>$(description)</description>
      </rule>
      <rule id="100011" level="12">
        <decoded_as>json</decoded_as>
        <field name="type">TYPE2</field>
        <description>$(description)</description>
      </rule>
      / ... /
    </group>
    

  • Restart Wazuh

    systemctl restart wazuh-manager