Web UI

Package name: intrudect-web

The Web UI collects alerts from agents and provides search and export capabilities for the gathered data. It supports notification delivery via webhooks and e-mail, imports IOC data from MISP, and exports as JSON for Wazuh/Elastic.

Note

Command examples shown on page need to be executed in root shell

Note

If mariadb & rsyslog were installed as dependencies, they need to be enabled and started

systemctl --now enable mariadb
systemctl --now enable rsyslog

MaxMind GeoIP

Install

Ubuntu apt install geoipupdate
RedHat https://github.com/maxmind/geoipupdate/releases

Setup

Create free account in https://www.maxmind.com/
Add your AccountID and License key into /etc/GeoIP.conf
```
AccountID xxxx
LicenseKey xxxx
```

Add Editions to /etc/GeoIP.conf:

EditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN

Execute geoipupdate (NB it will take 1-2 minutes for your maxmind AccountID and LicenseKey values to populate inside their infrastructure)
```
geoipupdate -v
```

Add it to crontab as well

( crontab -l ; echo "30 05  *  *  * geoipupdate" ) | crontab -

Database setup

MariaDB server should be already installed as a depency.

Create database and user

mysql

MariaDB> CREATE DATABASE intrudect CHARACTER SET utf8mb4  COLLATE utf8mb4_unicode_ci;
MariaDB> GRANT ALL PRIVILEGES ON intrudect.* TO 'intrudect'@'localhost' IDENTIFIED BY 'PASSWORD';
MariaDB> FLUSH PRIVILEGES;

Allocate as much memory as possible to database.
In /etc/mysql/mariadb.conf.d/50-server.cnf or /etc/my.cnf.d/mariadb-server.cnf (RedHat)
```
[mysqld]
max_allowed_packet=200M
innodb_buffer_pool_size = XXG
```
Restart MariaDB server after config change
```
systemctl restart mariadb.service
```
Ensure start on boot
```
systemctl enable mariadb.service
```

Load timezone tables into MariaDB

mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql

Verify that output is > 0

mysql -e 'SELECT COUNT(*) FROM mysql.time_zone;'
+----------+
| COUNT(*) |
+----------+
|      498 |
+----------+

Configuration

Configuration file is in /opt/intrudect-web/config.json.

HOMEURL is used by agents to send alerts and request configuration changes.
LISTEN parameter specifies the IP address and port where the web UI listens, and you should forward your reverse proxy traffic to this location. Since the web UI itself does not have support for TLS, you must set up a reverse proxy, like Nginx or Caddy, in front of it in a production environment.
DB refers for MariaDB connection URI (refer to setup guide).
MISP is used to receive IOC data (such as domains and destination IP addresses) from a MISP server, which is queried once per hour for specified TAGS.
WAZUH configuration sets the export file in JSON format for Wazuh agent. Leave LOGFILE empty to disable export.
GEOIP folder of geoip database files (Ubuntu - /var/lib/GeoIP/, RedHat - /usr/share/GeoIP/)

{
  "HOMEURL": "https://example.com",
  "LISTEN": "127.0.0.1:8080",
  "TIMEZONE": "Europe/Tallinn",
  "DB": {
    "MYSQL" : "mysql://intrudect:PASSWORD@tcp(localhost)/intrudect?charset=utf8mb4&collation=utf8mb4_unicode_ci",
    "TCPLOGMAXDAYS" : 90,
    "DNSLOGMAXDAYS" : 90,
    "DHCPLOGMAXDAYS" : 90,
    "HTTPLOGMAXDAYS" : 90
  },
  "GEOIP": "/var/lib/GeoIP/",
  "MISP": {
      "APIKEY" : "",
      "URL" : "https://misp.example.com",
      "TAGS" : ["Cobalt Strike", "C2", "gophish", "evilginx"]
  },
  "WAZUH" : {
      "LOGFILE" : "/var/log/intrudect-wazuh.json"
  }
}

Start & enable service

systemctl restart intrudect-web
systemctl enable intrudect-web

Logfile

Web server writes additional info to /var/log/intrudect-web.log

Inital user

Before launching the web UI, an initial user and password must be created using the command-line utility.

cd /opt/intrudect-web
./intrudect-cli -cmd add -type admin -username <username> -password <passowrd>

Initial settings

Define network names and address ranges in "Site->Networks"
Review different module settings underr "Monitoring" menu.
Authorized DNS servers "Monitoring->DNS"
Authorized DHCP servers "Monitoring->DHCP"
Admin workstation addresses/subnets "Monitoring->Admin protocols"
Add alerting integrations under "Settings->Integrations"

Add agents

Point your browser to the web UI hostname and log in. Navigate to "Agents" and select the specific agent configuration from the menu.

After adding an agent, you can use "Download Config" to download its configuration file. This file now includes the agent’s login credentials for the web UI. Save the configuration file on the server where this particular agent is running.

Configuration files are located at /opt/intrudect-<agentname>/etc/config.json

Adding external communication platforms

The web UI supports alert delivery to external channels via webhooks and e-mail. This allows users to receive real-time notifications based on their defined rules.

Wazuh integration (optional)

Install Wazuh agent into the server.

Append to /var/ossec/etc/ossec.conf

<!-- intrudect -->
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/intrudect-wazuh.json</location>
  </localfile>
</ossec_config>

Restart Wazuh agent
```
systemctl restart wazuh-agent
```

On the Wazuh server, create a rule group and rules in the file: /var/ossec/etc/rules/local_rules.xml
For example, one rule to catch all events:

<group name="intrudect">
  <rule id="100010" level="12">
    <decoded_as>json</decoded_as>
    <field name="type">useragent</field>
    <description>$(description)</description>
  </rule>
</group>

Or multiple rules with custom levels:
Possible TYPE values: honeypot,egress,dhcp,ioc,tor,arp,dns_txt,dns_ptr,dns_a,dns_aaaa,dns_dga,dns,ldap,portscan,smb,useragent,adm_protocol,newdevice,n2n,pwd_brute

<group name="intrudect">
  <rule id="100010" level="12">
    <decoded_as>json</decoded_as>
    <field name="type">TYPE1</field>
    <description>$(description)</description>
  </rule>
  <rule id="100011" level="12">
    <decoded_as>json</decoded_as>
    <field name="type">TYPE2</field>
    <description>$(description)</description>
  </rule>
  / ... /
</group>

Restart Wazuh
```
systemctl restart wazuh-manager
```