Troubleshooting From Capture to Database Creation

Please walk through the checks in the PDF file below on your Zeek and AC-Hunter systems. If any of them fail or you get errors of any kind, please contact support at https://portal.activecountermeasures.com/support/support-request/ . Describe the check that failed and include the program output and any errors.

 

Troubleshooting_From_Capture_to_Database_Creation.pdf

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8241


Ways to Speed Up AC-Hunter

The following PDF document covers ways to tune AC-Hunter’s performance so that it can keep up with high-bandwidth connections:

Speeding Up AC-Hunter/AC-Hunter Performance Tuning

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8119


Troubleshooting Espy Server

Please refer to the following PDF file as a guide to troubleshooting your Espy server installation:

Troubleshooting Espy Server

 

Many thanks to Logan Lembke for providing this troubleshooting document.

Revision: November 11, 2022

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7694


Bypassing Chrome’s Certificate Warning

In older versions of Chrome, when a certificate was self-signed, you could open a page explaining why and press “Proceed to Website” to ignore the error. Newer versions of Chrome may not allow this, depending on your security settings.

If you no longer get this button when trying to go to your BeaKer server, for example, click inside the certificate warning page and type the characters

thisisunsafe

Then press Enter.

The characters won’t show up on the screen, but when you press Enter you’ll leave the certificate warning page and continue to the BeaKer server.

For more information, see https://dblazeski.medium.com/chrome-bypass-net-err-cert-invalid-for-development-daefae43eb12 .

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7554


Filtering External-to-Internal Traffic

RITA, both as a standalone program and as a background tool in AC-Hunter, includes a setting called FilterExternalToInternal. This setting controls whether connections that originate on the Internet and land on one of your internal systems are shown or hidden.

As Threat Hunting tools, both RITA and AC-Hunter focus on outbound traffic – traffic from an Internal IP address to an External IP address – as they look for Command and Control traffic and related Threats. Inbound traffic (from an External IP address to an Internal IP address) would rarely – if ever – fall into this same category of C&C Threats. The problem is that you may see a large number of entries in AC-Hunter caused by incoming portscans that make it more difficult to see the actual threats. For this reason, our best recommendation for most networks is to ignore inbound traffic.

To decide how to set this value, please use these guidelines:

– If you 1) have no servers with public IPs declared as Internal, 2) do not allow port forwarding from your router back to internal machines, and 3) use no other technologies such as VPNs to bring in connections, there are no circumstances in which you’ll see Inbound traffic, so this setting will have no effect on your copy of AC-Hunter.

– If you do have Inbound traffic:

– …and are using AC-Hunter 6.1.0 or lower, you’ll see the inbound traffic by default.
– …and are using AC-Hunter 6.2.0 or higher, you will not see inbound traffic by default.
– …and set FilterExternalToInternal to “true” you will override the default and you will not see inbound traffic.
– …and set FilterExternalToInternal to “false” you will override the default and you will see inbound traffic.

To see how to set this value, see the “Analyzing incoming traffic” section of the AC-Hunter install guide, and set FilterExternalToInternal to your preferred value.

The downside of seeing this inbound traffic is that you’re likely to see a large number of incoming scans from the Internet that may push legitimate Threats out of your view. The downside of hiding this inbound traffic is that there’s a small chance that an Inbound connection could carry command and control traffic or a related Threat.
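As an added illustration (not part of the original FAQ or of RITA's code), the following Python models how the Internal/External classification behind FilterExternalToInternal separates outbound from inbound connections, and what each value of the setting leaves on screen. The Internal ranges and the sample connections are constructed for the example, and RITA's other filters are not modelled.

```python
import ipaddress
from collections import Counter

# Constructed: the ranges treated as "Internal" (the RFC 1918 ranges here, an
# assumption of this example). Any public range you declare Internal, one source
# of inbound traffic named in the FAQ, would be added to this list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src, dst):
    """Label a connection by how it crosses the Internal/External boundary."""
    s, d = is_internal(src), is_internal(dst)
    if s and not d:
        return "internal_to_external"
    if d and not s:
        return "external_to_internal"
    return "internal_to_internal" if s else "external_to_external"

def filter_connections(conns, filter_external_to_internal=True):
    """Keep the connections that are hunting candidates under the setting.
    Outbound (Internal->External) is always kept; inbound (External->Internal)
    only when the filter is false (the 6.2.0+ default is true). Traffic that
    stays on one side is ignored here, a simplification of this example."""
    kept = []
    for src, dst in conns:
        d = direction(src, dst)
        if d == "internal_to_external" or (d == "external_to_internal" and not filter_external_to_internal):
            kept.append((src, dst, d))
    return kept

def summarize(conns, filter_external_to_internal):
    """Count kept connections per direction: the volume an analyst has to scroll through."""
    return Counter(d for _, _, d in filter_connections(conns, filter_external_to_internal))

# Constructed sample: 5 beacons from one host, an inbound scan of 50 hosts, some local chatter.
SAMPLE_CONNS = (
    [("10.1.2.3", "203.0.113.10")] * 5
    + [("198.51.100.7", f"10.1.2.{i}") for i in range(1, 51)]
    + [("10.1.2.3", "10.1.2.4")] * 3
)
```

With the filter on, the five beacons are all that remains; with it off, the fifty scan entries sit beside them, which is the trade-off the FAQ describes.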

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=5132


Troubleshooting AC-Hunter LDAP

Please refer to the following PDF file as a guide to troubleshooting LDAP integration in AC-Hunter:

Troubleshooting AC-Hunter LDAP

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=4972


How Do I Verify an LDAP Server’s Certificate with a Custom Certificate Authority?

How Do I Verify an LDAP Server’s Certificate with a Custom Certificate Authority when Integrating AC-Hunter with LDAP/Active Directory?

To start, copy the public certificate of the custom certificate authority to the machine running AC-Hunter.

The certificate authority file must be in PEM format: a .pem file, or a .cer file using base64 encoding.

The path to the certificate authority must be made available to the ‘achunter_auth’ Docker container. In order to do this, two files must be edited:

 

First, in ‘/etc/AC-Hunter/config.yaml’, the ‘CAPath’ field under ‘Authorization>Providers>LDAP>TLS’ must be set to the path where the certificate will reside within the Docker container.

‘/usr/lib/ssl/certs/’ is recommended, though any valid, unrestricted path will work.

Example:

Authorization:
  Providers:
    LDAP:
    - Name: ...
      Hostname: ...
      Port: 636
      TLS:
        Enabled: true
        VerifyCertificate: true
        CAPath: /usr/lib/ssl/certs/achunter.pem

 

Second, a bind mount must also be added in ‘/opt/AC-Hunter/docker/auth.yml’.

The path given for the “target” of the bind mount must match the entry for ‘CAPath’ in ‘/etc/AC-Hunter/config.yaml’. Under the “volumes” section, add a new entry:

- type: bind
  source: /path/to/certificate/on/host
  target: /usr/lib/ssl/certs/achunter.pem
  read_only: true

 

After editing these files, run:

hunt up -d --force-recreate

 

Warning: ‘/opt/AC-Hunter/docker/auth.yaml’ is overwritten on each upgrade. This file will need to be updated with the new bind mount after each upgrade of AC-Hunter.
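A preflight check for the two edits above, added here as example code rather than anything shipped with AC-Hunter: it confirms that the bind-mount target in auth.yml equals CAPath in config.yaml, and that the CA file is PEM (re-encoding a binary DER .cer when needed). The YAML excerpts are constructed, and the key extraction is a regex assumption, not a YAML parser.

```python
import re
import ssl

# Constructed excerpts of the two files the FAQ says must agree (not AC-Hunter's
# shipped configuration; real files carry many more keys).
CONFIG_YAML = """
Authorization:
  Providers:
    LDAP:
    - Name: corp
      TLS:
        VerifyCertificate: true
        CAPath: /usr/lib/ssl/certs/achunter.pem
"""

AUTH_YML = """
services:
  achunter_auth:
    volumes:
      - type: bind
        source: /etc/AC-Hunter/corp-ca.pem
        target: /usr/lib/ssl/certs/achunter.pem
        read_only: true
"""

def yaml_scalar(text, key):
    """First 'key: value' scalar in a YAML fragment (regex, assumed good enough
    for these flat keys; it is not a YAML parser)."""
    m = re.search(rf"^\s*-?\s*{re.escape(key)}:\s*(\S+)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def mount_matches_capath(config_yaml, auth_yml):
    """True when the mount target is exactly the CAPath the auth container opens."""
    return yaml_scalar(config_yaml, "CAPath") == yaml_scalar(auth_yml, "target")

def ca_as_pem(data: bytes) -> str:
    """Return the CA as PEM text. Base64 .pem/.cer is used as-is; a binary DER .cer
    (ASN.1 SEQUENCE, first byte 0x30) is re-encoded; anything else is rejected."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return data.decode("ascii")
    if data[:1] == b"\x30":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")
```

Run the two checks against the real files before `hunt up -d --force-recreate`; a mismatch is the usual cause of the auth container failing to find the CA.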

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=4571


How Do I Control Which IP Addresses are Used By Docker and AC-Hunter?

Here’s how to control the networks Docker assigns to the containers used by AC-Hunter and other tools.

First, stop the Docker daemon.

sudo systemctl stop docker

Next, make a backup of your current Docker daemon configuration file.

sudo cp /etc/docker/daemon.json /etc/docker/daemon.json.bak

If the file does not exist, please create it as root. Then, open /etc/docker/daemon.json in your preferred text editor.

To change how Docker allocates networks to containers, edit the “default-address-pools” configuration. By default, Docker allocates /24 subnets from the following networks:

  • 172.80.0.0/16
  • 172.90.0.0/16

For example, to tell the Docker daemon to allocate /24 networks out of 10.100.0.0/16, delete the default “default-address-pools” configuration if it exists and add the following to the file:

{
  "default-address-pools": [
    {
      "base": "10.100.0.0/16",
      "size": 24
    }
  ]
}

Finally, restart the Docker daemon.

sudo systemctl start docker

For more information, please see the official Docker documentation at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
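Added example (not from the FAQ or from Docker): before restarting the daemon, parse the new daemon.json the way dockerd does (strict JSON, so a version with trailing commas is rejected), count the /24 networks the pool yields, and compare the pool against the networks this sensor monitors, since a Docker bridge overlapping a monitored or routed range is the usual reason to change the pools. The site networks are constructed.

```python
import ipaddress
import json

# Constructed: the FAQ's pool as strict JSON (dockerd refuses to start on trailing commas).
DAEMON_JSON = '{"default-address-pools": [{"base": "10.100.0.0/16", "size": 24}]}'

# Constructed: networks this sensor monitors or must reach. A container bridge carved
# from one of these ranges would shadow it on the host.
SITE_NETWORKS = ["10.100.5.0/24", "192.168.1.0/24"]

def is_valid_daemon_json(text):
    """json.loads is strict in the same ways dockerd's parser is."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def load_pools(text):
    """Return [(base_network, size)] from daemon.json, checking each pool is sane."""
    pools = []
    for pool in json.loads(text)["default-address-pools"]:
        base = ipaddress.ip_network(pool["base"])
        size = int(pool["size"])
        if not base.prefixlen < size <= base.max_prefixlen:
            raise ValueError(f"size /{size} cannot be carved from {base}")
        pools.append((base, size))
    return pools

def subnets_available(pools):
    """Number of container networks each pool can hand out (a /16 holds 256 /24s)."""
    return {str(base): 2 ** (size - base.prefixlen) for base, size in pools}

def overlapping_site_networks(pools, site_networks):
    """Site networks that collide with any pool's base range."""
    sites = [ipaddress.ip_network(n) for n in site_networks]
    return sorted(str(s) for s in sites if any(base.overlaps(s) for base, _ in pools))

def pool_report(text, site_networks):
    pools = load_pools(text)
    return {"subnets": subnets_available(pools),
            "collisions": overlapping_site_networks(pools, site_networks)}
```

A non-empty "collisions" list means the chosen base should be moved before `systemctl start docker`, not after.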

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=3350


How Do I Switch a System That’s Running RITA Every 2 Hours to Running It Every Hour?

The earliest releases of AC-Hunter ran RITA every 2 hours. If you’ve had AC-Hunter for a long time and have upgraded it in place, that setting may still be there.

Current releases of AC-Hunter run RITA every hour so you can see your data with less delay. To make this change:

  • Log in to the AC-Hunter host.
  • Edit /etc/AC-Hunter/config.yaml with your preferred editor:
sudo vim /etc/AC-Hunter/config.yaml
  • Locate the Schedule line under the RITA: section (note: there are multiple “Schedule:” lines in this file). If it’s currently set to run every two hours, it will look like:
Schedule: "0 20 0-23/2 * * *"

(If it doesn’t have the “/2” following 0-23, RITA is already run every hour and you can stop here.)

  • Remove the “/2” from that line so it now looks like:
Schedule: "0 20 0-23 * * *"

Be careful not to change the number of spaces at the beginning of that line. Save your changes and exit.

  • Now load these changes into AC-Hunter with the following commands.
sudo ./hunt down
sudo ./hunt up -d --force-recreate
  • As a side note, when AC-Hunter is restarted, RITA is automatically run.

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=2769


Placing Your Own TLS Key for the Web Server to Use

This approach only works if you have created an actual DNS hostname for the AC-Hunter system and access it with a URL like https://achunter.mydomain.com , as opposed to accessing it with an IP address such as https://1.2.3.4 .

On the AC-Hunter system, make a backup of the original key and certificate with:

sudo cp -p /etc/AC-Hunter/private.key /etc/AC-Hunter/private.key.orig
sudo cp -p /etc/AC-Hunter/public.crt /etc/AC-Hunter/public.crt.orig

Create the private key and certificate signing request for the hostname you use. To use the built-in openssl command on the AC-Hunter system, ssh to it and run:

openssl req -new -newkey rsa:2048 -nodes -keyout SERVER_NAME.key -out SERVER_NAME.csr

Send this “.csr” (Certificate Signing Request) file and any other requested information to your chosen Certificate Authority and pay to have it signed. They’ll return a signed certificate file.

Please save a copy of the key, csr, and crt files on a different system.

Copy the key you generated above to /etc/AC-Hunter/private.key on the AC-Hunter system.

Download the certificate you received from the CA to /etc/AC-Hunter/public.crt on the AC-Hunter server.

If your Certificate Authority provides root and/or intermediate certificates as well, these need to go into the public.crt file too! The order matters: your server certificate goes at the top of that file, followed by the intermediate certificate, then the CA root certificate.

As the user under which AC-Hunter was installed, run:

sudo chown root /etc/AC-Hunter/public.crt /etc/AC-Hunter/private.key
sudo chmod 644 /etc/AC-Hunter/public.crt /etc/AC-Hunter/private.key
sudo hunt up -d --force-recreate web

Now go back to your web browser and reload the AC-Hunter interface with Shift-Ctrl-R.

From this point on you should no longer see the warning about an unsigned certificate when starting AC-Hunter. To confirm that the new certificate is being used, go to https://achunters.host.name (your AC-Hunter hostname) and click on the lock to the left of the URL when it comes up (the steps to see certificate details vary between browsers). You should be able to see the details of your new certificate there; if you still see a certificate with the Organization set to either “OffensiveCounterMeasures” or “Active Countermeasures”, retry these steps or check with support.

We recommend setting a yearly reminder to replace the certificate before it expires.

