Run:
sudo iptables -L -nxv | less -S
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=872
The ach_status.sh script shows the status of both the AC-Hunter and Zeek systems. Example call:
ach_status.sh | less
If you’d prefer to create a compressed version of this output ready to attach to a tech support email thread, run the following, all on one line:
TF=$(mktemp -q /tmp/achstat.$(date +%Y%m%d%H%M%S).XXXXXX) ; ach_status.sh >"$TF" 2>&1 ; gzip -9 "$TF"
The resulting file in /tmp/ whose name starts with achstat and ends with gz is ready to send back as part of a support request.
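As an added example (not part of the original FAQ), the one-liner above wrapped in a POSIX sh function that checks that the temporary file was actually created before writing to it, captures both stdout and stderr of whatever status command is passed in, and prints the path of the finished .gz so it can be attached directly. The command to run and the output directory are parameters; ach_status.sh is assumed to be on the PATH on a real AC-Hunter host.

```shell
#!/bin/sh
# collect_support_bundle CMD [DIR]
# Runs CMD (a shell command line such as "ach_status.sh"), captures its
# stdout and stderr into a uniquely named file achstat.<timestamp>.XXXXXX in
# DIR (default /tmp), compresses it with gzip -9 and prints the .gz path.
collect_support_bundle() {
    cmd=$1
    dir=${2:-/tmp}
    stamp=$(date +%Y%m%d%H%M%S)
    # Fail early if the temp file cannot be made; the original one-liner would
    # otherwise try to redirect into an empty filename.
    tf=$(mktemp -q "$dir/achstat.$stamp.XXXXXX") || {
        echo "collect_support_bundle: could not create temp file in $dir" >&2
        return 1
    }
    # Keep going even if the status command exits non-zero: a partial report
    # is still useful to support.
    sh -c "$cmd" >"$tf" 2>&1
    gzip -9 "$tf" || return 1
    printf '%s\n' "$tf.gz"
}

# Demonstration on a constructed command (ach_status.sh itself is only
# present on an AC-Hunter host); shows the resulting file name and size.
demo_dir=$(mktemp -d)
demo_file=$(collect_support_bundle "echo demo-status; echo demo-warning 1>&2" "$demo_dir")
ls -l "$demo_file"
```

On an AC-Hunter system the call is simply `collect_support_bundle ach_status.sh`, which leaves a file matching /tmp/achstat.*.gz and prints its name.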
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=871
The tcpdump package is provided in all supported Linux distributions.
On Debian and Ubuntu Linux, run:
sudo apt-get -y install tcpdump
On CentOS, RHEL, or Fedora Linux, run:
sudo yum -y install tcpdump
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=868
If you’re not receiving syslog events, please refer to the AC-Hunter Troubleshooting Alerting document below (PDF):
AC-Hunter Troubleshooting Alerting Document
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=855
Run the following commands on the AC-Hunter system:
cat /opt/AC-Hunter/VERSION
./hunt run --rm api rita --version
./hunt run --rm db mongo --version
The “cat” command returns the version of AC-Hunter, while the two hunt commands return the versions of RITA and MongoDB on the system.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=854
sudo vim /etc/AC-Hunter/rita.yaml
Edit the values after AlwaysInclude and/or InternalSubnets. Use double quotes around each entry, leave no spaces between the left bracket and the right bracket, and always put a /32 after an individual IP address (or the appropriate prefix length after a network block). Once saved, activate the changes by running:
sudo hunt up -d --force-recreate
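Because a malformed AlwaysInclude or InternalSubnets line silently changes which traffic RITA treats as internal or always keeps, it is worth checking the edit before recreating the containers. The following POSIX sh checker is an added example, not part of the FAQ or of the AC-Hunter project; it assumes the list format the text describes, i.e. a line of the form `InternalSubnets: ["10.0.0.0/8","192.168.1.5/32"]`, and enforces the three rules above plus sane octet and prefix ranges. The file path and the sample configuration lines are constructed for the demonstration.

```shell
#!/bin/sh
# Shape of an acceptable line (assumed from the FAQ's rules):
#   Key: ["a.b.c.d/NN","e.f.g.h/NN"]   or   Key: []
# - every entry is wrapped in double quotes
# - no whitespace anywhere between '[' and ']'
# - every entry carries a /prefix (a single host is /32)
SUBNET_LINE_RE='^[[:space:]]*(AlwaysInclude|InternalSubnets):[[:space:]]*\[("[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}"(,"[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}")*)?][[:space:]]*$'

# check_subnet_line LINE -> 0 if LINE is well formed, 1 otherwise
check_subnet_line() {
    line=$1
    printf '%s\n' "$line" | grep -Eq "$SUBNET_LINE_RE" || return 1
    # Strip everything but the comma-separated CIDRs and check numeric ranges
    # the regex alone cannot express (octets 0-255, prefix 0-32).
    body=$(printf '%s\n' "$line" | sed -e 's/^[^[]*\[//' -e 's/\].*$//' -e 's/"//g')
    [ -n "$body" ] || return 0            # an empty list [] is valid
    printf '%s\n' "$body" | tr ',' '\n' | while IFS= read -r cidr; do
        ip=${cidr%/*}
        prefix=${cidr#*/}
        [ "$prefix" -le 32 ] || exit 1
        for oct in $(printf '%s\n' "$ip" | tr '.' ' '); do
            [ "$oct" -le 255 ] || exit 1
        done
    done
}

# check_rita_filters FILE -> prints every bad AlwaysInclude/InternalSubnets
# line in FILE and returns 1 if any were found, 0 otherwise.
check_rita_filters() {
    bad=0
    while IFS= read -r line; do
        case $line in
            *AlwaysInclude:*|*InternalSubnets:*)
                check_subnet_line "$line" || {
                    printf 'BAD: %s\n' "$line"
                    bad=$((bad + 1))
                } ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Demonstration on a constructed config fragment (not a real rita.yaml):
# the second entry is missing its /32 and the third has a space after the comma.
demo_cfg=$(mktemp)
printf '%s\n' \
    'Filtering:' \
    '  AlwaysInclude: ["8.8.8.8/32"]' \
    '  InternalSubnets: ["10.0.0.0/8","192.168.1.5"]' \
    '  InternalSubnets: ["10.0.0.0/8", "172.16.0.0/12"]' > "$demo_cfg"
check_rita_filters "$demo_cfg" && echo "all filter lines OK" || echo "fix the lines above"
```

Run it as `check_rita_filters /etc/AC-Hunter/rita.yaml` after editing and before `sudo hunt up -d --force-recreate`; a clean exit status means every list matched the expected shape.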
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=852