Troubleshooting From Capture to Database Creation

January 18, 2024 Comments Off on Troubleshooting From Capture to Database Creation

Please walk through the checks within the below PDF file on your Zeek and AC-Hunter systems. If any of them fail or you’re getting errors of some form, please get in touch with support at https://portal.activecountermeasures.com/support/support-request/ . Please describe the check that failed and include the program output and errors (if any).

 

Troubleshooting_From_Capture_to_Database_Creation.pdf

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8241

Read More

Limiting Mongo’s Memory Usage

January 10, 2024 Comments Off on Limiting Mongo’s Memory Usage

The database package used in AC-Hunter (up to version 6.4.0) is Mongodb. Mongo assumes it has access to as much memory as the system has – and occasionally even more than that. 🙂 If you’re finding that mongodb is occasionally crashing because it’s out of memory, please read on to see how to put a limit on Mongo’s memory usage.

 

Is Mongo Eating Up All Your Memory?

Run:

sudo dmesg -T | egrep -i '(Out of memory|oom)'

and look for mongod being killed in the results.

 

What Memory Limit to Use?

First, we need to confirm how much memory is available on your system. Please run:

free -h

on your AC-Hunter system. Here’s a sample output, showing just the “Total” column for memory and swap:

     total
Mem: 32Gi
Swap: 40Gi

This system has 32GB + 40GB = 72GB total memory space. We can’t use all of that since some is used by the kernel, libraries, other programs, and disk caching, so the amount we pick needs to be less than 72GB. Leaving 8GB for other uses means our limit for Mongo has to be 64GB or less.

Note that a lot of this memory is swap, so as Mongo goes beyond 32GB it will start to run more slowly. It should be fine to pick a number a little larger than 32GB (such as 36GB, 40GB, or 44GB, but you should be cautious about going too much beyond those.

In short, pick a number that’s up to 12GB more than your installed memory, but also less than (memory + swap – 8GB).

 

Putting This Limit in Place

Next, log in to the AC-Hunter system as a user that has sudo privileges and run:

sudo nano /opt/AC-Hunter/docker/db.mongo.yml

In this file, look down for a line that reads:

    command: "mongod --auth"

While this article may not show it, that line should be indented by exactly 4 spaces; as you’re editing it, please don’t change the spacing or save the file with any form of tabs.
Please add the following wiredTigerCacheSize parameter to that line inside the pair of double quotes. The number you place at the end is the maximum number of gigabytes that Mongo should be allowed to use:

    command: "mongod --auth --wiredTigerCacheSizeGB 44"

Again, make sure not to change the number of spaces to the left of “command:…” or convert it to tabs. Both of the command line options start with two simple dashes each (to the right of “0” on an English language keyboard.) The odd capitalization in “–wiredTigerCacheSizeGB” is actually correct.

Once you’ve made the change, save and exit with ctrl-o and ctrl-x, respectively, and then run:

hunt down
hunt up -d --force-recreate

 

Closing Thoughts

To watch Mongo’s memory usage, run “top”. Press “M” to sort the processes by the amount of memory they use. If you plan to leave top running for a few days to watch it, press “s120<Enter>” (without the quotes) to tell top to only refresh its output once every 120 seconds.

There’s one side note to this. The limit you set above handles most of Mongo’s memory usage but not the memory it temporarily uses while creating indexes. This is why Mongo may occasionally go above the limit you set.

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8234

Read More

Using a Proxy With AC-Hunter

November 28, 2023 Comments Off on Using a Proxy With AC-Hunter

Because AC-Hunter is a security tool, it’s common that it may be placed in a network segment that can’t make direct outbound connections but allows requests sent through an HTTP or HTTPS proxy. This blocks AC-Hunter from 1) checking for updated AC-Hunter versions, 2) installing and updating packages during the install, and 3) sending outbound Slack alerts.

With a short adjustment to two configuration files AC-Hunter can use your proxy for its outbound connections, both during the installation and during normal operation.

 

Setting Environment Variables to Force Using a Proxy in AC-Hunter

You have the ability to set environment variables for your containers by editing the yaml files that start them up. For example, if we want to set the Linux *_proxy variables for the API container, please do the following. Edit /opt/AC-Hunter/docker/api.yaml with:

sudo nano /opt/AC-Hunter/docker/api.yaml

In that file scroll down to the “services:” section, the “api:” section inside that, and the “environment:” section in “api:”. You’ll see some environment variables already there. Below them, add the following lines, preserving the spacing exactly as the others (in my case, there are 6 spaces before each “-“. You’ll need to replace “http://” with “https://” if the proxy expects an https connection, “1.2.3.4” with the IP address of the proxy, and “3128” with the TCP port to which the proxy is listening in all 6 lines. The “dash” is required.

- http_proxy="http://1.2.3.4:3128/"
- https_proxy="http://1.2.3.4:3128/"
- ftp_proxy="http://1.2.3.4:3128/"
- HTTP_PROXY="http://1.2.3.4:3128/"
- HTTPS_PROXY="http://1.2.3.4:3128/"
- FTP_PROXY="http://1.2.3.4:3128/"

The URL placed inside the pairs of quotes can also accept a username and password if needed to access the proxy, like:

- http_proxy="http://bart:[email protected]:3128/"
- https_proxy="http://bart:[email protected]:3128/"
- ftp_proxy="http://bart:[email protected]:3128/"
- HTTP_PROXY="http://bart:[email protected]:3128/"
- HTTPS_PROXY="http://bart:[email protected]:3128/"
- FTP_PROXY="http://bart:[email protected]:3128/"

If your proxy IP address is an IPv6 address, it needs to be surrounded by square brackets so that it’s clear which part is the IPv6 address and which part is the port:

- http_proxy="http://[fe80:cafe::7]:3128/"
- https_proxy="http://[fe80:cafe::7]:3128/"
- ftp_proxy="http://[fe80:cafe::7]:3128/"
- HTTP_PROXY="http://[fe80:cafe::7]:3128/"
- HTTPS_PROXY="http://[fe80:cafe::7]:3128/"
- FTP_PROXY="http://[fe80:cafe::7]:3128/"

Once you have the modified versions of these lines added, save and exit.

Restart AC-Hunter with:

hunt down ; sleep 10 ; hunt up -d

(You should _not_ need to add –force-recreate to the above command)

Finally, please make a backup of api.yaml somewhere so you can pull in these changes after a future upgrade.

Once these changes are in place, most command line tools that need to place outbound connections understand they should look at these environment variables to locate a proxy.

 

Forcing a Proxy During the AC-Hunter Install

If you also need to use a proxy during the initial install, you’ll have to do that at the command line for the user doing the install. Edit the file “~/.bash_profile” and add the following lines:

export http_proxy="http://1.2.3.4:3128/"
export https_proxy="http://1.2.3.4:3128/"
export ftp_proxy="http://1.2.3.4:3128/"
export HTTP_PROXY="http://1.2.3.4:3128/"
export HTTPS_PROXY="http://1.2.3.4:3128/"
export FTP_PROXY="http://1.2.3.4:3128/"

In a similar way to how you edited api.yaml above you’ll need to:

– Replace 1.2.3.4 with the IP address of your proxy (surrounding it with square brackets if it’s an IPv6 address)
– Replace “3128” with the port on which the proxy listens
– Replace “http://” with “https://” if the proxy expects HTTPS (encrypted) connections
– Add in a username and password if required to access the proxy.

Make sure you do this on all systems on which you’re installing an AC-Hunter component, and log out and log back in before trying the installation.

 

Reference

When AC-Hunter is started it uses docker-compose to actually launch the underlying programs. For more detail on setting environment variables with docker-compose, see https://docs.docker.com/compose/environment-variables/set-environment-variables/ .

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8186

Read More

Ways to Speed Up AC-Hunter

September 20, 2023 Comments Off on Ways to Speed Up AC-Hunter

The following PDF document covers ways to tune AC-Hunter’s performance so that it can keep up with high bandwidth connections:

Speeding Up AC-Hunter/AC-Hunter Performance Tuning

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8119

Read More

Remove an Existing AC-Hunter Web User

September 19, 2023 Comments Off on Remove an Existing AC-Hunter Web User

You can remove an existing web users’ account from the command line. SSH into the system running AC-Hunter and run:

sudo /opt/AC-Hunter/scripts/manage_web_user.sh remove -u '[email protected]'

Replace [email protected] with the username to remove. It should be surrounded by single quotes.

Note: The Username (-u) is required to be in the format of an email address

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=8114

Read More

Importing Zeek Logs Manually Into RITA or AC-Hunter

January 9, 2023 Comments Off on Importing Zeek Logs Manually Into RITA or AC-Hunter

AC-Hunter normally imports the most recent 24 hours of logs for you, discarding old logs when new ones show up. There may be times when you want to import logs by hand, such as when:

– you’re bringing over logs from a sensor that doesn’t normally submit them.
– you’ve upgraded AC-Hunter and have a note that a database needs to be re-imported.
– you’d like to look at a time range smaller than a day.

 

Before you create a database, make sure the name you want to use doesn’t exist by checking the output of:

rita list

If that database name does exist, you can delete it with:

rita delete database_name

Finally, create a database from these logs by running the following command:

rita import /directory/that/holds/the/logs/ database_name

This command may take a while – the import process uses a lot of processor time, memory, and disk.

 

Note that this is the same command for both RITA and AC-Hunter. Once that has finished running, there will be a new database that you can use in future RITA commands or find in AC-Hunter’s database list (go to Dashboard, Gear icon, Database tab).

If you’re looking to replace a rolling database (one whose name ends in “-rolling”), please contact [email protected].

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7732

Read More

Troubleshooting Espy Server

December 16, 2022 Comments Off on Troubleshooting Espy Server

Please refer to the following PDF file as a guide to troubleshooting your Espy server installation:

Troubleshooting Espy Server

 

Many thanks to Logan Lembke for providing this troubleshooting document.

Revision: November 11, 2022

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7694

Read More

Corelight@Home Sensors Don’t Seem to Send Any Logs Over to AC-Hunter

December 8, 2022 Comments Off on Corelight@Home Sensors Don’t Seem to Send Any Logs Over to AC-Hunter

The Corelight@home package appears to save its hourly logs in an uncompressed format by default. To change this to the compressed logs that AC-Hunter is expecting, please do the following:

sudo nano /etc/corelight-softsensor.conf

(You’re welcome to use a different editor than nano.) Search down through the file (with ctrl-w) for the characters gzip . You should find this line:

Corelight::batch_log_gzip F

Please change the capital F to a capital T:

Corelight::batch_log_gzip T

Please save and exit. Now you’ll need to restart the corelight@home suite:

systemctl restart corelight-softsensor.service

Logs created from this point on should be compressed by default, allowing AC-Hunter to find the compressed logs it expects. You should have a new database for this system within a few hours.

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7684

Read More

Moving AC-Hunter Storage to a Larger Drive

November 17, 2022 Comments Off on Moving AC-Hunter Storage to a Larger Drive

When you run out of space, it’s time to add a new drive to your AC-Hunter system. Included in the below PDF document are the steps to make that happen. It will involve a brief outage, so plan for a time when AC-Hunter isn’t being actively used.

Moving_AC-Hunter_Storage_to_a_Larger_Drive.pdf

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7640

Read More

Bypassing Chrome’s Certificate Warning

October 24, 2022 Comments Off on Bypassing Chrome’s Certificate Warning

In older versions of Chrome, when a certificate was self-signed one could access a page explaining why and press “Proceed to Website” to ignore the error. Newer versions of Chrome may not allow this, depending on your security settings.

If you no longer get this button when trying to go to your BeaKer server, for example, click inside the certificate warning page and type the characters

thisisunsafe

Then press Enter.

They won’t show up on the screen, but when you press enter you’ll leave the certificate warning page and continue to the BeaKer server.

For more information, see https://dblazeski.medium.com/chrome-bypass-net-err-cert-invalid-for-development-daefae43eb12 .

 

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7554

Read More