sudo /usr/local/bin/zeek restart
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=886
All systems are designed to run on 64-bit Linux operating systems. The preferred platforms for AC-Hunter v6.4.3+ are:
1) Ubuntu Linux 24.04
2) CentOS Stream 9
3) RHEL 9
The system should be patched and up-to-date using apt or yum. AC-Hunter will install all of the required dependencies.
If your operating system offers “server” and “desktop” versions, we encourage the server version as it frees up a little more RAM and the desktop environment isn’t required. That said, if you prefer the desktop for your uses, that’s fine. With the exception of the system running Zeek, all of the other components can be run on physical or virtual machines.
We don’t recommend Windows or Mac OS as platforms on which to run these packages, but heartily encourage their use by the analyst for running a web browser (Chrome or Firefox recommended) to review results.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=878
You can reset your password from the command line. SSH into the system running AC-Hunter and run:
sudo /opt/AC-Hunter/scripts/manage_web_user.sh reset -u '[email protected]' -p 'newpassword'
Replace [email protected] and newpassword with the existing username to reset and the new password you wish to use. Both should be surrounded by single quotes.
Note: The username (-u) is required to be in the format of an email address.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=877
To check that your span port is correctly feeding data to Zeek, first install tcpdump (this package is provided in all supported Linux distributions).
On Debian and Ubuntu Linux, run:
sudo apt-get -y install tcpdump
On Centos, RHEL, or Fedora Linux, run:
sudo yum -y install tcpdump
Then run the following, replacing {ethernet_port} with the name of the network card on which Zeek is listening:
tcpdump -i {ethernet_port} -c 100 -qtnp
If you see no output at all, press Ctrl-C to stop the program and check that the network card is correctly connected to the span port on your switch.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=876
Required Internet Connectivity
If the installation enables a firewall, make sure you allow at least the following traffic:
A. Incoming to the AC-Hunter system, allow incoming TCP ports 22, 80, 443.
B. Incoming to the Zeek system, allow incoming TCP port 22. For the interface(s) used to sniff traffic, there should be no incoming firewall at all.
C. If you’re setting up a third Active-Flow system to process netflow records, that system should accept incoming TCP port 22 and UDP port 2055.
D. You can further restrict the above ports so that only machines owned by administrators and the Zeek and Active-Flow nodes can access port 22, only machines that should see the AC-Hunter web interface can access ports 80 and 443 on the AC-Hunter computer, and only the routers feeding netflow records can access UDP port 2055 on Active-Flow.
E. All systems should be able to place UDP port 53 and TCP ports 53, 80, and 443 requests out to the Internet to retrieve patches and pull down supporting information used in AC-Hunter’s web UI.
Future versions of AC-Hunter may use outbound https connections to retrieve reputation information. Details about this access will be added as these features are included.
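As an added example (not part of this FAQ and not Active Countermeasures' own tooling), the following script emits the iptables commands that implement items A and D on the AC-Hunter host; the ADMIN_HOSTS and ANALYST_NET addresses and the ACH-INPUT chain name are assumptions, so substitute your own.

```shell
#!/bin/sh
# Emit the iptables commands that implement items A and D on the AC-Hunter host:
# SSH only from the administrator, Zeek and Active-Flow addresses, the web UI
# only from analyst addresses, all other inbound traffic dropped. Rules live in
# a dedicated ACH-INPUT chain so re-running replaces them and Docker's own
# chains are untouched. Item E needs no rule: OUTPUT keeps its default ACCEPT
# policy and replies return through the ESTABLISHED rule. The addresses are
# constructed placeholders; override them through the environment.
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10/32 192.0.2.11/32}"
ANALYST_NET="${ANALYST_NET:-198.51.100.0/24}"

achunter_rules() {
  echo "iptables -N ACH-INPUT 2>/dev/null || iptables -F ACH-INPUT"
  echo "iptables -A ACH-INPUT -i lo -j ACCEPT"
  echo "iptables -A ACH-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for h in $ADMIN_HOSTS; do
    echo "iptables -A ACH-INPUT -p tcp -s $h --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in 80 443; do
    echo "iptables -A ACH-INPUT -p tcp -s $ANALYST_NET --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A ACH-INPUT -j DROP"
  # Hook the chain in front of INPUT once; -C tests whether the jump already exists.
  echo "iptables -C INPUT -j ACH-INPUT 2>/dev/null || iptables -I INPUT 1 -j ACH-INPUT"
}

# Number of ACCEPT rules generated for a given destination port (for review).
accepts_for_port() { achunter_rules | grep -c -- "--dport $1 .*-j ACCEPT"; }

achunter_rules
```

Review the output before loading it (for example with `achunter_rules | sh`) and confirm the result with the `iptables -L -nxv` command from this FAQ. If the web UI is served from a Docker container with a published port, inbound traffic to it traverses FORWARD/DOCKER-USER rather than INPUT, so the same source restriction must also be placed in the DOCKER-USER chain.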
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=874
This approach only works if you have created an actual DNS hostname for the AC-Hunter system and access it with a URL like https://achunter.mydomain.com, as opposed to accessing it with an IP address such as https://1.2.3.4.
On the AC-Hunter system, make a backup of the original key and certificate with:
sudo cp -p /etc/AC-Hunter/private.key /etc/AC-Hunter/private.key.orig
sudo cp -p /etc/AC-Hunter/public.crt /etc/AC-Hunter/public.crt.orig
Create the keys for the hostname you use. To use the built-in openssl command on the AC-Hunter system, ssh to it and run:
openssl req -new -newkey rsa:2048 -nodes -addext "subjectAltName = DNS:YOURDOMAIN.NAME" -keyout SERVER_NAME.key -out SERVER_NAME.csr
Send this “.csr” (Certificate Signing Request) file and any other requested information to your chosen Certificate Authority and pay to have it signed. They’ll return a signed certificate file.
Please save a copy of the key, csr, and crt files in a different system.
Copy the key you generated above to /etc/AC-Hunter/private.key on the AC-Hunter system.
Download the certificate you received from the CA to /etc/AC-Hunter/public.crt on the AC-Hunter server.
If your Certificate Authority provides root and/or intermediate certificates as well, these need to go into the public.crt file too! The order does matter; your server certificate goes at the top of that file, followed by the intermediate certificate, then the CA root certificate.
As the user under which AC-Hunter was installed, run:
sudo chown root /etc/AC-Hunter/public.crt /etc/AC-Hunter/private.key
sudo chmod 644 /etc/AC-Hunter/public.crt /etc/AC-Hunter/private.key
sudo hunt up -d --force-recreate web
Now go back to your web browser and reload the AC-Hunter interface with Shift-Ctrl-R.
From this point on you should no longer see the warning about an unsigned certificate when starting AC-Hunter. To confirm that the new certificate is being used, go to https://achunters.host.name and click on the lock to the left of the URL when it comes up (the steps to see certificate details vary between browsers). You should be able to see the details of your new certificate there; if you still see a certificate with the Organization set to either “OffensiveCounterMeasures” or “Active Countermeasures”, retry these steps or check with support.
We recommend setting a yearly reminder to replace the certificate before it expires.
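Because the ordering inside public.crt matters, here is an added check script (not from this FAQ or from Active Countermeasures) that inspects a bundle before you recreate the web service; the function name check_bundle and the 30-day expiry window are assumptions of this example.

```shell
#!/bin/sh
# Sanity-check an AC-Hunter public.crt bundle before recreating the web service:
#  1. the first certificate lists the AC-Hunter hostname in its SAN,
#  2. each certificate is issued by the one after it (server, then intermediate(s),
#     then root, the order this FAQ requires),
#  3. the server certificate is not within 30 days of expiry,
#  4. the chain verifies, with the last certificate as trust anchor and any
#     certificates in between treated as untrusted intermediates.
# Usage: check_bundle /etc/AC-Hunter/public.crt achunter.mydomain.com
check_bundle() {
  bundle=$1; host=$2
  dir=$(mktemp -d) || return 1
  # Split the PEM bundle into cert.0, cert.1, ... in file order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert." (n-1))}' "$bundle"
  count=$(ls "$dir" | wc -l | tr -d ' ')
  rc=1
  if ! openssl x509 -in "$dir/cert.0" -noout -text | grep -Eq "DNS:$host"'(,|$)'; then
    echo "FAIL: first certificate does not list DNS:$host (is the server cert first?)"
  elif ! openssl x509 -in "$dir/cert.0" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: server certificate expires within 30 days"
  else
    rc=0; i=0
    while [ "$rc" -eq 0 ] && [ $((i + 1)) -lt "$count" ]; do
      iss=$(openssl x509 -in "$dir/cert.$i" -noout -issuer)
      sub=$(openssl x509 -in "$dir/cert.$((i + 1))" -noout -subject)
      if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
        echo "FAIL: certificate $i is not issued by certificate $((i + 1)); check the order"
        rc=1
      fi
      i=$((i + 1))
    done
    if [ "$rc" -eq 0 ]; then
      # Everything between the first and last certificate is an untrusted intermediate.
      j=1; while [ "$j" -lt $((count - 1)) ]; do cat "$dir/cert.$j"; j=$((j + 1)); done > "$dir/untrusted"
      if [ "$count" -gt 2 ]; then set -- -untrusted "$dir/untrusted"; else set --; fi
      openssl verify -CAfile "$dir/cert.$((count - 1))" "$@" "$dir/cert.0" >/dev/null 2>&1 || {
        echo "FAIL: chain does not verify against the last certificate in the bundle"; rc=1; }
    fi
  fi
  [ "$rc" -eq 0 ] && echo "OK: $bundle is ordered and valid for $host"
  rm -rf "$dir"
  return "$rc"
}
```

Run it against /etc/AC-Hunter/public.crt with your AC-Hunter hostname before the `hunt up` step; a FAIL on the first check usually means the CA root or intermediate was pasted above the server certificate.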
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=873
Run:
sudo iptables -L -nxv | less -S
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=872
This script will show the status of both the AC-Hunter and Zeek systems. Example call:
ach_status.sh | less
If you’d prefer to create a compressed version of this output ready to attach to a tech support email thread, run the following, all on one line:
TF=$(mktemp -q /tmp/achstat.$(date +%Y%m%d%H%M%S).XXXXXX) ; ach_status.sh >"$TF" 2>&1 ; gzip -9 "$TF"
The resulting file in /tmp/ whose name starts with achstat and ends with gz is ready to send back as part of a support request.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=871
If the underlying Linux system runs out of space, that can lead to processes dying unexpectedly or tasks not completing. To check if you’re running low, run:
df -h
This shows the amount of free space on each of your partitions. Example – your output will be different:
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 60G 9.9G 51G 17% /
/dev/vda2 1.0T 101G 899G 10% /var
devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs 1.9G 180K 1.9G 1% /dev/shm
tmpfs 1.9G 193M 1.7G 11% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
tmpfs 380M 0 380M 0% /run/user/1001
tmpfs 380M 0 380M 0% /run/user/0
The important lines are the ones associated with the root filesystem (“/”), the home partition (“/home/”, if there is one), and “/var/”, if there is one. If any of these are very low on space, you’ll need to free some up.
A common tool for this is delete-databases.sh, available on the Zeek and AC-Hunter/RITA systems. When run with no command line parameters, it lists the available databases.
Once you’ve found some you no longer need to keep, run the tool again with the name(s) of one or more of them to remove. We recommend running the same command on both systems to remove them from both.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=870
Yes, there is! Run the following commands on your AC-Hunter system, depending on your version.
If you are using AC-Hunter 5.3.0 or higher, please run the following:
/usr/local/bin/import_pcaps.sh -p pcap_filename.pcap -d database_name
If you have AC-Hunter 5.2.0 or lower:
Set the following variables to your own values:
export PCAP_FILE=/absolute/path/to/file.pcap
export BRO_DIR=/absolute/path/you/want/bro/logs/
export DATABASE=yourdatabasename
Convert your pcap to Bro logs:
sudo docker run --rm --volume "$PCAP_FILE:/capture.pcap" --volume "$BRO_DIR:/pcap" --env BRO_DNS_FAKE=true blacktop/bro:2.5 -r /capture.pcap local
Import the Bro logs into AI-Hunter using RITA:
~/AIH-source/AI-Hunter-latest/rita import $BRO_DIR $DATABASE
At this point your database should be visible in AC-Hunter.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=869