Installing tcpdump

This package is provided in all supported Linux distributions.

On Debian and Ubuntu Linux, run:

sudo apt-get -y install tcpdump

On CentOS, RHEL, or Fedora Linux, run:

sudo yum -y install tcpdump


How Can I View Logs from Specific Docker Containers?

sudo hunt logs web
sudo hunt logs api
sudo hunt logs db
sudo hunt logs auth

Can I Change Where the Docker Files Are Stored?

Here’s how you can switch the docker storage location.

First, stop the docker daemon.

sudo systemctl stop docker

Next, move your docker directory. In this example we are moving the directory to /hunt/docker but you can choose your own location as long as you change the directory in the subsequent steps as well.

sudo mv /var/lib/docker /hunt/docker

Create /etc/docker/daemon.json and make it look like this:

{
"data-root": "/hunt/docker"
}

Or if the file already exists then add the “data-root” line immediately after the opening brace like this:

{
"data-root": "/hunt/docker",
...existing contents
}

Then start the docker daemon again:

sudo systemctl start docker

At this point you should be able to access AC-Hunter through the web interface, but if not you can try starting it manually using:

sudo hunt up -d --force-recreate
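
The daemon.json step above is the one most often done by hand, and a stray character there stops the daemon from starting. As an added example (not AC-Hunter's or Docker's own tooling), the Python below merges "data-root" into an existing daemon.json while keeping its other keys, creates the file when it is absent, refuses to overwrite a file that is not a JSON object, and writes the result atomically. The path /hunt/docker is the one used in the steps above; the function names are assumptions of this example.

```python
import json
import os
import tempfile

# Added example, not AC-Hunter's or Docker's own tooling: merge a "data-root"
# setting into /etc/docker/daemon.json without losing existing settings.

NEW_DATA_ROOT = "/hunt/docker"  # the location used in the steps above


def set_data_root(existing_text, new_root=NEW_DATA_ROOT):
    """Return daemon.json text with "data-root" set to new_root.

    existing_text is the current file content, or None when the file does
    not exist yet. Raises ValueError if new_root is not absolute or the
    existing content is not a JSON object, so a broken old file is never
    silently replaced."""
    if not os.path.isabs(new_root):
        raise ValueError("data-root must be an absolute path: %r" % new_root)
    if existing_text is None or existing_text.strip() == "":
        config = {}
    else:
        config = json.loads(existing_text)  # json.JSONDecodeError on bad input
        if not isinstance(config, dict):
            raise ValueError("daemon.json must contain a JSON object")
    config["data-root"] = new_root
    # indent=2 gives the layout shown above
    return json.dumps(config, indent=2) + "\n"


def write_daemon_json(path, new_root=NEW_DATA_ROOT):
    """Apply set_data_root to the file at path, replacing it atomically."""
    existing = None
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    updated = set_data_root(existing, new_root)
    # Write a temp file in the same directory and rename it over the original,
    # so an interrupted write cannot leave a half-written daemon.json behind.
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".daemon.json.")
    with os.fdopen(fd, "w") as f:
        f.write(updated)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return updated


if __name__ == "__main__":
    # No file yet:
    print(set_data_root(None))
    # Existing file with other settings (constructed sample):
    print(set_data_root('{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}'))
```

Run it as root with write_daemon_json("/etc/docker/daemon.json") between the stop and start steps above; the mv of /var/lib/docker is still done separately, exactly as shown.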

Can I Send Zeek Logs from an Existing Zeek Sensor to AC-Hunter to Be Analyzed?

Yes.

  1. Log in to your Zeek sensor as a user that can read the Zeek logs and can run commands under sudo
  2. Run the following commands. You’ll need to replace “my.achunter.system” with the hostname or IP address of your AC-Hunter system. “[/zeek/log/top/dir/]” is an optional parameter pointing at the top-level directory under which your Zeek logs can be found; you only need to specify it if it is not detected automatically.
    curl -fsSL https://raw.githubusercontent.com/activecm/zeek-log-transport/master/connect_sensor.sh -O
    
    curl -fsSL https://raw.githubusercontent.com/activecm/shell-lib/master/acmlib.sh -O
    
    curl -fsSL https://raw.githubusercontent.com/activecm/zeek-log-transport/master/zeek_log_transport.sh -O
    
    bash connect_sensor.sh my.achunter.system [/zeek/log/top/dir/]
  3. If you wish to send your logs to a second AC-Hunter system, repeat step 2 using the second system name or IP address.

Note: common directories that hold Zeek logs include:

/opt/zeek/logs/ #Zeek as installed by Rita
/usr/local/zeek/logs/ #Zeek default
/var/lib/docker/volumes/var_log_zeek/_data/ #Blue Vector
/nsm/zeek/logs #Security Onion
/storage/zeek/logs/

Troubleshooting Log Transfer

Each Zeek sensor’s logs are placed in their own directory on the AC-Hunter system. They should be under /opt/zeek/remotelogs/{zeek_sensor_name}/, with a subdirectory for each calendar day (such as /opt/zeek/remotelogs/zeek1__1921681213/2021-04-01/).

Please log in to your Zeek system as the user under which you installed Zeek and make sure you can ssh to the AC-Hunter system with:

ssh [email protected] -i "$HOME/.ssh/id_rsa_dataimport" 'echo Successfully connected.'

The “Successfully connected.” response should come back without having to enter a password; if you are asked for a password there’s something wrong with the ssh key setup.

As that same user on the Zeek sensor, please run:

/usr/local/bin/zeek_log_transport.sh --dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/

Replace ACH.IP.ADDRESS with the address of the AC-Hunter system. If your logs are stored somewhere other than /opt/zeek/logs/ on this sensor, adjust that too. This should start sending logs over to the AC-Hunter system. It’s OK to leave this running; any files you successfully transfer now will not be resent later.

Please check the file that initiates sending logs:

cat /etc/cron.d/zeek_log_transport

It should look like the following:

5 * * * * senduser /usr/local/bin/zeek_log_transport.sh --dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/

“senduser” will need to be the account name on this system under which you did the installation, “ACH.IP.ADDRESS” should be the AC-Hunter system’s IP, and “/opt/zeek/logs/” will need to be the directory where you have Zeek logs on this system.

Deleting Old Zeek Logs from the AC-Hunter System

The following steps will delete any Zeek logs older than 4 days on the AC-Hunter system. Note that this will not delete any AC-Hunter databases, just the raw Zeek log files that were imported. It will also not delete them from your actual sensors, just the copies that were sent to the AC-Hunter system, so if you ever needed them again you could manually copy them from the originals on your Zeek sensors.

To see what files would be deleted by this command, run the following under the “dataimport” account on your AC-Hunter server (run “sudo su - dataimport” first if you’re not already logged in as that user):

find "/opt/zeek/remotelogs/" -type f -mtime +4 -print0 | xargs -0 -r -n 20 echo

To set up a daily automatic delete, add the following line to /etc/cron.d/delete_old_zeek_logs. For example, open the file with the command below (any editor will do):

sudo vi /etc/cron.d/delete_old_zeek_logs

Everything from “0 3” to “-f'” is one line. Be especially careful when typing the path “/opt/zeek/remotelogs/” and make sure there are no spaces between the first and last slash. The quotes on this line (before find and after dash-f) are single quotes (the unshifted character on the double-quote key of a US keyboard), and the log directory is wrapped in double quotes.

0 3 * * * dataimport /bin/bash -c 'find "/opt/zeek/remotelogs/" -type f -mtime +4 -print0 | xargs -0 -r -n 20 rm -f'

Run both of the following:

sudo service cron reload 2>/dev/null
sudo service crond reload 2>/dev/null

Side note: You should not reduce the +4 in the above command; if you deleted logs that were 1, 2, or 3 days old, you’d run the risk of deleting files that zeek_log_transport would then have to copy over again (it sends any new files from the previous 3 days worth of logs every time it runs).
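
Both cron.d lines in the two sections above (the zeek_log_transport line and the delete line) are edited by hand and typed with placeholders that must be replaced, so it is worth checking them before reloading cron. As an added example (not part of AC-Hunter or zeek-log-transport), the Python below parses a /etc/cron.d line, flags placeholders such as ACH.IP.ADDRESS or senduser that were left in, validates the --dest host and --localdir path, confirms the quoted find | xargs command tokenizes and has no stray space inside the log path, and rejects a -mtime value below +4 for the reason given in the side note. The sample lines are constructed; the known_users parameter is an assumption for environments where you can list the local accounts.

```python
import re
import shlex

# Added example, not part of AC-Hunter or zeek-log-transport: sanity-check
# the /etc/cron.d lines shown above before reloading cron.

# Placeholder tokens from the instructions that must be replaced on a real system.
PLACEHOLDERS = ("ACH.IP.ADDRESS", "senduser", "my.achunter.system")
# Retention floor: zeek_log_transport resends the previous 3 days of logs,
# so a delete job below "-mtime +4" risks deleting files that get sent again.
MIN_MTIME_DAYS = 4

# Constructed sample lines (not taken from a real system).
SAMPLE_SEND_OK = ("5 * * * * zeekuser /usr/local/bin/zeek_log_transport.sh "
                  "--dest 192.0.2.10 --localdir /opt/zeek/logs/")
SAMPLE_SEND_UNEDITED = ("5 * * * * senduser /usr/local/bin/zeek_log_transport.sh "
                        "--dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/")
SAMPLE_DELETE_OK = ("0 3 * * * dataimport /bin/bash -c 'find \"/opt/zeek/remotelogs/\" "
                    "-type f -mtime +4 -print0 | xargs -0 -r -n 20 rm -f'")

_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse_crond_line(line):
    """Split a /etc/cron.d line into (schedule, user, command).

    The system crontab format is five time fields, the user to run as, then
    the command; the command may itself contain spaces and quotes."""
    parts = line.strip().split(None, 6)
    if len(parts) < 7:
        raise ValueError("expected 5 schedule fields, a user and a command")
    return " ".join(parts[:5]), parts[5], parts[6]


def check_crond_line(line, known_users=()):
    """Return a list of problems found in a cron.d line; an empty list means
    it looks fine. When known_users is given, the cron user must be in it."""
    try:
        schedule, user, command = parse_crond_line(line)
    except ValueError as e:
        return [str(e)]
    problems = []
    for token in PLACEHOLDERS:
        if token in line:
            problems.append("placeholder %r was not replaced" % token)
    if known_users and user not in known_users:
        problems.append("user %r is not a known account on this system" % user)
    # --dest must be an IP address or hostname (the pattern also accepts dotted IPv4)
    m = re.search(r"--dest\s+(\S+)", command)
    if m and not _HOST_RE.match(m.group(1)):
        problems.append("--dest value %r is not a valid host" % m.group(1))
    # --localdir should be an absolute directory path ending in "/", as in the examples above
    m = re.search(r"--localdir\s+(\S+)", command)
    if m and not (m.group(1).startswith("/") and m.group(1).endswith("/")):
        problems.append("--localdir %r should be an absolute path ending in /" % m.group(1))
    # delete job: the quoted log path must contain no stray spaces
    m = re.search(r'find\s+"([^"]*)"', command)
    if m and re.search(r"\s", m.group(1)):
        problems.append("find path %r contains whitespace" % m.group(1))
    # delete job: retention guard
    m = re.search(r"-mtime\s+\+(\d+)", command)
    if m and int(m.group(1)) < MIN_MTIME_DAYS:
        problems.append("-mtime +%s deletes logs the transport may resend; use +%d or more"
                        % (m.group(1), MIN_MTIME_DAYS))
    # an unbalanced quote (e.g. one smart quote pasted in place of a straight one)
    # makes the command impossible to tokenize
    try:
        shlex.split(command)
    except ValueError as e:
        problems.append("command does not parse as shell: %s" % e)
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_SEND_OK, SAMPLE_SEND_UNEDITED, SAMPLE_DELETE_OK):
        print(sample)
        print("   ", check_crond_line(sample, known_users=("zeekuser", "dataimport")) or "OK")
```

To check a real file, read each non-comment line of /etc/cron.d/zeek_log_transport or /etc/cron.d/delete_old_zeek_logs and pass it to check_crond_line; reload cron only when every line comes back with an empty list.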

Safelist (Whitelist) File – JSON Format

The safelist is stored in json format, an industry standard for sharing data. Here’s a small part of the top of the default safelist:

[
{
"Name": "8075",
"Type": "asn",
"Modules": [
{
"Name": "Beacons",
"Src": false,
"Dst": true
}
],
"Comment": "Microsoft patching and time servers"
},
{
"Name": "41231",
"Type": "asn",
"Modules": [
{
"Name": "Beacons",
"Src": false,
"Dst": true
}
],
"Comment": "Ubuntu patching servers"
},
...

You have the ability to edit this file to add new entries, take out existing entries, or modify entries. If you do, here are a few notes about the formatting in this file:

You must use double quotes for all strings, not single quotes, backquotes, or the “smart quotes” used by word processors. For example, "Name" and "8075" from above are valid; 'Name' and `8075` are not.

Whenever using true, false, or null as values, these must be all lowercase.

Inside each matched pair of left and right square brackets (“[” and “]”, json lists), and inside each matched pair of curly braces (“{” and “}”, json dictionaries), the entries are separated by commas, but you don’t use a comma after the final entry. For example:

 {
"Name": "Beacons",
"Src": false,
"Dst": true
}

Most Linux distributions and macOS offer a tool called jq (“json query”) that lets you extract data from and modify json files. It’s not usually installed by default, but should be available in your package manager. Once installed you can do the following:

To see the full contents in pretty-printed format (like the example above where entries are indented according to how deep they are), use:

cat edited-safelist.json | jq . | less

To check whether a json file is in a valid format, run:

$ cat edited-safelist.json | jq . >/dev/null
$

When you’re returned to a prompt directly, that means the format appears correct. If the file is not valid json, such as this one where I used single quotes instead of double quotes:

$ cat malformed-safelist.json | jq . >/dev/null
parse error: Invalid numeric literal at line 1, column 16
$

you’ll get back some kind of error.

The default json output format (pretty-printing, as seen above) takes a lot of lines to display, especially when you have a large safelist. To give each safelist entry a single line run the following (all on one line, even if wrapped in this document):

( echo '[' ; cat edited-safelist.json | jq -c '.[]' | sed -e '$!s/$/,/' ; echo ']' ) >safelist-perline.json

The safelist-perline.json contains the same content and is still a valid json file, but shows the safelist entries one per line, such as:

[
{"Name":"8075","Type":"asn","Modules":[{"Name":"Beacons","Src":false,"Dst":true}],"Comment":"Microsoft patching and time servers"},
{"Name":"41231","Type":"asn","Modules":[{"Name":"Beacons","Src":false,"Dst":true}],"Comment":"Ubuntu patching servers"},
{"Name":"16625","Type":"asn","Modules":[{"Name":"Beacons","Src":false,"Dst":true}],"Comment":"Akamai CDN"}
]
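
As an added example (not AC-Hunter's own tooling) that complements the jq checks above, the Python below parses a safelist, turns a syntax error into a message that names the likely cause (a single quote, or a comma after the final entry), checks that each entry has the structure shown at the top of this section (string Name and Type, a Modules list whose Src and Dst are lowercase booleans, an optional string Comment), and writes the one-entry-per-line form without a trailing comma so the output stays valid json. The sample safelists are constructed, and the structural rules are inferred from the excerpt above rather than taken from a published schema.

```python
import json

# Added example, not AC-Hunter's own tooling: validate a safelist against the
# formatting rules above and rewrite it one entry per line.

# Constructed sample safelists (modelled on the excerpt above, not copied from an install).
GOOD_SAFELIST = """[
  {"Name": "8075", "Type": "asn",
   "Modules": [{"Name": "Beacons", "Src": false, "Dst": true}],
   "Comment": "Microsoft patching and time servers"},
  {"Name": "41231", "Type": "asn",
   "Modules": [{"Name": "Beacons", "Src": false, "Dst": true}],
   "Comment": "Ubuntu patching servers"}
]
"""
# Single quotes instead of double quotes, as in the malformed file above.
BAD_QUOTES_SAFELIST = "[{'Name': '8075', 'Type': 'asn', 'Modules': []}]"
# Comma after the final entry, another common hand-editing mistake.
TRAILING_COMMA_SAFELIST = '[{"Name": "8075", "Type": "asn", "Modules": []},]'
# Valid JSON, but "Src" is a quoted string rather than the boolean false.
BAD_STRUCTURE_SAFELIST = ('[{"Name": "8075", "Type": "asn", '
                          '"Modules": [{"Name": "Beacons", "Src": "false", "Dst": true}]}]')


def parse_safelist(text):
    """Parse safelist JSON. On a syntax error raise ValueError with the line
    and column plus a hint naming the most common hand-editing mistake."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as e:
        hint = ""
        if text[e.pos:e.pos + 1] == "'":
            hint = " (single quote found; JSON strings must use double quotes)"
        elif text[:e.pos].rstrip().endswith(",") and text[e.pos:e.pos + 1] in ("]", "}"):
            hint = " (comma after the final entry in a list or dictionary)"
        raise ValueError("%s%s" % (e, hint)) from None


def check_structure(data):
    """Return a list of problems with the entry structure; empty means OK.
    The rules are inferred from the default safelist excerpt above."""
    if not isinstance(data, list):
        return ["top level must be a JSON list of entries"]
    problems = []
    for i, entry in enumerate(data):
        where = "entry %d" % i
        if not isinstance(entry, dict):
            problems.append(where + ": must be a JSON dictionary")
            continue
        for key in ("Name", "Type"):
            if not isinstance(entry.get(key), str):
                problems.append("%s: %r must be a string" % (where, key))
        modules = entry.get("Modules")
        if not isinstance(modules, list):
            problems.append(where + ": 'Modules' must be a list")
            continue
        for j, mod in enumerate(modules):
            mwhere = "%s module %d" % (where, j)
            if not isinstance(mod, dict) or not isinstance(mod.get("Name"), str):
                problems.append(mwhere + ": needs a string 'Name'")
                continue
            for flag in ("Src", "Dst"):
                if not isinstance(mod.get(flag), bool):
                    problems.append("%s: %r must be true or false (lowercase, unquoted)"
                                    % (mwhere, flag))
        if "Comment" in entry and not isinstance(entry["Comment"], str):
            problems.append(where + ": 'Comment' must be a string")
    return problems


def to_per_line(data):
    """Render one entry per line, as the jq/sed pipeline above does. The last
    entry gets no trailing comma, so the result is still valid JSON."""
    lines = [json.dumps(entry, separators=(",", ":")) for entry in data]
    return "[\n" + ",\n".join(lines) + "\n]\n"


if __name__ == "__main__":
    data = parse_safelist(GOOD_SAFELIST)
    print("structure problems:", check_structure(data) or "none")
    print(to_per_line(data), end="")
    for bad in (BAD_QUOTES_SAFELIST, TRAILING_COMMA_SAFELIST):
        try:
            parse_safelist(bad)
        except ValueError as e:
            print("parse error:", e)
    print("structure problems:", check_structure(parse_safelist(BAD_STRUCTURE_SAFELIST)))
```

To use it on a real file, read edited-safelist.json, call parse_safelist and check_structure, and only write to_per_line output once both come back clean.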

How Do I List All the AC-Hunter Web Server Accounts?

You can view all AC-Hunter Web User accounts from the command line. SSH into the system running AC-Hunter and run:

sudo hunt run --rm db_client mongo_cmd.sh "db.getSiblingDB('users').user.find({},{_id:0,email:1,active:1})" | grep email

This will output a list of all web/UI users.

(Note on the above command: from “sudo” to “grep email” is one line)

Adding a New AC-Hunter Web User

You can add a new user from the command line. SSH into the system running AC-Hunter and run:

sudo /opt/AC-Hunter/scripts/manage_web_user.sh add -u '[email protected]' -p 'newpassword'

Replace [email protected] and newpassword with the new username to add and the new password you wish to use. Both should be surrounded by single quotes.

Note: The username (-u) must be in the format of an email address.

Changing an Existing Web User Password

You can change an existing user’s password from the command line. SSH into the system running AC-Hunter and run:

sudo /opt/AC-Hunter/scripts/manage_web_user.sh reset -u '[email protected]' -p 'newpassword'

Replace [email protected] and newpassword with the username to modify and the new password you wish to use. Both should be surrounded by single quotes.

Note: The username (-u) must be in the format of an email address.