How Do I List All the AC-Hunter Web Server Accounts?

You can view all AC-Hunter Web User accounts from the command line. SSH into the system running AC-Hunter and run:

sudo hunt run --rm db_client mongo_cmd.sh "db.getSiblingDB('users').user.find({},{_id:0,email:1,active:1})" | grep email

This prints one line per web/UI account, showing the account's email address (its username) and its active flag.

(Note on the above command: everything from “sudo” to “grep email” is a single line.)

Adding a New AC-Hunter Web User

You can add a new user from the command line. SSH into the system running AC-Hunter and run:

sudo /opt/AC-Hunter/scripts/manage_web_user.sh add -u '[email protected]' -p 'newpassword'

Replace [email protected] and newpassword with the username to add and the password you wish to use. Both should be surrounded by single quotes so that the shell passes characters such as $, ! or * through unchanged; a password that itself contains a single quote cannot be wrapped this way and needs a different password or different quoting.

Note: the username (-u) must be in the form of an email address.

Caveat: because the password is given as a command-line argument, it is recorded in the shell history and is visible to any local user who lists processes while the script runs. Keep it out of history (for example, prefix the command with a space when HISTCONTROL includes ignorespace) or delete the entry from history afterwards.

Changing an Existing Web User Password

You can change an existing user's password from the command line. SSH into the system running AC-Hunter and run:

sudo /opt/AC-Hunter/scripts/manage_web_user.sh reset -u '[email protected]' -p 'newpassword'

Replace [email protected] and newpassword with the username to modify and the new password you wish to use. Both should be surrounded by single quotes so that the shell passes special characters through unchanged. As with adding a user, the password appears in the shell history and in the process list while the script runs, so keep it out of history or remove the entry afterwards.

Note: the username (-u) must be in the form of an email address.

Troubleshooting Syslog Alerting

If you are not receiving syslog events, refer to the AC-Hunter Troubleshooting Alerting document (PDF):

AC-Hunter Troubleshooting Alerting Document

What Software Versions Am I Running?

Run the following commands on the AC-Hunter system. The two hunt commands are written as ./hunt, so run them from the directory that contains the hunt script (the rest of this page invokes it as sudo hunt, which works when the script is on the PATH):

cat /opt/AC-Hunter/VERSION
./hunt run --rm api rita --version
./hunt run --rm db mongo --version

The “cat” command returns the AC-Hunter version, while the two hunt commands report the versions of RITA and MongoDB on the system.

Removing Old Docker Images

From the AC-Hunter system, run:

sudo docker image prune

This removes only dangling images (untagged images left behind when a newer image took over the tag) and asks for confirmation first. Images that are still tagged but unused, such as those left behind by earlier AC-Hunter releases, are kept; review them with sudo docker images, and only use the broader sudo docker image prune -a (which deletes every image not referenced by a running or stopped container) once you are sure nothing still needs them.

Update Internal Address Space or DNS Servers

sudo vim /etc/AC-Hunter/rita.yaml

Edit the values after InternalSubnets (your internal address space) and/or AlwaysInclude (hosts, such as your DNS servers, that should always be included in the analysis). Be careful to use double quotes around each entry, leave no spaces between the left bracket and the right bracket, and always put a /32 after individual IP addresses (or the appropriate prefix length after network blocks). Once saved, activate the changes by running:

sudo hunt up -d --force-recreate

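As an added check, not part of AC-Hunter or its documentation, the following bash script validates the InternalSubnets and AlwaysInclude lists against the rules above (double-quoted entries, no spaces inside the brackets, a /prefix on every address) before you run hunt up. The rita.yaml fragments it writes to temporary files are constructed for the example, including the Filtering: parent key, and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not AC-Hunter code: check the InternalSubnets / AlwaysInclude
# lists in a rita.yaml before running "hunt up", so that a missing "/32", a
# stray space or an unquoted address is caught here rather than by RITA.

# valid_cidr_entry ENTRY
#   ENTRY must be exactly "a.b.c.d/n" including the double quotes, with each
#   octet 0-255 and a prefix length 0-32.  A bare address without /n fails,
#   which is the "/32 after individual IP addresses" rule.
valid_cidr_entry() {
    local entry="$1" ip prefix octet
    local re='^"([0-9]{1,3}(\.[0-9]{1,3}){3})/([0-9]{1,2})"$'
    [[ $entry =~ $re ]] || return 1
    ip=${BASH_REMATCH[1]}
    prefix=${BASH_REMATCH[3]}
    (( 10#$prefix <= 32 )) || return 1          # 10# avoids octal for "08"
    local IFS=.
    for octet in $ip; do
        (( 10#$octet <= 255 )) || return 1
    done
    return 0
}

# check_cidr_list KEY FILE
#   Locates "KEY: [...]" in FILE and verifies the list is bracketed, has no
#   spaces inside the brackets, and every comma-separated entry passes
#   valid_cidr_entry.  Prints each problem to stderr; returns 0 only if clean.
check_cidr_list() {
    local key="$1" file="$2" line list entry status=0
    line=$(grep -E "^[[:space:]]*${key}:" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$key: not found in $file" >&2
        return 1
    fi
    list=${line#*:}                              # drop "KEY:"
    list=${list#"${list%%[![:space:]]*}"}        # trim leading whitespace
    list=${list%"${list##*[![:space:]]}"}        # trim trailing whitespace
    case $list in
        \[*\]) ;;
        *) echo "$key: value must be enclosed in [ ]" >&2; return 1 ;;
    esac
    case $list in
        *' '*) echo "$key: no spaces allowed inside the brackets" >&2; status=1 ;;
    esac
    list=${list#\[}
    list=${list%\]}
    [ -n "$list" ] || return "$status"           # an empty list is legal
    local IFS=,
    for entry in $list; do
        if ! valid_cidr_entry "$entry"; then
            echo "$key: bad entry $entry (need \"a.b.c.d/n\")" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample fragments for the demo (not real rita.yaml files).
GOOD_YAML=$(mktemp)
BAD_YAML=$(mktemp)
cat >"$GOOD_YAML" <<'EOF'
Filtering:
    InternalSubnets: ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]
    AlwaysInclude: ["10.0.0.53/32","10.0.1.53/32"]
EOF
cat >"$BAD_YAML" <<'EOF'
Filtering:
    InternalSubnets: ["10.0.0.0/8", 172.16.0.0/12]
    AlwaysInclude: ["10.0.0.53"]
EOF

# Run the check the way you would before "sudo hunt up -d --force-recreate".
for f in "$GOOD_YAML" "$BAD_YAML"; do
    for key in InternalSubnets AlwaysInclude; do
        if check_cidr_list "$key" "$f"; then
            echo "$f: $key OK"
        else
            echo "$f: $key needs fixing before hunt up"
        fi
    done
done
```

Point check_cidr_list at /etc/AC-Hunter/rita.yaml instead of the constructed files to check a real edit; the second sample shows the two mistakes the page warns about (a space after a comma and a host without /32) being flagged.
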

Change Zeek Sensor Name (and its database name in AC-Hunter)

By default, a sensor is named “hostname__ipaddress”. To force a name for a sensor (this name is also used as the sensor's database name in AC-Hunter), edit /etc/rita/agent.yaml on the Zeek sensor. Use the following commands, as the file and its parent directory may not exist yet:

sudo mkdir -p /etc/rita
sudo vim /etc/rita/agent.yaml

Feel free to use any editor in place of vim, above. You’ll need to add a line to that file of this form:

Name: custom_sensor_name

The only characters you can use for the name are upper and lowercase letters, digits, the underscore, caret, plus and equals; hyphens and dots are not allowed, so a hostname such as branch-office-01 has to be rewritten (for example as branch_office_01) before it can be used. The entire name needs to be 52 characters or less.

Here’s a sample:

sudo cat /etc/rita/agent.yaml
Name: zeek_sensor_A17

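An added bash example (not AC-Hunter code) that checks a candidate name against these rules before it is written to agent.yaml. The function names and the sample names are the example's own, and the demo writes to a temporary file rather than to /etc/rita/agent.yaml.

```bash
#!/usr/bin/env bash
# Added example, not AC-Hunter code: validate a proposed Zeek sensor name
# against the rules above (letters, digits, "_", "^", "+", "="; at most 52
# characters) before writing it into /etc/rita/agent.yaml.

# valid_sensor_name NAME -> 0 if acceptable, 1 otherwise (reason on stderr)
valid_sensor_name() {
    local name="$1"
    local re='^[A-Za-z0-9_^+=]+$'      # "^" inside [] is literal when not first
    if [ -z "$name" ]; then
        echo "sensor name is empty" >&2
        return 1
    fi
    if [ "${#name}" -gt 52 ]; then
        echo "sensor name is ${#name} characters; the limit is 52" >&2
        return 1
    fi
    if ! [[ $name =~ $re ]]; then
        echo "sensor name '$name' uses characters outside [A-Za-z0-9_^+=]" >&2
        return 1
    fi
    return 0
}

# write_agent_yaml NAME FILE
#   Writes "Name: NAME" to FILE, creating the parent directory, but only if
#   the name validates.  On a sensor FILE is /etc/rita/agent.yaml (run with
#   sudo); the demo below uses a temporary file so it runs anywhere.
write_agent_yaml() {
    local name="$1" file="$2"
    valid_sensor_name "$name" || return 1
    mkdir -p "$(dirname "$file")" || return 1
    printf 'Name: %s\n' "$name" >"$file"
}

# Demo with constructed names.  Hyphens and dots are common in hostnames and
# are the usual reason a name is rejected.
for candidate in zeek_sensor_A17 'site^a+b=c' branch-office-01 sensor.example.com; do
    if valid_sensor_name "$candidate"; then
        echo "OK     $candidate"
    else
        echo "REJECT $candidate"
    fi
done

TMP_AGENT=$(mktemp)
write_agent_yaml zeek_sensor_A17 "$TMP_AGENT" && cat "$TMP_AGENT"
```

On a real sensor, call write_agent_yaml with /etc/rita/agent.yaml as the file (under sudo); a rejected name leaves the existing file untouched.
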