diff --git a/osect_sensor/Application/edge_tcpdump/common/__init__.py b/osect_sensor/Application/edge_tcpdump/common/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/osect_sensor/Application/edge_tcpdump/common/__pycache__/__init__.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/common/__pycache__/__init__.cpython-38.pyc
deleted file mode 100644
index 97f3588..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/common/__pycache__/__init__.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/common/__pycache__/app_config.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/common/__pycache__/app_config.cpython-38.pyc
deleted file mode 100644
index fd28d58..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/common/__pycache__/app_config.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/common/app_config.py b/osect_sensor/Application/edge_tcpdump/common/app_config.py
deleted file mode 100644
index 3831e10..0000000
--- a/osect_sensor/Application/edge_tcpdump/common/app_config.py
+++ /dev/null
@@ -1,21 +0,0 @@
-SLEEP_TIME = 60
-""" 監視インターバル """
-
-TCPDUMP_SHELL_COMMAND = [
- "/usr/sbin/tcpdump",
- "-w",
- "realtime-%F-%T.pcap",
- "-G",
- "60",
- "-ni",
- "enp1s0",
- "-s",
- "0",
- "-Z",
- "root",
- "-z",
- "/opt/ot_tools/capture.sh",
-]
-""" tcpdumpの起動shellコマンド """
-
-REMOVE_PCAP_FILE = "realtime-*.pcap"
diff --git a/osect_sensor/Application/edge_tcpdump/manage.py b/osect_sensor/Application/edge_tcpdump/manage.py
deleted file mode 100755
index 80247d0..0000000
--- a/osect_sensor/Application/edge_tcpdump/manage.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python
-"""Django's command-line utility for administrative tasks."""
-import os
-import sys
-
-
-def main():
- os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'sc_tcpdump.settings')
- try:
- from django.core.management import execute_from_command_line
- except ImportError as exc:
- raise ImportError(
- "Couldn't import Django. Are you sure it's installed and "
- "available on your PYTHONPATH environment variable? Did you "
- "forget to activate a virtual environment?"
- ) from exc
- execute_from_command_line(sys.argv)
-
-
-if __name__ == '__main__':
- main()
diff --git a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__init__.py b/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/__init__.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/__init__.cpython-38.pyc
deleted file mode 100644
index 79949d8..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/__init__.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/settings.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/settings.cpython-38.pyc
deleted file mode 100644
index 15e327e..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/settings.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/urls.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/urls.cpython-38.pyc
deleted file mode 100644
index fc12e76..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/__pycache__/urls.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/settings.py b/osect_sensor/Application/edge_tcpdump/sc_tcpdump/settings.py
deleted file mode 100644
index b23946d..0000000
--- a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/settings.py
+++ /dev/null
@@ -1,110 +0,0 @@
-"""
-Django settings for sc_tcpdump project.
-Generated by 'django-admin startproject' using Django 2.2.3.
-For more information on this file, see
-https://docs.djangoproject.com/en/2.2/topics/settings/
-For the full list of settings and their values, see
-https://docs.djangoproject.com/en/2.2/ref/settings/
-"""
-
-import os
-
-# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
-BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-
-
-# Quick-start development settings - unsuitable for production
-# See https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/
-
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = ""
-
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = False
-
-ALLOWED_HOSTS = []
-
-
-# Application definition
-
-INSTALLED_APPS = [
- "tcpdump.apps.TcpdumpConfig",
- "django.contrib.admin",
- "django.contrib.auth",
- "django.contrib.contenttypes",
- # 'django.contrib.sessions',
- "django.contrib.messages",
- # 'django.contrib.staticfiles',
-]
-
-MIDDLEWARE = [
- "django.middleware.security.SecurityMiddleware",
- "django.contrib.sessions.middleware.SessionMiddleware",
- "django.middleware.common.CommonMiddleware",
- "django.middleware.csrf.CsrfViewMiddleware",
- "django.contrib.auth.middleware.AuthenticationMiddleware",
- "django.contrib.messages.middleware.MessageMiddleware",
- "django.middleware.clickjacking.XFrameOptionsMiddleware",
-]
-
-ROOT_URLCONF = "sc_tcpdump.urls"
-
-TEMPLATES = [
- {
- "BACKEND": "django.template.backends.django.DjangoTemplates",
- "DIRS": [],
- "APP_DIRS": True,
- "OPTIONS": {
- "context_processors": [
- "django.template.context_processors.debug",
- "django.template.context_processors.request",
- "django.contrib.auth.context_processors.auth",
- "django.contrib.messages.context_processors.messages",
- ],
- },
- },
-]
-
-WSGI_APPLICATION = "sc_tcpdump.wsgi.application"
-
-
-# Database
-# 
https://docs.djangoproject.com/en/2.2/ref/settings/#databases
-
-# Password validation
-# https://docs.djangoproject.com/en/2.2/ref/settings/#auth-password-validators
-
-AUTH_PASSWORD_VALIDATORS = [
- {
- "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
- },
- {
- "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
- },
- {
- "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
- },
- {
- "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator",
- },
-]
-
-
-# Internationalization
-# https://docs.djangoproject.com/en/2.2/topics/i18n/
-
-LANGUAGE_CODE = "ja"
-
-TIME_ZONE = "Asia/Tokyo"
-
-USE_I18N = True
-
-USE_L10N = True
-
-USE_TZ = False
-
-
-# Static files (CSS, JavaScript, Images)
-# https://docs.djangoproject.com/en/2.2/howto/static-files/
-
-STATIC_URL = "/static/"
diff --git a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/urls.py b/osect_sensor/Application/edge_tcpdump/sc_tcpdump/urls.py
deleted file mode 100644
index f5ea61a..0000000
--- a/osect_sensor/Application/edge_tcpdump/sc_tcpdump/urls.py
+++ /dev/null
@@ -1,20 +0,0 @@
-"""sc_tcpdump URL Configuration
-
-The `urlpatterns` list routes URLs to views. For more information please see:
- https://docs.djangoproject.com/en/2.2/topics/http/urls/
-Examples:
-Function views
- 1. Add an import: from my_app import views
- 2. Add a URL to urlpatterns: path('', views.home, name='home')
-Class-based views
- 1. Add an import: from other_app.views import Home
- 2. Add a URL to urlpatterns: path('', Home.as_view(), name='home')
-Including another URLconf
- 1. Import the include() function: from django.urls import include, path
- 2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
-"""
-from django.contrib import admin
-from django.urls import path
-
-urlpatterns = []
-
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/__init__.py b/osect_sensor/Application/edge_tcpdump/tcpdump/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/__pycache__/__init__.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/tcpdump/__pycache__/__init__.cpython-38.pyc
deleted file mode 100644
index 9886570..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/tcpdump/__pycache__/__init__.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/__pycache__/apps.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/tcpdump/__pycache__/apps.cpython-38.pyc
deleted file mode 100644
index 28ca696..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/tcpdump/__pycache__/apps.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/apps.py b/osect_sensor/Application/edge_tcpdump/tcpdump/apps.py
deleted file mode 100644
index db4167b..0000000
--- a/osect_sensor/Application/edge_tcpdump/tcpdump/apps.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from django.apps import AppConfig
-
-
-class TcpdumpConfig(AppConfig):
- name = 'tcpdump'
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/management/__init__.py b/osect_sensor/Application/edge_tcpdump/tcpdump/management/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/management/__pycache__/__init__.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/tcpdump/management/__pycache__/__init__.cpython-38.pyc
deleted file mode 100644
index edf4b2a..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/tcpdump/management/__pycache__/__init__.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__init__.py b/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__pycache__/__init__.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__pycache__/__init__.cpython-38.pyc
deleted file mode 100644
index 8b7efd7..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__pycache__/__init__.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__pycache__/tcpdump_control.cpython-38.pyc b/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__pycache__/tcpdump_control.cpython-38.pyc
deleted file mode 100644
index 24c5980..0000000
Binary files a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/__pycache__/tcpdump_control.cpython-38.pyc and /dev/null differ
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/tcpdump_control.py b/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/tcpdump_control.py
deleted file mode 100644
index b12a2c6..0000000
--- a/osect_sensor/Application/edge_tcpdump/tcpdump/management/commands/tcpdump_control.py
+++ /dev/null
@@ -1,31 +0,0 @@
-import time
-from django.core.management import BaseCommand
-from subprocess import Popen, DEVNULL
-from common.app_config import SLEEP_TIME, TCPDUMP_SHELL_COMMAND
-
-
-class Command(BaseCommand):
- # python manage.py help control tcpdumpで表示されるメッセージ
- help = "control tcpdump"
-
- # コマンドが実行された際に呼ばれるメソッド
- def handle(self, *args, **options):
- """
- tcpdumpの起動と停止をコントロールする。
- :param args:
- :param options:
- """
- proc = None
- while True:
- try:
- # 起動状態で起動されていない場合は起動する
- if proc is None:
- proc = Popen(
- TCPDUMP_SHELL_COMMAND,
- stdin=DEVNULL,
- stdout=DEVNULL,
- stderr=DEVNULL,
- )
- except:
- pass
- time.sleep(SLEEP_TIME)
diff --git a/osect_sensor/Application/edge_tcpdump/tcpdump/migrations/__init__.py b/osect_sensor/Application/edge_tcpdump/tcpdump/migrations/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/osect_sensor/Infrastructure/edge_cron/work/ot_tools/tsharkfields2bacnetservicelog_dict.awk b/osect_sensor/Infrastructure/edge_cron/work/ot_tools/tsharkfields2bacnetservicelog_dict.awk
deleted file mode 100755
index 4d35f07..0000000
--- a/osect_sensor/Infrastructure/edge_cron/work/ot_tools/tsharkfields2bacnetservicelog_dict.awk
+++ /dev/null
@@ -1,209 +0,0 @@
-#!/usr/bin/awk -f
-
-BEGIN {
- FS = "\t"
- OFS = "\t"
-
- BACnetUnconfirmedServiceChoice[0] = "i-Am"
- BACnetUnconfirmedServiceChoice[1] = "i-Have"
- BACnetUnconfirmedServiceChoice[2] = "unconfirmedCOVNotification"
- BACnetUnconfirmedServiceChoice[3] = "unconfirmedEventNotification"
- BACnetUnconfirmedServiceChoice[4] = "unconfirmedPrivateTransfer"
- BACnetUnconfirmedServiceChoice[5] = "unconfirmedTextMessage"
- BACnetUnconfirmedServiceChoice[6] = "timeSynchronization"
- BACnetUnconfirmedServiceChoice[7] = "who-Has"
- BACnetUnconfirmedServiceChoice[8] = "who-Is"
- BACnetUnconfirmedServiceChoice[9] = "utcTimeSynchronization"
- BACnetUnconfirmedServiceChoice[10] = "writeGroup"
- BACnetUnconfirmedServiceChoice[11] = "unconfirmedCovNotificationMultiple"
- BACnetUnconfirmedServiceChoice[12] = "unconfirmedAuditNotification"
-
- BACnetConfirmedServiceChoice[0] = "acknowledgeAlarm"
- BACnetConfirmedServiceChoice[1] = "confirmedCOVNotification"
- BACnetConfirmedServiceChoice[2] = "confirmedEventNotification"
- BACnetConfirmedServiceChoice[3] = "getAlarmSummary"
- BACnetConfirmedServiceChoice[4] = "getEnrollmentSummary"
- BACnetConfirmedServiceChoice[5] = "subscribeCOV"
- BACnetConfirmedServiceChoice[6] = "atomicReadFile"
- BACnetConfirmedServiceChoice[7] = "atomicWriteFile"
- BACnetConfirmedServiceChoice[8] = "addListElement"
- BACnetConfirmedServiceChoice[9] = "removeListElement"
- BACnetConfirmedServiceChoice[10] = "createObject"
- BACnetConfirmedServiceChoice[11] = "deleteObject"
- BACnetConfirmedServiceChoice[12] = "readProperty"
- BACnetConfirmedServiceChoice[13] = "readPropertyConditional"
- BACnetConfirmedServiceChoice[14] = "readPropertyMultiple"
- BACnetConfirmedServiceChoice[15] = "writeProperty"
- BACnetConfirmedServiceChoice[16] = "writePropertyMultiple"
- BACnetConfirmedServiceChoice[17] = "deviceCommunicationControl"
- BACnetConfirmedServiceChoice[18] = "confirmedPrivateTransfer"
- BACnetConfirmedServiceChoice[19] = "confirmedTextMessage"
-
BACnetConfirmedServiceChoice[20] = "reinitializeDevice"
- BACnetConfirmedServiceChoice[21] = "vtOpen"
- BACnetConfirmedServiceChoice[22] = "vtClose"
- BACnetConfirmedServiceChoice[23] = "vtData"
- BACnetConfirmedServiceChoice[24] = "authenticate"
- BACnetConfirmedServiceChoice[25] = "requestKey"
- BACnetConfirmedServiceChoice[26] = "readRange"
- BACnetConfirmedServiceChoice[27] = "lifeSafetyOperation"
- BACnetConfirmedServiceChoice[28] = "subscribeCOVProperty"
- BACnetConfirmedServiceChoice[29] = "getEventInformation"
- BACnetConfirmedServiceChoice[30] = "subscribeCovPropertyMultiple"
- BACnetConfirmedServiceChoice[31] = "confirmedCovNotificationMultiple"
- BACnetConfirmedServiceChoice[32] = "confirmedAuditNotification"
- BACnetConfirmedServiceChoice[33] = "auditLogQuery"
-
- BACnetTypeName[0] = "Confirmed-REQ"
- BACnetTypeName[1] = "Unconfirmed-REQ"
- BACnetTypeName[2] = "Simple-ACK"
- BACnetTypeName[3] = "Complex-ACK"
- BACnetTypeName[4] = "Segment-ACK"
- BACnetTypeName[5] = "Error"
- BACnetTypeName[6] = "Reject"
- BACnetTypeName[7] = "Abort"
-
- BACnetObjectType[0] = "analog-input"
- BACnetObjectType[1] = "analog-output"
- BACnetObjectType[2] = "analog-value"
- BACnetObjectType[3] = "binary-input"
- BACnetObjectType[4] = "binary-output"
- BACnetObjectType[5] = "binary-value"
- BACnetObjectType[6] = "calendar"
- BACnetObjectType[7] = "command"
- BACnetObjectType[8] = "device"
- BACnetObjectType[9] = "event-enrollment"
- BACnetObjectType[10] = "file"
- BACnetObjectType[11] = "group"
- BACnetObjectType[12] = "loop"
- BACnetObjectType[13] = "multi-state-input"
- BACnetObjectType[14] = "multi-state-output"
- BACnetObjectType[15] = "notification-class"
- BACnetObjectType[16] = "program"
- BACnetObjectType[17] = "schedule"
- BACnetObjectType[18] = "averaging"
- BACnetObjectType[19] = "multi-state-value"
- BACnetObjectType[20] = "trend-log"
- BACnetObjectType[21] = "life-safety-point"
- BACnetObjectType[22] = "life-safety-zone"
- BACnetObjectType[23] = "accumulator"
-
BACnetObjectType[24] = "pulse-converter"
- BACnetObjectType[25] = "event-log"
- BACnetObjectType[26] = "global-group"
- BACnetObjectType[27] = "trend-log-multiple"
- BACnetObjectType[28] = "load-control"
- BACnetObjectType[29] = "structured-view"
- BACnetObjectType[30] = "access-door"
- BACnetObjectType[31] = "timer"
- BACnetObjectType[32] = "access-credential"
- BACnetObjectType[33] = "access-point"
- BACnetObjectType[34] = "access-rights"
- BACnetObjectType[35] = "access-user"
- BACnetObjectType[36] = "access-zone"
- BACnetObjectType[37] = "credential-data-input"
- BACnetObjectType[38] = "network-security"
- BACnetObjectType[39] = "bitstring-value"
- BACnetObjectType[40] = "characterstring-value"
- BACnetObjectType[41] = "date-pattern-value"
- BACnetObjectType[42] = "date-value"
- BACnetObjectType[43] = "datetime-pattern-value"
- BACnetObjectType[44] = "datetime-value"
- BACnetObjectType[45] = "integer-value"
- BACnetObjectType[46] = "large-analog-value"
- BACnetObjectType[47] = "octetstring-value"
- BACnetObjectType[48] = "positive-integer-value"
- BACnetObjectType[49] = "time-pattern-value"
- BACnetObjectType[50] = "time-value"
- BACnetObjectType[51] = "notification-forwarder"
- BACnetObjectType[52] = "alert-enrollment"
- BACnetObjectType[53] = "channel"
- BACnetObjectType[54] = "lighting-output"
- BACnetObjectType[55] = "reserved-obj-type-55"
- BACnetObjectType[56] = "network-port"
- BACnetObjectType[57] = "elevator-group"
- BACnetObjectType[58] = "escalator"
- BACnetObjectType[59] = "lift"
- BACnetObjectType[60] = "staging"
- BACnetObjectType[61] = "audit-log"
- BACnetObjectType[62] = "audit-reporter"
-
- print("#ts", "src", "dst", "resp_p", "cmd", "apdutype", "objtype")
-}
-{
- if (NF != 10) {
- next;
- }
-
- timestamp = $1
-
- if (length($2) != 0 && length($3) != 0) {
- ip_src = $2
- ip_dst = $3
-
- } else if (length($4) != 0 && length($5) != 0) {
- ip_src = $4
- ip_dst = $5
-
- } else {
- next
- }
-
- udp_dstport = $6
-
- bacapp_type = $7
-
bacapp_confirmed_service = $8
- bacapp_unconfirmed_service = $9
-
- if (bacapp_type == 0 || bacapp_type == 3) {
- service = BACnetConfirmedServiceChoice[bacapp_confirmed_service] " ("bacapp_confirmed_service")"
-
- } else if (bacapp_type == 1) {
- service = BACnetUnconfirmedServiceChoice[bacapp_unconfirmed_service] " ("bacapp_unconfirmed_service")"
-
- } else {
- next
-
- }
-
- if (length($10) == 0) {
- bacapp_objectType = "None"
- print(timestamp, ip_src, ip_dst, service, udp_dstport, BACnetTypeName[bacapp_type] " (" bacapp_type ")", bacapp_objectType)
- next
- } else {
- bacapp_objectType = $10
- }
-
- split(bacapp_objectType, object_list, ",")
-
- #split("", object_hash)
- #for (i = 1; i <= length(object_list); i++ ) {
- # object_hash[object_list[i]] = 0
- #}
-
-
- n = asort(object_list)
-
- if (object_list[1] < 128) {
- object_str = BACnetObjectType[object_list[1]]
- } else {
- object_str = "(" object_list[1] ") Vendor Proprietary Value"
- }
- print(timestamp, ip_src, ip_dst, service, udp_dstport, BACnetTypeName[bacapp_type] " (" bacapp_type ")", object_str)
-
- for (i = 2; i <= n; i++) {
- if (object_list[i-1] != object_list[i]) {
- if (object_list[i] < 128) {
- object_str = BACnetObjectType[object_list[i]]
- } else {
- object_str = "(" object_list[i] ") Vendor Proprietary Value"
- }
- print(timestamp, ip_src, ip_dst, service, udp_dstport, BACnetTypeName[bacapp_type] " (" bacapp_type ")", object_str)
- }
-
- }
-}
-
-
-END {
-
-}
-
diff --git a/osect_sensor/README.md b/osect_sensor/README.md
index 60490c6..60b08e5 100644
--- a/osect_sensor/README.md
+++ b/osect_sensor/README.md
@@ -6,7 +6,7 @@ - [OKI AIエッジコンピューター「AE2100」](https://www.oki.com/jp/AIedge/) -また、Ubuntu 18.04.5 LTSおよびUbuntu 20.04.3 LTSで動作確認済みです。 +また、Ubuntu 18.04.5 LTSおよびUbuntu 20.04.5 LTSで動作確認済みです。 本手順書では、ホームディレクトリ直下(`~/osect_sensor`)にインストールすることとしています。別のディレクトリにインストールする場合、パスを読み替えてください。 
@@ -80,27 +80,9 @@ $ mv ~/OsecT/osect_sensor ~/ ### 3.1. 監視ネットワークインタフェースの設定 -設定箇所は4箇所です。 +設定箇所は3箇所です。 -1箇所目:設定ファイルを編集し、監視ネットワークを指定します。 - -```bash -$ vi ~/osect_sensor/Application/edge_tcpdump/common/app_config.py -``` - -編集箇所 - -```python -TCPDUMP_SHELL_COMMAND = ['/usr/sbin/tcpdump', '-w', 'realtime-%F-%T.pcap', '-G', '60', '-ni', 'enp0s3', '-s', '0', '-z', '/opt/ot_tools/capture.sh'] -```` - -編集例:監視ネットワークインタフェースがenp0s8の場合 - -```python -TCPDUMP_SHELL_COMMAND = ['/usr/sbin/tcpdump', '-w', 'realtime-%F-%T.pcap', '-G', '60', '-ni', 'enp0s8', '-s', '0', '-z', '/opt/ot_tools/capture.sh'] -``` - -2箇所目:crontabを編集し、監視ネットワークを指定します。 +1箇所目:crontabを編集し、監視ネットワークを指定します。 ```bash $ vi ~/osect_sensor/conf/crontab @@ -109,17 +91,17 @@ $ vi ~/osect_sensor/conf/crontab 編集箇所 ```bash -@reboot /usr/bin/suricata -c /opt/ot_tools/suricata.yaml -i eth1 > /dev/null 2>&1 -@reboot /opt/p0f/bin/p0f-k -f /opt/p0f/etc/p0f-k.fp -i eth1 -O /var/log/p0f-k.log > /dev/null 2>&1 -@reboot /usr/local/bin/yaf --mac --live pcap --in eth1 --rotate 60 --out /var/log/yaf/flow +* * * * * /opt/ot_tools/suricata_cron.sh enp1s0 > /dev/null 2>&1 +* * * * * /opt/ot_tools/p0f_cron.sh enp1s0 > /dev/null 2>&1 +* * * * * /opt/ot_tools/yaf_cron.sh enp1s0 > /dev/null 2>&1 ``` 編集例:監視ネットワークインタフェースがenp0s8の場合 ```bash -@reboot /usr/bin/suricata -c /opt/ot_tools/suricata.yaml -i enp0s8 > /dev/null 2>&1 -@reboot /opt/p0f/bin/p0f-k -f /opt/p0f/etc/p0f-k.fp -i enp0s8 -O /var/log/p0f-k.log > /dev/null 2>&1 -@reboot /usr/local/bin/yaf --mac --live pcap --in enp0s8 --rotate 60 --out /var/log/yaf/flow +* * * * * /opt/ot_tools/suricata_cron.sh enp0s8 > /dev/null 2>&1 +* * * * * /opt/ot_tools/p0f_cron.sh enp0s8 > /dev/null 2>&1 +* * * * * /opt/ot_tools/yaf_cron.sh enp0s8 > /dev/null 2>&1 ``` 3箇所目:suricata.yamlを編集し、監視ネットワークを指定します。 diff --git a/osect_sensor/docker-compose.yml b/osect_sensor/docker-compose.yml index e708422..8252341 100644 --- a/osect_sensor/docker-compose.yml +++ b/osect_sensor/docker-compose.yml 
@@ -10,7 +10,6 @@ services: - ./keys/client.pem:/etc/ssl/private/client.pem - ./conf/suricata_update.conf:/etc/suricata_update.conf - ./conf/suricata.yaml:/opt/ot_tools/suricata.yaml # suricata realtime - - ./conf/logrotate_p0f.conf:/etc/logrotate_p0f.conf # p0f realtime - ./conf/crontab:/root/crontab - ./conf/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg # zeek realtime - ./conf/node.cfg:/opt/zeek/etc/node.cfg # zeek realtime @@ -37,4 +36,4 @@ volumes: driver_opts: type: local device: ./logs/ottools - o: bind \ No newline at end of file + o: bind diff --git a/osect_sensor/logs/pcap/.gitkeep b/osect_sensor/logs/pcap/.gitkeep deleted file mode 100644 index e69de29..0000000
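Review bot: Removing the `./conf/logrotate_p0f.conf` mount in the first hunk leaves no rotation visible in this compose file for the p0f output log, while the README change in the same commit still launches p0f from cron every minute via `/opt/ot_tools/p0f_cron.sh`; unless that script truncates or rotates its own output, the log can grow without bound on a long-running sensor, which is an availability concern for the capture host. If the cron script does take over rotation, a one-line comment next to the `./conf/crontab` mount, `# p0f log rotation: handled by p0f_cron.sh, logrotate_p0f.conf no longer mounted`, would make the removal self-explanatory to the next operator. The enclosing `volumes:` list of the service starts before the hunk, so any remaining rotation-related mount outside these lines is not visible here.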