TheHive, Cortex & MISP Installation Using Docker Compose - Virtual Lab Building Series: Ep10

  • Published 15 Jun 2022
  • Hey all and welcome to my channel! In Episode 10 of our cyber security virtual lab building series, we are going to install TheHive, Cortex and MISP as Docker containers, leveraging the Docker Compose tool and a YAML file to define our deployment.
    To recap, TheHive is a security incident response platform (SIRP) used by cyber security professionals to manage and track incidents on a case-by-case basis. Cortex and MISP are platforms that provide us with intelligence after analysis of any observables, such as IP addresses, hostnames, etc., that we may see during the incident.
    There are many approaches to installing these platforms; however, for a quick and easy lab setup I have chosen to deploy a Docker container for each service.
    This is part 1 of the installation. Stay tuned: in the next video session I will complete all the integrations of these platforms, as well as revisit the Wazuh instance we installed in the previous video and integrate it with these systems.
    If you have been enjoying this series so far, please don't forget to like and subscribe!
    Links used in video:
    www.docker.com/resources/what...
    docs.docker.com/compose/
    github.com/coolacid/docker-misp
    hub.docker.com/r/strangebee/t...
    hub.docker.com/_/redis
    hub.docker.com/_/cassandra
    hub.docker.com/_/elasticsearch
    hub.docker.com/r/thehiveproje...
    docs.strangebee.com/thehive/s...
    ****UPDATED DOCKER COMPOSE .YAML****
    github.com/ls111-cybersec/the...
    **OLD VERSION (in case the changes need to be referenced)**
    Docker-Compose Configuration File: ls111.me/thehive-cortex-misp-...
    NOTE: I am not sponsored by or affiliated with any of the products or services mentioned in this video; all opinions are my own, based on personal experience.
    DISCLAIMER: All information, techniques and tools showcased in these videos are for educational and ethical penetration testing purposes ONLY. NEVER attempt to use this information to gain unauthorized access to systems without the EXPLICIT consent of its owners. This is a punishable offense by law in most countries.
    #thehive #cortex #docker #misp #cybersecurity #soc

COMMENTS • 57

  • @ls111cyberEd  10 months ago +3

    Hi All, just a quick update from me, because a few things have changed since I created this video, you can find an updated version of this docker-compose.yml file on my GitHub, which will hopefully iron out any issues you may have while completing this.
    github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update/blob/main/docker-compose.yml

    • @user-jd3jg1gx6b  9 months ago +3

      MISP does not start, it stays loading in Firefox and never appears

    • @nawfaljamaleddine4840  4 months ago +1

      I have the same problem, have you found the problem? @user-jd3jg1gx6b

    • @carlostuozzo4997  3 months ago

      @user-jd3jg1gx6b I had the same issue; in my case it worked to change the 10.0.x IP of MISP in the docker-compose file to the public IP assigned to the host running the services.

  • @Thit-Rang-Chay-Canh  1 year ago

    I'm waiting for Ep11! Thank you so much!!!

    • @Thit-Rang-Chay-Canh  1 year ago

      I'm waiting for Ep12! Thank you so much!!! @LS11 Cyber Security Education

  • @georgewere100  2 years ago

    Just what I was looking for! Thank you for uploading.

    • @georgewere100  2 years ago

      Hi, so I tried installing following your tutorial, but instead of strangebee/thehive I used thehiveproject/thehive4. Everything installed well and I can see all the containers are up and services listening on the designated ports. My problem is when I try to browse the server's IP in the browser I get nothing on both http and https, that is for TheHive and MISP. Cortex loads but I can't get past the update database. What could I be missing?

    • @ls111cyberEd  2 years ago

      Hi George, two things come to mind. It sounds like your containers are not communicating correctly on the container internal network. Double check that all your containers have been joined to the SOC_NET network like I use in my docker-compose.yml file. The other thing is that because you are using a different TheHive image (version 4), the entrypoint script used by the Docker container in version 4 may not be accepting or interpreting all the setup commands we are providing in the command section, which links up the databases and other services correctly. With previous versions of TheHive you had to supply an application.conf file which includes all the setup for Cassandra, Elasticsearch etc.
      It is really a tough one for me to answer without looking at your logs to see where it's failing. Can I suggest that when you run docker-compose up and it begins to spew out all that setup text in your terminal, you work through that and see if you can spot any errors or warnings, and troubleshoot from there.

  • @sabitkadem7137  1 year ago

    You are awesome man! Appreciate it

    • @ls111cyberEd  1 year ago +1

      Glad I could help, thanks for watching!

  • @kimcosmos  1 year ago +2

    Fantastic so far. Now I have all my security in 1 place. Can't help wondering if smaller containers like Alpine and all-in-1 like pods are more efficient. For example Wazuh, Hive and Cortex could all be in 1 container, reducing the number of databases. They are made to work together.

    • @ls111cyberEd  1 year ago

      Thanks for watching! Yes, you could most definitely use Alpine and run Docker, then create a docker compose file and launch all those containers from one place.

  • @irakligigi  3 days ago

    Great video series. What if we have more than 2 analysts? I mean that TheHive version 5 supports only 2 normal users. Can you provide an old Hive (e.g. version 4) docker-compose file, with MISP and Cortex?

  • @Daisho502  7 months ago

    Thank you very much for your video. Did you run your YAML code on the Wazuh-configured Windows 10 VM? Or does your computer have VirtualBox?

  • @berrtopsoen534  3 months ago +3

    Trouble with Cortex. After entering user credentials and pressing create, nothing happened. After page reload I get "user init not found".
    Same thing after redoing everything over.

    • @zedhacking  1 month ago

      Same here

    • @berrtopsoen534  1 month ago +1

      @zedhacking I think it had something to do with the username or password in my case.
      After I entered some randomly generated string into the fields it worked.

  • @hamzalaanbare7302  5 months ago

    Thank you. I have an issue, Cortex not updating.

  • @sprita8114  2 months ago

    Can I work on the same SOAR build but using the ELK stack as SIEM instead of Wazuh?

  • @azerabdullayev5616  1 year ago +1

    Hi, I deployed TheHive and Cortex but I cannot create an analyzer in Cortex. There is no option for "Data Type". Please help ;d

  • @fehdkhayati6268  1 year ago

    Basically everything is installed properly, but on an Ubuntu VM, so the IP address is not the same.
    When I try to connect with my IP address it doesn't work, even if I changed the HOSTNAME in the docker-compose file to my IP; I tried it with localhost too, and it didn't work either.
    What should I do?

  • @milanpatel8190  1 year ago

    I have followed the same steps but couldn't load up MISP. Apart from that, all are working. A page loading error comes up for MISP. Could someone please help?

  • @hatemenaami9476  3 months ago

    Why, after finishing all the installation, with the system up and running with all configuration, does it reset all users and delete the created organization after 2 or 3 days?

  • @user-td8hp3re7k  1 year ago +2

    Salute! I got a problem with starting MISP - "Could not locate the PGP public key", what can I do?

    • @VarunTx  1 year ago

      Did you solve it?

  • @Sulaimanzai  6 months ago

    Any video for the same topic but with TheHive4?

  • @joaovictor-dl6ve  1 year ago

    So TheHive, Cortex, MISP and all of that stuff are on only a single server? Is it good to do that if I have to bring the service up in a company?

    • @ls111cyberEd  1 year ago +1

      Hi, thanks for watching. In an enterprise environment, it is generally a best practice to separate each of these services across multiple servers for scalability and redundancy reasons. In the context of this video, it was my intention to create a single, easy deployment lab using Docker containers, to save whoever is watching the time and frustrations of setting up each individual service themselves, so that they can almost immediately start exploring examples of the types of tools used in a SOC.

  • @Tottte  9 months ago

    You should remove the old link. It gets caught up with a zombie on autopilot, like me, who just uses the wrong yml code without thinking :)

  • @henryvaldivia3355  8 months ago

    Hello my friend. I don't understand your architecture: where have you installed Docker (in a VirtualBox VM on the internal network, or on your host machine where you installed VirtualBox)? I saw that your architecture in previous episodes uses a FW with a NAT interface (for WAN) and an internal network (for LAN). Please give more details about this installation.

    • @ls111cyberEd  8 months ago +1

      Hi, thanks for watching. In this video I am using a single Ubuntu Server running Docker, and it is connected to an internal virtual network along with a Windows VM on the same internal virtual network. The firewall is also on this internal network to provide internet access. I am then using PowerShell on the Windows VM to SSH into the Ubuntu Server to configure the docker-compose.yml file. Hopefully this helps.

  • @fayezhraghi7244  1 year ago

    I don't understand when to start following the steps, please help.

  • @gfm9973  1 year ago +1

    Good afternoon!
    I tried to install according to your configuration, but with the Docker stack an error occurs that there is not enough memory.
    What are the requirements for a virtual server?
    Which OS version?
    How many processors?
    How much RAM?

    • @ls111cyberEd  1 year ago

      Hi there! I used 12GB RAM and 6 vCPUs on Ubuntu 20.04 server running Docker. You should be able to get away with 8GB RAM though. Hope this helps and thanks for watching!

    • @gfm9973  1 year ago

      @ls111cyberEd Thanks.
      I reduced the virtual server memory to 4 GB and reinstalled the project. As strange as it may sound, at the moment I don't see any messages about running out of memory and killing the process, and the error associated with Cassandra has also disappeared, but when initializing the database schema in TheHive an error occurs, which leads to the suspension of the process:
      docker-compose-thehive-1 | [info] o.t.s.m.Database [|] Creating database schema
      docker-compose-thehive-1 | [info] o.t.s.m.Operations [|] *** UPDATE SCHEMA OF thehive-enterprise (4): Update graph: Add taskRule in share
      docker-compose-thehive-1 | [error] o.t.s.m.Database [|] ***********************************************************************
      docker-compose-thehive-1 | [error] o.t.s.m.Database [|] * Database initialisation has failed. Restart application to retry it *
      docker-compose-thehive-1 | [error] o.t.s.m.Database [|] ***********************************************************************
      docker-compose-thehive-1 | [error] o.t.t.TheHiveStarter [|] TheHive startup failure
      docker-compose-thehive-1 | org.thp.scalligraph.ScalligraphApplicationImpl$InitialisationFailure: Database initialisation failure
      Have you had similar problems? Do you have any idea how to fix it?
      Special thanks for your work.

  • @mauriceaudet794  1 year ago

    Is it also possible to build individual VMs for TheHive, MISP, and Cortex and integrate them as you have with Docker?

    • @ls111cyberEd  1 year ago

      Hi Maurice, thanks for watching. Yes, you can definitely do this; you will need to manually install each service on its respective VM, and all your VMs will need to be part of the same virtual network.

  • @akwenyuhopekins9755  1 year ago

    How do I reset the web console password for the Cortex UI?

  • @NesrineAzzabi  1 year ago

    How do I add responders and analyzers to the container?

    • @ls111cyberEd  1 year ago +1

      Hi, thanks for watching, you can check these two videos:
      ua-cam.com/video/F9aCAYwP9do/v-deo.html
      ua-cam.com/video/YuMn02vTe5k/v-deo.html

  • @apmam2758  1 year ago +1

    Hello, I got this error when I try to install it:
    ERROR: The Compose file './docker-compose.yml' is invalid because:
    Unsupported config option for services.cassandra: 'mem_limit'
    Unsupported config option for services.elasticsearch: 'mem_limit'
    Unsupported config option for services.thehive: 'mem_limit'

    • @gguestdub3518  1 year ago +1

      Only comment out these lines with "#" and you're ready!
      Example like this:
      cassandra:
        image: 'cassandra:4'
        restart: unless-stopped
        #mem_limit: 1000m
        ports:
      and the other mem_limit lines likewise.

    • @moh_ryzki  1 year ago +1

      Because you are using Ubuntu, right? Maybe you could use RHEL for this issue, or you can #mem_limit

    • @fehdkhayati6268  1 year ago

      You can update docker-compose to 1.29 and it will work.

  • @saudalqahtani5104  1 year ago

    we are waiting for you 💔

    • @ls111cyberEd  1 year ago

      Hi, thanks for watching! Please check out my latest video if you have not already seen it:
      ua-cam.com/video/F9aCAYwP9do/v-deo.html

  • @gaelkounouho8162  6 months ago

    Please, I am facing many issues... could we meet online for troubleshooting?

  • @hanaa7542  10 months ago

    Please, how can I solve this error: error the hive latest not found manifest unknown

    • @ls111cyberEd  10 months ago

      Hi, thanks for watching! Please try using the updated docker-compose.yml config on my GitHub. There were a few changes that happened roughly 2 weeks ago with the TheHive Docker image, where it seems they have removed the :latest tag. I have updated the .yml to use version 5.2. Hopefully this helps.
      github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update/blob/main/docker-compose.yml

    • @Tottte  9 months ago

      Use the new link with the yml file instead of the old one.

  • @tommorgan4880  1 year ago

    Hello,
    I am getting:
    Protocol initialization request, step 1 (OPTIONS): failed to send request (io.netty.channel.StacklessClosedChannelException))
    thehive_1 | [warn] o.t.s.u.Retry [|] An error occurs (java.lang.IllegalArgumentException: Could not instantiate implementation: org.janusgraph.diskstorage.cql.CQLStoreManager), retrying (2/10)
    It continues 10 times and fails.
    Any ideas? I seem to be stuck.

    • @suderlt  1 year ago +1

      I got the same error and I think Cassandra doesn't do very well with the set mem_limit (=1000m). You can remove the mem_limit and try using "- MAX_HEAP_SIZE=1G" & "- HEAP_NEWSIZE=1G" options under the environment block for Cassandra.

    • @nicholaskorfer8257  1 year ago

      Same for me
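
The two recurring failures in the threads above (the "Unsupported config option ... 'mem_limit'" error when the Compose file is parsed, and the Cassandra CQL "Protocol initialization request ... failed" retries that exhaust after 10 attempts) both come down to how the backend services are declared. The fragment below is an added example written for this page; it is not the video's docker-compose.yml nor the file in the ls111-cybersec GitHub repository, and it covers only the Cassandra, Elasticsearch and TheHive services plus the SOC_NET network (Cortex and MISP are left out). The Elasticsearch tag, the TheHive entrypoint flags after `command:` and the secret value are assumptions to verify against the respective image documentation; the secret is a placeholder.

```yaml
# Added example, not the original video's or repository's compose file.
# Assumed: elasticsearch:7.17.10 tag, TheHive entrypoint flags, placeholder secret.
services:
  cassandra:
    image: 'cassandra:4'
    restart: unless-stopped
    # 'mem_limit' is a version-2 file key; a version-3 file parsed by an older
    # docker-compose rejects it. The Compose-spec form is deploy.resources.limits.
    # Keep the container limit well above the JVM heap: a 1G heap inside a
    # 1000m container is the combination that gets the JVM OOM-killed.
    deploy:
      resources:
        limits:
          memory: 2g
    environment:
      - MAX_HEAP_SIZE=1G
      - HEAP_NEWSIZE=1G     # the official image expects both when either is set
    healthcheck:
      test: ["CMD", "nodetool", "status"]
      interval: 30s
      timeout: 10s
      retries: 10
    volumes:
      - cassandra_data:/var/lib/cassandra
    networks:
      - SOC_NET

  elasticsearch:
    image: 'elasticsearch:7.17.10'   # assumed 7.x tag
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false   # lab only; port 9200 is not published to the host
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
    deploy:
      resources:
        limits:
          memory: 2g
    healthcheck:
      test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 10
    volumes:
      - es_data:/usr/share/elasticsearch/data
    networks:
      - SOC_NET

  thehive:
    image: 'strangebee/thehive:5.2'
    restart: unless-stopped
    # Wait for the backends to pass their health checks instead of racing them,
    # so TheHive's CQLStoreManager retries are not spent on a Cassandra that is
    # still bootstrapping.
    depends_on:
      cassandra:
        condition: service_healthy
      elasticsearch:
        condition: service_healthy
    ports:
      - '9000:9000'
    # Entrypoint flags assumed from the TheHive image's command-line options.
    command:
      - --no-config
      - --no-config-secret
      - --secret
      - 'CHANGE-ME-placeholder-long-random-string'
      - --cql-hostnames
      - cassandra
      - --index-backend
      - elasticsearch
      - --es-hostnames
      - elasticsearch
    networks:
      - SOC_NET

volumes:
  cassandra_data:
  es_data:

# Every service joins the same user-defined bridge, so 'cassandra' and
# 'elasticsearch' resolve by service name from inside the thehive container.
networks:
  SOC_NET:
    driver: bridge
```

Only TheHive's port 9000 is published; Cassandra and Elasticsearch stay reachable solely on SOC_NET, which matters because the Elasticsearch security features are switched off for the lab. If `docker-compose config` still rejects `deploy` or the long-form `depends_on`, the Compose binary predates the merged Compose specification, which is the same root cause the thread resolves by upgrading docker-compose.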