POST Install Procedures

Migration

If you backed up data from your 3.4 SCOT instance and wish to restore it, you will need to follow the migration procedure Migration

SSL Certs

SCOT will generate a “snake-oil” self signed certificate upon install. It is highly recommended to replace these certificates with real certs as soon as possible.

Configuration Files

The following sections details the parameters in the varios configuration files available in SCOT. Use your favorite editor to adjust the values to your site. You can test your changes for syntax errors by using the following command:

$ perl -wc scot.cfg.pl

Correct any syntax errors reported before continuing. Typically you will need to resart SCOT for any changes to be recognized.

scot.cfg.pl

This config controls many aspects of the SCOT application server.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
%environment = (
    
    time_zone   => 'America/Denver',
    # scot version
    version     => '3.5.1',

    # set this to hostname of the scot server
    servername  => '127.0.0.1',

    # the mode can be prod or dev
    mode        => 'prod',

    # authentication can be "Remoteuser", "Local", or "Ldap"
    auth_type   => 'Local', 

    # group mode can be "local" or "ldap"
    group_mode  => 'local',

    # default owner of new stuff
    default_owner   => 'scot-admin',

    # default set of groups to apply to stuff
    default_groups  => {
        read    => [ 'wg-scot-ir', 'wg-scot-researchers' ],
        modify  => [ 'wg-scot-ir' ],
    },

    # the group that can perform admin functions
    admin_group => 'wg-scot-admin',

    # filestore is where scot stores uploaded and extracted files
    file_store_root => '/opt/scotfiles',

    epoch_cols  => [ qw(when updated created occurred) ],

    int_cols    => [ qw(views) ],

    site_identifier => 'Sandia',

    default_share_policy => 1,

    share_after_time    => 10, # minutes

    stomp_host  => "localhost",
    stomp_port  => 61613,
    topic       => "/topic/scot",

    # location and site_identifier (future use)
    location                => 'demosite',
    site_identifier         => "demosite",
    default_share_policy    => "none",

    # mojo defaults are values for the mojolicious startup
    mojo_defaults   => {
        # change this after install and restart scot
        secrets => [qw(scot1sfun sc0t1sc00l)],

        # see mojolicious docs 
        default_expiration  => 14400,

        # hypnotoad workers, 50-100 heavy use, 20 - 50 light
        # hypnotoad_workers   => 75,
        hypnotoad => {
            listen  => [ 'http://localhost:3000?reuse=1' ],
            workers => 20,
            clients => 1,
            proxy   => 1,
            pidfile => '/var/run/hypno.pid',
            heartbeat_timeout   => 40,
        },

    },

    log_config => {
        logger_name     => 'SCOT',
        layout          => '%d %7p [%P] %15F{1}: %4L %m%n',
        appender_name   => 'scot_log',
        logfile         => '/var/log/scot/scot.log',
        log_level       => 'DEBUG',
    },

    cgi_ids_config  => {
        whitelist_file  => '',
        disable_filters => [],
    },

    # this file helps scot determine valid domain "entities"
    # keep up to date, by creating a root cron job that does the following:
    # @daily (cd /opt/scot/etc; export https_proxy=yourproxy.com; wget -q -N https://publicsuffix.org/list/public_suffix_list.dat)
    mozilla_public_suffix_file  => '/opt/scot/etc/public_suffix_list.dat',

    # modules to instantiate at Env.pm startup. will be done in 
    # order of the array
    modules => [
        {
            attr    => 'mongo',
            class   => 'Scot::Util::MongoFactory',
            config  => {
                db_name         => 'scot-prod',
                host            => 'mongodb://localhost',
                write_safety    => 1,
                find_master     => 1,
            },
        },
        {
            attr    => "es",
            class   => "Scot::Util::ElasticSearch",
            config  => {
                nodes   => [qw(localhost:9200)],
            },
        },
        {
            attr    => 'esproxy',
            class   => 'Scot::Util::ESProxy',
            config  => {
                nodes       => [ qw(localhost:9200) ],
                max_workers => 1,
                proto       => 'http',
                servername  => 'localhost',
                serverport  => 9200,
                username    => ' ',
                password    => ' ',
            },
        },
        {
            attr    => 'mongoquerymaker',
            class   => 'Scot::Util::MongoQueryMaker',
            config  => {
            },
        },
        {
            attr    => 'mq',
            class   => 'Scot::Util::Messageq',
            config  => {
                destination => "scot",
                stomp_host  => "localhost",
                stomp_port  => 61613,
            },
        },
        {
            attr    => 'imap',
            class   => 'Scot::Util::Imap',
            config  => {
                mailbox     => 'INBOX',          # mailbox, typically INBOX
                hostname    => 'mail.domain.tld',# hostname of the imap server
                port        => 993,              # port of the imap server
                username    => 'scot-alerts',    # username  of the 
                                                 # account receiving alert email
                password    => 'changemenow',    # password  
                ssl         => [ 
                    'SSL_verify_mode', 0         # ssl options 
                ],                               # see perldoc IO::SSL
                uid         => 1,                # uid   IMAP config item 
                ignore_size_errors  => 1,        # ignore_size_errors 
            },
        },
        {
            attr    => 'enrichments',
            class   => 'Scot::Util::Enrichments',
            config  => {
                # mappings map the enrichments that are available 
                # for a entity type
                mappings    => {
                    ipaddr      => [ qw(splunk geoip robtex_ip ) ],
                    ipv6        => [ qw(splunk geoip robtex_ip ) ],
                    email       => [ qw(splunk ) ],
                    md5         => [ qw(splunk ) ],
                    sha1        => [ qw(splunk ) ],
                    sha256      => [ qw(splunk ) ],
                    domain      => [ qw(splunk robtex_dns ) ],
                    file        => [ qw(splunk  ) ],
                    ganalytics  => [ qw(splunk  ) ],
                    snumber     => [ qw(splunk ) ],
                    message_id  => [ qw(splunk ) ],
                    cve         => [ qw(cve_lookup ) ],
                },

                # foreach enrichment listed above place any 
                # config info for it here
                enrichers => {
                    geoip   => {
                        type    => 'native',
                        module  => 'Scot::Util::Geoip',
                    },
                    robtex_ip   => {
                        type    => 'external_link',
                        url     => 'https://www.robtex.com/ip/%s.html',
                        field   => 'value',
                        title   => 'Lookup on Robtex (external)',
                    },
                    robtex_dns   => {
                        type    => 'external_link',
                        url     => 'https://www.robtex.com/dns/%s.html',
                        field   => 'value',
                        title   => 'Lookup on Robtex (external)',
                    },
                    splunk      => {
                        type    => 'internal_link',
                        url     => 'https://splunk.domain.tld/en-US/app/search/search?q=search%%20%s',
                        field   => 'value',
                        title   => 'Search on Splunk',
                    },
                    cve_lookup  => {
                        type    => 'external_link',
                        url     => "https://cve.mitre.org/cgi-bin/cvename.cgi?name=%s",
                        field   => "value",
                        title   => "Lookup CVE description",
                    },
                }, # end enrichment module enrichers
            }, # end ennrichmenst config stanza
        }, # end enrichments stanza
        {
            attr    => 'ldap',
            class   => 'Scot::Util::Ldap',
            config  => {
                servername  => 'ldap.domain.tld',
                dn          => 'cn=cn_name,ou=local config,dc=tld',
                password    => 'changemenow',
                scheme      => 'ldap',
                group_search    => {
                    base    => 'ou=groups,ou=orgname1,dc=dcname1,dc=dcname2,dc=dcname3',
                    filter  => '(| (cn=wg-scot*))',
                    attrs   => [ 'cn' ],
                },
                user_groups => {
                    base    => 'ou=accounts,ou=ouname,dc=dcname1,dc=dcname1,dc=dcname1',
                    filter  => 'uid=%s',
                    attrs   => ['memberOf'],
                }
            }, # end ldap config
        }, # end ldap
    ],
    entity_regexes  => [],
    #
    # form contain directions on how to build the custom incident form fields
    # and signatures (and others later?)
    # 
    forms   => {
        signature  => [
            {
                type    => "textarea",
                key     => "description",
                value   => '',
                value_type => {
                    type    => 'static',
                    url     => undef,
                    key     => 'description',
                },
                label   => "Description",
                help    => "Enter a short description of the signature's purpose",
            },
            {
                type    => "input",
                key     => "type",
                value   => '',
                label   => "Type",
                help    => "Enter the signature type, e.g. yara, snort, etc.",
                value_type => {
                    type    => 'static',
                    url     => undef,
                    key     => 'type',
                },
            },
            {
                type    => "dropdown",
                key     => "prod_sigbody_id",
                value   => [],
                value_type  => {
                    type    => "dynamic",
                    url     => '/scot/api/v2/signature/%s',
                    key     => 'prod_sigbody_id',
                },
                label   => "Production Signature Body Version",
                help    => "Select the version of the signature body you wish to be used in production",
            },
            {
                type    => "dropdown",
                key     => "qual_sigbody_id",
                value   => [],
                value_type  => {
                    type    => "dynamic",
                    url     => '/scot/api/v2/signature/%s',
                    key     => 'qual_sigbody_id',
                },
                label   => "Quality Signature Body Version",
                help    => "Select the version of the signature body you wish to be used in quality",
            },
            {
                type    => "input_multi",
                key     => 'signature_group',
                value   => [],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'signature_group',
                },
                label   => "Signature Group",
                help    => "Group signatures under common names",
            },
            {
                type    => 'input',
                key     => 'target.type',
                value   => '',
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'target.type',
                },
                label   => "Reference Type",
                help    => "The SCOT datatype that originated this signature",
            },
            {
                type    => 'input',
                key     => 'target.id',
                value   => '',
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'target.id',
                },
                help    => 'The id of the SCOT datatype that originated this sig',
                label   => "Reference ID",
            },
			{
                type    => "multi_select",
                key     => "action",
                value   => [
                    { value => 'alert',  selected => 0 },
                    { value => 'block', selected => 0 },
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'action',
                },
                label   => "Action",
                help    => "The automated action that should take place when this signature is triggered. Select multiple actions using ctrl/command key.",
            },
        ],
        incident    => [
            # substitue your text and values here to match your
            # incident types
            {
                type    => "dropdown",
                key     => 'type',
                value   => [
                    { value => 'NONE',  selected => 1 },
                    { value => 'FYI', selected => 0 },
                    { value => 'Type 1 : Root Comprimise', selected => 0 },
                    { value => 'Type 1 : User Compromise', selected => 0 },
                    { value => 'Type 1 : Loss/Theft/Missing Desktop', selected => 0 },
                    { value => 'Type 1 : Loss/Theft/Missing Laptop', selected => 0 },
                    { value => 'Type 1 : Loss/Theft/Missing Media', selected => 0 },
                    { value => 'Type 1 : Loss/Theft/Missing Other', selected => 0 },
                    { value => 'Type 1 : Malicious Code Trojan', selected => 0 },
                    { value => 'Type 1 : Malicious Code Virus', selected => 0 },
                    { value => 'Type 1 : Malicious Code Worm', selected => 0 },
                    { value => 'Type 1 : Malicious Code Other', selected => 0 },
                    { value => 'Type 1 : Web Site Defacement', selected => 0 },
                    { value => 'Type 1 : Denial of Service', selected => 0 },
                    { value => 'Type 1 : Critical Infrastructure Protection', selected => 0 },
                    { value => 'Type 1 : Unauthorized Use', selected => 0 },
                    { value => 'Type 1 : Information Compromise', selected => 0 },
                    { value => 'Type 2 : Attempted Intrusion', selected => 0 },
                    { value => 'Type 2 : Reconnaissance Activity', selected => 0 },
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'type',
                },
                label   => 'Incident Type',
                help    => "Select best match for incident type",
            }, 
            # substitute your text and values to match your incident cats
            {
                type    => "dropdown",
                key     => "category",
                value   => [
                    { value => 'NONE', selected => 1},
                    { value => 'IMI-1', selected => 0},
                    { value => 'IMI-2', selected => 0},
                    { value => 'IMI-3', selected => 0},
                    { value => 'IMI-4', selected => 0},
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'category',
                },
                label   => 'Incident Category',
                help    => "Select best match for incident category",
            },
            {
                type    => "dropdown",
                key     => "sensitivity",
                value   => [
                    {value => 'NONE', selected => 1},
                    {value => 'OUO', selected => 0},
                    {value => 'PII', selected => 0},
                    {value => 'SUI', selected => 0},
                    {value => 'UCNI', selected => 0},
                    {value => 'Other', selected => 0},
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'sensitivity',
                },
                label   => 'Incident Sensitivity',
                help    => "Select best match for incident sensitivity",
            },
            {
                type    => "dropdown",
                key     => "security_category",
                value   => [
                    {value => 'NONE', selected => 1},
                    {value => 'Low', selected => 0},
                    {value => 'Moderate', selected => 0},
                    {value => 'High', selected => 0},
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'security_category',
                },
                label   => 'Incident Security Category',
                help    => "Select best match for incident security category",
            },
            #date field for tracking when incident occurred
            {
                type    => "calendar",
                key     => "occurred",
                value   => "",
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'occurred',
                },
                label   => "Date/Time Occurred",
                help    => "Select Date/Time Incident Occurred",
            },
            {
                type    => "calendar",
                key     => "discovered",
                value   => "",
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'discovered',
                },
                label   => "Date/Time Discovered",
                help    => "Select Date/Time Incident was discovered",
            },
            {
                type    => "calendar",
                key     => "reported",
                value   => "",
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'reported',
                },
                label   => "Date/Time Reported",
                help    => "Select Date/Time Incident was reported",
            },
            {
                type    => "calendar",
                key     => "closed",
                value   => "",
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'closed',
                },
                label   => "Date/Time Closed",
                help    => "Select Date/Time Incident was closed",
            },
        ],
        incident_v2 => [
            {
                type    => 'dropdown',
                key     => 'type',
                value   => [
                    # place your types here...
                    { value => "none",      selected => 1 },
                    { value => "intrusion", selected => 0 },
                    { value => "malware",   selected => 0 },
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'type',
                },
                label   => "Incident Type",
                help    => <<'EOF',
<table>
  <tr> <th>intrusion</th><td>An intrusion occurred</td> </tr>
  <tr> <th>malware</th>  <td>Malware detected</td>      </tr>
</table>
EOF
            },
            {
                type    => "calendar",
                key     => "discovered",
                value   => "",
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'discovered',
                },
                label   => "Date/Time Discovered",
                help    => "Select Date/Time Incident was discovered",
            },
            {
                type    => "dropdown",
                key     => "severity",
                value   => [
                    {value => 'NONE', selected => 1},
                    {value => 'Low', selected => 0},
                    {value => 'Moderate', selected => 0},
                    {value => 'High', selected => 0},
                ],
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'severity',
                },
                label   => 'Incident severity',
                help    => "Select best match for incident severity",
            }, 
        ],
        guide   => [
            {
                type    => "input_multi",
                key     => "applies_to",
                value   => '',
                value_type  => {
                    type    => "static",
                    url     => undef,
                    key     => 'applies_to',
                },
                label   => 'Guide applies to',
                help    => 'Enter string matching subject that this guide applies to',
            },
        ],
    }, 
    dailybrief  => {
        mail    => {
            from    => 'scot@yourdomain.com',
            to      => 'tbruner@scotdemo.com',
            host    => 'smtp.yourdomain.com',
        },
        url     => 'https://scot.yourdomain.com/'
    },
    incident_summary_template   => <<EOF,
<table>
    <tr><th>Description</th><td><i>place description of the incident here</i></td></tr>
    <tr><th>Related Indicators</th><td><i>Place IOC's here</i></td></tr>
    <tr><th>Source Details</th><td><i>Place wource port, ip, protocol, etc. here</i></td></tr>
    <tr><th>Compromised System Details</th><td><i>Place details about compromised System here</i></td></tr>
    <tr><th>Recovery/Mitigation Actions</th><td><i>Place recovery/mitigation details here</i></td></tr>
    <tr><th>Physical Location of System</th><td><i>Place the city and State of system location</i></td></tr>
    <tr><th>Detection Details</th><td><i>Place Source, methods, or tools used to identify incident</i></td></tr>
</table>
EOF
);

alert.cfg.pl

This config file controls how alerts are received from an IMAP server.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
####
#### alert.cfg.pl
####
#### Used to configure the SCOT email alert input program
#### bin/alert.pl which uses Scot::App::Mail
####

%environment = (

    ## See perl DateTime documenation for values matching your locale
    time_zone   => 'America/Denver',

    ## Set up Scot Logging to your liking.  See Log::Log4perl documentaton
    ## for details on layout and log_level.  By default, log_level of DEBUB
    ## is very verbose, but is probably the level you want to be able to 
    ## figure out an error after it occurs.
    log_config  => {
        logger_name     => 'SCOT',
        layout          => '%d %7p [%P] %15F{1}: %4L %m%n',
        appender_name   => 'scot_log',
        logfile         => '/var/log/scot/scot.mail.log',
        log_level       => 'DEBUG',
    },

    ## MODULES
    ## Each hash in the following array, will result in an attribute
    ## being created in the Scot/Env.pm module that points to the class
    ## described.  if you ever get a "cant find foo in Scot::Env" you might
    ## be missing something here

    modules => [
        ## describe to SCOT how to talk to your imap server
        {
            attr    => 'imap',
            class   => 'Scot::Util::Imap',
            config  => {
                mailbox     => 'INBOX',          # mailbox, typically INBOX
                hostname    => 'mail.domain.tld',# hostname of the imap server
                port        => 993,              # port of the imap server
                username    => 'scot-alerts',    # username  of the 
                                                 # account receiving alert email
                password    => 'changemenow',    # password  
                ssl         => [ 
                    'SSL_verify_mode', 0         # ssl options 
                ],                               # see perldoc IO::SSL
                uid         => 1,                # uid   IMAP config item 
                ignore_size_errors  => 1,        # ignore_size_errors 
            },
        },
        ## describe how for the Scot Perl client to find the SCOT server
        {
            attr    => 'scot',
            class   => 'Scot::Util::ScotClient',
            config  => {
                servername  => 'scotserver',
                # username with sufficient scot perms to create alert(groups)
                username    => 'scot-alerts',
                # the password for that user
                password    => 'changemenow',
                # authentication type: RemoteUser, LDAP, Local
                authtype    => 'Local',
            },
        },
        ## mongodb connection information
        {
            attr    => 'mongo',
            class   => 'Scot::Util::MongoFactory',
            config  => {
                db_name         => 'scot-prod',
                host            => 'mongodb://localhost',
                write_safety    => 1,
                find_master     => 1,
            },
        },
        ## ActiveMQ connection info
        {
            attr    => 'mq',
            class   => 'Scot::Util::Messageq',
            config  => {
                destination => "scot",
                stomp_host  => "localhost",
                stomp_port  => 61613,
            },
        },
        ## Elasticsearch connection info
        {
            attr    => 'es',
            class   => 'Scot::Util::ElasticSearch',
            config  => {
                nodes       => [ qw(localhost:9200) ],
                max_workers => 1,
            },
        },
    ],
    ## parser_dir is where to find the modules that can parse the emails
    parser_dir  => '/opt/scot/lib/Scot/Parser',
    ## alert.pl can utilize rest or direct mongo connection to input data
    get_method      => "mongo",     # other value is "rest"
    ## leave_unseen = 1 means SCOT will leave emails marked "unread" 
    ## leave_unseen = 0 means SCOT marks emails read after processing
    leave_unseen    => 1,
    # interactive => [ yes | no ]
    # pauses processing after each message and writes to console 
    interactive     => 'no',   
    verbose         => 1,
    # max_processes => 0 to positive int
    # number of child processes to fork to parse messages in parallel
    # 0 = disable forking and do all messages sequentially
    # recommendation is 5-10 in production, 0 for testing.
    max_processes   => 0,       
    # fetch_mode    => [ unseen | time ]
    # unseen looks for unseen messages via imap protocol
    # time gets all message since a given time
    # both modes check unique message_id and will not reprocess something
    # already in SCOT database
    fetch_mode      => 'unseen', 
    # since     => { unit => amount }
    # hashref where key is the unit [ day, hour, minute ]
    # amount is integer value
    # used by time fetch_mode 
    since           => { hour => 2 },
    # approved_alert_domains => [ 'domain1\.org', ... ]
    # only domains listed in this array can send email to scot
    # periods need to be escaped by \
    approved_alert_domains  => [ 'domain\.tld' ],
    # approve_accounts => [ 'user@email.addr' ];
    # account in this domain can also send to scot
    approved_accounts   => [ 'user@server.domain.tld' ],

    # future use:
    location                => "scot_demo",
    site_identifier         => "scot_demo",
    default_share_policy    => "none",
);

flair.cfg.pl

The Flair app automatically detects enties, see Entities. This config file look like:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
%environment = (
    time_zone   => 'America/Denver',
    # server name of the SCOT server
    servername  => 'localhost',
    # username with sufficient scot perms to create alert(groups)
    username    => 'scot-alerts',
    # the password for that user
    password    => 'changemenow',
    # authentication type: RemoteUser, LDAP, Local
    authtype    => 'Local',
    # interactive
    interactive => 0,
    # max workers
    max_workers => 20,
    # log config
    log_config  => {
        logger_name     => 'SCOT',
        layout          => '%d %7p [%P] %15F{1}: %4L %m%n',
        appender_name   => 'scot_log',
        logfile         => '/var/log/scot/scot.flair.log',
        log_level       => 'DEBUG',
    },
    ## Flair.pm needs to know how to connect to the ActiveMQ topic
    stomp_host  => "localhost",
    stomp_port  => 61613,
    topic       => "/topic/scot",
    ## updates to flair-ed entries and alerts will be done by this account
    default_owner   => "scot-admin",
    # modules used by flair app
    modules => [
        {
            attr    => 'img_munger',
            class   => 'Scot::Util::ImgMunger',
            config  => {
            },
        },
        {
            attr    => 'extractor',
            class   => 'Scot::Extractor::Processor',
            config  => {
                suffixfile  => '/opt/scot/etc/effective_tld_names.dat',
            },
        },
        {
            attr    => 'scot',
            class   => 'Scot::Util::ScotClient',
            config  => {
                servername  => 'localhost',
                # username with sufficient scot perms to create alert(groups)
                username    => 'scot-alerts',
                # the password for that user
                password    => 'changemenow',
                # authentication type: RemoteUser, LDAP, Local
                authtype    => 'Local',
            },
        },
        {
            attr    => 'mongo',
            class   => 'Scot::Util::MongoFactory',
            config  => {
                db_name         => 'scot-prod',
                host            => 'mongodb://localhost',
                write_safety    => 1,
                find_master     => 1,
            },
        },
        {
            attr    => 'mq',
            class   => 'Scot::Util::Messageq',
            config  => {
                destination => "scot",
                stomp_host  => "localhost",
                stomp_port  => 61613,
            },
        },
        {
            attr    => 'enrichments',
            class   => 'Scot::Util::Enrichments',
            config  => {
                # mappings map the enrichments that are available 
                # for a entity type
                mappings    => {
                    ipaddr      => [ qw(splunk geoip robtex_ip ) ],
                    email       => [ qw(splunk ) ],
                    md5         => [ qw(splunk ) ],
                    sha1        => [ qw(splunk ) ],
                    sha256      => [ qw(splunk ) ],
                    domain      => [ qw(splunk robtex_dns ) ],
                    file        => [ qw(splunk  ) ],
                    ganalytics  => [ qw(splunk  ) ],
                    snumber     => [ qw(splunk ) ],
                    message_id  => [ qw(splunk ) ],
                },

                # foreach enrichment listed above place any 
                # config info for it here
                enrichers => {
                    geoip   => {
                        type    => 'native',
                        module  => 'Scot::Util::Geoip',
                    },
                    robtex_ip   => {
                        type    => 'external_link',
                        url     => 'https://www.robtex.com/ip/%s.html',
                        field   => 'value',
                        title   => 'Lookup on Robtex (external)',
                    },
                    robtex_dns   => {
                        type    => 'external_link',
                        url     => 'https://www.robtex.com/dns/%s.html',
                        field   => 'value',
                        title   => 'Lookup on Robtex (external)',
                    },
                    splunk      => {
                        type    => 'internal_link',
                        url     => 'https://splunk.domain.tld/en-US/app/search/search?q=search%%20%s',
                        field   => 'value',
                        title   => 'Search on Splunk',
                    },
                }, # end enrichment module enrichers
            }, # end ennrichmenst config stanza
        }, # end enrichments stanza
        {
            attr    => 'regex',
            class   => 'Scot::Extractor::Regex',
            config  => {
                entity_regexes  => [
                ],
            },
        },  
    ],
    # future use:
    location                => "scot_demo",
    site_identifier         => "scot_demo",
    default_share_policy    => "none",
);

game.cfg.pl

This controls aspects of the gamification system.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
%environment = (
    log_config  => {
        logger_name     => 'SCOT',
        layout          => '%d %7p [%P] %15F{1}: %4L %m%n',
        appender_name   => 'scot_log',
        logfile         => '/var/log/scot/scot.game.log',
        log_level       => 'DEBUG',
    },
    days_ago    => 30,
    modules => [
        {
            attr    => 'mongo',
            class   => 'Scot::Util::MongoFactory',
            config  => {
                db_name         => 'scot-prod',
                host            => 'mongodb://localhost',
                write_safety    => 1,
                find_master     => 1,
            },
        },
    ],
);

stretch.cfg.pl

This controls aspects of the elastic search input system.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
%environment = (
    time_zone   => 'America/Denver',
    max_workers => 1,
    log_config  => {
        logger_name     => 'SCOT',
        layout          => '%d %7p [%P] %15F{1}: %4L %m%n',
        appender_name   => 'scot_log',
        logfile         => '/var/log/scot/scot.stretch.log',
        log_level       => 'DEBUG',
    },
    max_workers     => 2,
    stomp_host      => 'localhost',
    stomp_port      => 61613,
    topic           => '/topic/scot',
    default_owner   => 'scot-admin',
    modules => [
        {
            attr    => 'es',
            class   => 'Scot::Util::ElasticSearch',
            config  => {
                nodes   => [ qw(localhost:9200) ],
            },
        },
        {
            attr    => 'scot',
            class   => 'Scot::Util::ScotClient',
            config  => {
                servername  => "localhost",
                username    => "scot-alerts",
                password    => "changemenow",
                auth_type    => "basic",
            },
        },
        {
            attr    => 'mongo',
            class   => 'Scot::Util::MongoFactory',
            config  => {
                db_name         => 'scot-prod',
                host            => 'mongodb://localhost',
                write_safety    => 1,
                find_master     => 1,
            },
        },
    ],
    # future use:
    location                => "scot_demo",
    site_identifier         => "scot_demo",
    default_share_policy    => "none",
);

CRON Jobs

The /opt/scot/alert.pl program that reads in alerts from the IMAP server needs a crontab entry. It is recommended to run this every 2 to 5 minutes. Here’s the crontab entry:

*/5 * * * * /opt/scot/bin/alert.pl

Automating SCOT backups are a good idea as well:

0 3,12,20 * * * /opt/scot/bin/backup.pl     # backup scot at 3am 12 noon and 8pm

The game.pl job populates the analyst leaderboard:

30 4 * * * /opt/scot/bin/game.pl

The metric.pl job calculates response time metrics:

15 2 * * * /opt/scot/bin/metric.pl