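def stop_agent():
    """
    Stop the agent processes: Suricata (only if installed), Zeek (BroCtl) and FileBeat.

    :return: True if every process reported a successful stop; False if no agent
             installation was detected or any process failed to stop
    """
    sys.stdout.write('[+] Stopping agent processes.\n')

    # Load service profilers
    filebeat_profiler = filebeat.FileBeatProfiler()
    zeek_profiler = zeek.ZeekProfiler()
    suricata_profiler = suricata.SuricataProfiler()

    # Load service processes
    zeek_p = zeek.ZeekProcess()
    filebeat_p = filebeat.FileBeatProcess()

    if not (filebeat_profiler.is_installed or zeek_profiler.is_installed):
        # Message previously said "Could not start agent" on the stop path.
        sys.stderr.write('[-] Could not stop agent. Is it installed?\n')
        sys.stderr.write('[-] dynamite install agent\n')
        return False

    # Suricata is optional: only build and stop its process when the profiler
    # reports it installed.
    if suricata_profiler.is_installed:
        suricata_p = suricata.SuricataProcess()
        if not suricata_p.stop(stdout=True):
            sys.stderr.write('[-] Could not stop agent.suricata_process.\n')
            return False

    # NOTE(review): the guard above accepts either FileBeat or Zeek being
    # installed, but both stop() calls run unconditionally — confirm stop()
    # returns True for a component that is not installed.
    if not zeek_p.stop(stdout=True):
        sys.stderr.write('[-] Could not stop agent.zeek_process.\n')
        return False
    if not filebeat_p.stop(stdout=True):
        sys.stderr.write('[-] Could not stop agent.filebeat.\n')
        return False
    return True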
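def status_agent():
    """
    Retrieve the status of the agent processes.

    :return: False if neither FileBeat nor Zeek is installed; otherwise a dict of
             the form {'agent_processes': {'zeek': ..., 'pf_ring': ..., 'filebeat': ...}}
             with a 'suricata' entry added when Suricata is installed. (The previous
             docstring described a tuple; the function returns a dict.)
    """
    # Load service processes
    zeek_p = zeek.ZeekProcess()
    filebeat_p = filebeat.FileBeatProcess()

    # Load service profilers (stderr=False: do not print profiler diagnostics)
    pf_ring_profiler = pf_ring.PFRingProfiler(stderr=False)
    filebeat_profiler = filebeat.FileBeatProfiler(stderr=False)
    zeek_profiler = zeek.ZeekProfiler(stderr=False)
    suricata_profiler = suricata.SuricataProfiler(stderr=False)

    if not (filebeat_profiler.is_installed or zeek_profiler.is_installed):
        # Message previously said "Could not start agent" on the status path.
        sys.stderr.write('[-] Could not retrieve agent status. Is it installed?\n')
        sys.stderr.write('[-] dynamite install agent\n')
        return False

    agent_status = dict(
        agent_processes={
            'zeek': zeek_p.status(),
            'pf_ring': pf_ring_profiler.get_profile(),
            'filebeat': filebeat_p.status()
        })
    # Suricata is optional; report it only when the profiler says it is installed.
    if suricata_profiler.is_installed:
        suricata_p = suricata.SuricataProcess()
        agent_status['agent_processes']['suricata'] = suricata_p.status()
    return agent_status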
def start_agent():
    """
    Start the agent processes: Suricata (only if installed), Zeek (BroCtl) and FileBeat.

    Refuses to start when neither FileBeat nor Zeek is installed, or when the
    PF_RING profiler reports the kernel module as not running.

    :return: True if every process reported a successful start; False otherwise
    """
    # NOTE(review): environment_variables is not bound in this function; it is
    # presumably a module-level dict of /etc/dynamite/environment — confirm.
    pf_ring_prof = pf_ring.PFRingProfiler(stderr=False)
    filebeat_prof = filebeat.FileBeatProfiler(stderr=False)
    zeek_prof = zeek.ZeekProfiler(stderr=False)
    suricata_prof = suricata.SuricataProfiler(stderr=False)

    filebeat_proc = filebeat.FileBeatProcess(
        install_directory=environment_variables.get('FILEBEAT_HOME'))
    zeek_proc = zeek.ZeekProcess(
        install_directory=environment_variables.get('ZEEK_HOME'))

    agent_installed = filebeat_prof.is_installed or zeek_prof.is_installed
    if not agent_installed:
        sys.stderr.write('[-] Could not start agent. Is it installed?\n')
        sys.stderr.write('[-] dynamite install agent\n')
        return False
    if not pf_ring_prof.is_running:
        sys.stderr.write(
            '[-] PF_RING kernel modules were not loaded. Try running '
            '\'modprobe pf_ring min_num_slots=32768\' as root.\n')
        return False

    sys.stdout.write('[+] Starting agent processes.\n')

    # Processes are started in this order: Suricata (optional), Zeek, FileBeat.
    # The first failure aborts the sequence.
    startup_sequence = []
    if suricata_prof.is_installed:
        suricata_proc = suricata.SuricataProcess(
            install_directory=environment_variables.get('SURICATA_HOME'),
            configuration_directory=environment_variables.get(
                'SURICATA_CONFIG'))
        startup_sequence.append(
            (suricata_proc, '[-] Could not start agent.suricata_process.\n'))
    startup_sequence.append(
        (zeek_proc, '[-] Could not start agent.zeek_process.\n'))
    startup_sequence.append(
        (filebeat_proc, '[-] Could not start agent.filebeat.\n'))

    for process, failure_message in startup_sequence:
        if not process.start(stdout=True):
            sys.stderr.write(failure_message)
            return False
    return True
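def stop_agent():
    """
    Stop the agent processes: Suricata (only if installed), Zeek (BroCtl) and FileBeat.

    :return: True if every process reported a successful stop; False if no agent
             installation was detected or any process failed to stop
    """
    sys.stdout.write('[+] Stopping agent processes.\n')

    # NOTE(review): environment_variables is not bound in this function; it is
    # presumably a module-level dict of /etc/dynamite/environment — confirm.

    # Load service profilers
    filebeat_profiler = filebeat.FileBeatProfiler()
    zeek_profiler = zeek.ZeekProfiler()
    suricata_profiler = suricata.SuricataProfiler()

    # Load service processes. Zeek now receives its install directory like
    # start_agent()/status_agent() do, instead of relying on the default.
    zeek_p = zeek.ZeekProcess(
        install_directory=environment_variables.get('ZEEK_HOME'))
    filebeat_p = filebeat.FileBeatProcess(
        install_directory=environment_variables.get('FILEBEAT_HOME'))

    if not (filebeat_profiler.is_installed or zeek_profiler.is_installed):
        # Message previously said "Could not start agent" on the stop path.
        sys.stderr.write('[-] Could not stop agent. Is it installed?\n')
        sys.stderr.write('[-] dynamite install agent\n')
        return False

    # Suricata is optional: only build and stop its process when installed.
    if suricata_profiler.is_installed:
        suricata_p = suricata.SuricataProcess(
            install_directory=environment_variables.get('SURICATA_HOME'),
            configuration_directory=environment_variables.get(
                'SURICATA_CONFIG'))
        if not suricata_p.stop(stdout=True):
            sys.stderr.write('[-] Could not stop agent.suricata_process.\n')
            return False

    # NOTE(review): the guard above accepts either FileBeat or Zeek being
    # installed, but both stop() calls run unconditionally — confirm stop()
    # returns True for a component that is not installed.
    if not zeek_p.stop(stdout=True):
        sys.stderr.write('[-] Could not stop agent.zeek_process.\n')
        return False
    if not filebeat_p.stop(stdout=True):
        sys.stderr.write('[-] Could not stop agent.filebeat.\n')
        return False
    return True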
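def status_agent():
    """
    Retrieve the status of the agent processes.

    :return: False if neither FileBeat nor Zeek is installed; otherwise a tuple
             whose first element is the Zeek process status and whose second
             element is a dict {'agent_processes': {'pf_ring': ..., 'filebeat': ...}}
             with a 'suricata' entry added when Suricata is installed
    """
    # NOTE(review): environment_variables is not bound in this function; it is
    # presumably a module-level dict of /etc/dynamite/environment — confirm.

    # Load service processes (keyword arguments, consistent with start_agent())
    zeek_p = zeek.ZeekProcess(
        install_directory=environment_variables.get('ZEEK_HOME'))
    filebeat_p = filebeat.FileBeatProcess(
        install_directory=environment_variables.get('FILEBEAT_HOME'))

    # Load service profilers (stderr=False: do not print profiler diagnostics)
    pf_ring_profiler = pf_ring.PFRingProfiler(stderr=False)
    filebeat_profiler = filebeat.FileBeatProfiler(stderr=False)
    zeek_profiler = zeek.ZeekProfiler(stderr=False)
    suricata_profiler = suricata.SuricataProfiler(stderr=False)

    if not (filebeat_profiler.is_installed or zeek_profiler.is_installed):
        # Message previously said "Could not start agent" on the status path.
        sys.stderr.write('[-] Could not retrieve agent status. Is it installed?\n')
        sys.stderr.write('[-] dynamite install agent\n')
        return False

    agent_status = dict(agent_processes={
        'pf_ring': pf_ring_profiler.get_profile(),
        'filebeat': filebeat_p.status()
    })
    # Suricata is optional; report it only when the profiler says it is installed.
    if suricata_profiler.is_installed:
        suricata_p = suricata.SuricataProcess(
            install_directory=environment_variables.get('SURICATA_HOME'),
            configuration_directory=environment_variables.get(
                'SURICATA_CONFIG'))
        agent_status['agent_processes']['suricata'] = suricata_p.status()
    return zeek_p.status(), agent_status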
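def _remove_tree(path, ignore_errors=False):
    """
    Recursively delete *path*, refusing unset/blank values and the filesystem root.

    The paths handed to this helper come from /etc/dynamite/environment via
    dict.get(), so a missing key yields None and a damaged file could yield ''
    or '/'. None would raise TypeError inside rmtree and '/' would be
    catastrophic, so both are skipped with a message instead.

    :param path: Directory to remove (str or None)
    :param ignore_errors: Passed through to shutil.rmtree
    """
    if not path or os.path.abspath(path) == os.sep:
        sys.stderr.write('[-] Skipping removal of invalid path: {!r}\n'.format(path))
        return
    shutil.rmtree(path, ignore_errors=ignore_errors)


def _drop_environment_keys(env_path, keys):
    """
    Rewrite *env_path* without blank lines and without any line that contains
    one of *keys* (substring match, as the original code did).

    The new content is written to a sibling temp file, given the original
    file's permission bits, and then renamed over the original, so a crash
    mid-write cannot leave a truncated environment file behind.

    :param env_path: Path of the environment file to rewrite
    :param keys: Iterable of key names whose lines are dropped
    """
    with open(env_path) as env_file:
        kept = [line.strip() for line in env_file
                if line.strip() and not any(key in line for key in keys)]
    tmp_path = env_path + '.tmp'
    with open(tmp_path, 'w') as tmp_file:
        tmp_file.write(''.join(line + '\n' for line in kept))
    shutil.copymode(env_path, tmp_path)
    # os.rename over an existing file is atomic on POSIX (this code already
    # assumes Linux: modprobe, /etc, /opt).
    os.rename(tmp_path, env_path)


def uninstall_agent(prompt_user=True):
    """
    Uninstall the agent.

    Stops FileBeat/Zeek if running, deletes the install directories recorded in
    /etc/dynamite/environment for each installed component, clears the install
    cache and removes the agent keys from the environment file.

    :param prompt_user: Print a warning and ask for confirmation before continuing.
                        Previously the prompt was only shown when FileBeat was
                        installed; it is now honoured for any installed component,
                        since the deletions below are destructive either way.
    :return: True if the uninstall completed; False if no agent installation was
             detected or the user declined
    """
    environment_variables = utilities.get_environment_file_dict()
    filebeat_profiler = filebeat.FileBeatProfiler()
    pf_profiler = pf_ring.PFRingProfiler()
    zeek_profiler = zeek.ZeekProfiler()
    suricata_profiler = suricata.SuricataProfiler()

    if not (filebeat_profiler.is_installed or zeek_profiler.is_installed
            or suricata_profiler.is_installed):
        sys.stderr.write('[-] No agent installation detected.\n')
        return False

    if prompt_user:
        # The Logstash-target warning needs the FileBeat config, which only
        # exists when FileBeat is installed.
        if filebeat_profiler.is_installed:
            filebeat_config = filebeat.FileBeatConfigurator(
                install_directory=environment_variables.get('FILEBEAT_HOME'))
            sys.stderr.write(
                '[-] WARNING! REMOVING THE AGENT WILL RESULT IN EVENTS NO LONGER BEING SENT TO {}.\n'
                .format(filebeat_config.get_logstash_targets()))
        resp = utilities.prompt_input(
            'Are you sure you wish to continue? ([no]|yes): ')
        while resp not in ['', 'no', 'yes']:
            resp = utilities.prompt_input(
                'Are you sure you wish to continue? ([no]|yes): ')
        if resp != 'yes':
            sys.stdout.write('[+] Exiting\n')
            return False

    if filebeat_profiler.is_running:
        filebeat.FileBeatProcess().stop(stdout=True)
    if zeek_profiler.is_running:
        zeek.ZeekProcess().stop()

    if pf_profiler.is_installed:
        # Unlike the other components, errors here are not ignored (unchanged).
        _remove_tree(environment_variables.get('PF_RING_HOME'))
        os.remove('/opt/dynamite/.agent_environment_prepared')
    if filebeat_profiler.is_installed:
        _remove_tree(environment_variables.get('FILEBEAT_HOME'), ignore_errors=True)
    if zeek_profiler.is_installed:
        _remove_tree(environment_variables.get('ZEEK_HOME'), ignore_errors=True)
        _remove_tree(environment_variables.get('ZEEK_SCRIPTS'), ignore_errors=True)
    if suricata_profiler.is_installed:
        _remove_tree(environment_variables.get('SURICATA_HOME'), ignore_errors=True)
        _remove_tree(environment_variables.get('SURICATA_CONFIG'), ignore_errors=True)
        _remove_tree(environment_variables.get('OINKMASTER_HOME'), ignore_errors=True)
    shutil.rmtree(const.INSTALL_CACHE, ignore_errors=True)

    _drop_environment_keys('/etc/dynamite/environment', (
        'FILEBEAT_HOME',
        'ZEEK_HOME',
        'ZEEK_SCRIPTS',
        'SURICATA_HOME',
        'SURICATA_CONFIG',
        'PF_RING_HOME',
        'OINKMASTER_HOME',
    ))
    return True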