The whole procedure was carried out successfully in a virtual machine running CentOS Linux release 7.2.1511 (Core).
Steps needed to install TheHive:
1. Install Elasticsearch, which stores the data, either with Docker or from an RPM package
2. Install Cortex, create the relevant user account and obtain the API key that TheHive will use
3. Install TheHive and configure it with the key Cortex issued, so that investigations can call Cortex's analyzers
Common Elasticsearch commands: https://www.cnblogs.com/remainsu/p/elasticsearch-chang-yong-curl-ming-ling.html
I. Installing Elasticsearch
1.1 Installing with Docker
Note: make sure the system clock is synchronized before installing, otherwise certificate-related errors will occur: ntpdate cn.pool.ntp.org
Docker CE: https://docs.docker.com/install/#supported-platforms
Docker Compose: https://docs.docker.com/compose/install/
Git: https://git-scm.com/book/en/v2/Getting-Started-Installing-Git
Complete the Docker installation following the links above.
Step 1:
sudo sysctl -w vm.max_map_count=262144
Step 2:
yum install -y java-1.8.0-openjdk
Step 3, create the directory on the host that will hold the data:
mkdir -p /usr/share/elasticsearch/data
chmod 777 /usr/share/elasticsearch/data
Step 4: install ES
docker run \
--name elasticsearch \
--hostname elasticsearch \
--rm \
--publish 127.0.0.1:9200:9200 \
--publish 127.0.0.1:9300:9300 \
--volume /usr/share/elasticsearch/data:/usr/share/elasticsearch/data \
-e "http.host=0.0.0.0" \
-e "transport.host=0.0.0.0" \
-e "xpack.security.enabled=false" \
-e "cluster.name=hive" \
-e "script.inline=true" \
-e "thread_pool.index.queue_size=100000" \
-e "thread_pool.search.queue_size=100000" \
-e "thread_pool.bulk.queue_size=100000" \
docker.elastic.co/elasticsearch/elasticsearch:5.6.0
1.2 Installing from an RPM package
Note: make sure the system clock is synchronized before installing, otherwise certificate-related errors will occur:
ntpdate cn.pool.ntp.org
Reference: https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md
Step 1:
sudo sysctl -w vm.max_map_count=262144
Step 2:
yum install -y java-1.8.0-openjdk
Step 3: create elasticsearch.repo in /etc/yum/repos.d/ with the following contents:
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
mkdir -p /etc/yum/repos.d/
cd /etc/yum/repos.d/
Step 4:
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
sudo yum install elasticsearch
Step 5:
cd /etc/elasticsearch/
Add the following to /etc/elasticsearch/elasticsearch.yml:
network.host: 127.0.0.1
script.inline: true
cluster.name: hive
thread_pool.index.queue_size: 100000
thread_pool.search.queue_size: 100000
thread_pool.bulk.queue_size: 100000
xpack.security.enabled: true
It is strongly recommended not to expose this service to untrusted networks.
If Elasticsearch and TheHive run on the same host (not in Docker), edit /etc/elasticsearch/elasticsearch.yml and set network.host to 127.0.0.1. TheHive uses dynamic scripts for partial updates, so they must be enabled with script.inline: true.
The cluster name must also be set (for example, hive). The thread pool queue sizes must be set to a high value (100000); the default sizes let the queues overflow easily.
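As an added example (not part of this guide, nor of the Elasticsearch or TheHive projects), the following Python script checks an elasticsearch.yml against the settings listed above: it parses the flat key: value lines and flags a network.host that is not loopback (the exposure the note warns about), a disabled xpack.security.enabled, a missing script.inline, a cluster.name other than hive, and thread-pool queue sizes below 100000. The minimal parser and the two constructed sample files are assumptions of this example.

```python
"""Check an elasticsearch.yml against the settings TheHive expects and for
accidental network exposure. Added example for this guide; not part of the
TheHive or Elasticsearch projects. Only flat 'key: value' lines are parsed."""
import ipaddress

EXPECTED_CLUSTER = "hive"   # cluster.name used throughout this guide
QUEUE_FLOOR = 100000        # thread-pool queue size the guide recommends
QUEUE_KEYS = ("thread_pool.index.queue_size",
              "thread_pool.search.queue_size",
              "thread_pool.bulk.queue_size")


def parse_es_yml(text):
    """Return {key: value} from flat 'key: value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_loopback(host):
    """True for the values that keep Elasticsearch bound to the local machine only."""
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_es_config(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    s = parse_es_yml(text)
    findings = []
    host = s.get("network.host", "_local_")   # ES 5.x binds loopback when unset
    if not is_loopback(host):
        findings.append(f"network.host={host}: Elasticsearch is reachable beyond loopback")
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: the REST API answers unauthenticated requests")
    if s.get("script.inline", "").lower() != "true":
        findings.append("script.inline is not true: TheHive needs inline scripts for partial updates")
    if s.get("cluster.name") != EXPECTED_CLUSTER:
        findings.append(f"cluster.name={s.get('cluster.name')!r}: TheHive and Cortex expect {EXPECTED_CLUSTER!r}")
    for key in QUEUE_KEYS:
        try:
            size = int(s.get(key, "0"))
        except ValueError:
            size = 0
        if size < QUEUE_FLOOR:
            findings.append(f"{key}={size}: below the {QUEUE_FLOOR} the guide recommends")
    return findings


# Constructed samples: the file this guide builds, and a variant with the kind of
# drift that appears after copying the Docker flags into the RPM installation.
GUIDE_YML = """\
network.host: 127.0.0.1
script.inline: true
cluster.name: hive
thread_pool.index.queue_size: 100000
thread_pool.search.queue_size: 100000
thread_pool.bulk.queue_size: 100000
xpack.security.enabled: true
"""
DRIFTED_YML = """\
network.host: 0.0.0.0        # copied from the Docker example
cluster.name: elasticsearch  # default name left in place
xpack.security.enabled: false
thread_pool.search.queue_size: 1000
"""

if __name__ == "__main__":
    for label, text in (("guide", GUIDE_YML), ("drifted", DRIFTED_YML)):
        print(label, audit_es_config(text) or ["ok"])
```

Run it against the real file (for example by reading /etc/elasticsearch/elasticsearch.yml into audit_es_config) before systemctl start elasticsearch.service; the first finding on the drifted sample is the one that matters most, because a 0.0.0.0 bind with security disabled is exactly the exposure the note above warns against.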
Step 6:
Manual x-pack installation: https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.6.16.zip
./elasticsearch-plugin install file:///root/x-pack-5.6.16.zip
-> Downloading file:///root/x-pack-5.6.16.zip
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* javax.net.ssl.SSLPermission setHostnameVerifier
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: plugin forks a native controller        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.
Continue with installation? [y/N]y
-> Installed x-pack
Automatic installation:
Go to /usr/share/elasticsearch/bin
./elasticsearch-plugin install x-pack
and crack the relevant file (procedure at https://blog.csdn.net/dymkkj/article/details/91043669):
/usr/share/elasticsearch/plugins/x-pack/x-pack-5.6.16.jar
Step 7:
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl status elasticsearch.service
Step 8: change the user password
The default username and password are elastic:changeme
curl --user elastic:changeme http://127.0.0.1:9200
{
  "name" : "0Gxn_d0",
  "cluster_name" : "hive",
  "cluster_uuid" : "UC3wm1J-SRO_GwVBnEPxow",
  "version" : {
    "number" : "5.6.16",
    "build_hash" : "3a740d1",
    "build_date" : "2019-03-13T15:33:36.565Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.1"
  },
  "tagline" : "You Know, for Search"
}
Change the password (http://www.reibang.com/p/f1b009113e61):
curl -XPUT -u elastic '127.0.0.1:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{"password" : "2020@qwerty"}'
curl --user elastic:2020@qwerty http://127.0.0.1:9200
II. Installing Cortex
yum install https://dl.bintray.com/thehive-project/rpm-stable/thehive-project-release-1.1.0-2.noarch.rpm
yum install cortex
yum install python-pip python2.7-dev python3-pip python3-dev ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl libmagic1 build-essential git libssl-dev
pip3 install cortexutils
sudo systemctl enable cortex.service
sudo systemctl start cortex.service
sudo systemctl status cortex.service
firewall-cmd --zone=public --add-port=9001/tcp --permanent
firewall-cmd --reload
The configuration files are in /etc/cortex and need some changes; a template follows:
# Sample Cortex application.conf file
## SECRET KEY
#
# The secret key is used to secure cryptographic functions.
#
# IMPORTANT: If you deploy your application to several instances, make
# sure to use the same key.
# Add the secret key here; see the official site for how to generate it
play.http.secret.key="XpN0jSW03tWKGQr2MSpI6mizC0oEa8BPY3FgENBgDvCKbk0obep19pDcy2oE7tad"
#http.port = "9001"
## ElasticSearch
search {
  # Name of the index
  index = cortex
  # Address of the ElasticSearch instance
  uri = "http://127.0.0.1:9200"
}
# ElasticSearch cluster name
cluster {
name = hive
}
## Cache
#
# If an analyzer is executed against the same observable, the previous report can be returned without re-executing the
# analyzer. The cache is used only if the second job occurs within cache.job (the default is 10 minutes).
cache.job = 10 minutes
## Authentication
auth {
method.basic = true
# "provider" parameter contains the authentication provider(s). It can be multi-valued, which is useful
# for migration.
# The available auth types are:
# - services.LocalAuthSrv : passwords are stored in the user entity within ElasticSearch). No
#   configuration are required.
# - ad : use ActiveDirectory to authenticate users. The associated configuration shall be done in
#   the "ad" section below.
# - ldap : use LDAP to authenticate users. The associated configuration shall be done in the
#   "ldap" section below.
provider = [local]
ad {
# The Windows domain name in DNS format. This parameter is required if you do not use
# 'serverNames' below.
#domainFQDN = "mydomain.local"
# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
# above. If this parameter is not set, TheHive uses 'domainFQDN'.
#serverNames = [ad1.mydomain.local, ad2.mydomain.local]
# The Windows domain name using short format. This parameter is required.
#domainName = "MYDOMAIN"
# If 'true', use SSL to connect to the domain controller.
#useSSL = true
}
ldap {
# The LDAP server name or address. The port can be specified using the 'host:port'
# syntax. This parameter is required if you don't use 'serverNames' below.
#serverName = "ldap.mydomain.local:389"
# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
#serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
# Account to use to bind to the LDAP server. This parameter is required.
#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
# Password of the binding account. This parameter is required.
#bindPW = "***secret*password***"
# Base DN to search users. This parameter is required.
#baseDN = "ou=users,dc=mydomain,dc=local"
# Filter to search user in the directory server. Please note that {0} is replaced
# by the actual user name. This parameter is required.
#filter = "(cn={0})"
# If 'true', use SSL to connect to the LDAP directory server.
#useSSL = true
}
}
## ANALYZERS
#
analyzer {
  # Absolute path where you have pulled the Cortex-Analyzers repository.
  # where the analyzers are kept
  #path = ["/opt/Cortex-Analyzers/analyzers"]
  urls = ["https://dl.bintray.com/thehive-project/cortexneurons/analyzers.json"]
  # Sane defaults. Do not change unless you know what you are doing.
  fork-join-executor {
    # Min number of threads available for analysis.
    parallelism-min = 2
    # Parallelism (threads) ... ceil(available processors * factor).
    parallelism-factor = 2.0
    # Max number of threads available for analysis.
    parallelism-max = 4
  }
}
# where the responders are kept
responder {
path = ["/opt/thehive/responders","/opt/cortex/github-aacgood/Cortex-Analyzers/Responders"]
}
# It's the end my friend. Happy hunting!
After opening the web interface, the database must be initialized.
The key obtained will be placed in TheHive's configuration file so that TheHive can use Cortex.
III. Installing TheHive
yum install thehive
sudo systemctl enable thehive.service
sudo systemctl start thehive.service
sudo systemctl status thehive.service
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload
After installation and before starting the service, the configuration file must be changed:
# Secret Key
# The secret key is used to secure cryptographic functions.
# WARNING: If you deploy your application on several servers, make sure to use the same key.
# this needs to be changed
play.http.secret.key="PBnMSnyrQZD8sY5J69VL0Nj9jfEs0UJnNd3Pupv5MpA2nmJ9bSmYZAoxlAv4dNQn"
# Elasticsearch
search {
  ## Basic configuration
  # Index name.
  index = the_hive
  # ElasticSearch instance address.
  uri = "http://127.0.0.1:9200/"
  ## Advanced configuration
  # Scroll keepalive.
  #keepalive = 1m
  # Scroll page size.
  #pagesize = 50
  # Number of shards
  #nbshards = 5
  # Number of replicas
  #nbreplicas = 1
  # Arbitrary settings
  #settings {
  #  # Maximum number of nested fields
  #  mapping.nested_fields.limit = 100
  #}
  ## Authentication configuration
#@kindsjay @JamesCullum. Changing the application.conf key "search.username" to "user" and "search.password" to "password" resolved this for me on both RC01 and RC02. Thanks to @ag-michael for pointing me towards this fix.
#https://github.com/TheHive-Project/TheHive/issues/1055
# To add ES user authentication, change "search.username" to "user" and "search.password" to "password"
  #search.username = ""
  #search.password = ""
  ## SSL configuration
  #search.keyStore {
  #  path = "/path/to/keystore"
  #  type = "JKS" # or PKCS12
  #  password = "keystore-password"
  #}
  #search.trustStore {
  #  path = "/path/to/trustStore"
  #  type = "JKS" # or PKCS12
  #  password = "trustStore-password"
  #}
}
# Authentication
auth {
  # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
  # available auth types are:
  # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
  # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
  # oauth2 : use OAuth/OIDC to authenticate users. Configuration is under "auth.oauth2" and "auth.sso" keys
  provider = [local]
  # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
  #method.basic = true
  ad {
    # The Windows domain name in DNS format. This parameter is required if you do not use
    # 'serverNames' below.
    #domainFQDN = "mydomain.local"
    # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
    # above. If this parameter is not set, TheHive uses 'domainFQDN'.
    #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
    # The Windows domain name using short format. This parameter is required.
    #domainName = "MYDOMAIN"
    # If 'true', use SSL to connect to the domain controller.
    #useSSL = true
  }
  ldap {
    # The LDAP server name or address. The port can be specified using the 'host:port'
    # syntax. This parameter is required if you don't use 'serverNames' below.
    #serverName = "ldap.mydomain.local:389"
    # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
    #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
    # Account to use to bind to the LDAP server. This parameter is required.
    #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
    # Password of the binding account. This parameter is required.
    #bindPW = "***secret*password***"
    # Base DN to search users. This parameter is required.
    #baseDN = "ou=users,dc=mydomain,dc=local"
    # Filter to search user in the directory server. Please note that {0} is replaced
    # by the actual user name. This parameter is required.
    #filter = "(cn={0})"
    # If 'true', use SSL to connect to the LDAP directory server.
    #useSSL = true
  }
  oauth2 {
    # URL of the authorization server
    #clientId = "client-id"
    #clientSecret = "client-secret"
    #redirectUri = "https://my-thehive-instance.example/index.html#!/login"
    #responseType = "code"
    #grantType = "authorization_code"
    # URL from where to get the access token
    #authorizationUrl = "https://auth-site.com/OAuth/Authorize"
    #tokenUrl = "https://auth-site.com/OAuth/Token"
    # The endpoint from which to obtain user details using the OAuth token, after successful login
    #userUrl = "https://auth-site.com/api/User"
    #scope = "openid profile"
  }
  # Single-Sign On
  sso {
    # Autocreate user in database?
    #autocreate = false
    # Autoupdate its profile and roles?
    #autoupdate = false
    # Autologin user using SSO?
    #autologin = false
    # Attributes mappings
    #attributes {
    #  login = "sub"
    #  name = "name"
    #  groups = "groups"
    #  #roles = "roles"
    #}
    # Name of mapping class from user resource to backend user ('simple' or 'group')
    #mapper = group
    # Default roles for users with no groups mapped ("read", "write", "admin")
    #defaultRoles = []
    #groups {
    #  # URL to retrieve groups (leave empty if you are using OIDC)
    #  #url = "https://auth-site.com/api/Groups"
    #  # Group mappings, you can have multiple roles for each group: they are merged
    #  mappings {
    #    admin-profile-name = ["admin"]
    #    editor-profile-name = ["write"]
    #    reader-profile-name = ["read"]
    #  }
    #}
  }
}
# Maximum time between two requests without requesting authentication
session {
? warning = 5m
? inactivity = 1h
}
# Max textual content length
play.http.parser.maxMemoryBuffer= 1M
# Max file size
play.http.parser.maxDiskBuffer = 1G
# Cortex
# TheHive can connect to one or multiple Cortex instances. Give each
# Cortex instance a name and specify the associated URL.
#
# In order to use Cortex, first you need to enable the Cortex module by uncommenting the next line
play.modules.enabled += connectors.cortex.CortexConnector
# this needs to be changed
cortex {
  "LOCAL CORTEX" {
    url = "http://127.0.0.1:9001"
    key ="ZN4hcdcFSJP3DmfCvYZsjGC9GyOrKj7j"
  }
  #"CORTEX-SERVER-ID" {
  #  url = ""
  #  key = ""
  #  # HTTP client configuration (SSL and proxy)
  #  ws {}
  #}
}
# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.
# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).
#play.modules.enabled += connectors.misp.MispConnector
misp {
  # Interval between consecutive MISP event imports in hours (h) or
  # minutes (m).
  interval = 1h
  #"MISP-SERVER-ID" {
  #  # MISP connection configuration requires at least an url and a key. The key must
  #  # be linked with a sync account on MISP.
  #  url = ""
  #  key = ""
  #
  #  # Name of the case template in TheHive that shall be used to import
  #  # MISP events as cases by default.
  #  caseTemplate = "<Template_Name_goes_here>"
  #
  #  # Optional tags to add to each observable imported from an event
  #  # available on this instance.
  #  tags = ["misp-server-id"]
  #
  #  ## MISP event filters
  #  # MISP filters is used to exclude events from the import.
  #  # Filter criteria are:
  #  # The number of attribute
  #  max-attributes = 1000
  #  # The size of its JSON representation
  #  max-size = 1 MiB
  #  # The age of the last publish date
  #  max-age = 7 days
  #  # Organization and tags
  #  exclusion {
  #    organisation = ["bad organisation", "other organisations"]
  #    tags = ["tag1", "tag2"]
  #  }
  #
  #  ## HTTP client configuration (SSL and proxy)
  #  # Truststore to use to validate the X.509 certificate of the MISP
  #  # instance if the default truststore is not sufficient.
  #  # Proxy can also be used
  #  ws {
  #    ssl.trustManager.stores = [ {
  #      path = /path/to/truststore.jks
  #    } ]
  #    proxy {
  #      host = proxy.mydomain.org
  #      port = 3128
  #    }
  #  }
  #
  #  # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
  #  # Default is ImportAndExport
  #  purpose = ImportAndExport
  #} ## <-- Uncomment to complete the configuration
}
Initialization is required here as well.
Good luck!
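As an added example (not code from the TheHive project), the following Python script audits both application.conf files shown above: the Cortex one, where the template says a secret key must be filled in, and the TheHive one, where the secret key and the cortex block are marked as needing changes. It flags a play.http.secret.key that is missing, too short, or identical to one of the values printed in this guide (a secret that appears in a public tutorial must be considered known), checks that a Cortex API key is present and that the connector module is enabled, and warns when that key would be sent over plain HTTP to a host other than loopback. It also generates a fresh key of the same shape as the guide's. The minimal HOCON parser, the 32-character floor and the two constructed sample configs are assumptions of this example.

```python
"""Audit the secret key and Cortex connector settings of a TheHive or Cortex
application.conf. Added example for this guide, not code from the TheHive project.
Only the flat 'key = value' and 'name { ... }' HOCON lines used above are parsed."""
import re
import secrets
import string
from urllib.parse import urlparse

# The literal play.http.secret.key values printed in the two configs above.
PUBLISHED_KEYS = {
    "XpN0jSW03tWKGQr2MSpI6mizC0oEa8BPY3FgENBgDvCKbk0obep19pDcy2oE7tad",
    "PBnMSnyrQZD8sY5J69VL0Nj9jfEs0UJnNd3Pupv5MpA2nmJ9bSmYZAoxlAv4dNQn",
}
MIN_KEY_LEN = 32  # floor chosen for this example; the guide's keys are 64 characters
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
LINE_RE = re.compile(r"^([\w.\-]+)\s*(\+?=)\s*(.*)$")

def parse_conf(text):
    """Flatten blocks into dotted keys ('cortex.LOCAL CORTEX.url'); '+=' lines collect a list."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                 # block start, possibly a quoted name
            stack.append(line[:-1].strip().strip('"'))
            continue
        if line == "}":
            stack.pop()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = ".".join(stack + [m.group(1)])
        value = m.group(3).strip().strip('"')
        if m.group(2) == "+=":
            settings.setdefault(key, []).append(value)
        else:
            settings[key] = value
    return settings

def generate_secret_key(length=64):
    """Fresh alphanumeric secret from the OS CSPRNG, same shape as the guide's keys."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def secret_key_findings(settings):
    key = settings.get("play.http.secret.key", "")
    if not key:
        return ["play.http.secret.key is missing"]
    if key in PUBLISHED_KEYS:
        return ["play.http.secret.key is a value published in this guide; generate a fresh one"]
    if len(key) < MIN_KEY_LEN:
        return [f"play.http.secret.key is only {len(key)} characters long"]
    return []

def cortex_findings(settings):
    """Checks for TheHive's cortex { } block; returns nothing for a Cortex conf."""
    names = {k.split(".")[1] for k in settings if k.startswith("cortex.") and k.count(".") == 2}
    if not names:
        return []
    findings = []
    if "connectors.cortex.CortexConnector" not in settings.get("play.modules.enabled", []):
        findings.append("cortex block present but connectors.cortex.CortexConnector is not enabled")
    for name in sorted(names):
        if not settings.get(f"cortex.{name}.key"):
            findings.append(f"cortex.{name}: API key is empty")
        target = urlparse(settings.get(f"cortex.{name}.url", ""))
        if target.scheme == "http" and target.hostname not in LOOPBACK_HOSTS:
            findings.append(f"cortex.{name}: API key would travel in clear text to {target.hostname}")
    return findings

def audit_conf(text):
    s = parse_conf(text)
    return secret_key_findings(s) + cortex_findings(s)

# Constructed excerpts: one modelled on the TheHive config above, one misconfigured.
PAGE_STYLE_CONF = '''
play.http.secret.key="PBnMSnyrQZD8sY5J69VL0Nj9jfEs0UJnNd3Pupv5MpA2nmJ9bSmYZAoxlAv4dNQn"
play.modules.enabled += connectors.cortex.CortexConnector
cortex {
  "LOCAL CORTEX" {
    url = "http://127.0.0.1:9001"
    key ="ZN4hcdcFSJP3DmfCvYZsjGC9GyOrKj7j"
  }
}
'''
MISCONFIGURED_CONF = '''
play.http.secret.key="changeme"
cortex {
  "REMOTE" {
    url = "http://cortex.internal.example:9001"
    key = ""
  }
}
'''
```

Call audit_conf on the contents of /etc/cortex/application.conf and of TheHive's application.conf before starting each service; replacing the published key with generate_secret_key() output is enough to clear the first finding, and because both files are checked by the same function the Cortex conf, which has no cortex block, is only held to the secret-key rules.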