Some last prep for Day1

Author: mpihelgas

Arkime/package_setup/README.md

@@ -5,16 +5,16 @@
 Download arkime package from [the official download page](https://arkime.com/downloads) and install it with your package manager.
 
 ```
-dpkg -i arkime_3.4.2-1_amd64.deb
+dpkg -i arkime_4.3.1-1_amd64.deb
 ```
 
-On debian, this will fail.
+On debian/ubuntu, this will fail.
 
 ```
 Selecting previously unselected package arkime.
 (Reading database ... 111873 files and directories currently installed.)
-Preparing to unpack arkime_3.4.2-1_amd64.deb ...
-Unpacking arkime (3.4.2-1) ...
+Preparing to unpack arkime_4.3.1-1_amd64.deb ...
+Unpacking arkime (4.3.1-1) ...
 dpkg: dependency problems prevent configuration of arkime:
  arkime depends on libwww-perl; however:
   Package libwww-perl is not installed.
@@ -42,7 +42,7 @@ cd /opt/arkime
 ```
 
 ```
-vagrant@setup:/opt/arkime$ ls -lah
+student@student-linux:/opt/arkime$ ls -lah
 total 1.3M
 drwxr-xr-x  16 root root 4.0K Jun  7 19:21 .
 drwxr-xr-x   4 root root 4.0K Jun  7 19:21 ..
@@ -66,38 +66,38 @@ drwxr-xr-x   6 root root 4.0K Jun  7 19:21 viewer
 drwxr-xr-x   4 root root 4.0K Jun  7 19:21 wiseService
 ```
 
-## Get elastic up and running
+## Get elasticsearch up and running
 
 Set up elasticsearch.
 
 ```
-docker run -ti -d --name arkime-elastic -v elastic_data:/usr/share/elasticsearch/data:rw -p 127.0.0.1:9200:9200 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.17.4
+docker run -ti -d --name arkime-elastic -v elastic_data:/usr/share/elasticsearch/data:rw -p 127.0.0.1:9200:9200 -e "discovery.type=single-node" -e "xpack.security.enabled=false" --restart unless-stopped docker.elastic.co/elasticsearch/elasticsearch:8.8.1
 ```
 
-Verify that elastic is up and running. You can check logs.
+Verify that elastic is up and running. You can check logs...
 
 ```
 docker logs arkime-elastic --follow
 ```
 
-Or interact with elastic API.
+...or interact with elastic API.
 
 ```
-vagrant@setup:~$ curl -ss localhost:9200
+student@student-linux:~$ curl -ss http://localhost:9200
 {
-  "name" : "5c7c756cb80d",
+  "name" : "43194d1deb40",
   "cluster_name" : "docker-cluster",
-  "cluster_uuid" : "574c5K-jQA2IcfoLaCgRAg",
+  "cluster_uuid" : "lWs_x9FMSNKgd3V2AcDipA",
   "version" : {
-    "number" : "7.17.4",
+    "number" : "8.8.1",
     "build_flavor" : "default",
     "build_type" : "docker",
-    "build_hash" : "79878662c54c886ae89206c685d9f1051a9d6411",
-    "build_date" : "2022-05-18T18:04:20.964345128Z",
+    "build_hash" : "f8edfccba429b6477927a7c1ce1bc6729521305e",
+    "build_date" : "2023-06-05T21:32:25.188464208Z",
     "build_snapshot" : false,
-    "lucene_version" : "8.11.1",
-    "minimum_wire_compatibility_version" : "6.8.0",
-    "minimum_index_compatibility_version" : "6.0.0-beta1"
+    "lucene_version" : "9.6.0",
+    "minimum_wire_compatibility_version" : "7.17.0",
+    "minimum_index_compatibility_version" : "7.0.0"
   },
   "tagline" : "You Know, for Search"
 }
@@ -122,7 +122,7 @@ cd /opt/arkime/db
 And call the database management script.
 
 ```
-vagrant@setup:/opt/arkime/db$ ./db.pl localhost:9200 init
+student@student-linux:/opt/arkime/db$ ./db.pl localhost:9200 init
 It is STRONGLY recommended that you stop ALL Arkime captures and viewers before proceeding.  Use 'db.pl http://localhost:9200 backup' to backup db first.
 
 There is 1 elastic search data node, if you expect more please fix first before proceeding.
@@ -136,7 +136,7 @@ Finished
 Verify the elastic indices.
 
 ```
-vagrant@setup:/opt/arkime/db$ curl -ss localhost:9200/_cat/indices
+student@student-linux:/opt/arkime/db$ curl -ss localhost:9200/_cat/indices
 green open arkime_lookups_v30  Xh0RlVK8RGCNosJqQdoM9g 1 0  0  0   226b   226b
 green open .geoip_databases    ObOMS7HdSzysFuJ1Ju8jew 1 0 40  0 38.1mb 38.1mb
 green open arkime_sequence_v30 0SLIuYNCQ1eFM5NfZLp9Aw 1 0  0  0   226b   226b

Arkime/queries/README.md

@@ -3,7 +3,7 @@
 Arkime viewer already includes comprehensive documentation under `/help` url, aka *the owl logo*. This section only serves to provide some context and examples. **Please refer to official docs for up-to-date reference for field types, supported expressions, etc**.
 
 See your `singlehost` VM Arkime installation for `/help`
- * http://192.168.56.11:8005/help
+ * http://<singlehost-ip>:8005/help
 
 ## Viewer tabs
 
@@ -53,15 +53,18 @@ User administration tab. Various user account limitations can be can be configur
 
 ## Tasks
 
-**On exercise Arkime data.**
+**NB! These tasks are meant to be performed on real cyber exercise data (not simulated traffic in `singlehost` VM). Please wait for the instructors to provide credentials and guidelines on accessing the Exercise Arkime environment.**
 
- * Find plaintext http on port 443;
- * Filter for traffic that contains data;
- * Investigate time-series data per gamenet host;
- * Drill down to specific protocols;
- * Investigate traffic between workstations;
+ * Find plaintext HTTP on port 443;
+ * Sometime there's no data in a session. Filter for traffic that contains data;
+ * Investigate time-series data per gamenet host (pick some hosts of interest);
+ * Drill down to specific protocols (HTTP, SMB, TLS, etc.);
+ * Investigate traffic between workstations, don't forget IPv6;
  * Filter only traffic for your team;
 
+If you are done with those, more tasks might be available from the instructors.
+
+
 # API
 
 [Arkime v3 API reference](https://arkime.com/apiv3)
@@ -72,24 +75,30 @@ Viewer is nothing more than HTTP endpoint behind digest authentication that aggr
 
 # Hunting trip
 
-## Task
+## RT sessions in the classroom
+
+ * We might have someone from various RT sub-teams brief us on their activities during the previous Exercise.
+ * Pay attention to: Which machines were involved? When was the attack conducted? Which protocols were used? Was it encrypted or not?
+ * Takes notes! This information might be useful later when hunting for those specific attacks/events.
+
+## Tasks
 
  * Your task is to group up and go on a hunting trip. 
   * The goal, if it can be called like that, is to investigate sessions and IP addresses to identify Red team servers, compromised hosts, strange traffic patterns and possible causes, to differentiate scoring and connectivity from malicious traffic, etc. 
   * **There are no right or wrong answers, no ground truth!!!** Only traffic that is interesting and noise. 
   * **Note down your findings and possible explanations**.
   * Present your approach and findings at the end!
-  * You may be called to give a status update during work. Don't be afraid to say you are stuck - other teams may have ideas or suggestions to help you out.
+  * You may be called to give a status update during work. Don't be afraid to say you are stuck - other people (or instructors) around you may have ideas or suggestions to help you out.
 
-Some ideas and suggestions for getting started:
+## Some ideas and suggestions for getting started:
  * No one query nor API call will give you the whole picture, you must pivot between queries.
   * Use API to your advantage for collectiong possible indicators, then investigate by hand. Write off sessions that are not interesting, collect new indicators from those that are. Rinse and repeat.
- * Start by looking for common indicators - script tags in user-agents and URL-s, mistyped domains, strange peaks of traffic, IDS alerts, well-known protocols on non-standard ports, non-standard protocol on standardized ports, etc. Then look at involved IP addresses. Anything coming from simulated internet? See what else has that IP doing.
- * IP addresses can be changed but may nevertheless exhibit common patterns, for example ja3 hashes, TLS certificate fingerprints, common URI patterns, cookies, etc.
+ * Start by looking for common indicators - script tags in user-agents and URL-s, mistyped domains, strange peaks of traffic, IDS alerts, well-known protocols on non-standard ports, non-standard protocol on standardized ports, etc. Then look at involved IP addresses. Anything coming from the simulated internet? See what else has that IP doing.
+ * IP addresses can be changed but may nevertheless exhibit common patterns, for example JA3 hashes, TLS certificate fingerprints, common URI patterns, cookies, etc.
  * Arkime lets you apply views and tag sessions. Use that! If something is not interesting, mark it as such and get rid of it. Whatever is left might be interesting.
  * So, you found one connection going to or coming from a CnC server...and then nothing. It may be initial compromise and interesting traffic is happening through some other IP or protocol. Are there any new streams that started exactly after that initial session?
  * What about traffic between targets and workstations? Any patterns or indicators for filtering out lateral movement?
- * Do not forget that you can also search from packets in Hunt tab. Just be sure to apply a strong expression beforehand. Let's not kill the capture server.
+ * Do not forget that you can also search from packets in Hunt tab. Just be sure to apply a strong expression beforehand. There's a lot of PCAPs. Let's not kill the Arkime server.
  * Have a cool idea for search but no idea how to do it in Arkime? Ask the instructurs, that's why we are here.
- * On that note, have a cool idea and making progress? Let us and other teams know. We can mark it down and help out everyone.
+ * On that note, have a cool idea and making progress? Let us and others know. We can mark it down and help out everyone.
  * ...your suggestions go here...

common/day_intro.md

@@ -12,7 +12,7 @@
   * Make students go through painful troubleshooting on purpose!
   * You don't store this knowledge from listening to lectures or copy-pasting commands
 * Coffee breaks
-  * Grab a coffee/tea when you need it
+  * Get a coffee/tea/break when you need it
 * Lunch
 * Smoking
 * Social
@@ -21,8 +21,8 @@
 ## Tooling
 
 * GitHub
-* Vagrant
+* Vagrant (optionally)
 * Linux
 * Command line
-* Jupyter notebooks
 * Docker
+* Jupyter notebooks

singlehost/README.md

@@ -1,4 +1,4 @@
-# System requirements for the classroom training
+# Minimal system requirements if you are building it for yourself in the class
 
   * Host OS: Linux or MacOS preferred, with Windows you are responsible for making vagrant and SSH work;
     * Please avoid nested virtualization (i.e, Virtualbox inside Linux inside VMware workstation on a Windows machine);