Merge branch 'development' of https://github.com/mmguero-dev/Malcolm …

…into kubernetes
idaholab · Mar 29, 2023 · 08727f2 · 08727f2
2 parents 95fb337 + 0c28230
commit 08727f2
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
@@ -196,6 +196,8 @@ Should Malcolm analyze live network traffic with Suricata? (y/N): y
 
 Should Malcolm analyze live network traffic with Zeek? (y/N): y
 
+Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek? (y/N): n
+
 Specify capture interface(s) (comma-separated): eth0
 
 Capture filter (tcpdump-like filter expression; leave blank to capture all traffic) (): not port 5044 and not port 8005 and not port 9200

diff --git a/scripts/install.py b/scripts/install.py
@@ -824,11 +824,22 @@ def tweak_malcolm_runtime(
             'Should Malcolm enrich network traffic using NetBox?',
             default=netboxEnabled,
         )
+        netboxSiteName = (
+            InstallerAskForString(
+                'Specify default NetBox site name',
+                default='',
+            )
+            if netboxEnabled
+            else ''
+        )
+        if len(netboxSiteName) == 0:
+            netboxSiteName = 'Malcolm'
 
         # input packet capture parameters
         pcapNetSniff = False
         pcapTcpDump = False
         liveZeek = False
+        zeekICSBestGuess = False
         liveSuricata = False
         pcapIface = 'lo'
         tweakIface = False
@@ -849,6 +860,10 @@ def tweak_malcolm_runtime(
         liveSuricata = InstallerYesOrNo('Should Malcolm analyze live network traffic with Suricata?', default=False)
         liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=False)
 
+        zeekICSBestGuess = (autoZeek or liveZeek) and InstallerYesOrNo(
+            'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', default=False
+        )
+
         if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata:
             pcapIface = ''
             while len(pcapIface) <= 0:
@@ -998,6 +1013,12 @@ def tweak_malcolm_runtime(
                 'FREQ_LOOKUP',
                 TrueOrFalseNoQuote(autoFreq),
             ),
+            # NetBox default site name
+            EnvValue(
+                os.path.join(args.configDir, 'netbox-common.env'),
+                'NETBOX_DEFAULT_SITE',
+                netboxSiteName,
+            ),
             # enable/disable netbox
             EnvValue(
                 os.path.join(args.configDir, 'netbox-common.env'),
@@ -1202,6 +1223,12 @@ def tweak_malcolm_runtime(
                 'EXTRACTED_FILE_UPDATE_RULES',
                 TrueOrFalseNoQuote(fileScanRuleUpdate),
             ),
+            # disable/enable ICS best guess
+            EnvValue(
+                os.path.join(args.configDir, 'zeek.env'),
+                'ZEEK_DISABLE_BEST_GUESS_ICS',
+                '' if zeekICSBestGuess else TrueOrFalseNoQuote(not zeekICSBestGuess),
+            ),
             # live traffic analysis with Zeek
             EnvValue(
                 os.path.join(args.configDir, 'zeek-live.env'),