Hi All, just a quick update from me, because a few things have changed since I created this video, you can find an updated version of this docker-compose.yml file on my GitHub, which will hopefully iron out any issues you may have while completing this.
github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update/blob/main/docker-compose.yml
MISP does not start, it stays loading in Firefox and never appears
I have the same problem, have you found the cause? @@JEANLEONARDOESTRADAROQUE-h1s
@@JEANLEONARDOESTRADAROQUE-h1s I had the same issue; in my case it worked to change the 10.0.x IP of MISP in the docker-compose file to the public IP assigned to the host running the services.
Fantastic so far. Now I have all my security in one place. Can't help wondering if smaller containers like Alpine and all-in-one setups like pods are more efficient. For example Wazuh, TheHive and Cortex could all be in one container, reducing the number of databases. They are made to work together.
Thanks for watching! Yes, you could most definitely use Alpine and run Docker, then create a docker-compose file and launch all those containers from one place.
Salute! I got a problem with starting MISP - "Could not locate the PGP public key", what can I do?
Did you solve it?
I'm waiting for Ep11! Thank you so much!!!
I'm waiting for Ep12! Thank you so much!!! @LS11 Cyber Security Education
Just what I was looking for! Thank you for uploading.
Hi .. so I tried installing following your tutorial but instead of strangebee/thehive I used thehiveproject/thehive4. Everything installed well and I can see all the containers are up and services listening on the designated ports. My problem is when I try to browse the server's IP in the browser I get nothing on both http and https, that is for TheHive and MISP. Cortex loads but I can't get past the update database. What could I be missing?
Hi George, two things come to mind. It sounds like your containers are not communicating correctly on the container-internal network. Double check that all your containers have been joined to the SOC_NET network like I use in my docker-compose.yml file. The other thing is that because you are using a different TheHive image (version 4), the entrypoint script used by the docker container in version 4 may not be accepting or interpreting all the setup commands we are providing in the command section, which links up the databases and other services correctly. With previous versions of TheHive you had to supply an application.conf file which includes all the setup for Cassandra, Elasticsearch etc.
It is really a tough one for me to answer without looking at your logs to see where it's failing. Can I suggest that when you run docker-compose up and it begins to spew out all that setup text in your terminal, you work through that and see if you can spot any errors or warnings and troubleshoot from there.
Trouble with Cortex. After entering user credentials and pressing create nothing happened. After page reload I get "user init not found".
Same thing after redoing everything over.
same here
@@zedhacking I think it had something to do with the username or password in my case.
After I entered some randomly generated string into the fields it worked.
Great video series. What if we have more than 2 analysts? I mean that TheHive version 5 supports only 2 normal users. Can you provide old hive (ex. version 4) docker-compose file, with MISP and cortex?
Can you help.
How to configure minio to be able to save the attachment on theHive
You are awesome man! Appreciate it
Glad I could help, thanks for watching!
Thank you very much for your video. Did you run your yaml code on the Wazuh-configured Windows 10 VM? Or does your computer have VirtualBox?
Why, after finishing all the installation, and the system is up and running with all configuration, after 2 or 3 days, does it reset all users and delete the organization created?
Thank you. I have an issue, Cortex is not updating.
Hi, I deployed TheHive Cortex but I can not create analyzer in Cortex. There is no option for "Data Type". Please Help ;d
Hello my friend. I don't understand your architecture: where have you installed Docker (in a VirtualBox VM on the internal network, or on your host machine where you installed VirtualBox)? I saw your architecture in previous episodes that uses a FW with a NAT interface (for WAN) and an Internal Network (for LAN). Please give more details about this installation.
Hi, thanks for watching, in this video, I am using a single Ubuntu Server running Docker and it is connected to an internal virtual network along with a Windows VM on the same internal virtual network. The firewall is also on this internal network to provide internet access. I am then using PowerShell on the windows VM to SSH into the Ubuntu Server to configure the docker-compose.yml file, hopefully this helps.
Can I work on the same SOAR build but using the ELK stack as SIEM instead of Wazuh?
Hello Mr. LS111, great content, however I keep getting this error.
docker.errors.DockerException: Error while fetching server API version: HTTPConnection.request() got an unexpected keyword argument 'chunked'
Please can you help out?
Same here
Good afternoon!
I tried to install according to your configuration, but with the docker stratum, an error occurs that there is not enough memory.
What are the requirements for a virtual server?
How is the OS version?
How many processors?
How much RAM memory?
Hi there! I used 12GB RAM, 6 vCPUs on Ubuntu 20.04 server running Docker. You should be able to get away with 8GB RAM though. Hope this helps and thanks for watching!
@@ls111cyberEd Thx.
I reduced the virtual server memory to 4 GB and reinstalled the project. No matter how strange it may sound, but at the moment I don’t see any messages about running out of memory and killing the process, the error associated with cassandra has also disappeared, but when initializing the database schema in thehive, an error occurs, which leads to the suspension of the process:
docker-compose-thehive-1 | [info] o.t.s.m.Database [|] Creating database schema
docker-compose-thehive-1 | [info] o.t.s.m.Operations [|] *** UPDATE SCHEMA OF thehive-enterprise (4): Update graph: Add taskRule in share
docker-compose-thehive-1 | [error] o.t.s.m.Database [|] ***********************************************************************
docker-compose-thehive-1 | [error] o.t.s.m.Database [|] * Database initialisation has failed. Restart application to retry it *
docker-compose-thehive-1 | [error] o.t.s.m.Database [|] ***********************************************************************
docker-compose-thehive-1 | [error] o.t.t.TheHiveStarter [|] TheHive startup failure
docker-compose-thehive-1 | org.thp.scalligraph.ScalligraphApplicationImpl$InitialisationFailure: Database initialisation failure
Have you had similar problems? Do you have any idea how to fix it?
Special thanks for your work.
I have followed the same steps but couldn't load up MISP. Apart from that all are working. A page loading error comes for MISP. Could someone please help?
Having the same problem with MISP.
Did you find the way to fix it?
Basically everything is installed properly but on an Ubuntu VM, so the IP address is not the same.
When I try to connect with my IP address it doesn't work, even if I changed the HOSTNAME in the docker-compose file to my IP, and I tried it with localhost, it didn't work either.
What should I do?
any video for same topic but TheHive4?
So TheHive, Cortex, MISP and all of that stuff are on only a single server? Is it good to do that if I have to bring up the service in a company?
Hi, thanks for watching. In an enterprise environment, it is generally a best practice to separate each of these services across multiple servers for scalability and redundancy reasons. In the context of this video, it was my intention to create a single, easy deployment lab using docker containers, to save whoever is watching the time and frustrations of setting up each individual service themselves, so that they can almost immediately start exploring examples of the types of tools used in a SOC.
I don't understand when to start following the steps , please help
Hello, I got this error when I try to install it:
ERROR: The Compose file './docker-compose.yml' is invalid because:
Unsupported config option for services.cassandra: 'mem_limit'
Unsupported config option for services.elasticsearch: 'mem_limit'
Unsupported config option for services.thehive: 'mem_limit'
Just comment out these lines with "#" and you're ready!
Example like this:
  cassandra:
    image: 'cassandra:4'
    restart: unless-stopped
    #mem_limit: 1000m
    ports:
and likewise for the other lines.
Because you are using Ubuntu, right? Maybe you could use RHEL for this issue, or you can comment out mem_limit with #.
you can update docker-compose to 1.29 and it will work
is it also possible to build individual VMs for HIVE, MISP, and CORTEX and integrate them as you have with Docker?
Hi Maurice, thanks for watching, yes you can definitely do this, you will need to manually install each service on its respective VM and all your VMs will need to be part of the same virtual network.
how to add responders and analyzers to the container?
Hi, thanks for watching, you can check these two videos:
th-cam.com/video/F9aCAYwP9do/w-d-xo.html
th-cam.com/video/YuMn02vTe5k/w-d-xo.html
sometimes docker compose up will do the trick.
Please, how can I solve this error: error the hive latest not found manifest unknown
Hi, thanks for watching! Please try using the updated docker-compose.yml config on my GitHub, there were a few changes that happened roughly 2 weeks ago with The Hive docker image where it seems they have removed the :latest tag. I have updated the .yml to use version 5.2. Hopefully, this helps.
github.com/ls111-cybersec/thehive-cortex-misp-docker-compose-lab11update/blob/main/docker-compose.yml
use the new link with yml file instead of old
How do I reset the web console password to Cortex UI
How to find Ip address
Please I am facing many issues ...could we meet online for troubleshooting
You should remove the old link. It gets caught up with a zombie on autopilot, like me, who just uses the wrong yml code without thinking :)
we are waiting for you 💔
Hi, thanks for watching! Please checkout my latest video if you have not already seen it:
th-cam.com/video/F9aCAYwP9do/w-d-xo.html
Hello,
I am getting
Protocol initialization request, step 1 (OPTIONS): failed to send request (io.netty.channel.StacklessClosedChannelException))
thehive_1 | [warn] o.t.s.u.Retry [|] An error occurs (java.lang.IllegalArgumentException: Could not instantiate implementation: org.janusgraph.diskstorage.cql.CQLStoreManager), retrying (2/10)
it continues 10 times and fails.
Any ideas - I seem to be stuck.
I got the same error and I think Cassandra doesn't do very well with the set mem_limit (=1000m). You can remove the mem_limit and try using "- MAX_HEAP_SIZE=1G" & "- HEAP_NEWSIZE=1G" options under the environment block for Cassandra.
Same for me
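The fixes that come up across this thread (every container joined to the SOC_NET network, the MISP HOSTNAME set to an address the analyst's browser can actually reach, and an explicit Cassandra heap instead of a bare mem_limit) combined into one compose fragment. This is an added example, not the author's docker-compose.yml from GitHub: only cassandra:4 and strangebee/thehive 5.2 are image tags taken from the thread, the Elasticsearch tag and the MISP image are placeholders, the MISP HOSTNAME variable is assumed from the comments above, the 192.0.2.10 address is a constructed documentation IP, and the heap sizes are illustrative values for a small lab host. TheHive's own setup flags are left out rather than guessed.

```yaml
# Added example, not the lab's own docker-compose.yml. Placeholders are marked.
version: '3.8'

services:
  cassandra:
    image: 'cassandra:4'
    restart: unless-stopped
    # Weak setting from the thread: a hard limit below the JVM's default heap
    # (a quarter of host RAM) gets the container OOM-killed, which surfaces in
    # TheHive as the "Could not instantiate ... CQLStoreManager" retry loop.
    # mem_limit: 1000m
    # Corrected: pin the heap explicitly (both variables must be set together)
    # and keep any container limit comfortably above it for off-heap memory.
    environment:
      - MAX_HEAP_SIZE=1G        # total JVM heap
      - HEAP_NEWSIZE=256M       # young generation, roughly 1/4 of MAX_HEAP_SIZE
    deploy:
      resources:
        limits:
          memory: 2G            # honoured by Compose v2 (or docker-compose --compatibility)
    volumes:
      - cassandra-data:/var/lib/cassandra
    networks:
      - SOC_NET

  elasticsearch:
    image: 'docker.elastic.co/elasticsearch/elasticsearch:7.17.0'   # placeholder tag
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms1g -Xmx1g   # same idea: fixed heap, no surprise OOM kill
    volumes:
      - es-data:/usr/share/elasticsearch/data
    networks:
      - SOC_NET

  thehive:
    image: 'strangebee/thehive:5.2'
    restart: unless-stopped
    depends_on:
      - cassandra
      - elasticsearch
    # command: <setup flags as in the author's file; omitted here, not guessed>
    ports:
      - '9000:9000'
    networks:
      - SOC_NET               # must share this network with cassandra/elasticsearch,
                              # otherwise the hostnames above do not resolve

  misp:
    image: 'misp-image:tag'   # placeholder, the MISP image is not named in the thread
    restart: unless-stopped
    environment:
      # MISP redirects the browser to this URL, so it must be the host address the
      # analyst reaches, not an address that only exists inside the lab network.
      - HOSTNAME=https://192.0.2.10   # constructed example address
    ports:
      - '443:443'
    networks:
      - SOC_NET

networks:
  SOC_NET:
    driver: bridge            # one isolated bridge for all lab services

volumes:
  cassandra-data:
  es-data:
```

For the mem_limit error itself, an older docker-compose (v1) rejects `mem_limit` in a `version: '3'` file, which is why the two replies above suggest either commenting it out or upgrading; with Compose v2 the `deploy.resources.limits` form is the portable way to cap a service, and whichever form is used, the cap should sit above the heap configured for the JVM inside.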