Releases: ZacharyPax/WatchtowerStack

Watchtower 2.1.1

21 Mar 19:55
a921d35

For date/revision related files, Watchtower 2.1.1 consists of:

  • Watchtower Prometheus Blackbox Configuration Rev 1
  • Watchtower 2.1.0 Grafana Dashboard Rev 17
  • Watchtower VirusTotal Results OpenSearch Rev 3
  • Sankey SOC Elastic Push Rev 2
  • data-aggregation Rev 2
  • REC Pihole Active Lists 3-12-2024
  • All files without a date or revision number
  • All other files contained in the release's zip archive

Changes since Watchtower 2.1.0

  • Added a network inventory web server
  • Upgraded Security Onion to 2.4.50
  • Added a new node (Rebekah)
  • Added a new node (Zipporah)
  • Significant performance improvements by load balancing resources and utilizing new nodes
  • Improved Grafana dashboard
  • Removed image decoding on Zeek/Strelka to prevent the decoding of sensitive information
  • Updated all hypervisors
  • Fixed dpkg issue on Watchtower-Forensic
  • Updated Proxmox Backup Server
  • Added dedicated network switch "Elijah" between Zipporah, Eve, and Rebekah so that Jehoahaz, Hezekiah, Vashti, and Zechariah can communicate without entering the Meraki stack
  • Updated arpwatch database
  • Updated Dashy configuration with buttons for inventory and new Zechariah virtual machine
  • Added ability for Hezekiah on Eve on Watchtower to automatically delete malicious files as detected by VirusTotal
  • Implemented Yara rule detection parallel to VirusTotal API
  • Various OSSEC configuration changes
  • Updated Wazuh to 4.7.3
  • Updated Grafana to 10.3.3

Watchtower 2.1.0

23 Feb 13:12
645146e

Based on Watchtower 2.1.0 rc1 with the rc1 bugs fixed.

For date/revision related files, Watchtower 2.1.0 consists of:

  • Watchtower Prometheus Blackbox Configuration Rev 1
  • Watchtower 2.0.0 Grafana Dashboard Rev 10 (proposed rename: Watchtower 2.1.0 Grafana Dashboard Rev 10)
  • Sankey SOC Elastic Push Rev 2
  • data-aggregation Rev 2
  • REC Pihole Active Lists 2-16-2024
  • All files without a date or revision number
  • All other files contained in the release's zip archive

Features added since Watchtower 2.0.0

  • SMB Lateral Movement Detection
  • Shared Services VPN Tunnel Access Alert
  • Software Installation Event Dashboard
  • Automatic scanning of hashes for downloaded files with VirusTotal
  • New VirusTotal API Custom Dashboard in OpenSearch on Hezekiah in Wazuh
  • Active Directory Visibility in Grafana
  • Migration of QNAP Data to Synology
  • Created many utility scripts
  • Prevented Zeek from decoding/recreating SMTP/HTTP .pdf and .doc documents, so that sensitive information from iVUE Vault captured in transit is not aggregated
  • Allow Zeek to index .jpeg and .png files from HTTP into Strelka in /nsm
  • Added a new Watchtower Observatory button for H: drive access, without the background SMB noise generated by group policy and similar sources
  • Added processes running graph to Grafana Dashboard
  • Added more lists for DNS blocking
  • TCP 57314 opened on David for Strelka UI Docker container on Korah
    • Strelka UI proof-of-concept operational
  • Rebuilt Prometheus
  • Rebuilt HTTPd

Watchtower 2.1.0 rc1

20 Feb 13:24
b23be00

Likely to become release 2.1.0 once the registry bug is fixed.

For date/revision related files, Watchtower 2.1.0 rc1 consists of:

  • Watchtower Prometheus Blackbox Configuration Rev 1
  • Watchtower 2.0.0 Grafana Dashboard Rev 8 (proposed rename: Watchtower 2.1.0 Grafana Dashboard Rev 8)
  • Sankey SOC Elastic Push Rev 2
  • data-aggregation Rev 2
  • REC Pihole Active Lists 2-16-2024
  • All files without a date or revision number

Features added since Watchtower 2.0.0

  • SMB Lateral Movement Detection
  • Shared Services VPN Tunnel Access Alert
  • Software Installation Event Dashboard
  • Automatic scanning of hashes for downloaded files with VirusTotal
  • Active Directory Visibility in Grafana
  • Migration of QNAP Data to Synology
  • Created many utility scripts
  • Prevented Zeek from decoding/recreating SMTP/HTTP .pdf and .doc documents, so that sensitive information from iVUE Vault captured in transit is not aggregated
  • Allow Zeek to index .jpeg and .png files from HTTP into Strelka in /nsm
  • Added a new Watchtower Observatory button for H: drive access, without the background SMB noise generated by group policy and similar sources
  • Added processes running graph to Grafana Dashboard
  • Added more lists for DNS blocking
  • TCP 57314 opened on David for Strelka UI Docker container on Korah
    • Strelka UI proof-of-concept operational
  • Rebuilt Prometheus
  • Rebuilt HTTPd
  • Properly installed VirtIO Red Hat drivers on Vashti
  • QEMU Guest Integration Fixed on Vashti
  • Major upgrade to Watchtower Stack Sankey Generator
  • Added Prometheus Blackbox support for ICMP and HTTP Status Monitoring
  • Dozens, if not hundreds, of bug fixes and performance improvements

Watchtower 2.0.0

22 Jan 16:41
4a96c28

  • MINOR UPDATE: Updated “Adam” Proxmox Hypervisor (192.168.0.138)
  • MINOR UPDATE: Updated RAID0 Proxmox Backup Server (192.168.0.116)
  • MINOR UPDATE: Updated RAIDZ Proxmox Backup Server (192.168.0.182)
  • MINOR UPDATE: Updated Hezekiah (192.168.0.181)
    • INFO: Running latest Wazuh (4.7.2)
  • MAJOR UPDATE: Updated Jehoahaz (192.168.0.67)
    • INFO: Major Grafana update I’ve held back (OSS 10.0 -> OSS 10.2.3)
  • MAJOR UPDATE: Rebuilt David Virtual Machine.
  • INFO: Updated Security Onion to version 2.4.40!
  • IMPROVEMENT: Increased endpoint event log retention by an additional three weeks via PBS
    • INFO: Cron job not changed.
    • INFO: Increased frequency of garbage collection.
    • INFO: New retention period – ≈90 days hot and ≈118 days cold
  • IMPROVEMENT: Prometheus cold retention increased by an additional three weeks.
    • INFO: New retention period – ≈14 days hot and ≈44 days cold
  • IMPROVEMENT: Created query on Jehoahaz to alert when JA3 Proofpoint IDS known-malicious hashes are detected, including hashes of SSL/TLS encrypted downloads.
  • IMPROVEMENT: Created query on Jehoahaz to alert when cryptocurrency mining activity is detected.
  • IMPROVEMENT: Created query on Jehoahaz to alert when botnet activity is detected.
  • IMPROVEMENT: Changed the mathematical formulas used to calculate real-time CPU usage with Prometheus to increase accuracy.
  • NEW: Backing up databases into a cold-storage state is now practical due to accurate PCAP retention statistics in the Influx database. This cold storage should be off-hypervisor to prevent performance bottlenecks.
  • NEW: Created “watchtower-environment-preparation.sh” – a simple Bash script on Adam to improve cold-boot times and usability if someone other than me needs to boot from a pre-hypervisor state.
    • INFO: See ‘Watchtower Basic Installation Procedure’ page 5 and page 8 for detailed explanations of some of the following procedures.
    • INFO: Turns off swap.
    • INFO: Uses ‘brctl’ to create promiscuous sniffing bridges.
    • INFO: Forces the forwarding of traffic to David.
    • INFO: Prevents the aging of MAC addresses at the packet level to increase network visibility for the guest virtual machines.
    • INFO: Starts the Proxmox Virtual Environment Prometheus Exporter for integration with Vashti and Jehoahaz.
    • INFO: Located at [filesystem root]/watchtower-custom/watchtower-environment-preparation.sh
  • NEW: Developed a strategy to keep non-Elastic, non-PCAP historical connection data at a rate of approximately 850 megabytes per day.
  • CHANGE: Disabled arpwatch@enp3s0f0.service on Adam
  • CHANGE: Merged ‘Sankey Generator’ with ‘Watchtower Observatory’
  • CHANGE: Removed total throughput indicator on Grafana.
  • FIX: Fixed syntax of custom JSON rule for brute-force detection on Windows endpoints with Wazuh.
  • CHANGE: Lowered the brute-force alert threshold from >5 failed attempts to >3.
  • FIX: Changed the 192.168.0.0/24 subnet to 192.168.0.67/32 in the firewall host-group allowed to consume Redis database logs.
    • INFO: This fixed a minor vulnerability where any user on VLAN 1 could intercept SHA1 and MD5 hashes of files being transmitted via SMTP, HTTP, or SMB.
  • FIX: Added the 192.168.3.0/24 subnet to the analyst firewall host-group.
  • FIX: Fixed a syntax error in the Berkeley Packet Filter configuration that caused some hosts that should have been whitelisted to be missed.
  • FIX: Fixed broken Grafana dashboard after the Grafana update.
  • FIX: TLS client/server hashes and the new Elastic ‘id’ (instead of ‘_id’) index location were interfering with custom Grafana JSON.
  • FIX: Creating a case in Security Onion broke the Elasticsearch database by creating an index with the color “white” instead of “green.”
  • FIX: Correlations never used to work properly, now they do. I’m not sure what fixed this issue.
  • FIX: Kernel Samepage Merging was not working very well (resolved by the update plus more current guest kernels).
    • INFO: This has led to a substantial increase in performance due to lowered memory pressure.
  • FIX: Fixed broken Dashy iconography.