1.5.2 • Published 2 years ago

cstiedr v1.5.2


Introduction

The cstiedr-ActiveResponse (AR) project gives the iii-csti EDR an active response capability. It covers authentication between the Server and Agent, secure transmission, status management, and the implementation of the Active Response script. It also provides a Python interface that allows automatic block actions against specific agents.

Target Systems

  • Server: Developed for Linux platforms (tested on Ubuntu 22.04).
  • Agent: Designed for both Windows 10 and Linux (tested on Ubuntu 22.04).

Usage

This project encompasses three distinct roles: Server, AgentControl, and Agent.

Functional Descriptions

  • Server: This component operates the authentication server, which acts as the primary server for agent key registration. Moreover, it runs the transmission server, serving as the central hub for the entire transmission architecture.
  • AgentControl: Through Python scripts, this utility interacts with the server using the pre-packaged pyagentctrl module, controlling the agent to execute block actions.
  • Agent: Once registered, the agent maintains a connection with the server, awaiting and executing block commands when instructed.

Execution Instructions

Server

  1. Download the executable files.
  2. Launch the authentication server in the first terminal window:

    cd ~/server/bin/ && ./authserver
  3. Start the transmission server in a second terminal window:

    cd ~/server/bin/ && ./transserver

AgentControl

  1. Download the executables and ensure Python 3 is installed in your Ubuntu environment.
  2. Run the authagent:

    cd ~/ctrl/bin/ && ./authagent 127.0.0.1
  3. Execute the Python script:

    cd ~/ctrl/bin/ && python3 Example.py
    • Note: The script will attempt to connect with the server at 127.0.0.1:1234.
    • Important: The target agent must be in an "active" state for operations to take effect.

Agent

  1. Download the executable files.
  2. Execute the permission setup script:

    cd ~/project-root
    chmod +x PermissionSetup.sh
    sudo ./PermissionSetup.sh
  3. Launch the authagent:

    cd ~/agent/bin/
    sudo -u cstiedr ./authagent 127.0.0.1
  4. Then, from the same directory, run the transagent:

    sudo -u cstiedr ./transagent 127.0.0.1
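
A pre-launch check for the Agent steps above, as an added example that is not part of the cstiedr project: it confirms the service account exists and that nothing in the agent's bin directory is group- or world-writable before the binaries are started under that account. The function names are hypothetical; the account name, path and binary names are taken from the commands above, and what PermissionSetup.sh itself configures is not documented on this page.

```shell
#!/bin/sh
# Added example: pre-launch checks for the Agent role (not project code).
# Function names are hypothetical; the account name (cstiedr), the bin path
# and the two binary names are taken from the README commands.

# List entries under $1 that are group- or world-writable.
# Returns 0 if none, 1 if any were found, 2 if the directory is missing.
writable_entries() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    found=$(find "$dir" \( -type f -o -type d \) \
                 \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Succeeds when the named account exists.
account_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Run every check; print the first failure and return non-zero.
agent_preflight() {
    bin_dir=${1:-"$HOME/agent/bin"}
    user=${2:-cstiedr}
    if ! account_exists "$user"; then
        echo "account '$user' not found"; return 1
    fi
    if ! writable_entries "$bin_dir" >/dev/null; then
        echo "$bin_dir is missing or has group/world-writable entries"; return 1
    fi
    for exe in authagent transagent; do
        if [ ! -x "$bin_dir/$exe" ]; then
            echo "$exe missing or not executable in $bin_dir"; return 1
        fi
    done
    echo "preflight ok"
}

# Usage: agent_preflight && sudo -u cstiedr ./authagent 127.0.0.1
```

The check looks only at mode bits inside the bin directory; file ownership and the permissions of parent directories are outside what it covers.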

Contact

Author: Jerry Hung from iii-csti

Email: poplol0900@gmail.com

1.5.2

2 years ago

1.5.1

2 years ago

1.5.0

2 years ago

1.4.0

2 years ago

1.3.1

2 years ago

1.3.0

2 years ago

1.2.0

2 years ago

1.1.0

2 years ago

1.0.1

2 years ago

1.0.0

2 years ago