
Installation Guide for OpenSource theHive (Version 4 and Earlier)

by 올엠, 2024. 12. 23.

Starting with version 5, theHive appears to be moving to a partly paid model.

Here I want to summarize how versions up to 4 can still be used as OpenSource.


How to use this image
To use the Docker image, you must use Docker (courtesy of Captain Obvious).

TheHive requires Elasticsearch to run. You can use docker-compose to start them together in Docker or install and configure Elasticsearch manually.

Use Docker-compose
Docker-compose can start multiple containers and link them together.

The following docker-compose.yml file starts Elasticsearch, Cortex and TheHive:

version: "2"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.0
    environment:
      - http.host=0.0.0.0
      - transport.host=0.0.0.0
      - xpack.security.enabled=false
      - cluster.name=hive
      - script.inline=true
      - thread_pool.index.queue_size=100000
      - thread_pool.search.queue_size=100000
      - thread_pool.bulk.queue_size=100000
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
  cortex:
    image: thehiveproject/cortex:latest
    ports:
      - "0.0.0.0:9001:9001"
  thehive:
    image: thehiveproject/thehive:latest
    depends_on:
      - elasticsearch
      - cortex
    ports:
      - "0.0.0.0:9000:9000"

Put this file in an empty folder and run docker-compose up. TheHive is exposed on port 9000/tcp and Cortex on 9001/tcp. These ports can be changed by modifying the docker-compose file.

You can specify a custom TheHive configuration file (application.conf) by adding the following lines in the thehive section of your docker-compose file:

volumes:
    - /path/to/application.conf:/etc/thehive/application.conf

You should define where the data (i.e. the Elasticsearch database) will be located on your operating system by adding the following lines in the elasticsearch section of your docker-compose file:

volumes:
    - /path/to/data:/usr/share/elasticsearch/data

Running ElasticSearch in production mode requires a minimum vm.max_map_count of 262144. The ElasticSearch documentation provides instructions on how to query and change this value.
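The compose file above publishes TheHive (9000) and Cortex (9001) on 0.0.0.0 and runs Elasticsearch with xpack.security.enabled=false, so it is worth checking the host and the compose file before running docker-compose up. The following POSIX shell script is an added example written for this post; it is not code from the Docker Hub README or from the TheHive project. It checks that vm.max_map_count meets the 262144 minimum named above (reading the live value from /proc/sys/vm/max_map_count, so it assumes a Linux host) and lists every published port in the compose file that Docker would bind on all interfaces. The file name preflight.sh, the --check flag and the function names are this example's own choices.

```shell
#!/bin/sh
# preflight.sh - added example, not part of the Docker Hub README quoted above.
# Checks a host and its docker-compose.yml before `docker-compose up`:
#   1. vm.max_map_count meets the Elasticsearch production minimum (262144)
#   2. lists the published ports that are reachable from every interface
#      (the README's compose file binds both 9000 and 9001 to 0.0.0.0)
# Usage: sh preflight.sh --check [docker-compose.yml]

REQUIRED_MAX_MAP_COUNT=262144

# check_max_map_count [FILE]
# Reads the current value from FILE (default: the live sysctl in /proc) and
# returns 0 when it is at least REQUIRED_MAX_MAP_COUNT, 1 otherwise.
check_max_map_count() {
    file="${1:-/proc/sys/vm/max_map_count}"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*)
            echo "unexpected value in $file: '$value'" >&2
            return 1 ;;
    esac
    if [ "$value" -lt "$REQUIRED_MAX_MAP_COUNT" ]; then
        echo "vm.max_map_count=$value is below $REQUIRED_MAX_MAP_COUNT;" \
             "fix with: sysctl -w vm.max_map_count=$REQUIRED_MAX_MAP_COUNT" >&2
        return 1
    fi
    return 0
}

# list_public_ports COMPOSE_FILE
# Prints each short-form port mapping that Docker would bind on all interfaces:
# either written as 0.0.0.0:HOST:CONTAINER or as bare HOST:CONTAINER
# (no address means all interfaces). Mappings with another address,
# e.g. 127.0.0.1:9000:9000, are not printed.
list_public_ports() {
    grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]*:?[0-9]+:[0-9]+"?' "$1" \
    | sed -E 's/^[[:space:]]*-[[:space:]]*"?([^" ]*)"?.*/\1/' \
    | while IFS= read -r mapping; do
        case "$mapping" in
            0.0.0.0:*) echo "$mapping" ;;   # explicitly all interfaces
            *:*:*)     ;;                   # bound to a specific address
            *)         echo "$mapping" ;;   # no address given: all interfaces
        esac
    done
}

main() {
    compose="${1:-docker-compose.yml}"
    status=0
    if check_max_map_count; then
        echo "ok: vm.max_map_count >= $REQUIRED_MAX_MAP_COUNT"
    else
        status=1
    fi
    public=$(list_public_ports "$compose")
    if [ -n "$public" ]; then
        echo "warning: these ports in $compose are published on all interfaces:"
        echo "$public" | sed 's/^/  /'
        echo "bind them to 127.0.0.1 or keep the host behind a firewall before exposing TheHive and Cortex"
    fi
    return "$status"
}

if [ "${1:-}" = "--check" ]; then
    shift
    main "$@"
fi
```

Run sh preflight.sh --check docker-compose.yml on the Docker host; a non-zero exit means vm.max_map_count is too low for Elasticsearch. The port check only understands the short `- "address:host:container"` form used in the compose file above, not the long-form ports syntax, and the sysctl fix it prints does not persist across reboots unless you also add it to sysctl.conf.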

Manual Installation of Elasticsearch

Elasticsearch can be installed on the same server as TheHive or on a different one. You can then configure TheHive according to the documentation and run the TheHive Docker image as follows:

docker run --volume /path/to/thehive/application.conf:/etc/thehive/application.conf thehiveproject/thehive:latest --no-config

You can add the --publish docker option to expose the TheHive HTTP service.

Customize the Docker Image
By default, the TheHive Docker image applies a minimal configuration:

choose a random secret (play.http.secret.key)
search for the Elasticsearch instance (host named elasticsearch) and add it to configuration
search for a Cortex instance (host named cortex) and add it to configuration
This behavior can be disabled by adding --no-config to the Docker command line:

docker run thehiveproject/thehive:latest --no-config

Or by adding the line command: --no-config in the thehive section of docker-compose file.

The image accepts more options:

Option	Description
--no-config	Do not try to configure TheHive (add the secret, Elasticsearch and Cortex)
--no-config-secret	Do not add the random secret to the configuration
--no-config-es	Do not add the Elasticsearch hosts to configuration
--es-hosts <esconfig>	Use this string to configure the Elasticsearch hosts (format: ["host1:9300","host2:9300"])
--es-hostname <host>	Resolve this hostname to find Elasticsearch instances
--secret <secret>	Cryptographic secret needed to secure sessions
--cortex-proto <proto>	Define the protocol to connect to Cortex (default: http)
--cortex-port <port>	Define the port to connect to Cortex (default: 9001)
--cortex-url <url>	Add the Cortex connection
--cortex-hostname <host>	Resolve this hostname to find the Cortex instance
--cortex-key <key>	Define Cortex key