QuickStart - new install¶
The Corelight-update utility can run as a service at scheduled intervals, if enabled, to check for updates to the configured data sources and distribute updated content to the Fleet Manager policies and sensors.
System requirements¶
The minimum system requirements are:
An x86_64 or ARM64 processor.
4 GB memory.
A host running a Linux OS.
Network connectivity to the data sources you’re deploying to the sensors. This includes Internet-based and internally-hosted threat intelligence repositories.
To push content directly to your sensors, the Corelight-update host requires network connectivity to the sensor’s management interface.
To push content using Fleet Manager, the Corelight-update host requires network connectivity to the Fleet Manager web interface for API access.
Installation overview¶
Select a host to install the Corelight-update utility. If you have a Corelight Fleet Manager installation, Corelight-update can be run on the same host.
1. Set up the Corelight stable package repository
2. Install Corelight-update
3. Add the corelight-update group to existing users (optional)
4. Configure Corelight-update
5. Add proxy configuration (optional)
6. Run Corelight-update
1. Set up the Corelight stable package repository¶
Debian or Ubuntu (script install):
Run the script using:
curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh | sudo bash
(Optional) To download the script before running it:
curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh
sudo chmod +x script.deb.sh
sudo ./script.deb.sh
Refresh the package cache:
sudo apt-get update
RHEL-based (script install):
Run the script using:
curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh | sudo bash
(Optional) To download the script before running it:
curl -O https://packages.corelight.com/install/repositories/corelight/stable/script.rpm.sh
sudo chmod +x script.rpm.sh
sudo ./script.rpm.sh
Debian or Ubuntu (manual install):
If you are running Debian, install debian-archive-keyring so that official Debian repositories are verified. Ubuntu installations can skip this step.
sudo apt-get install debian-archive-keyring
Ensure the required tools (curl, gpg, apt-transport-https) are installed before proceeding:
sudo apt-get install curl gnupg apt-transport-https
To install a deb repo, you need to install the GPG key that is used to sign repository metadata. Use a utility called apt-key.
curl -L https://packages.corelight.com/corelight/stable/gpgkey | sudo apt-key add -
Verify the file named /etc/apt/sources.list.d/corelight_stable.list contains the repository configuration below. In the example below, check that the strings ubuntu and trusty represent your Linux distribution and version:
deb https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
deb-src https://packages.corelight.com/corelight/stable/ubuntu/ trusty main
Valid options for os and dist parameters can be found in Packagecloud’s supported OS list.
Update the local APT cache:
sudo apt-get update
RHEL-based (manual install):
Install pygpgme, a package that allows yum to handle GPG signatures, and a package called yum-utils that contains the tools you need for installing source RPMs.
sudo yum install pygpgme yum-utils
You might need to install the EPEL repository for your system to install these packages. If you do not install pygpgme, GPG verification will not work.
Create a file named /etc/yum.repos.d/corelight_stable.repo that contains the repository configuration below. Replace el and 6 in the baseurl= path with your Linux distribution and version. Valid options for os and dist parameters can be found in the supported OS list in the docs.
[corelight_stable]
name=corelight_stable
baseurl=https://packages.corelight.com/corelight/stable/el/6/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[corelight_stable-source]
name=corelight_stable-source
baseurl=https://packages.corelight.com/corelight/stable/el/6/SRPMS
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packages.corelight.com/corelight/stable/gpgkey
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
Update the local yum cache:
sudo yum -q makecache -y --disablerepo='*' --enablerepo='corelight_stable'
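As an added example (not part of Corelight's documentation), the following POSIX shell functions fill the ubuntu/trusty and el/6 placeholders from the host's os-release file and check that an installed corelight_stable.list matches the host. The os-release field names (ID, VERSION_ID, VERSION_CODENAME) and the mapping of RHEL-family IDs to "el" are assumptions.

```shell
#!/bin/sh
# Added example, not from Corelight's documentation: fill the ubuntu/trusty and
# el/6 placeholders from the host's os-release file and check that an installed
# corelight_stable.list matches. Assumes os-release provides ID, VERSION_ID and,
# on Debian/Ubuntu, VERSION_CODENAME; the RHEL-family to "el" mapping is assumed.
BASE=https://packages.corelight.com/corelight/stable

osr_field() {  # osr_field <os-release file> <KEY> -> value without quotes
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# APT: emit the two deb lines with os and dist taken from os-release.
corelight_apt_source() {
    osr="${1:-/etc/os-release}"
    os_id=$(osr_field "$osr" ID)
    codename=$(osr_field "$osr" VERSION_CODENAME)
    if [ -z "$os_id" ] || [ -z "$codename" ]; then
        echo "cannot read ID/VERSION_CODENAME from $osr" >&2
        return 1
    fi
    printf 'deb %s/%s/ %s main\ndeb-src %s/%s/ %s main\n' \
        "$BASE" "$os_id" "$codename" "$BASE" "$os_id" "$codename"
}

# yum: emit the baseurl for the binary repo (el/<major version>/$basearch).
corelight_yum_baseurl() {
    osr="${1:-/etc/os-release}"
    os_id=$(osr_field "$osr" ID)
    major=$(osr_field "$osr" VERSION_ID | cut -d. -f1)
    [ -n "$os_id" ] && [ -n "$major" ] || return 1
    case "$os_id" in
        rhel|centos|rocky|almalinux) os=el ;;   # assumption: packagecloud "el"
        *) os="$os_id" ;;
    esac
    printf '%s/%s/%s/$basearch\n' "$BASE" "$os" "$major"
}

# Compare an installed sources list with what os-release says it should be.
corelight_check_apt_source() {
    list="${1:-/etc/apt/sources.list.d/corelight_stable.list}"
    expected=$(corelight_apt_source "${2:-/etc/os-release}") || return 1
    if [ "$(cat "$list" 2>/dev/null)" = "$expected" ]; then
        echo "ok: $list matches this host"
    else
        printf 'mismatch: %s should contain:\n%s\n' "$list" "$expected" >&2
        return 1
    fi
}
if [ "${1:-}" = "--check" ]; then corelight_check_apt_source; fi
```

Run the script with --check on the installed host to confirm the sources list was written for the right distribution and codename before the apt cache update.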
2. Install Corelight-update¶
Debian or Ubuntu:
sudo apt install corelight-update
RHEL-based:
sudo yum install corelight-update
3. Add the corelight-update group to existing users (optional)¶
As part of the installation, a system user and group are added to the OS to manage the Corelight-update service. All files and directories that are created for Corelight-update will belong to the user corelight-update, and the group corelight-update.
To avoid using sudo when running corelight-update commands, you can add your user to the corelight-update group. For example, use this command to append the corelight-update group to the user's assigned groups:
sudo usermod -aG corelight-update <username>
Tip
Changes made with the usermod command do not take effect in the current session. Logging out and in again will apply the changes.
4. Configure Corelight-update¶
The Corelight-update utility uses a configuration database to track and maintain the sensor inventory, the global service configuration and interval, the policy assignments, and the integrations.
To configure Corelight-update, open the default policy file and start filling in the various configuration options. Once you’ve completed the configuration file, Corelight-update will load the policy file automatically.
A default policy named defaultPolicy is created automatically as part of the installation process. The default policy is functional, but also optional, and can be replaced with custom named policies.
There is a configuration sample file provided with the default policy:
/etc/corelight-update/configs/defaultPolicy/db-config.yaml
Attention
To use Corelight-update for Fleet-managed sensors, you must associate the Fleet Manager sensor policy or suricata policy name with the Corelight-update policy name. See Review the Fleet Manager policy integration options below.
4.1 Review the Fleet Manager policy integration options¶
For Fleet-managed sensors:
Corelight-update uploads Suricata rulesets and Intel files to their respective policies. The Suricata and Intel policies are associated to a sensor policy, and Fleet Manager deploys the content to the sensors in that policy.
Corelight-update uploads Input files and YARA files to update the enrichment sources. The sources are associated to a sensor policy, and Fleet Manager deploys the content to the sensors in that policy.
For unsigned package bundles, Corelight-update uploads the bundle as a resource. The resource is associated to a sensor policy, and Fleet Manager deploys the content to the sensors in that policy.
For signed package bundles, Corelight-update uses the Fleet Manager sensor policy name to define the group of sensors that it should deploy content to.
As of Fleet Manager v27.8, Fleet Manager uses separate policies for sensors and Suricata rulesets.
Corelight-update provides several options you can use to associate the Corelight-update policy with Fleet Manager policies:
- When defining the Corelight-update policy to use Fleet Manager:
  Add the Fleet Manager sensor policy name in the Corelight-update sensor_policy: field.
  Add the Fleet Manager suricata policy name in the Corelight-update suricata_policy: field.
  Add the Fleet Manager intel policy name in the Corelight-update intel_policy: field.
  Note
  If the sensor_policy:, intel_policy:, or suricata_policy: fields are empty, Corelight-update will use the name of the Corelight-update policy in those fields.
- Use the same name for the Corelight-update policy, the Fleet Manager sensor policy, and the Fleet Manager suricata and intel policies.
- Change the Corelight-update policy name to match the existing Fleet Manager sensor and suricata policy name (this assumes both Fleet Manager policies use the same name).
For example, to remove the default Corelight-update policy, and create a new policy named “myFleetPolicy”:
Remove the default policy:
corelight-update remove -policies defaultPolicy
Add a new policy named “myFleetPolicy”:
corelight-update add -policies "myFleetPolicy"
Verify the policy is defined:
corelight-update show -policies
Once the new policy is created, a default configuration file is created, and placed into a folder with the policy name. For example:
/etc/corelight-update/configs/myFleetPolicy/db-config.yaml.
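As an added example (not Corelight's own code), this POSIX shell snippet applies the defaulting rule from the note above to a policy's db-config.yaml and reports the Fleet Manager policy names that will actually be used, so a mismatch with the Fleet Manager side is visible before content is pushed. It assumes the three fields are plain key: value lines in that file and that the policy name is the config directory name, as in the path above.

```shell
#!/bin/sh
# Added example, not part of Corelight's documentation: show which Fleet Manager
# policy names a Corelight-update policy will use, applying the rule that an
# empty sensor_policy/suricata_policy/intel_policy field falls back to the
# Corelight-update policy name (the name of the config directory).
# Assumption: the three fields are "key: value" lines in db-config.yaml.

# yaml_field <db-config.yaml> <key> -> first value for key, quotes stripped
yaml_field() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'"'"
}

# effective_policy <db-config.yaml> <key> -> the Fleet Manager policy name used
effective_policy() {
    cfg="$1"; key="$2"
    cu_policy=$(basename "$(dirname "$cfg")")     # e.g. myFleetPolicy
    val=$(yaml_field "$cfg" "$key")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s (defaulted from policy name)\n' "$cu_policy"
    fi
}

# report_policy_mapping [db-config.yaml] -> one line per field
report_policy_mapping() {
    cfg="${1:-/etc/corelight-update/configs/defaultPolicy/db-config.yaml}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    for key in sensor_policy suricata_policy intel_policy; do
        printf '%-16s -> %s\n' "$key" "$(effective_policy "$cfg" "$key")"
    done
}

if [ $# -gt 0 ]; then report_policy_mapping "$1"; fi
```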
4.2 Customize the Corelight-update policy¶
Use the configuration file to create a customized Corelight-update configuration that defines the Fleet Manager details, sensor inventory, the Corelight-update service configuration, the content assignments, and integrations.
To view a sample policy configuration yaml that enables and pushes the default ETOpen and Corelight suricata rulesets to a single, unmanaged sensor, see Default policy sources.
Add any sensors that are not Fleet-managed to the Corelight-update policy inventory. For information on configuring the sensor inventory, and the use of encrypted passwords, see Policy inventory settings.
Configure the content you want to deploy to your sensors in the Corelight-update policy configuration. This content can include threat intel, Zeek input files and package bundles, and Suricata rulesets. See Policy sources.
Configure a custom third-party integration that provides support for a vendor-specific threat source, including source-based customizations and authentication. See Third-party integrations settings.
4.3 Customize global settings¶
Customize the default interval settings for data downloading and processing, enable global integrations, modify the web service, or deploy global Suricata configuration files. See General settings.
Customize the default network communication between Corelight-update and Fleet Manager or sensors, including how much time to wait for a status of a file upload. See Network communication settings.
5. Add proxy configuration (optional)¶
See Using a proxy with Corelight-update for instructions.
6. Run Corelight-update¶
Run corelight-update using the CLI commands, or enable the service. See Corelight-update Service.
For additional corelight-update command options, see CLI commands.