Question: Snare Windows Agent installer

11 years 10 months ago #11847 by SiSMik
Hello,

For a project at work I was asked to industrialise the installation of Snare (an agent that, among other things, forwards the Windows event logs to syslog).

Here is what I came up with this morning:

[code:1]
#
# Silent install for SNARE Windows Agent
# May 2012
#

<#
.SYNOPSIS
Installs the Snare Agent and configures it to forward events to a syslog server.

.PARAMETER InstallDir
String. Directory where the agent is installed. Not mandatory; default "C:\Program Files\Snare\".

.PARAMETER SysLogIp
IP address of the syslog server. Mandatory.

.PARAMETER SysLogPort
Int. Listening port of the syslog server. Not mandatory; default 514.

.PARAMETER DNSName
String. DNS name of the server, used as the Snare client name. Mandatory.

.PARAMETER AllowRemote
Switch, not mandatory. Enables the agent's remote web access.

.PARAMETER RemotePort
Number between 1 and 65534. Port of the remote web access. Not mandatory; default 6161.

.PARAMETER RestrictAcces
Switch, not mandatory. Restricts remote web access to the address given in RestrictIp.

.PARAMETER RestrictIp
Used together with RestrictAcces. Must be an IP; not mandatory; default 127.0.0.1. Wildcards are allowed (e.g. 192.168.10.*).

.PARAMETER Logfile
String. Not mandatory; default "C:\Log\SnareInstall.log". Stores information about the execution of the script.

.PARAMETER CfgFileName
String. Not mandatory; default "C:\Temp\Settings.inf". Response file for the silent installation of the agent.

.PARAMETER Setup
String. Not mandatory; default "C:\temp\SnareForWindows-4.0.1.2-MultiArch.exe". Filename of the commercial installer.

.PARAMETER Reinstall
Switch, not mandatory. Reinstalls the client using the config file.

.PARAMETER VerbosePreference
Verbosity level of the script. Not mandatory; default "Continue".

.EXAMPLE
C:\PS>.\FCPv2_Install_Snare.ps1 -SysLogIp 127.0.0.1 -DNSName toto
C:\PS>.\FCPv2_Install_Snare.ps1 -SysLogIp 127.0.0.1 -SysLogPort 514 -AllowRemote:$false -DNSName toto
#>

param(
    [Parameter(Mandatory=$false)]
    [String]$InstallDir = "C:\Program Files\Snare\",
    [Parameter(Mandatory=$true)]
    [IPAddress]$SysLogIp,
    [Parameter(Mandatory=$false)]
    [Int]$SysLogPort = 514,
    [Parameter(Mandatory=$true)]
    [String]$DNSName,
    [Parameter(Mandatory=$false)]
    [Switch]$AllowRemote,
    [Parameter(Mandatory=$false)]
    [Int]$RemotePort = 6161,
    [Parameter(Mandatory=$false)]
    [Switch]$RestrictAcces,
    [Parameter(Mandatory=$false)]
    [String]$RestrictIp = "127.0.0.1",
    [Parameter(Mandatory=$false)]
    [String]$LogFile = "C:\Log\SnareInstall.log",
    [Parameter(Mandatory=$false)]
    [String]$CfgFileName = "C:\Temp\Settings.inf",
    [Parameter(Mandatory=$false)]
    [String]$Setup = "C:\temp\SnareForWindows-4.0.1.2-MultiArch.exe",
    [Parameter(Mandatory=$false)]
    [Switch]$Reinstall,
    [Parameter(Mandatory=$false)]
    [String]$VerbosePreference = "Continue"
)

# Appends a timestamped line for step $Id to the log file.
# On ERROR the accumulated $Error records are dumped to the log and the
# script exits with the step number as exit code.
function Write-Log {
    param(
        [Parameter(Mandatory=$true)]
        [Int]$Id,
        [Parameter(Mandatory=$true)]
        [ValidateSet("ERROR","SUCCESS")]
        [string]$Status
    )

    $Reason = @{
        1 = "Create Directory/File"
        2 = "Generate Config File"
        3 = "Install SnareCore Agent"
    }

    $CurrentDate = Get-Date -Format "dd/MM/yyyy HH:mm:ss :"
    $Msg = "$CurrentDate $Status : $($Reason[$Id])"

    Add-Content -Path $LogFile -Value $Msg

    if ($Status -eq "ERROR") {
        Write-Warning -Message $Msg
        if ($Error) {
            $Error | Out-String | Add-Content -Path $LogFile
            $Error.Clear()
        }
        exit $Id
    }
    else {
        Write-Verbose -Message $Msg
    }
}

# The response file expects 0/1 values, not switches
$AllowRemoteFlag   = if ($AllowRemote)   { 1 } else { 0 }
$RestrictAccesFlag = if ($RestrictAcces) { 1 } else { 0 }

# Trailing space keeps /reinstall separate from /LoadInf on the command line
$SwitchReinstall = if ($Reinstall) { "/reinstall " } else { "" }

$Switch = "/verysilent /suppressmsgboxes " + $SwitchReinstall + "/LoadInf=" + $CfgFileName

# Response file handed to the installer (hashes removed, see below)
$ConfigFile = @"
[Setup]
Lang=default
Group=InterSect Alliance
NoIcons=0
Dir=$InstallDir

[Service]
Account=LocalSystem
Password=

[Config]
Audit=1
Checksum=0
Clientname="$DNSName"
CritAudit=0
Delimiter=" "
EnableUSB=0
FileAudit=0
FileExport=0
ClearTabs=0
LeaveRetention=0
OutputFilePath=""

[Network]
Destination="$SysLogIp"
DestPort=$SysLogPort
Syslog=1
SyslogAlt=0
SyslogDest=191
SyslogDynamicCritic=0

[Objective]
Objective0="1 31 32 Logon_Logoff *** 0 *"
Objective1="0 31 32 Process_Events *** 0 *"
Objective2="2 31 32 User_Group_Management_Events *** 0 *"
Objective3="1 24 32 Reboot_Events *** 0 *"
Objective4="3 31 32 Security_Policy_Events *** 0 *"
Objective5="1 31 95 * *** 0 *"

[Remote]
Allow=$AllowRemoteFlag
WebPort=$RemotePort
WebPortChange=0
Restrict=$RestrictAccesFlag
RestrictIP="$RestrictIp"
AccessKey=1
AccessKeySet="<removed>"
AccessKeySetSnare1="<removed>"
AccessKeySetSnare2="<removed>"
AccessKeySetSnare3="<removed>"
AllowBasicAuth=1
EnableCookies=1
"@

# Step 1: create the log file (-Force also creates the parent directory)
Try {
    if (!(Test-Path $LogFile)) {
        New-Item -ItemType File -Path $LogFile -Force -ErrorAction Stop > $null
    }
    Write-Log 1 "SUCCESS"
}
Catch { Write-Log 1 "ERROR" }

# Step 2: write the response file
Try {
    $ConfigFile | Out-File -FilePath $CfgFileName -ErrorAction Stop
    Write-Log 2 "SUCCESS"
}
Catch { Write-Log 2 "ERROR" }

# Step 3: run the installer silently and wait for it to finish
Try {
    $SnareProcess = [System.Diagnostics.Process]::Start($Setup, $Switch)
    $SnareProcess.WaitForExit()
    if ($SnareProcess.ExitCode -ne 0) {
        throw "Installer returned exit code $($SnareProcess.ExitCode)"
    }
    Write-Log 3 "SUCCESS"
}
Catch { Write-Log 3 "ERROR" }

exit 0
[/code:1]

The response file was generated for my company; I removed the hashes that contained the passwords.
It has to be generated once a first client has been installed by hand, with a SnareCore -x file.inf

Hoping this is useful to you :)
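As an added example (not part of SiSMik's post nor of Snare itself), a PowerShell check that reads the Settings.inf produced by the script above and reports what a reviewer would want to see before rolling the package out to many machines: that the syslog destination is the intended one, and how the [Remote] section leaves the agent's web interface exposed. The file path and expected IP are assumptions; the section and key names are the ones used in the post.

```powershell
# Added example: audit a Snare response file before mass deployment.
# Parses the INI-style file into nested hashtables (section -> key -> value).
function Read-IniFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ini = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            # the generator writes string values in double quotes; strip them
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $ini
}

# Returns a list of findings (empty list = nothing to flag).
function Test-SnareResponseFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedSyslogIp   # assumed value
    )
    $ini = Read-IniFile -Path $Path
    $findings = @()
    $net = $ini['Network']; $remote = $ini['Remote']

    if ($null -eq $net -or $net['Destination'] -ne $ExpectedSyslogIp) {
        $findings += "Destination is '$($net['Destination'])', expected '$ExpectedSyslogIp'"
    }
    if ($null -ne $remote -and $remote['Allow'] -eq '1') {
        if ($remote['Restrict'] -ne '1') {
            $findings += 'Remote web access enabled without source-IP restriction (Restrict=0)'
        }
        if ($remote['AllowBasicAuth'] -eq '1') {
            $findings += 'Remote web access accepts basic authentication (AllowBasicAuth=1)'
        }
        if ($remote['AccessKeySet'] -match '^<.*>$') {
            $findings += 'AccessKeySet still contains a placeholder rather than a real hash'
        }
    }
    return $findings
}

# Usage (assumed path and IP):
# Test-SnareResponseFile -Path 'C:\Temp\Settings.inf' -ExpectedSyslogIp '10.0.0.5'
```

A non-empty result is a reason to stop the rollout and fix the parameters passed to the install script rather than to patch the generated file by hand.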
