SIRP Deployment Guide

Written by Ali Murtaza

Introduction

SIRP is a Risk-based Security Orchestration, Automation, and Response (SOAR) platform that fuses essential cybersecurity information to enable a unified cyber response. Through a single integrated platform, it drives security visibility, so decisions can be better prioritized and response time is dramatically reduced. With SIRP, the entire cybersecurity function works as a single, cohesive unit.

Purpose

The purpose of this guide is to provide the steps and guidelines for deploying the SIRP virtual appliance on VMware ESX/ESXi.

The document contains all the steps required to deploy the SIRP on-prem virtual appliance in your environment, including:

  • Verifying the prerequisites

  • Deployment of the virtual appliance

  • Performing initial configuration

  • Troubleshooting

Prerequisites

To ensure that SIRP works correctly, the hypervisor and the virtual appliance you deploy must meet the following minimum software and hardware requirements:

Requirement        Minimum

Hypervisor         VMware vSphere ESX/ESXi 5 or later

Processor          1 server-class CPU, 8 to 16 cores

Memory             16 GB RAM minimum, 32 GB recommended

Storage            At least 512 GB of disk space

Network            One 1 Gbit/s network interface

SSL Certificate    A valid TLS (SSL) certificate for the appliance hostname, signed by a CA that your users' browsers trust (an internal CA is fine; see Setup Certificates). The appliance starts with a self-signed certificate, which browsers will warn about.

Note: Disk space requirements vary based on the volume of data consumed and the size of your environment. Please refer to the SIRP Sizing Guidelines.

Requirement for Network Connectivity

The table below lists the ports that must be open for SIRP to function. Use it to design the firewall rules for your installation.

Direction   Protocol/Port                      Purpose

Inbound     TCP 2222                           Administration of the appliance operating system (the SSH connection used in Step 2). Expose this port only to your administrative network, never to analysts or the Internet.

Inbound     TCP 80 and 8080                    HTTP requests to the web interface. SIRP redirects all HTTP requests to HTTPS.

Inbound     TCP 443                            HTTPS port for the web interface. This port must be reachable by everyone who uses SIRP.

Outbound    TCP 443 to app.sirp.io             Receive SIRP proprietary Threat Intelligence.

Outbound    TCP 80 and 4444 to app.sirp.io     Pull updates (upgrades, new Apps and Actions) from the SIRP cloud server.

Internet access from the appliance is highly recommended so that SIRP can be upgraded and new Apps and Actions can be fetched. At a minimum, allow outbound connectivity from the appliance to app.sirp.io on TCP/443 and TCP/4444.


Supported Browsers

Use the latest, fully patched version of your browser. SIRP requires a web browser that supports HTML 5, SVG graphics, and TLS. SIRP supports these web browsers:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Internet Explorer 11

  • Microsoft Edge

  • Safari

Configuration Data

Before you deploy SIRP, ensure that you have the following information:

  • Hostname

  • IP address

  • Subnet mask

  • Default gateway address

  • Primary Domain Name System (DNS) server address

  • Secondary DNS server address (optional)

  • SMTP Server details

  • Proxy Server details

  • SSL Certificate

Note: The prerequisites for running Automation actions and Playbooks (connectivity to your SIEM, mailbox, Active Directory and enrichment sources) are given in the Appendix at the end of this document.

Deploying SIRP On-prem Appliance

This section covers the process of deploying the SIRP on-prem appliance along with its initial configuration.

The SIRP on-prem virtual appliance ships as an .ova file, which is an OVF package: the .ovf descriptor and the .vmdk disk image bundled in a tar archive. Testing of the virtual appliance is primarily done on VMware ESXi, but it should work on any virtualization platform that can import OVAs and supports x64 Linux guests. The operating system that the virtual appliance ships with is Ubuntu 16.x x86_64. If your virtualization platform supports .ovf files but not .ova, extract the .ovf and .vmdk files with the following command (an OVA is a plain tar archive, not a gzip-compressed one, so no -z flag is needed):

tar -xf SIRP.ova

Step 1 - Import

Download or copy the provided SIRP virtual machine file (.ova or .ovf) to a location that is accessible from the machine running your VMware client.

  • From the VMware vSphere menu bar select File > Deploy OVF Template.

The import window appears along with a dialog box for browsing to the location of the OVF file.

  • Browse to and select the SIRP .ovf or .ova file and click Next.

  • Enter a name for the imported virtual machine in the Save As text box and select the folder where it will be saved.

Note: When importing with VMware Fusion, the default destination is the Virtual Machines folder created by Fusion. Fusion also displays the disk space needed for the import and the space available on the current disk.

  • Click Import.

The client performs OVF specification conformance and virtual hardware compliance checks; a status bar indicates the progress of the import.

After the import is complete, the virtual machine appears in the virtual machine library (in Fusion, also in a separate virtual machine window).

Once the import is complete, power on the virtual machine if it is not already running. After the SIRP appliance boots, its IP address is displayed on the console. Use this IP address to reach the SIRP web interface and, in Step 2, the CLI.

Step 2 – Configure

The next step is to log in to the SIRP CLI over SSH (the administration port from the connectivity table, TCP 2222) and perform the initial configuration. Once the SSH connection is established, type SIRP and the baseconfig utility loads.

SIRP baseconfig includes a few initial configuration items:

  • Setup Base Parameters

  • Setup Certificates

  • Check Connectivity

Setup Base Parameters

Selecting Setup Base Parameters shows the following configurable items:

  • Configure Network Interfaces

  • Configure DNS

  • Configure Hostname

  • Configure Proxy

Configure Network Interfaces

First, configure the network interface. An example configuration is shown below:

  • Select the interface to configure, for example: ens160

  • Provide the IP address in CIDR notation (address/prefix length): 192.168.5.152/24

  • Provide the default gateway IP address: 192.168.5.1

Configure DNS

Next, configure the DNS server IP address, for example: 8.8.8.8. If SIRP must resolve internal names (your SIEM, mail server or domain controllers, see the Appendix), use your internal resolver instead of a public one.

Configure Hostname

Set the hostname, for example: sirp.orgname.com. This is the name users will browse to, so it must match the certificate you install in the next section.

Configure Proxy

If outbound traffic to app.sirp.io must pass through a proxy, provide the proxy host with its port, for example: sirp.proxy.com:8080

Setup Certificates

There are a few options available:

  • Install Self-Signed Certificate

  • Generate CSR

  • Upload and Install Certificate

Install Self-Signed Certificate

To install a self-signed certificate, select Install Self-Signed Certificate and then select Regenerate Self-Signed Certificate to complete the procedure. Browsers will warn about a self-signed certificate; use it for initial setup only and replace it with a CA-signed certificate before giving analysts access.

Generate CSR

Select Generate CSR to generate a certificate signing request (CSR) for procuring a signed certificate from your internal Certificate Authority (CA). The CSR prompts for the certificate subject details; use the hostname configured above.

Upload and Install Certificate

Once you receive the signed certificate from the internal CA, upload it with Upload and Install Certificate.

You will be asked to paste the private key and then the public key (certificate), respectively. The private key must be the one the CSR was generated from, and the certificate must contain the hostname you configured; a mismatch between key and certificate is the most common reason an upload fails.
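The following script is an added example and not part of SIRP's baseconfig. It shows the certificate workflow described above from the administrator's side: generating the key and CSR for the appliance hostname (sirp.orgname.com, as used in this guide) and verifying, before anything is pasted into Upload and Install Certificate, that the certificate returned by the CA matches the private key, names the hostname in its SAN and is not about to expire. File names, the 2048-bit RSA key size, the 30-day expiry margin and the self-signed stand-in used in place of a real CA are assumptions; it requires OpenSSL 1.1.1 or later for -addext.

```bash
#!/usr/bin/env bash
# Added example (not SIRP's own tooling): prepare and verify the certificate for the appliance.
# Hostname sirp.orgname.com is the example from the guide; file names and key size are assumptions.
set -u

# gen_key_and_csr HOST KEY.pem CSR.pem
# The hostname goes into the SAN, not only the CN: browsers ignore CN-only certificates.
gen_key_and_csr() {
  local host=$1 key=$2 csr=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$key" -out "$csr" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# gen_self_signed HOST KEY.pem CERT.pem [DAYS]
# Stand-in for the CA so the checks below can be exercised without a real issuer.
gen_self_signed() {
  local host=$1 key=$2 cert=$3 days=${4:-365}
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -keyout "$key" -out "$cert" -days "$days" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# pubkey_fingerprint FILE: SHA-256 of the DER SubjectPublicKeyInfo of a private key or a
# certificate, so keys and certificates compare the same way regardless of PEM formatting.
pubkey_fingerprint() {
  local pub
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  else
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  fi
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

# key_matches_cert KEY.pem CERT.pem: 0 only if both carry the same public key.
key_matches_cert() {
  local k c
  k=$(pubkey_fingerprint "$1") || return 1
  c=$(pubkey_fingerprint "$2") || return 1
  [ "$k" = "$c" ]
}

# cert_has_san CERT.pem HOST: 0 if the SAN extension lists DNS:HOST.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qE "DNS:$2(,|[[:space:]]|\$)"
}

# cert_valid_for_days CERT.pem DAYS: fails if the certificate expires within DAYS days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# verify_for_upload KEY.pem CERT.pem HOST [CA_BUNDLE.pem]: 0 only if every check passes.
# The optional bundle holds your internal CA chain; without it, browsers will still warn.
verify_for_upload() {
  local key=$1 cert=$2 host=$3 ca=${4:-}
  key_matches_cert "$key" "$cert" || { echo "FAIL: private key does not match certificate"; return 1; }
  cert_has_san "$cert" "$host"    || { echo "FAIL: SAN lacks DNS:$host"; return 1; }
  cert_valid_for_days "$cert" 30  || { echo "FAIL: certificate expires within 30 days"; return 1; }
  if [ -n "$ca" ]; then
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "FAIL: chain does not verify against $ca"; return 1; }
  fi
  echo "OK: $cert is ready to upload for $host"
}

# Demo: CSR for the CA, then the checks against a matching and a non-matching key.
demo() {
  local dir; dir=$(mktemp -d)
  gen_key_and_csr sirp.orgname.com "$dir/sirp.key" "$dir/sirp.csr"
  openssl req -in "$dir/sirp.csr" -noout -subject -verify        # hand sirp.csr to the CA
  gen_self_signed sirp.orgname.com "$dir/ss.key" "$dir/ss.crt" 365
  verify_for_upload "$dir/ss.key" "$dir/ss.crt" sirp.orgname.com  # OK
  verify_for_upload "$dir/sirp.key" "$dir/ss.crt" sirp.orgname.com  # FAIL: wrong key
  rm -rf "$dir"
}

[ "${SKIP_DEMO:-0}" = 1 ] || demo
```

Run verify_for_upload against the key you are about to paste and the certificate the CA returned (plus the CA bundle, if you have it) before touching the appliance UI; if the key was generated on another machine, copy it only over an encrypted channel and delete the copy afterwards.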

Check Connectivity

Finally, check connectivity to app.sirp.io on ports 443 and 80. The connectivity table also requires TCP/4444 for updates, so if this check passes but upgrades or App downloads later fail, verify that port at your firewall as well.

If the check is successful, the SIRP UI can be accessed from a compatible web browser.
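As an added example (not SIRP's built-in Check Connectivity), the script below performs the same kind of pre-flight from the appliance shell, but against the full port table: outbound to app.sirp.io on TCP 443, 4444 and 80, optionally to the hosts the Appendix apps need (SIEM, IMAP server, domain controller), and a check that the appliance itself is listening on the inbound ports 2222, 80, 8080 and 443. EXTRA_ENDPOINTS, TIMEOUT_SECS and the assumption that TCP 2222 is the SSH administration port are not from the page; it relies only on bash's /dev/tcp, timeout and ss, all present on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (not part of SIRP's baseconfig): pre-flight check of the network paths the guide requires.
# Outbound endpoints come from the port table; EXTRA_ENDPOINTS and TIMEOUT_SECS are assumptions, e.g.
#   EXTRA_ENDPOINTS="siem.orgname.com:443 mail.orgname.com:993 dc1.orgname.com:636" ./sirp_preflight.sh
set -u

SIRP_CLOUD_ENDPOINTS="app.sirp.io:443 app.sirp.io:4444 app.sirp.io:80"
EXTRA_ENDPOINTS="${EXTRA_ENDPOINTS:-}"
TIMEOUT_SECS="${TIMEOUT_SECS:-5}"
# Inbound ports from the table that the appliance itself must be listening on.
INBOUND_PORTS="2222 80 8080 443"

# tcp_open HOST PORT [SECS]: 0 if a TCP handshake to HOST:PORT completes within SECS seconds.
# Uses bash's /dev/tcp, so it needs neither netcat nor curl on the appliance.
tcp_open() {
  local host=$1 port=$2 secs=${3:-$TIMEOUT_SECS}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
}

# check_endpoints "HOST:PORT HOST:PORT ...": prints one line per endpoint and returns the
# number of unreachable endpoints, so 0 means every path is open.
check_endpoints() {
  local failed=0 ep host port
  for ep in $1; do
    host=${ep%:*}
    port=${ep##*:}
    if tcp_open "$host" "$port"; then
      printf 'OK       %s\n' "$ep"
    else
      printf 'BLOCKED  %s\n' "$ep"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# listening_locally PORT: 0 if a TCP listener is bound on PORT on any local address.
listening_locally() {
  ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -qE "[:.]$1\$"
}

# preflight: prints the report; fails if any of the mandatory cloud paths is blocked.
preflight() {
  local cloud_failed=0 p
  echo "== Outbound to SIRP cloud =="
  check_endpoints "$SIRP_CLOUD_ENDPOINTS" || cloud_failed=$?
  if [ -n "$EXTRA_ENDPOINTS" ]; then
    echo "== Outbound to integrated apps =="
    check_endpoints "$EXTRA_ENDPOINTS" || true
  fi
  echo "== Inbound listeners on this appliance =="
  for p in $INBOUND_PORTS; do
    if listening_locally "$p"; then echo "LISTEN   tcp/$p"; else echo "MISSING  tcp/$p"; fi
  done
  # Threat Intelligence needs 443 and updates need 4444; treat any blocked cloud port as a failure.
  [ "$cloud_failed" -eq 0 ]
}

[ "${SKIP_PREFLIGHT:-0}" = 1 ] || preflight
```

A BLOCKED line for app.sirp.io:4444 with OK on 443 is the typical shape of a firewall rule that allowed only HTTPS; a MISSING line for tcp/443 on a freshly booted appliance usually means the services have not finished starting, so wait and rerun before changing anything.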

Finalize Configuration

The remaining configuration (profile, password, mail server and license) is done in the SIRP Web UI from a supported browser.

Login to SIRP Web UI

Browse over HTTPS to the hostname (or IP address) configured in the previous steps and log in using the admin credentials provided to you during SIRP onboarding. Alternatively, click the link in your invitation email to register a new account.

You will be presented with a form to enter your profile details and set a password.

Update Profile Information

Once you are logged in, in the upper-left corner of the page, the dashboard contains two options: Profile and Logout. Click on Profile to verify and complete your profile information.

For an account, the email address is treated as the "username." Once set, it cannot be changed later.

Change Password

To change your password, click Change Password at the bottom right corner of the profile form, enter your current password, enter the new password twice, then click the Change Password button.

Configure Mail Server

For email configuration settings, log in to the SIRP Web UI and go to Administration -> Organization -> Email Config.

Choose a Type from the dropdown based on the authentication your email server supports:

  • Basic: Hostname (unauthenticated relay)

  • User Auth: Hostname, Username and Password

  • Advanced: Hostname, Username, Password, Port and Encryption

Where your mail server supports it, use Advanced with encryption enabled so that the SMTP credentials and outgoing notifications are not sent in cleartext.

Upload License

SIRP licensing is based on the number of users who will log in to SIRP.

To add a license, follow these steps:

1. Click Administration in the left menu.

2. Go to Product Settings -> License.

3. Click the Upload button to upload your SIRP license file.

Troubleshooting: Stuck on the Welcome Screen

If the machine gets stuck on the Ubuntu welcome screen, press ESC on the black screen a couple of times to reveal the error. It is usually a network error. Stop the machine, open the VM's settings (Preferences in VMware Fusion), untick the network adapter's connect-on-start option, and boot a couple of times; it should then boot normally. Alternatively, try changing the VM's network adapter type.

Appendix – Connectivity for Apps

SIEM <> SIRP

SIRP ingests alerts and offenses from the SIEM using a pull mechanism.

SIRP must be able to connect to the SIEM in order to pull alerts and offenses automatically. Configure your firewall to allow connectivity from the SIRP appliance to your SIEM's IP address.

Note: Follow the SOP of your respective SIEM to configure its app and enable ingestion.

IMAP <> SIRP

It is not uncommon for enterprises to have a single mailbox to which users forward suspicious emails for further investigation. The ingestion feature of SIRP's IMAP app is primarily designed to pull emails from such a mailbox and create alerts and artifacts in SIRP.

Furthermore, in some cases, alerts from the SIEM are also ingested through email. You can configure alerts, custom searches, and rules to send notifications to a mailbox. SIRP reads that mailbox to ingest and store alerts.

Take the following steps to enable Email-based ingestion:

Step 1 – Allow Connectivity

Configure your firewall to allow connectivity from SIRP to your IMAP server.

Step 2 – Configure IMAP App

To configure the IMAP app, the following information should be available:

Setting      Value

IMAP Host    Hostname or IP address of the mail server

IMAP Port    993 (IMAP over TLS)

Email        Address of the mailbox SIRP polls

Password     Password of that mailbox

Use a dedicated service mailbox with its own credentials for ingestion rather than a user's personal account.

Note: Follow the SOPs relevant to your SIEM to configure custom searches and email notifications.

Microsoft Active Directory <> SIRP

It is common for analysts to pull user information from an organization's Active Directory during an investigation. SIRP integrates with Active Directory so that investigations are enriched directly in SIRP, without analysts having to browse Active Directory separately.

To enable Active Directory enrichment, the following information should be available:

Setting                  Value

Active Directory Host    Hostname or IP address of a domain controller

LDAP Port                389 (plain LDAP)

Domain                   The AD domain to query

Username                 Account SIRP binds with

Password                 Password of that account

Port 389 is unencrypted LDAP, so the bind credentials cross the network in cleartext unless StartTLS is negotiated. Where your domain controllers and the app allow it, prefer LDAPS on TCP 636, and give the bind account read-only rights, since it only needs to look users up.

Enrichment Apps

It is common for analysts to pull certain information for an investigation from various websites. SIRP integrates with the most popular external sources so that investigations are enriched directly in SIRP, without analysts having to visit each website individually. To enable basic enrichment, outbound access from SIRP to the following URLs should be allowed:
