Introduction

I recently started working with Extrahop and wanted to make some labs to understand the product portfolio. I have EVE-NG already setup as a lab platform so I decided to build the labs on that.

Extrahop VMs do not have an EVE-NG template out of the box. In this post I will show you how to add Extrahop VMs as custom device types in EVE-NG.

The following software was used in this post.

  • EVE-NG - 4.0.1-62
  • Extrahop Discovery Appliance 1100v - 8.6.2.1446
  • Extrahop Explore Appliance 5100v - 8.6.2.1446
  • Extrahop Trace Appliance 1150v - 8.6.2.1446
  • Extrahop Command Appliance - 8.6.2.1446

Pre Flight Check

This post assumes that you have downloaded the Extrahop appliances and they have been moved to the EVE-NG host in the /tmp/ directory. I used scp to transfer them from my MAC to the EVE-NG host. For example:

scp ~/Downloads/extrahop-eca-kvm-8.6.2.1446.tar.gz <user>@<eve-ip>:/tmp/

Note

When downloading the VM images from Extrahop, ensure that you download the KVM image type. EXCEPT for the Trace appliance, which only has the VMware option available.

Add Devices

Note

All commands run on the EVE-NG host will be executed as the root user.

First up, lets add the VMs to EVE-NG. Base VM images are stored in the /opt/unetlab/addons/qemu/ directory.

The following steps will be completed from the /tmp/ directory.

Extrahop Discovery Appliance (EDA)

Create a directory for the EDA.

cmd

mkdir /opt/unetlab/addons/qemu/eda-8.6.2.1446/
    

Extract the EDA .tar file.

cmd

tar -xvf extrahop-eda-1100v-kvm-8.6.2.1446.tar.gz
    

Move the boot and data disks to the EDA directory.

cmd

mv eda-1100v-kvm/extrahop-boot.qcow2 /opt/unetlab/addons/qemu/eda-8.6.2.1446/virtioa.qcow2
mv eda-1100v-kvm/extrahop-data.qcow2 /opt/unetlab/addons/qemu/eda-8.6.2.1446/virtiob.qcow2
    

Create a third disk that will be used for on-box packet captures.

cmd

/opt/qemu/bin/qemu-img create -f qcow2 /opt/unetlab/addons/qemu/eda-8.6.2.1446/virtioc.qcow2 100G
    

Extrahop Explore Appliance (EXA)

Create a directory for the EXA.

cmd

mkdir /opt/unetlab/addons/qemu/exa-8.6.2.1446/
    

Extract the EXA .tar file.

cmd

tar -xvf extrahop-exa-5100v-xs-kvm-8.6.2.1446.tar.gz
    

Move the boot disk to the EXA directory.

cmd

/opt/qemu/bin/qemu-img create -f qcow2 /opt/unetlab/addons/qemu/exa-8.6.2.1446/virtiob.qcow2 100G
    

Create a second disk that will be used as a data store.

cmd

/opt/qemu/bin/qemu-img create -f qcow2 /opt/unetlab/addons/qemu/eda-8.6.2.1446/virtioc.qcow2 100G
    

Extrahop Command Appliance (ECA)

Create a directory for the ECA.

cmd

mkdir /opt/unetlab/addons/qemu/eca-8.6.2.1446/
    

Extract the ECA .tar file.

cmd

tar -xvf extrahop-eca-kvm-8.6.2.1446.tar.gz
    

Move the boot and data disks to the ECA directory.

cmd

mv eca-kvm/extrahop-boot.qcow2 /opt/unetlab/addons/qemu/eca-8.6.2.1446/virtioa.qcow2
mv eca-kvm/extrahop-data.qcow2 /opt/unetlab/addons/qemu/eca-8.6.2.1446/virtiob.qcow2
    

Extrahop Trace Appliance (ETA)

Create a directory for the ETA.

cmd

mkdir /opt/unetlab/addons/qemu/eta-8.6.2.1446/
    

Extract the ETA .tar file.

cmd

tar -xvf extrahop-eta-1150v-vmware-8.6.2.1446.ova
    

Convert the boot and data disks from vmdk to qcow2 and move them to the ETA directory.

cmd

/opt/qemu/bin/qemu-img convert -p -f vmdk -O qcow2 extrahop-eta-1150v-vmware-disk1.vmdk /opt/unetlab/addons/qemu/eta-8.6.2.1446/virtioa.qcow2
/opt/qemu/bin/qemu-img convert -p -f vmdk -O qcow2 extrahop-eta-1150v-vmware-disk2.vmdk /opt/unetlab/addons/qemu/eta-8.6.2.1446/virtiob.qcow2
    

Create a third disk that will be used as a packet capture store.

cmd

/opt/qemu/bin/qemu-img create -f qcow2 /opt/unetlab/addons/qemu/eta-8.6.2.1446/virtioc.qcow2 100G
    

That's it for the creation of the VM images. Next up we need to define some device templates.

Device Templates

Device templates are stored in the /opt/unetlab/html/templates/intel/ directory. For each device type, you need to add a yaml file to this directory that defines the devices default parameters.

Extrahop Discovery Appliance

Create a file named eda.yml in the /opt/unetlab/html/templates/intel/ directory with the following contents.

file

# /opt/unetlab/html/templates/intel/eda.yml
---
type: qemu
name: eda
cpulimit: 1
icon: vanalytic.png
cpu: 2
ram: 4096
eth_format: eth{0}
ethernet: 2
qemu_nic: virtio-net-pci
console: telnet
qemu_arch: x86_64
qemu_options: -machine type=pc,accel=kvm -cpu host,+ssse3 -vga std -usbdevice tablet -boot order=dc
    

Extrahop Explore Appliance

Create a file named exa.yml in the /opt/unetlab/html/templates/intel/ directory with the following contents.

file

# /opt/unetlab/html/templates/intel/exa.yml
---
type: qemu
name: exa
cpulimit: 1
icon: vanalytic.png
cpu: 4
ram: 8192
eth_format: eth{0}
ethernet: 1
qemu_nic: virtio-net-pci
console: telnet
qemu_arch: x86_64
qemu_options: -machine type=pc,accel=kvm -cpu host,+ssse3 -vga std -usbdevice tablet -boot order=dc
    

Extrahop Command Appliance

Create a file named eca.yml in the /opt/unetlab/html/templates/intel/ directory with the following contents.

file

# /opt/unetlab/html/templates/intel/eca.yml
---
type: qemu
name: eca
cpulimit: 1
icon: vdirector.png
cpu: 2
ram: 4096
eth_format: eth{0}
ethernet: 2
qemu_nic: virtio-net-pci
console: telnet
qemu_arch: x86_64
qemu_options: -machine type=pc,accel=kvm -cpu host,+ssse3 -vga std -usbdevice tablet -boot order=dc
    

Extrahop Trace Appliance

Create a file named eta.yml in the /opt/unetlab/html/templates/intel/ directory with the following contents.

file

# /opt/unetlab/html/templates/intel/eta.yml
---
type: qemu
name: eta
cpulimit: 1
icon: vanalytic.png
cpu: 2
ram: 16384
eth_format: eth{0}
ethernet: 2
qemu_nic: virtio-net-pci
console: telnet
qemu_arch: x86_64
qemu_options: -machine type=pc,accel=kvm -cpu host,+ssse3 -vga std -usbdevice tablet -boot order=dc
    

Custom Templates File

Custom device types also need to be defined in the /opt/unetlab/html/includes/custom_templates.yml file. This allows them to be selected as devices from the web interface. Add the four appliance types to this file.

Note

The name parameter needs to match what is defined in the device template.

file

# /opt/unetlab/html/includes/custom_templates.yml
---
custom_templates:
  - name: "eda"
    listname: "Extrahop Discovery Appliance"
  - name: "exa"
    listname: "Extrahop Explore Appliance"
  - name: "eca"
    listname: "Extrahop Command Appliance"
  - name: "eta"
    listname: "Extrahop Trace Appliance"
...
    

Finally, run the fix permissions script.

cmd

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
    

And thats it for the templates. If you browse to the web interface and start a lab, you will be able to add the Extrahop virtual appliances.

Summary

In this post, I covered the process to add Extrahop Discovery, Explore, Command and Trace virtual appliances to EVE-NG as custom device types. Time to get my lab on 🥳 Keep an eye out for future post around the Extrahop product portfolio.

Tags

eveng extrahop