Eyeing the Onion
1. Introductions

   • Brad Shoop - @bradshoop - http://eyeis.net
     – IT since mid-90s, security-focused since 2006 (GCIH, GCFA)
     – Doc, testing and marketing contributor to Security Onion
     – Technical Editor, The Practice of NSM (a must read!)
     – Author, Security Onion for Splunk apps
     – Currently works for Mandiant
   • Chris Rimondi - @crimondi - http://www.securitygrit.com/
     – Father of three boys ages four and under, including one under a month old!
     – Former IT Director & Former Security Consultant
     – Now with Mandiant
     – ISSA Board Member, Chattanooga
2. Agenda

   • Big Data and Security Onion
   • Splunk vs ELSA
   • Splunk app
   • What is ELSA? Architecture overview
   • Integrating conditional data
   • Dashboards
3. Security Onion Makes A Lot of Data

   (diagram) Bro IDS, Snort/Suricata and OSSEC all feed their logs into ELSA.
4. SecOps Needs More Data

   (diagram) Firewalls, Windows hosts and other syslog sources feed into ELSA as well.
5. Splunk vs ELSA

   Splunk                          ELSA
   Google-style search             Google-style search
   Event parsing                   Event parsing
   Custom visualization            Basic visualization
   Custom dashboard capability     Basic dashboard capability
   Fast (but not "ELSA fast")      Sub-second searches
   Multi-field groupbys            Single-field groupbys
   $$$                             Open Source (GNU GPL v2)
6. Splunk vs. ELSA
7. Learning with SO for Splunk

   • Learn the logs!
   • Follow the uid!
   • Understand how logged events relate across toolsets:
     – Bro – context & alerts
     – Snort/Suricata – alerts
     – OSSEC – alerts
   • Identify normal from anomalous
8. Security Onion for Splunk Demo

   • Security Onion for Splunk – http://splunk-base.splunk.com/apps/45784/security-onion
   • Security Onion Server/Sensor Add-on – http://splunk-base.splunk.com/apps/52461/security-onion-serversensor-add-on
9. ELSA Architecture
10. ELSA Web API Architecture

   (diagram) An SO Server running as ELSA Master talks over SSL to SO Sensors running ELSA as peers or forwarders. Firewalls, sysloggers and Windows hosts send syslog (plain or over SSL) across the network to an ELSA Forwarder.

   An SO Sensor runs ELSA as a peer or as a forwarder:
   • Peer mode: events are indexed locally and queried remotely from the Master.
   • Forwarder mode: events are parsed, compressed, then forwarded via SSL to the Master node for indexing.
   Yes, it can do both!
11. elsa_web.conf

   apikeys: username ("secops") and apikey ("001") used for web API authentication.
   peers: the local ELSA instance and the ELSA peers this instance is allowed to query.

   Standalone ELSA Master:

   "apikeys": { "secops": "001" },
   "peers": {
     "127.0.0.1": { "url": "http://127.0.0.1/", "username": "secops", "apikey": "001" }
   },

   ELSA Master with 1 peer:

   "apikeys": { "secops": "001" },
   "peers": {
     "127.0.0.1":    { "url": "http://127.0.0.1/",    "username": "secops",        "apikey": "001" },
     "192.168.0.10": { "url": "http://192.168.0.10/", "username": "IT_ops_master", "apikey": "000" }
   },

   The apikey values here are slide placeholders. The apikey is the credential a master presents to be allowed to query a peer, so in production use a long random value, and put a peer URL that leaves the host behind HTTPS rather than the plain http:// shown for 192.168.0.10.
12. ELSA Masters/Peers

   (diagram) Two masters, ELSA Master SecOps and ELSA Master IT Ops, query a shared set of peers holding network events, auth events and IDS/AV/firewall/DNS events:
   • ELSA Peer 1 – user: secops, apikey: 001
   • ELSA Peer 2 – user: ops, apikey: 001
   • ELSA Peer 3 – user: ops, apikey: 002
   A master can query a peer only with a username/apikey pair that the peer accepts in its own apikeys.
13. elsa_node.conf – archive/log limit

   "archive": {
     # Uncomment to establish a retention period in days for archive logs
     #"days": 90,
     "percentage": 33,
     "table_size": 10000000
   },
   # Size limit in bytes for logs + index size. Set this to be 90-95% of your total data disk space.
   # Size can also be specified as a percentage if the percent sign is included at the end (e.g. 95%).
   "log_size_limit": 200000000000,
   #"log_size_limit": "85%",

   archive – percent of log_size_limit to devote to the archive
   log_size_limit – the total disk limit ELSA will use
14. ELSA Forwarder

   (diagram) The same masters and peers as on slide 12, plus an ELSA Forwarder (user: ops, apikey: 001) that receives WAN events and forwards them on to the master.
15. elsa_node.conf – Forwarding

   #"forwarding": {
   #  "forward_only": 1,  # set to zero to both forward and index/archive
   #  "destinations": [
   #    { "method": "cp", "dir": "/mnt/nfs/central_server" },
   #    # Example with password
   #    { "method": "scp", "user": "user", "password": "password", "port": 8022, "host": "central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
   #    # Example using key
   #    { "method": "scp", "key_path": "/root/.ssh/id_rsa.pub", "host": "central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
   #    # Example using URL forwarding
   #    { "method": "url", "url": "https://example.com/API/upload", "verify_mode": 0 },
   #    # Example for an ops log server (logs about ELSA operations, for sending multiple ELSA node logs to, not the logs ELSA indexes)
   #    { "ops": 1, "method": "url", "url": "https://opslogs.example.com/API/upload", "verify_mode": 1 }
   #  ]
   #},

   method – how/where to forward events
   ops – ELSA instance receiving ops logs (node.log & web.log)

   Two of these commented examples should not be copied as-is: the first scp entry stores a password in clear text in a config file (prefer key_path, which if handed to scp -i must name the private key rather than the .pub file), and "verify_mode": 0 tells the url method to skip TLS certificate verification, so buffers would be uploaded to whatever host answers at that URL.
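The apikeys, peers and forwarding settings on slides 11, 13 and 15 each carry a foot-gun (short apikeys, plaintext peer URLs, clear-text scp passwords, verify_mode 0, an absolute log_size_limit larger than the disk). The following linter is an added example, not part of the talk or of ELSA; it assumes ELSA config files are JSON with '#' comments as the slides show, the 16-character apikey threshold is the editor's choice, and SAMPLE_CONF is constructed from the slides' fragments:

```python
"""Lint ELSA config fragments for the weak settings the slides' examples contain.

Added example, not part of the talk or of ELSA. Assumes ELSA config files are JSON with
'#' comment lines (as on the elsa_node.conf slides); the thresholds are the editor's choice.
"""
import json
from ipaddress import ip_address
from urllib.parse import urlparse

WEAK_KEY_LEN = 16  # assumption: apikeys shorter than this are treated as guessable

# Constructed sample combining the elsa_web.conf and elsa_node.conf fragments from the slides.
SAMPLE_CONF = """{
  "apikeys": { "secops": "001" },
  "peers": {
    "127.0.0.1":    { "url": "http://127.0.0.1/",    "username": "secops",        "apikey": "001" },
    "192.168.0.10": { "url": "http://192.168.0.10/", "username": "IT_ops_master", "apikey": "000" }
  },
  "log_size_limit": 200000000000,
  "forwarding": {
    "forward_only": 1,  # set to zero to both forward and index/archive
    "destinations": [
      { "method": "scp", "user": "user", "password": "password", "port": 8022, "host": "central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
      { "method": "url", "url": "https://example.com/API/upload", "verify_mode": 0 },
      { "ops": 1, "method": "url", "url": "https://opslogs.example.com/API/upload", "verify_mode": 1 }
    ]
  }
}"""


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside a quoted string."""
    pos = line.find("#")
    while pos != -1:
        if line[:pos].count('"') % 2 == 0:  # even number of quotes before '#': outside a string
            return line[:pos]
        pos = line.find("#", pos + 1)
    return line


def load_elsa_conf(text):
    """Parse ELSA's JSON-with-#-comments format into a dict."""
    return json.loads("\n".join(_strip_comment(l) for l in text.splitlines()))


def _is_loopback(url):
    host = urlparse(url).hostname or ""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def lint(conf, disk_bytes=None):
    """Return a list of findings; an empty list means nothing obviously risky was found."""
    findings = []
    # apikeys: the username/apikey pairs this node accepts for web API queries
    for user, key in conf.get("apikeys", {}).items():
        if len(str(key)) < WEAK_KEY_LEN:
            findings.append(f"apikeys[{user}]: {len(str(key))}-char apikey is guessable; use a long random value")
    # peers: the URL and credentials this node uses to query other ELSA nodes
    for name, peer in conf.get("peers", {}).items():
        url = peer.get("url", "")
        if urlparse(url).scheme == "http" and not _is_loopback(url):
            findings.append(f"peers[{name}]: apikey travels over plaintext http to a non-loopback host")
        if len(str(peer.get("apikey", ""))) < WEAK_KEY_LEN:
            findings.append(f"peers[{name}]: short apikey")
    # forwarding destinations: clear-text secrets and disabled TLS verification
    for i, dest in enumerate(conf.get("forwarding", {}).get("destinations", [])):
        method = dest.get("method")
        if method == "scp" and "password" in dest:
            findings.append(f"forwarding[{i}]: scp password stored in clear text; prefer key_path")
        if method == "url":
            if dest.get("verify_mode", 1) == 0:
                findings.append(f"forwarding[{i}]: verify_mode 0 disables TLS certificate verification")
            if urlparse(dest.get("url", "")).scheme != "https":
                findings.append(f"forwarding[{i}]: buffers uploaded without TLS")
    # log_size_limit: the slide says 90-95% of the data disk; an absolute value above that fills the disk
    limit = conf.get("log_size_limit")
    if disk_bytes and isinstance(limit, int) and limit > 0.95 * disk_bytes:
        findings.append(f"log_size_limit {limit} exceeds 95% of the {disk_bytes}-byte data disk")
    return findings


if __name__ == "__main__":
    for finding in lint(load_elsa_conf(SAMPLE_CONF), disk_bytes=200_000_000_000):
        print(finding)
```

Run against the constructed sample with a 200 GB data disk it reports seven findings: three short apikeys, the plaintext peer URL, the scp password, verify_mode 0, and a log_size_limit equal to 100% of the disk. The ops destination passes because it uses https with verification left on.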
16. Under the Hood

   (diagram) Event flow: syslog and SSL (preformatted) events -> pattern_db extract -> raw text file (buffers) -> ELSA storage: Index (MySQL) and Archive (MySQL) -> Sphinx indexing: temp index (RAM) and perm index (disk).
17. Event vs. Condition

   • Event
     – Action of an asset
     – Time occurred
     – Other stuff describing the action: source & destination IPs
   • Condition
     – State of an asset
     – Time of state snapshot
     – Other stuff describing the state: configuration data
18. Event and Condition Enhancing IR Process

   • Sample workflow
     1. Analyst sees a bad thing happen in SO
     2. Analyst digs deeper into
        1. Other events that happened around the same time
        2. Other behavior from the involved assets
   • Now it would help to know a little more about the condition of the assets at the time closest to the event
19. Event and Condition Enhancing IR Process

   • Helpful condition (configuration) information
     – Processes running
     – Ports open
     – Services listening
     – Operating system
     – Known software
     – Known vulnerabilities
20. Where can I find this information? And, more importantly, how do I get this data into ELSA for easy correlation?
21. SO SecOps Sources

   • PRADS – already integrated?
   • Bro – now integrated
     – Known software
     – Known certs
     – Known hosts
   • Port scanners and vulnerability scanners
     – Nmap
     – Nikto
     – Nessus
     – OpenVAS
22. VAtoELSA.py

   (diagram) VA XML data -> flatten -> syslog -> ELSA (MySQL)
   https://github.com/ChrisRimondi/va_to_elsa
23. Nessus report into ELSA

   $ python VAtoELSA.py -i report.nessus -r nessus -e elsa_ip

24. OpenVAS report into ELSA

   $ python VAtoELSA.py -i report.xml -r openvas -e elsa_ip
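What "flatten" on slide 22 means in practice for a .nessus v2 report is shown below. This is an added example in the spirit of VAtoELSA.py, not the project's code: it walks ReportHost/ReportItem, drops informational findings, and emits one key="value" syslog line per finding. It assumes ELSA's syslog-ng listener on UDP 514 and a pattern_db rule on the ELSA side for this layout; the plugin IDs and host in SAMPLE_NESSUS are constructed.

```python
"""Flatten a .nessus (v2) report into key="value" syslog lines for ELSA.

Added example in the spirit of VAtoELSA.py, not the project's code. Assumes ELSA's
syslog-ng listener on UDP 514 and a pattern_db rule on the ELSA side that parses this
layout; the plugin IDs and host in SAMPLE_NESSUS are constructed.
"""
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="dmz-scan">
  <ReportHost name="10.0.0.5">
   <HostProperties>
    <tag name="host-ip">10.0.0.5</tag>
    <tag name="operating-system">Linux Kernel 2.6 on Ubuntu 12.04</tag>
   </HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900001"
               pluginName="Example weak cipher check" pluginFamily="General">
    <risk_factor>Medium</risk_factor>
    <cvss_base_score>4.3</cvss_base_score>
   </ReportItem>
   <ReportItem port="8080" svc_name="www" protocol="tcp" severity="4" pluginID="900002"
               pluginName="Example Java &quot;RCE&quot; check" pluginFamily="Web Servers">
    <risk_factor>Critical</risk_factor>
    <cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900003"
               pluginName="Example scan information" pluginFamily="Settings">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def flatten_nessus(xml_text, min_severity=1):
    """Yield one flat dict per ReportItem; informational items below min_severity are dropped."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip") or host.get("name")
        for item in host.iter("ReportItem"):
            if int(item.get("severity", "0")) < min_severity:
                continue
            yield {
                "host": ip,
                "os": props.get("operating-system", ""),
                "port": item.get("port"),
                "proto": item.get("protocol"),
                "svc": item.get("svc_name"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "risk_factor": item.findtext("risk_factor", "None"),
                "cvss": item.findtext("cvss_base_score", ""),
            }


def _q(value):
    """Keep each value a single quoted token: embedded double quotes become single quotes."""
    return str(value).replace('"', "'")


def to_syslog(rec, program="nessus", hostname="vascanner", facility=16, severity=6):
    """Build one RFC 3164 line (default PRI local0.info = 134) carrying key="value" pairs."""
    pri = facility * 8 + severity
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    kv = " ".join(f'{k}="{_q(v)}"' for k, v in rec.items() if v)
    return f"<{pri}>{ts} {hostname} {program}: {kv}"


def send_to_elsa(lines, elsa_ip, port=514):
    """Ship lines to ELSA's syslog listener over UDP; returns how many were sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (elsa_ip, port))
    return len(lines)


if __name__ == "__main__":
    import sys
    path, elsa_ip = sys.argv[1], sys.argv[2]  # usage: python nessus_to_elsa.py report.nessus elsa_ip
    with open(path, encoding="utf-8") as fh:
        lines = [to_syslog(r) for r in flatten_nessus(fh.read())]
    print(send_to_elsa(lines, elsa_ip), "events sent")
```

Severity 0 items (scan information, open-port notes) are dropped by default so the risk_factor field in ELSA only ever carries real findings; pass min_severity=0 to keep them. The fields chosen here (host, port, plugin_id, risk_factor, family) are the ones the queries on slides 26 and 27 pivot on.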
25. Putting it all together
26. Now let's get crazy

   class=openvas host type="Web application abuses" risk_factor="High" groupby:dstip | subsearch(class=bro_http uri:passwd groupby:srcip)

   In other words: show me all source IP addresses that requested a resource with 'passwd' in it where the server they communicated with had a vulnerability rated as High and of the type "Web application abuses".
27. One more time

   class=nessus java risk_factor:critical groupby:srcip | subsearch(class=bro_http user_agent:java groupby:dstip, srcip) | whois | filter(cc,us)

   In other words: tell me all of the sites visited that had a country code captured from whois not in the US, where the client had a user agent string containing java and a critically rated Java vulnerability as discovered by Nessus.
28. Process Data

   • Snapshots of processes at a particular time
   • Simple Python script that uses WMI to collect process information, convert it to syslog and send it to ELSA
   • Collects information on each process:
     – Operating system
     – PID
     – Parent PID
     – Process name
     – Creation time
     – Source IP
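The slide describes the collector but does not show it. The script below is an added example, not the one from the talk: it gathers the listed fields through WMI, normalises the CIM_DATETIME creation timestamp that Win32_Process returns, tags every line with a snapshot time so one collection run can be grouped in ELSA, and ships the lines as syslog. It assumes the third-party `wmi` package (pip install wmi) on the Windows host and ELSA's syslog-ng listener on UDP 514; only snapshot_processes needs Windows.

```python
"""Snapshot running processes over WMI and emit one syslog event per process.

Added example, not the script from the talk. Assumes the third-party 'wmi' package
(pip install wmi) on the Windows host and ELSA's syslog-ng listener on UDP 514;
cim_to_iso and process_to_syslog run anywhere, only snapshot_processes needs Windows.
"""
import re
import socket
from datetime import datetime, timedelta, timezone

_CIM_RE = re.compile(r"(\d{14})\.(\d{6})([+-]\d{3})")


def cim_to_iso(cim):
    """Convert a WMI CIM_DATETIME such as 20130925143011.123456-300 into ISO 8601 with its UTC offset."""
    m = _CIM_RE.fullmatch(cim)
    if not m:
        raise ValueError(f"not a CIM_DATETIME: {cim!r}")
    base = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    tz = timezone(timedelta(minutes=int(m.group(3))))  # the trailing offset is in minutes
    return base.replace(microsecond=int(m.group(2)), tzinfo=tz).isoformat()


def snapshot_processes():
    """Collect the slide's per-process fields via WMI (Windows only)."""
    import wmi  # imported here so the helpers above stay importable on non-Windows hosts
    c = wmi.WMI()
    os_name = c.Win32_OperatingSystem()[0].Caption
    return [
        {"os": os_name, "pid": p.ProcessId, "ppid": p.ParentProcessId, "name": p.Name,
         "created": cim_to_iso(p.CreationDate) if p.CreationDate else "",
         "exe": p.ExecutablePath or ""}
        for p in c.Win32_Process()
    ]


def _q(value):
    """Keep each value a single quoted token: embedded double quotes become single quotes."""
    return str(value).replace('"', "'")


def process_to_syslog(proc, src_ip, hostname, snapshot_ts, pri=134):
    """One RFC 3164 line per process (PRI 134 = local0.info); snapshot_ts groups one collection run."""
    fields = {"src_ip": src_ip, "snapshot": snapshot_ts, **proc}
    kv = " ".join(f'{k}="{_q(v)}"' for k, v in fields.items() if v != "")  # keep pid 0, drop empties
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} procsnap: {kv}"


def send_to_elsa(lines, elsa_ip, port=514):
    """Ship lines to ELSA's syslog listener over UDP; returns how many were sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (elsa_ip, port))
    return len(lines)


if __name__ == "__main__":
    import sys
    elsa_ip = sys.argv[1]  # usage: python procsnap.py elsa_ip
    host = socket.gethostname()
    src_ip = socket.gethostbyname(host)
    snapshot_ts = datetime.now(timezone.utc).isoformat()
    lines = [process_to_syslog(p, src_ip, host, snapshot_ts) for p in snapshot_processes()]
    print(send_to_elsa(lines, elsa_ip), "process events sent")
```

The creation time is converted with its UTC offset preserved rather than dropped: a process "created" at 14:30 local on a host five hours behind ELSA will otherwise look like it started after the alert it explains. The snapshot field is what lets a query such as class=procsnap name:java groupby:src_ip be narrowed to the collection run nearest an event.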
29. Currently executing Java processes
30. Something is amiss…
31. What I have learned from building lots of parsers

   • Familiarize yourself with the existing fields and classes in ELSA:
     mysql> use syslog; select * from classes; select * from fields;
   • Reuse instead of building new
   • Think about the IR process:
     – How can I link this log type to other log types?
     – What would I want to filter on?
32. New Content

   Parsers
   • bro_ftp
   • bro_weird
   • bro_tunnel
   • bro_software
   • bro_ssh
   • bro_irc
   • bro_syslog
   • capture_loss
   • known_certs
   • known_hosts
   • known_services

   VA Integration
   • Nessus
   • Nikto
   • OpenVAS
   • Nmap

   Dashboards
   • Network Hunting
   • Host Hunting
   • SO Overview
   • SSL
   • SSH
   • FTP
   • SMTP
33. Dashboards
