
Eyeing the Onion



  1. Introductions
     • Brad Shoop - @bradshoop
       – http://eyeis.net
       – IT since mid-90s, security-focused since 2006 (GCIH, GCFA)
       – Doc, testing and marketing contributor to Security Onion
       – Technical Editor, The Practice of NSM (a must read!)
       – Author, Security Onion for Splunk apps
       – Currently work for Mandiant
     • Chris Rimondi - @crimondi
       – http://www.securitygrit.com/
       – Father of three boys ages four and under
         • Including one < 1 month old!
       – Former IT Director & Former Security Consultant
       – Now with Mandiant
       – ISSA Board Member, Chattanooga
  2. Agenda
     • Big Data and Security Onion
     • Splunk vs ELSA
     • Splunk app
     • What is ELSA? Architecture overview
     • Integrating Conditional Data
     • Dashboards
  3. Security Onion Makes A Lot of Data
     (diagram: Bro IDS, Snort/Suricata and OSSEC all feeding ELSA)
  4. SecOps Needs More Data
     (diagram: firewalls, Windows and syslog sources also feeding ELSA)
  5. Splunk vs ELSA

     | Splunk                      | ELSA                       |
     |-----------------------------|----------------------------|
     | Google-style search         | Google-style search        |
     | Event parsing               | Event parsing              |
     | Custom visualization        | Basic visualization        |
     | Custom dashboard capability | Basic dashboard capability |
     | Fast (but not "ELSA fast")  | Sub-second searches        |
     | Multi-field groupbys        | Single-field groupbys      |
     | $$$                         | Open Source (GNU GPL v2)   |
  6. Splunk vs. ELSA
  7. Learning with SO for Splunk
     • Learn the logs!
     • Follow the uid!
     • Understand how logged events relate across toolsets:
       – Bro: context & alerts
       – Snort/Suricata: alerts
       – OSSEC: alerts
     • Identify normal from anomalous
  8. Security Onion for Splunk Demo
     • Security Onion for Splunk
       – http://splunk-base.splunk.com/apps/45784/security-onion
     • Security Onion Server/Sensor Add-on
       – http://splunk-base.splunk.com/apps/52461/security-onion-serversensor-add-on
  9. ELSA Architecture
  10. ELSA WebAPI Architecture
      (diagram: three SO Sensors running ELSA as peer or forwarder, plus an ELSA Forwarder collecting from firewalls, sysloggers and Windows, all connected to the SO Server / ELSA Master over SSL and syslog/SSL)
      • SO Sensor ELSA runs as a peer or a forwarder.
      • Peer mode: events are indexed locally and queried remotely from the Master.
      • Forwarder mode: events are parsed, compressed, then forwarded via SSL to the Master node for indexing.
      • Yes, it can do both!
  11. elsa_web.conf
      • apikeys: username ("secops") and apikey ("001") for web API authentication
      • peers: the local ELSA instance and the ELSA peers this instance has access to query

      Standalone ELSA Master:

      ```json
      "apikeys": { "secops": "001" },
      "peers": {
        "127.0.0.1": { "url": "http://127.0.0.1/", "username": "secops", "apikey": "001" }
      },
      ```

      ELSA Master with 1 Peer:

      ```json
      "apikeys": { "secops": "001" },
      "peers": {
        "127.0.0.1": { "url": "http://127.0.0.1/", "username": "secops", "apikey": "001" },
        "192.168.0.10": { "url": "http://192.168.0.10/", "username": "IT_ops_master", "apikey": "000" }
      },
      ```
  12. ELSA Masters/Peers
      (diagram: two masters, ELSA Master SecOps and ELSA Master IT Ops, querying three peers)
      • ELSA Peer 1: user secops, apikey 001
      • ELSA Peer 2: user ops, apikey 001
      • ELSA Peer 3: user ops, apikey 002
      • Event sources across the peers: network events, auth events, IDS/AV/firewall/DNS
  13. elsa_node.conf – archive/log limit

      ```json
      "archive": {
        # Uncomment to establish a retention period in days for archive logs
        #"days": 90,
        "percentage": 33,
        "table_size": 10000000
      },
      # Size limit in bytes for logs + index size. Set this to be 90-95% of your total data disk space.
      # Size can also be specified as a percentage if the percent sign is included at the end (e.g. 95%).
      "log_size_limit": 200000000000,
      #"log_size_limit": "85%",
      ```

      • archive: percent of log_size_limit to devote to the archive
      • log_size_limit: the total disk limit ELSA will use
  14. ELSA Forwarder
      (diagram: the same two masters and three peers as the previous slide, plus an ELSA Forwarder)
      • ELSA Peer 1: user secops, apikey 001
      • ELSA Peer 2: user ops, apikey 001
      • ELSA Peer 3: user ops, apikey 002
      • ELSA Forwarder: user ops, apikey 001, sending WAN events
      • Event sources across the peers: network events, auth events, IDS/AV/firewall/DNS
  15. elsa_node.conf – Forwarding

      ```json
      #"forwarding": {
      #  "forward_only": 1, # set to zero to both forward and index/archive
      #  "destinations": [
      #    { "method": "cp", "dir": "/mnt/nfs/central_server" },
      #    # Example with password
      #    { "method": "scp", "user": "user", "password": "password", "port": 8022, "host": "central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
      #    # Example using key
      #    { "method": "scp", "key_path": "/root/.ssh/id_rsa.pub", "host": "central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
      #    # Example using URL forwarding
      #    { "method": "url", "url": "https://example.com/API/upload", "verify_mode": 0 },
      #    # Example for an ops log server (logs about ELSA operations for sending multiple ELSA node logs to, not the logs ELSA indexes)
      #    { "ops": 1, "method": "url", "url": "https://opslogs.example.com/API/upload", "verify_mode": 1 }
      #  ]
      #},
      ```

      • method: how/where to forward events
      • ops: ELSA instance receiving ops logs (node.log & web.log)
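The three config slides above (elsa_web.conf peers, archive/log limits and forwarding destinations) are easy to get subtly wrong, and ELSA's config files are JSON with `#` comment lines, so a plain JSON parser rejects them. The following Python lint is an added example, not part of the talk or of the ELSA project: it strips the comment lines, then checks the points the slides call out (every peer has a URL, username and apikey; the local peer's key matches an apikeys entry; `log_size_limit` is bytes or `NN%`; each forwarding destination carries the keys its `method` needs) and flags an scp password kept in the file or `verify_mode: 0` on a URL destination. The sample config embedded below is constructed for the example; `archive_budget` just applies the slide's own rule (archive percentage of log_size_limit).

```python
import json
import re

# Constructed sample in the style of the elsa_web.conf / elsa_node.conf
# fragments on the slides; not a real deployment's config.
SAMPLE_CONF = r'''
{
  "apikeys": { "secops": "001" },
  "peers": {
    "127.0.0.1": { "url": "http://127.0.0.1/", "username": "secops", "apikey": "001" },
    "192.168.0.10": { "url": "http://192.168.0.10/", "username": "IT_ops_master" }
  },
  "archive": {
    # retention in days is commented out here, as in the default config
    #"days": 90,
    "percentage": 33,
    "table_size": 10000000
  },
  "log_size_limit": "85%",
  "forwarding": {
    "forward_only": 1,
    "destinations": [
      { "method": "scp", "user": "user", "password": "password", "port": 8022,
        "host": "central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
      { "method": "url", "url": "https://example.com/API/upload", "verify_mode": 0 },
      { "ops": 1, "method": "url", "verify_mode": 1 }
    ]
  }
}
'''

COMMENT_RE = re.compile(r"^\s*#.*$", re.MULTILINE)
# Keys each forwarding method needs (taken from the destination examples on the slide).
REQUIRED_BY_METHOD = {"cp": ("dir",), "scp": ("host", "dir"), "url": ("url",)}


def load_elsa_json(text):
    """ELSA's config is JSON plus '#' comment lines; drop those lines, then parse."""
    return json.loads(COMMENT_RE.sub("", text))


def lint_elsa_conf(conf, disk_bytes=None):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    apikeys = conf.get("apikeys", {})
    for peer, entry in conf.get("peers", {}).items():
        missing = [k for k in ("url", "username", "apikey") if k not in entry]
        if missing:
            findings.append("peer %s: missing %s" % (peer, ", ".join(missing)))
            continue
        # The local peer authenticates against this master's own apikeys table.
        if peer == "127.0.0.1" and apikeys.get(entry["username"]) != entry["apikey"]:
            findings.append("peer %s: apikey does not match local apikeys entry" % peer)
        if peer != "127.0.0.1" and entry["url"].startswith("http://"):
            findings.append("peer %s: API key would be sent over plain HTTP" % peer)

    limit = conf.get("log_size_limit")
    if isinstance(limit, str) and not re.fullmatch(r"\d{1,3}%", limit):
        findings.append("log_size_limit %r: expected bytes or 'NN%%'" % limit)
    elif isinstance(limit, int) and disk_bytes and limit > disk_bytes:
        findings.append("log_size_limit exceeds the data disk size")

    for i, dest in enumerate(conf.get("forwarding", {}).get("destinations", [])):
        method = dest.get("method")
        if method not in REQUIRED_BY_METHOD:
            findings.append("destination %d: unknown method %r" % (i, method))
            continue
        for key in REQUIRED_BY_METHOD[method]:
            if key not in dest:
                findings.append("destination %d: %s needs %r" % (i, method, key))
        if "password" in dest:
            findings.append("destination %d: scp password stored in config; prefer key_path" % i)
        if method == "url" and dest.get("verify_mode", 1) == 0:
            findings.append("destination %d: verify_mode 0 disables TLS certificate checks" % i)
    return findings


def archive_budget(conf, disk_bytes):
    """Bytes ELSA devotes to the archive: log_size_limit (bytes, or percent of
    the data disk) times archive.percentage, per the slide's description."""
    limit = conf["log_size_limit"]
    limit_bytes = disk_bytes * int(limit[:-1]) // 100 if isinstance(limit, str) else int(limit)
    return limit_bytes * int(conf["archive"]["percentage"]) // 100


if __name__ == "__main__":
    cfg = load_elsa_json(SAMPLE_CONF)
    for line in lint_elsa_conf(cfg):
        print(line)
    print("archive budget on a 1 TB disk:", archive_budget(cfg, 10**12))
```

Run it against a real node by replacing `SAMPLE_CONF` with the contents of `/etc/elsa_node.conf` and `/etc/elsa_web.conf`; the checks only read the parsed dict, so any extra keys in a production file are ignored.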
  16. Under the Hood
      (diagram of the ELSA event pipeline)
      • Events arrive via syslog, or via SSL already preformatted
      • pattern_db extracts fields from the raw text
      • ELSA buffers: raw text files
      • ELSA storage: index (MySQL) and archive (MySQL)
      • Sphinx indexing: temp index (RAM), perm index (disk)
  17. Event vs. Condition
      • Event
        – Action of an asset
        – Time occurred
        – Other stuff describing the action:
          • Source & destination IPs
      • Condition
        – State of an asset
        – Time of state snapshot
        – Other stuff describing the state:
          • Configuration data
  18. Event and Condition Enhancing IR Process
      • Sample workflow
        1. Analyst sees bad thing happen in SO
        2. Analyst digs deeper into
           1. Other events that happened around the same time
           2. Other behavior from involved assets
      • Now it might be helpful to know a little more about the condition of the assets at the time closest to the event happening
  19. Event and Condition Enhancing IR Process
      • Helpful condition (configuration) information
        – Processes running
        – Ports open
        – Services listening
        – Operating system
        – Known software
        – Known vulnerabilities
  20. Where can I find this information? And more importantly, how do I get this data into ELSA for easy correlation?
  21. SO SecOps Sources
      • PRADS – already integrated?
      • Bro – now integrated
        – Known software
        – Known certs
        – Known hosts
      • Port scanners and vulnerability scanners
        – Nmap
        – Nikto
        – Nessus
        – OpenVAS
  22. VAtoELSA.py
      (diagram: VA XML data → flatten → syslog → ELSA MySQL)
      https://github.com/ChrisRimondi/va_to_elsa
  23. Nessus report to ELSA:

      ```
      $ python VAtoELSA.py -i report.nessus -r nessus -e elsa_ip
      ```
  24. OpenVAS report to ELSA:

      ```
      $ python VAtoELSA.py -i report.xml -r openvas -e elsa_ip
      ```
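The VAtoELSA.py flow on the slides is "VA XML → flatten → syslog → ELSA". The Python below is an added example written for this page, not the va_to_elsa script from the GitHub repo above: it walks a `.nessus` (NessusClientData_v2) report, emits one flat key="value" record per ReportItem with the host properties joined in, wraps each record in an RFC 3164 syslog line and, in `send_udp`, delivers the lines to an ELSA node's syslog listener. The `.nessus` document embedded here is constructed for the example, the facility/severity (PRI 134, local0.info), the `va-scanner` hostname and the `nessus` program tag are assumptions, and the field names (`srcip`, `risk_factor`, `type`, ...) are chosen to line up with the ELSA queries on the later slides.

```python
import socket
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed minimal .nessus (NessusClientData_v2) report; not a real scan.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Linux Kernel 3.2</tag>
      </HostProperties>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="11111" pluginName="Example Web Flaw" pluginFamily="Web Servers">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="22222" pluginName="Host Information" pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def flatten_nessus(xml_text, min_severity=0):
    """One flat dict per ReportItem, host properties copied onto every row.
    Items below min_severity (Nessus 0-4 scale) are dropped."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            if int(item.get("severity", "0")) < min_severity:
                continue
            rows.append({
                "srcip": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", ""),
                "port": item.get("port"),
                "proto": item.get("protocol"),
                "severity": item.get("severity"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "type": item.get("pluginFamily"),
                "risk_factor": (item.findtext("risk_factor") or "").strip(),
            })
    return rows


def to_syslog(row, program="nessus", hostname="va-scanner", ts=None):
    """RFC 3164 line: '<PRI>Mmm dd hh:mm:ss host program: k="v" ...'.
    PRI 134 = local0 (16 * 8) + informational (6); assumed, not ELSA-mandated."""
    ts = ts or datetime.now(timezone.utc)
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    # Double quotes are stripped from values so the k="v" framing stays parseable.
    body = " ".join('%s="%s"' % (k, str(v).replace('"', "")) for k, v in row.items())
    return "<134>%s %s %s: %s" % (stamp, hostname, program, body)


def send_udp(lines, elsa_ip, port=514):
    """Deliver each line as one UDP datagram to the ELSA node's syslog listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (elsa_ip, port))
    return len(lines)


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="Flatten a .nessus report into syslog for ELSA")
    ap.add_argument("-i", required=True, help="path to the .nessus file")
    ap.add_argument("-e", required=True, help="ELSA node IP (UDP syslog, port 514)")
    ap.add_argument("--min-severity", type=int, default=1, help="drop informational findings")
    args = ap.parse_args()
    with open(args.i, encoding="utf-8") as fh:
        rows = flatten_nessus(fh.read(), args.min_severity)
    print("sent", send_udp([to_syslog(r) for r in rows], args.e), "events")
```

Dropping severity-0 items (the default in the CLI) keeps informational plugins such as "Host Information" from swamping the index; keep them only if you plan to query the `os` or open-port fields for condition data.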
  25. Putting it all together
  26. Now let's get crazy

      ```
      class=openvas host type="Web application abuses" risk_factor="High" groupby:dstip | subsearch(class=bro_http uri:passwd groupby:srcip)
      ```

      In other words: show me all source IP addresses that requested a resource with 'passwd' in it where the server they communicated with had a vulnerability rated as High and of the type "Web application abuses".
  27. One more time

      ```
      class=nessus java risk_factor:critical groupby:srcip | subsearch(class=bro_http user_agent:java groupby:dstip,srcip) | whois | filter(cc,us)
      ```

      In other words: tell me all of the sites visited that had a country code captured from whois not in the US, where the client had a user agent string containing java and a critically rated Java vulnerability as discovered by Nessus.
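The two queries on slides 26 and 27 are both the same pattern: a condition class (openvas or nessus records about an asset) grouped on an IP field, fed through `subsearch` as the join key into an event class (bro_http), then optionally enriched and filtered. The Python below is an added example, not ELSA code, that models that pipeline on a handful of constructed records so the join is visible: `search` handles exact and substring field terms, `groupby` mirrors `groupby:f1,f2`, `subsearch` turns the outer groupby values into an OR-list on the same field name in the inner query (an assumption about ELSA's behaviour), `whois` uses a constructed country-code table, and `filter_out` drops matches, which is how the slide's own English reads `filter(cc,us)`. The addresses, plugin names and country codes are all made up for the example.

```python
from collections import defaultdict

# Constructed records shaped like the ELSA classes on the two slides
# (openvas and nessus conditions, bro_http events); not real scan or sensor data.
OPENVAS = [
    {"class": "openvas", "dstip": "10.0.0.5", "type": "Web application abuses", "risk_factor": "High"},
    {"class": "openvas", "dstip": "10.0.0.6", "type": "Web application abuses", "risk_factor": "Low"},
    {"class": "openvas", "dstip": "10.0.0.7", "type": "Default Accounts", "risk_factor": "High"},
]
NESSUS = [
    {"class": "nessus", "srcip": "192.168.1.20", "plugin_name": "Java JRE < 7u25", "risk_factor": "critical"},
    {"class": "nessus", "srcip": "192.168.1.21", "plugin_name": "Java JRE < 7u25", "risk_factor": "high"},
]
BRO_HTTP = [
    {"class": "bro_http", "srcip": "192.168.1.20", "dstip": "10.0.0.5", "uri": "/cgi-bin/../etc/passwd", "user_agent": "Mozilla/5.0"},
    {"class": "bro_http", "srcip": "192.168.1.21", "dstip": "10.0.0.6", "uri": "/etc/passwd", "user_agent": "Mozilla/5.0"},
    {"class": "bro_http", "srcip": "192.168.1.22", "dstip": "10.0.0.5", "uri": "/index.html", "user_agent": "Mozilla/5.0"},
    {"class": "bro_http", "srcip": "192.168.1.20", "dstip": "203.0.113.9", "uri": "/update.jar", "user_agent": "Java/1.7.0_21"},
    {"class": "bro_http", "srcip": "192.168.1.21", "dstip": "198.51.100.4", "uri": "/applet.jar", "user_agent": "Java/1.6.0_45"},
]
# Constructed country codes standing in for ELSA's whois transform.
WHOIS_CC = {"203.0.113.9": "de", "198.51.100.4": "us"}


def search(records, equals=None, contains=None):
    """Field terms: equals -> exact match; contains -> case-insensitive substring
    (how 'uri:passwd' and 'user_agent:java' are modelled here)."""
    equals, contains = equals or {}, contains or {}
    return [r for r in records
            if all(r.get(k) == v for k, v in equals.items())
            and all(v.lower() in str(r.get(k, "")).lower() for k, v in contains.items())]


def groupby(records, *fields):
    """'groupby:f1,f2' -> {(v1, v2): count}."""
    counts = defaultdict(int)
    for r in records:
        counts[tuple(r[f] for f in fields)] += 1
    return dict(counts)


def subsearch(outer_groups, inner_records, join_field, equals=None, contains=None):
    """'| subsearch(...)': the outer groupby values become an OR-list of join_field
    values ANDed with the inner query (assumed: same field name on both sides)."""
    keys = {g[0] for g in outer_groups}
    return [r for r in search(inner_records, equals, contains) if r.get(join_field) in keys]


def whois(records, field="dstip"):
    """'| whois': annotate each record with a country code for `field`."""
    return [dict(r, cc=WHOIS_CC.get(r[field], "")) for r in records]


def filter_out(records, field, value):
    """'| filter(field,value)': drop records whose field equals value."""
    return [r for r in records if r.get(field) != value]


def passwd_requests_to_vulnerable_servers():
    """Slide 26: class=openvas type="Web application abuses" risk_factor="High" groupby:dstip
       | subsearch(class=bro_http uri:passwd groupby:srcip)"""
    vulnerable = groupby(search(OPENVAS, equals={"type": "Web application abuses", "risk_factor": "High"}), "dstip")
    hits = subsearch(vulnerable, BRO_HTTP, "dstip", equals={"class": "bro_http"}, contains={"uri": "passwd"})
    return groupby(hits, "srcip")


def java_clients_to_non_us_sites():
    """Slide 27: class=nessus java risk_factor:critical groupby:srcip
       | subsearch(class=bro_http user_agent:java groupby:dstip,srcip) | whois | filter(cc,us)"""
    at_risk = groupby(search(NESSUS, equals={"risk_factor": "critical"}, contains={"plugin_name": "java"}), "srcip")
    hits = subsearch(at_risk, BRO_HTTP, "srcip", equals={"class": "bro_http"}, contains={"user_agent": "java"})
    return groupby(filter_out(whois(hits), "cc", "us"), "dstip", "srcip")


if __name__ == "__main__":
    print(passwd_requests_to_vulnerable_servers())
    print(java_clients_to_non_us_sites())
```

The point of the model is the direction of each join: on slide 26 the condition supplies servers (dstip) and the events supply clients, on slide 27 the condition supplies clients (srcip) and the events supply the sites they reached, and a reviewer of a new parser should check that its IP fields are named so these joins line up.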
  28. Process Data
      • Snapshots of processes at a particular time
      • Simple Python script that uses WMI to collect process information, convert it to syslog and send it to ELSA
      • Collects information on each process:
        – Operating system
        – PID
        – Parent PID
        – Process name
        – Creation time
        – Source IP
  29. Currently executing Java processes
  30. Something is amiss…
  31. What I have learned from building lots of parsers
      • Familiarize yourself with the existing fields and classes in ELSA:

        ```
        mysql> use syslog; select * from classes; select * from fields;
        ```
      • Reuse instead of building new
      • Think about the IR process:
        – How can I link this log type to other log types?
        – What would I want to filter on?
  32. New Content
      • Parsers
        – bro_ftp
        – bro_weird
        – bro_tunnel
        – bro_software
        – bro_ssh
        – bro_irc
        – bro_syslog
        – capture_loss
        – known_certs
        – known_hosts
        – known_services
      • VA integration
        – Nessus
        – Nikto
        – OpenVAS
        – Nmap
      • Dashboards
        – Network Hunting
        – Host Hunting
        – SO Overview
        – SSL
        – SSH
        – FTP
        – SMTP
  33. Dashboards
