Eyeing the Onion

Introductions
• Brad Shoop - @bradshoop – http://eyeis.net
– IT since mid-90s, security-focused since 2006 (GCIH GCFA)
– Doc, testing and marketing contributor to Security Onion
– Technical Editor, The Practice of NSM (a must read!)
– Author Security Onion for Splunk apps
– Currently work for Mandiant
• Chris Rimondi - @crimondi - http://www.securitygrit.com/
– Father of three boys ages four and under
• Including one < month old!
– Former IT Director & Former Security Consultant
– Now with Mandiant
– ISSA Board Member Chattanooga

Agenda
• Big Data and Security Onion
• Splunk vs ELSA
• Splunk app
• What is ELSA? - Architecture Overview
• Integrating Conditional Data
• Dashboards

Security Onion Makes A Lot of
Data
ELSA
Bro IDS
Snort/Suricata
OSSEC

SecOps Needs More Data
ELSA
Firewalls
Windows
Syslog

Splunk vs ELSA
Splunk ELSA
Google-style search Google-style search
Event parsing Event parsing
Custom visualization Basic visualization
Custom dashboard capability Basic dashboard capability
Fast (but not “ELSA fast”) Sub-second searches
Multi-field groupbys Single field groupbys
$$$ Open Source (GNU GPL v2)

Learning with SO for Splunk
• Learn the logs!
• Follow the uid!
• Understand how logged events relate across
toolsets:
– Bro – context & alerts
– Snort/Suricata – alerts
– OSSEC – alerts
• Identify normal from anomalous

Security Onion for Splunk Demo
• Security Onion for Splunk
– http://splunk-base.splunk.com/apps/45784/security-onion
• Security Onion Server/Sensor Add-on
– http://splunk-base.splunk.com/apps/52461/security-onion-
serversensor-add-on

ELSA WebAPI Architecture
SO Sensor/
ELSA Peer or
Forwarder
SO Sensor/
ELSA Peer or
Forwarder
SO Sensor/
ELSA Peer or
Forwarder
SO Server/
ELSA Master
Firewalls Sysloggers
ELSA
Forwarder
Windows
Network Network Network
SSL
Syslog/SSL
SO Sensor ELSA as peer
or forwarder.
Peer mode: events
indexed locally and
queried remotely from
the Master
Forwarder mode: events
are
parsed, compressed, the
n forwarded via SSL to
Master node for
indexing.
Yes, it can do both!

elsa_web.conf
apikeys: username (“secops”) and apikey (“001”) for web API authentication
peers: the local ELSA instance and ELSA Peers the instance has access to query.
Standalone ELSA Master
apikeys": { ”secops": ”001" },
"peers": {
"127.0.0.1": {
"url": "http://127.0.0.1/",
"username": ”secops",
"apikey": ”001"
}
},
ELSA Master with 1 Peer
apikeys": { ”secops": ”001" },
"peers": {
"127.0.0.1": {
"url": "http://127.0.0.1/",
"username": ”secops",
"apikey": ”001"
},
”192.168.0.10": {
"url": "http://192.168.0.10/",
"username": ”IT_ops_master",
"apikey": “000"
}
},

ELSA Masters/Peers
Network Events Auth Events
IDS/AV/Firewall/
DNS
ELSA Peer 3
user: ops
apikey: 002
ELSA Peer 2
user: ops
apikey: 001
ELSA Peer 1
user: secops
apikey: 001
ELSA Master
SecOps
ELSA Master
IT Ops

elsa_node.conf – archive/log
limit
archive": {
# Uncomment to establish a retention period in days for archive logs
#”days”: 90,
“percentage”: 33,
“table_size”: 10000000
},
# Size limit in bytes for logs + index size. Set this to be 90-95% of your total data disk space.
# Size can also be specified as a percentage if the percent sign is included at the end (e.g. 95%).
"log_size_limit" : 200000000000,
#”log_size_limit” : “85%”,
archive – percent of log_size_limit to devote to archive
log_size_limit – the total disk limit ELSA will use

ELSA Forwarder
Network Events
Auth Events
IDS/AV/Firewall/
DNS
ELSA Peer 3
user: ops
apikey: 002
ELSA Peer 2
user: ops
apikey: 001
ELSA Peer 1
user: secops
apikey: 001
ELSA Master
SecOps
ELSA Master
IT Ops
ELSA Forwarder
user: ops
apikey: 001
WAN Events

elsa_node.conf – Forwarding
#"forwarding": {
# "forward_only": 1, # set to zero to both forward and index/archive
# "destinations": [
# { "method": "cp", "dir": "/mnt/nfs/central_server" },
# Example with password
# { "method": "scp", "user": "user", "password": "password", "port": 8022, "host":
"central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
# Example using key
# { "method": "scp", "key_path": "/root/.ssh/id_rsa.pub", "host": "central.elsa.local",
"dir": "/data/elsa/tmp/buffers" }
# Example using URL forwarding
# { "method": "url", "url": "https://example.com/API/upload", "verify_mode": 0 }
# Example for an ops log server (logs about ELSA operations for sending multiple ELSA node logs to,
not the logs ELSA indexes)
# { "ops": 1, "method": "url", "https://opslogs.example.com/API/upload", "verify_mode": 1 }
# ]
#},
method – how/where to forward events
ops – ELSA instance receiving ops logs (node.log & web.log)

Under the Hood
Sphinx
Indexing
ELSA
Storage
ELSA
Buffers
ELSAEvents
syslog
ssl
(preformatted)
pattern_db
extract
raw text ﬁle
(buffers)
Index
(mysql)
Archive
(mysql)
Sphinx
temp index
(RAM)
perm index
(disk)

Event vs. Condition
• Event
– Action of an asset
– Time occurred
– Other stuff describing action:
• Source & Destination IPs
• Condition
– State of an asset
– Time of state snapshot
– Other stuff describing the state:
• Configuration data

Event and Condition
Enhancing IR Process
• Sample Workflow
1. Analyst sees bad thing happen in SO
2. Analyst digs deeper into
1. Other events that happened around same
time
2. Other behavior from involved assets
• Now it might be helpful to know a little
more about the condition of assets at
time closest to event happening

Event and Condition
Enhancing IR Process
• Helpful condition (configuration)
information
– Processes running
– Ports open
– Services listening
– Operating system
– Known software
– Known vulnerabilities

Where can I find this
information?
&
More importantly how
do I get this data into
ELSA for easy
correlation?

SO SecOps Sources
• PRADS – already integrated?
• Bro – now integrated
– Known Software
– Known Certs
– Known Hosts
• Port Scanners and Vulnerability Scanners
– Nmap
– Nikto
– Nessus
– OpenVAS

VAtoELSA.py
VA XML Data
Flatten
Syslog ELSA
MySQL
https://github.com/ChrisRimondi/va_to_elsa

$ python VAtoELSA.py –i report.nessus –r nessus –e
elsa_ip

$ python VAtoELSA.py –i report.xml –r openvas –e
elsa_ip

Now lets get crazy
class=openvas host type="Web application
abuses” risk_factor=”High” groupby:dstip |
subsearch(class=bro_http uri:passwd
groupby:srcip)
In other words: Show me all source IP
addresses that requested a resource with
„passwd‟ in it where the server they
communicated with had a vulnerability
rated as high and of the type “Web
application abuses”.

One more time
class=nessus java risk_factor:critical
groupby:srcip | subsearch(class=bro_http
user_agent:java groupby:dstip, srcip) |
whois | filter(cc,us)
In other words: Tell me all of the sites
visited that had a country code captured
from whois not in the US and where the
client had a user agent string containing
java and a critically rated Java vulnerability
as discovered by Nessus.

Process Data
• Snapshots of processes at a particular
time
• Simple Python script that uses WMI to
collect process information, convert to
syslog and send to ELSA
• Collections information on each process
– Operating System
– PID
– Parent PID
– Process Name
– Creation time
– Source IP

Currently executing Java processes

What I have learned from
building lots of parsers
• Familiarize yourself with existing fields
and classes in ELSA:
– mysql> use syslog; select * from classes;
select * from fields;
• Reuse instead of building new
• Think about IR process:
– How can I link this log type to other log
types?
– What would I want to filter on?

New Content
Parsers
• bro_ftp
• bro_weird
• bro_tunnel
• bro_software
• bro_ssh
• bro_irc
• bro_syslog
• capture_loss
• known_certs
• known_hosts
• known_services
VA Integration
• Nessus
• Nikto
• OpenVAS
• Nmap
Dashboards
• Network Hunting
• Host Hunting
• SO Overview
• SSL
• SSH
• FTP
• SMTP

Eyeing the Onion

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Eyeing the Onion

Similar to Eyeing the Onion (20)

Recently uploaded

Recently uploaded (20)

Eyeing the Onion

Editor's Notes