
Friday, July 1, 2022

Critical Path Security: SecurityOnion@Home

Recently I have been trying to learn more about the other types of information you can get from Zeek/Suricata (IP reputation, DNS reputation), which previously led me to add IOCs to Suricata with Datasets.

Today I am adding the CriticalPathSecurity threat intel feeds to Zeek on Security Onion 2.3.130. Overall it was a pretty simple install, and it only really required one file edit (a Salt-managed file).

I followed these steps:

  • Clone the Critical Path Security intelligence feeds:
    • git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /opt/so/saltstack/local/zeek/policy/intel/Zeek-Intelligence-Feeds
  • Copy the __load__.zeek from default to local:
    • cp /opt/so/saltstack/default/zeek/policy/intel/__load__.zeek /opt/so/saltstack/local/zeek/policy/intel/
  • Edit __load__.zeek:
    • Added @load integration/collective-intel and, instead of pointing at a single intel.dat, added each feed file separately under the folder that Salt/Docker maps into the container from the host machine.
  • Update Salt so the change is pushed out:
    • salt systemname_standalone state.highstate

__load__.zeek
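As an added illustration (the author's own file was only shown as a screenshot, so this is not that file), here is what an __load__.zeek along these lines can look like; the feed file names are assumed and should be replaced with the ones present in the cloned repository:

```zeek
# Illustrative __load__.zeek for the Security Onion intel policy directory.
# The feed file names below are assumed; use the ones present in your clone
# of Zeek-Intelligence-Feeds.

# Intel framework plus the "seen" scripts that hand observed indicators
# (IPs, domains, URLs, file hashes, ...) to the matcher.
@load frameworks/intel/seen
# Raise an Intel::Notice whenever an indicator is matched.
@load frameworks/intel/do_notice
# Understand the extra CIF metadata columns used by the CPS feeds.
@load integration/collective-intel

# @DIR is the directory containing this script, which is also where the
# feed repository was cloned. One entry per feed file rather than a single
# merged intel.dat, so each feed can be updated and troubleshot on its own.
redef Intel::read_files += {
    @DIR + "/Zeek-Intelligence-Feeds/abuse-ch-ipblocklist.intel",
    @DIR + "/Zeek-Intelligence-Feeds/alienvault.intel",
    @DIR + "/Zeek-Intelligence-Feeds/cps-collected-iocs.intel",
    @DIR + "/Zeek-Intelligence-Feeds/tor-exit.intel"
};

# Optional: expire indicators that disappear from the feed files instead of
# keeping them in memory forever (the default of -1min means "never expire").
redef Intel::item_expiration = 24hr;
```

Each .intel file must be tab-separated with the standard `#fields indicator indicator_type meta.source ...` header, otherwise the input framework logs a reporter error and the feed silently contributes nothing.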



Let's check the Intel dashboards under Security Onion 2.3.130.

Intel Dashboard Security Onion 2.3.130

The first IP address listed here came from abuse.ch; I ran an nslookup against it so that it would show up in the list.

 


Sunday, May 8, 2022

Home Setup - Initial

I have been using all these sites (TryHackMe, BlueLabsOnline, HacktheBox) to try and learn, but I think the best way to get some knowledge is to monitor my own internet traffic, see what kind of alerts I am getting, and research them. The other day I purchased a new switch (16 ports), up from the 8-port switch that I currently use. Really I only needed about 10 ports, but it was hard to find a 10- or 12-port switch. The Zyxel GS-1100 16 switch I purchased was used ($40 versus an MSRP of about $100).

I figured I could use it to create a SPAN (mirror) port for now, or try to acquire a cheap TAP (in which case I would not need the extra ports). In the TAP scenario, I figure the best place to TAP would be between the router and the modem. For spanning, I would span port 1 (the one coming from the router).

I already have an extra NIC in my main computer, and I'm planning on building a new SecurityOnion 2.3 VM to start with. I thought about SecurityOnion 16.04, but believe it's better to go newer. I might also build a few other VMs. Currently I'm also thinking of building a Splunk VM, but I'm curious what other VMs for monitoring traffic might be best.

I have seen other systems like OpenNSM and DynamiteNSM, or I could try to roll something myself. That could be interesting, though I'm not sure I know what I would be doing or what I would want in the system.


Sunday, April 17, 2022

Blue Team Labs Online: 6 Challenges Done

I've been using Blue Team Labs Online for about a week now, and last night I knocked out two more challenges. One of the challenges had me stumped for a few days; I was way overthinking the question, which led me down multiple rabbit holes. Finally, after multiple tries, I figured out exactly what it was asking and was able to provide the last answer for the challenge. So far each challenge (CTF, Digital Forensics, Incident Response) has been on the EASY path. Of course I did not find them too easy: for the most part, say 80% of the questions in each challenge were easy, but the last one or two kept stumping me. I need to remember that EASY does not mean going off to find the most difficult way to solve the problem. The most obvious answer is probably the correct answer. Either way, I have learned a lot in just these six challenges, and I think next I will try to tackle an Investigation.