Friday, July 1, 2022

Critical Path Security: SecurityOnion@Home

Recently I have been trying to learn more about other types of information you can get from Zeek/Suricata (IP Reputation/DNS Rep), which previously led me to add IOCs to Suricata with Datasets.

Today I am adding CriticalPathSecurity Threat Intel to Zeek on Security Onion 2.3.130. Overall it was a pretty simple install, and only really required one file edit (a Salt file).

Following these steps:

  • Clone the Critical Path Security Intelligence Feeds:
    • git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /opt/so/saltstack/local/zeek/policy/intel/Zeek-Intelligence-Feeds
  • Copy __load__.zeek from default to local:
    • cp /opt/so/saltstack/default/zeek/policy/intel/__load__.zeek /opt/so/saltstack/local/zeek/policy/intel/
  • Edit __load__.zeek:
    • Added @load integration/collective-intel, and instead of using one intel.dat I added each feed file separately under the folder that Salt/Docker maps to on the host machine
  • Update Salt:
    • salt systemname_standalone state.highstate
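
A check worth running on the cloned feed files before the highstate, as an added example (not from the post or the Critical Path Security repository): it parses the tab-separated format Zeek's Intel framework reads and reports the defects that commonly make Zeek log reporter errors and skip a feed (a header or rows separated by spaces instead of tabs, a missing #fields header, a wrong column count, an unknown indicator_type). The sample feeds are constructed.

```python
from typing import List

# Indicator types the Zeek Intel framework accepts in the indicator_type column.
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
    "Intel::FILE_HASH", "Intel::FILE_NAME",
}
# Columns every intel file must carry; meta.desc, meta.url and friends are optional.
REQUIRED = ("indicator", "indicator_type", "meta.source")


def check_intel_file(text: str) -> List[str]:
    """Return the problems found in one intel file's contents (empty list = OK)."""
    problems: List[str] = []
    header: List[str] = []
    seen_header = False
    for n, line in enumerate(text.split("\n"), 1):
        if line.startswith("#fields"):
            # The header itself must be tab-separated: "#fields\tindicator\t..."
            seen_header = True
            header = line.split("\t")[1:]
            missing = [f for f in REQUIRED if f not in header]
            if missing:
                problems.append(f"line {n}: #fields header missing {missing}")
            continue
        if not line or line.startswith("#"):
            continue  # blank lines and other comment lines are fine
        if not seen_header:
            problems.append(f"line {n}: data before #fields header")
            break
        cols = line.split("\t")
        if len(cols) != len(header):
            problems.append(f"line {n}: {len(cols)} columns, header has {len(header)}")
            continue
        row = dict(zip(header, cols))
        if row.get("indicator_type") not in VALID_TYPES:
            problems.append(f"line {n}: unknown indicator_type {row.get('indicator_type')!r}")
        if " " in row.get("indicator", ""):
            problems.append(f"line {n}: indicator contains a space (not tab-separated?)")
    if not seen_header:
        problems.append("no #fields header found")
    return problems


# Constructed sample feeds (TEST-NET addresses, not real indicators).
GOOD_FEED = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n" \
            "203.0.113.7\tIntel::ADDR\texample-feed\tconstructed entry\n"
BAD_FEED = "#fields indicator indicator_type meta.source\n203.0.113.8 Intel::ADDR example-feed\n"
```

Run check_intel_file over the contents of each file you list in __load__.zeek; a non-empty result means Zeek will complain about that feed.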

[Screenshot: __load__.zeek]

Let's check the Intel Dashboards under Security Onion 2.3.130.

[Screenshot: Intel Dashboard, Security Onion 2.3.130]

The first IP address listed here was from abuse.ch, and I did an nslookup on it so that it would appear in the list.


Sunday, May 8, 2022

Home Setup - Initial

I have been using all these sites (TryHackMe, BlueLabsOnline, HacktheBox) to try and learn, but I think the best way to get some knowledge is to monitor my own internet, see what kind of alerts I am getting, and research them. The other day I purchased a new switch (16 ports), up from the 8-port switch that I currently use. Really I only needed like 10 ports, but it was hard to find a 10- or 12-port switch. The Zyxel GS1100-16 switch I purchased was used ($40 vice an MSRP of about $100).

I figured I could use it to create a spanning port for now, or try and acquire a cheap TAP (in which case I would not need the extra ports). In the TAP scenario, I figure the best place to TAP would be between the router and the modem. For spanning, I would span port 1 (the one coming from the router).

I already have an extra NIC in my main computer, and I am planning on building a new SecurityOnion 2.3 VM to start with. I thought of SecurityOnion 16.04, but believe it's better to go newer. I might also build a few other VMs. I am currently also thinking of building a Splunk VM, but I am curious what other VMs for monitoring traffic might be best.

I have seen other systems like OpenNSM and DynamiteNSM, or I could try and roll something myself. That could be interesting, though I am not sure I know what I would be doing or what I would want in the system.


Friday, January 29, 2021

Zeek CommunityID - SecurityOnion 16.04

Having recently found out about the Zeek CommunityID, I have been trying to get this implemented in SecurityOnion 16.04. Before anyone even says anything, yes, I know that SecurityOnion 2.3 already has the Zeek CommunityID enabled. Let's just say I am currently stuck using 16.04. I can do minor updates/adds to the system. So I am currently on SecurityOnion 16.0.4.7 and figured it would be easy to implement; boy, have I been wrong.

First things first: SO does not have the Zeek Package Manager installed by default, which means I need to try and get the plugin installed without the package manager as well (plugins are minor, applications are more of a hassle). I found a site which walks through the steps for installing the plugin: https://dactiv.llc/blog/enable-zeek-community-id/ Of course, these steps are for a normal install of Zeek. I tried to go through the steps and got stuck on ./configure && make && make install. The system failed with the error "Either 'zeek-config' must be in PATH or '--zeek-dist=' used."

So I went to the Zeek community and the SecurityOnion community and asked for some help; their first response was to upgrade SO. Can't, so back to square one. The SecurityOnion folks mentioned putting it in /policy, but that did not seem to work. So, talking with Corelight, I have been attempting to get this operational. Still trying; if anyone has suggestions please let me know. I understand it's a restricted playground to get it operational in.

Wednesday, April 10, 2019

Suricata/Bro ingesting in Splunk

In these blog posts I wish I were explaining how to do some of these things, but currently they are more a record of where I am in the process; as I learn more I will create instructional posts with images.

So I have Zeek and Suricata data being ingested from my Security Onion VM. I originally had the local.conf files for both looking something like this (Splunk conf stanzas take key = value settings):
[monitor:///nsm/bro/logs/....]
sourcetype = bro
index = bro

[monitor:///nsm/sensor-data/sensor/...]
sourcetype = suricata
index = suricata

But I thought it would be better to break out the sourcetypes based on the logs. From what I am looking at, SecurityOnion defaults to log files vice JSON format for its log creation (correct me if I am wrong).

So I set it up:
[monitor:///nsm/bro/logs/current/conn.log]
sourcetype = bro_conn
index = bro

[monitor:///nsm/bro/logs/current/dns.log]
sourcetype = bro_dns
index = bro

But the source types showing up in Splunk are (dns-4, tls-11, conn), so it looks like they are just randomly created, not using the TAs that I have installed for the most part (if anyone can assist, that would be great).

Reading over the Splunk documentation, maybe it should be sourcetype = bro for all of them, and it will append the _conn, _dns, etc.

I am still waiting for the Suricata Emerging Threats alerts to display in Splunk (maybe I am just lucky and have no ET alerts), but I did add a second monitor for suricata.log (where I noticed Kibana was pulling the alert information from).


Monday, March 11, 2019

Intel Threats ingesting into SecurityOnion

Earlier today I re-created my SecurityOnion VM and turned on port mirroring on my TP-LINK switch. One thing I still need to figure out is whether I need to mirror ingress and egress on separate ports or if it is 1-for-1.

I signed up for IBM X-Force Intel feeds, AlienVault OTX Threat Feeds, and Critical Threat feeds. Currently, I have only set up the AlienVault OTX threats, as I am not sure if I can have multiple threat feeds loaded. I think I can; I just have not had time to read through everything.

I used the guide found at SecurityOnion OTX Intel Threat setup with Bro (Zeek).

Overall, the instructions provided by the SecurityOnion team were easy to follow, and I ran into no errors. One thing I would have liked to be different, though I understand it from a security point of view, was the input of the API key. It is a blank field with no cursor movement, so you cannot see whether you have entered a specific number of characters. I used cut/paste on my second attempt (on the first one I tried to hand-copy it from my main machine to the VM).

Now to sit back and watch Bro and Suricata report back what's going on on my network. The next project will be adding a Splunk forwarder. I know there is Kibana, but I would like to have the option of both.

Can anyone think of any other types of files/feeds I should be ingesting in Bro/Suricata? Or another application to run on SecurityOnion?