Showing posts with label bro. Show all posts

Sunday, May 8, 2022

Home Setup - Initial

 I have been using all these sites (TryHackMe, BlueLabsOnline, HacktheBox) to try and learn, but I think the best way to get some knowledge is to monitor my own internet, see what kind of alerts I am getting, and research them.  The other day I purchased a new switch (16 ports), up from the 8-port switch that I currently use.  Really I only needed about 10 ports, but it was hard to find a 10- or 12-port switch.  The Zyxel GS-1100 16 switch I purchased was used ($40 vice an MSRP of about $100).

I figured I could use it to create a SPAN port for now, or try to acquire a cheap TAP (in which case I would not need the extra ports).  In the TAP scenario, I figure the best place to TAP would be between the router and the modem.  For spanning, I would span port 1 (the one coming from the router).

I already have an extra NIC in my main computer, and I am planning on building a new SecurityOnion 2.3 VM to start with.  I thought of SecurityOnion 16.04, but I believe it's better to go newer.  I might also build a few other VMs.  Currently I am also thinking of building a Splunk VM, but I am curious what other VMs for monitoring traffic might be best.

I have seen other systems like OpenNSM and DynamiteNSM, or I could try and roll something myself.  That could be interesting; I am not sure I know what I would be doing or what I would want in the system.


Wednesday, April 10, 2019

Suricata/Bro ingesting in Splunk

In these blog posts, I wish I was explaining how to do some of these things, but currently it's more of where I am at in the process.  As I learn more, I will create instructional posts with images.

So I have Zeek and Suricata data being ingested from my Security Onion VM.  I originally had the local.conf files for both set up something like this:
# one [monitor://<path>] stanza per log directory; settings use key = value syntax
[monitor:///nsm/bro/logs/....]
sourcetype = bro
index = bro

[monitor:///nsm/sensor-data/sensor/...]
sourcetype = suricata
index = suricata

But I thought it would be better to break out the sourcetypes based on the logs.  From what I am looking at, SecurityOnion defaults to log files vice JSON format for its log creation (correct me if I am wrong).

So I set it up:
# one stanza per Zeek log file, each with its own sourcetype
[monitor:///nsm/bro/logs/current/conn.log]
sourcetype = bro_conn
index = bro

[monitor:///nsm/bro/logs/current/dns.log]
sourcetype = bro_dns
index = bro

But the sourcetypes showing up in Splunk are (dns-4, tls-11, conn), so it looks like they are just randomly created, not using the TAs that I have installed for the most part (if anyone can assist, that would be great).

Reading over the Splunk documentation, maybe it should be sourcetype:bro for all of them, and it will append the _conn, _dns, etc.

Still waiting to get the Suricata Emerging Threats alerts to display in Splunk (maybe I am just lucky and have no ET alerts), but I did add a second monitor of the suricata.log (which is where I noticed Kibana was pulling the alert information from).
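Since the post above and the next one both turn on the question of how the per-log Zeek TSV files and the Suricata EVE JSON file differ, here is an added example (not code from the original post, from Security Onion, or from the Splunk TAs) that parses both formats and tags each event with a per-log-type sourcetype. The sample log text is constructed, and the bro_<path> and suricata_<event_type> sourcetype names are assumptions for illustration, not what any particular TA expects.

```python
"""Split Zeek (Bro) TSV logs and Suricata EVE JSON into per-log-type events.

Added example, not code from the original post, Security Onion, or the Splunk
TAs. The sample log text below is constructed, and the 'bro_<path>' and
'suricata_<event_type>' sourcetype names are assumptions, not what a TA expects.
"""
import json
from typing import Any, Dict, Iterator, List


def _convert(zeek_type: str, raw: str, unset: str) -> Any:
    """Turn one TSV cell into a Python value using the '#types' header."""
    if raw == unset:
        return None
    if zeek_type in ("count", "int", "port"):
        return int(raw)
    if zeek_type in ("time", "interval", "double"):
        return float(raw)
    if zeek_type == "bool":
        return raw == "T"
    return raw


def parse_zeek_log(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one dict per data row, tagged with a sourcetype derived from '#path'.

    The header block ('#separator', '#unset_field', '#path', '#fields', '#types')
    makes the columns self-describing; that is why each log type gets its own
    sourcetype instead of one flat 'bro' sourcetype.
    """
    sep, unset, path = "\t", "-", "unknown"
    fields: List[str] = []
    types: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is space-delimited and escapes the separator, e.g. '\x09'.
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # '#open', '#close' and other header lines are not events
        row_types = types or ["string"] * len(fields)
        event: Dict[str, Any] = {"sourcetype": f"bro_{path}"}
        for name, ztype, raw in zip(fields, row_types, line.split(sep)):
            event[name] = _convert(ztype, raw, unset)
        yield event


def parse_eve(text: str) -> Iterator[Dict[str, Any]]:
    """Yield one dict per EVE JSON line, tagged by its Suricata event_type."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["sourcetype"] = "suricata_" + rec.get("event_type", "unknown")
            yield rec


def event_type_counts(text: str) -> Dict[str, int]:
    """Count EVE records per event_type; seeing only 'stats' means no alerts are written."""
    counts: Dict[str, int] = {}
    for rec in parse_eve(text):
        etype = rec.get("event_type", "unknown")
        counts[etype] = counts.get(etype, 0) + 1
    return counts


def alerts(text: str) -> List[Dict[str, Any]]:
    """Return only the alert records, the ones a detection search needs."""
    return [rec for rec in parse_eve(text) if rec.get("event_type") == "alert"]


# Constructed sample conn.log in Zeek's default TSV layout (not real traffic).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1554897600.123456\tCHhAvVGS1DHFjwGM9\t192.168.1.10\t51234\t93.184.216.34\t443"
    "\ttcp\tssl\t1.5\t1200\t5400\tSF\n"
    "1554897601.000000\tCqwkNu2mN8T1dJjm1j\t192.168.1.10\t53412\t8.8.8.8\t53"
    "\tudp\tdns\t-\t60\t-\tS0\n"
    "#close\t2019-04-10-12-05-00\n"
)

# Constructed sample eve.json lines: one stats, one flow, one alert (local SID range).
SAMPLE_EVE_JSON = "\n".join(json.dumps(rec) for rec in [
    {"timestamp": "2019-04-10T12:00:00.000000+0000", "event_type": "stats",
     "stats": {"uptime": 60}},
    {"timestamp": "2019-04-10T12:00:01.000000+0000", "event_type": "flow",
     "src_ip": "192.168.1.10", "dest_ip": "93.184.216.34", "proto": "TCP"},
    {"timestamp": "2019-04-10T12:00:02.000000+0000", "event_type": "alert",
     "src_ip": "192.168.1.10", "dest_ip": "203.0.113.5", "proto": "TCP",
     "alert": {"signature_id": 1000001, "rev": 1, "signature": "LOCAL constructed test alert",
               "category": "Constructed Sample", "severity": 3}},
])

if __name__ == "__main__":
    for ev in parse_zeek_log(SAMPLE_CONN_LOG):
        print(ev["sourcetype"], ev["uid"], ev["id.resp_h"], ev["id.resp_p"], ev["service"])
    print(event_type_counts(SAMPLE_EVE_JSON))
    for a in alerts(SAMPLE_EVE_JSON):
        print(a["sourcetype"], a["alert"]["signature_id"], a["alert"]["signature"])
```

Running event_type_counts over a real eve.json is a quick check for the "only stats" symptom: if the counts contain no alert entries at all, the file is not being written with alerts, and the place to look is the eve-log output section of suricata.yaml, whose types list controls which event types (alert, dns, tls, flow, stats, ...) go into the file.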


Sunday, April 7, 2019

SecurityOnion with Splunk

Recently I installed SecurityOnion 16.04 and wanted to play with Splunk on top of SecurityOnion (I know it basically has Elastic with Kibana, but I just wanted to use a different tool at the same time).

Setting up Splunk was pretty straightforward; I installed it on a second VM running Ubuntu.  I then added the Splunk forwarder to SecurityOnion (7.2.5.1 for both).  Another pretty easy install.

Next, I downloaded the TAs (Technology Add-ons) from Splunkbase for Bro and Suricata.  Bro setup was easy: just set up Splunk to monitor the bro/current logs, and I was receiving data in Splunk.  Suricata was a little different, as I was only getting the Suricata stats.

SecurityOnion uses separate log files, but from what I understand (correct me if I am wrong) Splunk gets more details in the event data with something like the EVE JSON output that is possible with Suricata.  So with that, I decided to turn on the EVE JSON file (I called it suricata.json).

I started to get the majority of my Suricata feeds into Splunk; currently I am only missing the actual alerts being fired.  I will need to go back and look at what is missing in either the monitoring or in the EVE JSON configuration (suricata.yaml).

It is nice to be able to see the same data in two different SIEM type products, to have the ability to compare search queries and see different visualizations. 

Monday, March 11, 2019

Intel Threats ingesting into SecurityOnion

Earlier today I re-created my SecurityOnion VM and turned on the port mirroring on my TP-LINK switch.  One thing I still need to figure out is whether I need to mirror both ingress/egress on separate ports or if it is 1-for-1.

I signed up for IBM X-Force Intel feeds, AlienVault OTX Threat Feeds, and Critical Threat feeds.  Currently, I have only set up the AlienVault OTX threats, as I am not sure if I can have multiple feeds loaded.  I think I can; I just have not had time to read through everything.

I used the guide found at SecurityOnion OTX Intel Threat setup with Bro(Zeek). 

Overall the instructions provided by the SecurityOnion team were easy to follow, and I ran into no errors.  One thing I would have liked, but understand from a security point of view, was the input of the API key.  It is a blank field with no cursor movement to see if you have put in a specific number of characters.  I used cut/paste on my second attempt (on the first one I tried to hand copy from my main machine to the VM).

Now to sit back and watch Bro and Suricata report back what's going on on my network.  The next project will be adding a Splunk forwarder.  I know there is Kibana, but I would like to have the option for both.

Can anyone think of any other type of files/feeds I should be ingesting in Bro/Suricata?   Or another application to run on SecurityOnion? 
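On the question of other feeds to ingest into Bro/Zeek, here is an added example (not code from the original post or from the Security Onion OTX guide) that turns an OTX-style list of indicators into the tab-separated file Zeek's Intel Framework reads, and checks the file for the mistakes that most often stop a feed from loading. The pulse is constructed with no real indicators, and the OTX type names, the mapping to Zeek Intel::Type values and the meta.source value are assumptions for illustration.

```python
"""Convert OTX-style pulse indicators into a Zeek Intel Framework feed file.

Added example, not from the original post or from the Security Onion OTX guide.
The pulse below is constructed (no real indicators); the OTX type names, the
mapping to Zeek Intel::Type values and the 'meta.source' value are assumptions.
"""
from typing import Any, Dict, List

# Assumed mapping from OTX indicator type names to Zeek Intel::Type values.
OTX_TO_ZEEK = {
    "IPv4": "Intel::ADDR",
    "IPv6": "Intel::ADDR",
    "domain": "Intel::DOMAIN",
    "hostname": "Intel::DOMAIN",
    "URL": "Intel::URL",
    "email": "Intel::EMAIL",
    "FileHash-MD5": "Intel::FILE_HASH",
    "FileHash-SHA1": "Intel::FILE_HASH",
    "FileHash-SHA256": "Intel::FILE_HASH",
}

# Column order of the intel file; the '#fields' header must list exactly these names.
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url", "meta.do_notice"]


def zeek_intel_rows(pulse: Dict[str, Any], source: str, do_notice: bool = True) -> List[Dict[str, str]]:
    """Normalize indicators: map types, strip URL schemes, drop duplicates and unknown types."""
    rows: List[Dict[str, str]] = []
    seen = set()
    for ind in pulse.get("indicators", []):
        ztype = OTX_TO_ZEEK.get(ind.get("type", ""))
        value = (ind.get("indicator") or "").strip()
        if ztype is None or not value:
            continue  # e.g. CVE or YARA entries have no Zeek indicator type
        if ztype == "Intel::URL":
            # Zeek matches URLs without the scheme ('http://'), so strip it.
            value = value.split("://", 1)[-1]
        if (value, ztype) in seen:
            continue
        seen.add((value, ztype))
        # Fields are tab-separated, so tabs or newlines inside text would corrupt the row.
        desc = " ".join((ind.get("description") or "").split()) or "-"
        rows.append({
            "indicator": value,
            "indicator_type": ztype,
            "meta.source": source,
            "meta.desc": desc,
            "meta.url": pulse.get("reference") or "-",
            "meta.do_notice": "T" if do_notice else "F",
        })
    return rows


def render_intel_file(rows: List[Dict[str, str]]) -> str:
    """Render the rows as the tab-separated file Zeek's input framework reads."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    lines.extend("\t".join(row[f] for f in FIELDS) for row in rows)
    return "\n".join(lines) + "\n"


def validate_intel_file(text: str) -> List[str]:
    """Return problems that would make Zeek reject lines or never match an indicator."""
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append("line 1: missing '#fields' header")
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        if line.count("\t") != len(FIELDS) - 1:
            problems.append(f"line {n}: expected {len(FIELDS)} tab-separated columns")
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
    return problems


# Constructed pulse shaped like the 'indicators' array of an OTX pulse export (not real intel).
SAMPLE_PULSE = {
    "name": "Constructed sample pulse",
    "reference": "https://example.com/constructed-pulse",
    "indicators": [
        {"indicator": "203.0.113.10", "type": "IPv4", "description": "scanner"},
        {"indicator": "bad.example.net", "type": "hostname", "description": ""},
        {"indicator": "http://bad.example.net/a.php?x=1", "type": "URL", "description": "dropper\turl"},
        {"indicator": "00000000000000000000000000000000", "type": "FileHash-MD5", "description": "sample"},
        {"indicator": "203.0.113.10", "type": "IPv4", "description": "duplicate"},
        {"indicator": "CVE-2019-0000", "type": "CVE", "description": "no Zeek type"},
    ],
}

if __name__ == "__main__":
    rows = zeek_intel_rows(SAMPLE_PULSE, source="otx")
    text = render_intel_file(rows)
    print(text)
    print("problems:", validate_intel_file(text) or "none")
```

Zeek picks the file up from the paths listed in Intel::read_files (for example `redef Intel::read_files += { "/path/to/intel.dat" };` in the site policy) and writes hits to intel.log. The validator covers the two mistakes that quietly break a feed: a row with the wrong number of tab-separated columns, which the input framework rejects, and stray whitespace around a value, which becomes part of the indicator and so never matches observed traffic.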


Tuesday, March 5, 2019

SecurityOnion 16.04 up and running

I am still waiting on purchasing a new-to-me system for my Security Onion setup.  In the meantime I have added an additional NIC to my main computer and set up a SecurityOnion VM.

The plan was to use the additional NIC to mirror the main ethernet cable from my router (EdgeRouter Lite) to the switch (TP-LINK SG2008).

In the TP-LINK I set up port 1 ingress/egress to be mirrored to port 8 and ran a new ethernet cable from port 8 to the new NIC on the PC.  Next, I installed the SecurityOnion VM and made all the necessary updates to the system.

I used the two NICs, one set up as management and the second in promiscuous mode.  After this, I opened up Kibana to see the traffic.  On a side note, I have not used the ELK stack often, being more used to Splunk, but I was able to get a general first impression.

One thing I noticed was that my internet speeds were also drastically slower, but I think this was just timing and not directly related to the port mirroring.  I undid all my changes to my NIC card just in case, and tested speeds from my router (4 Mbps) when I should be getting 150 Mbps per my internet provider.

Later that evening, my speeds returned with no real changes by me.  So I will go back and re-set up the switch, and continue to ingest data.

Future plans:
Ingest IBM X-Force Intel Feeds
Ingest AlienVault OTX Intel Feeds
Setup Splunk forwarder
Install Splunk (new VM)
MITRE ATT&CK Framework