MHN to remote syslog


antoni...@gmail.com

Dec 27, 2015, 6:03:59 AM
to Modern Honey Network
Hi,

I'm looking for a solution to send MHN alerts through syslog to a SIEM (IBM QRadar).

I plan to use rsyslog to send logs to QRadar. But I don't find log files with alerts.

Thanks for your help.

Jason Trost

Dec 27, 2015, 11:00:18 AM
to antoni...@gmail.com, Modern Honey Network
There are 3 scripts you could run depending on the format of the data you wanted for your SIEM.  Each of these scripts will install and configure hpfeeds-logger.

The scripts are here: /opt/mhn/scripts

They are:
  • install_hpfeeds-logger-arcsight.sh logs to /var/log/mhn/mhn-arcsight.log as CEF
  • install_hpfeeds-logger-json.sh logs to /var/log/mhn/mhn-json.log as JSON
  • install_hpfeeds-logger-splunk.sh logs to /var/log/mhn/mhn-splunk.log as keyvalue pairs.
If these formats are not agreeable you could extend hpfeeds-logger to add another formatter: https://github.com/threatstream/hpfeeds-logger/tree/master/hpfeedslogger/formatters.

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/e2f7f43d-8f17-450c-9c4e-61ba15737011%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

Antonin Hily

Dec 27, 2015, 11:38:54 AM
to Modern Honey Network, antoni...@gmail.com
Hi,

thanks for your reply.
I activated Splunk hpfeeds.

It works, and I can receive logs (on QRadar and an ELK external server).
But it seems that the logs are not trained in the same way.

Here are 4 examples (sent to my ELK from MHN server (mhn-splunk.log)):

message: MHN 2015-12-27T16:25:41.797073 src="217.109.X.X", direction="inbound", protocol="ip", ids_type="network", dionaea_action="reject", type="dionaea.connections", app="dionaea", dest="195.154.54.202", vendor_product="Dionaea", dest_port="443", signature="Connection to Honeypot", src_port="54420", sensor="217c8f2a-ac92-11e5-a528-005056001854", transport="tcp", severity="high"
   
message: MHN 2015-12-27T16:26:26.805317 p0f_link="generic tunnel or VPN", direction="inbound", protocol="ip", ids_type="network", dest="195.154.54.202", app="p0f", transport="tcp", dest_port="443", src="217.109.X.X", src_port="54780", severity="informational", vendor_product="p0f", type="p0f.events", signature="Packet Observed by p0f", sensor="a564205a-ac92-11e5-a528-005056001854"

message: MHN 2015-12-27T16:26:27.224347 direction="inbound", protocol="ip", ids_type="network", dest="212.129.43.187", app="p0f", transport="tcp", dest_port="80", src="66.249.74.78", src_port="49474", severity="informational", vendor_product="p0f", type="p0f.events", p0f_os="???", signature="Packet Observed by p0f", sensor="a564205a-ac92-11e5-a528-005056001854"

message: MHN 2015-12-27T16:27:13.442824 tcp_flags="******S*", direction="inbound", protocol="ip", ids_type="network", snort_classification="3", dest="195.154.54.202", app="snort", snort_priority="2", tcp_len="20", snort_header="1:2010937:2", ip_id="256", eth_src="BC:16:65:50:49:67", src="216.99.158.167", ip_len="40960", dest_port="3306", ip_ttl="111", eth_dst="00:50:56:00:AD:5B", src_port="6000", severity="high", vendor_product="Snort", type="snort.alerts", signature="ET POLICY Suspicious inbound to mySQL port 3306", sensor="450345c4-ac92-11e5-a528-005056001854"

Do you have an idea on how to create a good filter for logstash?
Because it's the same flow of logs, I can't create a type.

Many thanks for your help.

Antonin


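The key=value lines quoted above all arrive on one stream, but each of them carries a `type` field (`dionaea.connections`, `p0f.events`, `snort.alerts`) that identifies the producing honeypot. The following parser is an added example written for this thread; it is not code from MHN or hpfeeds-logger. It turns one `mhn-splunk.log` line into a dict and buckets records by that `type` field, which is the discriminator a logstash `if` branch (or a separate index per sensor type) can key on. The sample lines are the four from the message above, with the masked `X.X` source addresses left as they were posted.

```python
"""Parse hpfeeds-logger key=value lines and route them by their ``type`` field.

Added example for this mailing-list thread; not part of MHN or hpfeeds-logger.
"""
import re
from collections import defaultdict

# One key="value" pair. Values in this format never contain a double quote,
# so a non-quote character class is enough (it also keeps spaces, "???" and "******S*").
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Line prefix written by the splunk formatter: literal "MHN", then an ISO 8601
# timestamp, then the comma-separated pairs. An optional "message: " prefix is
# tolerated because that is how the lines were pasted from ELK.
_HEAD_RE = re.compile(r'^(?:message: )?MHN (\S+) (.*)$')

# The four lines posted in the thread (source addresses masked as posted).
SAMPLE_LINES = [
    'MHN 2015-12-27T16:25:41.797073 src="217.109.X.X", direction="inbound", protocol="ip", '
    'ids_type="network", dionaea_action="reject", type="dionaea.connections", app="dionaea", '
    'dest="195.154.54.202", vendor_product="Dionaea", dest_port="443", '
    'signature="Connection to Honeypot", src_port="54420", '
    'sensor="217c8f2a-ac92-11e5-a528-005056001854", transport="tcp", severity="high"',
    'MHN 2015-12-27T16:26:26.805317 p0f_link="generic tunnel or VPN", direction="inbound", '
    'protocol="ip", ids_type="network", dest="195.154.54.202", app="p0f", transport="tcp", '
    'dest_port="443", src="217.109.X.X", src_port="54780", severity="informational", '
    'vendor_product="p0f", type="p0f.events", signature="Packet Observed by p0f", '
    'sensor="a564205a-ac92-11e5-a528-005056001854"',
    'MHN 2015-12-27T16:26:27.224347 direction="inbound", protocol="ip", ids_type="network", '
    'dest="212.129.43.187", app="p0f", transport="tcp", dest_port="80", src="66.249.74.78", '
    'src_port="49474", severity="informational", vendor_product="p0f", type="p0f.events", '
    'p0f_os="???", signature="Packet Observed by p0f", '
    'sensor="a564205a-ac92-11e5-a528-005056001854"',
    'MHN 2015-12-27T16:27:13.442824 tcp_flags="******S*", direction="inbound", protocol="ip", '
    'ids_type="network", snort_classification="3", dest="195.154.54.202", app="snort", '
    'snort_priority="2", tcp_len="20", snort_header="1:2010937:2", ip_id="256", '
    'eth_src="BC:16:65:50:49:67", src="216.99.158.167", ip_len="40960", dest_port="3306", '
    'ip_ttl="111", eth_dst="00:50:56:00:AD:5B", src_port="6000", severity="high", '
    'vendor_product="Snort", type="snort.alerts", '
    'signature="ET POLICY Suspicious inbound to mySQL port 3306", '
    'sensor="450345c4-ac92-11e5-a528-005056001854"',
]


def parse_mhn_kv(line):
    """Return a dict for one mhn-splunk.log line, or None if the line is not one."""
    m = _HEAD_RE.match(line.strip())
    if not m:
        return None
    record = {"timestamp": m.group(1)}
    record.update(_KV_RE.findall(m.group(2)))
    return record


def route_by_type(lines):
    """Group parsed records by their ``type`` field (app.event).

    Lines that do not parse are dropped; records without a ``type`` land in "unknown".
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_mhn_kv(line)
        if rec is None:
            continue
        buckets[rec.get("type", "unknown")].append(rec)
    return dict(buckets)


if __name__ == "__main__":
    for event_type, records in sorted(route_by_type(SAMPLE_LINES).items()):
        print("%-22s %d record(s)" % (event_type, len(records)))
        for rec in records:
            print("   ", rec["timestamp"], rec.get("src"), "->", rec.get("dest"), rec.get("signature"))
```

Run as a script it prints one group per `type`; as a module, `route_by_type` gives you the same grouping for a quick check of which sensor types are actually flowing before building the logstash conditionals.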

Jason Trost

Dec 27, 2015, 11:51:39 AM
to Antonin Hily, Modern Honey Network
If you're using logstash you should use the JSON formatter.  We created this specifically for ELK.




--
Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost


Antonin Hily

Dec 28, 2015, 3:42:03 AM
to Modern Honey Network, antoni...@gmail.com
Hi Jason,

thanks for your reply and your help.

I was using the JSON format. But strangely, it was not working.
I finally found out why.
It was enough to put the tag to true in rsyslog.conf
$InputFileTag true

There are sometimes still errors to be addressed:
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [timestamp]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"Dec 28 08:17:01\""}}}}, :level=>:warn}
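With rsyslog's imfile tagging turned on, each JSON record leaves the box wrapped in a syslog header ("Dec 28 08:17:01 host tag: {...}"), and the value given to `$InputFileTag` becomes the literal tag string in that header. A record whose own `timestamp` field ends up holding that header value is exactly what Elasticsearch rejected above. The checker below is an added example for this thread, not code from MHN, hpfeeds-logger, rsyslog or logstash: it splits the header from the payload, parses the JSON, and reports any record whose `timestamp` is not ISO 8601, which is the "example record that causes the timestamp error" worth capturing before the next hop sees it. The tag `mhn-json`, the host name and the JSON field names other than `timestamp` are assumptions made for the constructed sample lines.

```python
"""Split rsyslog-forwarded lines into header and JSON payload, and flag
records whose ``timestamp`` field is not ISO 8601.

Added example for this mailing-list thread; not MHN, hpfeeds-logger, rsyslog
or logstash code. The tag "mhn-json", the host "mhn" and the JSON field names
other than "timestamp" are assumptions for the constructed samples.
"""
import json
import re
from datetime import datetime

# RFC 3164 style header as rsyslog writes it: "Dec 28 08:17:01 host tag: payload".
_SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<payload>.*)$'
)
# A bare syslog timestamp, i.e. the shape Elasticsearch complained about.
_SYSLOG_TS_RE = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d$')

# Constructed sample lines (documentation-range addresses, placeholder sensor id).
GOOD_LINE = (
    'Dec 28 08:17:01 mhn mhn-json: {"timestamp": "2015-12-28T08:17:01.123456", '
    '"app": "p0f", "type": "p0f.events", "src": "198.51.100.7", '
    '"dest": "203.0.113.9", "sensor": "SENSOR-ID-PLACEHOLDER"}'
)
# Same record, but the syslog header timestamp has been copied into the field.
BAD_LINE = (
    'Dec 28 08:17:01 mhn mhn-json: {"timestamp": "Dec 28 08:17:01", '
    '"app": "p0f", "type": "p0f.events", "src": "198.51.100.7", '
    '"dest": "203.0.113.9", "sensor": "SENSOR-ID-PLACEHOLDER"}'
)


def split_syslog(line):
    """Return (header_dict, payload) or (None, line) when there is no syslog header."""
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None, line
    return {k: m.group(k) for k in ("ts", "host", "tag")}, m.group("payload")


def check_timestamp(record):
    """Return None when record["timestamp"] is ISO 8601, otherwise a short reason."""
    ts = record.get("timestamp")
    if ts is None:
        return "missing timestamp"
    if _SYSLOG_TS_RE.match(ts):
        return "syslog-style timestamp (header value copied into the record?)"
    try:
        datetime.fromisoformat(ts)
    except ValueError:
        return "unparseable timestamp: %r" % (ts,)
    return None


def audit_lines(lines):
    """Parse each forwarded line; return a list of (record_or_None, problem_or_None)."""
    results = []
    for line in lines:
        _header, payload = split_syslog(line)
        try:
            rec = json.loads(payload)
        except ValueError:
            results.append((None, "payload is not JSON"))
            continue
        results.append((rec, check_timestamp(rec)))
    return results


if __name__ == "__main__":
    for rec, problem in audit_lines([GOOD_LINE, BAD_LINE, "not a forwarded record"]):
        print("OK  " if problem is None else "BAD ", problem or "", rec)
```

Point `audit_lines` at a few hundred lines read back from the receiving side; the first `BAD` entry is the record Jason asks for, and whether the header timestamp and the field value coincide tells you whether the copy happened before or after rsyslog.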

Jason Trost

Dec 28, 2015, 5:44:35 AM
to Antonin Hily, Modern Honey Network
Do you have an example record that causes the timestamp error?  Unless something is modifying the timestamp field it should never be in that format.  See this line that sets it:





--
Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost
