MHN to remote syslog

[antoni...@gmail.com]

Hi,

I'm looking for a solution to send MHN alerts through syslog to a SIEM (IBM QRadar).

I plan to use rsyslog to send logs to QRadar. But I don't find log files with alerts.

Thanks for your help.

[Jason Trost]

There are 3 scripts you could run depending on the format of the data you wanted for your SIEM.  Each of these scripts will install and configure hpfeeds-logger.

The scripts are here: /opt/mhn/scripts

They are:

• install_hpfeeds-logger-arcsight.sh logs to /var/log/mhn/mhn-arcsight.log as CEF
  
• install_hpfeeds-logger-json.sh logs to /var/log/mhn/mhn-json.log as JSON
  
• install_hpfeeds-logger-splunk.sh logs to /var/log/mhn/mhn-splunk.log as keyvalue pairs.
  

If these formats are not agreeable you could extend hpfeeds-logger to add another formatter: https://github.com/threatstream/hpfeeds-logger/tree/master/hpfeedslogger/formatters.

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.
To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/e2f7f43d-8f17-450c-9c4e-61ba15737011%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

[Antonin Hily]

Hi,

thanks for your reply.
I activated Splunk hpfeeds.

It works, and I can receive logs (on QRadar and an ELK external server).
But it seems that the logs are not trained in the same way.

Here are 4 examples (sent to my ELK from MHN server (mhn-splunk.log)):

message: MHN 2015-12-27T16:25:41.797073 src="217.109.X.X", direction="inbound", protocol="ip", ids_type="network", dionaea_action="reject", type="dionaea.connections", app="dionaea", dest="195.154.54.202", vendor_product="Dionaea", dest_port="443", signature="Connection to Honeypot", src_port="54420", sensor="217c8f2a-ac92-11e5-a528-005056001854", transport="tcp", severity="high"
   
message: MHN 2015-12-27T16:26:26.805317 p0f_link="generic tunnel or VPN", direction="inbound", protocol="ip", ids_type="network", dest="195.154.54.202", app="p0f", transport="tcp", dest_port="443", src="217.109.X.X", src_port="54780", severity="informational", vendor_product="p0f", type="p0f.events", signature="Packet Observed by p0f", sensor="a564205a-ac92-11e5-a528-005056001854"

message: MHN 2015-12-27T16:26:27.224347 direction="inbound", protocol="ip", ids_type="network", dest="212.129.43.187", app="p0f", transport="tcp", dest_port="80", src="66.249.74.78", src_port="49474", severity="informational", vendor_product="p0f", type="p0f.events", p0f_os="???", signature="Packet Observed by p0f", sensor="a564205a-ac92-11e5-a528-005056001854"

message: MHN 2015-12-27T16:27:13.442824 tcp_flags="******S*", direction="inbound", protocol="ip", ids_type="network", snort_classification="3", dest="195.154.54.202", app="snort", snort_priority="2", tcp_len="20", snort_header="1:2010937:2", ip_id="256", eth_src="BC:16:65:50:49:67", src="216.99.158.167", ip_len="40960", dest_port="3306", ip_ttl="111", eth_dst="00:50:56:00:AD:5B", src_port="6000", severity="high", vendor_product="Snort", type="snort.alerts", signature="ET POLICY Suspicious inbound to mySQL port 3306", sensor="450345c4-ac92-11e5-a528-005056001854"

Do you have an idea on how to create a good filter for logstash?
Because it's the same flow of logs, so I can't create type.

Many thanks for your help.

Antonin

Le dimanche 27 décembre 2015 17:00:18 UTC+1, Jason Trost a écrit :

There are 3 scripts you could run depending on the format of the data you wanted for your SIEM.  Each of these scripts will install and configure hpfeeds-logger.

The scripts are here: /opt/mhn/scripts

They are:

• install_hpfeeds-logger-arcsight.sh logs to /var/log/mhn/mhn-arcsight.log as CEF
  
• install_hpfeeds-logger-json.sh logs to /var/log/mhn/mhn-json.log as JSON
  
• install_hpfeeds-logger-splunk.sh logs to /var/log/mhn/mhn-splunk.log as keyvalue pairs.
  

If these formats are not agreeable you could extend hpfeeds-logger to add another formatter: https://github.com/threatstream/hpfeeds-logger/tree/master/hpfeedslogger/formatters.

On Sun, Dec 27, 2015 at 6:03 AM, <antoni...@gmail.com> wrote:

Hi,

I'm looking for a solution to send MHN alerts through syslog to a SIEM (IBM QRadar).

I plan to use rsyslog to send logs to QRadar. But I don't find log files with alerts.

Thanks for your help.

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-network+unsub...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/e2f7f43d-8f17-450c-9c4e-61ba15737011%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jason Trost]

If you're using logstash you should use the JSON formatter.  We created this specifically for ELK.

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/e2f7f43d-8f17-450c-9c4e-61ba15737011%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/ef50f4d0-84c9-4b19-a182-08b54755a414%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Antonin Hily]

Hi Jason,

thanks for your reply and your help.

I was using the JSON format. But strangely, it was not working.
I finally found out why.
It was enough to put the tag to true in rsyslog.conf
$InputFileTag true

There are sometimes still errors to be addressed:
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [timestamp]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"Dec 28 08:17:01\""}}}}, :level=>:warn}

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-network+unsub...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/e2f7f43d-8f17-450c-9c4e-61ba15737011%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-network+unsub...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/ef50f4d0-84c9-4b19-a182-08b54755a414%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Jason Trost]

Do you have an example record that causes the timestamp error?  Unless something is modifying the timestamp field it should never be in that format.  See this line that sets it:

https://github.com/threatstream/hpfeeds-logger/blob/master/hpfeedslogger/formatters/json_formatter.py#L7

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/e2f7f43d-8f17-450c-9c4e-61ba15737011%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/ef50f4d0-84c9-4b19-a182-08b54755a414%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Jason Trost | VP of Threat Research | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost

--
You received this message because you are subscribed to the Google Groups "Modern Honey Network" group.

To unsubscribe from this group and stop receiving emails from it, send an email to modern-honey-net...@googlegroups.com.

To post to this group, send email to modern-hon...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/modern-honey-network/45451ef1-14de-4948-aa39-25df1f7742f7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.