Qubes SIEM Using SOF-ELK


jonbrown...@gmail.com

Sep 12, 2018, 5:26:54 PM9/12/18
to qubes-users
I do not currently have hardware that supports Qubes, but I was wondering if anyone who does would consider checking out SOF-ELK? This is a really cool SIEM that would be useful to track all network traffic coming and going between your VMs.

SOF-ELK® is a "big data analytics" platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source ELK stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, and the Kibana dashboard frontend. With a significant amount of customization and ongoing development, SOF-ELK® users can avoid the typically long and involved setup process the ELK stack requires. Instead, they can simply download the pre-built and ready-to-use SOF-ELK® virtual appliance that consumes various source data types (numerous log types as well as NetFlow), parsing out the most critical data and visualizing it on several stock dashboards. Advanced users can build visualizations that suit their own investigative or operational requirements, optionally contributing those back to the primary code repository.


But if you send the Qubes logs via one of the supported pathways (syslog, RELP, Beats, at-rest files loaded to the filesystem), you could write (and PR!) parsers for those log formats to take advantage of this system.

https://github.com/philhagen/sof-elk
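A starting point for the kind of parser the post suggests, as an added example that is not code from the post, from Qubes or from SOF-ELK: it normalises RFC 3164 syslog lines forwarded by VMs into flat JSON events that a Logstash or Beats pipeline could ingest, and pulls the KEY=VALUE fields out of kernel firewall log lines. It assumes (these are assumptions, not anything the thread states) that each VM forwards syslog to a collector, that the syslog HOSTNAME field carries the qube name, and that firewall hits are logged in the iptables LOG target's KEY=VALUE style. All sample lines are constructed.

```python
"""Syslog-to-JSON normaliser for log lines forwarded from Qubes VMs.

Added example, not code from the mailing-list post, from Qubes or from SOF-ELK.
Assumptions: VMs forward RFC 3164 syslog to a collector, the HOSTNAME field is
the qube name, and firewall hits are kernel messages in iptables LOG format.
Every sample line below is constructed for this example.
"""
import json
import re
from datetime import datetime

# <PRI> is optional (some forwarders strip it); the rest follows RFC 3164:
#   TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# iptables/nftables LOG output: space-separated upper-case KEY=VALUE pairs.
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# Leading "[ 8123.456789] " kernel uptime stamp in front of the LOG prefix.
UPTIME_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input (not real Qubes logs).
SAMPLE_LINES = [
    "<4>Sep 12 17:26:54 sys-firewall kernel: [ 8123.456789] FW-DROP: IN=vif3.0 OUT=eth0 "
    "MAC=00:16:3e:5e:6c:00:fe:ff:ff:ff:ff:ff:08:00 SRC=10.137.0.12 DST=10.137.0.5 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=44310 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "<38>Sep  2 09:01:07 work sshd[1042]: Failed password for invalid user admin from 10.137.0.12 port 51022 ssh2",
    "Sep 12 17:27:00 personal NetworkManager[412]: <info>  device (eth0): state change: ip-config -> ip-check",
    "this is not a syslog line",
]


def firewall_fields(msg):
    """Extract the addressing fields and the rule prefix from an iptables LOG message."""
    kv = dict(KV_RE.findall(msg))
    net = {k.lower(): kv[k] for k in ("IN", "OUT", "SRC", "DST", "PROTO") if k in kv}
    for k in ("SPT", "DPT"):
        if k in kv and kv[k].isdigit():
            net[k.lower()] = int(kv[k])
    # Whatever precedes the first "IN=" is the LOG --log-prefix (e.g. "FW-DROP:").
    prefix = UPTIME_RE.sub("", re.split(r"\bIN=", msg, 1)[0].strip())
    if prefix:
        net["prefix"] = prefix.rstrip(":")
    return net


def parse_syslog(line, year=2018):
    """Return a flat event dict for one syslog line, or None if it does not parse.

    RFC 3164 timestamps carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    d = m.groupdict()
    # "Sep  2" uses a space-padded day; collapse the double space before strptime.
    ts = datetime.strptime(f"{year} {' '.join(d['ts'].split())}", "%Y %b %d %H:%M:%S")
    event = {
        "@timestamp": ts.isoformat(),
        "vm": d["host"],  # assumption: VM hostname == qube name
        "program": d["prog"],
        "pid": int(d["pid"]) if d["pid"] else None,
        "message": d["msg"],
    }
    if d["pri"] is not None:
        pri = int(d["pri"])
        event["facility"] = pri >> 3
        event["severity"] = SEVERITY[pri & 7]
    if d["prog"] == "kernel" and "SRC=" in d["msg"] and "DST=" in d["msg"]:
        event["net"] = firewall_fields(d["msg"])
    return event


def parse_lines(lines, year=2018):
    """Parse a batch of lines, silently dropping those that are not syslog."""
    return [e for e in (parse_syslog(l, year) for l in lines) if e is not None]


def to_ndjson(events):
    """One JSON object per line, the shape a file/Beats input can pick up directly."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


if __name__ == "__main__":
    print(to_ndjson(parse_lines(SAMPLE_LINES)), end="")
```

Non-syslog lines are dropped rather than raising, so a stray line from a misconfigured forwarder does not stall the whole batch; the unparsed `message` field is kept on every event so nothing is lost when the KEY=VALUE extraction does not apply.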

Zrubi

Sep 20, 2018, 4:10:21 AM9/20/18
to jonbrown...@gmail.com, qubes-users
The problem with those SIEM tools is that they require a huge amount of
resources just to start the "framework", and then comes the data itself...

In Qubes we would need a solution that requires low resources.

I have a home project:
http://zrubi.hu/en/2017/siem-at-home/

Where the goal is the same as it would inside Qubes:
a much less resource hungry SIEM (like) solution.

Currently the log collecting, parsing (and a very basic web based
interface with graphs) are working on my NAS which has only 512 MB of
RAM. :)

As the Qubes internal network is very similar to a home LAN, it would
be easy to implement it inside a Qubes VM.

I also made a PoC about an IDS inside Qubes:
http://zrubi.hu/en/2017/traffic-analysis-qubes/
which can be a good log source candidate.

--
Zrubi