File names


Sabbo

Jan 19, 2016, 9:24:43 AM1/19/16
to security-onion
Hi Chaps,

I am looking for a list/report of all original filenames for particular file types. Using ELSA I can drill into "Files/Mime type/x-dosexec", but the results do not have the filenames that I would expect; the output details hashes, IP addresses and an identifier that looks like this: "FGs8eR2ymrE5Pr3Efl".

I know I can query for "FGs8eR2ymrE5Pr3Efl" and see the associated hosts and URIs, but this is extremely manual and does not scale when monitoring an environment that has hundreds (or thousands) of those file types per day.

Surely there is an easier way to just pull a list of filenames by file type (exe/PDF/JAR/ZIP/MP4 etc)?

Wes

Jan 19, 2016, 10:07:05 AM1/19/16
to security-onion

Sabbo,

You could try using the following example queries for HTTP and FTP traffic to see names in bulk, substituting the desired mime type, etc.

#For HTTP traffic
class=BRO_HTTP mime_type="application/x-dosexec" groupby:uri

#For FTP traffic
class=BRO_FTP mime_type="application/pdf" groupby:arg

Thanks,
Wes

Sabbo

Jan 19, 2016, 10:42:16 AM1/19/16
to security-onion
Thanks Wes,

I had a play around and queries such as: "mime_type="application/x-dosexec" groupby:uri" work great.

I understand what "URI" is but what is "arg" and what other "groupby:" options are there?

Thanks,

Seth Hall

Jan 19, 2016, 10:50:43 AM1/19/16
to securit...@googlegroups.com

> On Jan 19, 2016, at 10:42 AM, Sabbo <cr...@advancedcybersecurity.co.uk> wrote:
>
> I understand what "URI" is but what is "arg" and what other "groupby:" options are there?

"arg" is documented here:
https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html

It's the argument given to an FTP command which happens to be the file name in the case of get and put commands.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

Wes

Jan 19, 2016, 11:02:32 AM1/19/16
to security-onion

Sabbo,

If you type "class=BRO_HTTP groupby:mime_type" in ELSA, it will query all the file types identified within HTTP traffic and group them with the count for each. If you search by mime_type and remove the groupby parameter (class=BRO_HTTP mime_type="application/x-dosexec"), you can group by other parameters, such as "host", "program", "class" (to the right of result options in the search results, and directly underneath the query tab).

Thanks,
Wes

Sabbo

Jan 19, 2016, 4:48:34 PM1/19/16
to security-onion
Thanks for all your help with this; I seem to be able to map a lot of the queries I would usually use to identify compromise indicators into ELSA queries. The only one I can't quite figure out is how to do the following query:

Port 53 && contains file/files

Any ideas? This has proved an efficient query for me in the past.

Sabbo

Jan 19, 2016, 5:00:13 PM1/19/16
to security-onion
Oh, and also: is there a way to search for particular things using ==/contains/ends/begins? Some examples of what I would be interested in are below:

Useragent == ZmEu

or

Useragent contains "tor"

or

file extension == php/cgi/asp/aspx

or

site ends cn/ru/info

Wes

Jan 19, 2016, 5:53:40 PM1/19/16
to security-onion

Sabbo,

To answer the first question, you could try looking through the available parameters for class=BRO_DNS. Otherwise, I am not sure off the top of my head.

For the others, you could try the following or similar approaches.

#Useragent == ZmEu ; Match the search string exactly
class=BRO_HTTP user_agent="Mozilla"

#Useragent contains "tor"
class=BRO_HTTP groupby:user_agent | grep tor

#file extension == php/cgi/asp/aspx; Use the following to get an idea of mime_type/arg:
#class=BRO_HTTP groupby:mime_type
#class=BRO_FTP groupby:mime_type

Ex. mime_type="text/html" OR mime_type="text/plain" , then group however you would like.

For the site portion, I'll have to look into it.

Thanks,
Wes
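To make concrete what the ELSA queries in this thread do (groupby:uri and groupby:arg to recover file names per MIME type, as Seth explained for "arg", and the ==/contains/ends style filters Wes sketched), here is an added, stand-alone Python example. It is not ELSA, Bro or Security Onion code; it parses Bro-style tab-separated http.log and ftp.log text using the "#fields" header and reproduces the grouping and filtering offline. All log lines, hostnames, addresses and file names are constructed for the example.

```python
"""Group Bro file names by MIME type and apply simple field filters.

Added worked example for this thread (not ELSA or Security Onion code):
it does offline, over constructed http.log / ftp.log lines, what the ELSA
queries above do (groupby:uri, groupby:arg, contains / ends filters).
"""
from collections import Counter
from posixpath import basename
from urllib.parse import urlsplit

# Constructed Bro http.log excerpt (tab-separated, "#fields" header).
# Real logs carry many more columns; only the ones used here are kept.
HTTP_LOG = """#fields\tts\tid.orig_h\tid.resp_h\thost\turi\tuser_agent\tmime_type
1453217000.1\t10.0.0.5\t203.0.113.10\tdl.example.cn\t/files/setup.exe\tMozilla/5.0\tapplication/x-dosexec
1453217001.2\t10.0.0.5\t203.0.113.11\tcdn.example.com\t/img/logo.png\tMozilla/5.0\timage/png
1453217002.3\t10.0.0.7\t203.0.113.12\tupdate.example.ru\t/bin/agent.exe?v=2\tZmEu\tapplication/x-dosexec
1453217003.4\t10.0.0.9\t203.0.113.13\tdocs.example.info\t/report.pdf\tMozilla/5.0 tor-browser\tapplication/pdf
1453217004.5\t10.0.0.9\t203.0.113.14\twww.example.org\t/index.php\tcurl/7.47\ttext/html
"""

# Constructed Bro ftp.log excerpt: "arg" holds the file name for RETR/STOR.
FTP_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tcommand\targ\tmime_type
1453217010.1\t10.0.0.5\t198.51.100.20\tRETR\tinvoice.pdf\tapplication/pdf
1453217011.2\t10.0.0.5\t198.51.100.20\tPWD\t-\t-
1453217012.3\t10.0.0.8\t198.51.100.21\tSTOR\tbackup.zip\tapplication/zip
1453217013.4\t10.0.0.8\t198.51.100.21\tRETR\ttool.exe\tapplication/x-dosexec
"""


def parse_bro_log(text):
    """Parse a Bro TSV log using its #fields header; '-' (unset) becomes ''."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other header/footer lines (#separator, #close, ...)
        values = line.split("\t")
        records.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return records


def group_by(records, field):
    """Equivalent of ELSA's groupby:<field>: count each distinct value."""
    return Counter(r.get(field, "") for r in records if r.get(field, ""))


def filenames_by_mime(http_records, ftp_records, mime):
    """Original file names for one MIME type from HTTP (uri) and FTP (arg)."""
    names = []
    for r in http_records:
        if r["mime_type"] == mime:
            # Drop the query string and keep only the last path component.
            names.append(("http", basename(urlsplit(r["uri"]).path)))
    for r in ftp_records:
        # Only file-transfer commands carry a file name in "arg".
        if r["mime_type"] == mime and r["command"] in ("RETR", "STOR"):
            names.append(("ftp", r["arg"]))
    return names


def where(records, field, op, value):
    """==, contains and ends filters over one field (case-insensitive).

    For "ends", value may list several suffixes separated by "/", e.g.
    "cn/ru/info", matching the wording of the question above.
    """
    def match(v):
        v = v.lower()
        if op == "==":
            return v == value.lower()
        if op == "contains":
            return value.lower() in v
        if op == "ends":
            return any(v.endswith(s.lower()) for s in value.split("/"))
        raise ValueError("unknown operator: " + op)
    return [r for r in records if match(r.get(field, ""))]


if __name__ == "__main__":
    http = parse_bro_log(HTTP_LOG)
    ftp = parse_bro_log(FTP_LOG)
    print(group_by(http, "mime_type"))                       # like groupby:mime_type
    print(filenames_by_mime(http, ftp, "application/x-dosexec"))
    print([r["host"] for r in where(http, "host", "ends", "cn/ru/info")])
    print([r["uri"] for r in where(http, "user_agent", "contains", "tor")])
```

The same functions work on real http.log and ftp.log files read from disk, since Bro's ASCII writer emits exactly this "#fields" header; the only field-specific assumption is that the FTP file name lives in "arg" for RETR and STOR, as Seth described.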

Doug Burks

Jan 20, 2016, 9:29:36 AM1/20/16
to securit...@googlegroups.com
Another option would be to use the grep or filter transforms:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ELSAQueryTips
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Current_Plugins



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com