Critical Stack


we...@advancedcybersecurity.co.uk

Feb 9, 2015, 3:05:23 PM
to securit...@googlegroups.com
Hi Guys,
I have seen documentation for this, but I know there have been some recent SO changes. What are the required steps for implementing Critical Stack feeds on SO (once the API key has been obtained)?

Has anyone implemented this in the last couple of weeks?

Liam Randall

Feb 9, 2015, 3:48:06 PM
to securit...@googlegroups.com
Hey Wendy,

To setup the Critical Stack Intel feed for Bro you can follow the instructions located at:

You can also find the instructions and usage tips on our wiki:

After installing the only thing you should need to do is to follow the onscreen prompts to:

sudo broctl check
sudo broctl install
sudo broctl restart **or** (assuming you are up to date on your SO patches) "sudo nsm_sensor_ps-restart --only-bro"

The nsm_sensor_ps-restart --only-bro gives you the advantage of starting bro as a non root user.


After Bro restarts you should see the feeds.bro file loaded:
/nsm/bro/logs$ zcat */loaded_scripts.* | grep feeds.bro
    /opt/critical-stack/frameworks/intel/feeds.bro


A number of people on the list have discussed leveraging the ability of SO to sync feeds from the master server to the other SO sensors. I would refer you to those other threads for the time being.

If you have any questions or problems with the client please feel free to open a ticket here:

V/r,

Liam Randall




we...@advancedcybersecurity.co.uk

Feb 10, 2015, 6:00:55 AM
to securit...@googlegroups.com
Thanks Liam,

I will give it a go! Is the OTX feed in Critical Stack?

Liam Randall

Feb 10, 2015, 8:36:04 AM
to securit...@googlegroups.com
The Alienvault OTX feed is not on there yet.  I will ping Jamie.

Please open a ticket if you experience any issues.

V/r,

Liam Randall

we...@advancedcybersecurity.co.uk

Feb 10, 2015, 9:49:39 AM
to securit...@googlegroups.com
Liam - Are there any other ways of operationalising critical stack against network traffic (off a span/tap) yet, other than Bro?

Liam Randall

Feb 10, 2015, 9:57:27 AM
to securit...@googlegroups.com
You can find all of the feeds downloaded in the /opt/criticalstack/frameworks/intel directory; there is a .cache folder that has the latest copy of each feed.

Regardless of how you get the traffic (span/tap, pcap) you still need to parse it with something. The Bro intel framework features a plug-in architecture that allows you to search for each type of intel (domain, IP addr, file hash, URL, URI) in multiple places.

If you have a SIEM or something like that you could parse the file (it's just tab separated) and load the intel feeds there; however, that's only going to check the stuff in the SIEM.

Thanks,

Liam


Kevin Branch

Feb 10, 2015, 11:47:49 AM
to securit...@googlegroups.com
I've never tried it, but I bet you could extract the IP numbers from the downloaded feeds and use them with the Snort/Suricata IP reputation features. Maybe the MD5 hashes could be used too. I think Suricata can do MD5 compares on files it sees.

Kevin
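As an added example (not code from the thread or from the Critical Stack client), the following parses the tab-separated Bro Intel framework file that Liam mentions and splits it by indicator type, then turns the Intel::ADDR entries into the reputation-file lines that Suricata's iprep feature consumes, as Kevin suggests. The feed content is a constructed sample; the column set and the category id are assumptions, since a real feed may carry additional meta.* columns.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the Bro Intel framework format (tab-separated,
# "#fields" header line). Not real feed data.
SAMPLE_FEED = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice",
    "198.51.100.23\tIntel::ADDR\texample-feed\tconstructed sample\tT",
    "bad.example.invalid\tIntel::DOMAIN\texample-feed\tconstructed sample\tT",
    "http://bad.example.invalid/payload\tIntel::URL\texample-feed\tconstructed sample\tT",
    "d41d8cd98f00b204e9800998ecf8427e\tIntel::FILE_HASH\texample-feed\tconstructed sample\tT",
    "not an ip\tIntel::ADDR\texample-feed\tmalformed row\tT",
    "",
])


def parse_intel_feed(text):
    """Return a dict mapping indicator_type -> list of row dicts."""
    fields = None
    by_type = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the "#fields" token
            continue
        if line.startswith("#") or fields is None:
            continue  # other comment lines, or data before any header
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue  # malformed row: skip rather than mis-map the columns
        row = dict(zip(fields, cols))
        by_type[row["indicator_type"]].append(row)
    return dict(by_type)


def extract_addrs(by_type):
    """Intel::ADDR indicators that actually parse as IP addresses."""
    out = []
    for row in by_type.get("Intel::ADDR", []):
        try:
            out.append(str(ipaddress.ip_address(row["indicator"])))
        except ValueError:
            pass  # junk never reaches the engine's reputation list
    return out


def suricata_iprep_lines(addrs, category_id=1, score=100):
    # Suricata iprep reputation file format: ip,category-id,score (0-127).
    # category_id=1 is an assumed id that must match the categories file.
    return [f"{a},{category_id},{score}" for a in addrs]
```

Run against the real file under /opt/critical-stack/frameworks/intel, the same functions give you the domain, URL and hash lists for a SIEM load, while only the valid IPs go into the reputation file.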

Michał Purzyński

Feb 10, 2015, 11:52:08 AM
to securit...@googlegroups.com
Not going to start a war here, just making a note that Suri/Snort can only look in the src/dst IP field, and Bro's Intel framework all over the place.

we...@advancedcybersecurity.co.uk

Feb 11, 2015, 3:40:39 AM
to securit...@googlegroups.com
OK, I have set it up. Are there any instructions on how to perform initial testing? And where should we expect to see the output, under the intel heading in ELSA?

Liam Randall

Feb 11, 2015, 3:50:18 AM
to securit...@googlegroups.com
Hey Wendy,

There are a few ways to test; Richard outlines one method here:
https://criticalstack.zendesk.com/hc/en-us/articles/204041445-Installing-and-Testing-the-Critical-Stack-Intel-Client

It may be easier to just wget a domain off the list.

Thanks,

Liam Randall

Kevin Branch

Feb 11, 2015, 9:50:27 AM
to securit...@googlegroups.com
My standby CriticalStack test command is 
That domain is in the bad list.

Kevin

we...@advancedcybersecurity.co.uk

Feb 11, 2015, 5:40:33 PM
to securit...@googlegroups.com
Wow, that was easy to implement. All done, thanks Liam.

Kevin, thanks for the test. It worked great also.

Thanks Guys!

Liam Randall

Feb 11, 2015, 5:45:06 PM
to securit...@googlegroups.com
Thanks Kevin!

Thanks Wendy; we put a lot of work into making it easy to use.

The daemon runs in the background and will continue to stream intelligence down to your sensors.

You can poll it pretty easily and check status:

sudo service critical-stack-intel status

or ask it questions:

sudo critical-stack-intel list


Liam

