Information Security News |
*** This is a guest diary by Dylan Johnson ***
In the first installment of this diary topic I showed you how to collect, normalize, store, graph and search events using Logstash, Graphite, StatsD, Kibana and Elasticsearch. One capability was missing, however: alerting.
https://isc.sans.edu/diary/Guest+Diary%3A+Dylan+Johnson+-+There's+value+in+them+there+logs!/15289
So we have all our logs in one place and can search and graph them on a per-field basis, but what if we want to go home and have an alert generated when a threshold is reached?
The following details a simple yet effective approach to alerting using Graphite and Seyren. We covered Graphite in the previous post so we won't revisit it here; let's talk about Seyren instead.
What is Seyren?
Seyren is a nice little alerting application that reads metrics from Graphite and compares them to thresholds you set. When a value crosses the error threshold, or the warn threshold as it approaches it, Seyren alerts. Simple!
As per the previous post you will need a working Graphite install plus MongoDB and, of course, Seyren (https://github.com/scobal/seyren). You will also need Maven in order to build Seyren, but that is just one more step and shouldn't pose you any problems.
Let's get the basics out of the way so you can get this up and running with minimal fuss in a dev environment. Seyren is a Java app, so first off you will need Java.
Next you will need to set your environment variables; making them persistent is a wise choice.
If you are just going to play with this, the MongoDB install shouldn't need any additional configuration after you install it; Seyren works with its defaults. Configure the SMTP settings as suggested below.
#### Base
* `GRAPHITE_URL` - The location of your graphite server. Default: `http://localhost:80`
* `GRAPHITE_USERNAME` - The Http Basic auth username for the graphite server. Default: ``
* `GRAPHITE_PASSWORD` - The Http Basic auth password for the graphite server. Default: ``
* `MONGO_URL` - The mongo connection string. Default: `mongodb://localhost:27017/seyren`
* `SEYREN_URL` - The location of your seyren instance. Default: `http://localhost:8080/seyren`
#### SMTP
* `SMTP_HOST` - The smtp server to send email notifications from. Default: `localhost`
* `SMTP_PORT` - The smtp server port. Default: `25`
* `SMTP_FROM` - The from email address for sending out notifications. Default: `[email protected]`
* `SMTP_USERNAME` - The smtp server username if authenticated SMTP is used. Default: ``
* `SMTP_PASSWORD` - The smtp server password if authenticated SMTP is used. Default: ``
* `SMTP_PROTOCOL` - The smtp server protocol if authenticated SMTP is used. Default: `smtp`
Download Seyren and follow its install instructions. After building it, go to your Seyren base install directory and run:

```shell
# start the Seyren web app under jetty-runner, detached from the terminal
nohup java -jar seyren-web/target/dependency/jetty-runner.jar --port 8888 --path /seyren seyren-web/target/seyren-web-1.0.0-SNAPSHOT.war &
```

This will start up your Seyren application.
Note: you can use the --port option to run this on a port of your choosing.
You should now be able to browse to http://<IP>:8888/seyren.
WARNING: Nothing in the setup above authenticates users, so anyone who can reach that port can view and change your checks and subscriptions. It's best to run Seyren behind an SSL-enabled reverse proxy that enforces authentication, and not to expose port 8888 directly.
CREATE A CHECK
Now that you have Seyren up and running you will want to create a check. Seyren polls Graphite, pulls back values and compares the data returned against the threshold values you set.
So all you need to do is add the path of your Graphite data source in the check setup. This is the series you will be monitoring and alerting on.
An easy way to find this path is to read it off the Graphite graph you want to monitor.
It's the one ending in `.deny` in the graph above. That's the data source for your first alert!
Next, create your first check. Use the Graphite path found in the previous step and set your warn and error levels. When the value Seyren pulls back from Graphite crosses your warn or error level, the check changes state and Seyren notifies whoever is subscribed to it.
Create the check and you should see the following, showing what your check is doing.
ADD YOUR SUBSCRIPTIONS
If you click on STATE you will be able to add your subscriptions. I just added an email recipient to receive alerts.
All this configuration data is saved in MongoDB. Once you have set up your checks you can see their state on the main page. The image below shows how the checks move from state to state; in this example it is because the number of denied firewall packets reached the threshold I set. Don't worry, you don't get DDoS'd with messages! You get one for each change in state, as below.
The Deny alert state due to values above the set threshold
The Deny alert state due to values back below the set threshold; a total of two messages sent. You can also send to other destinations such as HipChat.
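The polling and state-change logic described above, written out as an added example; this is not Seyren's own code. It asks Graphite's render API for a target as JSON (the demo substitutes constructed JSON so it runs offline), compares the newest non-null value with the warn and error thresholds, and sends one message per state change and nothing while the state holds, which is why you get one alert when the denies cross the threshold and one more when they drop back. The metric path `stats.firewall.iptables.deny`, the thresholds and the datapoints are assumptions made for the demo; use the path from your own graph.

```python
"""Threshold alerting on Graphite metrics, the way the post describes Seyren working.

Added example, not Seyren's code: it polls Graphite's render API (or, in the
offline demo, a constructed JSON answer), compares the newest value with the
warn/error thresholds and notifies only when the check changes state.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

GRAPHITE_URL = "http://localhost:80"  # same default Seyren uses for GRAPHITE_URL
HttpGet = Callable[[str], bytes]


def render_url(target: str, window: str = "-5min") -> str:
    """Render API call for the last few minutes of one target, as JSON."""
    params = urllib.parse.urlencode({"target": target, "from": window, "format": "json"})
    return f"{GRAPHITE_URL}/render?{params}"


def fetch_series(target: str, http_get: Optional[HttpGet] = None) -> List[dict]:
    """GET the series; http_get is injectable so the demo and tests stay offline."""
    get = http_get or (lambda url: urllib.request.urlopen(url, timeout=10).read())
    return json.loads(get(render_url(target)))


def latest_value(series: List[dict]) -> Optional[float]:
    """Newest non-null datapoint. Graphite returns [value, epoch] pairs, null for gaps."""
    for s in series:
        for value, _ts in reversed(s.get("datapoints", [])):
            if value is not None:
                return float(value)
    return None


def evaluate(value: Optional[float], warn: float, error: float) -> str:
    """OK / WARN / ERROR / UNKNOWN. If error < warn the metric is one where low is bad."""
    if value is None:
        return "UNKNOWN"  # no data in the window is worth knowing about, not silently OK
    if error >= warn:
        return "ERROR" if value >= error else "WARN" if value >= warn else "OK"
    return "ERROR" if value <= error else "WARN" if value <= warn else "OK"


class Check:
    """One check: a Graphite target, two thresholds, a notifier and its current state."""

    def __init__(self, name: str, target: str, warn: float, error: float,
                 notify: Callable[[str], None]):
        self.name, self.target, self.warn, self.error = name, target, warn, error
        self.notify, self.state = notify, "OK"

    def update(self, value: Optional[float]) -> Optional[str]:
        """Apply a new value; one message per state transition, none while it stays put."""
        new = evaluate(value, self.warn, self.error)
        if new == self.state:
            return None
        old, self.state = self.state, new
        self.notify(f"[{new}] {self.name}: {self.target} = {value} (was {old})")
        return new

    def poll(self, http_get: Optional[HttpGet] = None) -> Optional[str]:
        return self.update(latest_value(fetch_series(self.target, http_get)))


def graphite_json(target: str, values: List[Optional[float]]) -> bytes:
    """Constructed render-API answer (demo data, not captured from a real server)."""
    points = [[v, 1370000000 + 60 * i] for i, v in enumerate(values)]
    return json.dumps([{"target": target, "datapoints": points}]).encode()


def demo() -> List[str]:
    """Five polling rounds against constructed data; returns the messages sent."""
    target = "stats.firewall.iptables.deny"  # assumed path; take yours from the graph
    sent: List[str] = []
    check = Check("firewall denies", target, warn=20, error=40, notify=sent.append)
    rounds = [[3, 5, 4], [6, 35, None], [50, 61], [55], [7, 2]]  # quiet, warn, error, error, ok
    for values in rounds:
        check.poll(http_get=lambda url, v=values: graphite_json(target, v))
    return sent


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The demo sends three messages across five polls (WARN, ERROR, then OK); the fourth poll stays in ERROR and is silent. Pointing `fetch_series` at a real Graphite just means dropping the `http_get` argument.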
ALERT HISTORY
The Seyren home page shows the alert status for all your checks as seen below.
SOME BASIC USE CASES
A couple of alert use cases that could help your PCI DSS compliance efforts are as follows:
Obviously you have to collect the relevant data from your assets in order to do this and I will show you how to do this and parse all these logs next time!
| Use case | Event source |
| --- | --- |
| Failed logins | auditd / Windows event log / RADIUS / LDAP / AD |
| Denied network traffic | iptables / syslog |
| Virus numbers | ePO registered executable / Defender |
| Port scans | portsentry / Snort |
| ModSecurity | rule severity |
| Snort | rule type |
My previous post showed you how to normalize and analyze massive volumes of data in real time, and this post shows you how to add simple alerting automation. If you have all these components set up you now have a true, if basic, security event management system.
In my next post I am going to take all of the tools and techniques detailed in my last two posts and show you how to use them to build an autonomous security event management system aligned with PCI DSS and ISO 27002.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

It's time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all? Those of you using "123456," "abc123," or even just "password" might already know it's time to make some changes. And using pets' names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn't going to be enough.
Don’t worry, we're here to help. We’re going to focus on how to use a password manager, software that can help you go from passwords like "111111" to "6WKBTSkQq8Zn4PtAjmz7" without making you want to pull out all your hair. For good measure, we'll talk about how creating fictitious answers to password reset questions (e.g. mother's maiden name) can make you even more resistant to hacking.
A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.
We often see attackers trying to exploit our company's information assets, from both inside and outside the company. When the offending address is internal, the machine is easy to locate if you have information security controls such as Network Access Control (NAC), Dynamic Host Configuration Protocol (DHCP) logs, firewalls and network IPS. The problem is: what should we do if the offending IP address is out on the Internet?
There are five Regional Internet Registry (RIR) entities in the world (AFRINIC, APNIC, ARIN, LACNIC and RIPE NCC). Each assigns IPv4 addresses, IPv6 addresses and autonomous system numbers for its region:
(Map of the RIR service regions. Source: IANA web site)
Every RIR provides a tool called whois. It tells you who owns an IP address or a netblock. All contacts listed in an RIR are required to provide an abuse contact, which is the point of contact for getting an attacker stopped, or for requesting evidence for a criminal investigation if you are a law enforcement agency.
Let's see an example. To look up the IP address 66.35.59.202 we can start with ARIN. On the main ARIN website (http://www.arin.net) there is a text box after the "Search Whois" label. After entering 66.35.59.202, you obtain the following:
The abuse contact information is a URL following the contact ID, pointing to the specific details needed to contact the SANS Institute about abuse from their IP address range.
Let's see another example. If we look up IP address 200.13.232.33 at ARIN, we find the following:
This means the IP address is not within ARIN's scope and must be looked up at the LACNIC RIR instead. Querying the LACNIC whois for it, we obtain the following:
Using Google to look up the ownership of a specific IP address is definitely not a good idea: it searches for the IP address string inside every web page it has indexed. The results will contain a lot of false positives and will delay your incident response process and/or your criminal investigation.
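The lookup procedure above, start at one RIR and follow the referral to the registry that actually holds the block, written out as an added example in Python; it is not code from the diary or from any registry. Given a real server name it speaks raw whois on TCP/43, but the demo runs offline against constructed answers that imitate ARIN's ResourceLink referral and LACNIC's abuse-c/nic-hdl layout, with example.org and example.net standing in for real abuse mailboxes. It also refuses private and other non-global addresses before sending anything, since no registry will have an abuse contact for those.

```python
"""Follow RIR whois referrals to an abuse contact. Added example for this diary,
not code from the post or any registry; sample answers below are constructed."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

Block = List[Tuple[str, str]]
FIELD_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$")
START_SERVER = "whois.arin.net"  # ARIN refers you onward for space it does not manage
MAX_REFERRALS = 3                # stop referral loops between registries

def routable(ip: str) -> bool:
    """RFC 1918, loopback, link-local etc. have no RIR abuse contact; don't query for them."""
    return ipaddress.ip_address(ip).is_global

def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Plain RFC 3912 whois over TCP/43 (needs network; the demo does not use it)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_blocks(text: str) -> List[Block]:
    """Split an answer into blank-line separated blocks of key: value pairs."""
    blocks: List[Block] = [[]]
    for line in text.splitlines():
        if not line.strip():
            if blocks[-1]:
                blocks.append([])
        elif not line.lstrip().startswith(("#", "%")):  # skip banners and comments
            m = FIELD_RE.match(line)
            if m:
                blocks[-1].append((m.group(1), m.group(2)))
    return [b for b in blocks if b]

def find_referral(blocks: List[Block]) -> Optional[str]:
    """ARIN marks foreign space with ResourceLink lines; one of them names a whois host."""
    for block in blocks:
        for key, value in block:
            if key == "ResourceLink" and value.startswith("whois."):
                return value
    return None

def abuse_contacts(blocks: List[Block]) -> List[str]:
    """ARIN: OrgAbuseEmail. RPSL-style RIRs: abuse-mailbox, or an abuse-c handle
    whose nic-hdl block carries the e-mail line."""
    handles = {v for b in blocks for k, v in b if k == "abuse-c"}
    found: List[str] = []
    for block in blocks:
        abuse_block = dict(block).get("nic-hdl") in handles
        for key, value in block:
            hit = key in ("OrgAbuseEmail", "abuse-mailbox") or (abuse_block and key == "e-mail")
            if hit and "@" in value and value not in found:
                found.append(value)
    return found

def lookup_abuse(ip: str, query: Callable[[str, str], str] = whois_query) -> Dict[str, object]:
    """Start at ARIN and follow referrals until an abuse contact turns up."""
    if not routable(ip):
        raise ValueError(f"{ip} is not globally routable; no RIR lists an abuse contact for it")
    server, path = START_SERVER, []
    while len(path) <= MAX_REFERRALS:
        path.append(server)
        blocks = parse_blocks(query(server, ip))
        contacts = abuse_contacts(blocks)
        if contacts:
            return {"path": path, "abuse": contacts}
        nxt = find_referral(blocks)
        if not nxt or nxt in path:
            break
        server = nxt
    return {"path": path, "abuse": []}

# Constructed sample answers in ARIN / LACNIC style (demo data, not captured output).
SAMPLE_RESPONSES = {
    ("whois.arin.net", "66.35.59.202"): (
        "NetRange:       66.35.59.0 - 66.35.59.255\n"
        "OrgName:        Example Institute\n"
        "OrgAbuseEmail:  abuse@example.org\n"),
    ("whois.arin.net", "200.13.232.33"): (
        "NetRange:       200.0.0.0 - 200.255.255.255\n"
        "NetType:        Allocated to LACNIC\n"
        "ResourceLink:   http://lacnic.net/cgi-bin/lacnic/whois\n"
        "ResourceLink:   whois.lacnic.net\n"),
    ("whois.lacnic.net", "200.13.232.33"): (
        "% Joint Whois - whois.lacnic.net\n\n"
        "inetnum:     200.13.232.0/24\n"
        "owner:       Example Org\n"
        "abuse-c:     ABU\n\n"
        "nic-hdl:     ABU\n"
        "e-mail:      abuse@example.net\n"),
}

def sample_query(server: str, query: str) -> str:
    return SAMPLE_RESPONSES[(server, query)]

if __name__ == "__main__":
    for ip in ("66.35.59.202", "200.13.232.33"):
        print(ip, lookup_abuse(ip, query=sample_query))
```

For the second address the path comes back as ARIN then LACNIC, with the contact taken from the LACNIC nic-hdl block; dropping the `query` argument makes `lookup_abuse` talk to the real registries.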
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
Changing the landscape of identity Network World I was asked to travel to the 2013 InfoSec security conference in Europe this year, and speak about the trends I am seeing in the identity networking game, and possibly speculate on the future of identity in networking as I see it. So I thought to ... |
Strengthening Enterprise Defenses With Threat Intelligence Dark Reading ... from "Strengthening Enterprise Defenses With Threat Intelligence," a new report published this week on Dark Reading's Security Monitoring Tech Center.] Threat intelligence is emerging as a topic of both interest and debate within the infosec community. |
Mobile Application Security: New SANS Survey Results Revealed Dark Reading SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ... |
Blended security threats require a unified response IT-Director.com (blog) In a recent survey released during Infosec Europe 2013, 93% of large organisations reported that they had been breached in the past year, as did 87% of small organisations. And the report also shows that they are being breached more often with every ... |
Arabian Gazette | GISEC – Middle East's premier InfoSec show opens Arabian Gazette GISEC – Middle East's premier InfoSec show opens. Posted by AG Reporter / June 3, 2013. share. GISEC organised and hosted by the Dubai World Trade Centre (DWTC) and will be held from June 3-5 and the GISEC conference will be held from June 4-5. |
Posted by InfoSec News on Jun 03
http://www.darkreading.com/attacks-breaches/hacking-the-tdos-attack/240155809
Posted by InfoSec News on Jun 03
http://www.canada.com/entertainment/Evil+empire+USSRs+domain+space+increasingly+attractive+hideout/8459435/story.html
Posted by InfoSec News on Jun 03
http://online.wsj.com/article/SB10001424127887323855804578508894129031084.html
Posted by InfoSec News on Jun 03
http://www.canberratimes.com.au/it-pro/security-it/asio-hacking-failed-officials-say-20130531-2nhgk.html
Posted by InfoSec News on Jun 03
http://thehill.com/blogs/hillicon-valley/technology/302885-lawmakers-to-obama-get-tough-with-china-on-hacking