SIEM in practice: making Prelude friends with Cisco IPS and detecting HeartBleed exploitation through correlation / Sudo Null IT News

Good day to all!
The SIEM topic itself has recently become fashionable. Given the considerable complexity of these systems, the issues associated with their use are deep and voluminous. There are quite a few articles (on Habr and not only) devoted to SIEM. However, the vast majority of them touch on the topic in terms of theory, methodology and general principles for building processes. But there are catastrophically few articles describing the practical aspects of applying / configuring these systems. This article describes how to make IPS and SIEM friends in practice using the example of Cisco IPS and Prelude, as well as an example of a correlation rule that detects successful exploitation of the HeartBleed vulnerability that has made so much noise recently.

1. Introduction / statement of the problem

So, we have deployed IPS in Inline mode, what next?
Obviously, the next step is to somehow monitor what the IPS catches, in what quantity, who is attacking and from where, etc.
To be more specific:

  1. It is necessary to keep the set of active signatures up to date for the protected hosts.
  2. For the effective operation of IPS sensors, you must constantly "keep them in shape": you need to constantly adapt the sensor to specific networks and traffic. This is achieved by setting up rules with exceptions.
  3. Among the many alerts received from the IPS, it is necessary to single out the truly important and serious ones.
  4. For critical alerts, it is also necessary to provide the correct set of active response actions (blocking traffic, resetting sessions, IP bans, etc.) taken by the sensor, as well as notifying the administrator about them.
  5. The state of the sensor itself also needs to be monitored (load on the scanning engine, update errors, license validity periods, etc.).

To solve such problems, you need to choose a convenient and at the same time functional tool.

2. Native IPS Event Viewers

There are many ways to collect and process events from IPS.
Among the standard event viewers for Cisco sensors, there are the following options:

2.1 Viewing Events Locally on the Sensor

The principle of this tool can be described as "head-on". Each sensor has its own local event store. Naturally, you can only see in it what was detected directly on that specific sensor.

No grouping / aggregation of events on any basis is provided. The most you can do is filter the displayed events according to a number of criteria (signature criticality, sampling time, show / hide sensor system events). The event list itself looks like this:

Really, using this functionality makes sense either for debugging (when forwarding events to external systems), or when the organization uses one single sensor (although even for such a situation the solution is, to put it mildly, not the most convenient).

2.2 Cisco IPS Manager Express

The next "native" alternative to the previous tool is IME. This is a free Cisco solution that allows configuration and event monitoring for up to 10 IPS sensors. In terms of configuration, it is worth noting that here we are talking about a common console for the devices, i.e. there is no way to create configuration policies (with the exception of a few parameters related to the Global Correlation, Report Filtering and Network Participation features).
As for the collection of events, the situation is much better here: alerts from the various sensors are collected in a common database.

Event collection is supported both from IPS appliances / modules and from IOS-IPS routers. It is possible to group and filter events according to various criteria. In each event you can "drill down" to view more detailed information:

Another useful feature of IME is the ability to notify by e-mail about events received from the IPS. There are only two selection criteria for alerts: Attack Severity Rating and Risk Rating.

Although IME is a reasonably functional tool, it is not without limitations. One of the significant drawbacks is that IME is not a client-server system, but essentially a regular application that uses a MySQL database. In old versions, IME was not even supported on server and x64 operating systems. Other restrictions are the maximum number of supported devices (no more than 10) and the number of processed events per second (100 EPS).

2.3 Cisco Security Manager

CSM is already positioned as a full-fledged Enterprise solution designed for centralized management of various devices (IPS, ASA / PIX firewalls, IOS routers, etc.). The number of devices that can be managed depends on the license purchased. Management itself is carried out on the basis of policies: you can create a reference set of settings, which can later be replicated.
In terms of collecting, storing and displaying events, CSM is very similar to IME:

Here, as in IME, it is possible to group / aggregate and filter the displayed events according to various criteria. In addition to events from IPS, CSM also has the ability to track events from ASA / FWSM / PIX firewalls.
You can also "drill down" into each alert to view more detailed information:

Although CSM is positioned as an Enterprise solution, unlike IME it cannot collect alerts from IOS-IPS (while at the same time it can configure them through policies). Also, CSM cannot e-mail alerts about events captured by the IPS.

CS-MARS

There was once also such a system as CS-MARS, but this project has been closed for quite some time, so it is mentioned only as a historical reference.

3. SIEM

The solutions described above are each good in their own way. But from the point of view of collecting events they are quite narrowly focused: apart from events from IPS (and from firewalls, in the case of CSM) we will not be able to see anything else in them.

Quite often in my practice, colleagues from neighbouring departments come with questions:

  • We have here <channel load increased | service stopped responding | system went down | something happened>, don't you know what it is connected with?
  • And you (IS) didn't notice anything suspicious there?
  • etc.

It is in such cases that it becomes necessary to check events from routers, switches, logs from UNIX / Windows, logs of specific systems, antiviruses, mail gateways, etc. In fact, the list goes on and on.
And also to compare all this with each other according to some criteria (perform correlation), and obtain additional information about the hosts participating in the event: what kind of resource it is, whether it is vulnerable or not, which ports are open, etc.
This is where SIEM systems come to the rescue. They are able to do all of the above, and with due diligence, in an automated way.

One such system is a beast little known in Runet called Prelude. It is what will be discussed.
Why exactly it?

  1. I like it.
  2. It works (and has for quite some time).
  3. It has an OSS version.
  4. It has native compatibility with some other OSS systems.
  5. If desired, you can connect any source that writes a log.
  6. From it you can assemble your own "Swiss army knife" for your tasks of identifying, investigating and responding to incidents.
  7. The correlation module is implemented as plugin scripts in Python, which means flexibility in the fullest sense of the word. A full-fledged programming language makes it possible to write any correlation rules.
  8. There is a convenient Prewikka interface.

Prelude is based on the IDMEF format, which predefines the fields in received messages. In addition to the predefined fields, you can also create your own, with a name and data type (additional data), where you can write everything that does not fit into the standard fields. Based on the data recorded in the various fields, filtering, aggregation and correlation of events can be carried out.

3.1 Prelude Architecture

In a simplified form, the system architecture can be represented as follows:

Manager

- the core of the system. It is responsible for receiving already normalized (unified) events from LML agents, the correlation module, third-party systems or subordinate managers (available in the commercial version). The received messages are written to the database. It is also responsible for e-mail alerts.

LML

- a system agent and the primary event provider. It receives logs from various systems (via a local file or via syslog on a UDP port). It parses / normalizes the received logs based on a set of rules consisting of regular expressions. Normalized events are sent to the Manager. LML can run both locally (on the same server as the Manager) and remotely.

Correlator

- the correlation module. Connects to the Manager as an agent. Correlates events received by the Manager based on plugins implemented as Python scripts.

DataBase

- the database itself, where all events processed by the system are stored.

3rd Party Systems

- third-party systems with IDMEF support, which allows connecting them directly to the Manager.

Prewikka

- the main system interface, implemented on the Web. Designed to display processed events, their aggregation / filtering, statistics output, etc.

It all looks like this:

Events are displayed in a table whose columns contain information about:

  • the classification of the alert (Classification), containing fields with the name of the event, a sign of its (un)successful completion, the event id (signature number, CVE vulnerability number, etc.), the criticality of the event, etc.
  • source / target (Source / Target), containing fields with the IP address, MAC address (if it was present in the event), user name, process, file, etc.
  • analyzer (Analyzer, the event source), containing fields with the IP address, analyzer class, etc.

The number of IDMEF fields displayed depends on the type of event and the rule that processes it. Some fields can be indexed, i.e. hold multiple values. For example, there may be two userid.name fields, in one of which the value samaccountname will be written, and in the second the SID of the same account. And, for example, in the case of an event from a file integrity checking system, neither the address, nor the port, nor the protocol will be displayed in the source and target information; these fields will be filled with information about the changed file, checksums and other additional information.
Anyway, you can "drill down" to view more detailed information:

4. How to collect events from the sensors?

Before connecting the IPS to our system as a source, you need to understand how you can get the alerts stored in it out of the IPS.
There are two methods for transmitting events from Cisco sensors (and one semi-method for IOS-IPS) to external systems:

1) Via SNMP Trap, which the sensor itself sends upon the fact of a signature or system event.
The traps sent by the sensor look as follows:

    #012iso.3.6.1.2.1.1.3.0 15:1:47:08.58#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.1#011iso.3.6.1.4.1.9.9.383.1.1.1.0 6822393729640#011iso.3.6.1.4.1.9.9.383.1.1.2.0 "07 DE 04 0A 0B 2C 0E 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3.0 "07 DE 04 0A 07 2C 0E 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "IPS-Sensor-01"#011iso.3.6.1.4.1.9.9.383.1.2.2.0 2147516416#011iso.3.6.1.4.1.9.9.383.1.2.3.0 "Heartbleed"#011iso.3.6.1.4.1.9.9.383.1.2.4.0 "OpenSSL Info Disclosure"#011iso.3.6.1.4.1.9.9.383.1.2.5.0 4187#011iso.3.6.1.4.1.9.9.383.1.2.6.0 0#011iso.3.6.1.4.1.9.9.383.1.2.7.0 "S785"#011iso.3.6.1.4.1.9.9.383.1.2.13.0 0#011iso.3.6.1.4.1.9.9.383.1.2.14.0 "iBCRX+m57XRkOtzSnz0MSIw/CJWscqWUKqhEjadJYMWue6yLZAgTFpc8+LuL#012H/4o5rulPzbm1D9tQZ2tnoY/qfwSZ3H1VE2Wt2/rwUHcjVaKjGue9I0FdGZN#012JgpdbIcOOiBxB0T0JJ0qsqAzTMO37pf6GNOcByoHVgcgubBM2x148331MWSP#012O4hROt/p8Zpk8ZmNBIfUwy4yA0ByxPANY4e+ixHoPOe0aJGk1GUthnyAhKn8#012ztzv/kfCXHyPH5X7DBXTTXYZN+Xv6vnWYJV3tojoaOIpv6shRYLjeg84qeO5#012vY3P0uXwcYSCj1YY4rdgQpQvL8PkOxYDAgAEDgAAAA=="#011iso.3.6.1.4.1.9.9.383.1.2.15.0 "FgMCANwBAADYAwJTQ1uQnZtyC7wMvCuSqEiXz705BMwWCoUDkJ93BDPU3gAA#012ZsAUwArAIsAhADkAOACIAIfAD8AFADUAhMASwAjAHMAbABYAE8ANwAMACsAT#012wAnAH8AeADMAMgCaAJkARQBEwA7ABAAvAJYAQcARwAfADMACAAUABAAVABIA#012CQAUABEACAAGAAMA/wEAAEkACwAEAwABAgAKADQAMgAOAA0AGQALAAwAGAAJ#012AAoAFgAXAAgABgAHABQAFQAEAAUAEgATAAEAAgADAA8AEAARACMAAAAPAAEB#012GAMCAAMBQAAYAwIAAwFAAA=="#011iso.3.6.1.4.1.9.9.383.1.2.16.0 "192.168.1.1:51716"#011iso.3.6.1.4.1.9.9.383.1.2.17.0 "osIdSource=\"unknown\" osRelevance=\"relevant\" osType=\"unknown\" 10.10.10.1:443"#011iso.3.6.1.4.1.9.9.383.1.2.21.0 "InterfaceAttributes:  context=\"single_vf\" physical=\"Unknown\" backplane=\"PortChannel0/0\" ; "#011iso.3.6.1.4.1.9.9.383.1.2.25.0 70#011iso.3.6.1.4.1.9.9.383.1.2.26.0 5#011iso.3.6.1.4.1.9.9.383.1.2.27.0 6#011iso.3.6.1.4.1.9.9.383.1.2.42.0 70#011iso.3.6.1.4.1.9.9.383.1.2.49.0 "vs0"#011iso.3.6.1.4.1.9.9.383.1.3.1.0 "high"

2) Via the SDEE standard.

In this case, the IPS sensor acts as a Web server, and external systems connect to it on their own and pick up new alerts. This method is used in the CSM and IME products. Cisco's SDEE uses the CIDEE extension, which describes additional fields.
You can see SDEE alerts "in pure form" through the browser by typing https://<sensor address>/cgi-bin/sdee-server in the address bar (authentication will be required).
The alerts themselves look like this:
    (SDEE XML alert; the markup was lost in extraction and only the field values survive:) IPS-Sensor-01 sensorApp 27106 1392668796044445000 17 TCP segment is out of state order vsx 302 192.168.0.1 443 10.10.10.1 24479 true 25 25 ge0_3 tcp

Running a little ahead, it is worth noting right away that using SDEE has its pros and cons. Data received via SDEE contains more information about the alert than the SNMP trap. For example, there is information about the actions taken by the sensor. But to export data via SDEE to the SIEM, a special connector is required (in Prelude it exists only in the commercial version).

3) Via syslog (only for IOS-IPS). For completeness, it is also worth noting some features of IOS-IPS. It also supports SDEE, but cannot send alerts via SNMP. Unlike its "older" brothers, IOS-IPS can write information about alerts to the router's local syslog. The router's syslog, in turn, can be forwarded to an external host. However, the data written to syslog is extremely meagre. For IOS 12.x:

    Aug 20 14:21:35 MSK: %IPS-4-SIGNATURE: Sig:15002 Subsig:1 Sev:50  [192.168.1.1:1066 -> 10.10.10.1:5938] RiskRating:30

Even the name of the signature is missing. Only its SignatureID and SubsignatureID. For IOS 15.x:

    Mar  3 11:15:24 MSK: %IPS-4-SIGNATURE: Sig:11020 Subsig:0 Sev:25 BitTorrent Client Activity [192.168.1.1:62809 -> 10.10.10.1:6881] VRF:NONE RiskRating:25

But through SDEE the same alerts will be presented in "normal" form, i.e. with detailed information:

    (SDEE XML alert; the markup was lost in extraction and only the field values survive:) IOS-IPS-ROUTER 1397799251079951920 0 jabber: tcp 25 192.168.1.1 61208 10.10.10.1 5222 NONE Fa0/1 NONE

5. Setup

To implement a version based on OSS, only the option with SNMP traps is suitable.
The connection diagram will look like this:

  1. The IPS catches the attack and sends an SNMP trap about it (IOS-IPS sends a log directly to rsyslogd).
  2. We receive the SNMP trap and send it to syslog.
  3. rsyslogd writes the standard log to a file.
  4. LML parses the log, normalizes it, pulls the values from the fields of interest to us and writes them to the corresponding IDMEF fields (mapping).
  5. The normalized event is passed to the Manager, which writes it to the database. After that, the event becomes available for viewing through Prewikka.
  6. Incoming events from the IPS can also be sent to the correlation module (this stage will be considered separately).

5.1 Preparation

You must first install and configure Prelude itself. How to do this has already been described here.
In addition to Prewikka and prelude-manager, we will need prelude-lml and prelude-correlator.
Additional information can also be found on the official Prelude website.

To handle SNMP traps, you will need to configure the snmptrapd and rsyslogd daemons (or similar).
The main task is to receive SNMP traps and write them to a file.
You can do this, for example, like this:

snmptrapd.conf

    donotlogtraps no
    printeventnumbers yes
    ignoreauthfailure yes
    authCommunity log,execute public
    traphandle default /usr/sbin/snmptthandler

rsyslog.conf

    if $programname == 'snmptrapd' \
    then /var/log/snmptrapd
    & ~

5.2 Sensor-side setup

The next step is to force our sensor to send SNMP traps every time a signature is triggered, as well as in case of errors on the sensor itself. To do this, globally enable SNMP traps and define the target host and community to send them to:

In addition, it is necessary to assign the action "Request SNMP Trap" through Event Action Override for all RiskRating ranges (we don't want to lose sight of anything):

After these settings, when the IPS is triggered, events should start appearing in our log /var/log/snmptrapd:

    Apr 18 16:01:59 prelude-server snmptrapd[11106]: 2014-04-18 16:01:59 10.0.0.1 [UDP: [10.0.0.1]:60457->[192.168.0.1]]:#012iso.3.6.1.2.1.1.3.0 24:12:04:52.86#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.1#011iso.3.6.1.4.1.9.9.383.1.1.1.0 6822393753725#011iso.3.6.1.4.1.9.9.383.1.1.2.0 "07 DE 04 13 16 01 3B 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3.0 "07 DE 04 13 12 01 3B 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "IPS-SENSOR-01"#011iso.3.6.1.4.1.9.9.383.1.2.2.0 2147516416#011iso.3.6.1.4.1.9.9.383.1.2.3.0 "[ \\x26=?.]/etc/passwd[ \\x26=?]"#011iso.3.6.1.4.1.9.9.383.1.2.4.0 "Unix Password File Access Attempt"#011iso.3.6.1.4.1.9.9.383.1.2.5.0 3201#011iso.3.6.1.4.1.9.9.383.1.2.6.0 1#011iso.3.6.1.4.1.9.9.383.1.2.7.0 "S238"#011iso.3.6.1.4.1.9.9.383.1.2.13.0 0#011iso.3.6.1.4.1.9.9.383.1.2.15.0 "R0VUIC9uZXdzL2luZGV4LnBocD9FTEVNRU5UX0lEPS4uLy4uLy4uLy4uLy4u#012Ly4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QgSFRUUC8xLjENCkhvc3Q6IA=="#011iso.3.6.1.4.1.9.9.383.1.2.16.0 "192.168.1.1:22238"#011iso.3.6.1.4.1.9.9.383.1.2.17.0 "osIdSource=\"unknown\" osRelevance=\"relevant\" osType=\"unknown\" 10.10.10.1:80"#011iso.3.6.1.4.1.9.9.383.1.2.21.0 "InterfaceAttributes:  context=\"single_vf\" physical=\"Unknown\" backplane=\"PortChannel0/0\" ; "#011iso.3.6.1.4.1.9.9.383.1.2.25.0 65#011iso.3.6.1.4.1.9.9.383.1.2.26.0 5#011iso.3.6.1.4.1.9.9.383.1.2.27.0 6#011iso.3.6.1.4.1.9.9.383.1.2.42.0 65#011iso.3.6.1.4.1.9.9.383.1.2.49.0 "vs0"#011iso.3.6.1.4.1.9.9.383.1.3.1.0 "medium"

Here 10.0.0.1 is the address of the IPS-SENSOR-01 sensor, and 192.168.0.1 is the address of prelude-server, where Prelude and snmptrapd are actually installed.

5.3 Configuring LML

Now you need to configure the part where all the "magic" of turning the SNMP trap received from the sensor into an event that will be conveniently presented in the graphical interface takes place. The prelude-lml module is responsible for this. It must be installed on the same server where the SNMP traps arrive and registered as an agent in prelude-manager.
It is configured in several stages.

1) We define the format (and, if necessary, the encoding) of the original log. This is done in the prelude-lml.conf file:

    [format=Cisco-IPS]
    time-format = "%b %d %H:%M:%S"
    prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
    file = /var/log/snmptrapd

With this setting we specify in advance what the time format of the events coming into the log looks like, the address of the analyzer (in this case the address of the server itself), and the name and number of the process that received the log.
Later, during the actual analysis of the event, all these values can be redefined. If the event cannot be parsed by a set of rules, the values defined at this stage will remain.

2) We indicate which set of log analysis rules to apply to which incoming events. This is done in the pcre.rules file and looks like this for our example:

    regex=snmptrapd;                        include = cisco-ips.rules;

3) You must create the specific set of rules: cisco-ips.rules. In fact, this paragraph deserves a separate article. In order not to double the size of this article, I'll just list the main points:
  • a set of rules consists of a sequence of regular expressions;
  • we can influence the order of their processing, as well as create "sub-rules" of various nesting;
  • in each rule, we can "pull out" the desired value from the log into a variable and place it in the corresponding IDMEF field. This process is called mapping;
  • "sub-rules" can be called optionally, which allows changing values in events depending on their content.

Example: by default, we assign the value "info" to the "severity" field of all events. Further, if the alert sent by the sensor contains a different Attack Severity Rating value, we overwrite our attribute. This allows you to bind to any parameter at all and write events to the database as we please. What level of criticality the SIEM should assign to incoming events (with or without corrective actions) is more of a methodological question. Using the rules, you can implement any convenient / preferred option.
The following set of rules was developed empirically:

cisco-ips.rules

    #####
    # Copyright (C) 2013 Vladimir Lapshin
    # Copyright (C) 2013 lei_wulong
    #
    # This file is part of the Prelude-LML program.
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2, or (at your option)
    # any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; see the file COPYING.  If not, write to
    # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
    #
    #####
    #<>
    # (the start of the ALERT section, rules 5000-5003, did not survive in this
    #  copy; only the tail of the last of them follows)
     additional_data(-1).type=string; \
     additional_data(-1).meaning=Cisco Signature Template:; \
     additional_data(-1).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$1&signatureSubId=$2; \
     chained; silent;
    regex=011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.13(?:\.0)? (\d+); \
     id=5004; \
     target(0).node.address(0).vlan_name=$1; \
     chained; silent;
    regex=011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.16(?:\.0)? "(?:0\.0\.0\.0 \[)?([\w:]+?|\d+?\.\d+?\.\d+?\.\d+?)(?:\])?(?::(\d+?))?"; \
     id=5005; \
     source(0).node.address(0).category=ipv4-addr; \
     source(0).node.address(0).address=$1; \
     source(0).service.port=$2; \
     chained; silent;
    #ANOMALY DETECTION
    regex=011iso.3.6.1.4.1.9.9.383.1.2.16(?:\.0)? "[\d\.\:]+"\#011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.21(?:\.0)? ".\s+adExtraData: numDestIps=\d+\S currentThreshold=\d+\S protocol=\d+; \
     id=5006; \
     target(0).node.address(0).category=ipv4-addr; \
     target(0).node.address(0).address=0.0.0.0; \
     target(0).service.port=0; \
     target(0).service.portlist=0; \
     additional_data(0).type=string; \
     additional_data(0).meaning=osIdSource:; \
     additional_data(0).data=unknown; \
     additional_data(1).type=string; \
     additional_data(1).meaning=osRelevance:; \
     additional_data(1).data=unknown; \
     additional_data(2).type=string; \
     additional_data(2).meaning=osType:; \
     additional_data(2).data=unknown; \
     chained; silent;
    regex=\[UDP: \[([^\]]+)\]:\d+->\[[^\]]+\]\]:.012iso\.3\.6\.1\.2\.1\.1\.3\.0 \d?\d?\d?:?\d\d:\d\d:\d\d\.\d\d.011iso\.3\.6\.1\.6\.3\.1\.1\.4\.1\.0 iso\.3\.6\.1\.4\.1\.9\.9\.383\.0\.1.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.1\.1 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.1\.2 "[\d\w\s]+".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.1\.3 "[\d\w\s]+".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.1\.4 "(\S+)".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.1 "(info|low|medium|high)(?:rmational)?".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.2 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.3 "([^"]+)"#011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.4 "([^"]+)".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.5 (\d+).011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.6 (\d+).011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.7 "[^"]+".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.12 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.13 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.16 "([^"]+)".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.21 "\.\s+adExtraData: numDestIps=(\d+). currentThreshold=(\d+). protocol=(\d+) . ".011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.25 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.26 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.27 \d+.011iso\.3\.6\.1\.4\.1\.9\.9\.383\.1\.2\.42 \d+; \
     id=5030; \
     revision=1; \
     classification.text=$5; \
     classification.reference(0).origin=vendor-specific; \
     classification.reference(0).name=$6.$7; \
     classification.reference(0).meaning=ips_id; \
     classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$6&signatureSubId=$7; \
     assessment.impact.severity=$3; \
     assessment.impact.type=other; \
     assessment.impact.description=$4; \
     source(0).node.address(0).category=ipv4-addr; \
     source(0).node.address(0).address=$8; \
     target(0).node.address(0).category=ipv4-addr; \
     target(0).node.address(0).address=0.0.0.0; \
     analyzer(0).node.address(0).address=$1; \
     analyzer(0).node.name=$2; \
     analyzer(0).manufacturer=Cisco; \
     analyzer(0).class=IPS; \
     analyzer(0).name=Cisco IPS; \
     last;
    #>>ALERT>>
    #<>ERROR>>
    #<>MESSAGE TYPE>>
    # (the ERROR and MESSAGE TYPE sections, rules 5040-5089, did not survive in
    #  this copy, nor did the MAIN RULE header; the head of rule 5090's regex
    #  below is restored from the identical UDP envelope matched by rule 5030)
    regex=\[UDP: \[([^\]]+)\]:\d+->\[(\d+.\d+.\d+.\d+)\]\]:; \
     classification.text=snmp unknown message; \
     classification.reference(0).origin=vendor-specific; \
     id=5090; \
     revision=1; \
     assessment.impact.severity=high; \
     assessment.impact.type=other; \
     assessment.impact.description=This event was generated by snmptrapd; \
     source(0).node.address(0).address=$1; \
     analyzer(0).node.address(0).address=$2; \
     last;
    #>>MAIN RULE>>
    #EOF


This rule set contains the following logic:
  • the incoming log first falls under the generalized signature of an IPS event: rule 5090;
  • optionally the message type is checked: error / system message / alert: rules 5080 to 5089;
  • if the received message refers to an error, we determine its type: rules 5040 to 5079;
  • if the received message is a signature trigger, we pull out everything that interests us: rules 5000 to 5039.

That is, log processing by the rules goes from top to bottom. But the part of the rules with the chained; silent keys does not participate in this processing until they are explicitly given a link from a parent rule (with the optgoto key).
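To make the mapping concrete, here is the same extraction done in plain Python over constructed snmptrapd lines built from the article's trap values; this is an added illustration, not the article's rule set or any Prelude code. The field assignments follow the rules above (signature traps get the 5000-5039 style mapping, anything else with the trap envelope the generic 5090 style); treating varbind 1.3.1 as the severity and the last token of 1.2.17 as the target host:port are assumptions drawn from the sample traps.

```python
import re

# Constructed samples of what rsyslog writes to /var/log/snmptrapd; the values
# mirror the article's trap, with OIDs the mapping does not use left out.
SIGNATURE_TRAP = (
    'Apr 18 16:01:59 prelude-server snmptrapd[11106]: 2014-04-18 16:01:59 10.0.0.1 '
    '[UDP: [10.0.0.1]:60457->[192.168.0.1]]:'
    '#012iso.3.6.1.2.1.1.3.0 24:12:04:52.86'
    '#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "IPS-SENSOR-01"'
    '#011iso.3.6.1.4.1.9.9.383.1.2.3.0 "[ \\\\x26=?.]/etc/passwd[ \\\\x26=?]"'
    '#011iso.3.6.1.4.1.9.9.383.1.2.4.0 "Unix Password File Access Attempt"'
    '#011iso.3.6.1.4.1.9.9.383.1.2.5.0 3201'
    '#011iso.3.6.1.4.1.9.9.383.1.2.6.0 1'
    '#011iso.3.6.1.4.1.9.9.383.1.2.13.0 0'
    '#011iso.3.6.1.4.1.9.9.383.1.2.16.0 "192.168.1.1:22238"'
    '#011iso.3.6.1.4.1.9.9.383.1.2.17.0 "osIdSource=\\"unknown\\" '
    'osRelevance=\\"relevant\\" osType=\\"unknown\\" 10.10.10.1:80"'
    '#011iso.3.6.1.4.1.9.9.383.1.3.1.0 "medium"'
)
# Same envelope but no signature fields: a sensor system message.
SYSTEM_TRAP = (
    'Apr 18 16:02:10 prelude-server snmptrapd[11106]: 2014-04-18 16:02:10 10.0.0.1 '
    '[UDP: [10.0.0.1]:60458->[192.168.0.1]]:'
    '#012iso.3.6.1.2.1.1.3.0 24:12:05:03.12'
    '#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "IPS-SENSOR-01"'
)

CIDS = 'iso.3.6.1.4.1.9.9.383.'          # Cisco IDS/IPS MIB subtree seen in the traps
SIG_URL = ('http://tools.cisco.com/security/center/viewIpsSignature.x'
           '?signatureId=%s&signatureSubId=%s')
ENVELOPE_RE = re.compile(r'\[UDP: \[([^\]]+)\]:\d+->\[([^\]]+)\]\]:')
# One varbind: a #011/#012 escape, the OID, then a quoted value (\" escapes,
# may span #012 newlines, e.g. the base64 packet dumps) or a bare token.
VARBIND_RE = re.compile(r'#01[12](iso\.[\d.]+) (?:"((?:[^"\\]|\\.)*)"|([^\s#]*))')


def varbinds(body):
    """Split the trap body into {oid: value}, undoing rsyslog's quote escaping."""
    out = {}
    for oid, quoted, bare in VARBIND_RE.findall(body):
        out[oid] = quoted.replace('\\"', '"') if quoted else bare
    return out


def split_hostport(text):
    """'10.10.10.1:80' -> ('10.10.10.1', '80'); the port is '' when absent."""
    host, sep, port = (text or '').rpartition(':')
    return (host, port) if sep else (port, '')


def to_idmef(line):
    """Map one snmptrapd line to flattened IDMEF fields the way the LML rules do.

    Signature traps get the rule 5000-5039 style mapping; any other trap with
    the same envelope falls through to the generic rule 5090 style; a line
    that is not a Cisco IPS trap at all yields None.
    """
    env = ENVELOPE_RE.search(line)
    if not env:
        return None
    vb = varbinds(line[env.end():])

    def get(suffix):
        return vb.get(CIDS + suffix + '.0')

    event = {
        'analyzer.node.address': env.group(1),   # trap sender = the sensor
        'analyzer.node.name': get('1.1.4'),
        'analyzer.manufacturer': 'Cisco',
        'analyzer.class': 'IPS',
        'assessment.impact.type': 'other',
    }
    sig_id, sub_id = get('1.2.5'), get('1.2.6')
    if sig_id is None:                            # rule 5090: unknown message
        event.update({
            'classification.text': 'snmp unknown message',
            'assessment.impact.severity': 'high',
            'assessment.impact.description': 'This event was generated by snmptrapd',
        })
        return event
    src = split_hostport(get('1.2.16'))
    # 1.2.17 carries OS-identification attributes followed by target host:port
    tgt_raw = get('1.2.17') or ''
    tgt = split_hostport(tgt_raw.rsplit(' ', 1)[-1])
    event.update({
        'classification.text': get('1.2.4'),
        'classification.reference.origin': 'vendor-specific',
        'classification.reference.meaning': 'ips_id',
        'classification.reference.name': '%s.%s' % (sig_id, sub_id),
        'classification.reference.url': SIG_URL % (sig_id, sub_id),
        # default 'info', overwritten when the trap carries a severity
        # (1.3.1 is taken as the severity varbind: an assumption from the samples)
        'assessment.impact.severity': get('1.3.1') or 'info',
        'assessment.impact.description': get('1.2.3'),
        'source.node.address': src[0], 'source.service.port': src[1],
        'target.node.address': tgt[0], 'target.service.port': tgt[1],
        'target.node.address.vlan_name': get('1.2.13'),
        'additional_data': dict(re.findall(r'(\w+)="([^"]*)"', tgt_raw)),
    })
    return event
```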

For IOS-IPS, you can also redirect logs to our server and similarly apply this set of rules:

cisco-ios-ips.rules

    #
    # Copyright (C) 2013 lei_wulong
    #
    # This file is part of the Prelude-LML program.
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2, or (at your option)
    # any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; see the file COPYING.  If not, write to
    # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
    #

    #####
    ##RULES FOR CISCO IOS-IPS###
    ##
    # id pool = [580-599]

    # Map the Sev field of the message to an IDMEF severity; these rules are
    # silent, i.e. they only set a field and never produce an alert on their own
    regex=Subsig\:\d+\s+Sev\:25; \
     id=580; \
     assessment.impact.severity=info; \
     silent

    regex=Subsig\:\d+\s+Sev\:50; \
     id=581; \
     assessment.impact.severity=low; \
     silent

    regex=Subsig\:\d+\s+Sev\:75; \
     id=582; \
     assessment.impact.severity=medium; \
     silent

    regex=Subsig\:\d+\s+Sev\:100; \
     id=583; \
     assessment.impact.severity=high; \
     silent

    ### For IOS 12.4(11) ###
    # $1 sensor ip, $2 hostname, $3 sig, $4 subsig, $5 sev, $6 src ip, $7 src port,
    # $8 dst ip, $9 dst port, $10 risk rating
    regex=(\d+\.\d+\.\d+\.\d+)\s+\d+\:\s+(.+?)\:.+?\%IPS-4-SIGNATURE\: Sig\:(\d+)\s+Subsig\:(\d+)\s+Sev\:(\d+)\s+\[([\d\.]+)\:(\d+)\s+\-\>\s+([\d\.]+)\:(\d+)\]\s+RiskRating\:(\d+); \
     classification.text=$3.$4; \
     classification.reference(0).origin=vendor-specific; \
     classification.reference(0).meaning=cisco_id; \
     classification.reference(0).name=$3.$4; \
     classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$3&signatureSubId=$4; \
     id=584; \
     revision=2; \
     analyzer(0).name=Cisco IPS; \
     analyzer(0).manufacturer=Cisco; \
     analyzer(0).class=IPS; \
     analyzer(0).node.address(0).address=$1; \
     analyzer(0).node.name=$2; \
     assessment.impact.type=other; \
     source(0).node.address(0).category=ipv4-addr; \
     source(0).node.address(0).address=$6; \
     target(0).node.address(0).category=ipv4-addr; \
     target(0).node.address(0).address=$8; \
     source(0).service.port=$7; \
     target(0).service.port=$9; \
     additional_data(0).type=integer; \
     additional_data(0).meaning=Signature Severity; \
     additional_data(0).data=$5; \
     additional_data(1).type=integer; \
     additional_data(1).meaning=Risk Rating; \
     additional_data(1).data=$10; \
     last;

    ### For IOS 15.1 ###
    # $1 sensor ip, $2 hostname, $3 sig, $4 subsig, $5 sev, $6 signature name, $7 src ip,
    # $8 src port, $9 dst ip, $10 dst port, $11 VRF, $12 risk rating
    regex=(\d+\.\d+\.\d+\.\d+)\s+\d+\:\s+(.+?)\:.+?\%IPS-4-SIGNATURE\: Sig\:(\d+)\s+Subsig\:(\d+)\s+Sev\:(\d+)\s+(.+?)\s+\[([\d\.]+)\:(\d+)\s+\-\>\s+([\d\.]+)\:(\d+)\]\s+VRF\:(.+?)\s+RiskRating\:(\d+); \
     classification.text=$6; \
     classification.reference(0).origin=vendor-specific; \
     classification.reference(0).meaning=cisco_id; \
     classification.reference(0).name=$3.$4; \
     classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$3&signatureSubId=$4; \
     id=585; \
     revision=2; \
     analyzer(0).name=Cisco IPS; \
     analyzer(0).manufacturer=Cisco; \
     analyzer(0).class=IPS; \
     analyzer(0).node.address(0).address=$1; \
     analyzer(0).node.name=$2; \
     assessment.impact.type=other; \
     source(0).node.address(0).category=ipv4-addr; \
     source(0).node.address(0).address=$7; \
     target(0).node.address(0).category=ipv4-addr; \
     target(0).node.address(0).address=$9; \
     source(0).service.port=$8; \
     target(0).service.port=$10; \
     additional_data(0).type=integer; \
     additional_data(0).meaning=Signature Severity; \
     additional_data(0).data=$5; \
     additional_data(1).type=integer; \
     additional_data(1).meaning=Risk Rating; \
     additional_data(1).data=$12; \
     additional_data(2).type=string; \
     additional_data(2).meaning=VRF; \
     additional_data(2).data=$11; \
     last;
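To see what the two capture rules actually extract, here is an added Python example (it is not part of the rule file above and not Prelude-LML code) that applies the same two regexes, with the numbered groups given names, to constructed IOS-IPS syslog lines and maps Sev to severity the way the four silent rules do; the sensor names and addresses are made up.

```python
import re

# Constructed sample lines in the "<ip> <seq>: <host>: <timestamp>: %IPS-4-SIGNATURE: ..." shape
# the rule file expects; sensors and addresses are documentation ranges, not real hosts.
SAMPLE_LINES = [
    "10.0.0.1 000123: ios-ips-1: Apr 10 12:00:01.100: %IPS-4-SIGNATURE: Sig:4187 Subsig:0 Sev:100 "
    "OpenSSL Information Disclosure [192.0.2.10:51234 -> 198.51.100.5:443] VRF:NONE RiskRating:85",
    "10.0.0.2 000987: ios-ips-2: Apr 10 12:00:02.200: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 "
    "[192.0.2.11:1 -> 198.51.100.6:0] RiskRating:18",
    "10.0.0.3 000001: ios-ips-3: Apr 10 12:00:03.300: %SYS-5-CONFIG_I: Configured from console",
]

# The two capture patterns of the rule file with their groups named ($1..$12 in the original).
# The more specific IOS 15.1 form is tried first, then the IOS 12.4(11) form.
IOS_15_1 = re.compile(
    r"(?P<sensor>\d+\.\d+\.\d+\.\d+)\s+\d+:\s+(?P<hostname>.+?):.+?%IPS-4-SIGNATURE: "
    r"Sig:(?P<sig>\d+)\s+Subsig:(?P<subsig>\d+)\s+Sev:(?P<sev>\d+)\s+(?P<name>.+?)\s+"
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\]\s+"
    r"VRF:(?P<vrf>.+?)\s+RiskRating:(?P<rr>\d+)")
IOS_12_4 = re.compile(
    r"(?P<sensor>\d+\.\d+\.\d+\.\d+)\s+\d+:\s+(?P<hostname>.+?):.+?%IPS-4-SIGNATURE: "
    r"Sig:(?P<sig>\d+)\s+Subsig:(?P<subsig>\d+)\s+Sev:(?P<sev>\d+)\s+"
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\]\s+RiskRating:(?P<rr>\d+)")

# Same Sev -> IDMEF severity mapping as the four silent rules (ids 580-583).
SEVERITY = {"25": "info", "50": "low", "75": "medium", "100": "high"}

def parse_ios_ips(line):
    """Return a flat IDMEF-style dict for one IOS-IPS syslog line, or None if it does not match."""
    m = IOS_15_1.search(line) or IOS_12_4.search(line)
    if not m:
        return None
    f = m.groupdict()
    sig_id = "%s.%s" % (f["sig"], f["subsig"])
    return {
        # IOS 12.4 carries no signature name, so the rule uses "sig.subsig" as the text
        "alert.classification.text": f.get("name") or sig_id,
        "alert.classification.reference(0).name": sig_id,
        "alert.analyzer(0).node.address(0).address": f["sensor"],
        "alert.analyzer(0).node.name": f["hostname"],
        "alert.assessment.impact.severity": SEVERITY.get(f["sev"], "medium"),
        "alert.source(0).node.address(0).address": f["src"],
        "alert.source(0).service.port": int(f["sport"]),
        "alert.target(0).node.address(0).address": f["dst"],
        "alert.target(0).service.port": int(f["dport"]),
        "risk_rating": int(f["rr"]),
        "vrf": f.get("vrf"),
    }
```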


After all the above manipulations, we get this result:

In the console, triggers from all IPS sensors appear. The screenshot above shows the grouping by source and destination addresses. Here there are events from IPS modules and appliances, as well as from routers with IOS-IPS enabled (this is not visible in the screenshot due to "obfuscation"). We can group / filter by all the values that were parsed out during processing by our set of rules.
Accordingly, you can also "drill down" into any of them and see the details:

6. Correlation: HeartBleed


The finishing touch in the setup will be the part that distinguishes event viewers from a SIEM: correlation.
As an example of setting up a correlation rule, let's take a recent vulnerability in the OpenSSL library - HeartBleed.

Cisco has a signature that can catch an attempt to exploit this vulnerability: tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4187&signatureSubId=0
The signature number is 4187.0; it is called "OpenSSL Information Disclosure".
By itself, triggering this signature does not yet mean that the vulnerability has been exploited, because the IPS does not know whether the attacked host is vulnerable or not. Only the SIEM can answer this question.
The general principle of the correlation rule is as follows: when the above event from the IPS arrives in the SIEM, the SIEM itself checks the target host for the HeartBleed vulnerability. If the host is vulnerable, a separate correlation event is generated.
The rule itself is as follows:

    #
    # Copyright (C) 2014 Vladimir Lapshin
    # Copyright (C) 2014 lei_wulong
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2, or (at your option)
    # any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; see the file COPYING.  If not, write to
    # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
    #
    import re
    import time
    import subprocess

    from PreludeCorrelator.pluginmanager import Plugin
    from PreludeCorrelator.context import Context

    localtime = time.localtime()
    timestamp = time.strftime('%d %b %H:%M:%S', localtime)
    print(str(timestamp) + ' HeartBleed plugin (correlator) INFO: Starting...')


    class heartbleed(Plugin):
        def run(self, idmef):
            # React only to the IPS classifications that indicate a HeartBleed attempt
            if not idmef.match('alert.classification.text', re.compile('^OpenSSL Information Disclosure$|^Other security event$')):
                return
            addr = idmef.Get('alert.target(*).node.address(*).address')
            if not addr:
                return
            # Get() with a (*) path returns a list; the check is run against the first target address
            if isinstance(addr, (list, tuple)):
                addr = addr[0]
            port = idmef.Get('alert.target(0).service.port')
            if not port:
                port = '443'
            # Run the external checker against the attacked host; the argument list is passed
            # without a shell so that addr and port reach the script as plain arguments
            cmd = ['python2.6', '/etc/prelude-correlator/heartbleed.py', str(addr), '-p', str(port)]
            print(' '.join(cmd))
            p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                 stderr=subprocess.STDOUT, close_fds=True)
            while True:
                s = p.stdout.readline()
                if not s:
                    break
                if re.findall('host is vulnerable', s):
                    # Raise a separate correlation alert linked to the original IDMEF message
                    ctx = Context(("HEART_BLEED", addr), update=True, idmef=idmef)
                    ctx.Set("alert.classification.text", "HeartBleed vulnerability detected")
                    ctx.Set("alert.correlation_alert.name", "HeartBleed vulnerability detected")
                    ctx.Set("alert.assessment.impact.severity", "high")
                    ctx.Set("alert.classification.reference(0).origin", "vendor-specific")
                    ctx.Set("alert.classification.reference(0).name", "CVE-2014-0160")
                    ctx.alert()
                    ctx.destroy()
                    print('Vulnerable!')
                    p.wait()
                    return
            p.wait()

In this example, the following script is used to check for the vulnerability: gist.github.com/sh1n0b1/10100394. It should be located in the same directory as the correlation plugin. For the above example, this path is /etc/prelude-correlator/heartbleed.py.

Also, do not forget to create an exception on the IPS sensors for the 4187.x signatures and the source address where Prelude is installed; otherwise we get a recursion: attack -> correlation rule, whose check is itself detected by the IPS (we use essentially the same heartbleed request) -> new IPS alert -> correlation -> and so on. This can be done through an Event Action Filter.
Or you can rule out the recursion in the rule itself by adding:
            # skip alerts whose source is the Prelude-Correlator host itself
            if idmef.match("alert.source(0).node.address(0).address", re.compile(r"0\.0\.0\.0")):  # <- Prelude-Correlator addr
                return

But if you do not configure the Event Action Filter, our IPS will react to the check itself performed by Prelude. If the sensor blocks it, we will not be able to check for the vulnerability at all.

After setting up the rule, when the Cisco 4187.0 signature is triggered, we get the following result:

In fact, this means that a host vulnerable to this attack has been attacked. The correlation rule in the example waits for events named '^OpenSSL Information Disclosure$|^Other security event$'. Of course, you need not limit yourself to one event from Cisco IPS. By the same principle, correlation of IPS events from any other vendors connected to the system can be performed.
You can also bind to the login event on the web server: if the server is vulnerable, the account used to log in is potentially compromised.
The rule described in this article is just an example of a special case, written for the most topical event of the moment. All other wishes are limited only by imagination and Python (read: not limited by anything). For example, in the proposed script you can add various scenarios: check only your own resources (only grey addresses / a pool of external addresses), change the IP and port of the "victim" if our resource is behind NAT, etc.
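As an added example (not the author's plugin code), here is how the three refinements just mentioned, checking only your own resources, rewriting the "victim" through NAT and skipping the correlator's own traffic, can be decided in one function before the check is launched; the correlator address, address pools and NAT table are constructed placeholders.

```python
import re
import ipaddress

# Constructed placeholders (hypothetical values): the correlator's own address, the address
# pools we are allowed to check, and a static NAT table mapping a public (ip, port) to the
# internal host that actually runs the service.
CORRELATOR_ADDR = "0.0.0.0"
OWN_POOLS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("203.0.113.0/24")]
NAT_TABLE = {("203.0.113.10", 443): ("192.168.10.5", 8443)}
# The same trigger names the plugin on the page waits for.
TRIGGER_RE = re.compile(r"^OpenSSL Information Disclosure$|^Other security event$")


def check_target(alert):
    """Decide whether, and against which (ip, port), the vulnerability check should run
    for one IDMEF-like alert given as a flat dict. Returns None when it should not run."""
    if not TRIGGER_RE.match(alert.get("alert.classification.text", "")):
        return None
    # Recursion guard: the check itself trips the same IPS signature, so ignore alerts
    # whose source is the correlator.
    if alert.get("alert.source(0).node.address(0).address") == CORRELATOR_ADDR:
        return None
    addr = alert.get("alert.target(0).node.address(0).address")
    if not addr:
        return None
    port = int(alert.get("alert.target(0).service.port") or 443)  # plugin's default port
    # Only test hosts we own: grey (private) ranges or our own external pool.
    if not any(ipaddress.ip_address(addr) in net for net in OWN_POOLS):
        return None
    # If the "victim" is a NATed public address, rewrite it to the real listener.
    return NAT_TABLE.get((addr, port), (addr, port))


def make_alert(classification, src, dst, dport=None):
    """Build a constructed flat IDMEF-like alert dict for exercising check_target()."""
    alert = {
        "alert.classification.text": classification,
        "alert.source(0).node.address(0).address": src,
        "alert.target(0).node.address(0).address": dst,
    }
    if dport is not None:
        alert["alert.target(0).service.port"] = dport
    return alert
```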

7. Epilogue


In conclusion, it is also worth mentioning the possibility of collecting events through SDEE.
Because this article considered the configuration for the OSS version of Prelude, IPS and Prelude had to be made friends through SNMP (for IPS modules / appliances) and syslog (for IOS-IPS). But, as mentioned in section 4, all of these devices can also work through SDEE. In that case it becomes possible to receive events from the IPS in a uniform form with the most complete information about each alert. To do this, you need an SDEE connector, which is present only in the commercial version of Prelude.

Other differences of the commercial version, Prelude Pro:

  • performance;
  • the ability to connect slave managers;
  • additional functions in Prewikka (authentication via LDAP, the ability to embed your own commands in the web interface, etc.);
  • additional modules (log management, an inventory system, etc.)

Again it turned out voluminous; I tried to "squeeze" it as best I could.
Hope it was interesting and helpful.
Good luck in catching incidents!
_____
Materials used in the article:
CSM User Guide: www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-6/user/guide/CSMUserGuide.html
IME notification example: www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/111659-ips-email-ime-config.html
IOS IPS events via IME: www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/113576-ptn-113576.html
Prelude OSS official page: www.prelude-ids.org
Overview of the Prewikka interface: is-systems.org/siem/interface
