Closed Jymit closed 6 years ago
On-Prem to AWS S3 Snapshot
sudo bin/elasticsearch-plugin install repository-s3
$ bin/elasticsearch-plugin list
repository-s3
Docs (https://www.elastic.co/guide/en/elasticsearch/plugins/6.3/repository-s3-usage.html)
The plugin provides a repository type named s3 which may be used when creating a repository. The repository defaults to using IAM Role credentials for authentication. The only mandatory setting is the bucket name:
bin/elasticsearch-keystore add s3.client.default.access_key
bin/elasticsearch-keystore add s3.client.default.secret_key
bin/elasticsearch-keystore list
keystore.seed
s3.client.default.access_key
s3.client.default.secret_key
a day in the life of a network analyst with the Elastic Stack
Preamble: We have customers who use the Elastic Stack within SOCs and NOCs, and I am sure we can also be found in a war room. The following shares some tools that such analysts may leverage day to day to perform their roles alongside the Elastic Stack. Note, there are a variety of tools that can be used, but this knowledge share comes from the tools used in SANS FOR572 training. See here for more on that. Supplementary resources here.
I write this as we have many soc.....
What is SOF-ELK: SOF-ELK is the "Security Operations and Forensics Elasticsearch, Logstash, and Kibana - an appliance-like VM that's ready to ingest a variety of log and NetFlow data for DFIR and security operations purposes." See here for the GitHub page. It currently runs on RH7.2 with Elasticsearch v2.4.1 and Kibana v4.5.4.
What is SIFT:
What is Wireshark:
What is BRO:
What is Moloch:
Moloch is the biblical name of a Canaanite god associated with child sacrifice.
But in this instance it is an open source, large scale, full packet capturing, indexing, and database system.
See here for more.
Some common Tcpdump Filters:
The timezone is always in UTC.
-n Do not resolve names to IP
-s A snaplength of 0 captures everything. -s 100 (capture the first 100bytes of each packet)
-i Interface to listen on
-w Write out to file
-c 1000 Capture the first 1000 packets from the network interface
-G 86400 Rotate the output file every 86400 seconds
sudo tcpdump -n -s 0 -i eth0 -w output.pcap 'host 172.16.101.193 and port 80'
Listening on interface eth0 and writing out to a pcap file called output.pcap, keeping only traffic to or from 172.16.101.193 on port 80. Confirm the file type, record its hash and check the capture's time range before handing it over:
file output.pcap
md5sum output.pcap
capinfos -Hae output.pcap
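The md5sum step above is worth doing for every rotated file, not just the last one. The following added script (my own example, not part of the original notes) records a hash line per capture file and can re-verify the set later; it assumes GNU coreutils (md5sum, sha256sum) and, for the rotation hook, tcpdump's -z flag, which runs a command with the just-closed file as its only argument.

```shell
#!/bin/sh
# Added example, not from the original notes. Records md5/sha256 of each
# capture file as it is produced so a pcap stored for DFIR or handed to the
# network team can later be shown to be unmodified. Assumes GNU coreutils.
# Hypothetical invocation together with the -G rotation from the notes:
#   PCAP_MANIFEST=/var/tmp/captures.manifest \
#   sudo tcpdump -n -s 0 -i eth0 -G 86400 -w 'cap-%Y%m%d-%H%M%S.pcap' -z "$0"

MANIFEST=${PCAP_MANIFEST:-./captures.manifest}

# record_hash FILE: append "sha256 md5 size utc-time basename" for FILE
record_hash() {
  f=$1
  sha=$(sha256sum "$f" | cut -d' ' -f1)
  md5=$(md5sum "$f" | cut -d' ' -f1)
  size=$(wc -c < "$f" | tr -d ' ')
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # UTC, matching tcpdump's timestamps
  printf '%s %s %s %s %s\n' "$sha" "$md5" "$size" "$ts" "$(basename "$f")" >> "$MANIFEST"
}

# verify_manifest DIR: re-hash every listed file in DIR; 0 if all match, 1 otherwise
verify_manifest() {
  dir=$1; rc=0
  while read -r sha md5 size ts name; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then echo "MISSING  $name"; rc=1; continue; fi
    if [ "$(sha256sum "$f" | cut -d' ' -f1)" = "$sha" ] && \
       [ "$(md5sum "$f" | cut -d' ' -f1)" = "$md5" ]; then
      echo "OK       $name ($size bytes, recorded $ts)"
    else
      echo "MODIFIED $name"; rc=1
    fi
  done < "$MANIFEST"
  return $rc
}

# When invoked by tcpdump -z (exactly one argument, the rotated file), record it.
if [ $# -eq 1 ] && [ -f "$1" ]; then record_hash "$1"; fi
```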
Some common Wireshark Filters:
tcp.port==80
ip.src==204.51.94.202
(not tcp.port==80 and not tcp.port==8080) and http contains "stolen"
dns.flags.response==1 and dns.count.answers > 5 and dns.query.name contains "co.cc"
http and http.cookie matches "(?i)username"
ip.addr==192.168.1.64 and http.response.code >=300 and http.response.code < 400
http.response.code in {200 206 404 301 302}
host 192.168.1.64
dns.a !=65.175.87.70
dns.a && !(dns.a==65.175.87.70)
Note the last two are not equivalent: a packet with several A records matches dns.a != x as soon as any one of them differs, whereas dns.a && !(dns.a==x) excludes any packet containing x at all.
Encoding with base64 as well as decoding:
$ openssl enc -base64 <<< 'Hello, World!'
SGVsbG8sIFdvcmxkIQo=
$ echo `echo SGVsbG8sIFdvcmxkIQo= |base64 --decode`
Hello, World!
Elasticsearch & F5 BigIP Virtual edition (trial) in downloads. On GCP: https://console.cloud.google.com/launcher/browse?filter=category:networking&q=f5&pli=1
Elastic Stack Network Troubleshooting
We may get a customer who says they have great network connections between nodes {for transport 9300} in the cluster and never face network drops.
As much as it is easy for us to say "go check with your network team for any drops in service between Tuesday, 3 July 2018 15:48:37 and Tuesday, 3 July 2018 15:52:37 (epoch equivalents 1530632917 and 1530633157), because we saw a master node ping three times and not hear anything back",
We should have in our tool bag options to aid the networking troubleshooting process, aid in confirming this is not an Elastic Stack issue and seek to be more efficient with ticket time keeping and movement.
Suppose we have node a and node b which are seeing network drops, and we have already checked the respective elasticsearch.log files on both sides. The tools that remain:
netstat ping traceroute tcpdump pcap wireshark dns?
self note.... find cool cli for 9200 9300 quick troubleshooting
using external feeds/tools for enrichment.
Other:
Elastic Stack Machine Learning
https://www.elastic.co/guide/en/x-pack/5.4/ml-apis.html https://www.elastic.co/guide/en/x-pack/5.4/ml-get-job.html
single job multimetric job
scenario 1: For wifi logging collected into Elasticsearch across all business units, run ML to create a baseline, then when the number of connected MAC addresses falls below the baseline treat this as anomalous and fire an action {email, log, slack, hipchat etc}.
Note to date.