mushorg / conpot

ICS/SCADA honeypot
GNU General Public License v2.0
1.25k stars 415 forks source link

Easier integration with SIEM, IDS and the like. #106

Closed johnnykv closed 10 years ago

johnnykv commented 11 years ago

In order to make Conpot more attractive as a Computer Network Defence (CND) asset we should make it easier to integrate Conpot into SIEM systems. In order to facilitate this integration i propose that we extend Conpot with capabilities to report in a standardised format for Cyber (gotta love the word!) observables. My initial and inconclusive findings regarding relevant frameworks includes:

After a bit of study, i think Cybox/Stix is the most relevate. It seems to have good traction and nice facilities to describe observables. I would love to hear your guys take on this, especially if you know of better frameworks to do this?

An modbus entry in cybox could look something like:

<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2"
    xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1"
    xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
    xmlns:ModbusSessionObj="http://xxx.yyy.zzz/objects#ModbusSessionObj-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://cybox.mitre.org/cybox-2 ../cybox_core.xsd
    http://cybox.mitre.org/objects#NetworkConnectionObject-2 ../objects/Network_Connection_Object.xsd"
    cybox_major_version="2" cybox_minor_version="0" cybox_update_version="1">
    <cybox:Observable id="example:Observable-1b427720-98d7-4735-b125-754c7e08f285">
        <cybox:Description>
            This Observable specifies an example instance of a Network Connection Object with an HTTP Session.
        </cybox:Description>
        <cybox:Object id="example:Object-d1fdd983-530b-489f-9ab8-ed3cb5212c35">
            <cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
                <NetworkConnectionObj:Layer3_Protocol datatype="string">IPv4</NetworkConnectionObj:Layer3_Protocol>
                <NetworkConnectionObj:Layer4_Protocol datatype="string">TCP</NetworkConnectionObj:Layer4_Protocol>
                <NetworkConnectionObj:Layer7_Protocol datatype="string">Modbus</NetworkConnectionObj:Layer7_Protocol>
                <NetworkConnectionObj:Source_Socket_Address>
                    <SocketAddressObj:IP_Address>
                        <AddressObj:Address_Value>192.168.1.15</AddressObj:Address_Value>
                    </SocketAddressObj:IP_Address>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>5525</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Source_Socket_Address>
                <NetworkConnectionObj:Destination_Socket_Address>
                    <SocketAddressObj:IP_Address>
                        <AddressObj:Address_Value>198.49.123.10</AddressObj:Address_Value>
                    </SocketAddressObj:IP_Address>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>502</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Destination_Socket_Address>
                <NetworkConnectionObj:Layer7_Connections>
                    <NetworkConnectionObj:Modbus>
                        <ModbusSessionObj:Modbus_Request_Response>
                            <ModbusSessionObj:Modbus_Client_Request>
                                <ModbusSessionObj:Modbus_Request_Line>
                                    <ModbusSessionObj:Request datatype="string">0f0001000801ff</ModbusSessionObj:Request>
                                 </ModbusSessionObj:Modbus_Client_Request>
                            <ModbusSessionObj:Modbus_Server_Response>
                            <ModbusSessionObj:Response datatype="string"> 0f00010008</ModbusSessionObj:Request>
                            </ModbusSessionObj:Modbus_Server_Response>
                        </ModbusSessionObj:Modbus_Request_Response>
                    </NetworkConnectionObj:Modbus_Session>
                </NetworkConnectionObj:Layer7_Connections>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>
glaslos commented 11 years ago

I like the fact that they have extensive tools available: https://github.com/STIXProject

johnnykv commented 11 years ago

yes, tools are important. I'll try to dig into the STIX framework in the comming days. A nice introduction to STIX: https://msm.mitre.org/docs/STIX-Whitepaper.pdf

johnnykv commented 11 years ago

Just to get a feel of the framework i will start by writing a few glastopf -> cybox transform for mnemosyne and publish them live on the cybox hpfriends channel. I choose to go with glastopf initially because it uses a well known protocol which have native cybox/stix support... If the glastopf endeavour goes well i will try to write some transforms for conpot.

johnnykv commented 10 years ago

Very basic STIX data from conpot: https://gist.github.com/johnnykv/7725345

glaslos commented 10 years ago

No payload?

johnnykv commented 10 years ago

We will have full STIX wise payloads for HTTP requests. For SNMP, modbus, S7COMM, etc we will only append the payload as some kind of basic log string since STIX don't have native formats for those formats. Another option that is well supported by STIX is appending a PCAP to a incident - but i am unsure how easy it would be to record specific PCAPs for each conpot session.

glaslos commented 10 years ago

Article on data sharing: http://researchcenter.paloaltonetworks.com/2013/11/threat-intelligence-sharing/

glaslos commented 10 years ago

Closed by #112