Easier integration with SIEM, IDS and the like.

[johnnykv]

In order to make Conpot more attractive as a Computer Network Defence (CND) asset we should make it easier to integrate Conpot into SIEM systems. In order to facilitate this integration i propose that we extend Conpot with capabilities to report in a standardised format for Cyber (gotta love the word!) observables. My initial and inconclusive findings regarding relevant frameworks includes:

• Cybox/Stix - Structured Threat Information eXpression.
• VERIS - Verizon Enterprise Risk and Incident Sharing metrics framework)
• OpenIOC - Open Indicators of Compromise... This might be a subset of Cybox (which Stix is based on).

After a bit of study, i think Cybox/Stix is the most relevate. It seems to have good traction and nice facilities to describe observables. I would love to hear your guys take on this, especially if you know of better frameworks to do this?

An modbus entry in cybox could look something like:

<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:PortObj="http://cybox.mitre.org/objects#PortObject-2"
    xmlns:SocketAddressObj="http://cybox.mitre.org/objects#SocketAddressObject-1"
    xmlns:NetworkConnectionObj="http://cybox.mitre.org/objects#NetworkConnectionObject-2"
    xmlns:ModbusSessionObj="http://xxx.yyy.zzz/objects#ModbusSessionObj-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://cybox.mitre.org/cybox-2 ../cybox_core.xsd
    http://cybox.mitre.org/objects#NetworkConnectionObject-2 ../objects/Network_Connection_Object.xsd"
    cybox_major_version="2" cybox_minor_version="0" cybox_update_version="1">
    <cybox:Observable id="example:Observable-1b427720-98d7-4735-b125-754c7e08f285">
        <cybox:Description>
            This Observable specifies an example instance of a Network Connection Object with an HTTP Session.
        </cybox:Description>
        <cybox:Object id="example:Object-d1fdd983-530b-489f-9ab8-ed3cb5212c35">
            <cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
                <NetworkConnectionObj:Layer3_Protocol datatype="string">IPv4</NetworkConnectionObj:Layer3_Protocol>
                <NetworkConnectionObj:Layer4_Protocol datatype="string">TCP</NetworkConnectionObj:Layer4_Protocol>
                <NetworkConnectionObj:Layer7_Protocol datatype="string">Modbus</NetworkConnectionObj:Layer7_Protocol>
                <NetworkConnectionObj:Source_Socket_Address>
                    <SocketAddressObj:IP_Address>
                        <AddressObj:Address_Value>192.168.1.15</AddressObj:Address_Value>
                    </SocketAddressObj:IP_Address>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>5525</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Source_Socket_Address>
                <NetworkConnectionObj:Destination_Socket_Address>
                    <SocketAddressObj:IP_Address>
                        <AddressObj:Address_Value>198.49.123.10</AddressObj:Address_Value>
                    </SocketAddressObj:IP_Address>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>502</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Destination_Socket_Address>
                <NetworkConnectionObj:Layer7_Connections>
                    <NetworkConnectionObj:Modbus>
                        <ModbusSessionObj:Modbus_Request_Response>
                            <ModbusSessionObj:Modbus_Client_Request>
                                <ModbusSessionObj:Modbus_Request_Line>
                                    <ModbusSessionObj:Request datatype="string">0f0001000801ff</ModbusSessionObj:Request>
                                 </ModbusSessionObj:Modbus_Client_Request>
                            <ModbusSessionObj:Modbus_Server_Response>
                            <ModbusSessionObj:Response datatype="string"> 0f00010008</ModbusSessionObj:Request>
                            </ModbusSessionObj:Modbus_Server_Response>
                        </ModbusSessionObj:Modbus_Request_Response>
                    </NetworkConnectionObj:Modbus_Session>
                </NetworkConnectionObj:Layer7_Connections>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

[glaslos]

I like the fact that they have extensive tools available: https://github.com/STIXProject

[johnnykv]

yes, tools are important. I'll try to dig into the STIX framework in the comming days. A nice introduction to STIX: https://msm.mitre.org/docs/STIX-Whitepaper.pdf

[johnnykv]

Just to get a feel of the framework i will start by writing a few glastopf -> cybox transform for mnemosyne and publish them live on the cybox hpfriends channel. I choose to go with glastopf initially because it uses a well known protocol which have native cybox/stix support... If the glastopf endeavour goes well i will try to write some transforms for conpot.

[johnnykv]

Very basic STIX data from conpot: https://gist.github.com/johnnykv/7725345

[glaslos]

No payload?

[johnnykv]

We will have full STIX wise payloads for HTTP requests. For SNMP, modbus, S7COMM, etc we will only append the payload as some kind of basic log string since STIX don't have native formats for those formats. Another option that is well supported by STIX is appending a PCAP to a incident - but i am unsure how easy it would be to record specific PCAPs for each conpot session.

[glaslos]

Article on data sharing: http://researchcenter.paloaltonetworks.com/2013/11/threat-intelligence-sharing/

[glaslos]

Closed by #112