splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Parser for ThreatWise (Metallic.io) #2255

Closed jzcal8300 closed 6 months ago

jzcal8300 commented 10 months ago

What is the sc4s version? 2.49.8

Is there a pcap available? No, I do have sample data:

When event syslogs are sent from Appliances, PING and SCAN events are represented by a single line; all other events are represented by two lines.

The first event line (which for PING and SCAN events is the only line) has the following format:

Date Time TSOC_name-IP-sensors Trap_type[Session_ID]Protocol : Service Timestamp : Trap_IP : Trap_port : Attacker_IP : Attacker_port : Interface : Emulated_OS : Session_ID

where

Trap_type is traps for an emulation trap event or nis for an NIS event
Protocol is the transport type (IP / TCP / UDP)
Service is generally the emulated service
NIS events do not have Event_type or Timestamp

For example (PING):

Nov 7 14:45:56 threatwise-192.168.200.40-sensors traps[22]IP : PING : 1667832356.249 : 192.168.200.41 : 0 : 192.168.200.254 : 0 : eth0 : Windows_Server : 22

Events that are neither PING nor SCAN have an additional line in the following format:

Date Time TSOC_name-IP-sensors Trap_type[Session_ID]Protocol : Service : Event_type : Interface : Emulated_OS : Session-ID | Details

where, in addition to fields as in first line,

Event_type is the attack type or stage: Scan / Connection / Reconnaissance / Interaction / Infection
Details is a set of pipe (|) -separated fields depending on attack type

Nov 9 10:19:25 threatwise-192.168.200.40-sensors traps[90]IP : OS SCAN : 1667989127.549 : 192.168.200.41 : 80 : 192.168.200.64 : 37501 : eth0 : Linux_Server : 90

Nov 9 10:19:25 threatwise-192.168.200.40-sensors traps[90]IP : OS SCAN : Scan : eth0 : Linux_Server : 90|Port scanning : 80,3306,443,80,80,80,80,80,80,80,80,80 : 1667989165.837

Nov 9 13:21:59 threatwise-192.168.200.40-sensors traps[91]TCP : SMB : 1668000108.064 : 192.168.200.41 : 445 : 192.168.200.154 : 3876 : eth0 : Windows_Server : 91

Nov 9 13:21:59 threatwise-192.168.200.40-sensors traps[91]TCP : SMB : Reconnaissance : eth0 : Windows_Server : 91|Establish Connection: from port 3876 : 1668000108.066|Logon: , Domain: TESTLAB , Username: Administrator (SMB2) : 1668000108.09|Logon: Failure : with no DC : 1668000108.098|Establish Connection: from port 3877 : 1668000108.124|Logon: , Domain: TESTLAB , Username: Administrator (SMB2) : 1668000108.149

What is the vendor name? Metallic

What's the product name? Threatwise (TSOC)

Feature Request description: Create a parser for threatwise logs

Should it support TCP or UDP? UDP

Do you want to have it for local usage or prepare a github PR? local
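The two-line format described in this report, as an added example that is not part of the original issue or of the SC4S project: a Python parser that validates the header, splits the session line and the event line into named fields, checks that the trailing Session_ID repeats the bracketed one, and correlates both lines of a trap on Session_ID. It assumes one or two spaces before the day in the syslog timestamp and does not cover NIS lines, for which the issue gives no sample.

```python
import re
# Header shared by both line types (assumption: one or two spaces may precede the day, as in BSD syslog).
HEADER = re.compile(r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<trap_type>\w+)\[(?P<session_id>\d+)\](?P<protocol>\w+) : (?P<rest>.*)$")
# Field layouts from the issue; the trailing Session_ID of each layout is checked, not stored twice.
SESSION_FIELDS = ("service", "timestamp", "trap_ip", "trap_port", "attacker_ip", "attacker_port", "interface", "emulated_os")
EVENT_FIELDS = ("service", "event_type", "interface", "emulated_os")

def parse_threatwise(line):
    """Parse one ThreatWise syslog line into a dict; raise ValueError on a malformed line."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a ThreatWise trap line: %r" % line)
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    body, _, details = m.group("rest").partition("|")   # details exist only on the second line
    values = [v.strip() for v in body.split(" : ")]
    if values[-1] != rec["session_id"]:                  # the tail must repeat the bracketed id
        raise ValueError("session id mismatch: %r" % line)
    fields = values[:-1]
    if len(fields) == len(SESSION_FIELDS) and not details:
        rec["line_type"] = "session"                     # first (or, for PING/SCAN, only) line
        rec.update(zip(SESSION_FIELDS, fields))
    elif len(fields) == len(EVENT_FIELDS):
        rec["line_type"] = "event"                       # second line: stage plus pipe-separated details
        rec.update(zip(EVENT_FIELDS, fields))
        rec["details"] = []
        for d in filter(None, details.split("|")):       # each detail ends with its own epoch timestamp
            msg, sep, ts = d.rpartition(" : ")
            rec["details"].append({"message": msg.strip() if sep else d.strip(), "timestamp": ts.strip() if sep else ""})
    else:                                                # NIS lines (no Timestamp) are not covered: no sample in the issue
        raise ValueError("unexpected field count %d: %r" % (len(fields), line))
    return rec

def correlate(lines):
    """Merge the session and event lines of one trap on session_id (assumption: ids are unique per batch)."""
    sessions = {}
    for line in lines:
        rec = parse_threatwise(line)
        merged = sessions.setdefault(rec["session_id"], {"lines": 0})
        merged.update({k: v for k, v in rec.items() if k != "line_type"})
        merged["lines"] += 1
    return sessions

# Sample lines copied from the issue report (PING session line, SMB session line, SMB event line).
SAMPLE = [
    "Nov 7 14:45:56 threatwise-192.168.200.40-sensors traps[22]IP : PING : 1667832356.249 : 192.168.200.41 : 0 : 192.168.200.254 : 0 : eth0 : Windows_Server : 22",
    "Nov 9 13:21:59 threatwise-192.168.200.40-sensors traps[91]TCP : SMB : 1668000108.064 : 192.168.200.41 : 445 : 192.168.200.154 : 3876 : eth0 : Windows_Server : 91",
    "Nov 9 13:21:59 threatwise-192.168.200.40-sensors traps[91]TCP : SMB : Reconnaissance : eth0 : Windows_Server : 91|Establish Connection: from port 3876 : 1668000108.066|Logon: , Domain: TESTLAB , Username: Administrator (SMB2) : 1668000108.09|Logon: Failure : with no DC : 1668000108.098",
]
```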

ikheifets-splunk commented 9 months ago

Hello, @jzcal8300 ! Can you please send me a .pcap file with the logs that your device produces. You can send it to my email: ikheifets@splunk.com

jzcal8300 commented 9 months ago

I will get those over to you as soon as possible. We are now running SC4S version 3.6.0

ikheifets-splunk commented 9 months ago

Hello, @jzcal8300 !

Splunk support sent me your attachments. But can you please give me a real .pcap file that I can open in Wireshark. From such a file I can understand what protocol your device uses for logs, which port it uses for log streaming, what log headers it uses, etc.

There is also another point that I want to discuss regarding the logs. You sent me lots of different logs; can you please send me a pcap with only the logs specific to your device. I really don't know which of those logs I need to parse, you provided too many different logs.

jzcal8300 commented 7 months ago

Hi ikheifets-splunk,

Was wondering if you received my email with a pcap for this parser?

Thanks,

ikheifets-splunk commented 7 months ago

Hello, @jzcal8300 ! The pcap file that you sent me on 24 Jan does not contain syslog messages. I just opened your pcap in Wireshark and it contains only noise :(

ikheifets-splunk commented 7 months ago

@jzcal8300, in general it's not okay that we haven't been able to solve this issue for 3 months and you can't provide me a real example of a log message.

Please schedule a call and send me an invite by email: ikheifets@splunk.com. I will be available during next week, at 14:00-20:00 (UTC +1)

jzcal8300 commented 7 months ago

@ikheifets-splunk Sorry that it has taken so long. I will get a call scheduled and send you the invite.

Thanks

ikheifets-splunk commented 6 months ago

@jzcal8300 I will provide a local parser that you can embed in your SC4S instance, because you haven't provided me a pcap with your logs; for this reason we will recognise your device by IP/hostname.

block parser app-netsource-metallic_threatwise() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index('netops')
                sourcetype('metallic:threatwise')
                vendor('metallic')
                product('threatwise')
                template('t_hdr_msg')
            );
        };
    };
};

application app-netsource-metallic_threatwise[sc4s-network-source] {
    filter {
        host("metallic-") or netmask(192.168.100.1/24);
    };
    parser { app-netsource-metallic_threatwise(); };
};

On today's call I will explain how to embed this local parser in your SC4S instance.

ikheifets-splunk commented 6 months ago

Resolved on call with @jzcal8300