
How to improve the threat detection capability of small and medium-sized enterprises through Kibana, Wazuh and Bro IDS

2025-04-06 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article shows how small and medium-sized enterprises can improve their threat detection capability with Kibana, Wazuh and Bro IDS. It goes into quite a lot of detail, so readers who are interested can follow along step by step.

Recently we have been using free and open source tools to help small and medium-sized enterprises improve their network threat detection. This walkthrough takes you step by step through Kibana, Wazuh and Bro IDS so that you can do the same for your own organisation.

What is Wazuh?

Wazuh is a host-based intrusion detection system built on the OSSEC engine. Combined with the ELK stack (Elasticsearch, Logstash, Kibana), it lets administrators browse system logs, alerts and rule configuration from a single log platform.

Install ELK & Wazuh

The Wazuh project publishes a very detailed official installation guide; follow it to install Elasticsearch, Logstash, Kibana and the Wazuh manager. Once the installation succeeds, Kibana with the Wazuh app is reachable at http://your_server:5601. Do not expose port 5601 directly to untrusted networks: restrict it with a firewall or put it behind a reverse proxy that enforces authentication.

Install Bro

Bro (renamed Zeek in 2018, so current documentation and downloads use that name) is an open source network IDS. Installing it is relatively easy, but wiring it into Kibana is considerably more involved. We tried several online tutorials and none of them worked as written, so we wrote our own installation guide; just repeat the steps below and save yourself the time.

Ubuntu installation

Git is normally already present on Ubuntu (if not, install it with sudo apt-get install git). Clone the repository together with its submodules; the files are placed in a directory called bro.

git clone --recursive git://git.bro.org/bro

Switch to the project directory

cd bro

Run Bro's configure script (this should take less than a minute), then build it with make. Compiling takes noticeably longer than configuring.

./configure
make

While make runs, most output lines start with a completion percentage.

When the build finishes, install Bro (this should take less than a minute).

sudo make install

Bro is installed under /usr/local/bro.

Now add /usr/local/bro/bin to $PATH. The cleanest way to make it available to every login shell is a file under /etc/profile.d; we call ours 3rd-party.sh and it contains a single line:

/etc/profile.d/3rd-party.sh
export PATH=$PATH:/usr/local/bro/bin

Log out and back in (or source the file) for the change to take effect in your current shell.

Now that Bro is installed, a few configuration changes are needed before it will work properly.

Configure Bro

We need to modify some of Bro's configuration files. They live in /usr/local/bro/etc and the three that matter here are:

node.cfg, which configures the nodes to monitor.

networks.cfg, which lists the networks (in CIDR notation) that are local to the node.

broctl.cfg, the global BroControl configuration for mail, logging and other settings.

Let's take a look at what needs to be changed in each file.

Configure nodes to monitor

To configure the node that Bro monitors, edit node.cfg.

Out of the box, Bro is configured to run in standalone mode. Since this is a standalone installation you should not need to change the file, but check that the values are correct.

Open the file for editing.

sudo nano /usr/local/bro/etc/node.cfg

In the [bro] section, find the interface parameter. Its default value is eth0, which must match the interface you want Bro to monitor on your Ubuntu 16.04 server. Newer Ubuntu releases use predictable interface names such as ens3 or enp0s3; list them with ip link and change the value if it differs.

/usr/local/bro/etc/node.cfg

[bro]
type=standalone
host=localhost
interface=eth0

Save and close the file when you are finished. Next, we configure the private networks the node belongs to.

networks.cfg lists the IP networks the node treats as local (the networks behind the interface you are monitoring). BroControl turns this list into Site::local_nets, which is what Bro uses to fill the local_orig and local_resp fields of conn.log, so an inaccurate list makes any "internal versus external" filtering you do later in Kibana unreliable.

We open the file.

sudo nano /usr/local/bro/etc/networks.cfg

By default, the file ships with the three private (RFC 1918) address blocks as examples.

/usr/local/bro/etc/networks.cfg

# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space

Delete the three existing entries and add your own. You can find the network address of the server's interface with ip addr show. Your networks.cfg should end up looking like this:

Example /usr/local/bro/etc/networks.cfg

192.168.1.0/24      Public IP space
172.16.100.0/24     Private IP space

Save and close the file when you are done editing. Mail and logging settings live in broctl.cfg and can be left at their defaults for this setup; next we start Bro with BroControl.

Use BroControl to manage Bro

BroControl manages the Bro installation: starting and stopping the service, deploying configuration, and other administrative tasks. It is both a command-line tool and an interactive shell.

Running sudo /usr/local/bro/bin/broctl with no arguments starts the interactive shell:

Welcome to BroControl 1.5-21

Type "help" for help.

[BroControl] >

Type exit to leave the interactive shell.

In the shell you can run any valid BroControl command. You can also run the same commands directly from the command line without entering the shell; one advantage of doing so is that you can pipe broctl output into standard Linux tools. In what follows we invoke broctl from the command line.

First, start Bro with broctl deploy, which checks the policy scripts for errors, installs them and (re)starts the node:

sudo /usr/local/bro/bin/broctl deploy

Convert Bro logs to JSON

By default, Bro writes its logs as TSV (tab-separated values) files. Elasticsearch ingests JSON more efficiently, and JSON keeps the field names with every record instead of in a header line, so we switch Bro to JSON output.

Append the following to Bro's site policy, /usr/local/bro/share/bro/site/local.bro (the site policy for an installation under /usr/local/bro):

@load tuning/json-logs
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
redef LogAscii::use_json = T;

Then redeploy Bro; from now on all log files are written as JSON. Use deploy rather than restart here: restart alone does not reinstall changed policy scripts, so an edit to local.bro would not take effect.

sudo /usr/local/bro/bin/broctl deploy

Filebeat

First, move the original Wazuh Filebeat configuration into a newly created conf.d directory and replace filebeat.yml with a stub that loads every file in that directory. You only need to paste the following:

cd /etc/filebeat
mkdir conf.d
mv filebeat.yml conf.d/
cat > filebeat.yml <<EOF
filebeat:
  config_dir: /etc/filebeat/conf.d
output:
  logstash:
    # The Logstash hosts
    hosts: ["127.0.0.1:5000"]
EOF

One check worth making: according to the Filebeat documentation for config_dir, only the prospector section of each file in that directory is processed, so the output settings in the per-file configurations are ignored and the output in this top-level filebeat.yml applies to everything. Make sure the port here is the one your Logstash beats input actually listens on for the logs you expect to arrive there.

Then create the Bro Filebeat configuration in /etc/filebeat/conf.d/filebeat_bro.yml:

filebeat:
  prospectors:
    - input_type: log
      paths:
        - "/usr/local/bro/spool/bro/conn.log"
      document_type: json
      json.message_key: log
      json.keys_under_root: true
      json.overwrite_keys: true
    - input_type: log
      paths:
        - "/usr/local/bro/spool/bro/dns.log"
      document_type: json
      json.message_key: log
      json.keys_under_root: true
      json.overwrite_keys: true
    - input_type: log
      paths:
        - "/usr/local/bro/spool/bro/http.log"
      document_type: json
      json.message_key: log
      json.keys_under_root: true
      json.overwrite_keys: true
    - input_type: log
      paths:
        - "/usr/local/bro/spool/bro/intel.log"
      document_type: json
      json.message_key: log
      json.keys_under_root: true
      json.overwrite_keys: true
    # copy inputs to add additional bro logs as needed
output:
  logstash:
    # The Logstash hosts
    hosts: ["127.0.0.1:5001"]

Logstash

Our Logstash pipeline, /etc/logstash/conf.d/bro.conf, is below. Note that its filter section was written for Bro's default TSV output: dropping lines that begin with #, splitting on tabs with the csv filter and matching ts against the UNIX pattern all assume tab-separated lines with an epoch timestamp. If you switched Bro to JSON as described above and let Filebeat decode it (json.keys_under_root: true), the Bro fields already arrive as event fields, the Filebeat document_type of json means [type] never equals bro-conn_log (so that whole block is skipped), and ts is an ISO 8601 string. Pick one path: either keep TSV logging for the logs you parse with csv and set document_type: bro-conn_log in the Filebeat input, or keep JSON output, drop the csv filter and match ts with ISO8601 instead of UNIX.

input {
  beats {
    port => 5001
    codec => "json_lines"
  }
}

filter {
  # Get rid of the header lines; they begin with a hash
  if [message] =~ /^#/ {
    drop { }
  }

  # Now, using the csv filter, we can define the Bro conn.log fields.
  # The order must match the #fields header of your conn.log: current 2.x
  # releases write local_resp directly after local_orig, so it is included here.
  if [type] == "bro-conn_log" {
    csv {
      columns => ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"]

      # If you use a custom delimiter, put it between the quotes below. Otherwise insert a literal tab
      # between the two quotes; use an editor such as nano that does not convert tabs to spaces.
      separator => "	"
    }

    # Convert the 'ts' field into the event timestamp, so we can use Kibana's time features natively
    date {
      match => ["ts", "UNIX"]
    }

    # Add GeoIP attributes
    geoip {
      source => "id.orig_h"
      target => "orig_geoip"
    }
    geoip {
      source => "id.resp_h"
      target => "resp_geoip"
    }

    # The translate filter (logstash contrib) turns conn_state into human-readable text,
    # which saves looking the values up during packet introspection
    translate {
      field => "conn_state"
      destination => "conn_state_full"
      dictionary => [
        "S0", "Connection attempt seen, no reply",
        "S1", "Connection established, not terminated",
        "S2", "Connection established and close attempt by originator seen (but no reply from responder)",
        "S3", "Connection established and close attempt by responder seen (but no reply from originator)",
        "SF", "Normal SYN/FIN completion",
        "REJ", "Connection attempt rejected",
        "RSTO", "Connection established, originator aborted (sent a RST)",
        "RSTR", "Established, responder aborted",
        "RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
        "RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
        "SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
        "SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
        "OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
      ]
    }

    mutate {
      convert => ["id.orig_p", "integer"]
      convert => ["id.resp_p", "integer"]
      convert => ["orig_bytes", "integer"]
      convert => ["duration", "float"]
      convert => ["resp_bytes", "integer"]
      convert => ["missed_bytes", "integer"]
      convert => ["orig_pkts", "integer"]
      convert => ["orig_ip_bytes", "integer"]
      convert => ["resp_pkts", "integer"]
      convert => ["resp_ip_bytes", "integer"]
      rename => ["id.orig_h", "id_orig_host"]
      rename => ["id.orig_p", "id_orig_port"]
      rename => ["id.resp_h", "id_resp_host"]
      rename => ["id.resp_p", "id_resp_port"]
    }
  }
}

output {
  # stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "bro-conn-%{+YYYY.MM.dd}"
    document_type => "bro"
    template => "/etc/logstash/bro.json"
    template_name => "bro"
    template_overwrite => true
  }
}

You can get our bro.json file here: https://gist.github.com/netscylla/27ac9e1472d89dffa5a8267a6af9c9be
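The Logstash filter above hard-codes the conn.log column order and only understands Bro's TSV format, while the earlier step switched Bro to JSON. The Python below is an added example, not code from this article or from the Bro or Logstash projects: it normalises conn.log records from either format the way the filter does (header lines skipped, fields and types taken from the #fields/#types header rather than a fixed list, unset values mapped to null, ports and counters converted, dotted field names renamed, conn_state translated), and additionally tags each endpoint as local or not using the CIDRs from the networks.cfg shown earlier, which is the same list BroControl feeds into Site::local_nets. The log lines and networks.cfg contents embedded in it are constructed for the example.

```python
import ipaddress
import json

# conn_state meanings, as in the Logstash translate filter above.
CONN_STATE = {
    "S0": "Connection attempt seen, no reply",
    "S1": "Connection established, not terminated",
    "S2": "Connection established and close attempt by originator seen (but no reply from responder)",
    "S3": "Connection established and close attempt by responder seen (but no reply from originator)",
    "SF": "Normal SYN/FIN completion",
    "REJ": "Connection attempt rejected",
    "RSTO": "Connection established, originator aborted (sent a RST)",
    "RSTR": "Established, responder aborted",
    "RSTOS0": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
    "RSTRH": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
    "SH": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
    "SHR": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
    "OTH": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)",
}
# Bro #types names -> Python converters; other types (string, addr, enum) stay strings.
CONVERT = {"count": int, "port": int, "interval": float, "time": float, "bool": lambda v: v == "T"}
# Elasticsearch treats a dot in a field name as an object path, hence the same renames as the filter.
RENAME = {"id.orig_h": "id_orig_host", "id.orig_p": "id_orig_port",
          "id.resp_h": "id_resp_host", "id.resp_p": "id_resp_port"}


def parse_networks_cfg(text):
    """Return the CIDR prefixes listed in networks.cfg; descriptive tags and comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def is_local(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_conn_log(text, nets):
    """Yield one normalised dict per connection from TSV or JSON conn.log content."""
    fields = types = None
    unset, empty = "-", "(empty)"     # Bro's defaults; the TSV header may override them
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("{"):       # JSON line, as written with tuning/json-logs
            rec = json.loads(raw)
        elif raw.startswith("#"):     # TSV header/footer line: remember the layout, emit nothing
            key, _, val = raw[1:].partition("\t")
            if key == "fields":
                fields = val.split("\t")
            elif key == "types":
                types = val.split("\t")
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            continue
        else:                         # TSV data line: typed by the header, not a fixed column list
            if fields is None or types is None:
                raise ValueError("conn.log data line seen before its #fields/#types header")
            rec = {}
            for name, typ, val in zip(fields, types, raw.split("\t")):
                if val == unset:
                    rec[name] = None
                elif typ.startswith("set["):
                    rec[name] = [] if val == empty else val.split(",")
                else:
                    rec[name] = "" if val == empty else CONVERT.get(typ, str)(val)
        yield normalise(rec, nets)


def normalise(rec, nets):
    """Rename dotted fields, translate conn_state, and tag both endpoints against local_nets."""
    out = {RENAME.get(k, k): v for k, v in rec.items()}
    out["conn_state_full"] = CONN_STATE.get(out.get("conn_state"), "unknown")
    out["orig_is_local"] = is_local(out["id_orig_host"], nets)
    out["resp_is_local"] = is_local(out["id_resp_host"], nets)
    return out


# Constructed sample input: the article's networks.cfg, two TSV rows and one JSON row.
NETWORKS_CFG = "192.168.1.0/24 Public IP space\n172.16.100.0/24 Private IP space\n"
TSV_SAMPLE = "\n".join("\t".join(cols) for cols in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service",
     "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig", "local_resp", "missed_bytes",
     "history", "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "string", "interval", "count",
     "count", "string", "bool", "bool", "count", "string", "count", "count", "count", "count", "set[string]"],
    ["1522000000.123456", "CHhAvVGS1DHFjwGM9", "192.168.1.10", "51234", "203.0.113.5", "80", "tcp", "http",
     "0.250", "512", "2048", "SF", "T", "F", "0", "ShADadFf", "6", "832", "5", "2312", "(empty)"],
    ["1522000001.000000", "C4J4Th3PJpwUYZZ6gc", "10.9.8.7", "40000", "192.168.1.10", "22", "tcp", "-",
     "-", "-", "-", "S0", "F", "T", "0", "S", "1", "60", "0", "0", "(empty)"],
])
JSON_SAMPLE = json.dumps({"ts": "2018-03-25T18:26:42.000000Z", "uid": "CXwqbH2vT1Yz5aJ7c",
    "id.orig_h": "192.168.1.22", "id.orig_p": 55123, "id.resp_h": "203.0.113.9", "id.resp_p": 443,
    "proto": "tcp", "conn_state": "REJ", "missed_bytes": 0, "history": "Sr", "orig_pkts": 1,
    "orig_ip_bytes": 60, "resp_pkts": 1, "resp_ip_bytes": 40, "tunnel_parents": []})


def demo():
    return list(parse_conn_log(TSV_SAMPLE + "\n" + JSON_SAMPLE, parse_networks_cfg(NETWORKS_CFG)))
```

Running demo() yields three records: a completed HTTP session from a local host, an unanswered SSH connection attempt (S0) from an outside address to a local host, and a rejected TLS attempt taken from the JSON line. Because the TSV parser types each column from the #types header, it keeps working when a Bro upgrade adds or reorders conn.log columns, which is exactly where a hard-coded csv column list silently shifts every field by one.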

Finally, restart Logstash.

systemctl restart logstash

Then check your Kibana dashboard.

First go to the Management panel and click Index Patterns, then create a pattern such as bro-conn-* that matches the index name in the Logstash output above; this tells Kibana where your Bro data lives.

Then go back to Discover and you should see your Bro logs.

Extending Bro with threat intelligence

First, register for a free Critical Stack Intel account to get access to free threat intelligence feeds.

Select your container, feeds and sensor (see the feeds screenshot).

You will be shown an API code; copy it to the clipboard or a notepad. Treat it as a secret, since it identifies your account and feed subscriptions.

Follow the client installation instructions for the critical-stack-intel binary.

Then use the API code (this step needs network access) to connect the client to your feeds; it downloads the threat intelligence sources you subscribed to.

critical-stack-intel api [api_code_here]

Then restart Bro (use deploy instead if the client's setup step changed local.bro, since restart alone does not reinstall changed policy scripts):

sudo /usr/local/bro/bin/broctl restart

List the feeds with:

critical-stack-intel list

That covers how to improve the threat detection capability of small and medium-sized enterprises with Kibana, Wazuh and Bro IDS. We hope it is useful and helps you learn more; if you think the article is good, share it so more people can see it.
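The critical-stack-intel client writes the feeds it downloads in the file format of Bro's Intel framework: tab-separated, starting with a #fields header that must include indicator, indicator_type and meta.source, and with the Intel framework's seen scripts loaded Bro records a hit in intel.log whenever an indicator turns up in traffic. As an added example, not part of this article and not Bro or Critical Stack code, the Python below parses and validates such a feed file and matches it against a few constructed conn, dns and http records, reporting hits with the seen.where labels Bro uses. The feed and the records are constructed; matching here is exact, and Intel::URL indicators are written without the http:// prefix, as Bro's Intel framework documents.

```python
REQUIRED = ("indicator", "indicator_type", "meta.source")
# Which record field is checked against which indicator type for each log, with the
# seen.where value Bro would record in intel.log for that location.
CHECKS = {
    "conn": [("id.orig_h", "Intel::ADDR", "Conn::IN_ORIG"), ("id.resp_h", "Intel::ADDR", "Conn::IN_RESP")],
    "dns": [("query", "Intel::DOMAIN", "DNS::IN_REQUEST")],
    "http": [("host", "Intel::DOMAIN", "HTTP::IN_HOST_HEADER"), ("url", "Intel::URL", "HTTP::IN_URL")],
}


def load_intel(text):
    """Parse an Intel framework feed file into {indicator_type: {indicator: meta}}.

    Tab-separated, a #fields header first, one indicator per row, '-' for an empty
    optional field. Rows whose column count differs from the header are rejected
    rather than guessed at: a mis-tabbed feed is a common reason nothing ever matches.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("intel file must start with a tab-separated #fields header")
    fields = lines[0][len("#fields\t"):].split("\t")
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError("intel file lacks required column(s): " + ", ".join(missing))
    table = {}
    for n, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("line %d: %d columns, header has %d" % (n, len(cols), len(fields)))
        row = dict(zip(fields, cols))
        table.setdefault(row["indicator_type"], {})[row["indicator"]] = row
    return table


def is_valid_feed(text):
    try:
        load_intel(text)
        return True
    except ValueError:
        return False


def match(records, table):
    """Return intel.log-style hits for a list of (log_name, record) pairs."""
    hits = []
    for log, rec in records:
        rec = dict(rec)
        if log == "http" and rec.get("host") and rec.get("uri"):
            rec["url"] = rec["host"] + rec["uri"]     # host + uri, no scheme, like Intel::URL
        for field, itype, where in CHECKS.get(log, []):
            meta = table.get(itype, {}).get(rec.get(field))
            if meta is not None:
                hits.append({
                    "ts": rec["ts"], "uid": rec["uid"],
                    "seen.indicator": rec[field], "seen.indicator_type": itype,
                    "seen.where": where, "sources": meta["meta.source"],
                    "do_notice": meta.get("meta.do_notice") == "T",
                })
    return hits


# Constructed feed and log records for the example; the indicators are not real.
INTEL_FEED = "\n".join("\t".join(c) for c in [
    ["#fields", "indicator", "indicator_type", "meta.source", "meta.desc", "meta.url", "meta.do_notice"],
    ["198.51.100.23", "Intel::ADDR", "example-feed", "scanner", "-", "T"],
    ["evil.example", "Intel::DOMAIN", "example-feed", "c2 domain", "-", "T"],
    ["evil.example/drop.php", "Intel::URL", "example-feed", "malware download", "-", "F"],
])
RECORDS = [
    ("conn", {"ts": 1522000000.0, "uid": "CHhAvV1", "id.orig_h": "192.168.1.10", "id.resp_h": "198.51.100.23"}),
    ("dns", {"ts": 1522000001.0, "uid": "CHhAvV2", "id.orig_h": "192.168.1.10", "query": "evil.example"}),
    ("http", {"ts": 1522000002.0, "uid": "CHhAvV3", "id.orig_h": "192.168.1.10",
              "host": "evil.example", "uri": "/drop.php"}),
    ("dns", {"ts": 1522000003.0, "uid": "CHhAvV4", "id.orig_h": "192.168.1.11", "query": "www.example.org"}),
]


def demo():
    return match(RECORDS, load_intel(INTEL_FEED))
```

demo() returns four hits: the responder address of the first connection, the DNS query for the listed domain, and two for the HTTP request (its Host header and its full URL); the last DNS query matches nothing. Running is_valid_feed over a downloaded feed before pointing Bro at it is a cheap way to catch a feed with missing columns or spaces instead of tabs.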
