Syslog Collection

By timadmin in Networking, Security Monitoring 0 Comment

Lately I’ve been thinking about ways to collect syslog data from network devices (especially Cisco and pfSense). Traditionally I’ve used commercial solutions, but would really like to have a simple open source solution to supply my clients early in a network consulting engagement. This post documents the search, and hopefully ends with a Preferred Solution.

A long time ago I discovered a tool called Logstash (https://en.wikipedia.org/wiki/Elasticsearch) which sounds like it was made for the job. I may always love the logo! It turns out that Logstash is a log-parsing engine, and feeds its data into an Elastic database which uses Kibana for presentation. It looks like setting this up requires many servers and is way bigger and complex than I really want.

Next up is a tool called syslog-ng (https://www.syslog-ng.com/). It looks like a powerful tool, but the open source version includes only command line support. Most of my clients are more comfortable with graphical user interfaces (aka GUIs), so I’d like to expose syslog data to them through a GUI even if I manage it using the command line. Searching for an accompanying tool let me to an interesting option: Logzilla (https://www.syslog-ng.com/community/b/blog/posts/web-interfaces-for-your-syslog-server-an-overview/). According to the post “Logzilla focuses on logs from Cisco devices” – a perfect fit!

Logzilla is another open source solution (https://www.logzilla.net/). They’re marketing it as Network Event Orchestration (NEO). The NEO engine can be used at no cost for less than one million events per day. It runs in a docker container and has the following system requirements:

  • Docker version 18+
  • 8 CPU cores
  • 8 GB RAM
  • 1000 Disk IOPs

Logzilla makes a VM image available: https://logzilla.sh/LogZilla-NEO.ova. It is a sizeable download, but makes for an easy install.

What if I want to run NEO on a FreeBSD system? Then I’d need to install Docker to FreeBSD (which is broken today), as detailed here: https://wiki.freebsd.org/Docker. Then it looks like I would need to install the application using the following command: curl -fsSL https://logzilla.sh |bash.

Firewall Logs

By timadmin in Security Monitoring 0 Comment

A firewall’s primary function is to control traffic. Troubleshooting authorized connections or verifying configuration changes are necessary functions to support that primary function. While we can use a firewall to detect and notify administrators of suspicious activity, there is a balance between collecting log information to support administrative functions and conserving resources (processor, bandwidth, and useability of data).  As we learn what normal traffic is we should tailor the log information to reflect that normal;  sometimes an adversary will be able to cloak their activity within that normal traffic.  An owner would be wise to install an Intrusion Detection System and even a Network Monitoring System in order to better detect adversarial activity.  In cases where an owner chooses not to install more capable detection layers then I think that we are well served by maintaining a robust ability to detect abnormal activity using log information.  We can only effectively detect abnormal activity with log information alone by reducing the noise floor generated by normal activity so that a casual network administrator can recognize the abnormal activity.

In the case where an owner puts forth minimal effort to control traffic and correct configuration errors, we will have much less sensitivity to abnormal traffic.  This is a consequence of that owner’s decisions and can only be avoided by giving up on detection entirely.

Installing Suricata to FreeBSD

By timadmin in Security Monitoring 0 Comment

I’ve been working through a Suricata course which details how to use Suricata on a Ubuntu base. Since I tend to work more with FreeBSD, here are my notes on how to install Suricata on FreeBSD.

Launch a working FreeBSD system, login, launch a terminal session, then elevate to root privileges. Then run the following commands:

  • freebsd-update fetch
  • freebsd-update install
  • pkg install suricata
  • vi /etc/rc.conf
    • suricata_enable=”YES”
    • suricata_netmap=”YES”
  • vi /usr/local/etc/suricata
    • change all occurences of eth0 to the actual interface identifier, determined by ifconfig
  • service suricata start

Then we can check the health of our installation:

  • suricata –build-info
  • suricata -V – Display version information
  • /var/log/suricata – Log file location, check the contents and ensure that they are growing
  • /usr/local/etc/suricata/suricata.yaml – Configuration file

The Practice of NSM References

By timadmin in Security Monitoring 3 Comments

I’ve resumed reading The Practice of Network Security Monitoring, by Richard Bejtlich.  In the past I’ve stalled once Security Onion is installed as I haven’t had a good place to implement it and continue learning how it works.  So yesterday I skipped ahead to Chapter 9, NSM Operations and read the chapter.  I was surprised to see a bunch of promising references, so I’m going to list them here for future use along with a couple of choice quotes.

First, an opening quote:  “Too many security organizations put tools before operations. <snip> A tool-driven team will not be as effective as a mission-driven team.  When the mission is defined by running software, analysts become captive to the features and limitations of their tools.” [The Practice of Network Security Monitoring, Richard Bejtlich, page 185]

A textbook reference:  Incident Response and Computer Forensics, Third Edition (McGraw Hill Education, 2014 – Jason Luttgens, Matthew Pepe, Kevin Mandia)

Finally, a closing quote:  “…intruders conduct campaigns, and CIRTs defend in waves.” [The Practice of Network Security Monitoring, Richard Bejtlich, page 200]

Network Security Monitoring – Reading List

By timadmin in Security Monitoring 0 Comment

I’ve restarted my read of The Practice of Network Security Monitoring by Richard Bejtlich and immediately found that I need to list references to read in the future. Here’s the first installment:

  • Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition. Stuart McClure, Joel Scambray, & George Kurtz
  • Blue Team Handbook: Incident Response Edition: A condensed field guide for the incident responder. Gary Murdock