To My "Piecemeal" (Open-Source) SIEM (Part 2)

Background

XXX


Shortcomings of SIEM v0.2

XXX


Improvements in SIEM v0.3

1. Workflow

XXX


2. Normalized

Workflow

![image-20220218183243830](/Users/canon/Library/Application Support/typora-user-images/image-20220218183243830.png)

Configure

| No | File | Script | Log | Note |
|----|------|--------|-----|------|
| 1 | 60_normalized-general.conf | | | |
| 2 | 61_normalized-alert.conf | | | |
| 3 | 62_normalized-flow.conf | | | |
| 4 | 63_normalized-fileinfo.conf | | | |
| 5 | 64_normalized-http.conf | 64_normalized-http.rb | 64_normalized-http.log | |
| 6 | 65_normalized-tls.conf | | | |

3. Enrichment

Workflow

![image-20220221134544143](/Users/canon/Library/Application Support/typora-user-images/image-20220221134544143.png)

Configure

| No | File | Script | Log | Note |
|----|------|--------|-----|------|
| 1 | 70_enrichment-general-geo-1-private_ip.conf | | | |
| 2 | 70_enrichment-general-geo-2-public_ip.conf | | | |
| 3 | 71_enrichment-alert-1-direction.conf | 71_enrichment-alert-1-direction.rb | | |
| 4 | 71_enrichment-alert-2-killChain.conf | 71_enrichment-alert-2-killChain.rb | 71_enrichment-alert-2-killChain.log | |
| 5 | 71_enrichment-alert-3-cve.conf | 71_enrichment-alert-3-cve.rb | 71_enrichment-alert-3-cve.log | |
| 6 | 71_enrichment-alert-4-whitelist_ip.conf | 71_enrichment-alert-4-whitelist_ip.rb | 71_enrichment-alert-4-whitelist_ip.log | |

KillChain

Suricata

Input

  • Redis template

```
# key: str killchain:{provider}:{rule id}
# value: json str {"steps": {KillChain steps}, "description": {KillChain description}, "class": {rule class}}

localhost:6379> set killchain:suricata:2028933 '{"steps": 4, "description": "Exploitation", "class": "exploit"}'
```

Output

```json
{
  "threat": {
    "killchain": {
      "steps": 1,
      "description": "侦查跟踪",
      "class": "scan"
    }
  }
}
```

Imperva

Vulnerability

Input

  • Redis template

```
# key: str enrichment:{class}:{cve}
# value: str {create time create user}

localhost:6379> set enrichment:cve:CVE-2016-8618 '2022-02-16 Canon'
```

Output

```json
{
  "rule": {
    "cve": "CVE-2015-9381" // none
  },
  "vulnerability": {
    "id": "CVE-2015-9381",
    "enumeration": "CVE"
  }
}
```

4. ThreatIntel

Workflow

![image-20220221105601713](/Users/canon/Library/Application Support/typora-user-images/image-20220221105601713.png)

Configure

Shodan

| No | File | Script | Log | Note |
|----|------|--------|-----|------|
| 1 | 85_threatintel-siem-event-1-shodan.conf | 85_threatintel-siem-event-1-shodan.rb | | |

Input

  • Redis template

```
# key: list spider:{provider}:ioc
# value: str ioc

localhost:6379> LPUSH spider:shodan:ioc 8.8.8.8 # Spider Queue
localhost:6379> SETEX alert:8.8.8.8 86400 true # IoC Cache
```

Output

```json
{
  "source": {
    "ip": "84.17.52.20"
  },
  "threat": {
    "hunting": {
      "details": {
        "tcp": [
          {
            "http-simple-new": 81
          },
          {
            "https": 443
          },
          {
            "http-simple-new": 8080
          },
          {
            "https-simple-new": 8081
          },
          {
            "https": 8443
          },
          {
            "https-simple-new": 9002
          }
        ],
        "udp": []
      },
      "domains": "cdn77.com",
      "hostnames": "unn-84-17-52-20.cdn77.com",
      "ports": [
        8443,
        8081,
        9002,
        8080,
        81,
        443
      ],
      "services": [
        "https",
        "https-simple-new",
        "http-simple-new"
      ]
    }
  }
}
```

3. Filter

3.1 Whitelist

3.1.1 IP

Input

  • Redis template

```
# key: str whitelist:{class}:{ip}
# value: json str {"type": "cdn", "action": "pass|drop"}

localhost:6379> set whitelist:ip:8.8.8.8 '{"type": "cdn", "action": "pass"}'
```

Output

```json
{
  "source": {
    "ip": "x.x.x.x"
  },
  "whitelist": {
    "type": "cdn",      // describes the whitelist type, e.g. CDN, red-team test IP, office egress IP
    "action": "drop",   // drop|pass: whether the event should be consumed by the SIEM
    "origin": "source"  // source|destination: which side actually matched the whitelist
  },
  "isWhitelist": true   // used only as a filter condition
}
```

Differences

  • v0.2

```json
{
  "source": {
    "ip": "x.x.x.x",
    "isWhitelist": true,
    "whitelistType": "exit_whitelist"
  },
  "destination": {
    "ip": "y.y.y.y",
    "isWhitelist": true,
    "whitelistType": "exit_whitelist"
  }
}
```

  • v0.3

```json
{
  "source": {
    "ip": "x.x.x.x"
  },
  "whitelist": {
    "type": "cdn",
    "action": "drop",
    "origin": "source"
  },
  "isWhitelist": true
}
```
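As an added example that is not part of the original post, the whitelist lookup that 71_enrichment-alert-4-whitelist_ip.rb performs is reimplemented below in plain Ruby against a constructed Hash standing in for the Redis `whitelist:ip:{ip}` keys, producing the v0.3 `whitelist`/`isWhitelist` fields. The store contents, the helper names `enrich_whitelist` and `consume?`, and the choice to default a malformed `action` to `pass` are assumptions.

```ruby
require 'json'

# Constructed stand-in for Redis: same key/value layout as the post's template.
WHITELIST_STORE = {
  'whitelist:ip:8.8.8.8'     => '{"type": "cdn", "action": "pass"}',
  'whitelist:ip:203.0.113.9' => '{"type": "redteam", "action": "drop"}'
}.freeze

# Check source.ip first, then destination.ip; the first hit wins and its side is
# recorded in whitelist.origin. Returns the event with the v0.3 fields set.
def enrich_whitelist(event, store = WHITELIST_STORE)
  %w[source destination].each do |origin|
    ip = event.dig(origin, 'ip')
    next if ip.nil?
    raw = store["whitelist:ip:#{ip}"]
    next if raw.nil?
    entry = JSON.parse(raw)
    # A malformed action must never silently suppress events: default to "pass"
    # so the event still reaches the SIEM.
    action = %w[pass drop].include?(entry['action']) ? entry['action'] : 'pass'
    event['whitelist'] = { 'type' => entry['type'], 'action' => action, 'origin' => origin }
    event['isWhitelist'] = true
    return event
  end
  event['isWhitelist'] = false
  event
end

# Filter stage: only a whitelisted event with action "drop" is kept out of the SIEM.
def consume?(event)
  !(event['isWhitelist'] && event.dig('whitelist', 'action') == 'drop')
end
```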

3.1.2 Rule

3.1.2.1 SID

Input

  • Redis template

```
# key: str whitelist:{class}:{provider}:{rule id}
# value: str {rule name}

localhost:6379> set whitelist:sid:suricata:2101201 "GPLWEB_SERVER_403_Forbidden"
```

Workflow

![image-20220224143316558](/Users/canon/Library/Application Support/typora-user-images/image-20220224143316558.png)

Input

  • Redis template

```
# key: str whitelist:{class}:{provider}:{rule name}
# value: str add by {user} {date} {sid} # default

# Suricata
localhost:6379> set "whitelist:rule:suricata:GPLWEB_SERVER_403_Forbidden" "add by Canon 2022.02.24 2101201"
# Imperva
localhost:6379> set "whitelist:rule:imperva:Suspicious Response Code" "add by Canon 2022.02.24"
```

Workflow

![image-20220224150916372](/Users/canon/Library/Application Support/typora-user-images/image-20220224150916372.png)