MineMeld syslog indicator rules

L1 Bithead

MineMeld syslog indicator rules

Hi all,


I've successfully connected my firewall to the syslog miner and can see logs arriving. I believe I now need to create a rule to match logs to extract the indicators.


Here's my receive stats from the miner:

[image: miner-stats.jpg]

Here's the rule I'm trying to craft to extract the src_ip info:

[image: rule.jpg]

Additionally, is it possible to extract the attacker IP from the WildFire submissions log? Looks like just threats and traffic. My use-case would be to capture attacker IPs for previously unknown samples where no further samples are seen and therefore the Threat WF sigs are not activated.


Thanks for the help.


Tim

L7 Applicator

Re: MineMeld syslog indicator rules

Hi Tim,

documentation is lacking on the syslog Miner, I will work on something better. In the meantime this is a rule definition for extracting source IP from Wildfire logs. Wildfire logs are logs of type THREAT and subtype wildfire. The misc field contains the name of the file, while the url_idx field contains the hash.


conditions:
  - type == 'THREAT'
  - log_subtype == 'wildfire'
fields:
  - misc
  - url_idx
indicators:
  - src_ip

There are a couple of bugs in the current version of the syslog Miner (0.9.18) I am planning to fix in the next minor.

L1 Bithead

Re: MineMeld syslog indicator rules

Working great. Thanks again Luigi. I think I have everything I need for now, so I shouldn't be hassling you for a while :)

L0 Member

Re: MineMeld syslog indicator rules

Maybe I am missing something; however, I want to only parse syslogs that have been allowed. Where do I go to do this (i.e. where do I go to add indicator rules)?

Did I miss where this was noted?


L7 Applicator

Re: MineMeld syslog indicator rules

Hi @josev123,

you can do this in 3 ways (in order of performance):

- forward only logs of accepted session to MineMeld

- filter the session logs inside rsyslog config

- create an indicator rule that matches on the condition action == "accept"
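As an added illustration (not MineMeld's own code) of how the rule shape in this thread is evaluated: a rule fires only when every condition holds, the listed fields ride along as attributes, and each indicator field's value becomes an indicator. The log records are constructed samples already split into named fields, and the condition syntax is assumed to be the simple `field == 'value'` form used above; both the Wildfire rule and the accepted-sessions option are shown.

```python
import re

# Rule shape from the thread: every condition must hold, the listed
# "fields" ride along as attributes, and each "indicators" field's value
# becomes an indicator. Illustrative only, not MineMeld's implementation.
WILDFIRE_RULE = {
    "conditions": ["type == 'THREAT'", "log_subtype == 'wildfire'"],
    "fields": ["misc", "url_idx"],
    "indicators": ["src_ip"],
}
# Same shape for the accepted-sessions option (condition text as in the reply).
ACCEPTED_RULE = {
    "conditions": ["type == 'TRAFFIC'", 'action == "accept"'],
    "fields": [],
    "indicators": ["src_ip"],
}
# Only the simple `field == 'value'` form is supported (an assumption).
_COND = re.compile(r"^\s*(\w+)\s*==\s*(['\"])(.*)\2\s*$")

def parse_condition(cond):
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    return m.group(1), m.group(3)

def apply_rule(log, rule):
    """Return one record per indicator field when every condition matches."""
    for cond in rule.get("conditions", []):
        field, expected = parse_condition(cond)
        if log.get(field) != expected:
            return []
    attrs = {f: log[f] for f in rule.get("fields", []) if f in log}
    return [{"indicator": log[f], **attrs}
            for f in rule.get("indicators", []) if log.get(f)]

def extract(rule, logs):
    return [rec for log in logs for rec in apply_rule(log, rule)]

# Constructed sample logs, already split into named fields.
SAMPLE_LOGS = [
    {"type": "THREAT", "log_subtype": "wildfire", "src_ip": "198.51.100.23",
     "misc": "invoice.exe", "url_idx": "constructed-hash-placeholder"},
    {"type": "THREAT", "log_subtype": "vulnerability", "src_ip": "198.51.100.24"},
    {"type": "TRAFFIC", "log_subtype": "end", "src_ip": "203.0.113.7", "action": "accept"},
    {"type": "TRAFFIC", "log_subtype": "end", "src_ip": "203.0.113.8", "action": "deny"},
]
```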

L0 Member

Re: MineMeld syslog indicator rules

Where do I go to add an indicator rule?

L7 Applicator

Re: MineMeld syslog indicator rules

Hi @josev123,

you should go into NODES > <syslog miner node> > RULES to add new indicator rules. Check this forum for examples of rules you can specify:


[image: Screen Shot 2017-02-02 at 09.14.45.png]
