MineMeld syslog indicator rules


MineMeld syslog indicator rules

L1 Bithead

Hi all,

I've successfully connected my firewall to the syslog miner and can see logs arriving. I believe I now need to create a rule to match logs to extract the indicators.

Here's my receive stats from the miner:

[image: miner-stats.jpg]

Here's the rule I'm trying to craft to extract the src_ip info.

[image: rule.jpg]

Additionally, is it possible to extract the attacker IP from the WildFire submissions log? Looks like just threats and traffic. My use-case would be to capture attacker IPs for previously unknown samples where no further samples are seen and therefore the Threat WF sigs are not activated.

Thanks for the help.

Tim

1 accepted solution

Accepted Solutions

L7 Applicator

Hi Tim,

Documentation is lacking on the syslog Miner; I will work on something better. In the meantime, this is a rule definition for extracting the source IP from WildFire logs. WildFire logs are logs of type THREAT and subtype wildfire. The misc field contains the name of the file, while the url_idx field contains the hash.

conditions:
  - type == 'THREAT'
  - log_subtype == 'wildfire'
fields:
  - misc
  - url_idx
indicators:
  - src_ip

There are a couple of bugs in the current version of the syslog Miner (0.9.18) I am planning to fix in the next minor.


6 replies

Working great. Thanks again Luigi. I think I have everything I need for now, so I shouldn't be hassling you for a while 🙂

Maybe I am missing something, however I want to only parse syslogs that have been allowed. Where do I go to do this? (Like, where do I go to add indicator rules?)

Did I miss where this was noted?

Hi @josev123,

You can do this in 3 ways (in order of performance):

- forward only logs of accepted sessions to MineMeld

- filter the session logs inside the rsyslog config

- create an indicator rule that matches on the condition action == "accept"
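As an added illustration (not MineMeld's own code) of what the rule from the accepted answer and the action == "accept" condition above express, here is a small evaluator that applies conditions / fields / indicators rules to PAN-OS log records already split into named fields; how the miner itself tokenizes the raw syslog payload is not reproduced, and the sample records are constructed.

```python
# Added example, not MineMeld's own code: a minimal evaluator that applies a
# syslog-miner style indicator rule (conditions / fields / indicators, as in
# the YAML rule quoted in this thread) to PAN-OS log records already split
# into named fields. Tokenizing the raw syslog payload is out of scope here.
import operator
import re

# Simplified condition grammar: <field> == 'value'  or  <field> != 'value'
_COND_RE = re.compile(r"""^\s*(\w+)\s*(==|!=)\s*['"]?([^'"]*)['"]?\s*$""")
_OPS = {"==": operator.eq, "!=": operator.ne}

def parse_condition(text):
    m = _COND_RE.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    field, op, value = m.groups()
    return field, _OPS[op], value

def apply_rule(rule, record):
    """Return [(indicator_value, attributes), ...] for one record, or [] if
    any condition fails. A missing field never matches (fail closed)."""
    for cond in rule.get("conditions", []):
        field, op, value = parse_condition(cond)
        if field not in record or not op(record[field], value):
            return []
    attrs = {f: record[f] for f in rule.get("fields", []) if f in record}
    return [(record[i], attrs) for i in rule.get("indicators", []) if record.get(i)]

def run_rules(rules, records):
    return [hit for rec in records for rule in rules for hit in apply_rule(rule, rec)]

# The rule from the accepted answer, plus the action == "accept" filter
# suggested later in the thread, written as a second rule for TRAFFIC logs.
WILDFIRE_RULE = {"conditions": ["type == 'THREAT'", "log_subtype == 'wildfire'"],
                 "fields": ["misc", "url_idx"], "indicators": ["src_ip"]}
ALLOWED_TRAFFIC_RULE = {"conditions": ["type == 'TRAFFIC'", "action == 'accept'"],
                        "fields": ["dst_port"], "indicators": ["src_ip"]}

# Constructed sample records (all values, including the hash, are made up).
RECORDS = [
    {"type": "THREAT", "log_subtype": "wildfire", "src_ip": "203.0.113.7",
     "misc": "invoice.exe", "url_idx": "ab" * 32, "action": "alert"},
    {"type": "THREAT", "log_subtype": "vulnerability", "src_ip": "203.0.113.8",
     "misc": "some-signature", "action": "alert"},
    {"type": "TRAFFIC", "log_subtype": "end", "src_ip": "198.51.100.9",
     "dst_port": "443", "action": "accept"},
    {"type": "TRAFFIC", "log_subtype": "end", "src_ip": "198.51.100.10",
     "dst_port": "22", "action": "deny"},
]

if __name__ == "__main__":
    for value, attrs in run_rules([WILDFIRE_RULE, ALLOWED_TRAFFIC_RULE], RECORDS):
        print(value, attrs)
```

Only the wildfire THREAT record and the accepted TRAFFIC record yield an indicator; the vulnerability and denied records are dropped by the conditions.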

Where do I go to add an indicator rule?

Hi @josev123,

You should go into NODES > <syslog miner node> > RULES to add new indicator rules. Check this forum for examples of rules you can specify:

[image: Screen Shot 2017-02-02 at 09.14.45.png]
