I've successfully connected my firewall to the syslog miner and can see logs arriving. I believe I now need to create a rule to match logs to extract the indicators.
Here are my receive stats from the miner:
Here's the rule I'm trying to craft to extract the src_ip info.
Additionally, is it possible to extract the attacker IP from the WildFire submissions log? Looks like just threats and traffic. My use-case would be to capture attacker IPs for previously unknown samples where no further samples are seen and therefore the Threat WF sigs are not activated.
Thanks for the help.
Documentation is lacking on the syslog Miner; I will work on something better. In the meantime, this is a rule definition for extracting the source IP from WildFire logs. WildFire logs are logs of type THREAT and subtype wildfire. The misc field contains the name of the file, while the url_idx field contains the hash.
conditions:
    - type == 'THREAT'
    - log_subtype == 'wildfire'
fields:
    - misc
    - url_idx
indicators:
    - src_ip
There are a couple of bugs in the current version of the syslog Miner (0.9.18) I am planning to fix in the next minor.
Maybe I am missing something. However, I want to only parse syslogs that have been allowed. Where do I go to do this (i.e. where do I go to add indicator rules)?
Did I miss where this was noted?
You can do this in 3 ways (in order of performance):
- forward only logs of accepted sessions to MineMeld
- filter the session logs inside the rsyslog config
- create an indicator rule that matches on the condition action == "accept"
You should go into NODES > <syslog miner node> > RULES to add new indicator rules. Check this forum for examples of rules you can specify:
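The two rules discussed in this thread (the WildFire src_ip rule above and the action == "accept" filter) both follow the same shape: a list of conditions, a list of fields to carry along as attributes, and a list of fields whose values become indicators. The following is an added illustration, not MineMeld's own code, of how such a rule is evaluated against an already-parsed log record. The rule syntax mirrors the definition quoted above; the condition grammar supported here (field == 'value' / field != 'value'), the helper names, and all sample records and IPs are constructed for this example.

```python
"""Illustrative evaluator for condition-based indicator rules.

Constructed example only; it is not MineMeld's implementation. Records are
dicts of already-parsed PAN-OS log fields (type, log_subtype, action, ...).
"""
import re

# Only the condition form used in the thread is supported:
#   <field> == '<value>'   or   <field> != '<value>'
_COND_RE = re.compile(r"^\s*(\w+)\s*(==|!=)\s*(['\"])(.*?)\3\s*$")

# The WildFire rule from the thread, plus an "accepted sessions only" rule
# built from the action == "accept" condition given in the reply.
RULES = {
    "wildfire_src_ip": {
        "conditions": ["type == 'THREAT'", "log_subtype == 'wildfire'"],
        "fields": ["misc", "url_idx"],
        "indicators": ["src_ip"],
    },
    "accepted_session_src_ip": {
        "conditions": ["type == 'TRAFFIC'", "action == 'accept'"],
        "fields": ["app"],
        "indicators": ["src_ip"],
    },
}


def parse_condition(expr):
    """Split "field == 'value'" into (field, operator, value)."""
    m = _COND_RE.match(expr)
    if not m:
        raise ValueError("unsupported condition: %r" % expr)
    field, op, _quote, value = m.groups()
    return field, op, value


def condition_holds(expr, record):
    """A missing field never satisfies a condition, for == or !=."""
    field, op, value = parse_condition(expr)
    actual = record.get(field)
    if actual is None:
        return False
    return actual == value if op == "==" else actual != value


def rule_matches(rule, record):
    """All conditions must hold; a rule with no conditions matches every record."""
    return all(condition_holds(c, record) for c in rule.get("conditions", []))


def extract_indicators(rules, record):
    """Return one entry per (matching rule, indicator field) with its attributes."""
    found = []
    for name, rule in rules.items():
        if not rule_matches(rule, record):
            continue
        attrs = {f: record[f] for f in rule.get("fields", []) if f in record}
        for field in rule.get("indicators", []):
            value = record.get(field)
            if value:  # skip empty indicator fields
                found.append({"rule": name, "indicator": value, "attributes": attrs})
    return found


# Constructed sample records (documentation-range IPs, placeholder hash).
SAMPLE_RECORDS = [
    {"type": "THREAT", "log_subtype": "wildfire", "src_ip": "203.0.113.45",
     "misc": "invoice.pdf", "url_idx": "SHA256-PLACEHOLDER"},
    {"type": "THREAT", "log_subtype": "vulnerability", "src_ip": "203.0.113.46"},
    {"type": "TRAFFIC", "action": "accept", "src_ip": "198.51.100.7", "app": "ssl"},
    {"type": "TRAFFIC", "action": "deny", "src_ip": "192.0.2.9", "app": "ssh"},
]


def run_demo(records=SAMPLE_RECORDS):
    """Apply RULES to every record and return the flat list of hits."""
    hits = []
    for rec in records:
        hits.extend(extract_indicators(RULES, rec))
    return hits


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["rule"], hit["indicator"], hit["attributes"])
```

Running it yields two hits: 203.0.113.45 from the WildFire record (carrying misc and url_idx as attributes) and 198.51.100.7 from the accepted session; the vulnerability threat log and the denied session produce nothing. Note that string comparison is exact, so the action value in a rule must match the value your firewall actually emits in that field.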