This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

MineMeld syslog indicator rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

MineMeld syslog indicator rules

Go to solution
tkirk
L1 Bithead

‎07-22-2016 03:53 AM

Hi all,

 

I've successfully connected my firewall to the syslog miner and can see logs arriving. I believe I now need to create a rule to match logs to extract the indicators.

 

Here's my recieve stats from the miner:

miner-stats.jpg

Here's the rule I'm trying to craft to extract the src_ip info..

rule.jpg 

Additionally, is it possible to extract the attacker IP from the WildFire submissions log? Looks like just threats and traffic. My use-case would be to capture attacker IPs for previously unknown samples where no further samples are seen and therefore the Threat WF sigs are not activated.

 

Thanks for the help.

 

Tim

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
lmori
L7 Applicator

‎07-22-2016 04:40 AM

Hi Tim,

documentation is lacking on the syslog Miner, I will work on something better. In the meantime this a rule definition for extracing source IP from Wildfire logs. Wildfire logs are logs of type THREAT and subtype wildfire. The misc field contains the name of the file, while the url_idx field contains the hash.

 

conditions:
  - type == 'THREAT'
  - log_subtype == 'wildfire'
fields:
  - misc
  - url_idx
indicators:
  - src_ip

There are a couple of bugs in the current version of the syslog Miner (0.9.18) I am planning to fix in the next minor.

View solution in original post

6 REPLIES 6

Go to solution
lmori
L7 Applicator

‎07-22-2016 04:40 AM

Hi Tim,

documentation is lacking on the syslog Miner, I will work on something better. In the meantime this a rule definition for extracing source IP from Wildfire logs. Wildfire logs are logs of type THREAT and subtype wildfire. The misc field contains the name of the file, while the url_idx field contains the hash.

 

conditions:
  - type == 'THREAT'
  - log_subtype == 'wildfire'
fields:
  - misc
  - url_idx
indicators:
  - src_ip

There are a couple of bugs in the current version of the syslog Miner (0.9.18) I am planning to fix in the next minor.

Go to solution
tkirk
L1 Bithead
In response to lmori

‎07-22-2016 05:32 AM

Working great. Thanks again Luigi. I think I have everything I need for now, so i shouldn't be hassling you for a while 🙂

0 Likes Likes

Go to solution
josev123
L0 Member
In response to lmori

‎01-23-2017 10:47 AM

Maybe I am missing something.. however I want to only parse syslogs that have been allowed, where do I go to do this. (like where do I go to add indicator rules)

Did I miss where this was noted?

 

0 Likes Likes

Go to solution
lmori
L7 Applicator
In response to josev123

‎01-25-2017 05:41 AM

Hi @josev123,

you can do this in 3 ways (in order of performance):

- forward only logs of accepted session to MineMeld

- filter the session logs inside rsyslog config

- create an indicator rule that match on the condition action == "accept"

Go to solution
josev123
L0 Member
In response to lmori

‎01-31-2017 08:02 AM

where do I go to add a indicator rule

0 Likes Likes

Go to solution
lmori
L7 Applicator
In response to josev123

‎02-02-2017 12:16 AM

Hi @josev123,

you should go into NODES > <syslog miner node> > RULES to add new indicator rules. Check this forum for examples of rules you can specify:

 

Screen Shot 2017-02-02 at 09.14.45.png

0 Likes Likes
  • 1 accepted solution
  • 10032 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks