Syslog miner indicator

Reply
L1 Bithead

Hi @lmori, I changed the code using the contains directive as suggested and the hit matches are starting to ramp up. For sure a wiki/doc is definitely useful for this section :-)

/opt/minemeld/local/config/panos_syslog_miner_rules.ym

- conditions: [type == 'THREAT', log_subtype == 'vulnerability', 'contains(threat_name, ''HTTP SQL Injection Attempt'') == true']
  fields: null
  indicators: [src_ip]
  name: sql_injection
- conditions: [type == 'TRAFFIC', src_location == 'IT']
  fields: null
  indicators: [src_ip]
  name: test_traffic
- conditions: [type == 'THREAT', src_zone == 'FIBRA', dest_port != '22']
  fields: null
  indicators: [src_ip, url_idx]
  name: test_threat
- conditions: [type == 'THREAT', log_subtype == 'vulnerability', severity == 'informational', 'contains(threat_name, ''SSH2 Login Attempt'') == true']
  fields: null
  indicators: [src_ip]
  name: ssh_login


L7 Applicator

Hi @AlbertoZanon,

rules look fine, but if you are looking for a way to match PAN-OS syslog messages against indicators you should look into the syslogMatcher node. The syslogMatcher node can also send the details of the matched PAN-OS session to logstash for archival.

syslogMiner is useful if you want to build your own EDL with indicators extracted from PAN-OS logs.


What scenario are you interested in?


luigi

L1 Bithead

Hi,

at this stage I'm not interested in logstash + Kibana/Elasticsearch as a long-term repository, so the syslogMiner node type seems good enough.


Next step is to build up processor logic to evaluate indicators and metrics. Any useful docs to look at?


My wishes are:

- extract useful indicators + fields (i.e. generated_time) [done thanks to your suggestions]

- evaluate indicators against scripted conditions.

Some possible conditions:

1) accept indicators and create the output EDL only if the same value is seen at least a couple of times from the same ruleid/threatid

2) accept indicators and create the output EDL only if the same value is seen from different indicator rules


Regards

L7 Applicator

Hi @AlbertoZanon

1) is not possible today. I would think that the best place to implement that logic is inside the syslog miner. Basically an indicator would be created only if some temporal logic is satisfied.

2) what do you mean by "different indicator rules"? different syslog miner rules or different feeds?


Thanks !

luigi
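As an added example (not MineMeld's own code, nor anything posted by the participants in this thread), the following script shows how the rule conditions from the YAML above (`==`, `!=` and the `contains()` directive) can be evaluated against parsed PAN-OS log records, and how the "seen at least a couple of times from the same rule/threat" gate from wish 1 could be implemented as the temporal logic the reply describes. The condition grammar, the `RepeatGate` class, the threat ids and the `PARSED_LOGS` records are all assumptions constructed for illustration; real PAN-OS fields would come from the miner's parser.

```python
"""Evaluate syslog-miner style rules and gate indicators on repeat sightings.

Added example, not MineMeld code. Field names follow the YAML rules in the
thread; the log records, threat ids and the gate design are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Condition grammar (an assumption mirroring the thread's rules):
#   field == 'value'  |  field != 'value'  |  contains(field, 'text') == true
_CMP = re.compile(r"^(\w+)\s*(==|!=)\s*'([^']*)'$")
_CONTAINS = re.compile(r"^contains\((\w+),\s*'([^']*)'\)\s*==\s*(true|false)$")


def eval_condition(cond, log):
    """Return True if a single condition string holds for a parsed log record."""
    m = _CMP.match(cond.strip())
    if m:
        field, op, value = m.groups()
        actual = str(log.get(field, ""))  # missing field compares as empty string
        return (actual == value) if op == "==" else (actual != value)
    m = _CONTAINS.match(cond.strip())
    if m:
        field, needle, expected = m.groups()
        return (needle in str(log.get(field, ""))) == (expected == "true")
    raise ValueError("unsupported condition: %s" % cond)


def match_rules(rules, log):
    """Yield (rule_name, indicator_value) for each rule whose conditions all hold."""
    for rule in rules:
        if all(eval_condition(c, log) for c in rule["conditions"]):
            for field in rule["indicators"]:
                if log.get(field):
                    yield rule["name"], log[field]


class RepeatGate:
    """Release a value only once (rule, threat_id, value) was seen `threshold`
    times inside a sliding `window` (the temporal logic from wish 1)."""

    def __init__(self, threshold=2, window=timedelta(minutes=10)):
        self.threshold, self.window = threshold, window
        self._seen = defaultdict(list)

    def offer(self, rule_name, threat_id, value, when):
        key = (rule_name, threat_id, value)
        hits = [t for t in self._seen[key] if when - t <= self.window]
        hits.append(when)
        self._seen[key] = hits
        return len(hits) >= self.threshold


# Same rules as the thread's YAML, written as Python dicts.
RULES = [
    {"name": "sql_injection", "indicators": ["src_ip"], "conditions": [
        "type == 'THREAT'", "log_subtype == 'vulnerability'",
        "contains(threat_name, 'HTTP SQL Injection Attempt') == true"]},
    {"name": "test_traffic", "indicators": ["src_ip"], "conditions": [
        "type == 'TRAFFIC'", "src_location == 'IT'"]},
    {"name": "test_threat", "indicators": ["src_ip", "url_idx"], "conditions": [
        "type == 'THREAT'", "src_zone == 'FIBRA'", "dest_port != '22'"]},
    {"name": "ssh_login", "indicators": ["src_ip"], "conditions": [
        "type == 'THREAT'", "log_subtype == 'vulnerability'",
        "severity == 'informational'",
        "contains(threat_name, 'SSH2 Login Attempt') == true"]},
]


def _t(hhmm):
    """Constructed generated_time on a fixed day (assumption for the sample)."""
    return datetime(2017, 1, 10, int(hhmm[:2]), int(hhmm[3:]))


# Constructed parsed log records; threat ids and addresses are placeholders.
PARSED_LOGS = [
    {"type": "THREAT", "log_subtype": "vulnerability", "severity": "medium",
     "threat_name": "HTTP SQL Injection Attempt(tid-A)", "threat_id": "tid-A",
     "src_ip": "203.0.113.10", "generated_time": _t("00:01")},
    {"type": "THREAT", "log_subtype": "vulnerability", "severity": "medium",
     "threat_name": "HTTP SQL Injection Attempt(tid-A)", "threat_id": "tid-A",
     "src_ip": "203.0.113.10", "generated_time": _t("00:03")},
    {"type": "THREAT", "log_subtype": "vulnerability", "severity": "informational",
     "threat_name": "SSH2 Login Attempt(tid-B)", "threat_id": "tid-B",
     "src_ip": "198.51.100.7", "generated_time": _t("00:05")},
    {"type": "TRAFFIC", "src_location": "IT", "src_ip": "192.0.2.9",
     "generated_time": _t("00:06")},
]


def build_edl(logs, rules, gate):
    """Run logs through the rules; return the indicators the gate releases, in order."""
    released = []
    for log in logs:
        for rule_name, value in match_rules(rules, log):
            if gate.offer(rule_name, log.get("threat_id", ""), value,
                          log["generated_time"]) and value not in released:
                released.append(value)
    return released


if __name__ == "__main__":
    print(build_edl(PARSED_LOGS, RULES, RepeatGate()))  # only the repeated SQLi source
```

With the default gate (two sightings within ten minutes) only the source that triggered the SQL injection signature twice reaches the EDL; with `RepeatGate(threshold=1)` every matched source is released immediately, which is the behaviour the plain rules give today. Shrinking the window below the two-minute gap between the first two records drops the indicator again, which is the knob to tune against noisy sources.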

L3 Networker

@lmori


Can the syslog miner receive logs from Palo Alto Networks NGFW platforms only?

I tried sending syslog CEF (correlated rule alert) from ArcSight SIEM to my hosted Minemeld. I captured traffic via tcpdump; the Minemeld server gets the traffic from the SIEM. But I have not found any log on Minemeld.


I need to send Cyber Attack alerts from a rule on the SIEM via syslog into Minemeld.

When Minemeld receives the syslog (including the Source Address), it will output to stdlib.feedHCGreen.

Then the PaloAlto Firewall polls it via EDL. The attacker will be blocked.


Thank you.
