Using Elastalert to Generate Case Alerts for TheHive

TheHive is a security incident response platform that can be used to triage and enrich alerts from your security systems. Unfortunately it doesn’t have a mechanism for alerting you if there is a new event. One way to solve this is to use Elastalert.

Elastalert is a alerting tool for Elasticsearch data. It performs queries and can send the results into other systems, one of which is email.

1. Install elastalert using the documentation
2. Edit /etc/elastalert/config.yaml to use TheHive’s Elasticsearch database
3. Create the elastalert (elastalert_status) index in Elasticsearch
4. In the rules sub directory create the file thehive-email-alert.yaml
5. Add the following content and save

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True

#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: TheHive New Alert Email

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: the_hive_*

timestamp_field: date
timestamp_type: unix_ms

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
minutes: 15

aggregation:
minutes: 15

aggregation_key: "title"


# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
#filter:
#- query:
# query_string:
# query: "*"

# (Required)
# The alert is use when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- "myemailaddress@example.com"
from_addr: "thehivealerts@mythehiveserver.com"
smtp_host: "smtp.example.com"
email_reply_to: "myoperationsteam@example.com"
alert_subject_args:
- "title"
alert_subject: "New TheHive case: {0}"

6. Test it works by running

elastalert-test-rule --config /etc/elastalert/config.yaml /etc/elastalert/rules/thehive-email-alert.yaml --days 7 --alert

7. Start Elastalert

systemctl start elastalert

Cisco VPN Client no longer works on Windows 10

After upgrading to Windows 10 (or installing fresh I guess), Cisco VPN Client (the old IKE1 version) no longer works. If you upgraded the “Cisco VPN Client” service is missing and if you type in “VPN” into Cortana the “VPN Client” no longer shows up. Trying to reinstall gives the error

Your app does not work with Windows 10

Ryan Ternier has worked out a fix and I’m publishing it here so it’s easier for me to find…here it is in the long form:

1. Click on the Start button -> Settings -> System-> Apps and Features -> Uninstall Cisco VPN Client
2. Now download the Sonicwall VPN Client from http://help.mysonicwall.com/applications/vpnclient/
3. Install the Sonicwall VPN Client
4. Extract the vpnclient-winx64-msi-5.0.07.0440-k9.exe and right click vpnclient_setup.msi and select Install
5. Run through the installer steps
6. Once done click on Start button and type Regedit as administrator
7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA and edit the “DisplayName” REG_SZ object.
8. Change the contents of DisplayName from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”
9. Either reboot or start up services.msc and start the Cisco VPN service
10. Open the VPN client as normal and try and connect
11. It should now work again.

Thanks to Ryan Ternier and OCGrumpa in post http://weblogs.asp.net/rternier/getting-cisco-s-ipsec-vpn-client-working-on-windows-10.

Firesight integration with OSSIM

Firesight, which is now Cisco, was originally developed by the same guys who wrote snort. The software runs the professional VRT snort feed underneath. The output is a slightly different format but we can tweak OSSIM to read in the syslog alerts.

1. In your Firesight intrusion policy click on Advanced Settings -> Syslog Alerting.

2. Type in the IP of your OSSIM server and assign a priority etc.

3. Save and push the policy to your Sourcefire nodes.

4. Now on the OSSIM box connect over SSH and select Jailbreak from the menu.

5. Now we need to send the alerts into the alerts file. Create a new file /etc/rsyslog.d/zzzzz_snort_syslog.conf and add in this text:

if $msg contains 'SFIMS' then -/var/log/snort/alert
& ~
if $syslogtag contains 'SFIMS' then -/var/log/snort/alert
#Stop
& ~

6. Now you need to edit the snort-syslog config file so that it can understand the Firesight format. Edit /etc/ossim/agent/plugins/snort_syslog.cfg and at the bottom add:

[05_snort-syslog-sourcefire-format]
event_type=event
regexp=(\w+\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+([a-zA-Z0-9\-]+)\s+[SFIMS:]{1,6}\s+\[([a-zA-Z0-9_\s]+)\s+\(([0-9a-z\-]+)\)\]\[(.+)\]\[(([0-9]+)\:([0-9]+)\:[0-9]+)\]\s+\"(.+)\"\s+\[Classification\:\s+(.+)\]\s+User\:\s+(.+)\,\s+Application\:\s+(.+)\,\s+Client:\s+(.+)\,\s+App Protocol\:\s+(.+)\,\s+Interface Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Interface Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Ingress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Security Zone Egress\:\s+([a-zA-Z\-\_0-9]+)\,\s+Context\:\s+([a-zA-Z\-\_0-9]+)\,\s+\[Priority\:\s+([0-9]+)\]\s+\{([A-Z]+)\}\s+([0-9.]+):([0-9]+)\s->\s([0-9.]+):([0-9]+)
date={normalize_date($1)}
device={resolv($2)}
plugin_id=1001
plugin_sid={$8}
protocol={$21}
src_ip={$22}
src_port={$23}
dst_ip={$24}
dst_port={$25}
userdata1={$5}
userdata2={$4}
userdata3={$9}
userdata4={$15}
userdata5={$16}
userdata6={$17}
userdata7={$18}
userdata8={$20}

7. Save the file.

8. Now enable the collector. Type ossim-setup to load the ossim curses gui, choose Configure Sensor -> Configure Data Source Plugins -> Select snort-syslog then click OK -> Back -> Apply all Changes. This will start the snort-syslog collector.

9. Generate some dummy alerts in Sourcefire and then come back and check in the OSSIM GUI to see they have been processed.

Keeping OSSIM DB tables in check

In every OSSIM install I have done I’ve found the built in system for keeping the database size to manageable level doesn’t work very well. Eventually several tables gobble up all the disk space and fill the mysql partition. To make matters worse the default install uses a single ibdata file which doesn’t get released when you delete entries from the table.

So, I wrote this script to periodically check several problem tables and remove the oldest entries when they get to a certain size. What this size is depends on your environment. The problem tables I found to be were:

• alienvault.extra_data
• alienvault_siem.extra_data
• alienvault.host_qualification
• alienvault_siem.acid_event

I’ve just copied and pasted the same code 4 times as I was feeling lazy. You can find the mysql root password in /etc/ossim/ossim_setup.conf. Input that into the MYSQL_PASS variable. By default to script looks for when the number of rows in the table is greated than the THRESHOLD_ROWS value of 5000000. It will remove the number of rows that are more than this up to 5000000 in one go, so you should probably set this to run frequently, say hourly in a busy system.

#!/bin/bash
MYSQL_USER="root"
MYSQL_PASS="123456789"
THRESHOLD_ROWS=5000000
TARGET_DB="alienvault"
TARGET_TABLE="extra_data"
TARGET_COL_ORDER="event_id"
ROWS_PER_RUN=5000000

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count($TARGET_COL_ORDER) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

TARGET_DB="alienvault_siem"
TARGET_TABLE="extra_data"
TARGET_COL_ORDER="event_id"

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count($TARGET_COL_ORDER) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

TARGET_DB="alienvault"
TARGET_TABLE="host_qualification"
TARGET_COL_ORDER="hex(host_id)"

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count(host_id) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

TARGET_DB="alienvault_siem"
TARGET_TABLE="acid_event"
TARGET_COL_ORDER="timestamp"

echo "Getting row count from table $TARGET_DB.$TARGET_TABLE"
numrows=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "select count($TARGET_COL_ORDER) from $TARGET_DB.$TARGET_TABLE" | grep -v count | grep -v "-"`

echo "Got $numrows rows from table $TARGET_DB.$TARGET_TABLE"

if [ $numrows -gt $THRESHOLD_ROWS ]
then
        let "rowstodelete = $numrows - $THRESHOLD_ROWS"
        if [ $rowstodelete -gt $ROWS_PER_RUN ]
        then
                echo "Deleting $ROWS_PER_RUN from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $ROWS_PER_RUN"`
        else
                echo "Deleting  $rowstodelete from table $TARGET_DB.$TARGET_TABLE"
                result=`mysql -u $MYSQL_USER --password=$MYSQL_PASS -e "delete from $TARGET_DB.$TARGET_TABLE order by $TARGET_COL_ORDER ASC LIMIT $rowstodelete"`
        fi
        echo "Result=$result (blank is good)"
else
        echo "Number of rows = $numrows which not more than $THRESHOLD_ROWS so nothing to do."
fi

You can also download the script here.

Cisco ASDM errors with “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure” on connecting

After changing the Remote Access -> Advanced -> SSL Settings -> Active Algorithms you are no longer able to connect with ASDM and get this error:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

No help is given by ASDM as to why you are unable to connect. However, the problem is caused by the client not being able to negotiate a common encryption scheme from the “active algorithms” list. To fix:

1. Open SSH to the ASA

2. Type the following:

ciscoasa(config)# ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ciscoasa(config)# no http server enable
ciscoasa(config)# http server enable

3. Try and reconnect with ASDM

 

OpenVPN errors with “All TAP-Win32 adapters on this system are currently in use.”

OpenVPN may work for a while then suddenly not be able to connect. If you delve into the logs you may find this error:

All TAP-Win32 adapters on this system are currently in use.

OpenVPN uses a TAP interface which appears in the “Network Connections”. To fix this error try these steps:

1. Go to control panel -> Network Connections (or Windows Key -> type network -> click Settings, then select Network Connections”
2. Find the interface with the description “TAP-Windows Adapter”. Right click it and select Disable, then enable it again.
3. If the interface is already disabled just enable it.
4. Retry OpenVPN

 

 

 

NXlog – Parsing Squid access logs to json

For those of you using nxlog agents to parse logs here is a working squid access.log configuration:

<Extension squid_parse_action>
      Module xm_csv
      Fields $HTTPMethod, $HTTPResponseStatus
      FieldTypes string, string
      Delimiter '/'
      EscapeControl FALSE
      UndefValue -
</Extension>

<Extension squid_parse_hierarchy>
      Module xm_csv
      Fields $action, $dst_ip
      FieldTypes string, string
      Delimiter '/'
      EscapeControl FALSE
      UndefValue -
</Extension>

<Input in_file_squid_access_log>
      Module im_file
      File "/var/log/squid/access.log"
      SavePos TRUE
      ReadFromLast TRUE
      Exec if $raw_event =~ /^(\S+)\s+(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)/ \
      { \
           $epochtimetmp = $1; \
           $duration = $2; \
           $src_ip = $3; \
           squid_parse_action->parse_csv($4);\
           $FileSize = $5; \
           $HTTPMethod = $6; \
           $HTTPURL = $7; \
           $ident = $8; \
           squid_parse_hierarchy->parse_csv($9); \
           $contenttype = $10; \
           if $epochtimetmp =~ s/\.//g; \
           $epochtime=integer($epochtimetmp)*1000;\
           $EventTime = datetime($epochtime); \
           $type = "squid_access_log"; \
           $Hostname = hostname(); \
           $MessageSourceAddress = hostname(); \
           $Message = $raw_event; \
           to_json();\
      } \
      else \
      {\
           $Hostname = hostname(); \
           $MessageSourceAddress = hostname(); \
           $Message=$raw_event; \
           to_json();\
      }
</Input>

The timestamp in the squid log file is in unixtime and is in seconds with milliseconds after the decimal place. The datetime function converts unix/epoch time into datetime but expects an integer containing microseconds. For this reason the function removes the decimal place and multiplies the result by 1000 to get the number of microseconds.

rancid-run exits immediately after upgrade to 3.x from 2.x

After upgrading I had the issue where rancid-run exited straight away after launching. As a result no system configurations were collected. The following is seen in the latest log file in the var/logs directory:

starting: Wed Oct 29 12:30:15 GMT 2014

ending: Wed Oct 29 12:30:15 GMT 2014

It turns out that in version 3 the delimiter in the router.db has changed from a colon : to a semi-colon ;. This is to avoid problems with IPv6 addresses. More here.

Old format of router.db:

10.0.0.1:cisco:up

New format:

10.0.0.1;cisco;up

Virtualbox headless startup script in vbScript

I wanted a VM to start up every time I booted up my machine instead of waiting for me to start the machine manually. To do this I created a vbscript and added it to my Scheduled Tasks to run on startup:

strMyCommand = """C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe"" -startvm myservervm"
exec strMyCommand, 0, 0

function exec (tmpprogramme,intWindowStyle, boolWaitforFinish )
Set WshShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run tmpprogramme, intWindowStyle, boolWaitforFinish
end function

Copy and paste the text into a vbs file and save it.

The command launches the command vboxheadless -startvm myservervm to boot the VM without showing it on the desktop taskbar. To stop the server load the Virtualbox Manager and shutdown/suspend/save it. Then you can start it using the Manager software if you wish as normal.

A hacked together bash script to scan for heartbleed vulnerable services

Here’s a script to scan networks to look for services vulnerable to the heartbleed OpenSSL bug. It uses NMAP to scan for pingable hosts and obtain a list of network ports open and then uses the hb_test.py script to check if they’re vulnerable.

Grab the hb_test.py script here.

Edit the network variable in the script to change the list of networks to scan.

#!/bin/bash

# This is the string we're looking for in the python script output
pattern="server is vulnerable"

#Networks to scan
network="192.168.0.0/24 192.168.1.0/24"

echo -ne "Scanning network(s) $network                                                 \r"

#Use NMAP to find the IPs that ping in the networks listed
network_ips=(`nmap -n -sn -PE $network | grep "Nmap scan" | awk {'print $5'} | awk 1 ORS=' '`)

for ip in "${network_ips[@]}"
do
        echo -ne "NMAP port scan on $ip                                              \r"
		# Get a list of open ports on the IP address
        ports=(`nmap  -sT $ip | grep open | awk '{print $1}' | awk -F '/' '{print $1}' | awk 1 ORS=' '`)
        rc=$?
        if [[ $rc -eq 0 ]] ; then
                for p in "${ports[@]}"
                do
                        echo -ne "Scanning $ip on port $p                            \r"
						# If the port is 25 then let's try STARTTLS
                        if [[ $p -eq 25 ]] ; then
                                echo -ne "Scanning $ip on port $p (smtp)             \r"
                                output=`timeout 1 python ./hb_test.py $ip -s -p $p 2>&1`
                        else
								# Otherwise just do normal SSL
                                output=`timeout 1 python ./hb_test.py $ip -p $p 2>&1`
                        fi
						# Check if the text output matched
                        if [ "x" != "x`echo $output | grep "$pattern"`" ]; then
                                echo "$ip - port $p - VULNERABLE"
                        fi
                done
        fi
done