Lennart Koopmann lennartkoopmann
lennartkoopmann / graylog_pipeline_rule_snort.rxt
Created July 19, 2016 21:26
Parsing a Snort alert message with the Graylog Processor Pipelines
rule "Extract Snort alert fields"
when
has_field("message")
then
let m = regex("^\\s?\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)] \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}):(\\d{1,5}) -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}):(\\d{1,5})\\R?", to_string($message.message));
set_field("snort_alert", true);
set_field("generator_id", m["0"]);
set_field("signature_id", m["1"]);
lennartkoopmann / gist:6f6bd3c122d5be77d18ef66a7349484d
Created December 15, 2020 14:35
Graylog: command_and_control_sunburst_dst_ip
rule "command_and_control_sunburst_dst_ip"
// Written by Recon InfoSec SOC Team
//
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
when
has_field("dst_ip_is_internal")
AND
to_string($message.dst_ip_is_internal) == "false"
lennartkoopmann / gist:9c71bc32c8d6f30cdfb268bde4eef83e
Created December 15, 2020 14:34
Graylog: command_and_control_sunburst_dst_hostname
rule "command_and_control_sunburst_dst_hostname"
// Written by Recon InfoSec SOC Team
//
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
when
has_field("dst_ip_is_internal")
AND
to_string($message.dst_ip_is_internal) == "false"
pi@parabola:~ $ ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:0f:0e:d4
inet addr:172.16.0.136 Bcast:172.16.0.255 Mask:255.255.255.0
inet6 addr: fe80::8966:2353:4688:c9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:349 errors:0 dropped:8 overruns:0 frame:0
TX packets:378 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:75761 (73.9 KiB) TX bytes:69865 (68.2 KiB)
pi@parabola:~ $ ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:0f:0e:d4
inet addr:172.16.0.136 Bcast:172.16.0.255 Mask:255.255.255.0
inet6 addr: fe80::8966:2353:4688:c9a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1327 errors:0 dropped:22 overruns:0 frame:0
TX packets:1118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:290630 (283.8 KiB) TX bytes:233228 (227.7 KiB)
interfaces: {
rest_listen_uri: "https://0.0.0.0:22900/"
http_external_uri: "https://nzyme.example.org:22900/"
use_tls: true
tls_certificate_path: /path/to/cert.pem
tls_key_path: /path/to/key.pem
}
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
{
type: email
enabled: false
# One of: SMTP, SMTPS or SMTP_TLS
transport_strategy: SMTP_TLS
host: smtp.example.org
port: 587
username: "your_username"
alerting {
# Notifications and callbacks for triggered alerts.
callbacks: [
{
type: email
enabled: false
# One of: SMTP, SMTPS or SMTP_TLS
transport_strategy: SMTP_TLS
output.logstash:
hosts: ["192.168.191.10:5044", "192.168.191.20:5044"]
loadbalance: false
winlogbeat:
event_logs:
- name: Application
- name: System
- name: Security
- name: Microsoft-Windows-Sysmon/Operational