3. Introductions
• Brad Shoop - @bradshoop – http://eyeis.net
– IT since mid-90s, security-focused since 2006 (GCIH GCFA)
– Doc, testing and marketing contributor to Security Onion
– Technical Editor, The Practice of NSM (a must read!)
– Author Security Onion for Splunk apps
– Currently work for Mandiant
• Chris Rimondi - @crimondi - http://www.securitygrit.com/
– Father of three boys ages four and under
• Including one < month old!
– Former IT Director & Former Security Consultant
– Now with Mandiant
– ISSA Board Member Chattanooga

4. Agenda
• Big Data and Security Onion
• Splunk vs ELSA
• Splunk app
• What is ELSA? - Architecture Overview
• Integrating Conditional Data
• Dashboards

5. Security Onion Makes A Lot of
Data
ELSA
Bro IDS
Snort/Suricata
OSSEC

6. SecOps Needs More Data
ELSA
Firewalls
Windows
Syslog

7. Splunk vs ELSA
Splunk ELSA
Google-style search Google-style search
Event parsing Event parsing
Custom visualization Basic visualization
Custom dashboard capability Basic dashboard capability
Fast (but not “ELSA fast”) Sub-second searches
Multi-field groupbys Single field groupbys
$$$ Open Source (GNU GPL v2)

8. Splunk vs. ELSA

9. Learning with SO for Splunk
• Learn the logs!
• Follow the uid!
• Understand how logged events relate across
toolsets:
– Bro – context & alerts
– Snort/Suricata – alerts
– OSSEC – alerts
• Identify normal from anomalous

13. Security Onion for Splunk Demo
• Security Onion for Splunk
– http://splunk-base.splunk.com/apps/45784/security-onion
• Security Onion Server/Sensor Add-on
– http://splunk-base.splunk.com/apps/52461/security-onion-
serversensor-add-on

14. ELSA Architecture

15. ELSA WebAPI Architecture
SO Sensor/
ELSA Peer or
Forwarder
SO Sensor/
ELSA Peer or
Forwarder
SO Sensor/
ELSA Peer or
Forwarder
SO Server/
ELSA Master
Firewalls Sysloggers
ELSA
Forwarder
Windows
Network Network Network
SSL
Syslog/SSL
SO Sensor ELSA as peer
or forwarder.
Peer mode: events
indexed locally and
queried remotely from
the Master
Forwarder mode: events
are
parsed, compressed, the
n forwarded via SSL to
Master node for
indexing.
Yes, it can do both!

17. elsa_web.conf
apikeys: username (“secops”) and apikey (“001”) for web API authentication
peers: the local ELSA instance and ELSA Peers the instance has access to query.
Standalone ELSA Master
apikeys": { ”secops": ”001" },
"peers": {
"127.0.0.1": {
"url": "http://127.0.0.1/",
"username": ”secops",
"apikey": ”001"
}
},
ELSA Master with 1 Peer
apikeys": { ”secops": ”001" },
"peers": {
"127.0.0.1": {
"url": "http://127.0.0.1/",
"username": ”secops",
"apikey": ”001"
},
”192.168.0.10": {
"url": "http://192.168.0.10/",
"username": ”IT_ops_master",
"apikey": “000"
}
},

18. ELSA Masters/Peers
Network Events Auth Events
IDS/AV/Firewall/
DNS
ELSA Peer 3
user: ops
apikey: 002
ELSA Peer 2
user: ops
apikey: 001
ELSA Peer 1
user: secops
apikey: 001
ELSA Master
SecOps
ELSA Master
IT Ops

19. elsa_node.conf – archive/log
limit
archive": {
# Uncomment to establish a retention period in days for archive logs
#”days”: 90,
“percentage”: 33,
“table_size”: 10000000
},
# Size limit in bytes for logs + index size. Set this to be 90-95% of your total data disk space.
# Size can also be specified as a percentage if the percent sign is included at the end (e.g. 95%).
"log_size_limit" : 200000000000,
#”log_size_limit” : “85%”,
archive – percent of log_size_limit to devote to archive
log_size_limit – the total disk limit ELSA will use

20. ELSA Forwarder
Network Events
Auth Events
IDS/AV/Firewall/
DNS
ELSA Peer 3
user: ops
apikey: 002
ELSA Peer 2
user: ops
apikey: 001
ELSA Peer 1
user: secops
apikey: 001
ELSA Master
SecOps
ELSA Master
IT Ops
ELSA Forwarder
user: ops
apikey: 001
WAN Events

21. elsa_node.conf – Forwarding
#"forwarding": {
# "forward_only": 1, # set to zero to both forward and index/archive
# "destinations": [
# { "method": "cp", "dir": "/mnt/nfs/central_server" },
# Example with password
# { "method": "scp", "user": "user", "password": "password", "port": 8022, "host":
"central.elsa.local", "dir": "/data/elsa/tmp/buffers" },
# Example using key
# { "method": "scp", "key_path": "/root/.ssh/id_rsa.pub", "host": "central.elsa.local",
"dir": "/data/elsa/tmp/buffers" }
# Example using URL forwarding
# { "method": "url", "url": "https://example.com/API/upload", "verify_mode": 0 }
# Example for an ops log server (logs about ELSA operations for sending multiple ELSA node logs to,
not the logs ELSA indexes)
# { "ops": 1, "method": "url", "https://opslogs.example.com/API/upload", "verify_mode": 1 }
# ]
#},
method – how/where to forward events
ops – ELSA instance receiving ops logs (node.log & web.log)

22. Under the Hood
Sphinx
Indexing
ELSA
Storage
ELSA
Buffers
ELSAEvents
syslog
ssl
(preformatted)
pattern_db
extract
raw text file
(buffers)
Index
(mysql)
Archive
(mysql)
Sphinx
temp index
(RAM)
perm index
(disk)

23. Event vs. Condition
• Event
– Action of an asset
– Time occurred
– Other stuff describing action:
• Source & Destination IPs
• Condition
– State of an asset
– Time of state snapshot
– Other stuff describing the state:
• Configuration data

24. Event and Condition
Enhancing IR Process
• Sample Workflow
1. Analyst sees bad thing happen in SO
2. Analyst digs deeper into
1. Other events that happened around same
time
2. Other behavior from involved assets
• Now it might be helpful to know a little
more about the condition of assets at
time closest to event happening

25. Event and Condition
Enhancing IR Process
• Helpful condition (configuration)
information
– Processes running
– Ports open
– Services listening
– Operating system
– Known software
– Known vulnerabilities

26. Where can I find this
information?
&
More importantly how
do I get this data into
ELSA for easy
correlation?

27. SO SecOps Sources
• PRADS – already integrated?
• Bro – now integrated
– Known Software
– Known Certs
– Known Hosts
• Port Scanners and Vulnerability Scanners
– Nmap
– Nikto
– Nessus
– OpenVAS

28. VAtoELSA.py
VA XML Data
Flatten
Syslog ELSA
MySQL
https://github.com/ChrisRimondi/va_to_elsa

29. $ python VAtoELSA.py –i report.nessus –r nessus –e
elsa_ip

30. $ python VAtoELSA.py –i report.xml –r openvas –e
elsa_ip

31. Putting it all together

32. Now lets get crazy
class=openvas host type="Web application
abuses” risk_factor=”High” groupby:dstip |
subsearch(class=bro_http uri:passwd
groupby:srcip)
In other words: Show me all source IP
addresses that requested a resource with
„passwd‟ in it where the server they
communicated with had a vulnerability
rated as high and of the type “Web
application abuses”.

33. One more time
class=nessus java risk_factor:critical
groupby:srcip | subsearch(class=bro_http
user_agent:java groupby:dstip, srcip) |
whois | filter(cc,us)
In other words: Tell me all of the sites
visited that had a country code captured
from whois not in the US and where the
client had a user agent string containing
java and a critically rated Java vulnerability
as discovered by Nessus.

34. Process Data
• Snapshots of processes at a particular
time
• Simple Python script that uses WMI to
collect process information, convert to
syslog and send to ELSA
• Collections information on each process
– Operating System
– PID
– Parent PID
– Process Name
– Creation time
– Source IP

35. Currently executing Java processes

36. Something is amiss…

37. What I have learned from
building lots of parsers
• Familiarize yourself with existing fields
and classes in ELSA:
– mysql> use syslog; select * from classes;
select * from fields;
• Reuse instead of building new
• Think about IR process:
– How can I link this log type to other log
types?
– What would I want to filter on?

38. New Content
Parsers
• bro_ftp
• bro_weird
• bro_tunnel
• bro_software
• bro_ssh
• bro_irc
• bro_syslog
• capture_loss
• known_certs
• known_hosts
• known_services
VA Integration
• Nessus
• Nikto
• OpenVAS
• Nmap
Dashboards
• Network Hunting
• Host Hunting
• SO Overview
• SSL
• SSH
• FTP
• SMTP

39. Dashboards