Eyeing the Onion
3. Introductions
• Brad Shoop - @bradshoop – http://eyeis.net
– IT since mid-90s, security-focused since 2006 (GCIH GCFA)
– Doc, testing and marketing contributor to Security Onion
– Technical Editor, The Practice of NSM (a must read!)
– Author of the Security Onion for Splunk apps
– Currently work for Mandiant
• Chris Rimondi - @crimondi - http://www.securitygrit.com/
– Father of three boys ages four and under
• Including one < month old!
– Former IT Director & Former Security Consultant
– Now with Mandiant
– ISSA Board Member Chattanooga
4. Agenda
• Big Data and Security Onion
• Splunk vs ELSA
• Splunk app
• What is ELSA? - Architecture Overview
• Integrating Conditional Data
• Dashboards
9. Learning with SO for Splunk
• Learn the logs!
• Follow the uid!
• Understand how logged events relate across toolsets:
– Bro – context & alerts
– Snort/Suricata – alerts
– OSSEC – alerts
• Identify normal from anomalous
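"Follow the uid" in practice, as an added example that is not part of the slides: a Snort/Suricata alert carries only a 5-tuple and a timestamp, so the pivot is alert -> matching Bro conn.log record -> uid -> every other Bro log sharing that uid (http.log here). The conn.log/http.log lines, uids and the alert are constructed; field lists mirror Bro 2.x column order for the columns shown.

```python
from collections import defaultdict

# Constructed Bro conn.log / http.log records (tab-separated, header lines omitted;
# column names are given explicitly). The uids are made up.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]
CONN_LOG = (
    "1400000000.100000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t50123\t192.168.0.10\t80\ttcp\thttp\n"
    "1400000001.200000\tCjhsdf2ldk3JHSdfw\t10.0.0.7\t50124\t192.168.0.20\t443\ttcp\tssl\n"
)
HTTP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "method", "host", "uri", "user_agent"]
HTTP_LOG = (
    "1400000000.150000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t50123\t192.168.0.10\t80"
    "\tGET\tintranet\t/cgi-bin/../../etc/passwd\tcurl/7.35\n"
)

# Constructed alert: a 5-tuple, a timestamp and a message, but no uid.
SAMPLE_ALERT = {"ts": 1400000000.2, "src": "10.0.0.5", "dst": "192.168.0.10", "dport": 80,
                "msg": "constructed-rule: passwd in URI"}


def parse_bro_log(text, fields):
    """Turn tab-separated Bro log lines into dicts keyed by column name."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def index_by_uid(records):
    """uid -> list of records; one connection can produce several http.log rows."""
    idx = defaultdict(list)
    for r in records:
        idx[r["uid"]].append(r)
    return idx


def find_conn(alert, conns, window=5.0):
    """Pick the conn.log record matching the alert's endpoints, nearest in time."""
    candidates = [
        c for c in conns
        if c["id.orig_h"] == alert["src"] and c["id.resp_h"] == alert["dst"]
        and int(c["id.resp_p"]) == alert["dport"]
        and abs(float(c["ts"]) - alert["ts"]) <= window
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda c: abs(float(c["ts"]) - alert["ts"]))


def alert_context(alert, conn_text=CONN_LOG, http_text=HTTP_LOG):
    """Alert -> conn uid -> all http.log rows for that uid (None if no conn matches)."""
    conns = parse_bro_log(conn_text, CONN_FIELDS)
    http_idx = index_by_uid(parse_bro_log(http_text, HTTP_FIELDS))
    conn = find_conn(alert, conns)
    if conn is None:
        return None
    return {"uid": conn["uid"], "conn": conn, "http": http_idx.get(conn["uid"], [])}


if __name__ == "__main__":
    ctx = alert_context(SAMPLE_ALERT)
    print(SAMPLE_ALERT["msg"], "->", ctx["uid"], [h["uri"] for h in ctx["http"]])
```

The same index can be built for notice.log, ssl.log, files.log and the rest; the uid is the join key across all of them, which is exactly what ELSA's Bro classes give you when you pivot on the uid field.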
15. ELSA WebAPI Architecture
[Diagram: the SO Server runs the ELSA Master. Each SO Sensor runs ELSA as a peer or a forwarder and talks to the Master over the network using SSL. A separate ELSA Forwarder collects syslog (over SSL) from firewalls, sysloggers and Windows hosts and passes it to the Master.]
SO Sensor ELSA as peer or forwarder.
Peer mode: events are indexed locally and queried remotely from the Master.
Forwarder mode: events are parsed, compressed, then forwarded via SSL to the Master node for indexing.
Yes, it can do both!
17. elsa_web.conf
apikeys: username (“secops”) and apikey (“001”) for web API authentication
peers: the local ELSA instance and ELSA Peers the instance has access to query.
Standalone ELSA Master
"apikeys": { "secops": "001" },
"peers": {
    "127.0.0.1": {
        "url": "http://127.0.0.1/",
        "username": "secops",
        "apikey": "001"
    }
},
ELSA Master with 1 Peer
"apikeys": { "secops": "001" },
"peers": {
    "127.0.0.1": {
        "url": "http://127.0.0.1/",
        "username": "secops",
        "apikey": "001"
    },
    "192.168.0.10": {
        "url": "http://192.168.0.10/",
        "username": "IT_ops_master",
        "apikey": "000"
    }
},
19. elsa_node.conf – archive/log limit
"archive": {
    # Uncomment to establish a retention period in days for archive logs
    #"days": 90,
    "percentage": 33,
    "table_size": 10000000
},
# Size limit in bytes for logs + index size. Set this to be 90-95% of your total data disk space.
# Size can also be specified as a percentage if the percent sign is included at the end (e.g. 95%).
"log_size_limit": 200000000000,
#"log_size_limit": "85%",
archive – percent of log_size_limit to devote to archive
log_size_limit – the total disk limit ELSA will use
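A sanity check over both config files from the slides, added here as an example (not an ELSA tool): it loads elsa_web.conf and elsa_node.conf, confirms every peer entry carries url/username/apikey, checks that the local 127.0.0.1 peer's credentials match the apikeys table (assumption: the Master must be able to authenticate to itself), flags short API keys and remote peers reached over plain http, and turns log_size_limit (bytes or "NN%") and archive.percentage into a disk budget checked against the 90-95% guidance above. The '#' comment lines are stripped before json parsing (assumption: ELSA does the same); the config text and disk sizes are constructed from the slide values.

```python
import json
import re

# Full-line '#' comments, as seen in elsa_node.conf on the slide.
COMMENT_RE = re.compile(r"^\s*#.*$", re.MULTILINE)

# Constructed from the slide values (the real files hold more keys).
WEB_CONF = """{
  "apikeys": { "secops": "001" },
  "peers": {
    "127.0.0.1": { "url": "http://127.0.0.1/", "username": "secops", "apikey": "001" },
    "192.168.0.10": { "url": "http://192.168.0.10/", "username": "IT_ops_master", "apikey": "000" }
  }
}"""

NODE_CONF = """{
  "archive": {
    # Uncomment to establish a retention period in days for archive logs
    #"days": 90,
    "percentage": 33,
    "table_size": 10000000
  },
  "log_size_limit": 200000000000
}"""


def load_elsa_conf(text):
    """Strip comment lines, then parse as JSON."""
    return json.loads(COMMENT_RE.sub("", text))


def web_conf_findings(conf, min_key_len=16):
    """Peer/apikey checks for elsa_web.conf; min_key_len is a local policy choice."""
    findings = []
    apikeys = conf.get("apikeys", {})
    for user, key in apikeys.items():
        if len(key) < min_key_len:
            findings.append(f"apikeys[{user}]: key is {len(key)} chars; use a long random value")
    for addr, peer in conf.get("peers", {}).items():
        missing = [k for k in ("url", "username", "apikey") if k not in peer]
        if missing:
            findings.append(f"peers[{addr}]: missing {missing}")
            continue
        if addr == "127.0.0.1" and apikeys.get(peer["username"]) != peer["apikey"]:
            findings.append(f"peers[{addr}]: local credentials do not match apikeys")
        if addr != "127.0.0.1" and peer["url"].startswith("http://"):
            findings.append(f"peers[{addr}]: remote peer queried over plain http")
    return findings


def resolve_log_size_limit(limit, disk_bytes):
    """log_size_limit is either an integer byte count or a string like "85%" of the data disk."""
    if isinstance(limit, str) and limit.endswith("%"):
        return disk_bytes * float(limit[:-1]) / 100.0
    return float(limit)


def node_conf_findings(conf, disk_bytes):
    """Disk budget from elsa_node.conf: archive gets archive.percentage of log_size_limit."""
    limit = resolve_log_size_limit(conf["log_size_limit"], disk_bytes)
    pct = conf["archive"]["percentage"]
    findings = []
    ratio = limit / disk_bytes
    if not 0.90 <= ratio <= 0.95:
        findings.append(f"log_size_limit is {ratio:.0%} of the data disk; guidance is 90-95%")
    return {"limit_bytes": limit, "archive_bytes": limit * pct / 100.0, "findings": findings}


if __name__ == "__main__":
    for f in web_conf_findings(load_elsa_conf(WEB_CONF)):
        print("web:", f)
    print("node:", node_conf_findings(load_elsa_conf(NODE_CONF), disk_bytes=215_000_000_000))
```

With the slide's values the web check reports the three-character key and the plain-http remote peer; the node check is clean for a 215 GB data disk and complains once the limit drops below 90% of it.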
23. Event vs. Condition
• Event
– Action of an asset
– Time occurred
– Other stuff describing action:
• Source & Destination IPs
• Condition
– State of an asset
– Time of state snapshot
– Other stuff describing the state:
• Configuration data
24. Event and Condition – Enhancing IR Process
• Sample Workflow
1. Analyst sees bad thing happen in SO
2. Analyst digs deeper into:
1. Other events that happened around the same time
2. Other behavior from involved assets
• Now it might be helpful to know a little more about the condition of assets at the time closest to the event happening
25. Event and Condition – Enhancing IR Process
• Helpful condition (configuration) information
– Processes running
– Ports open
– Services listening
– Operating system
– Known software
– Known vulnerabilities
26. Where can I find this information? And, more importantly, how do I get this data into ELSA for easy correlation?
27. SO SecOps Sources
• PRADS – already integrated?
• Bro – now integrated
– Known Software
– Known Certs
– Known Hosts
• Port Scanners and Vulnerability Scanners
– Nmap
– Nikto
– Nessus
– OpenVAS
32. Now let's get crazy
class=openvas host type="Web application abuses" risk_factor="High" groupby:dstip | subsearch(class=bro_http uri:passwd groupby:srcip)
In other words: Show me all source IP addresses that requested a resource with "passwd" in it where the server they communicated with had a vulnerability rated as high and of the type "Web application abuses".
33. One more time
class=nessus java risk_factor:critical groupby:srcip | subsearch(class=bro_http user_agent:java groupby:dstip, srcip) | whois | filter(cc,us)
In other words: Tell me all of the sites visited that had a country code captured from whois not in the US and where the client had a user agent string containing java and a critically rated Java vulnerability as discovered by Nessus.
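To make the two pipelines on slides 32 and 33 concrete, here is a small in-memory model of them, added as an example (it is not ELSA code and its semantics are a simplification): a search is class plus bare terms plus field:value substring matches, groupby collects distinct field tuples, subsearch keeps only inner records in which some field equals one of the outer groupby values, whois attaches a country code from a lookup table, and filter(cc,us) drops the US rows, which is the reading the slide's own wording gives it. Events, the whois table and all addresses are constructed (TEST-NET ranges for the external sites).

```python
# Constructed events in the shape ELSA's classes give them.
EVENTS = [
    {"class": "openvas", "dstip": "192.168.0.10", "type": "Web application abuses", "risk_factor": "High"},
    {"class": "openvas", "dstip": "192.168.0.20", "type": "Web application abuses", "risk_factor": "Low"},
    {"class": "bro_http", "srcip": "10.0.0.5", "dstip": "192.168.0.10", "uri": "/cgi-bin/../../etc/passwd", "user_agent": "curl/7.35"},
    {"class": "bro_http", "srcip": "10.0.0.6", "dstip": "192.168.0.20", "uri": "/etc/passwd", "user_agent": "curl/7.35"},
    {"class": "bro_http", "srcip": "10.0.0.7", "dstip": "192.168.0.10", "uri": "/index.html", "user_agent": "curl/7.35"},
    {"class": "nessus", "srcip": "10.0.0.5", "plugin": "Oracle Java SE multiple vulnerabilities", "risk_factor": "Critical"},
    {"class": "nessus", "srcip": "10.0.0.8", "plugin": "Oracle Java SE outdated", "risk_factor": "Medium"},
    {"class": "bro_http", "srcip": "10.0.0.5", "dstip": "203.0.113.5", "uri": "/applet.jar", "user_agent": "Java/1.7.0_25"},
    {"class": "bro_http", "srcip": "10.0.0.5", "dstip": "198.51.100.9", "uri": "/update", "user_agent": "Java/1.7.0_25"},
    {"class": "bro_http", "srcip": "10.0.0.8", "dstip": "203.0.113.5", "uri": "/applet.jar", "user_agent": "Java/1.7"},
]

# Constructed stand-in for the whois transform's country-code lookup.
WHOIS = {"203.0.113.5": "jp", "198.51.100.9": "us"}


def search(events, cls, terms=(), **fields):
    """class=cls, bare terms matched against any field, field:value as substring (case-insensitive)."""
    out = []
    for e in events:
        if e.get("class") != cls:
            continue
        blob = " ".join(str(v) for v in e.values()).lower()
        if not all(t.lower() in blob for t in terms):
            continue
        if all(v.lower() in str(e.get(f, "")).lower() for f, v in fields.items()):
            out.append(e)
    return out


def groupby(events, *fields):
    """Distinct tuples of the named fields, returned as dicts in sorted order."""
    rows = {tuple(e.get(f) for f in fields) for e in events}
    return [dict(zip(fields, r)) for r in sorted(rows)]


def subsearch(groups, events, cls, terms=(), **fields):
    """Outer groupby values become constraints: keep inner records with a field equal to one of them."""
    wanted = {str(v) for g in groups for v in g.values()}
    return [e for e in search(events, cls, terms, **fields)
            if any(str(v) in wanted for v in e.values())]


def whois(groups, cc_table, field="dstip"):
    return [dict(g, cc=cc_table.get(g[field], "unknown")) for g in groups]


def filter_out(groups, field, value):
    return [g for g in groups if g.get(field) != value]


def passwd_requests_to_vulnerable_servers(events=EVENTS):
    """Slide 32: sources that asked a High 'Web application abuses' host for a passwd URI."""
    vuln = groupby(search(events, "openvas", type="Web application abuses", risk_factor="High"), "dstip")
    hits = subsearch(vuln, events, "bro_http", uri="passwd")
    return [g["srcip"] for g in groupby(hits, "srcip")]


def java_clients_to_non_us_sites(events=EVENTS, cc_table=WHOIS):
    """Slide 33: (site, client, cc) for Java-UA visits from critically vulnerable Java clients, non-US only."""
    clients = groupby(search(events, "nessus", terms=("java",), risk_factor="critical"), "srcip")
    pairs = groupby(subsearch(clients, events, "bro_http", user_agent="java"), "dstip", "srcip")
    return [(g["dstip"], g["srcip"], g["cc"]) for g in filter_out(whois(pairs, cc_table), "cc", "us")]


if __name__ == "__main__":
    print(passwd_requests_to_vulnerable_servers())
    print(java_clients_to_non_us_sites())
```

Reading the results against the constructed data: 10.0.0.6 also fetched a passwd URI, but from a host OpenVAS rated Low, so it is dropped by the subsearch; 10.0.0.8 talks to the same foreign site with a Java user agent, but Nessus rated its Java finding Medium, so it never enters the client list.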
34. Process Data
• Snapshots of processes at a particular time
• Simple Python script that uses WMI to collect process information, converts it to syslog and sends it to ELSA
• Collects information on each process:
– Operating System
– PID
– Parent PID
– Process Name
– Creation time
– Source IP
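An example of the collector just described, added here and not the talk's own script: it takes a process snapshot (from WMI through the third-party wmi module when that is importable, otherwise from a constructed sample so it runs anywhere), formats one RFC 3164 syslog line per process with the slide's fields as key=value pairs so an ELSA parser can pick them out, and ships the lines over UDP. The Win32_Process/Win32_OperatingSystem property names, the "procsnap" tag, the local0.info priority and port 514 are assumptions.

```python
import socket
import time
from datetime import datetime

# Constructed snapshot standing in for WMI output on a host without the wmi module.
SAMPLE_PROCS = [
    {"pid": 4, "ppid": 0, "name": "System", "created": "20140513120000.000000-000"},
    {"pid": 512, "ppid": 4, "name": "smss.exe", "created": "20140513120001.000000-000"},
    {"pid": 1234, "ppid": 512, "name": "example.exe", "created": "20140513120530.000000-000"},
]


def collect_processes():
    """Return (os_name, [process dicts]) from WMI, or None if the wmi module is absent.
    Property names (ProcessId, ParentProcessId, Name, CreationDate, Caption) are an assumption."""
    try:
        import wmi  # third-party, Windows only
    except ImportError:
        return None
    c = wmi.WMI()
    os_name = c.Win32_OperatingSystem()[0].Caption
    procs = [{"pid": p.ProcessId, "ppid": p.ParentProcessId,
              "name": p.Name, "created": p.CreationDate} for p in c.Win32_Process()]
    return os_name, procs


def format_syslog(hostname, srcip, os_name, proc, snapshot_ts, facility=16, severity=6):
    """RFC 3164 line: <PRI>TIMESTAMP HOST TAG: key=value ... ; PRI = facility*8 + severity,
    so local0.info is <134>. key=value keeps the fields easy to extract in an ELSA parser."""
    pri = facility * 8 + severity
    stamp = datetime.fromtimestamp(snapshot_ts).strftime("%b %d %H:%M:%S")
    name = proc["name"].replace('"', "'")  # keep the quoting parseable
    msg = (f'snapshot_ts={int(snapshot_ts)} os="{os_name}" pid={proc["pid"]} ppid={proc["ppid"]} '
           f'name="{name}" created={proc["created"]} srcip={srcip}')
    line = f"<{pri}>{stamp} {hostname} procsnap: {msg}"
    if len(line.encode()) > 1024:  # RFC 3164 packet limit; do not silently truncate fields
        raise ValueError("syslog line too long")
    return line


def snapshot_lines(hostname, srcip, os_name=None, procs=None, snapshot_ts=None):
    """One syslog line per process; falls back to the constructed sample when WMI is unavailable."""
    if procs is None:
        found = collect_processes()
        os_name, procs = found if found else ("constructed-os", SAMPLE_PROCS)
    if snapshot_ts is None:
        snapshot_ts = time.time()
    return [format_syslog(hostname, srcip, os_name, p, snapshot_ts) for p in procs]


def send_udp(lines, server, port=514):
    """Ship the lines to the SO server's syslog listener (port is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (server, port))


if __name__ == "__main__":
    for line in snapshot_lines("ws01", "10.0.0.5"):
        print(line)
```

Because every line carries the same snapshot_ts, a search on that value in ELSA returns the whole snapshot, and ppid/pid let you rebuild the process tree for the host at the moment closest to the event you are investigating.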
37. What I have learned from building lots of parsers
• Familiarize yourself with existing fields and classes in ELSA:
– mysql> use syslog; select * from classes; select * from fields;
• Reuse instead of building new
• Think about IR process:
– How can I link this log type to other log types?
– What would I want to filter on?