HASecuritySolutions
diff --git a/‎.gitattributes
+17 b/‎.gitattributes
+17
diff --git a/‎.gitignore
+43 b/‎.gitignore
+43
diff --git a/‎Field Name Guidelines.docx
14.3 KB b/‎Field Name Guidelines.docx
14.3 KB
diff --git a/‎autorun.conf
+37 b/‎autorun.conf
+37
diff --git a/‎bro.tar
107 KB b/‎bro.tar
107 KB
diff --git a/‎configfiles-OPTIONAL/1000_preprocess_log_elapsed.conf
+13 b/‎configfiles-OPTIONAL/1000_preprocess_log_elapsed.conf
+13
diff --git a/‎configfiles-OPTIONAL/8998_postprocess_log_elapsed.conf
+19 b/‎configfiles-OPTIONAL/8998_postprocess_log_elapsed.conf
+19
diff --git a/‎configfiles-setup_required/8007_postprocess_dns_top1m_tagging.conf
+25 b/‎configfiles-setup_required/8007_postprocess_dns_top1m_tagging.conf
+25
diff --git a/‎configfiles-setup_required/8502_postprocess_freq_analysis_bro_dns.conf
+71 b/‎configfiles-setup_required/8502_postprocess_freq_analysis_bro_dns.conf
+71
diff --git a/‎configfiles-setup_required/8503_postprocess_freq_analysis_bro_http.conf
+45 b/‎configfiles-setup_required/8503_postprocess_freq_analysis_bro_http.conf
+45
diff --git a/‎configfiles-setup_required/8504_postprocess_freq_analysis_bro_ssl.conf
+91 b/‎configfiles-setup_required/8504_postprocess_freq_analysis_bro_ssl.conf
+91
@@ -0,0 +1,17 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs     diff=csharp
+
+# Standard to msysgit
+*.doc	 diff=astextplain
+*.DOC	 diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot  diff=astextplain
+*.DOT  diff=astextplain
+*.pdf  diff=astextplain
+*.PDF	 diff=astextplain
+*.rtf	 diff=astextplain
+*.RTF	 diff=astextplain
@@ -0,0 +1,43 @@
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# =========================
+# Operating System Files
+# =========================
+
+# OSX
+# =========================
+
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Thumbnails
+._*
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
@@ -0,0 +1,37 @@
+# Author: Justin Henderson
+# Email: [email protected]
+# Last Update: 11/18/2015
+#
+# This conf file is based on accepting logs for autorunsc that are in tab delimited format
+# The command ran to generate these logs is : NEED_TO_ADD_COMMAND
+input {
+	tcp {
+      port => 5001
+      type => "autorun"
+  }
+}
+
+filter {
+  if [type] == "autorun" {
+    # This is the initial parsing of the log
+	grok {
+		match => { "message" => "%{DATA:Time}\t%{DATA:EntryLocation}\t%{DATA:Entry}\t%{DATA:Enabled}\t%{DATA:Category}\t%{DATA:Profile}\t%{DATA:Description}\t%{DATA:Publisher}\t%{DATA:ImagePath}\t%{DATA:Version}\t%{DATA:LaunchString}\t%{DATA:MD5}\t%{DATA:SHA1}\t%{DATA:PESHA1}\t%{DATA:PESHA256}\t%{GREEDYDATA:IMP}"}
+	}
+	# Drop the message field as it is not very readable and unneccessary
+	mutate {
+		remove_field => [ "message"]
+	}
+  }
+}
+
+
+output {
+  if [type] == "autorun" {
+    elasticsearch {
+	  # Because of the amount of data and the data usage of this type of log I prefer it in a different index.
+	  # If you do not want this then comment out the index field below
+	  index => "autorun-%{+YYYY.MM.dd}"
+    }
+  }
+}
+
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: [email protected]
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event['task_start'] = Time.now.to_f;"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: [email protected]
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event['task_end'] = Time.now.to_f;"
+  }
+  ruby {
+    code => "event['logstash_time'] = event['task_end'] - event['task_start']"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
@@ -0,0 +1,25 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: [email protected]
+# Last Update: 4/11/2017
+
+filter {
+  if [type] == "dns" {
+    if [highest_registered_domain] {
+      rest {
+        request => {
+          url => "http://localhost:20000/alexa/%{highest_registered_domain}"
+        }
+        sprintf => true
+        json => false
+        target => "site"
+      }
+      if [site] != "0" and [site] {
+        mutate {
+          add_tag => [ "top-1m" ]
+          remove_field => [ "site" ]
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,71 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: [email protected]
+# Last Update: 4/11/2017
+
+filter {
+  if [type] == "dns" {
+    # If Query exists run a frequency analysis against it.  In order for this to work you must have
+    # freq.py and the corresponding frequency table in /opt/freq/.  This is a huge boost to security
+    # and I highly recommend you set this up.  Example, if a frequency score less than 6 exists
+    # then there is a likelihood that something malicious is happening.
+    #
+    # For higher accuracy, please generate your own frequency tables.  For questions on setup,
+    # please refer to https://github.com/SMAPPER
+    if [query_type_name] == "A" or [query_type_name] == "AAAA" and "top-1m" not in [tags] {
+      if [parent_domain] and [parent_domain_length] > 5 {
+        mutate {
+          add_field => { "freq_parent_domain" => "%{parent_domain}"}
+        }
+        mutate {
+          gsub => [ "freq_parent_domain", "\W", "" ]
+        }
+        rest {
+          request => {
+            url => "http://localhost:10004/measure/%{freq_parent_domain}"
+          }
+          sprintf => true
+	  json => false
+          target => "parent_domain_frequency_score"
+        }
+        mutate {
+          remove_field => [ "freq_parent_domain" ]
+        }
+        if [parent_domain_frequency_score] {
+          mutate {
+            convert => [ "parent_domain_frequency_score", "float" ]
+            add_field => { "frequency_scores" => "%{parent_domain_frequency_score}" }
+          }
+        }
+      }
+      if [subdomain] and [subdomain_length] > 5 {
+        mutate {
+          add_field => { "freq_subdomain" => "%{subdomain}"}
+        }
+        mutate {
+          gsub => [ "freq_subdomain", "\W", "" ]
+        }
+        rest {
+          request => {
+            url => "http://localhost:10004/measure/%{freq_subdomain}"
+          }
+          sprintf => true
+	  json => false
+          target => "subdomain_frequency_score"
+        }
+        mutate {
+          remove_field => [ "freq_subdomain" ]
+        }
+        if [subdomain_frequency_score] {
+          mutate {
+            convert => [ "subdomain_frequency_score", "float" ]
+            add_field => { "frequency_scores" => "%{subdomain_frequency_score}" }
+          }
+        }
+      }
+    }
+	mutate {
+	  #add_tag => [ "conf_file_8502"]
+	}
+  }
+}
@@ -0,0 +1,45 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: [email protected]
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "bro_http" {
+    # If uri exists run a frequency analysis against it.  In order for this to work you must have
+    # freq.py and the corresponding frequency table in /opt/freq/.  This is a huge boost to security
+    # and I highly recommend you set this up.  Example, if a frequency score less than 6 exists
+    # then there is a likelihood that something malicious is happening.
+    #
+    # For higher accuracy, please generate your own frequency tables.  For questions on setup,
+    # please refer to https://github.com/SMAPPER
+    if [virtual_host]{
+      if [sub_domain] and [sub_domain_length] > 5 {
+        mutate {
+          add_field => { "freq_virtual_host" => "%{virtual_host}" }
+        }
+        mutate {
+          gsub => [ "freq_virtual_host", "\W", "" ]
+        }
+        rest {
+          request => {
+            url => "http://localhost:10002/measure/%{freq_virtual_host}"
+          }
+          sprintf => true
+          target => "virtual_host_frequency_score"
+        }
+        mutate {
+          remove_field => [ "freq_virtual_host" ]
+        }
+      }
+      if [virtual_host_frequency_score] {
+        mutate {
+          convert => [ "virtual_host_frequency_score", "float" ]
+          add_field => { "frequency_scores" => "%{virtual_host_frequency_score}" }
+        }
+      }
+    }
+	mutate {
+	  #add_tag => [ "conf_file_8503"]
+	}
+  }
+}
@@ -0,0 +1,91 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: [email protected]
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "bro_ssl" {
+    # If CHANGE_ME exists run a frequency analysis against it.  In order for this to work you must have
+    # freq.py and the corresponding frequency table in /opt/freq/.  This is a huge boost to security
+    # and I highly recommend you set this up.  Example, if a frequency score less than 6 exists
+    # then there is a likelihood that something malicious is happening.
+    #
+    # For higher accuracy, please generate your own frequency tables.  For questions on setup,
+    # please refer to https://github.com/SMAPPER
+    if [server_name] {
+      mutate {
+        add_field => { "freq_common_name" => "%{server_name}" }
+      }
+      mutate {
+        gsub => [ "freq_common_name", "\W", "" ]
+      }
+      rest {
+        request => {
+          url => "http://localhost:10004/measure/%{freq_common_name}"
+        }
+        sprintf => true
+        target => "server_name_frequency_score"
+      }
+      mutate {
+        remove_field => [ "freq_common_name" ]
+      }
+      if [server_name_frequency_score] {
+        mutate {
+          convert => [ "server_name_frequency_score", "float" ]
+          add_field => { "frequency_scores" => "%{server_name_frequency_score}" }
+        }
+      }
+    }
+    if [issuer_common_name] {
+      mutate {
+        add_field => { "freq_common_name" => "%{issuer_common_name}" }
+      }
+      mutate {
+        gsub => [ "freq_common_name", "\W", "" ]
+      }
+      rest {
+        request => {
+          url => "http://localhost:10004/measure/%{freq_common_name}"
+        }
+        sprintf => true
+        target => "issuer_common_name_frequency_score"
+      }
+      mutate {
+        remove_field => [ "freq_common_name" ]
+      }
+      if [issuer_common_name_frequency_score] {
+        mutate {
+          convert => [ "issuer_common_name_frequency_score", "float" ]
+          add_field => { "frequency_scores" => "%{issuer_common_name_frequency_score}" }
+        }
+      }
+    }
+    if [certificate_common_name] {
+      mutate {
+        add_field => { "freq_common_name" => "%{certificate_common_name}" }
+      }
+      mutate {
+        gsub => [ "freq_common_name", "\W", "" ]
+      }
+      rest {
+        request => {
+          url => "http://localhost:10004/measure/%{freq_common_name}"
+        }
+        sprintf => true
+        target => "certificate_common_name_frequency_score"
+      }
+      mutate {
+        remove_field => [ "freq_common_name" ]
+      }
+      if [certificate_common_name_frequency_score] {
+        mutate {
+          convert => [ "certificate_common_name_frequency_score", "float" ]
+          add_field => { "frequency_scores" => "%{certificate_common_name_frequency_score}" }
+        }
+      }
+    }
+	mutate {
+	  #add_tag => [ "conf_file_8504"]
+	}
+  }	
+}