Arcsight flexConnector for Suricata

regex=(suricata)\\[.*\\]:\\s(.*) token.count=2 token[0].name=type token[0].type=String token[1].name=body token[1].type=String event.deviceVendor=__stringConstant(“suricata”) event.deviceProduct=__stringConstant(“ids”) event.sourceUserPrivileges=__stringConstant(“suricata”) event.deviceProcessName=__stringConstant(“suricata”) event.flexString2=body submessage.messageid.token=type submessage.token=body submessage.count=1 submessage[0].messageid=suricata submessage[0].pattern.count=1 submessage[0].pattern[0].regex=\\[\\d+:\\d+:\\d+\\]\\s+(.*)\\[Classification:\\s+([^]]+)\\].*}\\s+(\\d+.\\d+.\\d+.\\d+):\\d+\\s+\\-\\>\\s+(\\d+.\\d+.\\d+.\\d+)\\:(\\d+).* submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5 submessage[0].pattern[0].fields=event.message,event.name,event.attackerAddress,event.targetAddress,event.targetPort

Arcsight flexConnector for Nginx with Bitrix

##################### # ### TESTSOFT.NET ### # ############################ ### ArcSight Parser For Nginx and Bitrix Stock Logformat v1.0 ### regex=(nginx):\\s(.*) token.count=2 token[0].name=type token[0].type=String token[1].name=body token[1].type=String event.deviceVendor=__stringConstant(“nginx”) event.deviceProduct=__stringConstant(“webserver”) event.sourceUserPrivileges=__stringConstant(“nginx”) event.deviceProcessName=__stringConstant(“nginx”) event.flexString2=body event.name=type event.message=body submessage.messageid.token=type submessage.token=body submessage.count=1 submessage[0].messageid=nginx submessage[0].pattern.count=5 #1.1.1.1 – – [29/Aug/2020:15:38:17 -0400] “GET /test/test/ HTTP/1.1” 401 597 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,…

Arcsight flexConnector for Apache with modsecurity

The parser requires a little improvement, but in general, it processes 90% of incoming events. ##################### # ### TESTSOFT.NET ### # ############################ ### ArcSight Parser For Apache and ModSecurity Stock Logformat v1.0 ### regex=(httpd)(?:\\[.*\\])?:\\s(.*) token.count=2 token[0].name=type token[0].type=String token[1].name=body token[1].type=String event.deviceVendor=__stringConstant(“apache”) event.deviceProduct=__stringConstant(“webserver”) event.sourceUserPrivileges=__stringConstant(“apache”) event.deviceProcessName=__stringConstant(“apache”) event.flexString2=body event.flexString2Label=__stringConstant(“raw”) event.name=type event.message=body submessage.messageid.token=type submessage.token=body submessage.count=1 submessage[0].messageid=httpd submessage[0].pattern.count=3 ### Example ###…

Linux firewalld commands

Examples of simple commands when configuring firewalld sudo firewall-cmd –permanent –list-ports sudo firewall-cmd –permanent –list-service sudo firewall-cmd –permanent –list-all sudo firewall-cmd –get-active-zones sudo firewall-cmd –get-zone-of-interface=eth0 sudo firewall-cmd –permanent –zone=public –add-port=8080/tcp sudo firewall-cmd –permanent –zone=public –remove-port=8080/tcp sudo firewall-cmd –permanent –zone=public –add-service=http sudo firewall-cmd –permanent –zone=public –remove-service=http sudo firewall-cmd –permanent –zone=public –add-service=openvpn sudo firewall-cmd –permanent –zone=public –remove-service=openvpn…

Testsoft links

Parse Grokdebug Elastic.co/guide Syslog input plugin Winlogbeat quick start: installation and configuration Winlogbeat configure Windows System Monitor (Sysmon)

Linux commands to view and find security events

Сollection of commands for auditing linux systems w who whoami last -f /var/log/btmp lastb /var/log/btmp — failed login attempts. /var/run/utmp — current login sessions /var/log/wtmp — list of all login sessions. id uname -a pwd ps -aux pstree ls -ltr ls -lah | tee content ls -la lsof -i cat /proc/self/environ netstat -nvp netstat -anp…