Tag Archives: important

Configuring Logstash and Kibana to receive and Dashboard Sonicwall Logs

Note: If you want to quickly download my Logstash config and Kibana dashboards, see the end of this post.

Locate and Update your logstash.conf File
First, you must update your Logstash configuration file, generally located in /etc/logstash or /etc/logstash/conf.d/ and named logstash.conf.

Add a Logstash Input
In logstash.conf, first add an input so that Logstash can receive syslog from your SonicWall appliance on a designated "listening" port; in my configuration this is port 5515. My Logstash instance also ingests Suricata (SELKS) events, so you will see a file input for that ahead of the SonicWall input. The syslog block below is the text I added to the config file.

input {
  file {
    path => ["/var/log/suricata/eve.json"]
    #sincedb_path => ["/var/lib/logstash/"]
    sincedb_path => ["/var/cache/logstash/sincedbs/since.db"]
    codec => json
    type => "SELKS"
  }
  # SonicWall syslog input: the appliance is pointed at this port below
  syslog {
    type => "Sonicwall"
    port => 5515
  }
}

Insert a Logstash Filter
The next step is to insert a new filter for parsing your SonicWall logs. This is what lets Logstash create fields automatically, so that you can filter on specific fields from the syslog messages. Below is the text that I added to the configuration file. Important: if you already have filters, make sure your opening and closing curly braces still match up, and place the text below inside your existing filter { } section.

filter {
  if [type] == "Sonicwall" {
    # Split the SonicWall key=value pairs into fields; the numeric code
    # fields we do not need are excluded
    kv {
      exclude_keys => [ "c", "id", "m", "n", "pri" ]
    }
    # src and dst arrive as ip:port:interface; keep only the IP in srcip/dstip
    grok {
      match => [ "src", "%{IP:srcip}:%{DATA:srcinfo}" ]
    }
    grok {
      match => [ "dst", "%{IP:dstip}:%{DATA:dstinfo}" ]
    }
    # mutate, not grok: grok only applies remove_field after a successful
    # match, so a grok with no pattern would tag _grokparsefailure instead
    mutate {
      remove_field => [ "srcinfo", "dstinfo" ]
    }
    geoip {
      add_tag => [ "geoip" ]
      source => "srcip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
    }
  }
}

Configure the Parsed Output Location
Finally, you need to configure the output section of the config file, which tells Logstash where to send the parsed events; here that is Elasticsearch. Below is the configuration for this. In my case the output points at localhost because Elasticsearch runs on the same box as Logstash.

output {
  elasticsearch {
    host => "127.0.0.1"
    protocol => "transport"
  }
}
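To see what the kv and grok chain produces before you restart Logstash, here is a small Python script that applies the same steps (key=value split, the exclude_keys list, splitting src and dst at the first colon and dropping the port/interface remainder) to two SonicWall-style syslog payloads. This is an added example written for this page, not part of the original post or of Logstash itself; the sample messages and serial number are constructed, and the ip:port:interface layout of src and dst is assumed from the grok patterns above.

```python
import re

# Constructed sample SonicWall syslog payloads (not captured from a real appliance).
SAMPLE_LINES = [
    'id=firewall sn=0017C5XXXXXX time="2015-07-30 10:15:02" fw=203.0.113.10 pri=6 c=262144 m=98 '
    'msg="Connection Opened" n=1024 src=192.168.1.25:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https',
    'id=firewall sn=0017C5XXXXXX time="2015-07-30 10:15:09" fw=203.0.113.10 pri=1 c=32 m=30 '
    'msg="Administrator login denied due to bad credentials" n=3 '
    'src=192.168.1.40:60422:X0 dst=192.168.1.1:443:X0',
]

# Same keys the kv filter above excludes.
EXCLUDE_KEYS = {"c", "id", "m", "n", "pri"}

# key=value pairs; a double-quoted value may contain spaces, a bare one may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Leading dotted-quad IP, then a colon and whatever follows (port and interface).
ENDPOINT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(.*)$')


def kv_split(line):
    """Mimic the kv filter: build a dict of key=value pairs, skipping excluded keys."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        if key in EXCLUDE_KEYS:
            continue
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_endpoint(fields, name):
    """Mimic the grok step: from src/dst (ip:port:iface, assumed) keep only the IP as <name>ip.

    The remainder (port and interface) is what the pipeline stores in srcinfo/dstinfo
    and then removes, so it is not kept here either.
    """
    value = fields.get(name)
    if value is None:
        return
    m = ENDPOINT_RE.match(value)
    if m:
        fields[name + "ip"] = m.group(1)


def parse_sonicwall(line):
    """Return the fields the kv + grok + mutate chain leaves on the event."""
    fields = kv_split(line)
    split_endpoint(fields, "src")
    split_endpoint(fields, "dst")
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for key, value in sorted(parse_sonicwall(line).items()):
            print("%-8s %s" % (key, value))
        print()
```

Run it and compare the srcip/dstip and msg fields with what shows up in Kibana; if the pipeline output differs, the mismatch is in the filter section, not in the dashboards.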

Configure the SonicWall
Next you will need to configure your SonicWall to send syslog messages to the Logstash server. Log in to your SonicWall, go to Log -> Syslog and add a server x.x.x.x (the address of your Logstash host) with port 5515.

Next you'll need to turn on SonicWall Name Resolution for Logs
Go to Log -> Name Resolution and make sure a DNS server is set up to resolve names. Otherwise, the src and dst fields in the Kibana dashboards will not have names and will show duplicate IP address entries.

Finally, you’ll need to configure dashboards in Kibana. To make all of this easier, I’ve included all my files below that can be easily downloaded.

Logstash Configuration *Use Right-Click and Save As*

Kibana Dashboards
(To import, go into Kibana and select "Load", then go to "Advanced" and click on "Load File")

  • Sonic-Alerts (filters the top alert messages from the SonicWall syslog)
  • Sonic Top (filters the top source and destination hosts and the events associated with your SonicWall)


Optimized Squid Config for Squid v4.0.4

For those of you who are Squid optimization geeks, below is my latest iteration of the squid.conf file I am now using for 4.0.4.

#
#Recommended minimum configuration:
#
always_direct allow all

# 3 workers, using worker #1 as the frontend is important

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 1-65535
acl CONNECT method GET POST HEAD OPTIONS CONNECT PUT DELETE
#acl block-fnes urlpath_regex -i .*/fnes/echo
# AV/update hosts that bypass the cache (see no_cache / always_direct below)
acl noscan dstdomain symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com avstats.avira.com premium.avira-update.com 8f8fb293be49781da3e3229cd4469a18.da3e3.net

# Disable alternate protocols
request_header_access Alternate-Protocol deny all
reply_header_access Alternate-Protocol deny all

#acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpg|mpg3|mpg4|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmv|flv|ts|f4v|f4m)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
#no_cache deny video
#always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
pipeline_prefetch 7
read_ahead_gap 256 MB
client_request_buffer_max_size 4096 KB
request_header_max_size 2048 KB
reply_header_max_size 2048 KB
#quick_abort_min -1 KB
#quick_abort_pct 100
#range_offset_limit -1
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address 192.168.2.2
connect_retries 1

client_persistent_connections on
server_persistent_connections on
detect_broken_pconn on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir diskd /ssd/0 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/1 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/3 54000 32 256 Q1=256 Q2=144

#cache_dir diskd /ssd2/0 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/1 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/3 68000 32 256 Q1=256 Q2=144

cache_dir ufs /ssd/0 32000 1024 256
cache_dir ufs /ssd/1 32000 1024 256
cache_dir ufs /ssd/2 32000 1024 256
cache_dir ufs /ssd/3 32000 1024 256
cache_dir ufs /ssd/4 32000 1024 256
cache_dir ufs /ssd/5 32000 1024 256

cache_dir ufs /ssd2/0 43000 1024 256
cache_dir ufs /ssd2/1 43000 1024 256
cache_dir ufs /ssd2/2 43000 1024 256
cache_dir ufs /ssd2/3 43000 1024 256
cache_dir ufs /ssd2/4 43000 1024 256
cache_dir ufs /ssd2/6 43000 1024 256

store_dir_select_algorithm round-robin
#cache_replacement_policy heap GDSF
#memory_replacement_policy heap GDSF

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
#cache images

refresh_pattern -i \.(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache content
refresh_pattern -i \.(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache videos
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(m1s|mp2v|m2v|m2s|m2ts|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xml|flow|asp|aspx)$ 0 90% 200000
refresh_pattern -i \.(json)$ 0 90% 200000
refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000

#live video cache rules
refresh_pattern -i \.(m3u8|ts)$ 0 90% 200000

#cache specific sites
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\.(zip)$ 0 0% 0
refresh_pattern -i ^http:\/\/premium.avira-update.com.*\.(gz) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200
refresh_pattern -i windows.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i apple.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 4320

#cache binaries
refresh_pattern -i \.(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(exe|msi)$ 0 90% 200000
refresh_pattern -i \.(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache microsoft and adobe and other documents
refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
#refresh_pattern -i ^ftp: 100000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440

#allow caching of other things based on cache control headers with some exceptions
refresh_pattern -i . 0 90% 200000

log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_incoming_address 192.168.2.2
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire on
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 10 seconds
cache_effective_group squid
buffered_logs on
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log buffer-size=256KB
#access_log none
netdb_filename none
client_db off
dns_nameservers 127.0.0.1 127.0.0.1 192.168.2.2 192.168.1.96
ipcache_size 10000
ipcache_low 90
ipcache_high 95
dns_v4_first on
negative_ttl 5 minutes
positive_dns_ttl 30 days
negative_dns_ttl 5 minutes
dns_retransmit_interval 1 seconds
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
#collapsed_forwarding on
cache_mem 4 GB
memory_cache_mode disk
maximum_object_size 2 GB
maximum_object_size_in_memory 2 GB
digest_generation off
#digest_bits_per_entry 8
pinger_enable off
memory_pools on
max_stale 4 months
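Reviewing this squid.conf from a security angle, three settings stand out: http_access allow all (Squid evaluates http_access rules top-down with first match winning, so this grants proxy access to any client that can reach the listening ports), the snmp_access rule that admits the well-known community string "public", and the http_port lines bound to 0.0.0.0. The Python checker below is an added example for this page, not part of Squid and not the author's code: it parses a constructed excerpt of the directives above, reports those three issues, confirms that the header-hygiene directives (forwarded_for delete, via off, httpd_suppress_version_string on) are present, and passes cleanly on a hardened variant that binds to the LAN address, restricts SNMP to a management subnet, and ends with http_access deny all. The hardened community string and the management subnet are placeholders.

```python
# Constructed excerpt mirroring the security-relevant directives of the
# squid.conf above (not the complete file).
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
http_access allow all
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic all
forwarded_for delete
via off
httpd_suppress_version_string on
"""

# Constructed hardened counterpart: LAN-only bind, explicit allow list with a
# closing deny, non-default SNMP community restricted to a management subnet.
# REPLACE_WITH_SECRET and 192.168.2.0/24 are placeholders.
HARDENED_CONF = """\
acl localnet src 192.168.0.0/16
acl snmpmgmt snmp_community REPLACE_WITH_SECRET
acl snmphosts src 192.168.2.0/24
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 192.168.2.2:3128
snmp_access allow snmpmgmt snmphosts
snmp_access deny all
forwarded_for delete
via off
httpd_suppress_version_string on
"""

# Header-hygiene directives a hardened Squid should carry, with the expected value.
GOOD_SETTINGS = {
    "via": ["off"],
    "forwarded_for": ["delete"],
    "httpd_suppress_version_string": ["on"],
}


def parse_directives(text):
    """Return (directive, args) tuples, skipping blank lines and # comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out


def lint(text):
    """Return a list of human-readable findings; an empty list means no issues found."""
    directives = parse_directives(text)
    findings = []

    # http_access is evaluated top-down, first match wins.
    http_access = [args for name, args in directives if name == "http_access"]
    if any(args[:2] == ["allow", "all"] for args in http_access):
        findings.append("http_access allow all: any client that can reach the listening ports "
                        "may use the proxy; prefer 'http_access allow localnet' then 'http_access deny all'")
    elif not any(args[:2] == ["deny", "all"] for args in http_access):
        findings.append("no closing 'http_access deny all' rule")

    # acl <name> snmp_community <string>  ->  map acl name to community string.
    communities = {args[0]: args[2] for name, args in directives
                   if name == "acl" and len(args) >= 3 and args[1] == "snmp_community"}
    for name, args in directives:
        if name == "snmp_access" and len(args) >= 2 and args[0] == "allow":
            for acl in args[1:]:
                if communities.get(acl) == "public":
                    findings.append("snmp_access allows the default community 'public' via acl %s; "
                                    "use a non-default community and restrict the source" % acl)

    # Binding every interface exposes the proxy on any network the host sits on.
    for name, args in directives:
        if name == "http_port" and args and args[0].startswith("0.0.0.0:"):
            findings.append("http_port %s binds every interface; bind to the LAN address instead" % args[0])

    present = {name: args for name, args in directives}
    for name, wanted in GOOD_SETTINGS.items():
        if present.get(name) != wanted:
            findings.append("%s is not set to '%s'" % (name, " ".join(wanted)))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", lint(conf) or "no findings")
```

Point it at the real file with lint(open("/etc/squid/squid.conf").read()) to get the same report for a deployed config. Note that http_access allow all is tolerable only when the proxy ports are unreachable from anything but the intended clients (for example, an intercept port that only sees traffic redirected by the firewall); the checker flags it regardless because that guarantee lives outside squid.conf.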

[ISN] Windows 10 Shares Your Wi-Fi With Contacts

http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/

By Brian Krebs
Krebs on Security
July 29, 2015

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends. This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!). I first read about this disaster waiting to happen over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default. […]

[ISN] Survey: Nearly 1 in 4 IT firms suffered security breach

http://www.crainsdetroit.com/article/20150726/NEWS/307269992/survey-nearly-1-in-4-it-firms-suffered-security-breach

By Tom Henderson
Crain’s Detroit Business
July 26, 2015

Twenty-three percent of executives at technology companies say their firms have suffered a security breach in the past 12 months, according to the national annual Technology Industry Business Outlook survey conducted by KPMG LLP, the audit, tax and advisory firm. Three-fourths of executives surveyed say their companies will spend between 1 percent and 5 percent of annual revenue on IT security in the next 12 months. “The survey findings on security are an important marker, since tech companies are the pacesetters in IT security. How much and where tech companies spend on IT security, and how successful they are, can serve as guides for all other industries,” Gary Matuszak, global chairman of KPMG’s technology, media and telecommunications practice, said in a release. The KPMG survey was of upper managers at 111 U.S.-based technology companies. Of the respondents, 54 percent were in companies with revenue of more than $1 billion a year, with the rest at companies with annual revenue between $100 million and $1 billion. […]

[ISN] Privacy talk at DEF CON canceled under questionable circumstances

http://www.csoonline.com/article/2947377/network-security/privacy-talk-at-def-con-canceled-under-questionable-circumstances.html

By Steve Ragan
Salted Hash
CSO
July 12, 2015

Earlier this month, several news outlets reported on a powerful tool in the fight between those seeking anonymity online, versus those who push for surveillance and taking it away. The tool, ProxyHam, is the subject of a recently canceled talk at DEF CON 23 and its creator has been seemingly gagged from speaking about anything related to it. Something’s off, as this doesn’t seem like a typical cancellation. Privacy is important, and if recent events are anything to go by – such as the FBI pushing to limit encryption and force companies to include backdoors into consumer oriented products and services; or the recent Hacking Team incident that exposed the questionable and dangerous world of government surveillance; striking a balance between law enforcement and basic human freedoms is an uphill struggle. Over the last several years, reports from various watchdog organizations have made it clear that anonymity on the Internet is viewed as a bad thing by some governments, and starting to erode worldwide. […]

[ISN] A Review of Common HIPAA Technical Safeguards

http://healthitsecurity.com/news/a-review-of-common-hipaa-technical-safeguards

By Elizabeth Snell
Health IT Security
June 26, 2015

HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect. Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations. Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance. As previously mentioned, HIPAA technical safeguards are an important part to keeping sensitive health data secure. Whether a small primary care clinic is debating health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential. What are HIPAA technical safeguards? The HIPAA Security Rule describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” However, an important note is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics. […]

[ISN] 96% of UK corporations have been hacked, new data reveals

http://www.information-age.com/technology/security/123459657/96-uk-corporations-have-been-hacked-new-data-reveals

By Ben Rossi
Information Age
12 June 2015

New data has revealed that 96% of UK corporations have seen hackers successfully penetrate their IT systems in an attempt to steal, change or make public important data. Whilst many firms are actively engaged in policies to safeguard against cybercrime, 9.1% of UK firms have not acted to protect themselves from hacking. The data was gathered in the latest round of the Global Business Outlook Survey, conducted by Grenoble Ecole de Management, Tilburg University and the Fuqua School of Business, Duke University. The survey, which ended June 5, has been conducted for 77 consecutive quarters, making it the world’s longest-running and most comprehensive research on senior finance executives. This round elicited over 1000 responses from global CFOs and finance directors. More than half (53%) of CFOs in the UK also indicated that difficulty in hiring and retaining qualified employees is a top three concern, while the second most cited concern was rising wages and salaries. […]

[ISN] Cybersecurity: A Global Legal Perspective For Hedge Funds

http://risktech-forum.com/news/cybersecurity-a-global-legal-perspective-for-hedge-funds

Hedgeweek
11 June 2015

The House of Representatives passed a new cybersecurity bill – the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking. This is just the latest chapter in what is fast becoming a key narrative within the US, where cybersecurity legislation is being rolled out to address the growing sophistication of cyber attacks. Hedge funds are now becoming a more pronounced target and to that end, lawyers are required to get on top of the issues to advise their clients accordingly. Ed McNicholas is a partner at Sidley Austin LLP in Washington DC. He confirms that he has just finished a treatise for the Practicing Law Institute, the aim of which is to provide a legal guide on cybersecurity. It is due to be published in June. “The law here is developing rapidly and one of the biggest things that hedge funds need to do is to ensure communication between their lawyers and their IT staff on this issue. The lawyers have, for a long time, considered it to be an IT issue but they need to get up to speed on this,” says McNicholas. McNicholas sees three big tasks facing lawyers. The first relates to managing the information assets of a hedge fund. These are highly specialised vehicles and as such an intellectual step needs to be taken by law firms in realising that this is not an issue that pertains solely to personal data. Hedge funds have significant intellectual property – trading algorithms, investor details, proprietary research etc. In relation to cybersecurity, it is important to identify those assets and understand where and with whom the manager shares those assets. […]