Tag Archives: race

Configuring Logstash and Kibana to receive and Dashboard Sonicwall Logs

Note: If you want to quickly download my Logstash config and Kibana dashboards, see the end of this post.

Locate and Update your Logstash.conf File
First, you must update your Logstash configuration file, generally located in /etc/logstash or /etc/logstash/conf.d/ and named logstash.conf.

Add a logstash input
In logstash.conf, you must first add an input that lets Logstash receive syslog from your Sonicwall appliance on a designated "listening" port. For my configuration, I set this to port 5515. In my Logstash instance I am also using Suricata SELKS, so you will see a file input for that before my Sonicwall input. See below: the syslog block is the text I added to the config file; the file input was already there.

input {
  file {
    path => ["/var/log/suricata/eve.json"]
    #sincedb_path => "/var/lib/logstash/"
    sincedb_path => "/var/cache/logstash/sincedbs/since.db"
    codec => json
    type => "SELKS"
  }
  # Sonicwall syslog input: the appliance is pointed at this port
  syslog {
    type => "Sonicwall"
    port => 5515
  }
}

Insert a logstash Filter
The next step is to insert a new filter for parsing your Sonicwall logs, so that Logstash knows how to create fields automatically and you can filter on specific fields of the syslog data. Below is the text I added to the configuration file. Important: if you have pre-existing filters, make sure your opening and closing curly braces match, and place the text below inside the existing filter { } block.

filter {
  if [type] == "Sonicwall" {
    # Sonicwall syslog is key=value; split it into fields, dropping the noise keys
    kv {
      exclude_keys => [ "c", "id", "m", "n", "pri" ]
    }
    # src and dst look like ip:port:interface; peel the IP off the front
    grok {
      match => [ "src", "%{IP:srcip}:%{DATA:srcinfo}" ]
    }
    grok {
      match => [ "dst", "%{IP:dstip}:%{DATA:dstinfo}" ]
    }
    # a grok with no match never succeeds, so remove_field would never fire;
    # mutate removes the leftover port/interface fields unconditionally
    mutate {
      remove_field => [ "srcinfo", "dstinfo" ]
    }
    geoip {
      add_tag => [ "geoip" ]
      source => "srcip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
    }
  }
}
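To check what the kv and grok filters above will produce from a Sonicwall syslog line before the events reach Kibana, here is an added Python example (not from the original post and not Logstash code) that reproduces the same field handling: key=value parsing with the excluded keys dropped, the IP peeled off src and dst, and the srcinfo/dstinfo remainders removed. The sample line is constructed for this example.

```python
import re
from ipaddress import ip_address

# Constructed sample line in the Sonicwall key=value syslog format
SAMPLE = ('id=firewall sn=0017C5AAAAAA time="2015-09-25 10:15:22" fw=203.0.113.5 '
          'pri=6 c=1024 m=537 msg="Connection Closed" n=12345 '
          'src=192.0.2.10:51234:X0 dst=198.51.100.20:443:X1 proto=tcp/https '
          'sent=1234 rcvd=5678')

# Same keys the kv filter's exclude_keys drops
EXCLUDE_KEYS = {"c", "id", "m", "n", "pri"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def kv_parse(line):
    """Mimic the kv filter: one field per key=value pair, excluded keys dropped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if key in EXCLUDE_KEYS:
            continue
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def split_endpoint(fields, key):
    """Mimic grok '%{IP:<key>ip}:%{DATA:<key>info}' on the src or dst field."""
    raw = fields.get(key)
    if raw is None:
        return
    ip, _, rest = raw.partition(":")
    try:
        ip_address(ip)            # grok's %{IP} only matches a valid address
    except ValueError:
        fields.setdefault("tags", []).append("_grokparsefailure")
        return
    fields[key + "ip"] = ip
    fields[key + "info"] = rest   # "port:interface", removed again below


def parse_sonicwall(line):
    """Full pipeline: kv -> grok src -> grok dst -> remove srcinfo/dstinfo."""
    fields = kv_parse(line)
    split_endpoint(fields, "src")
    split_endpoint(fields, "dst")
    for leftover in ("srcinfo", "dstinfo"):
        fields.pop(leftover, None)
    return fields
```

Run parse_sonicwall on a few real lines from your appliance to confirm the field names (srcip, dstip, msg, proto) match what the Kibana dashboards expect; a line whose src is not a plain IP picks up the _grokparsefailure tag, just as Logstash would tag it.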

Configure the Parsed Output Location
Finally, you need to configure the output section of the config file. The output sends the parsed events into Elasticsearch. Below is the configuration for this. In this case, my Logstash instance is sending to localhost because Elasticsearch is running on the same box.

output {
  elasticsearch {
    host => "localhost"   # Elasticsearch is on the same box
    protocol => "transport"
  }
}

Configure the Sonicwall
Next you will need to configure your Sonicwall to send syslog messages to the Logstash server. Log in to your Sonicwall, go to "Log -> Syslog" and add a server x.x.x.x with port 5515.

Next you’ll need to turn on Sonicwall Name Resolution for Logs
Go to "Log -> Name Resolution" and make sure to set up a DNS server to resolve names. Otherwise, the src and dst fields in the Kibana dashboards will not have names and will show double IP address entries.

Finally, you’ll need to configure dashboards in Kibana. To make all of this easier, I’ve included all my files below that can be easily downloaded.

Logstash Configuration *Use Right-Click and Save As*

Kibana Dashboards
(To import, go into Kibana and select "Load", then go to "Advanced" and click on "Load File".)

  • Sonic-Alerts (filters the top alert messages from the Sonicwall syslog)
  • Sonic Top (filters the top source and destination hosts and the events associated with your Sonicwall)


[ISN] Banks: Card Breach at Hilton Hotel Properties

http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/
By Brian Krebs
Krebs on Security
Sept 25, 2015

Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims. In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity. However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts. In a written statement, a Hilton spokesperson said the company is investigating the breach claims. […]


[ISN] The Biggest Cyberattack Against the US in Recent History Just Keeps Getting Worse

http://www.motherjones.com/politics/2015/09/hack-china-cyberwar-fingerprints-obama
By AJ Vicens
Mother Jones
Sep. 23, 2015

On the eve of Chinese President Xi Jinping’s first state visit to Washington, DC, the Obama administration released alarming new numbers about one of the biggest computer hacks in American history—traceable, officials say, to China—a move that could potentially heighten tension ahead of the historic meeting. The Office of Personnel Management announced that it had substantially underestimated the number of people whose fingerprints were stolen during the attack earlier this year. About 5.6 million of 21.5 million federal employees, contractors, applicants, and others had their fingerprints stolen during a hack of the OPM’s background check databases, the agency reported Wednesday morning. That figure is higher than the 1.1 million previously reported. An interagency group including the FBI, the Department of Homeland Security, and the Department of Defense are reviewing how the fingerprint information could be used in nefarious ways, but it downplayed the immediate impact. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement issued Wednesday morning, as President Barack Obama and a host of dignitaries hosted Pope Francis at the White House. “However, this probability could change over time as technology evolves.” […]


[ISN] Hackers threaten to take down websites of Hong Kong banks unless they pay bitcoin ransoms

http://www.scmp.com/tech/enterprises/article/1859117/hackers-threaten-take-down-websites-hong-kong-banks-unless-they-pay
By James Griffiths
scmp.com
18 September, 2015

Hackers have targeted banking institutions in Hong Kong with server-disabling attacks, threatening to take down their services unless they receive ransom payments, experts said on Thursday. According to web security and performance firm Akamai, a group of cybercriminals known as DD4BC have been targeting websites in Asia and around the world with more than 100 distributed denial-of-service (DDoS) attacks since at least September 2014. The attackers then demanded payment in the untraceable cryptocurrency bitcoin to stop the DDoS attacks, which can take down servers and cost businesses thousands of dollars per hour to fight against. “DD4BC has been using the threat of DDoS attacks to secure bitcoin payments from its victims for protection against future attacks,” said Akamai senior vice president Stuart Scholly. “The latest attacks – focused primarily on the financial service industry – involved new strategies and tactics intended to harass, extort and ultimately embarrass the victim publicly.” […]


[ISN] Russian Spy Gang Hijacks Satellite Links to Steal Data

http://www.wired.com/2015/09/turla-russian-espionage-gang-hijacks-satellite-connections-to-steal-data/
By Kim Zetter
Security
Wired.com
09.09.15

IF YOU’RE A state-sponsored hacker siphoning data from targeted computers, the last thing you want is for someone to locate your command-and-control server and shut it down, halting your ability to communicate with infected machines and steal data. So the Russian-speaking spy gang known as Turla have found a solution to this—hijacking the satellite IP addresses of legitimate users to use them to steal data from other infected machines in a way that hides their command server. Researchers at Kaspersky Lab have found evidence that the Turla gang has been using the covert technique since at least 2007. Turla is a sophisticated cyber-espionage group, believed to be sponsored by the Russian government, that has for more than a decade targeted government agencies, embassies, and militaries in more than 40 countries, including Kazakhstan, China, Vietnam, and the US, but with a particular emphasis on countries in the former Eastern Bloc. The Turla gang uses a number of techniques to infect systems and steal data, but for some of its most high-profile targets, the group appears to use a satellite-based communication technique to help hide the location of their command servers, according to Kaspersky researchers. Ordinarily, hackers will lease a server or hack one to use as a command station, sometimes routing their activity through multiple proxy machines to hide the location of the command server. But these command-and-control servers can still often be traced to their hosting provider and taken down and seized for forensic evidence. […]


[ISN] Trust no one: A better way to close the security gap?

http://gcn.com/articles/2015/08/19/zero-trust-security.aspx
By Paul McCloskey
GCN.com
Aug 19, 2015

Agencies are increasingly turning to predictive analytics to root out fraud, but those aren’t the only tools being used to spot and control anomalous behavior. New identity security tools are emerging to help enterprises that might be victimized in fraud schemes enabled by insiders or attackers using insider credentials. Those users have been at the center of several recent high-profile attacks. Their privileges were exploited as the result of sophisticated spear-phishing attacks, including the one on health insurer Anthem earlier this year in which 80 million records were stolen. “These are privileged users with access to everything in the database — not just their records; they have the ability to go from system to system inside a corporate or government infrastructure,” said Ken Ammon, chief strategy officer at Xceedium. “What happens is criminals target those individuals because they know their roles or their accounts are extremely powerful in the organization,” Ammon said. “If they can send them an email that they might click on, it installs as a super user who now can download the entire corporate database from network to network.” To help defend against that vulnerability, Xceedium has embraced a policy of “zero trust,” whereby access is extended only for a specific reason and for a specific amount of time. […]


[ISN] Bruce Schneier: ‘We’re in early years of a cyber arms race’

http://www.theregister.co.uk/2015/08/19/bruce_schneier_linuxcon/
By Neil McAllister
The Register
19 Aug 2015

LinuxCon 2015 Security guru Bruce Schneier says there’s a kind of cold war now being waged in cyberspace, only the trouble is we don’t always know who we’re waging it against. Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security landscape is becoming increasingly complex and dangerous. “We know, on the internet today, that attackers have the advantage,” Schneier said. “A sufficiently funded, skilled, motivated adversary will get in. And we have to figure out how to deal with that.” Using the example of last November’s crippling online attack against Sony Pictures, Schneier said it was clear that many of these new attacks were the work of well-funded nation-states. “Many of us, including myself, were skeptical for several months. By now it does seem obvious that it was North Korea, as amazing as that sounds,” he said. […]


[ISN] Virginia Finally Drops America’s ‘Worst Voting Machines’

http://www.wired.com/2015/08/virginia-finally-drops-americas-worst-voting-machines/
By Kim Zetter
Security
Wired.com
08.17.15

IF YOU VOTED in a Virginia election any time between 2003 and April of this year, your vote was at serious risk of being compromised by hackers. That’s the assessment reached by Virginia’s board of elections, which recently decertified some 3,000 WINVote touchscreen voting machines after learning about security problems with the systems, including a poorly secured Wi-Fi feature for tallying votes. The problems with the machines are so severe that Jeremy Epstein, a computer scientist with SRI International who tried for years to get them banned, called them the worst voting machines in the country. If the WINVote systems weren’t hacked in a past election, he noted in a recent blog post and during a presentation last week at the USENIX security conference, “it was only because no one tried.” The decision to decommission the machines, which came after the state spent a decade repeatedly ignoring concerns raised by Epstein and others, is a stark reminder as the nation heads into the 2016 presidential election season that the ongoing problem of voting machine security is still not taken seriously by election officials. Virginia officials only examined the WINVote systems after Governor Terry McAuliffe tried to vote with one during the state’s general elections last November. Dismayed at the problems he encountered first hand trying to select a candidate in a Senate race, he demanded an investigation. But even after serious vulnerabilities were then uncovered, some election officials argued against replacing the machines. Richard Herrington, secretary of the Fairfax City Electoral Board, asserted that no voting system was secure. […]