
Configuring Logstash and Kibana to receive and Dashboard Sonicwall Logs

Note: If you want to quickly download my Logstash config and Kibana dashboards, see the end of this post.

Locate and Update your Logstash.conf File
First, you must update your Logstash configuration file, generally located in /etc/logstash or /etc/logstash/conf.d/ and named logstash.conf.

Add a logstash input
In logstash.conf, first add an input that lets Logstash receive syslog from your Sonicwall appliance on a designated "listening" port. For my configuration, I set this to port 5515. My Logstash instance also runs Suricata SELKS, so there is a file input for that ahead of the Sonicwall input. The syslog block below is the text I added to the config file.

input {
  file {
    path => ["/var/log/suricata/eve.json"]
    #sincedb_path => ["/var/lib/logstash/"]
    sincedb_path => ["/var/cache/logstash/sincedbs/since.db"]
    codec => json
    type => "SELKS"
  }
  # Sonicwall input: listen for syslog on the port configured on the firewall
  syslog {
    type => "Sonicwall"
    port => 5515
  }
}

Insert a logstash Filter
The next step is to insert a new filter for parsing your Sonicwall logs, so that Logstash automatically creates fields you can filter on in Kibana. Below is the text I added to the configuration file. Important: if you already have filters, make sure your opening and closing curly braces still match, and place the text below inside the existing filter { } block rather than alongside it.

filter {
  if [type] == "Sonicwall" {
    # Sonicwall syslog is key=value; drop the noisy bookkeeping keys
    kv {
      exclude_keys => [ "c", "id", "m", "n", "pri" ]
    }
    # src/dst look like ip:port:interface; peel the IP off for geoip and dashboards
    grok {
      match => [ "src", "%{IP:srcip}:%{DATA:srcinfo}" ]
    }
    grok {
      match => [ "dst", "%{IP:dstip}:%{DATA:dstinfo}" ]
    }
    # remove_field needs a filter that always succeeds; grok without a match would not
    mutate {
      remove_field => [ "srcinfo", "dstinfo" ]
    }
    geoip {
      add_tag => [ "geoip" ]
      source => "srcip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
    }
  }
}
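As an added example (not code from the original post), here is a small Python script that emulates the kv and grok stages of the filter above on a constructed Sonicwall syslog line, so you can see which fields will be available in Kibana before restarting Logstash. The sample line, its serial-number placeholder and the function names are my own assumptions; the geoip stage is left out.

```python
import re

# Constructed sample Sonicwall syslog line (not taken from the original post);
# it follows the key=value layout the Logstash kv filter expects.
SAMPLE = ('id=firewall sn=SERIALPLACEHOLDER time="2015-01-20 10:00:00" fw=203.0.113.5 '
          'pri=6 c=262144 m=98 msg="Connection Opened" n=1234 '
          'src=10.0.0.5:49152:X0 dst=198.51.100.10:443:X1 proto=tcp/https')

# Keys the post's kv filter drops as noise before indexing.
EXCLUDE_KEYS = {"c", "id", "m", "n", "pri"}

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Equivalent of the post's grok pattern %{IP:...}:%{DATA:...} on src/dst.
ADDR_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}):(.*)$')

def kv_parse(line, exclude=EXCLUDE_KEYS):
    """Emulate the kv filter: split key=value pairs and drop excluded keys."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        if key in exclude:
            continue
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields

def split_addr(fields, key, ip_name, info_name):
    """Emulate grok on src/dst: peel off the IP, keep the remainder as info."""
    m = ADDR_RE.match(fields.get(key, ""))
    if m:
        fields[ip_name] = m.group(1)
        fields[info_name] = m.group(2)

def parse_sonicwall(line):
    """Run the filter chain (minus geoip) over one syslog line."""
    fields = kv_parse(line)
    split_addr(fields, "src", "srcip", "srcinfo")
    split_addr(fields, "dst", "dstip", "dstinfo")
    # The post removes the port/interface remainder once the IPs are extracted.
    for f in ("srcinfo", "dstinfo"):
        fields.pop(f, None)
    return fields

if __name__ == "__main__":
    for k, v in sorted(parse_sonicwall(SAMPLE).items()):
        print(f"{k}={v}")
```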

Configure the Parsed Output Location
Finally, you need to configure the output section of the config file, which sends the parsed events on to Elasticsearch. Below is the configuration for this. In this case, the host is localhost because Elasticsearch is running on the same box as Logstash.


output {
  elasticsearch {
    # localhost because Elasticsearch runs on the same box
    host => "localhost"
    protocol => transport
  }
}

Configure the Sonicwall
Next, you will need to configure your Sonicwall to send syslog messages to the Logstash server. Log in to your Sonicwall, go to Log -> Syslog, and add a server entry x.x.x.x (your Logstash host) with port 5515.

Next, you'll need to turn on Sonicwall Name Resolution for Logs
Go to Log -> Name Resolution and make sure a DNS server is set up to resolve names. Otherwise, the src and dst fields in the Kibana dashboards will not have names and will show double IP address entries.

Finally, you’ll need to configure dashboards in Kibana. To make all of this easier, I’ve included all my files below that can be easily downloaded.

Logstash Configuration *Use Right-Click and Save As*

Kibana Dashboards
(To import, go into Kibana and select "Load", then go to "Advanced" and click "Load File")

  • Sonic-Alerts (filters the top alert messages from the Sonicwall syslog)
  • Sonic Top (filters the top source and destination hosts and the events associated with your Sonicwall)


[ISN] K Street jockeys for cyber supremacy

http://thehill.com/policy/cybersecurity/233563-k-street-jockeys-for-cyber-supremacy By Elise Viebeck The Hill 02/23/15 The race for cybersecurity business is on. Washington’s law and lobby firms are rushing to establish their positions in the lucrative market for cybersecurity counsel, as businesses wake up to the threat posed by hackers worldwide. “Data privacy” — the preferred K Street term for cybersecurity — has become the topic du jour in D.C.’s legal community, and firms are jockeying for any possible edge in hiring, client outreach and events. Evidence of the race litters legal tabloids, lobbying disclosure forms and job boards, confirming that cyber threats are not only fodder for headlines — they present a major opportunity for D.C.’s lawyers and influencers. “Everyone believes this is going to be the next hot thing,” said headhunter Ivan Adler, a principal at the Arlington-based McCormick Group. […]


[ISN] Beware the Unwitting Insider Threat

http://www.nextgov.com/cybersecurity/2015/01/beware-unwitting-insider-threat/104097/ By Jack Moore Nextgov.com January 29, 2015 Rank-and-file federal employees and contractors unwilling to “embrace ‘The Suck’ of security” may be the biggest threat posed to securing federal agency networks. “Accidental or careless” insiders


[ISN] Spreading the Disease and Selling the Cure

http://krebsonsecurity.com/2015/01/spreading-the-disease-and-selling-the-cure/ By Brian Krebs Krebs on Security January 26, 2015 When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults. Rattani helps run two different “booter” or “stresser” services – grimbooter[dot]com, and restricted-stresser[dot]info. He also works on TheHosted[dot]me, a Web hosting firm marketed to Web sites looking for protection from the very attacks he helps to launch. As part of an ongoing series on booter services, I reached out to Rattani via his Facebook account (which was replete with images linking to fake Youtube sites that foist malicious software disguised as Adobe’s Flash Player plugin). It turns out, the same Google Wallet is used to accept payment for all three services, and that wallet traced back to Rattani. In a Facebook chat, Rattani claimed he doesn’t run the companies, but merely accepts Google Wallet payments for them and then wires the money (minus his cut) to a young man named Danial Rajput — his business partner back in Karachi. Rajput declined to be interviewed for this story. […]


[ISN] Obama talks cybersecurity, but Federal IT system breaches increasing [Updated]

http://arstechnica.com/tech-policy/2015/01/obama-talks-cybersecurity-but-federal-it-systems-breaches-increase/ By David Kravets Ars Technica Jan 20, 2015 Update: This post was updated Tuesday evening to reflect comments the president made during his State of the Union address: President Barack Obama urged Congress and the American public to embrace cyber security legislation during his State of the Union address Tuesday evening. The Cyber Intelligence Sharing and Protection Act, known as CISPA, was unveiled by Obama a week ago and is controversial because it allows companies to share cyber threat information with the Department of Homeland Security—data that might include their customers’ private information. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. So tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe,” the president said without identifying his CISPA proposal and others by name. New research out earlier Tuesday from George Mason University, however, calls into question how effective Obama’s proposal would be. That’s because the federal government’s IT professionals as a whole have “a poor track record in maintaining good cybersecurity and information-sharing practices.” What’s more, the federal bureaucracy “systematically” fails to meet its own federal cybersecurity standards despite billions of dollars in funding.
According to a paper by Eli Dourado, a George Mason research fellow, and Andrea Castillo, manager of the university’s Technology Policy Program: […]


Politically Correct way to say “Merry Christmas” (2015 Edition)

Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter or in some locations summer solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2015, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.


[ISN] Why Cybersecurity Breaches are on the Rise for Healthcare

http://healthitsecurity.com/2014/11/04/cybersecurity-breaches-rise-healthcare/ By John Trobough Health IT Security November 4, 2014 The US healthcare industry has embraced its digital future — and that future is dependent on the Internet. The passage and implementation of recent legislation has mandated the adoption of connected healthcare technology as a way to reduce costs, increase patient privacy, and improve care collaboration and quality of healthcare services. Healthcare providers are introducing Internet-enabled patient monitoring devices that transmit readings of vital signs, send alerts if readings are abnormal, enable communication between patients and their physicians or nurses and make patients’ private electronic health records available on their physicians’ tablets or smartphones wherever they are. But with all this data comes risks. The Dangers of a Networked Healthcare System As the healthcare system rapidly embraces digital information and Internet of Things (IoT) for connected care, the risk for cybersecurity breaches goes up. Other industries, including retail and financial services, have made headlines in recent years because of their vulnerabilities to cyber attackers, who are stealing credit card numbers and other private consumer information. A recent BitSight Insights report found that healthcare organizations have both a high volume of security incidents and the slowest response time compared to other industries, with the average event duration being 5.3 days. The healthcare industry also saw the largest percentage increase in cybersecurity incidents from April 2013 to March 2014. […]


[ISN] Staples confirms data breach investigation

http://www.csoonline.com/article/2836294/data-breach/staples-confirms-data-breach-investigation.html By Steve Ragan CSO Oct 20, 2014 Monday evening, investigative journalist Brian Krebs reported that multiple banking sources were seeing a pattern of credit and debit card fraud. The common thread between each case were purchases made at Staples Inc. stores in the Northeastern U.S. There isn’t a lot to go on if in fact the latest retailer to be breached is Framingham, Mass.-based Staples Inc. What’s known for sure comes from the sources that spoke on background to Krebs. They said the fraudulent transactions were traced to cards that made purchases at Staples stores in Pennsylvania, New York City, and New Jersey. In a statement to Salted Hash, Mark Cautela, Senior Public Relations Manager for Staples Inc., said that the company is investigating a potential issue involving credit and debit card data, and that law enforcement has been contacted. […]