Integrating Open Source Threat Intellegence

Follow
Avatar
1 - Sumo Admin

From a security perspective, there are quite a few open source blocked/malicious ip lists available out there. Many sites also provide domain block lists or more specific command and control host/port file block lists as well. Since they are open source, they can all be downloaded and once that is done, integrated into Sumo via it's simple parsing process.  Here is an example of how do to this with a few open source IP based block lists and a Linux box.  These Linus commands run via a scheduled cron job daily. This saves the sites data to a text file on the Linux host running my collector. Sumo then reads in any updates to these text files.

curl --request GET 'http://rules.emergingthreats.net/blockrules/compromised-ips.txt' > /home/ttel001p/emergingthreats/compromised-ips.txt

curl --request GET 'http://rules.emergingthreats.net/blockrules/emerging-botcc.portgrouped.suricata.rules' > /home/ttel001p/emergingthreats/cc_ports.txt

curl --request GET 'https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist' > /home/ttel001p/emergingthreats/palevo-malicious-ip.txt

curl --request GET 'https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist' > /home/ttel001p/emergingthreats/palevo-malicious-domain.txt

 

I then run the following query on Sumo daily to create a local csv of malicious IPs.

 

_sourcehost=proc_nonpci_vendor_itsec_threats

| parse regex "(?<malicious\_ip>\d+.\d+.\d+.\d+)"

| count malicious_ip,_sourcename | sort +malicious_ip

| save /shared/req01/emergingthreats_compromised_ip.csv

 

And every 15m for the last 15m, I use the following search to look for outbound traffic from our company, bound to any of these malicious hosts.

 

__sourcecategory=*network* _ classification=*network*traffic* dest_loc=external src_loc=Payless*

| where !(dest_ip="" or isNull(dest_ip))

| count src_ip, src_user, src_host, dest_ip, dest_host, action, bytes_sent, bytes_rcvd, src_loc, dest_loc, dest_port

| lookup malicious_ip, _sourcename from /shared/req01/emergingthreats_compromised_ip.csv on malicious_ip=dest_ip

| where !(malicious_ip="" or isNull(malicious_ip))

| "Attack/Network/Traffic/Attempt" as classification | "Traffic to compromised host" as message

| "High" as Severity | "SumoLogic" as device_vendor | "RuleEngine" as device_type | "Req1-Incident-Traffic to comprimised hosts" as parse_search | "SumoLogic" as reporting_device

Good luck.

Chuck

Chuck Johnson

Sr. Security Engineer

Payless Shoesource Worldwide

https://in.linkedin.com/pub/chuck-johnson/3/54b/977

 

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Farhan Ahmed

    This is awesome. We're trying to do something similar via Jenkins jobs, AWS S3 buckets and the Sumo Lookup operator.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post