From a security perspective, there are quite a few open source blocked/malicious ip lists available out there. Many sites also provide domain block lists or more specific command and control host/port file block lists as well. Since they are open source, they can all be downloaded and once that is done, integrated into Sumo via it's simple parsing process. Here is an example of how do to this with a few open source IP based block lists and a Linux box. These Linus commands run via a scheduled cron job daily. This saves the sites data to a text file on the Linux host running my collector. Sumo then reads in any updates to these text files.
curl --request GET 'http://rules.emergingthreats.net/blockrules/compromised-ips.txt' > /home/ttel001p/emergingthreats/compromised-ips.txt
curl --request GET 'http://rules.emergingthreats.net/blockrules/emerging-botcc.portgrouped.suricata.rules' > /home/ttel001p/emergingthreats/cc_ports.txt
curl --request GET 'https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist' > /home/ttel001p/emergingthreats/palevo-malicious-ip.txt
curl --request GET 'https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist' > /home/ttel001p/emergingthreats/palevo-malicious-domain.txt
I then run the following query on Sumo daily to create a local csv of malicious IPs.
| parse regex "(?<malicious\_ip>\d+.\d+.\d+.\d+)"
| count malicious_ip,_sourcename | sort +malicious_ip
| save /shared/req01/emergingthreats_compromised_ip.csv
And every 15m for the last 15m, I use the following search to look for outbound traffic from our company, bound to any of these malicious hosts.
__sourcecategory=*network* _ classification=*network*traffic* dest_loc=external src_loc=Payless*
| where !(dest_ip="" or isNull(dest_ip))
| count src_ip, src_user, src_host, dest_ip, dest_host, action, bytes_sent, bytes_rcvd, src_loc, dest_loc, dest_port
| lookup malicious_ip, _sourcename from /shared/req01/emergingthreats_compromised_ip.csv on malicious_ip=dest_ip
| where !(malicious_ip="" or isNull(malicious_ip))
| "Attack/Network/Traffic/Attempt" as classification | "Traffic to compromised host" as message
| "High" as Severity | "SumoLogic" as device_vendor | "RuleEngine" as device_type | "Req1-Incident-Traffic to comprimised hosts" as parse_search | "SumoLogic" as reporting_device
Sr. Security Engineer
Payless Shoesource Worldwide
Please sign in to leave a comment.