Thursday, January 18, 2018

Bro x509 and Logstash

Bro is well known as a tool for monitoring network traffic, and Logstash is just as useful for reshaping and enriching the logs it produces.

Below is a Logstash filter that renames the flattened fields of Bro's JSON x509 log into nested ones and derives certificate lifespan and expiry fields from them. It assumes each event already carries a `doctype` field set to `x509`. The added field names are:

  • cert.expired
  • cert.date.not_valid_after
  • cert.date.not_valid_before
  • cert.lifespan.days
  • cert.lifespan.hours
  • cert.lifespan.seconds

# BRO x509
filter {
  if [doctype] == "x509" {
    mutate {
      remove_field => [ "host" ]
      rename => {
        "id" => "[bro][fuid]"
        "basic_constraints.ca" => "[basic_constraints][ca]"
        "certificate.curve" => "[cert][curve]"
        "certificate.exponent" => "[cert][exponent]"
        "certificate.issuer" => "[cert][issuer]"
        "certificate.key_alg" => "[cert][key][alg]"
        "certificate.key_length" => "[cert][key][length]"
        "certificate.key_type" => "[cert][key][type]"
        "certificate.not_valid_after" => "[cert][not_valid_after]"
        "certificate.not_valid_before" => "[cert][not_valid_before]"
        "certificate.serial" => "[cert][serial]"
        "certificate.sig_alg" => "[cert][sig_alg]"
        "certificate.subject" => "[cert][subject]"
        "certificate.version" => "[cert][version]"
        "san.dns" => "san_dns"
      }
    }
    date {
      match => [ "[cert][not_valid_after]", "UNIX" ]
      target => "[cert][date][not_valid_after]"
    }
    date {
      match => [ "[cert][not_valid_before]", "UNIX" ]
      target => "[cert][date][not_valid_before]"
    }
    ruby {
      code => "
        vafter = event.get('[cert][not_valid_after]')
        vbefore = event.get('[cert][not_valid_before]')
        # Skip records with a missing validity bound instead of raising inside the worker
        if vafter && vbefore
          # Lifespan in whole seconds; divide as floats so .ceil rounds up
          # instead of integer division silently truncating
          seconds = (vafter - vbefore).ceil
          hours = (seconds / 3600.0).ceil
          days = (seconds / 86400.0).ceil
          # Expired when not_valid_after is at or before the event time.
          # @timestamp only equals Bro's ts if an earlier date{} filter set it
          # from ts; otherwise it is the ingest time, which can be much later.
          validcheck = event.get('[cert][date][not_valid_after]') - event.get('@timestamp')
          expired = validcheck <= 0
          event.set('[cert][expired]', expired)
          event.set('[cert][lifespan][seconds]', seconds)
          event.set('[cert][lifespan][hours]', hours)
          event.set('[cert][lifespan][days]', days)
        end
      "
    }
  }
}
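To check the lifespan and expiry arithmetic outside a running pipeline, here is the same derivation as a stand-alone Ruby script. It is an added example, not code from the post or from Bro or Logstash. It assumes Bro's JSON writer with dotted field names, works on a constructed x509 record (values made up), and uses Bro's own `ts` as the observation time instead of `@timestamp`, so `cert.expired` means "already expired when the certificate was seen on the wire".

```ruby
require 'json'
require 'time'

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY  = 86_400   # the filter above must use this constant, not 84600

# Constructed sample line in the shape Bro's JSON writer emits for x509.log
# (field names are Bro's; every value is invented for this example).
SAMPLE_X509_LINE = '{"ts":1516233600.0,"id":"FaBcDe1234567890ab",' \
  '"certificate.version":3,"certificate.serial":"0A1B2C3D",' \
  '"certificate.subject":"CN=www.example.test","certificate.issuer":"CN=Example Test CA",' \
  '"certificate.not_valid_before":1483228800.0,"certificate.not_valid_after":1514764800.0,' \
  '"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption",' \
  '"certificate.key_type":"rsa","certificate.key_length":2048,"certificate.exponent":"65537",' \
  '"basic_constraints.ca":false}'

# Same arithmetic as the ruby{} filter, as a plain function so it can be run
# and checked outside Logstash. `record` is the parsed x509 line (Bro's dotted
# keys); `observed_at` is the epoch time the certificate was seen. Returns nil
# when a validity bound is missing or unparseable so a bad record is skipped
# rather than crashing the pipeline worker with NoMethodError.
def cert_lifespan_fields(record, observed_at)
  raw_before = record['certificate.not_valid_before']
  raw_after  = record['certificate.not_valid_after']
  return nil if raw_before.nil? || raw_after.nil?
  begin
    vbefore = Float(raw_before)   # Bro writes floats; tolerate strings too
    vafter  = Float(raw_after)
  rescue ArgumentError, TypeError
    return nil
  end
  seconds = (vafter - vbefore).ceil
  {
    'cert.lifespan.seconds'      => seconds,
    # float division, then ceil: integer division would silently truncate
    'cert.lifespan.hours'        => (seconds / SECONDS_PER_HOUR.to_f).ceil,
    'cert.lifespan.days'         => (seconds / SECONDS_PER_DAY.to_f).ceil,
    # expired relative to when the certificate was observed, not ingested
    'cert.expired'               => vafter <= observed_at.to_f,
    'cert.date.not_valid_before' => Time.at(vbefore).utc.iso8601,
    'cert.date.not_valid_after'  => Time.at(vafter).utc.iso8601,
  }
end

# Parse one JSON log line and merge the derived fields into it, using Bro's
# `ts` (falling back to now if absent) as the observation time.
def enrich_x509_line(line)
  record = JSON.parse(line)
  observed_at = record.fetch('ts') { Time.now.to_f }
  fields = cert_lifespan_fields(record, observed_at)
  fields ? record.merge(fields) : record
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(enrich_x509_line(SAMPLE_X509_LINE))
end
```

Run it with `ruby x509_lifespan.rb` (any filename works). The sample certificate was valid for exactly one year and had already expired 17 days before Bro saw it, so the script reports 365 days, 8760 hours and `cert.expired: true`; a lifespan one second past a whole day rounds up to two days because the filter uses `ceil`, which is worth remembering when alerting on "short-lived" certificates.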


Below is what the output looks like in Kibana.

Wednesday, January 17, 2018

Arpnamer

I just released a neat utility to log ARP scans to JSON, syslog or a straight text file that will map the MAC address, IP, hostname and OUI data.

https://github.com/panaman/arpnamer