Enabled Mordor Ingestion via NXLog

2019-12-03 02:03:23 -05:00 · 2019-12-03 02:03:23 -05:00 · 7b297e65da
parent 75da37ac92
commit 7b297e65da
12 changed files with 68 additions and 34 deletions
--- a/docker/helk-kibana-analysis-alert-basic.yml
+++ b/docker/helk-kibana-analysis-alert-basic.yml
@ -43,6 +43,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -103,7 +104,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-analysis-alert-trial.yml
+++ b/docker/helk-kibana-analysis-alert-trial.yml
@ -45,6 +45,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -104,7 +105,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-analysis-basic.yml
+++ b/docker/helk-kibana-analysis-basic.yml
@ -43,6 +43,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -103,7 +104,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-analysis-trial.yml
+++ b/docker/helk-kibana-analysis-trial.yml
@ -45,6 +45,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -104,7 +105,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-notebook-analysis-alert-basic.yml
+++ b/docker/helk-kibana-notebook-analysis-alert-basic.yml
@ -43,6 +43,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -103,7 +104,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-notebook-analysis-alert-trial.yml
+++ b/docker/helk-kibana-notebook-analysis-alert-trial.yml
@ -45,6 +45,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -105,7 +106,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1g -Xms1g
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-notebook-analysis-basic.yml
+++ b/docker/helk-kibana-notebook-analysis-basic.yml
@ -43,6 +43,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -103,7 +104,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1G -Xms1G
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-kibana-notebook-analysis-trial.yml
+++ b/docker/helk-kibana-notebook-analysis-trial.yml
@ -45,6 +45,7 @@ services:
    ports:
      - "5044:5044"
      - "8531:8531"
+      - "3515:3515"
    restart: always
    depends_on:
      - helk-kibana
@ -105,7 +106,7 @@ services:
      REPLICATION_FACTOR: 1
      ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
      ZOOKEEPER_NAME: helk-zookeeper
-      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat
+      KAFKA_CREATE_TOPICS: winlogbeat, SYSMON_JOIN, filebeat, nxlog_mordor
      KAFKA_HEAP_OPTS: -Xmx1g -Xms1g
      LOG_RETENTION_HOURS: 4
    ports:
--- a/docker/helk-logstash/pipeline/0006-nxlog-mordor-input.conf
+++ b/docker/helk-logstash/pipeline/0006-nxlog-mordor-input.conf
@ -0,0 +1,12 @@
+# HELK NXLog Windows Logs Syslog TCP Mordor input conf
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+input {
+   tcp {
+      port => 3515
+      type => "nxlog-mordor"
+      codec => json { charset => "CP1252" }
+   }
+}
--- a/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf
+++ b/docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf
@ -67,7 +67,7 @@ filter {
    }
  }

-  else if [Message] {
+  else if [Message] and [type] != "nxlog-mordor" {
    fingerprint {
      source => "Message"
      target => "[@metadata][log_hash]"
--- a/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf
+++ b/docker/helk-logstash/pipeline/8802-meta-powershell-enrichment_and_additions-filter.conf
@ -4,33 +4,33 @@
 # License: GPL-3.0

 filter {
+  if [source_name] == "Microsoft-Windows-PowerShell" or [source_name] == "PowerShell" {
+    # Per Roberto's desire to have certain things like powershell non ascii and other enrichment's kept outside of the main powershell logstash config
+    # we are going to perform that enrichment in the config file previously, -- however in that file we are storing the field with, zDamTyILGeKD4H0.IbPK6g, appended [@metadata]
+    # this is so that users/whom-ever will the have option to delete this section and the field would get dropped during logstash output because appended with [@metadata]
+    # and also so we don't have to perform another for loop all over again (save some cycles on the hardware ;)

-  # Per Roberto's desire to have certain things like powershell non ascii and other enrichment's kept outside of the main powershell logstash config
-  # we are going to perform that enrichment in the config file previously, -- however in that file we are storing the field with, zDamTyILGeKD4H0.IbPK6g, appended [@metadata]
-  # this is so that users/whom-ever will the have option to delete this section and the field would get dropped during logstash output because appended with [@metadata]
-  # and also so we don't have to perform another for loop all over again (save some cycles on the hardware ;)
+    # 4103
+    if [@metadata][powershell_param_value_has_non_ascii] != "" {
+      mutate {
+        copy => { "[@metadata][powershell_param_value_has_non_ascii]" => "meta_powershell_param_value_has_non_ascii" }
+        add_field => { "z_logstash_pipeline" => "copy-8802-001" }
+      }
+    }

-  # 4103
-  if [@metadata][powershell_param_value_has_non_ascii] != "" {
-    mutate {
-      copy => { "[@metadata][powershell_param_value_has_non_ascii]" => "meta_powershell_param_value_has_non_ascii" }
-      add_field => { "z_logstash_pipeline" => "copy-8802-001" }
+    # 4104
+    if [@metadata][powershell_scriptblock_text_has_non_ascii] != "" {
+      mutate {
+        copy => { "[@metadata][powershell_scriptblock_text_has_non_ascii]" => "meta_powershell_scriptblock_text_has_non_ascii" }
+        add_field => { "z_logstash_pipeline" => "copy-8802-002" }
+      }
+    }
+
+    if [@metadata][powershell_scriptblock_text_length] {
+      mutate {
+        copy => { "[@metadata][powershell_scriptblock_text_length]" => "meta_powershell_scriptblock_text_length" }
+        add_field => { "z_logstash_pipeline" => "copy-8802-003" }
+      }
    }
  }
-
-  # 4104
-  if [@metadata][powershell_scriptblock_text_has_non_ascii] != "" {
-    mutate {
-      copy => { "[@metadata][powershell_scriptblock_text_has_non_ascii]" => "meta_powershell_scriptblock_text_has_non_ascii" }
-      add_field => { "z_logstash_pipeline" => "copy-8802-002" }
-    }
-  }
-
-  if [@metadata][powershell_scriptblock_text_length] {
-    mutate {
-      copy => { "[@metadata][powershell_scriptblock_text_length]" => "meta_powershell_scriptblock_text_length" }
-      add_field => { "z_logstash_pipeline" => "copy-8802-003" }
-    }
-  }
-
 }
--- a/docker/helk-logstash/pipeline/9964-nxlog-mordor-output.conf
+++ b/docker/helk-logstash/pipeline/9964-nxlog-mordor-output.conf
@ -0,0 +1,14 @@
+# HELK NXLog Windows Logs Syslog TCP Mordor Output conf
+# HELK build Stage: Alpha
+# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# License: GPL-3.0
+
+output {
+   if [type] == "nxlog-mordor" {
+     kafka {
+       bootstrap_servers => "helk-kafka-broker:9092"
+       codec => "json"
+       topic_id => "nxlog_mordor"
+     }
+   }
+}