mirror of https://github.com/infosecn1nja/HELK.git
139 lines
3.6 KiB
Plaintext
139 lines
3.6 KiB
Plaintext
{
|
|
"cells": [
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"# Network Sniffing\n",
|
|
"Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Rule Content\n",
|
|
"```\n",
|
|
"- title: Network Sniffing\n",
|
|
" id: f4d3748a-65d1-4806-bd23-e25728081d01\n",
|
|
" status: experimental\n",
|
|
" description: Network sniffing refers to using the network interface on a system\n",
|
|
" to monitor or capture information sent over a wired or wireless connection. An\n",
|
|
" adversary may place a network interface into promiscuous mode to passively access\n",
|
|
" data in transit over the network, or use span ports to capture a larger amount\n",
|
|
" of data.\n",
|
|
" author: Timur Zinniatullin, oscd.community\n",
|
|
" date: 2019/10/21\n",
|
|
" modified: 2019/11/04\n",
|
|
" references:\n",
|
|
" - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\n",
|
|
" logsource:\n",
|
|
" product: linux\n",
|
|
" service: auditd\n",
|
|
" category: null\n",
|
|
" detection:\n",
|
|
" selection1:\n",
|
|
" type: execve\n",
|
|
" a0: tcpdump\n",
|
|
" a1: -c\n",
|
|
" a3|contains: -i\n",
|
|
" selection2:\n",
|
|
" type: execve\n",
|
|
" a0: tshark\n",
|
|
" a1: -c\n",
|
|
" a3: -i\n",
|
|
" condition: selection1 or selection2\n",
|
|
" falsepositives:\n",
|
|
" - Legitimate administrator or user uses network sniffing tool for legitimate reason\n",
|
|
" level: low\n",
|
|
" tags:\n",
|
|
" - attack.credential_access\n",
|
|
" - attack.discovery\n",
|
|
" - attack.t1040\n",
|
|
"\n",
|
|
"```"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"## Querying Elasticsearch"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Import Libraries"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"from elasticsearch import Elasticsearch\n",
|
|
"from elasticsearch_dsl import Search\n",
|
|
"import pandas as pd"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Initialize Elasticsearch client"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"es = Elasticsearch(['http://helk-elasticsearch:9200'])\n",
|
|
"searchContext = Search(using=es, index='logs-*', doc_type='doc')"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Run Elasticsearch Query"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"s = searchContext.query('query_string', query='(type:\"execve\" AND a1:\"\\-c\" AND ((a0:\"tcpdump\" AND a3.keyword:*\\-i*) OR (a0:\"tshark\" AND a3:\"\\-i\")))')\n",
|
|
"response = s.execute()\n",
|
|
"if response.success():\n",
|
|
" df = pd.DataFrame((d.to_dict() for d in s.scan()))"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "markdown",
|
|
"metadata": {},
|
|
"source": [
|
|
"### Show Results"
|
|
]
|
|
},
|
|
{
|
|
"cell_type": "code",
|
|
"execution_count": null,
|
|
"metadata": {},
|
|
"outputs": [],
|
|
"source": [
|
|
"df.head()"
|
|
]
|
|
}
|
|
],
|
|
"metadata": {},
|
|
"nbformat": 4,
|
|
"nbformat_minor": 4
|
|
}
|