MineMeld: threat intelligence automation – architecture and hardening [1]

This post is the first of a series on Threat Intelligence Automation topic
Post 2: Foundation: write a custom prototype and SOC integration
Post 3: Export internal IoC to the community
Post 4: Search received IoC events with Splunk
Post 5: Connect to a TAXII service

Last slide at my HackInBo talk (italian) was about how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center (i-SOC) SPLUNK engine to reduce the time spent by SOC security analysts on IoC (Indicators of Compromise) analysis.

Threat Intelligence
Threat Intelligence question from #HiB17

At the time I was testing an open source project from PaloAlto: MineMeld. It was the right choice; after extensive tests MineMeld now help me to solve the challenges I had in the past while playing with IoC coming from various threat intelligence sources: collection automation, unduplication, aging and SOC integration.

MineMeld can also share our internal IoC to the italian infosec community we are now building from the ground. We are working hard on this and I’m really confident we will succeed (want to join? DM me on twitter or in the comments). Continue reading “MineMeld: threat intelligence automation – architecture and hardening [1]”

Configure Linux High Availability Cluster in Ubuntu with Corosync and DRBD file sync

Synchronization by Taxydromos69
Synchronization by Taxydromos69

I already wrote how to configure a basic High Availability Ubuntu cluster. The steps to setup a basic cluster are detailed in the previous post, so please read the post if you don’t know how to make the cluster up&running. Same conventions are used here.

One of the topic I didn’t covered on the old post was “application replication/synchronization between the nodes“. Now it’s time to show you how to keep in sync files between cluster nodes, using DRBD software. DRBD is a powerful component of Linux kernel and is designed to keep in sync data via TCP/IP between nodes volumes. In this post we will setup a clustered freeradius service that sync /etc/freeradius/clients.conf file between nodes. Continue reading “Configure Linux High Availability Cluster in Ubuntu with Corosync and DRBD file sync”

Configure basic Linux High Availability Cluster in Ubuntu with Corosync

Jellyfish Cluster - photo by robin on flickr
Jellyfish Cluster – photo by robin on flickr

[Read also: HA Cluster with DRBD file sync which adds file sync configuration between cluster nodes]

[UPDATED on March 7, 2017: tested the configuration also with Ubuntu 16.04 LTS]

This post show how to configure a basic High Availability cluster in Ubuntu using Corosync (cluster manager) and Pacemaker (cluster resources manager) software available in Ubuntu repositories (tested on Ubuntu 14.04 and 16.04 LTS). More information regarding Linux HA can be found here.

The goal of this post is to setup a freeradius service in HA. To do this we use two Ubuntu 14.04 or 16.04 LTS Server nodes, announcing a single virtual IP from the active cluster node. Notice that in this scenario each freeradius cluster istance is a standalone istance; I don’t cover application replication/synchronization between the nodes (rsync or shared disk via DRBD). Maybe I can do a new post in the future 🙂 [I did the post] Continue reading “Configure basic Linux High Availability Cluster in Ubuntu with Corosync”

Configure OTRS to process multiple Tickets in email Subject

Postfix email relay
Postfix email relay

OTRS Help Desk is an open source application (with Enterprise support) that has a lot of useful features: ITSM, Surveys, Time Accounting and System monitoring.

I use it on my company as a Service Desk for Security purposes (and more).
As you can read from our Success Story one of the feature we currently appreciate is the ability to track all the email exchanges into tickets simply putting ticket number in email Subject end CCing the proper configured email address. This allow us to interact with external parties without the need for other people to access our OTRS istance.  Continue reading “Configure OTRS to process multiple Tickets in email Subject”

SNORT rules Advanced Parser for pulledpork

Lone Hacker in Wharehouse by Brian Klug
Lone Hacker in Wharehouse by Brian Klug

Security Onion is an Ubuntu based distribution created to handle a lot of Security task.

One of the security tool installed is SNORT, the best open source Intrusion Detection System (IDS). Security Onion use Pulledpork to get IDS rules and process them.

I wrote a perl script to make advanced modification to the downloaded SNORT rules. This script can handle rule transformation based on regular expression and multiple substitution patterns. Continue reading “SNORT rules Advanced Parser for pulledpork”

Rsyslog – Store and Forward messages to other hosts

Forward by Bruce Berrien
Forward by Bruce Berrien

One of the problems I encountered in my job is to get syslog (udp/514) logs from a server that support only one syslog destination and resend these logs to two or more servers (log archiving, security appliance etc).

To do this I used rsyslog and Ubuntu Server (14.04 LTS) acting like a syslog relay.
In this scenario the remote appliance sends the log to the Ubuntu Server (listening on port udp/514) and the server store&forward the logs to one or more server/device.  Continue reading “Rsyslog – Store and Forward messages to other hosts”