
SSH Analysis Example #110

Merged
merged 16 commits into from
Jan 9, 2017

Conversation

gingerwizard
Contributor

No description provided.

@gingerwizard gingerwizard merged commit 3e0bb77 into elastic:master Jan 9, 2017
@kimchy
Member

kimchy commented Jan 10, 2017

@gingerwizard how do we get the data for SSH? I am wondering if, with the upcoming filebeat modules, we can have an SSH module that would parse SSH logs, and automatically install the relevant ingest plugin and Kibana dashboards for it. Later on, we can add support to automatically install watches and potentially built in ml (prelert). /cc @tsg @monicasarbu

@tsg

tsg commented Jan 10, 2017

Looks like it's using a Logstash codec (cef), so we'd have to check if grok is enough for parsing that format, or we'd need a CEF processor in Ingest Node. Or do you mean to parse the SSH logs in their non-CEF format?

@kimchy
Member

kimchy commented Jan 10, 2017

yes, I meant tailing SSH logs, out of the box (automatic detection of location based on OS and so on), in their original format (which, as far as I can tell, is non-CEF)

@gingerwizard
Contributor Author

In this case we took the auth logs from a honeypot that @nellicus has been running and converted them to CEF format. The pattern of these logs varies depending on system configuration, but in this case each entry was already JSON - @nellicus can provide further details, but here is a sample:

{"eventid": "cowrie.client.var", "name": "LC_PAPER", "timestamp": "2016-11-15T19:22:30.382303Z", "message": "request_env: LC_PAPER=es_ES.UTF-8", "system": "SSHChannel session (0) on SSHService ssh-connection on HoneyPotSSHTransport,2,192.168.1.105", "value": "es_ES.UTF-8", "isError": 0, "src_ip": "192.168.1.105", "session": "111f70f0", "sensor": "w530"}

The conversion to CEF was more to illustrate how data collected by Arcsight could in theory be easily ingested and alerted on.
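To make the JSON-to-CEF step concrete, the following is an added example (not code from this PR or from the honeypot project) that turns a cowrie-style event like the one quoted above into a CEF line and parses it back. The field-to-extension-key mapping, the vendor/product strings and the severity rule are assumptions; the escaping rules are the ones CEF requires so that a `|`, `=` or newline inside a honeypot-supplied string cannot split the record into extra fields.

```python
import json
import re

# Constructed sample: the cowrie event quoted in the comment above, abridged to one line.
SAMPLE_EVENT = ('{"eventid": "cowrie.client.var", "name": "LC_PAPER", '
                '"timestamp": "2016-11-15T19:22:30.382303Z", '
                '"message": "request_env: LC_PAPER=es_ES.UTF-8", '
                '"isError": 0, "src_ip": "192.168.1.105", '
                '"session": "111f70f0", "sensor": "w530"}')

# Hypothetical cowrie-field -> CEF-extension-key mapping; the PR's own mapping is not shown.
FIELD_MAP = {"timestamp": "rt", "src_ip": "src", "sensor": "dvchost",
             "session": "cs1", "message": "msg"}

def cef_escape(value, header=False):
    # CEF header fields escape '|' and '\'; extension values escape '=' and '\'
    # and fold CR/LF, so attacker-controlled text cannot inject extra fields.
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def cowrie_to_cef(line, vendor="Cowrie", product="Honeypot", version="1.0"):
    ev = json.loads(line)
    severity = "7" if ev.get("isError") else "3"   # assumed severity rule
    head = [vendor, product, version, ev["eventid"], ev.get("name", ev["eventid"]), severity]
    header = "|".join(["CEF:0"] + [cef_escape(h, header=True) for h in head])
    ext = " ".join(f"{key}={cef_escape(ev[f])}" for f, key in FIELD_MAP.items() if f in ev)
    return f"{header}|{ext}"

def _unescape(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def parse_cef(line):
    # Split the seven header fields on unescaped '|', then the extension on
    # unescaped 'key=' boundaries (extension values may contain spaces).
    header, rest = [], line
    for _ in range(7):
        m = re.match(r"((?:\\.|[^|\\])*)\|", rest)
        header.append(_unescape(m.group(1)))
        rest = rest[m.end():]
    ext = {k: _unescape(v) for k, v in
           re.findall(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s\w+=|$)", rest)}
    return header, ext
```

Running `parse_cef(cowrie_to_cef(SAMPLE_EVENT))` recovers the original `src_ip` and the `message` with its `=` intact, which is the property a grok pattern or a CEF ingest processor would also have to guarantee.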

@tsg

tsg commented Feb 27, 2017

Small follow up here, we have a filebeat module (PR open) and a staged blog post for doing something similar to this. Let me know if you see any issues with it.
