jswan

Comments

  • Most organizations of any substantial size are already compromised, by opportunistic malware if nothing else. Using some free tools to find those intrusions is a good way to get the attention at least of middle management.
  • I'm not sure I fully understand your question, but from the perspective of doing security-oriented network forensics the data sources I use most frequently are: Web proxy logs; NetFlow; Authentication logs (AD, RADIUS, VPN, etc.); DHCP; DNS query logs; IDS logs; Web server and file server logs; Firewall logs. The things I…
  • I regularly (at least daily) look at alerts and/or reports for: IDS, NetFlow, Authentication. Probably weekly I look at filtered reports for DNS and DHCP. Other people look at web and file server logs, mainly for operational reasons. The other stuff would be forensics related. We don't have a fully automated way to pull…
  • I think you'd have to be extremely selective about the kinds of anomalies reported. For most kinds of indicators, people who aren't security analysts probably can't tell a false positive from a true positive except in circumstances where the indicator is of extremely high fidelity, and it's hard to tune for fidelity…
  • I want to see DPI data made available as IPFIX export, along the lines of what Cisco is doing with AVC: http://www.cisco.com/c/en/us/td/docs/routers/access/ISRG2/AVC/api/guide/AVC_Metric_Definition_Guide/5_AVC_Metric_Def.pdf Their ART and NRT metrics, along with other DPI data such as HTTP host and URI strings, can be sent…
  • For a couple of years now, I've been using a Python script to do geoIP lookups on VPN logins that come into Kiwi syslog. I get a summary once a day that includes the country code and reverse DNS name (if available), along with the VPN user group to which the user belongs. We have a low enough volume that my "anomaly…
  • Probably the ease of use: we are using nxlog to deliver Windows event logs to Logstash, which is really easy for Windows admins to set up on their own. ELK is very JSON oriented, and nxlog has a native JSON output, so the whole log ingestion pipeline requires very little configuration. Then, since Kibana has a very simple…
  • What are you using for a SIEM that's less expensive than NetFlow?
  • As long as possible. Logs are a gold mine of historical security, performance, and operational data. Some recent examples: 1) Approximating long-term reliability of several WAN links. Routing protocol state changes are a decent proxy for heavy packet loss events, so by mining our long term syslog history for them I was…
  • One great way to reduce security costs is by implementing solutions that can be used for multiple purposes, and doing that first. Examples: 1) Log collectors and analyzers can be used by both security and operations personnel, if you use tools that don't lock you into an ops-specific or security-specific workflow. 2)…
  • I think it's worth making a distinction between DPI and full packet capture. Usually, DPI refers generically to any system that extracts metadata from network traffic at a higher layer than layer 4 -- in other words, you're getting application layer data that's more specific than TCP/UDP port number, ICMP message type,…
  • It's not enough to evaluate controls. In a large enough network, there exist so many ways to evade controls that you probably won't find all of them. Coincident with controls, we need to be implementing and monitoring better detection and response tools and plans.
  • Good stuff Glen. If you want to get human-readable ASCII flows from the CLI like you do in Wireshark, there's a nice Linux/UNIX tool called tcpflow that will do it for you. Replicating what you're doing would look something like: tcpflow -C -r httpcapture.pcap | less The -C sends the output to the terminal without flow…
  • It's merely a sad commentary on the amount of my life spent staring at pcaps...
  • I'm not sure what you mean by this. If you are doing unsampled NetFlow with a 60-second active flow export timer, you see traffic events in near real-time. The flow records themselves are accurately timestamped, so you have sub-minute granularity if you need it. Not all analyzers give you this degree of granularity (NTA,…
  • Minor correction: the TTL value you highlighted is the IP TTL, not the DNS TTL. In order to see the DNS TTL with tcpdump you need to use -vvv, and it shows up in brackets as a time value rather than a number of seconds like it does in some other tools: sudo tcpdump -vvv -ni eth0 udp port 53 and host 8.8.8.8 tcpdump:…
  • If you understand your network topology, NetFlow is probably the single most useful tool you can have after basic performance monitoring/alerting. The biggest problems people run into at the beginning usually have to do with not really understanding their own network topology -- this is common in cases where the network…
  • We've been rolling out the ELK stack (Elasticsearch/Logstash/Kibana). Right now we have about 45 days of logs (about 200 million entries) on tap, but we're still some way from having all devices reporting. Searching and aggregating is near-instantaneous for the types of queries we're usually doing. Most of our teams have…
  • If you're a Linux shop, I'd also throw out a plug for ELSA. It uses a mysql back-end with a Sphinxsearch front-end for full-text indexing. It has a steeper learning curve and requires more care-and-feeding than ELK on the data ingestion side, but it offers SQL capabilities as well as alerting and LDAP integration. It's…
  • This article starts out OK, but ends up misusing the terminology it intends to clarify. Malware, hacking, spam, and phishing are not threats. They are attack vectors or TTPs (tactics, techniques, procedures) that are employed by a threat to exploit a vulnerability. Threats are human actors. Furthermore, the explanation of…
  • My understanding is that Pari is available only to Cisco channel partners, who then typically charge a fee to customers to run reports. The charge varies depending on the types of reports requested. I had my reseller run an end-of-life/end-of-support report for me, which included serial numbers. It produces nice reports,…
  • "show inventory" is more universal than "show version", but it's not 100% reliable either. "show snmp chassis" is also pretty reliable. Cisco has a tool called "Pari" that reliably produces serial number reports. Maybe you have a contact who can tell you how that works?
  • In addition to this, is there a way to get only chassis serial numbers and not component serial numbers? I just went through this with our annual Smartnet checkup and it was a huge pain. I ended up dumping all the serial numbers out through a physical entities report and writing some custom perl scripts and Excel stuff to…
  • Adam, the cleartext information would be the actual NetFlow data packets. You would also need to configure a static NAT translation on your hub site firewall to send the packets to NTA. Whether or not this is a security risk depends on your risk profile--someone intercepting the packets might be able to decode them to…
  • Gotcha--I want to be able to do nested groups.
  • There are probably five different ways you can do this. Unfortunately I don't have time to post configs for all of them. If you want to post sanitized configs for the remote and headend routers I can have a look, but I can't promise anything.
  • Yes, I copied all the files in the zip archive: .Schema into Schemas; .Reports files into reports; .cfg file into Orion root folder. I did it again just to be certain, and I'm still getting the same problem. I have not run any repairs. Are there any services that need to be restarted?
  • Adam, I haven't been on the forums in a couple of weeks, but I can have a look if you want to post configs. Just to restate the fundamental problem: IOS doesn't (or didn't--I haven't checked to see if this has changed in recent code) allow you to export NetFlow packets through a "traditional" IPSec tunnel--that is, one…
  • The problem is if you use NCM AD authentication and then save this credential in NPM, it can cause the issues you're describing. When they change their AD password, NPM will continue to try to use their old AD password to try to connect to NCM which is likely causing the lockout issues you're experiencing. By the way, this…
  • Just chipping in to support email + plain text. Can't wait for this feature...
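The tcpdump comment above draws the distinction between the IP TTL (a hop limit in the IPv4 header) and the DNS TTL (a cache lifetime in each resource record). The following added example, not part of any of the comments, pulls both values out of a constructed IPv4/UDP DNS response so the two fields can be seen side by side; the packet contents (query for example.com, IP TTL 55, record TTL 300) are made up for the demonstration.

```python
"""Extract the IPv4 hop-limit TTL and the DNS resource-record TTL from one packet."""
import struct


def read_name(data, off):
    """Return the offset just past a DNS name, stopping at a compression pointer."""
    while True:
        length = data[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_ttls(packet):
    """Return (ip_ttl, rr_ttl) for an IPv4/UDP DNS response carrying >= 1 answer."""
    ihl = (packet[0] & 0x0F) * 4         # IPv4 header length in bytes
    ip_ttl = packet[8]                   # IPv4 header byte 8: hop limit, not the DNS TTL
    dns = packet[ihl + 8:]               # skip IPv4 header and the 8-byte UDP header
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", dns[:12])
    if not flags & 0x8000 or ancount == 0:
        raise ValueError("not a DNS response with answers")
    off = 12
    for _ in range(qdcount):             # skip question section: name + type + class
        off = read_name(dns, off) + 4
    off = read_name(dns, off)            # first answer RR: name, type, class, TTL, ...
    _rtype, _rclass, rr_ttl = struct.unpack("!HHI", dns[off:off + 8])
    return ip_ttl, rr_ttl


def build_sample():
    """Constructed sample: response from 8.8.8.8 for example.com, A record TTL 300."""
    dns = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)          # header: QR=1, 1 Q, 1 A
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # question: A, IN
    dns += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 55, 17, 0,
                     bytes([8, 8, 8, 8]), bytes([192, 0, 2, 10]))
    return ip + udp


if __name__ == "__main__":
    ip_ttl, rr_ttl = parse_ttls(build_sample())
    print(f"IP TTL (hops remaining): {ip_ttl}")
    print(f"DNS RR TTL (cache seconds): {rr_ttl}")
```

The IP TTL changes at every router hop and says nothing about caching; the record TTL is what resolvers honour, which is why tcpdump only shows it at the -vvv verbosity level.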