integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance #67

Closed
mmguero opened this issue Oct 1, 2019 · 1 comment
mmguero commented Oct 1, 2019

https://github.com/mitre-attack/car/tree/master/implementations/bzar

The BZAR project uses the Bro/Zeek Network Security Monitor to detect ATT&CK-based adversarial activity.

MITRE ATT&CK is a publicly-available, curated knowledge base for cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threats groups.

BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, raise notices, and write to the Notice Log.

@mmguero mmguero added enhancement New feature or request zeek Relating to Malcolm's use of Zeek labels Oct 1, 2019
@mmguero mmguero self-assigned this Oct 1, 2019
mmguero referenced this issue Oct 3, 2019
* integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance

idaholab#67

* use the cidr plugin to assign internal_source, external_source, internal_destination, external_destination tags based on srcIp and dstIp Zeek logs
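The two pieces above fit together: BZAR raises its findings as Zeek notices, and Malcolm's pipeline then tags each log with source/destination direction. The following is an added example written for this page, not code from Malcolm, BZAR or the Logstash cidr filter. It assumes Zeek's JSON notice.log layout (`id.orig_h`, `id.resp_h`, `note`, `msg`), that BZAR notice names begin with `ATTACK::` (the specific names in the constructed sample are illustrative), and an RFC 1918/loopback/link-local definition of "internal", which a real deployment would configure per site.

```python
"""Tag BZAR-style Zeek notice.log records with flow direction.

Constructed example; not Malcolm's pipeline or BZAR's scripts.
Assumptions (not taken from the page): JSON notice.log field names,
ATTACK::-prefixed note names, and the internal ranges below.
"""
import ipaddress
import json
from typing import Dict, List, Optional

# Assumed "internal" ranges; Malcolm's cidr plugin would be configured per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed notice.log lines (Zeek JSON format). Note names are illustrative.
SAMPLE_NOTICE_LOG = "\n".join([
    json.dumps({"ts": 1570000000.1, "uid": "CabCd1", "id.orig_h": "10.1.2.3",
                "id.orig_p": 49152, "id.resp_h": "10.1.2.50", "id.resp_p": 445,
                "note": "ATTACK::Lateral_Movement",
                "msg": "SMB write to admin share ADMIN$"}),
    json.dumps({"ts": 1570000001.2, "uid": "CefGh2", "id.orig_h": "203.0.113.9",
                "id.orig_p": 50001, "id.resp_h": "172.16.5.7", "id.resp_p": 135,
                "note": "ATTACK::Execution",
                "msg": "DCE-RPC svcctl CreateServiceW"}),
    json.dumps({"ts": 1570000002.3, "uid": "CijKl3", "id.orig_h": "192.168.0.4",
                "id.orig_p": 40000, "id.resp_h": "198.51.100.2", "id.resp_p": 80,
                "note": "Scan::Port_Scan", "msg": "not a BZAR notice"}),
])


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction_tags(src: str, dst: str) -> List[str]:
    """Produce the four tag names used in the Malcolm commit message."""
    return [
        "internal_source" if is_internal(src) else "external_source",
        "internal_destination" if is_internal(dst) else "external_destination",
    ]


def parse_bzar_notice(line: str) -> Optional[Dict]:
    """Parse one JSON notice record; return None unless it is an ATTACK:: notice."""
    rec = json.loads(line)
    note = rec.get("note", "")
    if not note.startswith("ATTACK::"):
        return None
    src, dst = rec["id.orig_h"], rec["id.resp_h"]
    return {
        "ts": rec["ts"],
        "uid": rec["uid"],
        "note": note,
        "tactic": note.split("::", 1)[1],   # e.g. Lateral_Movement
        "src": src,
        "dst": dst,
        "resp_port": rec.get("id.resp_p"),
        "msg": rec.get("msg", ""),
        "tags": direction_tags(src, dst),
    }


def parse_notice_log(text: str) -> List[Dict]:
    """All BZAR notices in a notice.log body, non-ATTACK notices dropped."""
    out = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_bzar_notice(line)
            if rec is not None:
                out.append(rec)
    return out


def perimeter_crossing(notices: List[Dict]) -> List[Dict]:
    """ATT&CK notices whose source is external and destination internal.

    SMB/DCE-RPC activity from outside the perimeter is the subset most
    analysts want surfaced first, which is what the direction tags enable.
    """
    return [n for n in notices
            if "external_source" in n["tags"]
            and "internal_destination" in n["tags"]]


if __name__ == "__main__":
    notices = parse_notice_log(SAMPLE_NOTICE_LOG)
    for n in notices:
        print(n["uid"], n["note"], n["src"], "->", n["dst"], n["tags"])
    for n in perimeter_crossing(notices):
        print("PERIMETER:", n["uid"], n["msg"])
```

Running the block on the constructed log yields two BZAR notices (the `Scan::Port_Scan` record is dropped); the second one is tagged `external_source` + `internal_destination` and is returned by `perimeter_crossing`. In a Malcolm-style deployment the tagging step is done by the Logstash cidr filter rather than in Python, but the classification logic is the same.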
mmguero commented Oct 3, 2019

For 1.6.1

@mmguero mmguero closed this as completed Oct 3, 2019
mmguero referenced this issue Oct 28, 2019
* integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance (#68)

* integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance

idaholab#67

* use the cidr plugin to assign internal_source, external_source, internal_destination, external_destination tags based on srcIp and dstIp Zeek logs

* bump development version to 1.6.1

* UI tweaks for the iso

* tweaks to ISO for UI and STIG hardening

* added localepurge to trim ISO

* tweaks for ISO STIG

* iso tweaks

* stig script tweaks

* swap out pdf reader for iso

* tweak location of clamd socket file

* address issue #43; remove overly complicated duplicate checking in result cache

* zeek updates (#72)

- Zeek 3.0
- New parsers/analyzers, complete list:
  - Amazon.com, Inc.'s ICS protocol analyzers
  - Corelight's bro-xor-exe plugin
  - Corelight's community ID flow hashing plugin
  - J-Gras' Bro::AF_Packet plugin
  - Lexi Brent's EternalSafety plugin
  - MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK-Based Analytics (BZAR) script
  - Salesforce's gQUIC analyzer
  - Salesforce's HASSH SSH fingerprinting plugin
  - Salesforce's JA3 TLS fingerprinting plugin
  - SoftwareConsultingEmporium's Bro::LDAP analyzer
- Dashboards for all new protocols
- Documentation updates


-------------------------------------------

* zeek updates:

- use Zeek 3.0
- install Amazon Zeek ICS plugins (https://github.com/amzn?utf8=%E2%9C%93&q=zeek&type=&language=)
- haven't yet looked at parsed fields list or built parsers/dashboards for new plugins, may be incomplete

* should have existing field tweaks done now, need to do new logs

* new logstash field definitions for the following:

bacnet
ethernet/ip
s7comm
known_certs
known_hosts
mqtt
ntp
profinet
tds

testing still in progress

* hopefully fix issue with zeek not running with the override file

* zeek-updates development (#69)

* add WISE views for new zeek fields, using new format to define most of them

https://molo.ch/wise#common-source-settings

* added links in comments for different log types

* working on new dashboards, not done yet

* more work on new dashboards

* more work on ICS stuff

* more work on new zeek log types

* updated navigation panel for new dashboards

* updated version for 1.7.0

* more work on new zeek log types

* more work on new zeek log types

* updated navigation panel for new dashboards

* sync sensor shared script with malcolm shared script

* fix dockerfile

* added patch for zeek pull #632 (zeek/zeek#632) Fix redef'ing a table with a new &default attribute

* update documentation

* documentation

* a few other plugins i've researched

* documentation

* fix building of plugin

* more work on new parsers (ldap)

* fix some stuff with the ldap parsing

* update dashboards

* use ZeroMQ-based approach for file scanning queue (#73)

* working on a new method for doing the file carving stuff

* maybe working now

* fix supervisor options

* comments

* fix dockerfile

* put a sleep in the main loop so our CPUs don't melt

* fix annoying clipit history clear timeout in ISO

* sync sensor shared script with malcolm shared script

* added human-readable names to types created with Moloch WISE

* update elastic to 6.8.4

* Topic/htadmin fixes (#75)

* initial code, unchanged from time immemorial

* initial code, unchanged from time immemorial

* first pass at integrating changes

* first pass at integrating changes

* update auth_setup for htadmin changes

* seems to be working now

* get htadmin from git