-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #23 from redBorder/feature/#17760_ch9
Feature/#17760 ch9
- Loading branch information
Showing
44 changed files
with
423 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,3 +2,4 @@ | |
| nav: | ||
| - ... | index*.md | ||
| - Getting started: getting_started | ||
| - Use cases: use_cases | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Seguimiento de una IP con Redborder | ||
|
|
||
| Podemos usar Redborder para rastrear una IP sospechosa. Es posible aprender sobre su comportamiento utilizando el módulo de **Tráfico**. | ||
|
|
||
| Antes que nada, debemos saber la IP que queremos rastrear. Una vez que tengamos la IP, iremos al módulo de **Tráfico**. | ||
|
|
||
|  | ||
|
|
||
| Seguimiento de una IP: módulo de tráfico | ||
|
|
||
| Una vez en el módulo **Tráfico**, podemos usar el botón **Búsqueda avanzada** desde el filtro para ver solo el tráfico generado por esa IP. | ||
|
|
||
|  | ||
|
|
||
| Seguimiento de una IP: búsqueda avanzada en el módulo de Tráfico | ||
|
|
||
| Aquí podemos configurar la IP sospechosa para filtrar todo el tráfico. Utilizaremos la métrica *LAN IP* para ese propósito. | ||
|
|
||
|  | ||
|
|
||
| Seguimiento de una IP: filtrado de IP | ||
|
|
||
| Cuando apliquemos el filtro, solo veremos el tráfico de esa IP. | ||
|
|
||
|  | ||
|
|
||
| Seguimiento de una IP: tráfico filtrado | ||
|
|
||
| Es posible agregar nuevas métricas para ver el comportamiento de la IP y lo que está haciendo en nuestra red. | ||
|
|
||
|  | ||
|
|
||
| Seguimiento de una IP: añadir nuevas métricas | ||
|
|
||
| Ahora podemos ver qué puertos está utilizando esta IP. | ||
|
|
||
|  | ||
|
|
||
| Seguimiento de una IP: puertos utilizados por IP sospechosa | ||
|
|
||
| Con este caso de uso, podemos ver cómo Redborder puede filtrar el tráfico de una o más IP para que el usuario pueda detectar comportamientos incorrectos para IP particulares, pudiendo rastrear las IP con solo unos pocos clics. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Tracking an IP with Redborder | ||
|
|
||
| We can use Redborder to track a suspicious IP. It's possible to learn about its behaviour using the **Traffic** module. | ||
|
|
||
| First of all, we must know the IP we want to track. Once we have the IP, we will go to the **Traffic** module. | ||
|
|
||
|  | ||
|
|
||
| Tracking an IP: traffic module | ||
|
|
||
| Once in the **Traffic** module, we can use the **Advanced Search** from the Filter button to see only the traffic generated by that IP. | ||
|
|
||
|  | ||
|
|
||
| Tracking an IP: Advanced Search in Traffic module | ||
|
|
||
| Here we can set the suspicious IP to filter all the traffic. We will use the LAN IP metric for that purpose. | ||
|
|
||
|  | ||
|
|
||
| Tracking an IP: filtering IP | ||
|
|
||
| When we apply the filter, we will see only the traffic for that IP. | ||
|
|
||
|  | ||
|
|
||
| Tracking an IP: traffic filtered | ||
|
|
||
| It is possible to add new metrics to see the behaviour of the IP and what it is doing in our network. | ||
|
|
||
|  | ||
|
|
||
| Tracking an IP: adding new metrics | ||
|
|
||
| Now we can see what ports are being used by this IP. | ||
|
|
||
|  | ||
|
|
||
| Tracking an IP: ports being used by suspicious IP | ||
|
|
||
| With this use case, we can see how Redborder is able to filter the traffic for one or more IPs so the user can detect bad behaviours for particular IPs, being able to track IPs with only a few clicks. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| # Ataques de fuerza bruta SSH | ||
|
|
||
| En este caso, queremos proteger y monitorear un servidor *SSH* crítico, por lo que utilizaremos reglas **Siddhi** para rastrear cualquier tipo de ataque de fuerza bruta. | ||
|
|
||
| Una vez que tenemos configurado el servidor *SSH* y ya hemos creado un sensor para él en Redborder, necesitamos habilitar el motor de correlación. | ||
|
|
||
| Para habilitar el **Motor de Correlación**, debemos introducir `rbcli service enable redborder-cep` en la terminal del administrador. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: habilitar el motor de correlación | ||
|
|
||
| Después de eso tendremos que esperar aproximadamente 10 minutos para asegurarnos de que CEP se esté ejecutando. Podemos usar el comando `rbcli service` para verificar esto. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: motor de correlación habilitado | ||
|
|
||
| Después de eso, ahora podemos ir a las **Reglas del motor de correlación** desde el menú **Herramientas**. | ||
|
|
||
| Usaremos la regla Siddhi de fuerza bruta SSH. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: reglas SSH | ||
|
|
||
| Podemos ver la regla haciendo clic en el botón de edición a la derecha. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: edición de la regla SSH | ||
|
|
||
| Vamos a cambiar el número máximo de intentos a 3, para esto, debemos cambiar el campo `total_msg` para que contenga `total_msg>=3`. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: edición de la regla SSH | ||
|
|
||
| Después de eso, debemos marcar la casilla de habilitación de la regla y aplicar todos los cambios. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: aplicar cambios | ||
|
|
||
| En el módulo **Vault** veremos el sensor CEP. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: sensor CEP | ||
|
|
||
| Podemos filtrar por sensor CEP para ver los mensajes. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: sensor CEP filtrado | ||
|
|
||
| En la pestaña de mensajes podemos ver los mensajes del sensor CEP, que muestra que está alertando de que se está realizando un ataque de fuerza bruta. | ||
|
|
||
|  | ||
|
|
||
| Ataque de fuerza bruta SSH: mensajes CEP | ||
|
|
||
| !!! info "Ten en cuenta..." | ||
|
|
||
| El motor de correlación tiene un gran potencial debido a las reglas Siddhi. Las reglas predeterminadas incluidas en el administrador se pueden editar para adaptarlas a sus propósitos o crear otras nuevas. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # SSH Brute-Force Attacks | ||
|
|
||
| In this case, we want to protect and monitor a critical *SSH* server, so we will use **Siddhi** rules to track any kind of brute-force attack. | ||
|
|
||
| Once we have the *SSH* server configured and we have already created a sensor for it in Redborder, we need to enable the Correlation Engine. | ||
|
|
||
| To enable the **Correlation Engine**, we have to introduce `rbcli service enable redborder-cep` in the manager terminal. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: enabling correlation engine | ||
|
|
||
| After that, we will have to wait 10 minutes approximately to ensure that CEP is running. We can use the `rbcli service` command to verify that. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: correlation engine enabled | ||
|
|
||
| Now we can go to **Correlation Engine Rules** from the **Tools** menu. We will use the SSH brute-force Siddhi rule. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: SSH rules | ||
|
|
||
| We can see the rule by clicking the edit button on the right. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: editing SSH rule | ||
|
|
||
| We are going to change the maximum number of attempts to 3. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: editing SSH rule | ||
|
|
||
| After that, we must check the enable box of the rule and apply all the changes. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: applying changes | ||
|
|
||
| In the Vault module, we will see the CEP sensor. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: CEP sensor | ||
|
|
||
| We can filter by CEP sensor to see the messages. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: CEP sensor filtered | ||
|
|
||
| In the message tab, we can see the messages from the CEP sensor, which shows it is alerting that a brute-force attack is being done. | ||
|
|
||
|  | ||
|
|
||
| SSH brute-force attack: CEP messages | ||
|
|
||
| !!! info "Keep in mind..." | ||
|
|
||
| The correlation engine has a big potential due to Siddhi rules. The default rules included in the manager can be edited to adapt them to your purposes or create new ones. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Detectar un ataque de Eternalblue con Redborder | ||
|
|
||
| En este caso, veremos cómo Redborder puede usar las reglas de Snort para detectar un ataque de *Eternalblue*. | ||
|
|
||
| Todo comienza con un correo electrónico malicioso que contiene un *dropper* que instala un *ransomware*. | ||
|
|
||
| El *ransomware* intentará utilizar un *exploit* conocido para tomar el control de todas las máquinas posibles. | ||
|
|
||
|  | ||
|
|
||
| Ataque Eternalblue: escenario | ||
|
|
||
| Redborder puede usar las reglas de Snort para detectar la respuesta de eco del protocolo *SMBv1* utilizada por el *ransomware*, por lo que podemos usar el módulo de intrusión para ver las firmas para identificar el ataque. | ||
|
|
||
|  | ||
|
|
||
| Ataque Eternalblue: intrusión | ||
|
|
||
| Aquí podemos ver las firmas actuales recopiladas por Redborder. | ||
|
|
||
|  | ||
|
|
||
| Ataque Eternalblue: filtrando firmas | ||
|
|
||
| Una vez que hayamos filtrado la firma de *Eternalblue*, podemos mostrar la métrica *SRC Address* para rastrear las IP involucradas en el ataque. | ||
|
|
||
|  | ||
|
|
||
| Ataque Eternalblue: selección de métrica SRC Address | ||
|
|
||
| Ahora tenemos las IP de las máquinas involucradas, por lo que es posible tomar medidas para resolver el agujero de seguridad. | ||
|
|
||
|  | ||
|
|
||
| Ataque Eternalblue: IPs envueltas en el ataque | ||
|
|
||
| !!! info "Ten en cuenta..." | ||
|
|
||
| Es importante tener una versión actualizada de las reglas de Snort para detectar comportamientos extraños y tráfico con Redborder. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Detecting an Eternalblue Attack with Redborder | ||
|
|
||
| In this case, we will see how Redborder can use Snort rules to detect an *Eternalblue* attack. | ||
|
|
||
| It all starts with a malicious phishing email which contains a *dropper* that installs *ransomware*. | ||
|
|
||
| The *ransomware* will try to use a known *exploit* to take control of all possible machines. | ||
|
|
||
|  | ||
|
|
||
| Eternalblue attack: scenario | ||
|
|
||
| Redborder can use Snort rules to detect the *SMBv1* protocol echo response used by the *ransomware*, so we can use the intrusion module to see the signatures to identify the attack. | ||
|
|
||
|  | ||
|
|
||
| Eternalblue attack: Intrusion | ||
|
|
||
| Here we can see the current signatures collected by Redborder. | ||
|
|
||
|  | ||
|
|
||
| Eternalblue attack: filtering signature | ||
|
|
||
| Once we have filtered the *Eternalblue* signature, we can show the SRC Address metric to track IPs involved in the attack. | ||
|
|
||
|  | ||
|
|
||
| Eternalblue attack: selecting SRC Address metric | ||
|
|
||
| Now we have the IPs of the machines involved, so it is possible to take actions to solve the security hole. | ||
|
|
||
|  | ||
|
|
||
| Eternalblue attack: IPs involved in the attack | ||
|
|
||
| !!! info "Keep in mind..." | ||
|
|
||
| It is important to have an updated version of Snort rules to detect weird behaviour and traffic with Redborder. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Alerta de ataque de autenticación de fuerza bruta | ||
|
|
||
| Podemos utilizar Redborder para alertar sobre posibles ataques de fuerza bruta gracias al uso de su motor de correlación y las reglas establecidas. Primero, debemos ir a la sección **Reglas del motor de correlación** ubicada **Herramientas**. | ||
|
|
||
|  | ||
|
|
||
| Reglas del CEP | ||
|
|
||
| Luego activaremos la regla que queremos usar. En este caso **Autenticación de fuerza bruta SSH**. Finalmente, debemos aplicar los cambios. | ||
|
|
||
|  | ||
|
|
||
| Reglas del CEP: detección de autenticación por fuerza bruta | ||
|
|
||
| Esta regla es capaz de generar una alerta cuando ocurren 200 intentos fallidos de inicio de sesión en una ventana de tiempo de 20 minutos en una máquina Linux a través del protocolo *SSH*. Para esto, es necesario tener el sensor de bóveda correspondiente creado previamente haciendo referencia a la IP de la máquina que queremos proteger. Una vez hecho esto, en caso de recibir un ataque de fuerza bruta, podríamos visualizar la alerta correspondiente accediendo al módulo **Vault**. Para poder verlo fácilmente, podemos agregar una pestaña de sensor y filtrar por CEP. | ||
|
|
||
|  | ||
|
|
||
| Módulo de Vault: alerta de ataque de fuerza bruta | ||
|
|
||
| También podemos mostrar el mensaje de alerta si cambiamos a la pestaña de mensajes. | ||
|
|
||
|  | ||
|
|
||
| Módulo de Vault: mensaje de alerta de ataque de fuerza bruta |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Brute force authentication attack alert | ||
|
|
||
| We can use Redborder to alert of possible brute force attacks thanks to the use of its correlation engine and the rules that are established. First, we must go to the **Correlation Engine Rules** section located in the **Tools** part. | ||
|
|
||
|  | ||
|
|
||
| CEP rules | ||
|
|
||
| Then we will activate the rule we want to use. In this case **SSH Brute Force Authentication**. Finally, we must apply the changes. | ||
|
|
||
|  | ||
|
|
||
| CEP Rules: brute force authentication detection | ||
|
|
||
| This rule is capable of generating an alert when 200 unsuccessful log-in attempts occur in a 20 minute time window on a Linux machine via *SSH* protocol. For this, it is necessary to have the corresponding vault sensor created previously by referring to the IP of the machine which we want to protect. Once this is done, in case of receiving a brute force attack, we could visualize the corresponding alert by accessing the **Vault** module. To be able to view it easily, we can add a sensor tab and filter by CEP. | ||
|
|
||
|  | ||
|
|
||
| Vault module: brute force attack alert | ||
|
|
||
| We can also display the alert message if we switch to the message tab. | ||
|
|
||
|  | ||
|
|
||
| Vault module: brute force attack alert message |
Oops, something went wrong.