Scirius Security Platform Host ID analyzer #960
Merged
jeromeleonard
merged 6 commits into
TheHive-Project:develop
from
StamusNetworks:ssp-info
Jul 26, 2021
Conversation
Scirius Security Platform (SSP) from Stamus Networks is a Network Detection and Response solution that analyses the network traffic of an organization to detect threats and provide insight on the monitored networks. SSP is not SaaS but is installed on premises or in the cloud. That is to say, there is no public/centralized instance and all SSP users need to connect to the SSP of their organization. One of the features of SSP is the capability to build host identification of IP addresses. This patch uses this feature to extract all known information about an IP address artifact (by using the REST API of SSP). Configuration is key, url and ssl_verify:

```json
{
  "data": "10.7.5.5",
  "dataType": "ip",
  "tlp": 0,
  "config": {
    "key": "XXXXXXXXXXXXXXXXXXXX",
    "url": "https://10.0.0.1/",
    "ssl_verify": false
  }
}
```

The result is an artifact with the hostnames corresponding to the IP address as well as first seen and last seen for this IP in taxonomies:

```json
{
  "success": true,
  "summary": {
    "taxonomies": [
      {"level": "info", "namespace": "SSP", "predicate": "first-seen", "value": "2021-03-08T21:25:34.996876+01:00"},
      {"level": "info", "namespace": "SSP", "predicate": "last-seen", "value": "2021-03-08T21:25:34.996876+01:00"}
    ]
  },
  "artifacts": [
    {
      "tags": ["first-seen:2021-03-08T21:25:34.999945+01:00", "last-seen:2021-03-08T21:50:23.644160+01:00"],
      "dataType": "fqdn",
      "data": "phantasmedia-dc.phantasmedia.com"
    }
  ],
  "full": {
    "ip": "10.7.5.5",
    "host_id": {
      "first_seen": "2021-03-08T21:25:34.996876+01:00",
      "last_seen": "2021-03-08T21:25:34.996876+01:00",
      "hostname": [
        {"host": "phantasmedia-dc.phantasmedia.com", "first_seen": "2021-03-08T21:25:34.999945+01:00", "last_seen": "2021-03-08T21:50:23.644160+01:00"}
      ],
      "net_info": [
        {"agg": "sweden.internet", "first_seen": "2021-03-08T21:25:34.996876+01:00", "last_seen": "2021-03-08T22:01:37.001216+01:00"}
      ],
      "tls.ja3": [
        {
          "agent": ["Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0"],
          "string": "769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,65281-10-11,23-24,0",
          "hash": "6734f37431670b3ab4292b8f60f29984",
          "first_seen": "2021-03-08T21:56:58.309064+01:00",
          "last_seen": "2021-03-08T22:00:12.487521+01:00"
        },
        {
          "agent": ["User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705"],
          "string": "769,47-53-5-10-49171-49172-49161-49162-50-56-19-4,65281-0-10-11,23-24,0",
          "hash": "1d095e68489d3c535297cd8dffb06cb9",
          "first_seen": "2021-03-08T21:57:04.883618+01:00",
          "last_seen": "2021-03-08T21:57:04.883618+01:00"
        }
      ],
      "http.user_agent": [
        {"agent": "test", "first_seen": "2021-03-08T22:00:14.851391+01:00", "last_seen": "2021-03-08T22:00:14.851391+01:00"},
        {"agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)", "first_seen": "2021-03-08T22:00:50.975367+01:00", "last_seen": "2021-03-08T22:00:50.975367+01:00"},
        {"agent": "WinHTTP sender/1.0", "first_seen": "2021-03-08T22:01:39.827278+01:00", "last_seen": "2021-03-08T22:01:39.827278+01:00"}
      ],
      "hostname_count": 1,
      "net_info_count": 1,
      "tls.ja3_count": 2,
      "http.user_agent_count": 3,
      "services": [
        {"proto": "tcp", "port": 88, "values": [{"first_seen": "2021-03-08T21:25:39.000157+0100", "last_seen": "2021-03-08T21:26:00.000642+0100", "app_proto": "krb5"}]},
        {"proto": "tcp", "port": 135, "values": [{"first_seen": "2021-03-08T21:26:38.000967+0100", "last_seen": "2021-03-08T21:51:22.000422+0100", "app_proto": "dcerpc"}]},
        {"proto": "tcp", "port": 389, "values": [{"first_seen": "2021-03-08T21:25:38.000940+0100", "last_seen": "2021-03-08T21:56:50.000475+0100", "app_proto": "unknown"}]},
        {"proto": "tcp", "port": 445, "values": [
          {"first_seen": "2021-03-08T21:25:55.000262+0100", "last_seen": "2021-03-08T21:55:56.000211+0100", "app_proto": "smb"},
          {"first_seen": "2021-03-08T21:52:45.000518+0100", "last_seen": "2021-03-08T21:52:45.000518+0100", "app_proto": "unknown"}
        ]},
        {"proto": "tcp", "port": 3268, "values": [{"first_seen": "2021-03-08T21:49:02.000600+0100", "last_seen": "2021-03-08T21:50:52.001114+0100", "app_proto": "unknown"}]},
        {"proto": "tcp", "port": 49155, "values": [{"first_seen": "2021-03-08T21:26:38.001079+0100", "last_seen": "2021-03-08T21:51:22.001006+0100", "app_proto": "dcerpc"}]},
        {"proto": "tcp", "port": 49158, "values": [{"first_seen": "2021-03-08T21:26:08.000171+0100", "last_seen": "2021-03-08T21:50:42.000992+0100", "app_proto": "dcerpc"}]}
      ],
      "services_count": 8,
      "tenant": 4
    }
  }
}
```

The full sub-object contains all the known information about the IP address.
The Host Identification module in SSP keeps track of how many TLS agents, HTTP agents and services have been seen.
Scirius Security Platform supports multitenancy, where multiple organizations' networks can use the same platform. If this feature is activated, then the tenant option, with its value being the one of the organization, has to be used to get access to the correct data. This matches the organization approach of Cortex and TheHive.
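As an added illustration (not the analyzer's own code), the following Python shows how the SSP host_id document described above maps onto the Cortex report: the host's own first/last sighting becomes the summary taxonomies, while each hostname becomes an fqdn artifact tagged with that hostname's sighting window. Function names and the trimmed sample document are assumptions constructed from the structure in the description.

```python
# Added illustration, not the analyzer's own code: the function names and the
# sample host_id document below are constructed from the structure shown in
# the pull request description.
import json

def ssp_taxonomies(host_id):
    """One info-level taxonomy each for the host's first and last sighting."""
    return [
        {"level": "info", "namespace": "SSP", "predicate": pred, "value": host_id[key]}
        for pred, key in (("first-seen", "first_seen"), ("last-seen", "last_seen"))
        if host_id.get(key)
    ]

def ssp_artifacts(host_id):
    """One fqdn artifact per hostname SSP tied to the IP, tagged with that
    hostname's own sighting window rather than the host's."""
    return [
        {
            "tags": [f"first-seen:{h['first_seen']}", f"last-seen:{h['last_seen']}"],
            "dataType": "fqdn",
            "data": h["host"],
        }
        for h in host_id.get("hostname", [])
    ]

def build_report(ip, host_id):
    """Assemble the report shape Cortex expects: summary taxonomies, extracted
    artifacts, and the full SSP object so analysts can drill into agents/services."""
    return {
        "success": True,
        "summary": {"taxonomies": ssp_taxonomies(host_id)},
        "artifacts": ssp_artifacts(host_id),
        "full": {"ip": ip, "host_id": host_id},
    }

# Constructed sample, trimmed from the host_id document quoted in the PR.
SAMPLE_HOST_ID = {
    "first_seen": "2021-03-08T21:25:34.996876+01:00",
    "last_seen": "2021-03-08T21:25:34.996876+01:00",
    "hostname": [{"host": "phantasmedia-dc.phantasmedia.com",
                  "first_seen": "2021-03-08T21:25:34.999945+01:00",
                  "last_seen": "2021-03-08T21:50:23.644160+01:00"}],
    "hostname_count": 1, "services_count": 8, "tenant": 4,
}

if __name__ == "__main__":
    print(json.dumps(build_report("10.7.5.5", SAMPLE_HOST_ID), indent=2))
```

A host SSP has seen but never resolved to a hostname yields taxonomies only and an empty artifacts list.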
Scirius Security Platform (SSP) is a network threat detection solution based on Suricata. One of the features of SSP is the capability to build and maintain host identity cards for the hosts in the network. This data is accessible via a REST API. By using this data, the analyzer can create some artifacts such as fqdn and get other information such as the user agents used and usernames seen on the host.
Scirius Security Platform is a per-organization product, so users of the analyzer will need to point the analyzer to their own instance of SSP running and analyzing their network.
See description in d4ccae4 for information about the data structure.
Implement #958.