[netsa-tools-discuss] Planning to offload Qradar SIEM noisy rules to SILK

Chris Inacio inacio at cert.org
Tue Nov 10 10:24:23 EST 2015


Asad,

I know that you have posted some questions about Analyst Pipeline configurations recently.  Which version of Pipeline are you running?

Second, do you know if the ASA exports an IPFIX/NetFlow v9 field with the event-name (or type) field in some form?  

It would likely be simpler to direct the output from the ASA directly into Pipeline in IPFIX/NetFlow v9 format and include that event type information in the set of fields which could then be matched in Pipeline for an evaluation.  Pipeline 5.x includes support to match against all IPFIX fields.  We would likely need to support you some more in accomplishing this type of configuration.  The documentation for the related schemaTools isn’t complete at this point and using that field would likely require a new schema definition.

This is likely to be the easiest way to capture some of the events you would like alerts on from your ASA.

Regards,
--
Chris Inacio
inacio at cert.org



> On Nov 9, 2015, at 3:03 AM, asad <a.alii85 at gmail.com> wrote:
> 
> Hello,
> 
> This is to update the community that the work was done using the following
> folder directories, which makes the job of "event-full" information a lot
> easier for Cisco ASA. Below is how SILK identifies the nature of flows coming
> into its pipeline.
> 
> 
> 
> in  innull  int2int  inweb  out  outnull  outweb
> 
> regards
> asad
> 
> On 11/2/15, asad <a.alii85 at gmail.com> wrote:
>> Hello,
>> 
>> I have an interesting case, where the SIEM Qradar is busy 90% of the time using
>> information from traffic logs of different firewalls, e.g. Cisco ASA. This was
>> done before the introduction of SILK into the env.
>> 
>> Now, these rules, the way they work, are very useful for correlation itself;
>> e.g. in 1 hour's time 100 different destinations were communicated with on the
>> same dest port and from the same source IP.
>> 
>> Qradar has built-in rules to use data from the traffic log to detect this
>> suspicious traffic, which after analysis comes out either as scanners, malware
>> or just noisy servers, i.e. NMS.
>> 
>> My plan is to transfer the logic behind these rules to the SILK analysis
>> pipeline; for a start I'm using Cisco ASA since it's the noisiest log
>> source into the SIEM.
>> 
>> Most of the conditions in the logic are fairly easy to transfer into the
>> alerting params provided with pipeline.conf; however, I'm unable to work out
>> how I can reproduce the following. For example, certain rules work in the SIEM
>> based upon the event-name coming from the Cisco ASA traffic log, e.g. "firewall
>> accept, firewall deny, session open and session close".
>> 
>> I know that the Cisco ASA NSEL format is event driven; there is no FLAGS
>> information that goes into the flow data from the Cisco ASA. Thus, I want to
>> know, in the absence of FLAGS information, does SILK provide the ability to
>> gather "event-name" information, e.g. session created, that can be used as part
>> of a filter or, better, an alerting condition?
>> 
>> As without the info of the event-name it's very difficult to replicate the logic
>> into SILK.
>> 
>> Hoping for some assistance on the issue.
>> 
>> regards
>> asad
>> 
> 
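The Qradar rule asad quotes (100 different destinations on the same destination port from one source IP inside an hour), as an added example that is not code from this thread, from SILK or from Analyst Pipeline: a Python sketch of the same fan-out check run over constructed rwcut-style records. The record layout, the use of the `out`/`outweb` types (from the type list asad posted) as the filter, the threshold/window values and every address are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # the rule's 1-hour window (assumed)
THRESHOLD = 100               # distinct destinations per (sIP, dPort) (assumed)

def parse_rwcut(text):
    """Parse pipe-delimited rows laid out like rwcut --fields=sip,dip,dport,stime,type."""
    recs = []
    for line in text.strip().splitlines():
        sip, dip, dport, stime, ftype = [f.strip() for f in line.split("|")]
        recs.append((sip, dip, int(dport),
                     datetime.strptime(stime, "%Y/%m/%dT%H:%M:%S"), ftype))
    return recs

def fanout_hits(records, threshold=THRESHOLD, window=WINDOW, types=("out", "outweb")):
    """Return {(sIP, dPort): n} for keys that reached n >= threshold distinct dIPs
    inside one sliding window; 'types' stands in for rwfilter --type=out,outweb."""
    by_key = defaultdict(list)
    for sip, dip, dport, stime, ftype in records:
        if ftype in types:
            by_key[(sip, dport)].append((stime, dip))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            seen = {dip for t, dip in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= threshold:
            hits[key] = best
    return hits

def constructed_sample():
    """Constructed flows (not real data): a fast fan-out, a slow one, a normal client."""
    base = datetime(2015, 11, 2, 9, 0, 0)
    fmt = "%Y/%m/%dT%H:%M:%S"
    rows = [f"10.0.0.5|192.168.1.{i + 1}|445|{base + timedelta(seconds=15 * i):{fmt}}|out"
            for i in range(120)]                       # 120 dIPs in 30 minutes: fires
    rows += [f"10.0.0.9|192.168.2.{i + 1}|445|{base + timedelta(minutes=3 * i):{fmt}}|out"
             for i in range(150)]                      # 150 dIPs over 7.5 h, ~21/hour: silent
    rows += [f"10.0.0.7|203.0.113.{i + 1}|443|{base + timedelta(minutes=i):{fmt}}|outweb"
             for i in range(5)]                        # ordinary web client
    return "\n".join(rows)

if __name__ == "__main__":
    for (sip, dport), n in fanout_hits(parse_rwcut(constructed_sample())).items():
        print(f"{sip} reached {n} distinct hosts on port {dport} within {WINDOW}")
```

The slow host shows why the window matters: it touches more hosts in total than the threshold, but never enough inside any single hour.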


