Automated response based on Alien Vault alerts | by Mohammad Larosh Khan

Automated response based on Alien Vault alerts

Scope

AlienVault OSSIM generates various alarms and it's quite possible that the analyst may miss some of the alarms that could have a devastating impact on our infrastructure. To cater this scenario, we developed a system for automated response to ensure that alarms against our critical systems are dealt promptly and effectively.  

AlienVault Configuration

We configured AlienVault (SIEM - OSSIM) for continuous monitoring of our internal network and the connected devices. AlienVault is fully operational and is generating alarms based on the directives/rules that we have created and customized according to our needs. 

AlienVault allows us to create custom policies and allows the administrator to trigger one or more of the following actions against those policies.

  1. Open a ticket
  2. Email
  3. Run scripts

As we have various policies which require different actions in response to ensure their effectiveness, we opted for the third option of running custom scripts to ensure that the policy serves its purpose in an efficient manner.

No alt text provided for this image

By default, AlienVault executes a script from its root directory, so we placed our script in the root directory and we can pass along all the above-mentioned keywords as parameters for the script.It is important to know that, if you want to have the script in a directory other than root, you need to set the path relative to the root directory. This information is not present in the official AlienVault documentation and it can cause errors. In our case, we passed SRC_IP, DST_IP and DST_PORT as arguments for our script.

lalalalaal

Fig. Automation architecture diagram

Above figure shows different components of our automated response system.

To get a better understanding of this architecture let us consider a scenario.

Scenario

We have a server that has SSH enabled on it. Users can access the server through ssh. This server is added in our AlienVault as one of the assets and hence it is being monitored 24/7. We have written a directive in our AlienVault which triggers an alarm whenever three or more wrong ssh tries are attempted on this server. There is a policy defined in AlienVault that gets triggered based on this directive. As mentioned earlier, policies can have various responses. In this case, we will be executing a custom-written script that will block the particular IP from which the server has received SSH connection requests by adding the rules in PFSense Firewall by the help of Ansible server and its Playbook. This response will ensure that the adversary attacking our system gets blocked hence securing our server.

AlienVault OSSIM is an open-source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

Ansible is an open-source automation tool, or platform, used for IT tasks such as configuration management, application deployment, intraservice orchestration and provisioning.

pfSense is a free and open-source firewall and router that also features unified threat management, load balancing, multi WAN, and more[ii]

AlienVault triggers a script in response to policies we created which then calls ansible server and it eventually add a rule in PFsense [iii]

Internal working of the system 

ssh_anomaly.sh

The first script which is placed on AlienVault that gets triggered in response to policy action is ssh_anomaly.sh which takes source IP, destination IP and destination port as parameters and calls Ansible server.

#!/bin/bash


## GET Params from AlienVault

source_ip=$1

destination_ip=$2

destination_port=$3


## These are the params of PFsense firewall and can be provided with default value or change according to need

interface="wan"

type='block'

ipproto='inet'

description="blocked for ssh anomaly"


## add ssh password of server where ansible-playbook will be executed

export SSHPASS="YOUR_ANSIBLE_PASS"


## Execute script on remote server which will execute ansible-playbook with given params

sshpass -e ssh [email protected]_IP "sh YOUR_SCRIPT_PATH_ON_ANSIBLE_SERVER/add_rule.sh $source_ip $destination_ip $destination_port $interface $type $ipproto $description"

Add_rule.sh

This is the script that gets triggered from AlienVault and passes along the parameters needed for firewall rule to Ansible-Playbook

#!/bin/sh


# Params will be received from another server via ssh call (from AlienVault)

source_ip=$1

destination_ip=$2

destination_port=$3

interface=$4

type=$5

ipproto=$6

description=$7

MY_PID=$$


# Ansible ping

ansible -i INVENTORY_PATH/inventory -m ping myhosts


# Execute ansible-playbook with given params to add a rule in firewall

# Executes playbook.yml

ansible-playbook -i INVENTORY_PATH/inventory PLAYBOOK_PATH/playbook.yml --user=ANSIBLE_USER --extra-vars "ansible_sudo_pass=ANSIBLE_PASSWORD"  --extra-var type="$type" --extra-var ipproto="$ipproto" --extra-var description="$description" --extra-var sourceip="$source_ip" --extra-var destinationip="$destination_ip" --extra-var destinationport="$destination_port" --extra-var interface="$interface" --extra-var MY_PID="$MY_PID"

Replace ANSIBLE_USER, ANSIBLE_PASSWORD, INVENTORY_PATH and PLAYBOOK_PATH with your own details.

Ansible installation can be found in references [i]

Playbook.yml

This playbook edits the config file of pfSense in order add/remove a firewall rule (blocking/unblocking a particular IP on specific port etc). This script also ensures error handling via sending email report to admin in case of failure. 

---

- hosts: myhosts

  become: true

  become_user: root

  tasks:


  - name: 'edit config.xml'

    register: output

    ignore_errors: yes             

    lineinfile:

    dest: "/cf/conf/config.xml"

    regexp: '{{ item.regexp }}'

    line: '{{ item.line }}'

    with_items:

        - { regexp: '(?<![\w\d])<filter>(?![\w\d])', line: "<filter>\n<rule><type>{{ type }}</type><ipprotocol>{{ ipproto }}</ipprotocol><descr>{{ description }}</descr><interface>{{ interface }}</interface><tracker>123456789</tracker><source><address>{{ sourceip }}</address></source><destination><address>{{ destinationip }}</address><port>{{ destinationport }}</port></destination></rule>" }

 

  - name: Sending an e-mail using Gmail SMTP servers

    mail:

      host: smtp.gmail.com

      port: 587

      username: "YOUR_EMAIL"

      password: "YOUR_PASS"

      to: RECEIVER_NAME <RECEIVER_EMAIL>

      subject: Ansible-report

      body: "Failed : {{ output.results[0].failed }}\nChanged : {{ output.results[0].changed }}\nMsg : {{ output.results[0].msg }}"

    delegate_to: localhost

    when: item.failed == True

    loop: "{{ output.results }}"


  - name: Kill bash script

    shell: sudo kill -9 {{ MY_PID }}

    when: item.failed == True

    loop: "{{ output.results }}"

    delegate_to: localhost


  - name: Reload Firewall rules

    shell: /etc/rc.filter_configure

    when: item.failed == False

    loop: "{{ output.results }}" 
No alt text provided for this image

Screenshot of rule added in the firewall


Author: Mohammad Larosh Khan - https://www.linkedin.com/in/mohammad-larosh-khan-b84ab5172/

Contributors : This article is a combined effort of me and my colleague Sikandar Iqbal - https://www.linkedin.com/in/sikandar-iqbal-63269b129/

References

[i] https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html

[ii] https://www.pfsense.org/download/

[iii] https://www.alienvault.com/documentation/usm-appliance/policy-management/action-exec-ext.htm


Originally posted: https://www.linkedin.com/pulse/automated-response-based-alien-vault-alerts-mohammad-larosh-khan/

March 6, 2020

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013