
Reporting Network Threats with Graylog

In an average 5 min time-span my network firewall is scanned about 25-50 times (+/-). It is scanned from all over the world, including Morocco, Hong Kong, Los Angeles, Moscow, Beijing and London (to name a few). I’m sure both sophisticated and not-so-sophisticated hackers are using VPNs or Tor to appear to be in another location or to hide their tracks. What are they trying to accomplish? Basically, they are checking whether any doors are unlocked so they can get access or information. In network security terms, that means network services that are running unlocked, unprotected, or protected only by weak or well-known passwords. Most folks would be unaware of such poor network security until they get hacked. Some folks purposely leave hosts exposed with services running in order to capture details on hacker methods (those are called honeypots). I noticed a lot of scanning of ports 1433 (MS SQL Server), 21 (FTP), 22 (SSH) and 23 (Telnet), among many others. If a service on my home network were listening on one of those ports and exposed to the general internet, these scans would pick it up and essentially report back that I have a running service. From there, the scanners could try known generic passwords or any known security vulnerabilities.

This report was generated from live syslog data from my wifi router, which is ingested by Graylog; the router log messages are then processed to look up any known threats. The threat and geolocation lookups are built-in features of Graylog.

More detail on how to set this up on your own Graylog instance can be found at https://www.graylog.org/post/integrating-threat-intelligence-into-graylog-3 and https://www.graylog.org/post/how-to-set-up-graylog-geoip-configuration

I found a useful blog that identified items to check when setting this up.

  1. Check your processing order; your order is wrong if you use pipeline rules. Please move your Message Filter chain before Pipeline Processor.
  2. Check if your GeoIP lookup table works. Put an internet IP address in the Key field of the Test Lookup section, and it should return GEO information.
  3. If not, check your data adapter to see if you use the correct Database type for your downloaded file. I use GeoLite2-City.mmdb and Database type: City Database. If you use only the Country database, change to the correct type.
  4. Best is to put the MaxDB databases in the /etc/graylog/server directory; check if the graylog service can read the file.
  5. You need an extracted field with IP addresses, for example src_ip with only IP addresses, to use in the lookup table. I couldn’t see any IP field in your fields screenshot. So create an extractor or pipeline rule for IP field extraction first.
  6. You can use the GeoIP lookup table in several places: Extractor, Converter, Decorator or Pipeline Rule.
  7. There is no special GeoIP map icon in the field.
  8. If you want to create a World Map widget, create the widget from the field src_ip_geo_location (or Show top values) and change the Visualization type to World Map.
  9. If you use SELinux (CentOS, RHEL), try disabling it to check whether it’s blocking access to the GeoIP db file.

The full thread is available here https://community.graylog.org/t/geo-ip-not-working/14846/8
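As an added, stand-alone example (not the author's Graylog setup and not Graylog's own code): the source-IP and destination-port extraction that step 5 asks for, plus the per-5-minute scan count that the post opens with, done in Python over constructed router syslog lines. The netfilter-style DROP line format, the field names src_ip/dpt and the year 2024 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: netfilter-style DROP lines like those many consumer routers send via syslog.
SAMPLE_LOG = """\
Mar 14 10:01:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40101 DPT=1433
Mar 14 10:01:40 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40102 DPT=22
Mar 14 10:03:15 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=23
Mar 14 10:04:59 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=21
Mar 14 10:05:01 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=22
Mar 14 10:07:30 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=5000 DPT=53
Mar 14 10:08:00 router kernel: unrelated message with no SRC field
"""

# The same extraction a Graylog regex extractor or pipeline rule would do: src_ip and destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?SRC=(?P<src_ip>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

SERVICE_NAMES = {1433: "MS SQL Server", 21: "FTP", 22: "SSH", 23: "Telnet"}  # ports the post calls out

def parse_events(log_text, year=2024):
    """Yield (timestamp, src_ip, dst_port) per DROP line; syslog lacks a year, so one is supplied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall drop line, skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src_ip"], int(m["dpt"])

def window_start(ts, minutes=5):
    """Floor a timestamp to the start of its bucket (5 minutes, the span the post reports on)."""
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % minutes)

def scan_report(log_text, minutes=5):
    """Per window: total drops, distinct scanning sources, and hit count per targeted port."""
    report = {}
    for ts, src_ip, dpt in parse_events(log_text):
        w = report.setdefault(window_start(ts, minutes), {"total": 0, "sources": set(), "ports": Counter()})
        w["total"] += 1
        w["sources"].add(src_ip)
        w["ports"][dpt] += 1
    return report

if __name__ == "__main__":
    for start, w in sorted(scan_report(SAMPLE_LOG).items()):
        named = {f"{p} ({SERVICE_NAMES.get(p, 'other')})": n for p, n in w["ports"].items()}
        print(f"{start:%H:%M}: {w['total']} drops from {len(w['sources'])} sources: {named}")
```

In Graylog the same split would be a regex extractor on the raw message feeding a GeoIP lookup on src_ip, with the window counts coming from a dashboard widget over the extracted fields.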

By Rich

Lover of science, technology, ice hockey and the outdoors. Houston is home.
