SIEM syslog analysis

[JohnOCFII]

Greetings,

As is expected, if I log dropped connections, I see lots of them.

Any suggestions for a simple, free SIEM/log analyzer? Ideally something that would summarize thing and show, for example, "200 SSH attempts from IP address, a.b.c.d in China... or something like that.

Thanks,

John

Feb 23 15:02:00 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=71.6.216.53 DST=71.195.11.24 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=54321 PROTO=TCP SPT=16992 DPT=16992 SEQ=1202533037 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 23 15:02:07 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=50.7.78.226 DST=71.195.11.24 LEN=44 TOS=0x00 PREC=0x20 TTL=55 ID=22903 DF PROTO=UDP SPT=39435 DPT=27874 LEN=24
Feb 23 15:02:07 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=198.255.32.138 DST=71.195.11.24 LEN=44 TOS=0x00 PREC=0x20 TTL=56 ID=64422 DF PROTO=UDP SPT=54828 DPT=27874 LEN=24
Feb 23 15:02:07 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=198.255.30.194 DST=71.195.11.24 LEN=44 TOS=0x00 PREC=0x20 TTL=56 ID=5828 DF PROTO=UDP SPT=38984 DPT=27874 LEN=24

 

[skeal]

Greetings,

As is expected, if I log dropped connections, I see lots of them.

Any suggestions for a simple, free SIEM/log analyzer? Ideally something that would summarize thing and show, for example, "200 SSH attempts from IP address, a.b.c.d in China... or something like that.

Thanks,

John

Feb 23 15:02:00 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=71.6.216.53 DST=71.195.11.24 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=54321 PROTO=TCP SPT=16992 DPT=16992 SEQ=1202533037 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 23 15:02:07 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=50.7.78.226 DST=71.195.11.24 LEN=44 TOS=0x00 PREC=0x20 TTL=55 ID=22903 DF PROTO=UDP SPT=39435 DPT=27874 LEN=24
Feb 23 15:02:07 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=198.255.32.138 DST=71.195.11.24 LEN=44 TOS=0x00 PREC=0x20 TTL=56 ID=64422 DF PROTO=UDP SPT=54828 DPT=27874 LEN=24
Feb 23 15:02:07 kernel: DROP IN=eth0 OUT= MAC=1c:87:2c:4a:20:d0:2c:0b:e9:15:9c:22:08:00 SRC=198.255.30.194 DST=71.195.11.24 LEN=44 TOS=0x00 PREC=0x20 TTL=56 ID=5828 DF PROTO=UDP SPT=38984 DPT=27874 LEN=24

Skynet could get you close.
Search skynet and look for posts by @Adamm

 

[JohnOCFII]

Skynet could get you close.
Search skynet and look for posts by @Adamm

Thanks for the pointer to SkyNet. It looks to be a nice enhancement to the firewall, but I didn't see anything about log analysis when I read the info on GitHub.

 

[MichaelCG]

There is always Splunk...not sure how much is built-in without a bit of work, but it for sure is a SIEM that has uber amounts of flexibility.

 

[JohnOCFII]

There is always Splunk...not sure how much is built-in without a bit of work, but it for sure is a SIEM that has uber amounts of flexibility.

Thanks for the pointer -- I was actually thinking of something like a lightweight Splunk -- I didn't realize they still had a free option. http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/MoreaboutSplunkFree

 

[JohnOCFII]

FYI -- getting to something like they discuss in this article is my goal: https://danielmiessler.com/blog/monitoring-ssh-bruteforce-attempts-using-splunk/

 

[darkone338]

FYI -- getting to something like they discuss in this article is my goal: https://danielmiessler.com/blog/monitoring-ssh-bruteforce-attempts-using-splunk/

check out the home monitor app on Splunkbase. Might go some way to getting you what you want.

https://splunkbase.splunk.com/app/1214/

 

[JohnOCFII]

check out the home monitor app on Splunkbase. Might go some way to getting you what you want.

https://splunkbase.splunk.com/app/1214/

That looks like a great start -- thanks!

 

[CarlyElise]

Curious to know is anyone running splunk/Home Monitor with Skynet 4? my Asus logs “Drop” which home monitor ingests with no problem but sky net uses [BLOCKED - INBOUND] and [BLOCKED - INVALID] which I have not been able to get to work yet. thoughts???