
2. Analyzing files

Hariom Chaturvedi edited this page Aug 16, 2021 · 5 revisions

Usage

First, start the Elasticsearch, Filebeat, and Kibana containers and wait 1-2 minutes to get them in a healthy state.

sudo docker-compose up -d elasticsearch filebeat kibana

To check the running containers and their state use:

sudo docker-compose ps
          Name                          Command                    State                Ports
-----------------------------------------------------------------------------------------------------
pcapmonkey_elasticsearch   /bin/tini -- /usr/local/bi ...     Up (healthy)   9200/tcp, 9300/tcp
pcapmonkey_filebeat        /usr/bin/tini -- /usr/loca ...     Up
pcapmonkey_kibana          /bin/tini -- /usr/local/bi ...     Up (healthy)   127.0.0.1:5601->5601/tcp

Once the containers are up and in a healthy state, head over to the Kibana web interface (http://localhost:5601/) and import filebeat.ndjson. filebeat.ndjson contains Index Patterns and a few Saved Searches that help with quick analysis.

To import it, open Stack Management from the left-side menu and follow the path: Stack Management -> Saved Objects -> Import.

The details of each Index Pattern are:

Object Name    Description
-------------  -------------------------------------------------------------
filebeat-*     Filebeat patterns indexed on @timestamp (the event time).
file*          Filebeat patterns indexed on the log ingestion time.
winlogbeat*    Windows Event Log pattern indexed on the ingestion time.

Analyzing PCAPs

Add all the packet capture files to the pcap/ directory. Note: the packet captures must have a .pcap extension; rename any .pcapng files.

If this is the first run of Suricata, download the Emerging Threats Open rules first:

sudo docker-compose run --entrypoint='suricata-update -f' suricata

This writes all the rules to the config/suricata/rules/suricata.rules file. Your own rules can be added to the custom.rules file.

Now start the zeek and suricata containers. Note: make sure the Elastic stack is up and running first.

sudo docker-compose up zeek suricata

Note: ignore the following warning from Suricata; it is caused by the .gitignore file in pcap/ being picked up as a capture and skipped.

<Error> - [ERRCODE: SC_ERR_FOPEN(44)] - unknown file format
<Warning> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - Failed to init pcap file /pcap//.gitignore, skipping

Zeek and Suricata will process each pcap and write their logs to the logs/ directory. Filebeat ships the generated logs to Elasticsearch, where they can be analyzed with Kibana. In Kibana, open Discover, select an index pattern, and start analyzing the logs.
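The PCAP steps above, wrapped in one POSIX shell script as an added example (not part of the PcapMonkey project). It assumes it runs from the repository root containing docker-compose.yml, pcap/ and config/suricata/rules/ (the paths named on this page), polls `docker-compose ps` for the healthy state instead of sleeping a fixed 1-2 minutes, and only fetches the rules when suricata.rules is still missing. The PCAPMONKEY_RUN variable is a hypothetical guard chosen here.

```shell
#!/bin/sh
# Added example, not PcapMonkey's own code. Run from the repository root with
# PCAPMONKEY_RUN=1 to execute the full workflow; without it only the helper
# functions are defined, so they can be sourced or tested on their own.
set -eu

# The page requires .pcap extensions: rename every .pcapng file in DIR ($1).
rename_pcapng() {
    dir=$1
    for f in "$dir"/*.pcapng; do
        [ -e "$f" ] || continue             # the glob matched nothing
        mv -- "$f" "${f%.pcapng}.pcap"
    done
}

# Read `docker-compose ps` output on stdin; succeed only when both the
# elasticsearch and kibana containers report "Up (healthy)".
stack_healthy() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'elasticsearch.*Up (healthy)' &&
        printf '%s\n' "$out" | grep -q 'kibana.*Up (healthy)'
}

# Poll the stack every 5 seconds; give up after MAX_TRIES ($1) attempts.
wait_for_stack() {
    tries=0
    until sudo docker-compose ps | stack_healthy; do
        tries=$((tries + 1))
        [ "$tries" -lt "$1" ] || { echo "Elastic stack not healthy" >&2; return 1; }
        sleep 5
    done
}

main() {
    rename_pcapng pcap
    sudo docker-compose up -d elasticsearch filebeat kibana
    wait_for_stack 24                       # up to ~2 minutes, as the page suggests
    # First run only: fetch the Emerging Threats Open rules into suricata.rules.
    [ -s config/suricata/rules/suricata.rules ] ||
        sudo docker-compose run --entrypoint='suricata-update -f' suricata
    sudo docker-compose up zeek suricata    # logs land in logs/ and reach Kibana
}

if [ "${PCAPMONKEY_RUN:-0}" = 1 ]; then
    main
fi
```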

Indexes

A sample screenshot of the Discover section in Kibana is below. You may need to expand the time range to see all the data. (Screenshot: Discover)

There are a couple of Dashboards and Searches saved in filebeat.ndjson. They can be used to visualize the Suricata and Zeek logs. Just go to the Dashboard section and select the dashboard.

(Screenshots: Zeek Dashboard, Suricata Dashboard)

Example screenshot of a Saved Search: (Screenshot: Suricata Alerts Search)

Video Tutorial On Pcap Analysis with Pcapmonkey: https://www.youtube.com/watch?v=zVlFRs2vCQg

Analyzing Windows Event files

Add all the event files in the import_event_logs/ directory. First, make sure that the Elastic Stack is up and running. Next, start the evtxtoelk container.

sudo docker-compose up evtxtoelk

It should output the following: (Screenshot: evtxtoelk Output)

Now, select the windows_events_original_ts* index in Kibana, and start analyzing Event Logs.

(Screenshot: Event Logs Discover)
