SIEM integration
You can configure OpenSnitch to send intercepted events to third-party SIEM solutions.
Firstly, configure a logger (only syslog is supported as of v1.6.0) in `/etc/opensnitch/default-config.json`:

```json
"Server": {
    "Address": "unix:///tmp/osui.sock",
    "LogFile": "/var/log/opensnitchd.log",
    "Loggers": [
        {
            "Name": "syslog",
            "Server": "127.0.0.1:514",
            "Protocol": "udp",
            "Format": "rfc5424",
            "Tag": "opensnitchd"
        }
    ]
},
(...)
```
Possible fields and values of the syslog logger:

| Option | Description |
|---|---|
| Name | Name that identifies the logger: `syslog`, `remote` or `remote_syslog` |
| Server | Server address. Leave it empty to log events to the local daemon |
| Protocol | Only applicable if Server is not empty |
| Format | Possible values: `rfc3164`, `rfc5424`, `csv` or `json`. `rfc5424` will log events with the format KEY=VALUE |
| Tag | Optional tag to identify events in the syslog. If empty, syslog will use the name of the daemon |
After modifying the configuration, restart OpenSnitch.
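Before wiring a full SIEM, it helps to check that the two logger formats above can actually be consumed. The following is an added example, not code from the OpenSnitch project: a small parser for an RFC 5424 line carrying KEY=VALUE pairs and for a JSON event, plus a toy destination-allowlist check of the kind a SIEM rule would apply. The KEY=VALUE key names, the sample lines and the allowlist are assumptions constructed for this example; the JSON field names follow the Logstash sample further down this page.

```python
import json
import re
from ipaddress import ip_address, ip_network
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # KEY=VALUE pairs, values may be quoted

def parse_rfc5424_kv(line):
    """Parse a syslog line whose MSG part is KEY=VALUE pairs (Format: rfc5424).
    Key names (action, rule, proto, dst_ip, process) are assumed; adjust to your daemon."""
    m = _RFC5424.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line[:40])
    event = {k: v.strip('"') for k, v in _KV.findall(m.group("msg"))}
    pri = int(m.group("pri"))
    event["_syslog"] = {"host": m.group("host"), "app": m.group("app"),
                        "facility": pri >> 3, "severity": pri & 7}
    return event

def parse_json_event(line):
    """Normalise a JSON event (Format: json) to the keys the KV parser produces."""
    doc = json.loads(line)
    ev = doc.get("Event") or {}
    return {"action": doc.get("Action"), "rule": doc.get("Rule"),
            "proto": ev.get("protocol"), "dst_ip": ev.get("dst_ip"),
            "process": (ev.get("process_args") or [None])[0]}

def flag_event(event, allowed_dst):
    """Return the reasons a SIEM rule would raise this event (empty list = benign)."""
    reasons = []
    if event.get("action") == "deny":
        reasons.append("blocked connection")
    dst = event.get("dst_ip")
    if dst and not any(ip_address(dst) in net for net in allowed_dst):
        reasons.append("destination %s outside allowlist" % dst)
    return reasons

# Constructed sample input; not captured from a real OpenSnitch installation.
SAMPLE_SYSLOG = ("<14>1 2023-07-19T13:49:54Z host1 opensnitchd 1234 - - action=allow "
                 "rule=000-allow-domains proto=udp dst_ip=9.9.9.9 process=/usr/bin/firefox-esr")
SAMPLE_JSON = json.dumps({"Type": 0, "Rule": "000-deny-unknown", "Action": "deny",
                          "Event": {"protocol": "tcp", "dst_ip": "203.0.113.7",
                                    "process_args": ["/usr/bin/curl"]}})
ALLOWED_DST = [ip_network("9.9.9.9/32"), ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    for ev in (parse_rfc5424_kv(SAMPLE_SYSLOG), parse_json_event(SAMPLE_JSON)):
        print(ev.get("rule"), ev.get("dst_ip"), flag_event(ev, ALLOWED_DST) or "ok")
```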
Now you should see the events on your SIEM, for example:
Example: Grafana + Loki

- Unzip this file: opensnitch-grafana-siem.zip
  The setup is based on the following example, so all the commands to set it up apply: https://github.com/grafana/loki/tree/main/examples/getting-started
- Enter the directory where the `docker-compose.yaml` is and execute:

```
# docker-compose up -d
siem_minio_1 done
siem_write_1 done
siem_read_1 done
siem_gateway_1 done
siem_grafana_1 done
siem_promtail_1 done
syslog-ng done
```
- Add the logger configuration as explained above to send events to 127.0.0.1 on port 514:

```json
"Server": {
    (...)
    "Loggers": [
        {
            "Name": "syslog",
            "Server": "127.0.0.1:514",
            "Protocol": "udp",
            "Format": "rfc5424",
            "Tag": "opensnitchd"
        }
    ]
},
```

- Restart OpenSnitch:

```
# service opensnitch restart
```
- Execute `docker ps` and verify that nginx, grafana, promtail, syslog-ng and loki are running.
- Open a web browser and open 127.0.0.1:3000. Login with admin:admin.
- Go to Configuration -> Data Sources -> click on Test, and verify that the message "Data source is connected and labels found" appears.
- Go to Explore -> select Loki in the combo box and expand the "Log browser" dropdown box. There should be a label named "opensnitch".
- Click on it, and execute the query to list the events collected.

The zip file contains a `dashboard.json`. Hover the mouse over the + icon, click on Import and paste the content of the file. Then you can open the dashboard and monitor the events.
Example: Elastic stack

- Unzip this file: opensnitch-elasticstack-siem.zip
  The setup is based on the following example, so all the commands to set it up apply: https://github.com/grafana/loki/tree/main/examples/getting-started
  Note: the example is modified to use version 8.7.1 instead of 5.4. To review the changes, execute `git diff .` from that directory.
  Docs: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-tcp.html and https://www.elastic.co/guide/en/logstash/current/plugins-inputs-udp.html
- Enter the directory where the `docker-compose.yml` is and execute:

```
# docker-compose up -d
Recreating docker-elk-elasticsearch_logstash_1 ...
Recreating docker-elk-elasticsearch_logstash_1 ... done
Recreating docker-elk-syslog_logstash_1 ...
Recreating docker-elk-syslog_logstash_1 ... done
Recreating docker-elk-kibana_logstash_1 ...
Recreating docker-elk-kibana_logstash_1 ... done
```
- Add the logger configuration as explained above to send events to 127.0.0.1 on port 3333:

```json
"Server": {
    (...)
    "Loggers": [
        {
            "Name": "remote",
            "Server": "127.0.0.1:3333",
            "Protocol": "tcp",
            "Format": "json",
            "Tag": "opensnitchd"
        }
    ]
},
```

- Restart OpenSnitch:

```
# service opensnitch restart
```
- Execute `docker ps` and verify that elasticsearch, logstash and kibana are running. If everything went fine, Logstash should be receiving events like this one (`docker logs -f -n 100 <container id>`):

```
{
    "@timestamp" => 2023-07-19T13:49:54.546806822Z,
      "document" => {
          "Type" => 0,
          "Rule" => "000-allow-domains",
        "Action" => "allow",
         "Event" => {
                "protocol" => "udp",
                  "dst_ip" => "9.9.9.9",
            "process_args" => [
                [0] "/usr/bin/firefox-esr"
            ],
            (...)
}
```
- Open a web browser and head to 127.0.0.1:5601.
- You'll need to create a Data View with a pattern that matches a Data Stream, for example `logs-*`.
- Click on the left Menu -> Analytics -> Discover to view the collected events.
- To create a dashboard to visualize the data, go to Analytics -> Dashboard -> Create Dashboard.
Notes
- Configure a data retention policy to reduce the size of the DB: Management -> Data -> Index Lifecycle Policies -> Delete phase
- Verify that the TCP ports 3333 and 9200 are open:

```
~ $ ss -lptn | grep -E "(3333|9200)"
tcp   LISTEN 0      1024   [::ffff:127.0.0.1]:3333   *:*   users:(("java",pid=3712866,fd=107))
tcp   LISTEN 0      4096   *:9200                    *:*   users:(("java",pid=3712294,fd=412))
```

  You should be able to connect:

```
~ $ telnet 127.0.0.1 3333
```

- If it's not open, analyze the Logstash and Elasticsearch container logs:

```
~ $ docker logs -f -n 100 ec4e3b0t7d87
```

  There should be a log line like this one in Logstash:

```
[2023-07-19T13:40:11,945][INFO ][logstash.inputs.tcp ][main][cbc1d83a3460288f8b2c2a0399fe2b85eab0199a0a58318f75a4f931f9175f9e] Starting tcp input listener {:address=>"127.0.0.1:3333", :ssl_enable=>false}
```

  Also review the `elasticsearch/data/` directory permissions, and be sure that the user that started the container can write there.
- If you cannot connect to ports 3333 / 9200, disable OpenSnitch's System firewall from the GUI, or set `Enable` to `false` in `/etc/opensnitchd/system-fw.json` and try again.