Passive DNS data is a good source of threat intelligence. We show in this post how to build such a database for your environment using the Bro IDS and the ELK stack. The only requirement is that your Bro sensor sees all the DNS traffic originating from your local network. You can use Brostash to deploy a Bro-based sensor.
In this blog post, the second in our series about the ELK stack, we present an introduction on how to use Logstash. By definition, Logstash is a data processing pipeline that provides the components to ingest data from a variety of sources, to transform/enrich that data and finally to send it to a data store or another processing pipeline. With its modular architecture, Logstash offers a robust framework to easily build a data processing pipeline. As a showcase, we will be using the logs generated by the Bro IDS as an input for our data processing pipeline.
ELK stands for Elasticsearch, Logstash and Kibana. It provides an open source data analytics platform covering searching/analysing, transforming/enriching and visualising data.
Brostash: a Debian-based Linux distribution that puts together the Bro IDS and Logstash.
In this post, we show how to set up a simple, small LAN Samba server. The setup is done on an OpenBSD system.
In this post, we show how to set up a simple LAN gateway running a DHCP server and a DNS forwarder. The setup is based on OpenBSD and uses DHCPD and Unbound.