Nikolay Klender

Extending ESA: command based enrichment source

Discussion created by Nikolay Klender on Mar 2, 2016

During incident response it is important to have as much as much info as possible. So it will be very useful to have enrichment source for alert which receive some meta from related event as parameter next perform command execution and add result of the command to alert. For example: right after we registered network scanning from local network, we perform nslookup, get process list from the host (in this case we should implement some module which must be placed on windows based machine). In case we have a login we can go to LDAP and get more info about login.

To implement such functionality we can use awesome esper capability: virtual data windows http://www.espertech.com/esper/release-5.3.0/esper-reference/html/extension.html#extension-virtualdw

To use my command based enrichment source please do following steps:

1) upload attached jar file somewhere on ESA server (in my case /opt/uib/lib/my_vdw.jar)

2) add following lines to /opt/rsa/esa/conf/esper-config.xml

<plugin-virtualdw namespace="myvdw" name="cmdvdw" factory-class="vdw.cmd.CmdFactory"/>

3) add jar to /opt/rsa/esa/conf/wrapper.conf to load it with esa engine

wrapper.java.classpath.169=/opt/uib/lib/my_vdw.jar (please change bold number)

4) restart esa service:

service rsa-esa restart

5) create in memory enrichment source in expert mode:

CMDwindowSetup.png

6) add new enrichment to alert rule. In my case I created simple rule for ciscoasa source. Important thing is that Enrichment Source Column Name must be 'arg' because it is hardcoded (look at source code)

CMD_rule.png

7) test new rule, in my case just ping remote host and look at result (it is old screen shot so you see MySampleWindow instead of Command:

nslookup.png

8) analyze attached jar with JAD, create and share your extensions!

Attachments

Outcomes