work on idaholab#19, adding nonstandard port severity ranking

mmguero-dev · Sep 2, 2021 · 9e60126 · 9e60126
1 parent 8864411
commit 9e60126
Show file tree

Hide file tree

Showing 4 changed files with 251 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -1403,6 +1403,7 @@ As Zeek logs are parsed and enriched prior to indexing, a severity score up to `
 * detection of cleartext passwords
 * use of insecure or outdated protocols
 * tunneled traffic or use of VPN protocols
+* common network services communicating over non-standard ports
 * file scanning engine hits on [extracted files](#ZeekFileExtraction)
 * large connection or file transfer
     - The size (in megabytes) threshold for this condition to trigger can be adjusted by setting the `TOTAL_MEGABYTES_SEVERITY_THRESHOLD` environment variable in [`docker-compose.yml`](#DockerComposeYml).

diff --git a/logstash/maps/malcolm_severity.yaml b/logstash/maps/malcolm_severity.yaml
@@ -20,6 +20,7 @@
 "Notice (vulnerability)": 90
 "Cleartext password": 90
 "Insecure or outdated protocol": 60
+"Service on non-standard port": 40
 "Signature (capa)": 50
 "Signature (ClamAV)": 90
 "Signature": 75

diff --git a/logstash/maps/service_ports.yaml b/logstash/maps/service_ports.yaml
@@ -0,0 +1,218 @@
+ayiya:
+  - 5072
+bacnet:
+  - 47808
+bsap:
+  - 1234
+  - 1235
+cip:
+  - 1184
+  - 2222
+  - 41794
+  - 44818
+cotp:
+  - 102
+dce_rpc:
+  - 135
+  - 137
+  - 138
+  - 139
+  - 445
+dhcp:
+  - 67
+  - 68
+dnp3:
+  - 19999
+  - 20000
+  - 20001
+dns:
+  - 53
+enip:
+  - 2222
+  - 44818
+ftp:
+  - 20
+  - 21
+gquic:
+  - 80
+  - 443
+gssapi:
+  - 135
+  - 137
+  - 138
+  - 139
+  - 445
+gtp:
+  - 2123
+  - 2152
+  - 3386
+http:
+  - 80
+  - 443
+  - 8000
+  - 8080
+  - 8443
+  - 8888
+imap:
+  - 143
+  - 993
+ipsec:
+  - 500
+  - 4500
+irc:
+  - 6660
+  - 6661
+  - 6662
+  - 6663
+  - 6664
+  - 6665
+  - 6666
+  - 6667
+  - 6668
+  - 6669
+  - 7000
+krb:
+  - 88
+  - 135
+  - 137
+  - 138
+  - 139
+  - 445
+  - 464
+  - 543
+  - 749
+ldap:
+  - 389
+  - 636
+  - 1389
+  - 1636
+  - 3268
+  - 3269
+  - 10389
+  - 10636
+modbus:
+  - 502
+mqtt:
+  - 1883
+  - 8883
+mysql:
+  - 3306
+  - 6446
+  - 6447
+  - 6448
+  - 6449
+  - 13306
+  - 33060
+  - 33061
+ntlm:
+  - 135
+  - 137
+  - 138
+  - 139
+  - 445
+ntp:
+  - 123
+openvpn:
+  - 443
+  - 1193
+  - 1194
+pop3:
+  - 110
+  - 995
+profinet:
+  - 4800
+  - 4900
+  - 34962
+  - 34963
+  - 34964
+  - 49152
+profinet_dce_rpc:
+  - 4800
+  - 4900
+  - 34962
+  - 34963
+  - 34964
+  - 49152
+quic:
+  - 80
+  - 443
+radius:
+  - 1645
+  - 1646
+  - 1700
+  - 1812
+  - 1813
+  - 3799
+  - 2083
+rdp:
+  - 259
+  - 2179
+  - 3389
+rfb:
+  - 2654
+  - 5800
+  - 5801
+  - 5802
+  - 5803
+  - 5900
+  - 5901
+  - 5902
+  - 5903
+s7comm:
+  - 102
+sip:
+  - 5060
+  - 5061
+smb:
+  - 135
+  - 137
+  - 138
+  - 139
+  - 445
+smtp:
+  - 25
+  - 465
+  - 587
+  - 2525
+snmp:
+  - 161
+  - 162
+  - 10161
+  - 10162
+socks:
+  - 1080
+  - 1081
+ssh:
+  - 22
+stun:
+  - 3478
+  - 5349
+  - 19302
+syslog:
+  - 514
+  - 601
+  - 6514
+tds:
+  - 135
+  - 1433
+  - 1434
+  - 4022
+telnet:
+  - 23
+teredo:
+  - 1900
+  - 3544
+tftp:
+  - 69
+  - 247
+  - 1758
+  - 3713
+vxlan:
+  - 4789
+  - 8472
+wireguard:
+  - 51820
+xmpp:
+  - 5222
+  - 5223
+  - 5269
diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf
@@ -317,12 +317,19 @@ filter {
     # for a custom severity value it will just work. if it's not in their
     # mapping file, it'll return with a nil value and will be removed
     # in ruby_calculate_final_severity_score
+    #
+    # since we're loading the services here, we'll also take care of "services
+    # running on a non-standard port" as well
     if (!([zeek][logType] =~ /^known/)) {
       ruby {
         id => "ruby_add_field_severity_insecure_protocols"
+        init => "
+          require 'yaml'; $servicePortMap = YAML.load(File.read('/etc/service_ports.yaml'))
+        "
         code => "
           if (service = event.get('[zeek][service]')) then
-            found = 0
+            foundInsec = 0
+            foundOddPort = 0
             if !service.kind_of?(Array) then
               newsrv = Array.new
               newsrv.push(service)
@@ -334,15 +341,27 @@ filter {
               newver.push(version)
               version = newver
             end
+            if ($servicePortMap.length > 0) and
+               (dstPort = event.get('[dstPort]')) then
+              service.each do |srv|
+                if (!$servicePortMap[srv].nil?) and
+                   (service.kind_of?($servicePortMap[srv])) and
+                   ($servicePortMap[srv].length > 0) and
+                   (!$servicePortMap[srv].include?(dstPort)) then
+                  foundOddPort += 1
+                  break
+                end
+              end
+            end
             service.each do |srv|
-              if found > 0 then
+              if foundInsec > 0 then
                 break
               end
               if ['ftp', 'tftp', 'telnet', 'rlogin', 'rsh'].include?(srv) then
-                found += 1
+                foundInsec += 1
               elsif !version.nil? then
                 version.each do |ver|
-                  if found > 0 then
+                  if foundInsec > 0 then
                     break
                   end
                   if (srv.eql?('ssh') and (ver.to_f < 2.0)) or
@@ -353,7 +372,7 @@ filter {
                      (srv.eql?('snmp') and (ver.to_f < 3.0)) or
                      (srv.eql?('ldap') and (ver.to_f < 3.0)) or
                      (srv.eql?('tls') and (!(ver.match(/TLS.*v?1\.?[23]/)))) then
-                    found += 1
+                    foundInsec += 1
                   end
                 end
               end
@@ -364,9 +383,12 @@ filter {
               newtags.push(sevtags)
               sevtags = newtags
             end
-            if found > 0 then
+            if foundInsec > 0 then
               sevtags.push('Insecure or outdated protocol')
             end
+            if foundOddPort > 0 then
+              sevtags.push('Service on non-standard port')
+            end
             sevtags.push(*service.map{|x| 'PROTOCOL_' + x.upcase})
             event.set('[event][severity_tags]', sevtags)
           end"
@@ -377,7 +399,7 @@ filter {
       id => "ruby_calculate_final_severity_score"
       # pre-load severity score mapping in init outside of processing pipeline
       init => "
-        require 'yaml'; $severityMappings = YAML.load(File.read('/etc/malcolm_severity.yaml'))
+        require 'yaml'; $severityMap = YAML.load(File.read('/etc/malcolm_severity.yaml'))
       "
       # to calculate severity:
       # - look up list of severity_tags against severity score mapping (generate hash), ignoring <= 0 or missing (nil) values
@@ -390,8 +412,8 @@ filter {
           tagsarr.push(sevtags)
           sevtags = tagsarr
         end
-        if !sevtags.nil? and (sevtags.length > 0) and ($severityMappings.length > 0) then
-          sevhash = Hash[sevtags.select{|key| ($severityMappings[key].nil? ? 0 : $severityMappings[key]) > 0}.map{|key| [key, $severityMappings[key]]}]
+        if !sevtags.nil? and (sevtags.length > 0) and ($severityMap.length > 0) then
+          sevhash = Hash[sevtags.select{|key| ($severityMap[key].nil? ? 0 : $severityMap[key]) > 0}.map{|key| [key, $severityMap[key]]}]
           sevnum = sevhash.values.sum
           if (sevnum > 0) then
             sevnumNorm = [sevnum, 100].min