
ATI Configuration Guide 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 8 min read

Summary:

This script is part of a solution accelerator that draws on threat intelligence sources such as abuse.ch and SANS ISC for malware IP addresses and domains. Below is a Perl script called `ati.pl` that automates the process of scraping these malicious IPs and domains, then sending them to a Syslog SmartConnector for further analysis and response.

### Script Overview

The purpose of this script is to:

1. Scrape malicious IPs and domains from specified websites.
2. Send the collected data to a Syslog server for centralized logging and analysis.

### Script Parameters

- **Number of Malicious IPs**: Specifies how many IP addresses should be harvested (default 5,000).
- **Delay Between Requests**: Controls the time delay between requests in seconds (the default of 0.02 seconds is equivalent to about 50 CEF events per second).
- **Syslog Connector**: The address of the Syslog server for data transmission.

### Usage Example

```sh
./ati.pl --ips=1000 --delay=0.02 --syslog_server=192.168.1.1
```

### Script Content (ati.pl)

Below is a simplified version of the Perl script `ati.pl`. This script will be used to scrape data from specified websites and send it to a Syslog server.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;
use JSON;                                  # provides decode_json()
use Getopt::Long;
use Sys::Syslog qw(:standard :macros);

my $ips   = 5000;
my $delay = 0.02;
my $syslog_server;

GetOptions(
    'ips=i'           => \$ips,
    'delay=f'         => \$delay,
    'syslog_server=s' => \$syslog_server,
) or die "Usage: $0 --ips=N --delay=SECONDS --syslog_server=HOST\n";
die "--syslog_server is required\n" unless defined $syslog_server;

# Function to scrape IPs and domains from the SANS ISC website
sub scrape_malicious_data {
    my $url      = "https://isc.sans.edu/api/threatlist?limit=$ips";
    my $response = get($url);
    die "Failed to retrieve data from the SANS ISC website\n" unless defined $response;
    return decode_json($response);
}

# Function to send data to the Syslog server, one message per entry,
# pausing $delay seconds between messages to throttle the event rate
sub send_to_syslog {
    my @data = @_;
    # Route messages over UDP to the SmartConnector rather than the local logger
    setlogsock({ type => 'udp', host => $syslog_server, port => 514 });
    openlog("ati", 'ndelay,nofork', LOG_USER);
    for my $msg (@data) {
        # '%s' keeps a '%' inside scraped data from being read as a format directive
        syslog(LOG_INFO, '%s', $msg);
        select(undef, undef, undef, $delay);
    }
    closelog();
}

my $malicious_data = scrape_malicious_data();
if ($malicious_data) {
    my @syslog_messages;
    # Assumes each element of the decoded response is a plain string;
    # adapt the field access to the actual shape of the API response
    foreach (@$malicious_data) {
        push @syslog_messages, "Malicious IP: $_";
        # Add domain if applicable (placeholder value kept from the original)
        push @syslog_messages, "Malicious Domain: example.com";
    }
    send_to_syslog(@syslog_messages);
}
```

### Explanation of Script Components

1. **Command Line Arguments**: The script uses `Getopt::Long` to parse command line arguments for:
   - Number of IPs (`--ips`).
   - Delay between requests (`--delay`).
   - Syslog server address (`--syslog_server`).
2. **Scraping Data**: The script scrapes data from the SANS ISC threat list API using `LWP::Simple`. It retrieves a JSON response and processes it to extract IP addresses and domains.
3. **Syslog Communication**: The script sends the collected data to a Syslog server using `Sys::Syslog`. Each IP address and domain is logged as an informational message.
4. **Delay Between Requests**: A delay between events is implemented using Perl's four-argument `select`, which pauses execution for the specified number of seconds after each syslog message.

### Usage Instructions

1. Save the script as `ati.pl`.
2. Make the script executable:

   ```sh
   chmod +x ati.pl
   ```

3. Run the script with appropriate parameters:

   ```sh
   ./ati.pl --ips=1000 --delay=0.02 --syslog_server=192.168.1.1
   ```

### Conclusion

This Perl script, `ati.pl`, is a valuable tool for threat intelligence gathering and network defense, enabling organizations to proactively detect and respond to malicious activities by scraping data from SANS ISC and sending it to a Syslog server for centralized analysis.

Details:

ArcSight Threat Intelligence Solution Accelerator is a software tool designed to enhance security by providing threat intelligence data for use in detecting and responding to potential cyber threats. It works with versions 4.5 sp1 and above of ArcSight ESM (Enterprise Security Manager). The solution includes components such as rules, dashboards, and more, which are intended to improve the detection and analysis capabilities of security operations teams. The software provides a set of terms & conditions that users must agree to in order to use the tool.

Before installation, certain prerequisites must be met, including having the correct version of ArcSight ESM installed and sufficient disk space. The solution accelerator includes content packages that can be installed directly onto the ArcSight platform for immediate threat detection capabilities. To install the content, users follow specific steps such as installing the package and configuring intelligence feeds like the IP/Domain Scraper to gather relevant data about threats. Once installed, users can explore an overview of the content, including rules and dashboards designed to visualize potential risks and security issues. This solution aims to provide organizations with actionable threat information that can be leveraged for improved cyber defense strategies.

The ArcSight Threat Intelligence (ATI) Solution Accelerator is designed to leverage freely available open-source threat intelligence data from the internet without requiring costly third-party subscriptions. It automatically collects threat information, which is then imported into active lists within the Enterprise Security Manager (ESM). The purpose-built content identifies network access attempts to known malicious IP addresses and URLs associated with malware, advanced persistent threats, botnets, and other potential threats. These activities are visualized through dashboards, query viewers, and rule activations.

The solution is sold without additional support under the condition that it be used "as-is." Users can reach out to the following contacts for technical issues, feature requests, or questions:

  • ARST-PSServicesEngineering@hp.com

  • Morris Hicks (703) 447-5883

  • Luke Lebeouf (408) 916 5853

All inquiries will be addressed on a best effort basis, and the solution relies on:

  • Installation of ArcSight ESM™ 4.5 sp1 or later.

  • A Syslog SmartConnector to receive threat intelligence events from the IP/Domain scraper.

  • Web access for the system running the IP/Domain scraper, which is responsible for harvesting malicious IPs and URLs from the internet and importing them into the system.

This section outlines the requirements and steps for installing and configuring the IP/Domain scraper using Perl scripts on a Windows system with Sys::Syslog module support. The scraper is designed to harvest malware IPs and domains from freely available internet sites and send this data to a Syslog SmartConnector for import into ESM (Enterprise Security Manager) active lists. Key points:

1. The script requires a Perl installation; the ActiveState version is recommended (http://www.activestate.com/activeperl/downloads).
2. It depends on the Sys::Syslog Perl module, which must be installed for proper functionality.
3. The installation consists of a configuration guide (ATIConfigurationGuide.doc), a Perl script (IP-Domain Scraper, ati.pl), and a content bundle with rules, dashboards, and query viewers for use in the ArcSight Console (ArcSight_Threat_Intelligence.arb).
4. To install the arb, log into the ArcSight Console with administrative rights, navigate to the Packages tab, import the package, and follow the on-screen prompts.
5. The solution queries the SANS Internet Storm Center and other threat intelligence sources for data.

The document also describes several initiatives by abuse.ch, an organization dedicated to enhancing cybersecurity through threat intelligence and warning services. These include the following projects and tools:

1. **Zeus Tracker**: Tracks Command & Control (C&C) servers of the ZeuS malware, providing information on malicious hosts involved in hosting ZeuS files. It helps system administrators block known ZeuS hosts to prevent infections within their networks.
2. **SpyEye Tracker**: Similar to the Zeus Tracker, this tool tracks and monitors the SpyEye C&C servers responsible for spreading the SpyEye malware. The tracker provides blocklists that can be used by ISPs, CERTs, and law enforcement agencies to identify and track malicious SpyEye C&C servers.
3. **AMaDa Malware Database**: Publishes security blogs and maintains a database of malware, contributing to the broader understanding of and response to cyber threats.
4. **Project HoneyPot**: A distributed system designed to identify spammers by monitoring their harvesting of email addresses from websites. It operates through a network of honey pots set up online.

The document also details the IP/Domain Scraper Perl script (ati.pl), which is part of the solution accelerator and draws on sources such as abuse.ch. This tool automatically gathers threat intelligence by scraping malware IPs and domains from specified websites, then sends this information to a Syslog SmartConnector for analysis and response. The script can be run with specific command line parameters:

  • Number of SANS attackers (not defined in the text but implied)

  • Delay between requests

  • Syslog server address for data transmission

This script is instrumental in real-time threat detection and network defense, supporting a proactive approach to cybersecurity. The script "ati.pl" gathers and sends threat intelligence about malicious IP addresses and domains from the SANS ISC website. It has three main parameters that control its behavior:

1. **Number of Malicious IPs**: The first parameter specifies how many malicious IP addresses should be harvested from the SANS ISC website. The recommended range is between 100 and 10,000, and the default is 5,000 entries; the number can be increased if needed.
2. **Delay Between CEF Events**: The second parameter sets the delay (in seconds) between events sent to ESM. This controls the rate at which events are sent so that ESM is not overwhelmed with threat intelligence events; the recommended value is 0.02 seconds (about 50 CEF events per second).
3. **Syslog Connector**: The third parameter specifies the IP address or hostname of the syslog connector to which CEF events are sent. This can be an external server used for centralized logging and analysis.

The script should ideally be run daily, through a cron job on Unix systems or a scheduled task on Windows, to keep the threat intelligence active lists in ESM up to date. The scheduling example shown for Windows uses crontab-like syntax: every day at 2:05 AM the script is executed with the specified parameters and its output is redirected to a log file.

In summary, "ati.pl" is a tool for continuous monitoring of malicious IP addresses and domains, using configurable parameters to manage data collection rates and destinations within an organization's security infrastructure.
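The script summary above and the parameter description here both describe CEF events throttled at the configured delay. The following added Python example (not code from the guide or from ati.pl) shows what one such event looks like: it formats an indicator as a CEF line with correct header and extension escaping, wraps it in a syslog frame, and sends one event per indicator with the delay between them. The event names, the vendor/product strings, and the CEF field keys are assumptions, since the summary does not list the exact names the import rule keys on.

```python
import re
import socket
import time
from datetime import datetime, timezone

# Assumed event names (the import rule keys on event names, but the summary does not list them)
EVENT_NAMES = {"ip": "Malware IP", "domain": "Malware Domain"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")  # rough shape check, not range-validated

def cef_header(value):
    """Escape a CEF header field: backslash and pipe are the special characters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """Escape a CEF extension value: backslash, equals sign and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))

def classify(indicator):
    return "ip" if IPV4.match(indicator) else "domain"

def to_cef(indicator, source, when=None):
    """Build one CEF:0 line; rt is epoch milliseconds as CEF expects."""
    kind = classify(indicator)
    when = when or datetime.now(timezone.utc)
    key = "dst" if kind == "ip" else "dhost"
    ext = "rt=%d %s=%s cs1Label=source cs1=%s" % (
        int(when.timestamp() * 1000), key, cef_ext(indicator), cef_ext(source))
    return "CEF:0|ATI|IP-Domain Scraper|1.0|%s|%s|5|%s" % (
        cef_header(kind), cef_header(EVENT_NAMES[kind]), ext)

def syslog_frame(cef_line):
    """Prefix the syslog PRI: <14> = facility user (1) * 8 + severity info (6)."""
    return "<14>%s" % cef_line

def udp_sender(host, port=514):
    """Return a callable that sends a frame to the Syslog SmartConnector over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda frame: sock.sendto(frame.encode("utf-8"), (host, port))

def emit(indicators, source, delay, sender):
    """Send one event per indicator, sleeping `delay` seconds between events
    (0.02 s is the guide's default, roughly 50 CEF events per second)."""
    sent = []
    for indicator in indicators:
        frame = syslog_frame(to_cef(indicator, source))
        sender(frame)
        sent.append(frame)
        time.sleep(delay)
    return sent
```

For a real run, pass `udp_sender("192.168.1.1")` as the sender; for an offline check, any callable such as `list.append` works.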
The document provides an overview and explanation of the content available in the "JumpStart/Arcsight – Global Services/Threat Intelligence" group for a solution accelerator, focusing on rules, dashboards, and other components related to threat intelligence. Key highlights include: 1. **Rules**: There are two main rules included under "Open Source Intel CIP":

  • **Malware Details Import**: This rule updates active lists with data from various open source malware lists, categorizing events into Malware Domain or Malware IP lists based on specific event names. It monitors connection attempts to entries in these active lists and stores related details for up to 7 days in an active list that is polled by multiple Query Viewers.

  • **Connection to Malware Host**: This rule detects connections to hosts listed in the "Malware Details Import" active list, storing event details in a similar active list with a 7-day Time To Live (TTL).

2. **Dashboards**: There are four dashboards within this content pack:

  • **Geographical Tracking**: Monitors connection attempts using geographical tagging and displays the results for analysis.

  • **Malware Connection Overview – Query Viewers**: Comprises multiple Query Viewers that pull information from the "Connection Details" active list, polling it every 15 minutes to display data on:

      • Top Source Zones (malware connections by zone)

      • Top Infected Hosts (top infected hosts based on malware connection initiations)

      • Top Malware Files Accessed (count of malware files accessed by filename)

      • Top Malware Destinations (count of top targeted malware destinations)

These components are designed to provide a comprehensive view of malware threats, tracking their sources, propagation paths, and impacts across various environments. The document describes a dashboard that monitors data related to connection attempts to malware hosts, providing insights into the activity of infected systems and suspicious IP addresses. It includes several features such as top accessed URLs by count, infected systems categorized by business role, top sourcing hosts initiating connections, and access locations by country. Additionally, it offers detailed reports on malware incidents over the last seven days, including counts by zone, malicious host connections, filenames of accessed malware files, and counts of connections made by infected hosts to known malicious IPs and domains. The document also outlines a comprehensive list of included resources within this package.
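To show how the two rules and the 7-day active lists fit together, here is an added Python model (not the content pack's own rule logic, which lives in ESM) of the "Malware Details Import" rule, the "Connection to Malware Host" rule, and the "Top Infected Hosts" query viewer. Event names, field keys and the sample events are assumptions constructed for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
TTL = timedelta(days=7)  # both active lists in the guide carry a 7-day TTL
# Event names and field keys below are assumptions, not the guide's exact names.

class ActiveList:
    """Minimal model of an ESM active list: an entry lives TTL after its last update."""
    def __init__(self, ttl=TTL):
        self.ttl, self.entries = ttl, {}  # key -> time of last update
    def add(self, key, now):
        self.entries[key] = now
    def live(self, now):
        """Age out expired entries, as ESM does, and return the surviving keys."""
        self.entries = {k: t for k, t in self.entries.items() if now - t <= self.ttl}
        return list(self.entries)
    def contains(self, key, now):
        return key in self.live(now)

class ThreatIntelContent:
    def __init__(self):
        self.malware_ip, self.malware_domain = ActiveList(), ActiveList()
        self.connection_details = ActiveList()
    def malware_details_import(self, event, now):
        """Rule 'Malware Details Import': route a feed event into the IP or Domain list by name."""
        if event["name"] == "Malware IP":
            self.malware_ip.add(event["dst"], now)
        elif event["name"] == "Malware Domain":
            self.malware_domain.add(event["dhost"], now)
    def connection_to_malware_host(self, event, now):
        """Rule 'Connection to Malware Host': fire on traffic to a listed host, record (src, dest)."""
        hit = (self.malware_ip.contains(event.get("dst"), now)
               or self.malware_domain.contains(event.get("dhost"), now))
        if hit:
            self.connection_details.add((event["src"], event.get("dhost") or event["dst"]), now)
        return hit
    def top_infected_hosts(self, now, n=5):
        """Query viewer 'Top Infected Hosts': live connection entries per source host."""
        return Counter(src for src, _ in self.connection_details.live(now)).most_common(n)

def demo():
    """Constructed sample: feed import on day 0, connections on day 1 and day 9."""
    c = ThreatIntelContent()
    day0 = datetime(2025, 4, 8, 2, 5)
    c.malware_details_import({"name": "Malware IP", "dst": "203.0.113.7"}, day0)
    c.malware_details_import({"name": "Malware Domain", "dhost": "bad.example"}, day0)
    day1, day9 = day0 + timedelta(days=1), day0 + timedelta(days=9)
    hits = [c.connection_to_malware_host({"src": "10.0.0.5", "dst": "203.0.113.7"}, day1),
            c.connection_to_malware_host({"src": "10.0.0.5", "dhost": "bad.example"}, day1),
            c.connection_to_malware_host({"src": "10.0.0.9", "dst": "203.0.113.7"}, day9)]
    return hits, c.top_infected_hosts(day1)  # the day-9 hit misses: the entry aged out
```

The day-9 miss is the behaviour to remember operationally: if the scraper stops running daily, the TTL silently empties the malware lists and the connection rule stops firing.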

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
