Difference between revisions of "KHIKA App for Sophos Firewall"

From khika
Jump to navigation Jump to search
(How to get your Sophos Firewall into KHIKA ?)
(How to Install the KHIKA App for Sophos Firewall?)
 
(28 intermediate revisions by the same user not shown)
Line 8: Line 8:
  
 
== Enabling Syslog forwarding on the device ==
 
== Enabling Syslog forwarding on the device ==
For help with enabling syslog forwarding on device click [[Getting Data into KHIKA#Enabling syslog forwarding on the device|here]]
+
Please refer the following steps for enabling syslogs on your sophos firewall device.
 +
 
 +
    1. Login into firewall UI using admin credential.
 +
    2. Go to "System Services" from the left menu.
 +
    3. Click on "Log Settings" tab.
 +
    4. Click on "Add" button
 +
[[File:Syslog_forword_sophos_1.jpg|1000px]]</br>
 +
 
 +
    5. Enter the detail info
 +
      Name : <khika_server>
 +
      IP Address / Domain : <khika_aggregator_ip>
 +
      Port : 514
 +
      Facility : LOCAL1
 +
      Severity Level : Information
 +
      Format : Device Standard Format
 +
[[File:Syslog_forword_sophos_8.jpg|1000px]]</br>
 +
    6. Go to "Log Settings" section. And checked for the required log types.
 +
[[File:Syslog_forword_sophos_4.jpg|1000px]]</br>
 +
    7. Click on "Apply" button. below pop-up appears.
 +
[[File:Syslog_forword_sophos_6.jpg|1000px]]
 +
 
 +
== Verifying SYSLOG data collection ==
 +
 
 +
After you enable the syslog forwarding on the end device, you must verify if the logs are being really received by KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on KHIKA Data Aggregator.
  
 
== How to Install the KHIKA App for Sophos Firewall? ==
 
== How to Install the KHIKA App for Sophos Firewall? ==
Line 34: Line 57:
 
Similarly you can select contents from Alerts and Dashboards.  
 
Similarly you can select contents from Alerts and Dashboards.  
  
[[KHIKA Reports|What are KHIKA Reports]]
+
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.
[[KHIKA Dashboards|What are KHIKA Dashboards]]
 
[[KHIKA Alerts|What are KHIKA Alerts]]
 
  
 
Click “OK” to proceed with the installation of the selected Application.  
 
Click “OK” to proceed with the installation of the selected Application.  
Line 44: Line 65:
  
 
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.
 
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.
 
== How to get your Sophos Firewall into KHIKA ? ==
 
 
KHIKA recommends, popular syslog forwarding to monitor the Sophos Firewall.
 
You must configure the network device (or the end node) to send its logs to KHIKA Data Aggregator by providing IP address of Data Aggregator and port 514 so that the device can send its logs to KHIKA syslog service. (Please refer the documentation of individual device/vendor/OEM to understand how to configure remote syslogging for the device. Many vendors support web based configuration these days and some vendors support command based configurations)<br>
 
Reference:- Please refer the [https://community.sophos.com/kb/en-us/123184| link explaining syslog forwarding on Sophos XG firewall]
 
  
 
== Adding the device in the Adaptor ==
 
== Adding the device in the Adaptor ==
For help to adding a device in the adapter click [[Getting Data into KHIKA#Adding device details in the Adaptor|here]].
+
After syslogs are enabled on the device and the App is installed into KHIKA, it is the time to add the device to the this App (in Adapter section of KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].
 +
After making these configuration in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace and in Workspace tab of configure menu press the Apply button as shown in the screenshot below.
  
== Verifying SYSLOG data collection ==
+
[[File:Syslog_forword_sophos_7.jpg|1000px]]
 
+
== How to check the output of KHIKA Sophos Firewall App ? ==
For help to verifying syslog data collection click [[Getting Data into KHIKA#Verifying syslog data collection|here]].
 
  
== How to check the output of KHIKA Sophos Firewall App ? ==
+
===Discovering the logs of Sophos Firewall===
 +
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-sophos_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.
  
 
=== Sophos Firewall Malicious Communication Dashboard===
 
=== Sophos Firewall Malicious Communication Dashboard===
  
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard focuses on the malicious communications in the Sophos Firewall(which are added into KHIKA). Details like KHIKA shares community based threat intelligence and detect bad IP's, Those bad Source IP/Destination IP communication with internal IP which is shown in an analytical fashion.
+
Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard focuses on the malicious communications in the Sophos Firewall(which are added into KHIKA). Details like KHIKA shares community based threat intelligence and detect bad IP's, Those bad Source IP/Destination IP communicate with internal IP which is shown in an analytical fashion.
 
You can filter and search for information and create new ones too. For help with Dashboards, click [[KHIKA Dashboards|here]]
 
You can filter and search for information and create new ones too. For help with Dashboards, click [[KHIKA Dashboards|here]]
  
Line 78: Line 94:
 
|Malicious IP wise status
 
|Malicious IP wise status
 
|X axis : all the Malicious IP addresses which communicate with device <br/>
 
|X axis : all the Malicious IP addresses which communicate with device <br/>
Y axis : stacked in each bar (Status) status of the connection. Example allow, deny, accepted, etc. and count of events occurred.
+
Y axis : stacked of the status of connection. Example allow, deny, accepted, etc. and count of events occurred.
 
|-
 
|-
 
|Contribution of User
 
|Contribution of User
Line 84: Line 100:
 
|-
 
|-
 
|Contribution of Status
 
|Contribution of Status
|Contribution of the status of the connection. Example allow, deny, accepted, etc
+
|Contribution of the status of connection. Example allow, deny, accepted, etc
 
|-
 
|-
 
|Source IP wise status
 
|Source IP wise status
 
|X axis : all the Source IP addresses which initiate the connection <br/>
 
|X axis : all the Source IP addresses which initiate the connection <br/>
Y axis : stacked in each bar (Status) status of connection and count of events occurred.
+
Y axis : stacked of the status of connection and count of events occurred.
 
|-
 
|-
 
|Destination IP wise status
 
|Destination IP wise status
 
|X axis : all the Destination IP addresses which communicate to malicious IP<br/>
 
|X axis : all the Destination IP addresses which communicate to malicious IP<br/>
Y axis : stacked in each bar (Status) status of connection and count of events occurred.
+
Y axis : stacked of the status of connection and count of events occurred.
 
|-
 
|-
 
|Summary Table
 
|Summary Table
Line 126: Line 142:
 
|User wise status bar chart
 
|User wise status bar chart
 
|X axis : user name <br/>
 
|X axis : user name <br/>
Y axis : stacked in each bar (status) the status of login/configuration changed and count of events occurred.
+
Y axis : stacked of the status of login/configuration changed and count of events occurred.
 
|-
 
|-
 
|Summary Table
 
|Summary Table
Line 135: Line 151:
 
==== A suggestion for useful interaction with this dashboard could be : ====
 
==== A suggestion for useful interaction with this dashboard could be : ====
  
#Examine the time trend, for a higher number of events. Rest of the dashboard also gets filtered and we can isolate – all the source IP's where admin users are logged in from "Contribution of Source IP" pie chart and Users and status of executed action in next bar chart. Details of all activities in the selected time range can be seen in the summary table.
+
#Examine the time trend, for a higher number of events. Rest of the dashboard also gets filtered and we can isolate – all the source IP's where admin users are logged in from "Contribution of Source IP" pie chart and Users, the status of executed action in next bar chart. Details of all activities in the selected time range can be seen in the summary table.
  
 
=== Sophos Firewall Login Activities Dashboard ===
 
=== Sophos Firewall Login Activities Dashboard ===
Line 158: Line 174:
 
|User name wise status
 
|User name wise status
 
|X axis : user name<br/>
 
|X axis : user name<br/>
Y axis : stacked in each bar (status) the status of login/configuration changed and the count of events occurred.
+
Y axis : stacked of the status of login/configuration changed and the count of events occurred.
 
|-
 
|-
 
|Contribution of status
 
|Contribution of status
|successful and failed authentication status
+
|successful/failed authentication status
 
|-
 
|-
 
|Contribution of Group Name
 
|Contribution of Group Name
Line 168: Line 184:
 
|Source IP wise status
 
|Source IP wise status
 
|X axis : Source IP<br/>
 
|X axis : Source IP<br/>
Y Axis : stacked within each bar (status) the count of successful/failed events for various IP address
+
Y Axis : stacked of the count of successful/failed events for various IP address
 
|-
 
|-
 
|Summary Table
 
|Summary Table
Line 177: Line 193:
 
==== Some suggestions for useful interaction with this dashboard could be : ====
 
==== Some suggestions for useful interaction with this dashboard could be : ====
  
#Click on User Group in the “Contribution of Group Name” pie chart. The rest of the dashboard gets filtered and shows only detail information about selected "User Group" events. So we can isolate - Users are available in selected User Group and their login status in User name wise status chart.also in "Source IP wise status" chart we can see source IP's where users are logged in.
+
#Click on User Group in the “Contribution of Group Name” pie chart. The rest of the dashboard gets filtered and shows only detail information about selected "User Group" events. So we can isolate - Users are available in selected User Group and their login status in "User name wise status" bar chart.Also in "Source IP wise status" chart we can see source IP's where users are logged in.
  
 
=== Sophos Firewall VPN activity Dashboard ===
 
=== Sophos Firewall VPN activity Dashboard ===
Line 197: Line 213:
 
|-
 
|-
 
|Contribution of VPN Users  
 
|Contribution of VPN Users  
|contribution of the VPN users which are login using VPN
+
|contribution of the VPN users which are logged using VPN
 
|-
 
|-
 
|Contribution of Status
 
|Contribution of Status
Line 217: Line 233:
 
==== Some suggestions for useful interaction with this dashboard could be : ====
 
==== Some suggestions for useful interaction with this dashboard could be : ====
  
#Click on a particular user in the “Contribution of VPN User” pie. You can monitor all the activities of this VPN user.
+
#Click on a particular user in the “Contribution of VPN User” pie chart. You can monitor all the activities of this VPN user.
#Alternately, Examine the time trend, for highest bandwidth consumption. Rest of the dashboard also gets filtered and we can isolate – all the source IP's where VPN users are logged and Destination IP(VPN user access this server) from bar chart and which Users used more bandwidth and status of connection in the pie chart. Details of all VPN connections in the selected time range filter can be seen in the summary table.
+
#Alternately, Examine the time trend, for highest bandwidth consumption. Rest of the dashboard also gets filtered and we can isolate – all the source IP's where VPN users are logged in and Destination IP(VPN user access this server) from bar chart and which Users used more bandwidth, also the status of connection in the pie chart. Details of all VPN connections in the selected time range filter can be seen in the summary table.
 
 
  
 
=== Sophos Firewall Alerts ===
 
=== Sophos Firewall Alerts ===
  
  
Alerts are generated when certain critical behavior is observed in the system real-time and notified on the Alerts Dashboard in KHIKA as well as can be received an email to relevant stakeholders. The details of KHIKA Alerts are mentioned here
+
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Fortigate firewall.
Click on “Alert Dashboard” on the left menu.
 
 
 
Certain alerts for Sophos Firewall are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :
 
  
 
==== Alerts Description ====
 
==== Alerts Description ====
Line 239: Line 251:
 
|-
 
|-
 
|Sophos firewall host scan attack
 
|Sophos firewall host scan attack
|This is triggered when more than 10 connections happened from the same Source and Destination IP using different destination port, within one minute
+
|This alert is triggered when more than 10 connections happened from the same Source IP and Destination IP using different destination port, within one minute
 
|An attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/>
 
|An attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/>
 
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br/><br/>
 
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br/><br/>
 
|-
 
|-
 
|Sophos firewall sweep scan attack
 
|Sophos firewall sweep scan attack
|This alert is triggered when more than 10 connections happened from the same source IP to various Destination IP's, within one minute
+
|This alert is triggered when more than 10 connections happened from the same source IP to various Destination IP's, within one minute. This IP address need not be malicious as per KHIKA threat intelligence.
 
|An attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/><br/>
 
|An attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/><br/>
 
Unless it is a known and legitimate IP address performing scan, it is important to block this IP. You may white list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br/><br/>
 
Unless it is a known and legitimate IP address performing scan, it is important to block this IP. You may white list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br/><br/>
 
|-
 
|-
 
|Sophos firewall backdoor traffic detected
 
|Sophos firewall backdoor traffic detected
|This alert is triggered when connection happened using vulnerable Destination ports like 3127,3198,6129,7080, within one minute
+
|This alert is triggered when connection happens on uncommon and vulnerable Destination ports like 3127,3198,6129,7080
 
|This event indicates that a traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080). Typically, these ports are used by attacker to exploit vulnerable programs listening on these ports. <br/><br/>
 
|This event indicates that a traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080). Typically, these ports are used by attacker to exploit vulnerable programs listening on these ports. <br/><br/>
 
Check is these ports are open and on what servers. Do you really need these ports opened?<br/>
 
Check is these ports are open and on what servers. Do you really need these ports opened?<br/>
Line 258: Line 270:
 
|-
 
|-
 
|Sophos firewall host scan activity by malicious ip
 
|Sophos firewall host scan activity by malicious ip
|This is triggered when more than 10 connections happened from the same malicious IP using different destination port, within one minute
+
|This alert is triggered when more than 10 connection attempts happen from the same malicious IP using different destination port targeting a single destination host, within one minute
 
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP address at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/><br/>
 
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP address at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/><br/>
 
It is important to check the reputation of the external ip address and block the same if necessary.<br/><br/>
 
It is important to check the reputation of the external ip address and block the same if necessary.<br/><br/>
 
|-
 
|-
 
|Sophos firewall successful host scan activity by malicious ip
 
|Sophos firewall successful host scan activity by malicious ip
|Alert triggered when more than 10 connections happened from same malicious IP and status is deny followed by a successful login status using different destination port, within one minute
+
|This alert is triggered when more than 10 connections happened from the same malicious IP and status is deny followed by a successful login status using different destination port, within one minute.
 
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports <br/><br/>
 
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports <br/><br/>
 
It is important to check the reputation of the external ip address and block the same if necessary.<br/>
 
It is important to check the reputation of the external ip address and block the same if necessary.<br/>
Line 269: Line 281:
 
|-
 
|-
 
|Sophos firewall successful host scan activity
 
|Sophos firewall successful host scan activity
|This alert is triggered when more than 10 connections happened from the same Source and Destination IP and status is deny followed by successful login status using different destination port, within one minute
+
|This alert is triggered when more than 10 connections happened from the same Source and Destination IP and status is deny followed by a successful login status using different destination port, within one minute.
 
|Attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports <br/><br/>It is important to check the reputation of the suspected ip address. <br/>If the suspected ip address is external, you may consider blocking it.<br/>If the suspected ip address is internal, you may need to verify the sanity of the corresponding device<br/>It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occured during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br/>
 
|Attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports <br/><br/>It is important to check the reputation of the suspected ip address. <br/>If the suspected ip address is external, you may consider blocking it.<br/>If the suspected ip address is internal, you may need to verify the sanity of the corresponding device<br/>It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occured during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br/>
 
This may be a false positive.<br/><br/>
 
This may be a false positive.<br/><br/>
 
|-
 
|-
 
|Sophos firewall communication with possible IOC or bad IP
 
|Sophos firewall communication with possible IOC or bad IP
|This alert is triggered when suspicious IP communicates with internal IP
+
|This alert is triggered when a suspicious IP is communicating with internal IP
 
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.<br/><br/>
 
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.<br/><br/>
 
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br/>
 
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br/>
Line 283: Line 295:
 
|-
 
|-
 
|Sophos firewall large data sent outside
 
|Sophos firewall large data sent outside
|Alert triggered when large data is sent to the external IP Address.
+
|This alert is triggered when large data is sent to the external IP Address.
 
|Large amount of data being sent to an external network could be an indication of data exfiltration.<br/>
 
|Large amount of data being sent to an external network could be an indication of data exfiltration.<br/>
 
Check with the user or process which is responsible for the data being sent out and whether it was done for legitimate business reasons. This could be a false positive.<br/><br/>
 
Check with the user or process which is responsible for the data being sent out and whether it was done for legitimate business reasons. This could be a false positive.<br/><br/>
 
|-
 
|-
 
|Sophos firewall sweep scan attack by malicious ip
 
|Sophos firewall sweep scan attack by malicious ip
|This alert is triggered when more than 10 connections happened from the same malicious IP using different Destination IP's, within one minute
+
|This alert is triggered when more than 10 connection attempts happen from the same malicious IP targeting different Destination IP's, within one minute
 
|Bad ip addresses tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/><br/>
 
|Bad ip addresses tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.<br/><br/>
 
It is important to check the reputation of the external ip address and block the same if necessary.
 
It is important to check the reputation of the external ip address and block the same if necessary.
 
|-
 
|-
 
|Sophos firewall successful sweep scan activity
 
|Sophos firewall successful sweep scan activity
|This alert is triggered when more than 10 connections happened from the same Source and Destination IP and status is deny followed by successful login status using different Destination IP, within one minute
+
|This alert is triggered when more than 10 connection attempts happen from the same Source IP and status is 'deny' followed by a successful connection with status 'accept/allow' where Destination IPs are unique and all appening within one minute.
 
|Attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on one of ip addresses <br/><br/>
 
|Attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on one of ip addresses <br/><br/>
 
It is important to check the reputation of the suspected ip address.<br/>
 
It is important to check the reputation of the suspected ip address.<br/>
Line 301: Line 313:
 
|-
 
|-
 
|Sophos firewall successful sweep scan activity by malicious ip
 
|Sophos firewall successful sweep scan activity by malicious ip
|Alert triggered when more than 10 connections happened from same malicious IP and status is deny followed by a successful login status using different Destination IP, within one minute
+
|This alert is triggered when more than 10 connection attempts happen from same 'malicious IP' and status is 'deny', followed by a successful connection where status is 'accept'. This all has to happen on unique Destination IPs, within one minute
 
|Bad ip address tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker finds open port on one of ip addresses and is able to establish a connection.<br/><br/>It is important to check the reputation of the external ip address and block the same if necessary.<br/>It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br/><br/>
 
|Bad ip address tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker finds open port on one of ip addresses and is able to establish a connection.<br/><br/>It is important to check the reputation of the external ip address and block the same if necessary.<br/>It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br/><br/>
 
|}
 
|}

Latest revision as of 14:06, 28 June 2019

Introduction

Most of the network devices, such as firewalls, switches, routers, web proxies etc send the traffic and user activity related information in the form of logs over syslog protocol. Some applications such as Oracle database server, Symantec antivirus server, EMC SAN Storage etc also support syslog protocol as syslog is very efficient and simple to integrate with. KHIKA Data Aggregator is pre-configured with syslog services on port 514. The key parts to get here are :

  1. Enabling Syslog forwarding on the device
  2. Install the KHIKA App for Sophos Firewall
  3. Get data from your Sophos_Firewall into KHIKA Aggregator

Enabling Syslog forwarding on the device

Please refer the following steps for enabling syslogs on your sophos firewall device.

   1. Login into firewall UI using admin credential.
   2. Go to "System Services" from the left menu.
   3. Click on "Log Settings" tab.
   4. Click on "Add" button

Syslog forword sophos 1.jpg

   5. Enter the detail info
      Name : <khika_server>
      IP Address / Domain : <khika_aggregator_ip>
      Port : 514
      Facility : LOCAL1
      Severity Level : Information
      Format : Device Standard Format

Syslog forword sophos 8.jpg

   6. Go to "Log Settings" section. And checked for the required log types.

Syslog forword sophos 4.jpg

   7. Click on "Apply" button. below pop-up appears.

Syslog forword sophos 6.jpg

Verifying SYSLOG data collection

After you enable the syslog forwarding on the end device, you must verify if the logs are being really received by KHIKA Data Aggregator. Please refer here to understand how to verify syslogs on KHIKA Data Aggregator.

How to Install the KHIKA App for Sophos Firewall?

It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read how to configure KHIKA Data Aggregator and perform the pre-requisite steps.

This section explains how to pick and install the KHIKA application for Sophos Firewall. Installing the application shall put together and activate the adapter (parser) that can handle Sophos Firewall data format, the dashboards, and the alert rules preconfigured.

Go to the “Applications” tab in the “Configure” menu.

Application index.JPG

Check whether the appropriate Workspace is selected. Note: Application is always loaded in a Workspace. Read the section KHIKA Workspaces to know more about KHIKA Workspaces. Also select your KHIKA aggregator name in the Node dropdown. This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.

Sophos app.jpg

Click on the “+” button. A pop up appears.

Sophos install popup.jpg

User can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. Similarly you can select contents from Alerts and Dashboards.

Visit the sections on KHIKA Reports, KHIKA Dashboards, KHIKA Alerts & Correlations to know more about these topics.

Click “OK” to proceed with the installation of the selected Application. After successful installation, following status should be displayed :

Successful sophos install.jpg

This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.

Adding the device in the Adaptor

After syslogs are enabled on the device and the App is installed into KHIKA, it is the time to add the device to the this App (in Adapter section of KHIKA Web GUI). Please refer here to know how to add the device to an App. After making these configuration in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace and in Workspace tab of configure menu press the Apply button as shown in the screenshot below.

Syslog forword sophos 7.jpg

How to check the output of KHIKA Sophos Firewall App ?

Discovering the logs of Sophos Firewall

After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-sophos_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.

Sophos Firewall Malicious Communication Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard focuses on the malicious communications in the Sophos Firewall(which are added into KHIKA). Details like KHIKA shares community based threat intelligence and detect bad IP's, Those bad Source IP/Destination IP communicate with internal IP which is shown in an analytical fashion. You can filter and search for information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Sophos Firewall Malicious Communication" Dashboard
Visualization Description
Daily Trend Trend of malicious communication over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Malicious IP wise status X axis : all the Malicious IP addresses which communicate with device

Y axis : stacked of the status of connection. Example allow, deny, accepted, etc. and count of events occurred.

Contribution of User Contribution of Users which communicate with malicious IP.
Contribution of Status Contribution of the status of connection. Example allow, deny, accepted, etc
Source IP wise status X axis : all the Source IP addresses which initiate the connection

Y axis : stacked of the status of connection and count of events occurred.

Destination IP wise status X axis : all the Destination IP addresses which communicate to malicious IP

Y axis : stacked of the status of connection and count of events occurred.

Summary Table Detailed data with timestamp and count

Suggestion for useful interaction with this dashboard could be :

  1. Click on the highest communicated malicious IP in the "Malicious IP wise status" bar chart. This gets selected and a filter for selected malicious IP is applied across the rest of the dashboard. The next two pie charts shall show then, the "user" which communicates with this IP and "status" of the connection. In the next two bar shall show Source IP and Destination IP for selected malicious communication. Details of selected malicious IP can be seen in the summary table. How to remove this filter is explained here
  2. Examine the time trend, for a higher number of malicious communication events. Rest of the dashboard also gets filtered and we can isolate – all the source IPs and Destination IPs which initiate a malicious communication in bar charts and all malicious IPs and connections status of communication for the selected time range. Details of all activities in the selected time range can be seen in the summary table.

Sophos Firewall Admin Activities Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard focuses on the login activity of admin users in the Sophos Firewall. Details like which user logged in how many times, authentication information, Configuration changes, etc. are shown in an analytical fashion. You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Sophos Firewall Admin Activities" Dashboard
Visualization Description
Daily Trend Trend of login events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Contribution of Source IP Contribution of Source IP Address where admin user logged in.
User wise status bar chart X axis : user name

Y axis : stacked of the status of login/configuration changed and count of events occurred.

Summary Table Detailed data with timestamp and count

A suggestion for useful interaction with this dashboard could be :

  1. Examine the time trend, for a higher number of events. Rest of the dashboard also gets filtered and we can isolate – all the source IP's where admin users are logged in from "Contribution of Source IP" pie chart and Users, the status of executed action in next bar chart. Details of all activities in the selected time range can be seen in the summary table.

Sophos Firewall Login Activities Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This dashboard focuses on the login activity of all users in the Sophos Firewall. Details like which user logged in how many times, authentication information, etc. is shown in an analytical fashion.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Sophos Firewall Login Activities" Dashboard
Visualization Description
Daily Trend Trend of login events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
User name wise status X axis : user name

Y axis : stacked of the status of login/configuration changed and the count of events occurred.

Contribution of status successful/failed authentication status
Contribution of Group Name Contribution of the user group. every user belongs to one or many user groups.
Source IP wise status X axis : Source IP

Y Axis : stacked of the count of successful/failed events for various IP address

Summary Table Detailed data with timestamp and count

Some suggestions for useful interaction with this dashboard could be :

  1. Click on User Group in the “Contribution of Group Name” pie chart. The rest of the dashboard gets filtered and shows only detail information about selected "User Group" events. So we can isolate - Users are available in selected User Group and their login status in "User name wise status" bar chart.Also in "Source IP wise status" chart we can see source IP's where users are logged in.

Sophos Firewall VPN activity Dashboard

Go to "Dashboards" from the left menu. From the list of in-built dashboards, select this one. It shall open the Dashboard. This report summarizes Sophos Firewall VPN activity details. it shows bandwidth utilization, accessed server by VPN users, etc.

You can filter and search information and create new ones too. For help with Dashboards, click here

Elements in the Dashboard are explained below :

Elements in "Sophos Firewall VPN activity" Dashboard
Visualization Description
Daily Trend Trend of VPN login events over time. Useful to identify unusual spikes at a glance.

X axis : date & time
Y axis : count of events
Contribution of VPN Users contribution of the VPN users which are logged using VPN
Contribution of Status contribution of allow/deny status of VPN connection.
Source IP wise hits X axis : Top 10 Source IP where users have logged in using VPN

Y axis : Number of hits from Source IP

Hostname wise User X axis : Top 10 Destination IP IP where users have logged in using VPN

Y axis : Number of hits from Destination IP

Summary Table Detailed data with timestamp and count

Some suggestions for useful interaction with this dashboard could be :

  1. Click on a particular user in the “Contribution of VPN User” pie chart. You can monitor all the activities of this VPN user.
  2. Alternately, Examine the time trend, for highest bandwidth consumption. Rest of the dashboard also gets filtered and we can isolate – all the source IP's where VPN users are logged in and Destination IP(VPN user access this server) from bar chart and which Users used more bandwidth, also the status of connection in the pie chart. Details of all VPN connections in the selected time range filter can be seen in the summary table.

Sophos Firewall Alerts

Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Fortigate firewall.

Alerts Description

Alert Details Table
Alert Name Description Suggested Resolution
Sophos firewall host scan attack This alert is triggered when more than 10 connections happened from the same Source IP and Destination IP using different destination port, within one minute An attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.

Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.

Sophos firewall sweep scan attack This alert is triggered when more than 10 connections happened from the same source IP to various Destination IP's, within one minute. This IP address need not be malicious as per KHIKA threat intelligence. An attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.

Unless it is a known and legitimate IP address performing scan, it is important to block this IP. You may white list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.

Sophos firewall backdoor traffic detected This alert is triggered when connection happens on uncommon and vulnerable Destination ports like 3127,3198,6129,7080 This event indicates that a traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080). Typically, these ports are used by attacker to exploit vulnerable programs listening on these ports.

Check is these ports are open and on what servers. Do you really need these ports opened?
Check what programs are running on these ports. Check vulnerability reports of the applications
Block these ports for external traffic, unless mandatory to keep them opened.
If you have to keep any of these ports opened, try to restrict the access to legitimate IPs.
If you get a suspicious IP repetitively trying to access these port, block the IP. Check the reputation of the IP on popular website such as ipvoid.com, virustotal.com etc.

Sophos firewall host scan activity by malicious ip This alert is triggered when more than 10 connection attempts happen from the same malicious IP using different destination port targeting a single destination host, within one minute Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP address at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.

It is important to check the reputation of the external ip address and block the same if necessary.

Sophos firewall successful host scan activity by malicious ip This alert is triggered when more than 10 connections happened from the same malicious IP and status is deny followed by a successful login status using different destination port, within one minute. Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports

It is important to check the reputation of the external ip address and block the same if necessary.
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.

Sophos firewall successful host scan activity This alert is triggered when more than 10 connections happened from the same Source and Destination IP and status is deny followed by a successful login status using different destination port, within one minute. Attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports

It is important to check the reputation of the suspected ip address.
If the suspected ip address is external, you may consider blocking it.
If the suspected ip address is internal, you may need to verify the sanity of the corresponding device
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occured during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.

This may be a false positive.

Sophos firewall communication with possible IOC or bad IP This alert is triggered when a suspicious IP is communicating with internal IP KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.

If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.
You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses.

Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.
It is critical to block this rogue communication.

Sophos firewall large data sent outside This alert is triggered when large data is sent to the external IP Address. Large amount of data being sent to an external network could be an indication of data exfiltration.

Check with the user or process which is responsible for the data being sent out and whether it was done for legitimate business reasons. This could be a false positive.

Sophos firewall sweep scan attack by malicious ip This alert is triggered when more than 10 connection attempts happen from the same malicious IP targeting different Destination IP's, within one minute Bad ip addresses tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.

It is important to check the reputation of the external ip address and block the same if necessary.

Sophos firewall successful sweep scan activity This alert is triggered when more than 10 connection attempts happen from the same Source IP and status is 'deny' followed by a successful connection with status 'accept/allow' where Destination IPs are unique and all appening within one minute. Attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on one of ip addresses

It is important to check the reputation of the suspected ip address.
If the suspected ip address is external, you may consider blocking it.
If the suspected ip address is internal, you may need to verify the sanity of the corresponding device
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.\nThis may be a false positive.

Sophos firewall successful sweep scan activity by malicious ip This alert is triggered when more than 10 connection attempts happen from same 'malicious IP' and status is 'deny', followed by a successful connection where status is 'accept'. This all has to happen on unique Destination IPs, within one minute Bad ip address tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker finds open port on one of ip addresses and is able to establish a connection.

It is important to check the reputation of the external ip address and block the same if necessary.
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.