Not able to understand Threat Intelligence plugin


(Ganeshbabu Ramamoorthy) #1

Hi All,

I installed Graylog 2.4.3 version in ubuntu and I am started understanding how the threat intelligence plugin works. I read the documentation and this plugin add the pipeline function to enrich the log messages with threat intelligence data.

As I wanted to see how this plugin identifies the threat data, so for that I have pushed some sample IIS logs to graylog using collector-sidecar.

Below is the rule I have created for the pipeline,

rule "Threat_Intelligence_Lookups"
when
    has_field("SourceAddress")
then
    let src_addr_threatintel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress");
    set_fields(src_addr_threatintel);
end

https://www.graylog.org/post/integrating-threat-intelligence-with-graylog

Also I have the read the above blog where it mentioned

The lookup will be performed on those messages that contain the fields “domain”, “src_addr”, or “dst_addr”. For each message that matches, a new field will be added to the message, “X_threat_indicated”. (X represents the name of the field we compared against)

Yes after the message got routed to the pipeline I can able to see new field is added to the message

SourceAddress_threat_indicated:false

But here I am not understand I haven’t added any lookup for the messages then how the
threat_intel_lookup_ip will able to identify the threat data and also in the documentation I couldn’t find the related informations.

Below is the screenshot reference for lookup,

It would be very helpful if someone share your thoughts on this.

Regards,
Ganeshbabu R


(Jan Doberstein) #2

depending on the configuration of the plugin (described in the blog) it will check if the service returns something for the specific lookup.

For example if the IP is in the Spamhaus no-route list or it is a tor node this will be true. It depends on the source what and how it is checked.


(Ganeshbabu Ramamoorthy) #3

Hi @jan,

Thanks for sharing your thoughts…

One more doubt…
Let’ say I have enabled service Tor exit nodes in the threat intelligence lookup configuration and I have added the below rule in the pipeline,

rule "tor_lookup"
when
    has_field("clientip")
then
    let intel = tor_lookup(to_string($message.clientip));
    set_field("src_addr_is_tor_exit_node", intel.threat_indicated);
end

I can see in Lookup tables by default it has Tor Exit Node List lookup table configured. After the messages were routed to the pipeline I always get this new field and value as false,
src_addr_is_tor_exit_node:false

Why the value is false always?
Does that mean the IP is not in the tor node list? By that means there is no threat in the data.

Please kindly share your thoughts.

Thanks,
Ganeshbabu R


(Jan Doberstein) #4

in this case false indicate that the IP is not on the list of Tornodes.


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.