cybersecc
@cybersecc
I need to set up OAuth access to my JIRA account.
The official doc did not help a lot.
:/
trenerok
@trenerok
Could you tell me what steps you did to set this up?
cybersecc
@cybersecc
I went to JIRA applications, set up a link, then when I use this script http://cyphon.readthedocs.io/en/latest/user-manual/jira-example.html#jira-example I always get Exception: Should have no access!
I changed this
# Replace with the path to your RSA .pem file
RSA_PEM_FILEPATH = '../rsa.pem'

# Replace with your own consumer key and shared secret
CONSUMER_KEY = 'oauth-sample-consumer'
CONSUMER_SECRET = 'your-consumer-secret'

# Replace with the URL for your JIRA instance (include the end slash!)
JIRA_URL = 'http://localhost:8090/jira/'
with the RSA path, consumer key and secret, and my JIRA URL.
trenerok
@trenerok
Did you set your consumer_key and consumer secret? Did you generate the RSA key?
cybersecc
@cybersecc
Yes, I did set a random consumer_key and secret and put them in the script. I also generated an RSA key; I used the public one in the link creation and then I put the path of the private one in the script.
cybersecc
@cybersecc
@trenerok Issue resolved thanks a lot
cybersecc
@cybersecc
Now I followed the doc to configure JIRA in Cyphon. I also modified the conf.py where I put the JIRA server IP, project key, etc., but I'm getting a request timeout in Cyclops when trying to create an issue.
Sanjay Patel
@San_j_ay_twitter
hello
is Cyphon a 1:1 solution or can multiple organizations use it?
Tom Callahan
@fatalglitch
@San_j_ay_twitter can you explain a bit more on what you are asking? Cyphon provides an open license for non-commercial use
Dhruv Kalaan
@dhruvkalaan
@lhadjchikh No, my emails do not have attachments and I have configured Cyphon that way. The strange bit is it reads some emails correctly but then it just keeps passing one email in a loop.
James Fitzsimons
@jamesfitzsimons
Hi all, I'd like to be able to set a sensible session timeout in Cyphon. I'm a Django novice, but from the reading I've done so far it looks like setting SESSION_COOKIE_AGE is the standard way of managing this. However, given that Cyphon uses the REST API and SPA model, just changing SESSION_COOKIE_AGE isn't going to cut it. I've looked at the JWT_AUTH settings, but although I can set a shorter expiry on the JWT token, something in the app needs to handle the fact that it is expired and log the user out. Am I missing something, or will this require some code changes to handle? Cheers!
James Fitzsimons
@jamesfitzsimons

Another unrelated question: I believe that the whole shaping-data process (mungers, condensers, etc.) only works for data that comes into Cyphon through a chute. Is that correct? If so, how would I go about creating a chute based on a Logstash output? Is there a way to process data off a RabbitMQ queue like the watchdogs, or would that require writing an Aggregator to poll the queue?

What I am trying to achieve is to change indicator urls to something like hxxp:// instead of http:// so that analysts can't accidentally click on a malicious link.

Aagosh
@Aagosh
Hi guys. I am new to Cyphon and trying to set up an Ubuntu Cyphon VM, but I am not able to find the "Cyphon Service". When I run the command "$ sudo systemctl status cyphon", it says that no such service or directory exists. I have done the initial configuration and I am also able to find the "Docker" service.
Idriel
@Idriel
Hi, I am new to Cyphon (just installed it, read the docs and watched YouTube clips).
Could you please add to the documentation some real-life workflow example, e.g. receiving an IDS alert and then how you add additional context like source_ip geolocation, e.g. DHCP information and which Windows user is logged on at that IP (read from the AD Security log) if it's from the internal network... how do you connect to/grab that data?
I am having a hard time understanding how you add context, as this product is intended to get only alert data (right?) and then you give additional context by pulling data over an API (or did I get something wrong)?
Tarek
@tee2015
Hi guys, I set up Cyphon and want to get my Twitter feeds into it. I followed the documentation step by step and I am up and running. I loaded the default starter-textures.json and added my Twitter app secrets. Result: I cannot see any stream. I logged in to Kibana and set a stamp index, but I also cannot see the tweets loading in Kibana either. Any ideas where I can start troubleshooting? Thank you guys in advance.
trenerok
@trenerok

@lhadjchikh hello. Could you help me? We get this error when using alerts in the UI:
xhr.js:177 Mixed Content: The page at 'https://server_name/app/alerts/376744/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://server_name/api/v1/categories/?page=2'. This request has been blocked; the content must be served over HTTPS.

Where can I fix it?

Tarek
@tee2015
Hi, I was able to solve the problem; disregard my previous post.
trenerok
@trenerok
Hi everyone. I see that the project is not being developed?
Chase Brewer
@chasebrewsky

@/all on our current version.

Let me know if you have more questions. I apologize for the radio silence for so long since I'm the only person working on this at the moment. It's difficult to find time to develop this and do any community outreach.

@/all The project is currently under development for the next version. We've had a lot of the same issues cropping up internally from our employees and externally from our open source users, so we decided to take a look at how we can redesign the application to fix these issues. The main things we are trying to fix with the next version are scalability, ease of configuration, ease of deployment, and the ability to incrementally add different alerting mechanisms.

The current version of the application was originally designed as a complete data ingestion pipeline. You would put data into the pipeline, it would categorize it, parse it, alert on it, and store it for you. The configuration makes sense as you configure data as it comes into the pipeline, gets processed by the pipeline, and gets sorted into Elasticsearch using the pipeline. Once the application starts to get flooded with data though, the pipeline can buckle under the pressure and log data gets backed up with no hope of catching up. You're limited by the central database's connection and processing power as the watchdogs frantically try to keep up. When we reached this limit internally, we moved the ingestion and sorting process into Logstash, limited our alert intake to a few select data types, and turned off the application's ability to save data to Elasticsearch. It was now a sidecar alert generation and workflow application rather than the original data ingestion pipeline. This seems to be the way most users use the application as well, since they already have existing ELK stacks and workflows based around that stack.

After moving the application to being a sidecar application, the configuration required to make this work doesn't fit the mental model of the configuration's original design. It still requires a warehouse and collection to be defined even though it's not saving data there anymore. It can still search through that Elasticsearch index, but it requires the collection name to be defined to match the Elasticsearch index that it no longer manages. There are a lot of implicit instead of explicit connections to that index, which can lead to issues when the storage environment changes without Cyphon knowing.

Creating alerts that don't fit into the data ingestion pipeline is also an issue. We could just force them into the alert list, but without the data ingestion pipeline the alert has no context as to where it came from and why it's an alert. This leads the user to make a collection they won't use and a parsing rule that blatantly accepts anything from that data type. It's a hack that gives the alert context as to where it came from while bypassing the parser. This means we have to configure a collection and data type for any new data source like this. This isn't scalable when you're adding many new data sources constantly.

The next version redesigns Cyphon to act more like an ecosystem of decoupled but interconnected services, with the ecosystem's main focus being alert generation rather than being a data ingestion pipeline. We're focusing on three main services in the next version: an alert ingestion service that simply accepts and throttles known alerts, a parsing service that generates alerts based on parsing rules, and a polling service that pulls in data from outside sources and directs it into the Cyphon ecosystem. Any new services created will revolve around either generating alerts to push to the alert ingestion service or pulling in alerts from different sources. Each service is deployed as a binary and can be run as easily as ./cyalert start. Each service is also built to be horizontally scalable so we don't run into the database congestion issues we had previously.

Every service will also be manageable by a plugin-based web GUI system that contains plugins tailored for each service. This plugin-based system allows you to create your own services with their own tailored plugins so you can manage your entire alerting service cluster from one place. This part was very important to break out the coupling issues we were having when creating new features.

Sorry about all the new message pings, I was trying to get the formatting correct and was failing miserably
Tarek
@tee2015
Hi @chasebrewsky and thank you for the updates
Tarek
@tee2015
I have a question regarding the ability to hook a third-party app to Cyphon. I know by default Twitter and JIRA are supported; I am wondering how to implement a third party. I was trying to access the Django admin panel on a different port running the dev framework. Any suggestions and guidance on that would be appreciated.
trenerok
@trenerok
@chasebrewsky it sounds perfect! We are really waiting for the next version. Thanks!
Chase Brewer
@chasebrewsky
@tee2015 You would have to create a new destination module in the Cyphon source code. There's information on that package here: https://cyphon.readthedocs.io/en/latest/modules/responder.destinations.html#destinations
Tarek
@tee2015
Thanks @chasebrewsky
Tarek
@tee2015
Hi @chasebrewsky, hope you are doing well. If I want to create a new alarm from a couple of alarms, or group alarms into one, what would be the best approach? I am thinking of grouping them based on two criteria (an identical ID and time frame).
Phuong Nam Tran
@phuongnamtk_twitter
Hi, is everyone here?
I don't know how to add a feed to Cyphon, can you help me?
Tarek
@tee2015
Hi Phuong, what type of feed do you want to add? If the feeds are from your network, send them to Logstash and they will be ingested; if it's from an API, you must add the app API and do some configuration. The documents on GitHub are enough to get you started.
Ali Bandagi
@abandgi
Hi guys, I just installed the Cyphon ISO image. The installation completed successfully, but the cyphon service status seems to be stuck at "activating". When "systemctl start cyphon" is executed, the terminal goes into a wait state; I left it for like 2-3 hours, still no response.
ant1234
@ant1234
Hi guys, I've installed and configured Cyphondock and have run through the Filebeat / Snort log tutorial. Filebeat seems to harvest new messages in my /var/log/snort/snort.log file and publishes the message to Logstash, but it seems to get stuck there. I get "_grokparsefailure", but otherwise the message seems to harvest without errors. Nothing in Kibana or RabbitMQ though. Anyone else had this issue?
Tarek
@tee2015
Looks like @ant1234 you need to update the grok to match the message, but the default one I assume works well.
ant1234
@ant1234
Hi @tee2015, thanks for your reply. Yes, I was able to solve that problem and can see the messages streaming into the Kibana dashboard now. However, not into Cyclops unfortunately. I've configured the mapbox field and can see the map showing up, but my logs don't carry over from Kibana to there. Would you know how to debug this one, or if there are any gotchas which might be tripping me up here?
ant1234
@ant1234

Yes, I can confirm the default message is working, I have a snort log which has sent the default message to the Cyclops panel without parse errors.

I would like to modify the Snort pattern to accommodate a message which looks like:
Jul 05 2019:07:05 [Host: www.website-url.com] [Classification: IN] [TTL: 81] [Type: A] [IP Address: 54.206.74.117]

I have changed the line inside /logstash/pipeline/2-filter4-snort.conf to :

        grok {
            patterns_dir => ["/usr/share/logstash/patterns"]
            match => { "message" => "(?<ts>(.*\d{2}:\d{2}:\d{2}))\s\[Host: %{DATA:host}] \[Classification: %{WORD:classification}] \[%{DATA:ttl}] \[Type: %{WORD:type}] \[IP Address: %{IPV4:ip}]" }
        }

Which I can confirm is working if I check it with the Grok debugger here:
http://grokdebug.herokuapp.com/

Nothing appears in Kibana though. Is there something else I need to do? Would greatly appreciate any help.

Tarek
@tee2015
Great @ant1234, once it's in Kibana that means you just need to configure it from the Cyphon admin panel. You must create bottles and containers, and to show that alert in Cyphon you also need to create watchdogs. There is an easy guide on the Cyphon website as a wiki that you can follow easily. Let me know if you still need a hand, happy to assist.
ant1234
@ant1234
Thanks for that advice @tee2015, I managed to get that sorted in the Cyphon admin panel. All Working now :)
Tarek
@tee2015
Awesome 😋 @ant1234
trenerok
@trenerok
Hi guys. Do you have any updates about new Cyphon version?
Tarek
@tee2015
No actually
Lenin Corzo
@Lenin_Corzo_16_twitter
Hello!
I am having problems with email notifications. I configured them through the administrator interface but I get no results in the emails. Could you help me with the configuration of these, with examples?
Hello guys,
Could you help me? When creating alerts I cannot add titles. Do you know what this error is due to? Thanks!
Tarek
@tee2015
Hello, it's very easy though; what issue are you facing?
@Lenin_Corzo_16_twitter do you still face an issue?