SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary], (Tue, Nov 26th)

[This is a Guest Diary by John Paul Zaguirre , an ISC intern as part of the SANS.edu BACS program]

Introduction

This blog post documents how to set up a DShield Sensor in AWS, a DShield SIEM on a local machine, and how to connect the two. I initially set up a Raspberry Pi 5 as a DShield Sensor, but after a while switched to AWS. I then added a DShield SIEM hosted locally on my network and connected the AWS sensor to it so I could use it for my attack observations. This walkthrough compiles several existing guides into one; their GitHub pages are linked under the “References and Resources” section. You can find the full walkthrough on this page – https://github.com/15HzMonitor/Internship-Blog-Post

Requirements – Hardware, Software, and Accounts

Hardware
1.    A machine to host your DShield SIEM. This can be a laptop, a desktop, or a virtual machine running on your desktop. If you plan to run the SIEM 24/7, use something other than your daily production machine. In my case, I reused an old desktop as my SIEM so that it can run 24/7. Below are the minimum specs required to run the SIEM, based on Guy’s documentation for the Ubuntu setup [1]:
    o    Minimum 8 GB RAM
        –    If the amount of RAM assigned to each container (see below) is more than 2 GB, consider increasing the server’s RAM capacity.
    o    4-8 cores
    o    Two partitions: one for the OS, the other for Docker
    o    Minimum 300 GB partition assigned to /var/lib/docker (I used a 1 TB SATA drive)
2.    A USB flash drive (at least 16 GB) to hold the Ubuntu ISO that you will install on your repurposed machine. It must be clear of any data, because Rufus formats the USB stick when it creates the boot drive.
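A pre-flight check of a candidate SIEM host against the minimums listed above, as an added example that is not part of the original post or the DShield-SIEM project. The function names and the 1000-based thresholds are this script's own assumptions: /proc/meminfo reports a little less than the installed RAM because the kernel reserves some, so an 8 GB machine would fail an 8 GiB test.

```shell
#!/bin/sh
# Pre-flight check of a candidate DShield SIEM host against the minimums listed
# above: 8 GB RAM, 4-8 cores, a separate partition of at least 300 GB mounted at
# /var/lib/docker. Added example; not part of the DShield-SIEM project.

MIN_RAM_GB=8
MIN_CORES=4
MIN_DOCKER_GB=300
DOCKER_DIR=/var/lib/docker

# Checkers take the measured value as an argument (kB for memory and disk) so
# they can be exercised without touching the live machine. Thresholds use
# 1000-based units (assumption): /proc/meminfo reports a little less than the
# installed RAM, so an 8 GB machine would fail a strict 8 GiB comparison.
ram_ok()              { [ "$1" -ge $((MIN_RAM_GB * 1000 * 1000)) ]; }
cores_ok()            { [ "$1" -ge "$MIN_CORES" ]; }
docker_partition_ok() { [ "$1" -ge $((MIN_DOCKER_GB * 1000 * 1000)) ]; }
# $1 and $2 are the mount points holding / and DOCKER_DIR; they must differ.
separate_partition()  { [ "$1" != "$2" ]; }

# Collectors read the real host (Linux: /proc/meminfo, nproc, df).
collect_ram_kb()  { awk '/^MemTotal:/ {print $2}' /proc/meminfo; }
collect_cores()   { nproc; }
collect_disk_kb() { df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $2}'; }
collect_mount()   { df -P "$1" 2>/dev/null | awk 'NR==2 {print $6}'; }

preflight() {
    rc=0
    ram_ok "$(collect_ram_kb)"  || { echo "FAIL: less than ${MIN_RAM_GB} GB RAM"; rc=1; }
    cores_ok "$(collect_cores)" || { echo "FAIL: fewer than ${MIN_CORES} cores"; rc=1; }
    if [ -d "$DOCKER_DIR" ]; then
        docker_partition_ok "$(collect_disk_kb "$DOCKER_DIR")" \
            || { echo "FAIL: ${DOCKER_DIR} is smaller than ${MIN_DOCKER_GB} GB"; rc=1; }
        separate_partition "$(collect_mount /)" "$(collect_mount "$DOCKER_DIR")" \
            || echo "WARN: ${DOCKER_DIR} shares the root filesystem"
    else
        echo "WARN: ${DOCKER_DIR} does not exist yet; create and mount the Docker partition first"
    fi
    [ "$rc" -eq 0 ] && echo "OK: host meets the DShield SIEM minimums"
    return "$rc"
}

# Run the live check only when invoked as: sh siem_preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```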

Software
1.    Ubuntu 22.04 LTS Live Server 64-bit for your DShield SIEM. You can download the ISO on the Ubuntu Server Page [2].
2.    Rufus Software to put your Ubuntu ISO into a bootable USB. You can find the latest Rufus version on the Rufus downloads page [3].
3.    (Optional) Software such as Parted Magic or DBAN to wipe the machine you will be using.
4.    Your router’s administration interface, to assign a static IP to your SIEM and set up port forwarding.

Accounts
1.    A SANS Internet Storm Center (ISC) account, for the API key you will enter in your sensor. You can sign up on the ISC sign-up page [4].
2.    An AWS account to deploy your DShield Sensor using the Free Tier offer. If you don’t have one yet, you can sign up on the AWS sign-up page [5].
3.    An AlienVault OTX account for generating the API key to link to your DShield SIEM. You can sign up on the AlienVault OTX sign-up page [6].

Setup Process

1. Set up your DShield Sensor.

Sign up for an AWS account.
Set up an EC2 instance.
Install and set up the DShield Sensor.
Configure EC2 security.

2. Set up your DShield SIEM.

Install Ubuntu Server on a physical machine.
(Optional) Install Ubuntu Server virtually through VMware.
Build a Docker partition.
Install Docker.
Install and configure DShield ELK.

An optional setup using a Raspberry Pi as the SIEM has been written by another SANS student and can be found on their GitHub page [7].

3. Configure Filebeat and connect your DShield Sensor to DShield SIEM.

Install and configure Filebeat on your DShield sensor and connect it to your ELK.
Troubleshoot and test Filebeat.
Start Filebeat, Elastic-agent, and Softflowd.
Check the status of Filebeat, Elastic-agent, and Softflowd.
Access your dashboards and logs.

4. Harden your DShield SIEM.

Add non-root user(s), install updates, enable unattended upgrades, lock down OpenSSH, and set up Fail2ban.
10 Tips for Hardening your Linux Servers.

[1] https://github.com/bruneaug/DShield-SIEM#ubuntu-setup
[2] https://ubuntu.com/download/server
[3] https://rufus.ie/downloads/
[4] https://isc.sans.edu/register.html
[5] https://signin.aws.amazon.com/signup?request_type=register
[6] https://otx.alienvault.com/
[7] Installing DShield SIEM on a Raspberry Pi 5 – 8 GB RAM
[8] https://www.sans.edu/cyber-security-programs/bachelors-degree/

Special thanks to the writers of these GitHub documents:

dshield: DShield Raspberry Pi Sensor
Installing DShield SIEM on a Raspberry Pi 5 – 8 GB RAM
DShield-SIEM: DShield Sensor Log Collection with ELK
Dshield-ELK

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.