SIEMonster V4 - Free | Open Source Security Incident and Event Management (SIEM)

SIEMonster Security Information and Event Management (SIEM):

                                                                                              built on customizable, components. Included is UEBA, Bro, Suricata, The Hive, Cortex, Apache Ni-Fi, Kafka, MISP and Wazuh.

SIEMonster provides Community Edition is a single appliance or Virtual machine, for companies from 1-100 endpoints. It is completely free to use.

 SIEMonster is a collection of the best open source security tools and our own development as professional hackers to provide a SIEM for everyone. We showcase the latest and greatest tools for security professionals and our Community Edition v.4 Fully Loaded has it all. Designed for smaller organizations, charities, classrooms or even those who just want to check out our Fully Loaded SIEM. This edition is completely free, for the community and to be supported by the community.

Community Edition gives you the ability to monitor all network assets in an affordable scalable solution. This single server solution makes it easier for organizations who only have 1-100 endpoints. To access the Community Edition you will need to sign up to the Community Portal, which is available via the download button on our website. There you will also find all the resources you will need to help install and learn about SIEMonster. We have created an admin guide and videos for you. You are also encouraged to interact with other Community Edition users for support or just share how you are using the SIEM and even help out another user, after all that’s what Community is all about.

SIEMonster’s slogan is SIEM for everyone and this is why our prices are so affordable. Whether you are a small, medium or large enterprise we have the right product and licensing for you.

Pre Requisites :

You will need a minimum of 32GB RAM and 8 VCPU’s of power.

Note: Community edition will monitor up to 100 endpoints at 5,000 EPS as it’s designed to give you a taste and allow you to play with the product for as long as you like.

When you’re ready to get serious, let us know, and we’ll help you with our other editions.

Reference : Docs | Videos

https://siemonster.knowledgeowl.com/help

Download Link:

https://go.siemonster.com/Community-Edition

Apache Metron - Open Source Big Data Security Analytics Framework

Apache Metron:

                           integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat intelligence information to security telemetry within a single platform.

Logical Architecture 

 Apache Metron can be used as a SIEM system. It offers a variety of options that make up a SIEM system. First, you can save data over a long period of time.

Some Features:

 
Because Apache Metron is designed as a big data solution, the open source solution can handle data lakes too. 

Simply put, data lakes are an in-house storage option for all data and sources. Business users can access and analyze the data based on their permissions. Usually the data in Data Lake is unmodified, so it will not be transformed. The Data Lake is accessed by various analysis tools, which convert the data for their own use. 

 Nice Intro Video 

Current Release: 0.7.1

 Download Link : 

https://archive.apache.org/dist/metron/

https://github.com/apache/metron

 

CloudSeeker - Free tool

CloudSeeker:

           A free tool that gives enterprises visibility into cyber exposure caused

 by the proliferation of cloud services and ability to tackle the visibility gap

 caused by unsanctioned IT.

Cofense CloudSeeker - free utility starts with a catalog of popular SaaS applications and checks each to see if a domain has been configured for use. Once the scan is complete, export the data for a better understanding of potential issues.

CloudSeeker Helps:

• Give insight into which apps are in use

• Uncover applications provisioned without IT’s knowledge

• Uncover risks to your organization

  Link : https://cofense.com/cloudseeker/

DocBleach - Content Disarm and Reconstruction(CDR) - Open Source tool

DocBleach:

              is an advanced Content Disarm and Reconstruction open source software. Its objective is to remove misbehaving dynamic content from your Office files, or everything that could be a threat to the safety of your computer.

                                    DocBleach allows you to sanitize your Word, Excel, PowerPoint, PDF, ... documents. This repository contains the DocBleach Web API, packaged as a docker service. Two clicks and you'll feel safer.


Let's assume your job involves working with files from external sources, for instance reading resumes from unknown applicants. You receive for example a .doc file, your anti-virus doesn't detect it as harmful, and you decide to open it anyway. You get infected. You can use DocBleach to sanitize this document: chances are you don't get infected, because the dynamic content isn't run.

Howto's

To build DocBleach, use Maven:

$ mvn clean package
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.696 s
[INFO] Finished at: 2016-12-19T17:36:10+01:00
[INFO] Final Memory: 29M/234M
[INFO] ------------------------------------------------------------------------

The final jar is stored in cli/target/docbleach.jar.
To use DocBleach, you may either use the Web Interface or run it in CLI:

java -jar docbleach.jar -in unsafe_document.doc -out safe_doc.doc

The input file may be a relative/absolute path, an URI (think: http:// link), or a dash (-).
The output file may be a relative/absolute path, or a dash (-).
If a dash is given, the input will be taken from stdin, and the output will be sent to stdout.
DocBleach's information (removed threats, errors, ...) are sent to stderr.

Download Link :

https://github.com/docbleach/DocBleach.git
https://github.com/docbleach/DocBleach-Web
 

DocBleach - Online ( Hosted in OVH )

Sanitizes a potentially dangerous file (Office Document, PDF), by removing macros and other active contents.

Friendly reminder: do NOT post sensitive documents here, unless you trust this page owner.

 

Online Link : https://www.docbleach.ovh/

 

Threat Hunting Tool - Bro (Zeek) Network Security Monitor

Bro (Zeek) - Threat Hunting Tool:

A powerful framework for network traffic analysis and security monitoring.Bro is a passive, open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting.

Note that "Zeek" is the new name of what used to be known as the "Bro" network security monitoring system.

Key Features

• In-depth Analysis Zeek ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
  
• Adaptable and Flexible Zeek's domain-specific scripting language enables site-specific monitoring policies and means that it is not restricted to any particular detection approach.
  
• Efficient Zeek targets high-performance networks and is used operationally at a variety of large sites.
  
• Highly Stateful Zeek keeps extensive application-layer state about the network it monitors and provides a high-level archive of a network's activity.
  

 Download Link :

https://www.zeek.org/download/index.html

Free / Community - Triage Analysis Tools - FireEye / Crowdstrike

Compromise Assessment / Triage Analysis Tools :

Two best tools to do the triage analysis , once the system is suspect for compromise. 

             

• Redline - FireEye

•  CrowdResponse - CrowdStrike

  
  

Redline:

           FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

With Redline, you can:

• Thoroughly audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history.
• Analyze and view imported audit data, including the ability to filter results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
• Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
• Perform Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.

Redline version 1.20.2 introduces support for large file and registry audits. Redline has also been improved to address issues related to efficiency and memory management.

• Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit), Windows 10
• File Size: 76 MB
• Integrity Hashes:
  • MD5: 2edb1d0e023f286ea5015cdf1382d642
  • SHA-1: e38fe8cc81dc5491d38b61db0fff165cdd3ed35d
   

Download Link :

https://www.fireeye.com/content/dam/fireeye-www/services/freeware/sdl-redline.zip

CrowdResponse: 
                          Static Host Data Collection Tool.

                                    There is no installer for this tool. Simply unzip the contents of the downloaded ZIP file into a location of your choosing and launch it directly from there. Similarly for uninstalling; simply delete the file(s) you extracted by moving them to the Recycle Bin or permanently deleting them. It is possible there may be a very small number of elements that remain in the Registry.

There can be safely ignored or manually deleted by using a registry editing tool (e.g. regedit) and navigating to HKEY_LOCAL_MACHINE\Software\\CrowdStrike or HKEY_CURRENT_USER\Software\CrowdStrike and noting the name of the tool there and removing the branch.

Hashes:

• MD5 c94edf14e5e1b205813b949b7904b95e


• SHA1 bf48a7c0e32fd8f67b11eebb69f836a60de2f9e1


• SHA256 3b5f07d83af34f16f79f8cc1f77d6a0827d7dee57a4be8f667767ce325ac5d00

Download Link :

https://www.crowdstrike.com/wp-content/community-tools/CrowdResponse.zip

Malicious Software Removal Tool / Safety Scanner - Microsoft

Malicious Software Removal Tool (MSRT) :

                                                                 helps keep Windows computers free from prevalent malware. MSRT finds and removes threats and reverses the changes made by these threats. MSRT is generally released monthly as part of Windows Update or as a standalone tool available here for download.

Use this tool:

• If you have automatic updates for Windows turned off. Windows Update automatically downloads and runs MSRT in the background.
• If you suspect an infection from prevalent malware families
• To complement your antimalware product.

MSRT targets prevalent malware families only.

Download Link :

https://www.microsoft.com/en-us/download/details.aspx?id=16

Microsoft Safety Scanner:

is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.

Download 

• Download Microsoft Safety Scanner (32-bit)
  
• Download Microsoft Safety Scanner (64-bit)
  

Free / Open-Source tools for Kubernetes Security Audit

kube-hunter:

                   is an open-source tool that hunts for security issues in your Kubernetes clusters. It’s designed to increase awareness and visibility of the security controls in Kubernetes environments.

kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token allowing you see and share the results online. You can also run the Python code yourself as described below.

Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules please read Guidelines For Developing Your First kube-hunter Module.

Ref link : https://kube-hunter.aquasec.com/

kube-bench:

                  is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

"An objective, consensus-driven security guideline for the Kubernetes Server Software."

Note that it is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.


Sample Output:
 

CIS Kubernetes Benchmark support

kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.

CIS Kubernetes Benchmark	kube-bench config	Kubernetes versions
1.0.0	1.6	1.6
1.1.0	1.7	1.7
1.2.0	1.8	1.8-1.10
1.3.0	1.11	1.11-1.12
1.4.0	1.13	1.13-

By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

 Ref Link :

https://github.com/aquasecurity/kube-bench
https://www.cisecurity.org/benchmark/kubernetes/

MALWOVERVIEW - Malware Analysis ( triage ) tool

MALWOVERVIEW :-    

                                             Malware Analysis tools was to developed to provide students with a comprehensive hands-on exposure to the processes, tools and procedures used to identify common types of malware and to quickly determine their capabilities and threat level.

The new 1.6.0 version of MALWOVERVIEW tool is finally available!

Malwoverview.py is a first response tool to perform an initial and quick triage on either a directory containing malware samples, specific malware sample or even a suspect URL.

https://github.com/alexandreborges/malwoverview

This version:

* It is using the Hybrid Analysis API version 2.4.0.
* Includes certificate information in the Hybrid Analysis report.
* Includes MITRE information in the Hybrid Analysis report.
* Includes an option to download samples from Hybrid Analysis.

Gorsair - Docker API Penetration Testing Tool

Gorsair

                is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access to the docker daemon, you can use Gorsair to directly execute commands on remote containers.

Gorsair hacks its way into remote docker containers that expose their APIs.

Exposing the docker API on the internet is a tremendous risk, as it can let malicious agents get information on all of the other containers, images and system, as well as potentially getting privileged access to the whole system if the image uses the root user.

 

Install

From a release

Set the:

• GORSAIR_VERSION to whatever release you are interested in
• OS to your operating system (linux, windows or darwin)
• ARCH to your architecture (amd64, arm, or ppc64le)

And then run the following command to install gorsair.
curl https://github.com/Ullaakut/Gorsair/releases/download/$GORSAIR_VERSION/gorsair_$OS_$ARCH --output /usr/local/bin/gorsair

From the sources

• Make sure that you have a go version that supports modules (versions 1.11 and above)
• Make sure that your environment contains the GO111MODULE variable set to on
• Run go build -o /usr/local/bin/gorsair cmd/*.go from the root of this repository

Command line options

• -t, --targets: Set targets according to the nmap target format. Required. Example: --targets="192.168.1.72,192.168.1.74"
• -p, --ports: (Default: 2375,2376) Set custom ports.
• -s, --speed: (Default: 4) Set custom nmap discovery presets to improve speed or accuracy. It's recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. You might also want to keep it low to keep your discovery stealthy. See this for more info on the nmap timing templates.
• -v, --verbose: Enable more verbose logs.
• -D, --decoys: List of decoy IP addresses to use (see the decoy section of the nmap documentation)
• -e, --interface: Network interface to use
• --proxies: List of HTTP/SOCKS4 proxies to use to deplay connections with (see documentation)
• -S, --spoof-ip: IP address to use for IP spoofing
• --spoof-mac: MAC address to use for MAC spoofing
• -v, --verbose: Enable verbose logging
• -h, --help: Display the usage information

How can I protect my containers from this attack

• Avoid putting containers that have access to the docker socket on the internet
• Avoid using the root account in docker containers

Ref Link: https://github.com/Ullaakut/Gorsair

Open-Sourced Remote Vulnerability Testing Framework - Pocsuite

Pocsuite:

                 is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team.

It comes with a powerful proof-of-concept engine, many niche features for the ultimate penetration testers and security researchers.

Features

• PoC scripts can running with `attack`,`verify`, `shell` mode in different way
• Plugin ecosystem
• Dynamic loading PoC script from any where (local file, redis , database, Seebug ...)
• Load multi-target from any where (CIDR, local file, redis , database, Zoomeye ...)
• Results can be easily exported
• Dynamic patch and hook requests
• Both command line tool and python package import to use
• IPV6 support
• Global HTTP/HTTPS/SOCKS proxy support
• Simple spider API for PoC script to use
• Integrate with [Seebug](https://www.seebug.org) (for load PoC from Seebug website)
• Integrate with [ZoomEye](https://www.zoomeye.org) (for load target from ZoomEye `Dork`)
• Integrate with [Ceye](http://ceye.io/) (for verify blind DNS and HTTP request)
• More ...

Functions

Vulnerability Testing Framework

Written in Python and supported both validation and exploitation two plugin-invoked modes, Pocsuite could import batch targets from files and test those targets against multiple exploit-plugins in advance.（See "Pocsuite usage"）

PoC/Exp Development Kit

Like Metasploit, it is a development kit for pentesters to develope their own exploits. Based on Pocsuite, you can write the most core code of PoC/Exp without caring about the resulting output etc. There are at least several hundred people writing PoC/Exp based on Pocsuite up to date.

Integratable Module

Users could utilize some auxiliary modules packaged in Pocsuite to extend their exploit functions or integrate Pocsuite to develop other vulnerability assesment tools.

Integrated ZoomEye And Seebug APIs

Pocsuite is also an extremely useful tool to integrate Seebug and ZoomEye APIs in a collaborative way. Vulnerablity assessment can be done automatically and effectively by searching targets through ZoomEye and acquiring PoC scripts from Seebug or locally.

Installation

pocsuite3 works out of the box with Python version 3.x on any platform.
You can use Git to clone the latest source code repository

    $ git clone git@github.com:knownsec/pocsuite3.git

Or click here to download the latest source zip package, and extract

    $ wget https://github.com/knownsec/pocsuite3/archive/master.zip
    $ unzip master.zip

    $ cd Pocsuite
    $ python cli.py --version

Or use pip

    $ pip install pocsuite
    $ pocsuite --version

More Videos : https://asciinema.org/a/133345

Download / Ref Link :

https://github.com/knownsec/Pocsuite
https://pocsuite.org/index-en.html

GUI Based Snort Rule Creator / Maker - SNORPY

SNORPY:

                        A Simple GUI / Web Based Snort Rule Creator / Maker for Building Simple Snort Rules.

Snorpy is a simple Snort rule creator / builder / maker made originally with python but I made the most recent version with Node and jquery.

#Install

1. Install nodejs
2. Download repo
3. Unzip the file name node_modules.zip
4. cd /to/the/path/of/app.js
5. run the following command: "node app.js"

Should be that easy.

Video Ref : https://vimeo.com/182794567

Download Link : https://github.com/chrisjd20/Snorpy

Online Play : http://snorpy.com/

Bulk_Extractor - Best Forensics tool to Extracts Sensitive Information

Bulk Extractor:

                          is to locate potentially sensitive information such as email addresses and credit card numbers, as well as other types of information such as GPS coordinates and image file types.

Bulk extractor ignores the file system and scans it linearly. This, in combination with parallel processing, makes the tool very fast. It will have an issue with fragmented files, but typically, files aren’t fragmented.

bulk_extractor can be used on Windows, Linux, and Macintosh OS X platforms.
This page contains instructions for downloading, building and installing bulk_extractor on Linux and OS X, and for downloading and installing the bulk_extractor binary on Windows. If you would like to build your own Windows binary

bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
We have made the following tools available for processing feature files generated by bulk_extractor:

• A a small number of python programs that perform automated processing on feature files.
• A Bulk Extractor Viewer User Interface (BEViewer) for browsing features stored in feature files and for launching bulk_extractor scans. Please see page BEViewer.

Installation Steps for Windows / Linux :

Output Feature Files

bulk_extractor now creates an output directory that has the following layout:

alerts.txt	Processing errors.
ccn.txt	Credit card numbers
ccn_track2.txt	Credit card “track 2″ informaiton, which has previously been found in some bank card fraud cases.
domain.txt	Internet domains found on the drive, including dotted-quad addresses found in text.
email.txt	Email addresses.
ether.txt	Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.
exif.txt	EXIFs from JPEGs and video segments. This feature file contains all of the EXIF fields, expanded as XML records.
find.txt	The results of specific regular expression search requests.
identified_blocks.txt	Block hash values that match hash values in a hash database that the scan was run against.
ip.txt	IP addresses found through IP packet carving.
rfc822.txt	Email message headers including Date:, Subject: and Message-ID: fields.
tcp.txt	TCP flow information found through IP packet carving.
telephone.txt	US and international telephone numbers.
url.txt	URLs, typically found in browser caches, email messages, and pre-compiled into executables.
url_searches.txt	A histogram of terms used in Internet searches from services such as Google, Bing, Yahoo, and others.
url_services.txt	A histogram of the domain name portion of all the URLs found on the media.
wordlist.txt	A list of all “words” extracted from the disk, useful for password cracking.
wordlist_*.txt	The wordlist with duplicates removed, formatted in a form that can be easily imported into a popular password-cracking program.
zip.txt	A file containing information regarding every ZIP file component found on the media. This is exceptionally useful as ZIP files contain internal structure and ZIP is increasingly the compound file format of choice for a variety of products such as Microsoft Office

Download Link :

http://downloads.digitalcorpora.org/downloads/bulk_extractor/ 

https://www.kazamiya.net/en/bulk_extractor-rec

https://github.com/simsong/bulk_extractor