This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

weslambert/securityonion-strelka


securityonion-strelka

Work in progress (not officially supported to work with Security Onion -- TEST AT YOUR OWN RISK!)

  • Integrates the great work of @jshlbrd (Strelka) with Security Onion.
  • Tested on standalone and distributed Security Onion deployments.
  • PLEASE NOTE: The official Strelka documentation recommends installing Strelka on a separate node so that file processing does not tax sensor components. These scripts install Strelka directly on the Security Onion node itself (Standalone/Forward Node). Depending on the amount of traffic you are monitoring and the number of files Bro extracts on average, you may well need to move Strelka (at least the server process) to a dedicated node (offering this as an option is on the TODO list).
  • Currently monitors /nsm/strelka. Files are copied every minute from /nsm/bro/extracted to /nsm/strelka, read by Strelka, and deleted once processed. The original files remain in /nsm/bro/extracted and are managed by Security Onion as normal. If you have a Security Onion installation with pre-existing extracted files that you would like scanned, you will need to copy those files to the /nsm/strelka directory manually.
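The per-minute copy step described above could be implemented along these lines; this is an added example, not the project's own install script. It assumes the source and destination directories and a state-file path are passed in as parameters, and uses the state file (an assumption, not something the project ships) so that each extracted file is queued for Strelka exactly once even after Strelka has deleted its copy from /nsm/strelka.

```sh
#!/bin/sh
# Added example (not part of securityonion-strelka): a one-shot sync of the
# kind the README describes. Copies regular files from SRC (the README's
# /nsm/bro/extracted) to DST (/nsm/strelka) once each. Names already copied
# are recorded in STATE (an assumed location), so a file that Strelka has
# already consumed and removed from DST is not re-queued on the next run.
# Prints the number of files copied this run.

sync_extracted() {
    src="$1"; dst="$2"; state="$3"
    copied=0
    [ -d "$src" ] || return 1
    mkdir -p "$dst" || return 1
    touch "$state" || return 1
    for f in "$src"/*; do
        # Only regular files directly under the extraction directory.
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Skip anything we have already handed to Strelka in a previous run.
        if grep -Fxq -- "$name" "$state"; then
            continue
        fi
        # Copy to a temporary name and rename into place: the rename is
        # atomic on the same filesystem, so Strelka never sees the final
        # filename until the file is completely written.
        cp -- "$f" "$dst/.$name.part" && mv -- "$dst/.$name.part" "$dst/$name" || return 1
        printf '%s\n' "$name" >> "$state"
        copied=$((copied + 1))
    done
    echo "$copied"
}
```

Run it from cron once a minute with the three paths as arguments; because the state file grows by one line per extracted file, rotate or prune it on the same schedule you use for /nsm/bro/extracted.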

TODO:

  • Better parsing/mapping of fields.
  • Better correlation with existing log data presented by Security Onion.
  • Consider adding the ability to move the Strelka server process to the master server to avoid taxing sensor components.
  • Consider adding Strelka Bro extraction script.
Install on Standalone
  • wget https://raw.githubusercontent.com/weslambert/securityonion-strelka/master/install_strelka && sudo chmod +x install_strelka && sudo ./install_strelka
Install in Distributed Environment

Not currently supported.

Logs
  • Raw logs are located in /var/log/strelka/ (on standalone/forward nodes)
Kibana
  • Navigate to Discover and type the following in the search field: tags:strelka or event_type:strelka

    (May have to refresh field list under Management -> Index Patterns)
