Network Services

LIADS Service & Protocols with configurable options

This section describes the deployable Low-Interactive-Active-Defense-Services (LIADS), the options each one exposes, and the data each one logs:

SSH

Emulates an SSH (Secure Shell) service running on the server. By default, the service listens on 'TCP/22'; any connection attempt made to it is logged and subsequently alerted.

  • Captured log data includes "Source-IP, Destination-IP, Remote-SSH-Version, Username/Password used during the login attempt".

  • The SSH service options "Port" and "Version/Banner" can be adjusted to suit the deployed environment, changing how the SSH service appears on the network.

Telnet

Emulates a Telnet service running on the server. By default, the service listens on 'TCP/23'; any connection attempt made to it is logged and alerted.

  • Captured log data includes "Source-IP, Destination-IP, Username/Password used during the login attempt".

  • The Telnet service options "Port" and "Version/Banner" can be adjusted to suit the deployed environment, changing how the Telnet service appears on the network.

FTP (File Transfer Protocol)

Emulates a File Transfer Protocol (FTP) service running on the server. By default, the service listens on 'TCP/21'; any connection attempt made to it is logged and alerted.

  • Captured log data includes "Source-IP, Destination-IP, Username/Password used during the login attempt".

  • The FTP service options "Port" and "Display Banner" can be adjusted to suit the deployed environment, changing how the FTP service appears on the network.

SMB (Server Message Block)

Emulates an SMB service with a network share enabled, running on the server. By default, the service listens on 'TCP/445' with the share enabled in its default configuration, and any attempt to access files served through the configured share is logged and alerted.

  • Captured log data includes "Source-IP, Destination-IP, User (who accessed the share), Hostname, Filename Accessed, Network-Share Name, SMB-Version, Activity"; the SOC team can use this information during analysis.

  • Service options that can be configured and adjusted:

    • SMB Share-Name, Workgroup, Netbios Name, Server-Version

Manual Configuration

Depending on the environment, this service may require additional manual configuration:

  • Before deploying the SMB service, create fake files and folders with juicy names and place them on the sensor inside the "/opt/ADS/etc/config/smb/files/" directory.

  • Deceptive/fake files placed inside "/opt/ADS/etc/config/smb/files/" are served via the configured SMB network share.

Note: If no files are provided, a default set of fake files and folders is used.

RDP (Remote Desktop Protocol)

Emulates a Remote Desktop Protocol (RDP) service running on the server. By default, the service listens on 'TCP/3389'; any connection attempt made to it is logged and alerted.

  • Depending on how the client interacted with the service, log data may include "Domain, Username, Password used during login attempt" along with "Source-IP, Destination-IP"; the SOC team can use this information for further analysis and appropriate action.

  • The RDP service requires no additional configuration; its port can be changed as needed.

Elasticsearch

Emulates an Elasticsearch node running on the server. The service listens on 'TCP/9200' in its default configuration; any connection attempt made to it is logged and alerted. Captured log data includes "Source-IP, Destination-IP, URI, User-Agent, Request Type".

  • The Elasticsearch node options "Port" and "Instance Name", as well as the responses the instance returns, can be configured and adjusted as needed.

Git Protocol

Emulates a Git protocol service running on the server. The service listens on 'TCP/9418' in its default configuration; any interaction with the Git service is logged and alerted.

  • Captured log data includes "Source-IP, Destination-IP, Git-Host, Repository the client attempted to clone". The service requires no additional configuration; its port can be changed as needed.

VNC

Emulates a VNC service running on the server. By default, the service listens on 'TCP/5900'; any connection attempt made to it is logged and alerted.

  • Captured log data includes "Source-IP, Destination-IP, Password used during the login attempt, Client-Response, Server-Response". The service requires no additional configuration; its port can be changed as needed.
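Every record from the interactive decoys above (SSH through VNC) carries at least a source and destination address, and most add the credentials or files the client touched. The following Python script is an added example, not part of the BluSapphire documentation or product code: it folds constructed alert records (field names chosen to mirror the data the page says each service captures; values invented) into one summary per source IP and orders them for triage. Credential pairs replayed against several decoys rank first, since they tell the SOC which real credential has been exposed; hosts touching several decoys without credentials rank as a sweep. The field names, verdict labels and thresholds are assumptions, not LIADS output.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts (not real LIADS output). Field names mirror the data the
# documentation says each decoy captures; every value here is invented.
SAMPLE_ALERTS = [
    {"service": "ssh", "src_ip": "10.0.5.23", "dst_ip": "10.0.9.10", "port": 22,
     "ssh_version": "SSH-2.0-sample-client", "username": "svc_backup", "password": "Winter2024!"},
    {"service": "telnet", "src_ip": "10.0.5.23", "dst_ip": "10.0.9.10", "port": 23,
     "username": "svc_backup", "password": "Winter2024!"},
    {"service": "ftp", "src_ip": "10.0.5.23", "dst_ip": "10.0.9.10", "port": 21,
     "username": "svc_backup", "password": "Winter2024!"},
    {"service": "smb", "src_ip": "10.0.5.23", "dst_ip": "10.0.9.10", "port": 445,
     "username": "svc_backup", "share": "Finance", "filename": "payroll_2024.xlsx", "activity": "read"},
    {"service": "rdp", "src_ip": "10.0.7.41", "dst_ip": "10.0.9.10", "port": 3389},
    {"service": "vnc", "src_ip": "10.0.7.41", "dst_ip": "10.0.9.10", "port": 5900},
    {"service": "elasticsearch", "src_ip": "10.0.7.41", "dst_ip": "10.0.9.10", "port": 9200,
     "uri": "/_cat/indices", "user_agent": "sample-http-client/1.0", "request_type": "GET"},
    {"service": "git", "src_ip": "10.0.7.41", "dst_ip": "10.0.9.10", "port": 9418,
     "repository": "infra-secrets.git"},
    {"service": "vnc", "src_ip": "10.0.3.9", "dst_ip": "10.0.9.10", "port": 5900,
     "password": "letmein"},
]

# Every decoy interaction is suspicious by definition; the verdict only orders the queue.
PRIORITY = {"credential-reuse": 3, "credential-attempt": 2, "service-sweep": 1, "single-touch": 0}


@dataclass
class SourceSummary:
    src_ip: str
    alert_count: int = 0
    services: set = field(default_factory=set)
    targets: set = field(default_factory=set)        # (dst_ip, port) decoy endpoints touched
    users: set = field(default_factory=set)          # usernames seen in any decoy record
    credentials: dict = field(default_factory=lambda: defaultdict(set))  # (user, pw) -> services
    files_touched: set = field(default_factory=set)  # "share/filename" from the SMB decoy


def summarize_by_source(alerts):
    """Fold individual decoy alerts into one summary per source IP."""
    summaries = {}
    for a in alerts:
        s = summaries.setdefault(a["src_ip"], SourceSummary(a["src_ip"]))
        s.alert_count += 1
        s.services.add(a["service"])
        s.targets.add((a["dst_ip"], a["port"]))
        if a.get("username"):
            s.users.add(a["username"])
        if a.get("password") is not None:  # VNC records a password but no username
            s.credentials[(a.get("username"), a["password"])].add(a["service"])
        if a.get("filename"):
            s.files_touched.add(f"{a.get('share', '')}/{a['filename']}")
    return summaries


def classify(summary):
    """Verdict for one source: reused credential > any credential > multi-service sweep."""
    if any(len(services) >= 2 for services in summary.credentials.values()):
        return "credential-reuse"
    if summary.credentials:
        return "credential-attempt"
    if len(summary.services) >= 3:
        return "service-sweep"
    return "single-touch"


def triage(alerts):
    """Return one row per source IP, highest priority first."""
    rows = []
    for s in summarize_by_source(alerts).values():
        verdict = classify(s)
        rows.append({
            "src_ip": s.src_ip,
            "verdict": verdict,
            "priority": PRIORITY[verdict],
            "alerts": s.alert_count,
            "services": sorted(s.services),
            "credentials": sorted(f"{u or '-'}:{p}" for u, p in s.credentials),
            "files": sorted(s.files_touched),
        })
    rows.sort(key=lambda r: (-r["priority"], -len(r["services"]), r["src_ip"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"{row['src_ip']:12} {row['verdict']:19} services={row['services']} "
              f"creds={row['credentials']} files={row['files']}")
```

Run it as a script to see the ordered queue; in practice the records would come from the platform's alert export rather than the embedded list. The SMB record contributes a username but no password, so it enriches the `users` set without counting as a credential attempt.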

SIP

Emulates a non-interactive Session Initiation Protocol (SIP) service running on the server. It does not respond to requests but records the received request information and alerts accordingly. By default, the service listens on 'UDP/5060'.

  • Captured log data includes "Source-IP, Destination-IP, SIP Headers (call-id, contact, from, to, user-agent)". The service requires no additional configuration; its port can be changed as needed.

SNMP

Emulates a non-interactive Simple Network Management Protocol (SNMP) service running on the server. It does not respond to requests but records the received request information and alerts accordingly. By default, the service listens on 'UDP/161'.

  • Captured log data includes "Source-IP, Destination-IP, Request Object ID (which uniquely identifies what is being queried on the managed device), Community String (which acts much like a user ID) used in the enumeration attempt". The service requires no additional configuration; its port can be changed as needed.

TFTP

Emulates a non-interactive Trivial File Transfer Protocol (TFTP) service running on the server. It does not respond to requests but records the received request information and alerts accordingly. By default, the service listens on 'UDP/69'.

  • Captured log data includes "Source-IP, Destination-IP, Transfer Mode, Operation Code (which specifies the message type), Filename the client attempted to retrieve". The service requires no additional configuration; its port can be changed as needed.
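The three passive UDP decoys (SIP, SNMP and TFTP) never answer; their whole value is in what they extract from a single inbound datagram. As an added example that is not part of the BluSapphire documentation or product code, the Python below decodes raw request packets into exactly the fields the page lists for each service: opcode, filename and mode for TFTP (RFC 1350), the request line and the call-id/contact/from/to/user-agent headers for SIP (RFC 3261, compact header forms included), and version, community string, PDU type and requested OIDs for SNMPv1/v2c (BER-encoded). The sample packets are constructed, and the `decode_decoy_request` dispatcher keyed on destination port is my own assumption about how such a listener might hand datagrams to a decoder.

```python
import struct

# ---- TFTP (RFC 1350): opcode, filename, transfer mode ----------------------------
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def parse_tftp_request(data):
    """Extract opcode, filename and mode from a TFTP read/write request datagram."""
    if len(data) < 4:
        raise ValueError("TFTP datagram too short")
    opcode = struct.unpack("!H", data[:2])[0]
    result = {"opcode": opcode, "operation": TFTP_OPCODES.get(opcode, "UNKNOWN"),
              "filename": None, "mode": None}
    if opcode in (1, 2):  # only RRQ/WRQ carry "filename\0mode\0"
        parts = data[2:].split(b"\x00")
        if len(parts) < 3:
            raise ValueError("malformed TFTP request")
        result["filename"] = parts[0].decode("ascii", "replace")
        result["mode"] = parts[1].decode("ascii", "replace").lower()
    return result

# ---- SIP (RFC 3261): request line plus the headers the decoy records ------------
SIP_HEADERS = {"call-id", "contact", "from", "to", "user-agent"}
SIP_COMPACT = {"i": "call-id", "m": "contact", "f": "from", "t": "to"}  # compact forms

def parse_sip_request(data):
    """Return method, Request-URI and the selected headers of a SIP request."""
    head = data.decode("utf-8", "replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[2] != "SIP/2.0":
        raise ValueError("not a SIP request")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name = SIP_COMPACT.get(name.strip().lower(), name.strip().lower())
        if sep and name in SIP_HEADERS:
            headers[name] = value.strip()
    return {"method": request_line[0], "request_uri": request_line[1], "headers": headers}

# ---- SNMP v1/v2c: minimal BER walk for version, community, PDU type, OIDs --------
SNMP_PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
                  0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def _read_tlv(buf, pos):
    """Read one BER tag/length/value (short or long definite length) at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode BER OID content octets to dotted form (first octet packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmp_request(data):
    """Extract version, community, PDU type, request-id and OIDs from an SNMP message."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)            # INTEGER 0 = v1, 1 = v2c
    _, community, pos = _read_tlv(msg, pos)        # OCTET STRING
    pdu_tag, pdu, _ = _read_tlv(msg, pos)          # context tag selects PDU type
    _, request_id, p = _read_tlv(pdu, 0)
    _, _error_status, p = _read_tlv(pdu, p)
    _, _error_index, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, v = [], 0
    while v < len(varbinds):                       # each varbind is SEQUENCE { OID, value }
        _, vb, v = _read_tlv(varbinds, v)
        oid_tag, oid_raw, _ = _read_tlv(vb, 0)
        if oid_tag == 0x06:
            oids.append(_decode_oid(oid_raw))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big", signed=True), "unknown"),
            "community": community.decode("ascii", "replace"),
            "pdu_type": SNMP_PDU_TYPES.get(pdu_tag, "unknown"),
            "request_id": int.from_bytes(request_id, "big", signed=True), "oids": oids}

# ---- Port-based dispatch (assumed wiring, not the product's) ----------------------
DECODERS = {69: ("tftp", parse_tftp_request), 161: ("snmp", parse_snmp_request),
            5060: ("sip", parse_sip_request)}

def decode_decoy_request(src_ip, dst_ip, dst_port, data):
    """Build the log record a passive decoy would emit for one received datagram."""
    if dst_port not in DECODERS:
        raise ValueError(f"no decoder for UDP/{dst_port}")
    service, decoder = DECODERS[dst_port]
    record = {"service": service, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}
    record.update(decoder(data))
    return record

# Constructed sample datagrams (not captured traffic).
SAMPLE_TFTP = b"\x00\x01running-config\x00octet\x00"
SAMPLE_SIP = (b"OPTIONS sip:100@10.0.9.10 SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 10.0.7.41:5060;branch=z9hG4bK-sample1\r\n"
              b"From: \"scanner\" <sip:scanner@10.0.7.41>;tag=1a2b\r\n"
              b"To: <sip:100@10.0.9.10>\r\nCall-ID: 7d1c3e@10.0.7.41\r\nCSeq: 1 OPTIONS\r\n"
              b"m: <sip:scanner@10.0.7.41:5060>\r\nUser-Agent: constructed-sample-ua/1.0\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_SNMP = bytes.fromhex("3027" "020101" "04067075626c6963" "a01a" "02021234" "020100"
                            "020100" "300e" "300c" "06082b06010201010100" "0500")  # v2c GET sysDescr.0

if __name__ == "__main__":
    for port, pkt in ((69, SAMPLE_TFTP), (5060, SAMPLE_SIP), (161, SAMPLE_SNMP)):
        print(decode_decoy_request("10.0.7.41", "10.0.9.10", port, pkt))
```

The SNMP walker reads only definite-length BER and only the fields needed for the record; anything else in the PDU is skipped rather than interpreted, which is the right posture for a decoy that must never act on attacker-controlled input. Malformed datagrams raise `ValueError`, so a caller can log the raw bytes instead of dropping the event.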


Last updated 2 years ago