1 About
1.1 Software Requirements
- UNIX based machine
- Python 2.7
- Bitsight json2cefleef conversion script
1.1.1 Installation
python setup.py install
1.2 Hardware Requirements
Under normal network performance, using commodity processors and memory:

| Events Per Second | CPU | RAM |
|---|---|---|
| 100 | 2 | 2 GB |
| 200 | 2 | 2 GB |
| 500 | 2 | 2 GB |
| 1.000 | 4 | 2 - 3 GB |
| 2.500 | 4 | 2 - 4 GB |
| 5.000 | 4 | 2 - 4 GB |
| 10.000 | 8 | 4 - 8 GB |
| 20.000 | 8 | 4 - 8 GB |
1.3 Required Knowledge
2 Script Configuration
The script fetches Infections Alerts events from the Bitsight API and converts the JSON data into CEF or LEEF format.
2.1 Configurable Variables (config.py)
| Variable | Details |
|---|---|
| OUTPUT_FORMAT | Defines the output format of the data. One of: OUTPUT_FORMAT = 'CEF' or OUTPUT_FORMAT = 'LEEF' |
| SYSLOG_DST_IP | IP address of the Syslog server. |
| SYSLOG_DST_PORT | Port of the Syslog server. |
| APIKEY | Infections Alerts API token. Provided by Bitsight. |
| ENDPOINT | Provided by Bitsight. This defaults to: https://alerts.api.bitsighttech.com |
| FILTERS | Add filters to the API request. Example: for the "maxbytes=1" filter, use ('maxbytes', '1') |
| DEBUG | OFF: no output. DEBUG_JSON_QUEUE: output the queue size. DEBUG_OUT: output CEF/LEEF. DEBUG_SYSLOG: output Syslog messages to a file. VERBOSE: set pyCurl to VERBOSE mode. |
2.2 Execution
$ python json2cefleef.py
3 Field Mapping
3.1 JSON to CEF
| Field | Key Name | Full Name | Data Type | Size |
|---|---|---|---|---|
| env.remote_addr | src | sourceAddress | IPv4 Address | |
| env.remote_port | spt | sourcePort | sourcePort | |
| env.server_name | dhost | destinationHostName | String | 1023 |
| env.server_addr | dst | destinationAddress | IPv4 Address | |
| env.server_port | dpt | destinationPort | Integer | |
| env.request_method | requestMethod | requestMethod | String | 1023 |
| _ts | rt | receiptTime | Time Stamp | |
| trojanfamily | cs1 | deviceCustomString1 | String | 1023 |
| _geo_env_remote_addr.country_name | cs3 | deviceCustomString3 | String | 1023 |
| Key Name | Full Name | Label |
|---|---|---|
| cs1Label | deviceCustomString1Label | trojanFamily |
| cs3Label | deviceCustomString3Label | geoEnvRemoteAddrCountryName |
3.2 JSON to LEEF
| Field | Key Name | Data Type | Size |
|---|---|---|---|
| env.remote_addr | src | IPv4 Address | |
| env.remote_port | srcPort | sourcePort | |
| env.server_name | dhost | String | 1023 |
| env.server_addr | dst | IPv4 Address | |
| env.server_port | dstPort | Integer | |
| env.request_method | requestMethod | String | 1023 |
| _ts | devTime | Time Stamp | |
| trojanfamily | trojanFamily | String | 1023 |
| _geo_env_remote_addr.country_name | geoEnvRemoteAddrCountryName | String | 1023 |
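As an added example (not the Bitsight script's own code), the following Python applies the CEF and LEEF mappings from the two tables above to one constructed event, enforces the Size column, and escapes the characters that would otherwise split an attribute or start a new syslog record. It assumes that dotted field names address nested JSON objects and uses placeholder CEF/LEEF header values (vendor, product, version, event id, name, severity), since the page does not give them.

```python
# (JSON field, CEF key, LEEF key, max size) taken from the mapping tables above
FIELD_MAP = [
    ("env.remote_addr", "src", "src", None),
    ("env.remote_port", "spt", "srcPort", None),
    ("env.server_name", "dhost", "dhost", 1023),
    ("env.server_addr", "dst", "dst", None),
    ("env.server_port", "dpt", "dstPort", None),
    ("env.request_method", "requestMethod", "requestMethod", 1023),
    ("_ts", "rt", "devTime", None),
    ("trojanfamily", "cs1", "trojanFamily", 1023),
    ("_geo_env_remote_addr.country_name", "cs3", "geoEnvRemoteAddrCountryName", 1023),
]
CEF_LABELS = {"cs1": "trojanFamily", "cs3": "geoEnvRemoteAddrCountryName"}
# Header values (vendor, product, version, event id, name, severity) are placeholders
HEADER = ("Bitsight", "Infections Alerts", "0.11.0", "infection", "Infection Alert", "5")
def lookup(event, dotted):
    """Walk 'a.b' through nested dicts (assumed layout); None when a part is missing."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node
def escape(value, output_format):
    """CEF escapes '\\' and '='; LEEF 1.0 splits on tabs; a newline would start a new record."""
    value = value.replace("\r", " ").replace("\n", " ")
    if output_format == "CEF":
        return value.replace("\\", "\\\\").replace("=", "\\=")
    return value.replace("\t", " ")
def convert(event, output_format="CEF"):
    """Return one CEF or LEEF line for an Infections Alerts event dict."""
    vendor, product, version, event_id, name, severity = HEADER
    pairs = []
    for field, cef_key, leef_key, size in FIELD_MAP:
        value = lookup(event, field)
        if value is None:
            continue  # absent field: omit it rather than emit an empty attribute
        text = str(value)[:size] if size else str(value)  # enforce the Size column
        pairs.append((cef_key if output_format == "CEF" else leef_key, text))
    if output_format == "CEF":
        pairs += [(k + "Label", CEF_LABELS[k]) for k, _ in pairs if k in CEF_LABELS]
        ext = " ".join("%s=%s" % (k, escape(v, "CEF")) for k, v in pairs)
        return "CEF:0|%s|%s|%s|%s|%s|%s|%s" % (vendor, product, version, event_id, name, severity, ext)
    ext = "\t".join("%s=%s" % (k, escape(v, "LEEF")) for k, v in pairs)
    return "LEEF:1.0|%s|%s|%s|%s|%s" % (vendor, product, version, event_id, ext)
# Constructed sample event, not real telemetry; the '=' in the country name exercises escaping
SAMPLE = {"_ts": "1600000000000", "trojanfamily": "ExampleFamily", "_geo_env_remote_addr": {"country_name": "Example=Land"},
          "env": {"remote_addr": "203.0.113.7", "remote_port": 49152, "server_name": "sink.example",
                  "server_addr": "198.51.100.9", "server_port": 80, "request_method": "GET"}}
```

Calling convert(SAMPLE, "CEF") and convert(SAMPLE, "LEEF") yields the two output lines; the cs1Label/cs3Label attributes are only emitted for CEF, and only when the matching custom string is present.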
- September 23, 2020: Updated the 0.10.0 package to the 0.11.0 version.