Send all exe and similar files to strelka

[samtheruby]

Hi I have a hopefully easy question, I have a tremendous amount of ingest space for the nsm partition on my drive. I want to make security onion send of the exes and similar files to strelka to be processed and examined by strelka, mainly to have the hash of each file. How would I go about doing this? I'm on the latest version of security onion 2.3 (2.3.260 as of the time of posting).

[cm-ops]

By default Zeek should be extracting exe files and sending them to Strelka for analysis. See /opt/so/saltstack/default/salt/zeek/fileextraction_defaults.yaml for what Zeek is extracting.

[samtheruby]

this is what my file shows:

zeek:
2 policy:
3 file_extraction:
4 - application/x-dosexec: exe
5 - application/pdf: pdf
6 - application/msword: doc
7 - application/vnd.ms-powerpoint: doc
8 - application/rtf: doc
9 - application/vnd.ms-word.document.macroenabled.12: doc
10 - application/vnd.ms-word.template.macroenabled.12: doc
11 - application/vnd.ms-powerpoint.template.macroenabled.12: doc
12 - application/vnd.ms-excel: doc
13 - application/vnd.ms-excel.addin.macroenabled.12: doc
14 - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
15 - application/vnd.ms-excel.template.macroenabled.12: doc
16 - application/vnd.ms-excel.sheet.macroenabled.12: doc
17 - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
18 - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
19 - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
20 - application/vnd.openxmlformats-officedocument.presentationml.template: doc
21 - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
22 - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
23 - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
24 - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
25 - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
26 - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
27 - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
28 - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
29 - application/vnd.openxmlformats-officedocument: doc

Does it extract files downloaded over https? I don't see almost any files being extracted.

[cm-ops]

If you check in SOC/Hunt, what do you see for event.module zeek and event.dataset file? You can also use event.dataset:file | groupby file.mime_type source.ip in Hunt.

[samtheruby]

I see a lot of application/oscp-response and text/html but nothing related to applications or exes

[samtheruby]

This is the other interesting peice of information from zeek notices

[TOoSmOotH]

Are you sure you are seeing .exe files on http? https will not get carved since it is encrypted like.

[samtheruby]

ah ok so that is most likely the issue. Is there any way to make it capture https?

[InfosecGoon]

You'd need to intercept the traffic with something like PolarProxy or an enterprise tap or SSL interception device.

[samtheruby]

Thank you PolarProxy was exactly what I was looking for.