This morning I installed and configured Snare on my AWS EC2 Windows 2012 Server to ship logs to my SplunkStorm project.
Below is a basic query for charting the top processes that have started on the system:
EventID 4688 — A new process has been created.
4688 | rex field=_raw "Process Name: (?<Process_Name>.*) Token Elevation Type:" | sort Process_Name | top limit=10000 Process_Name
Here is a modified version of the query for processes that have terminated:
EventID 4689 — A process has exited.
4689 | rex field=_raw "Process Name: (?<Process_Name>.*) Exit Status:" | sort Process_Name | top limit=10000 Process_Name
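To see what the two rex patterns capture before relying on the charts, here is an added Python example (not from the post or from Splunk) that applies the same regexes to constructed 4688/4689 message text and reproduces the top-N counts. The message layout is assumed from the standard Windows event text; the Snare header fields are omitted.

```python
import re
from collections import Counter

# Same extraction as the two SPL rex commands in the post, written with Python's
# named-group syntax (?P<...>) so the regexes can be checked offline first.
PATTERNS = {
    4688: re.compile(r"Process Name: (?P<Process_Name>.*) Token Elevation Type:"),
    4689: re.compile(r"Process Name: (?P<Process_Name>.*) Exit Status:"),
}

# Constructed sample events as (event id, message text); not real log data. The
# field order follows the Windows 4688/4689 message layout the rex patterns rely
# on; the Snare header fields are left out since the rex runs over all of _raw.
SAMPLE_EVENTS = [
    (4688, "A new process has been created. Process Information: New Process ID: "
           "0x1a4 New Process Name: C:\\Windows\\System32\\cmd.exe Token Elevation "
           "Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3e8"),
    (4688, "A new process has been created. Process Information: New Process ID: "
           "0x2b0 New Process Name: C:\\Program Files\\Internet Explorer\\iexplore.exe "
           "Token Elevation Type: TokenElevationTypeLimited (3) Creator Process ID: 0x5dc"),
    (4688, "A new process has been created. Process Information: New Process ID: "
           "0x3f8 New Process Name: C:\\Windows\\System32\\cmd.exe Token Elevation "
           "Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3e8"),
    (4689, "A process has exited. Process Information: Process ID: 0x1a4 "
           "Process Name: C:\\Windows\\System32\\cmd.exe Exit Status: 0x0"),
    (4688, "A new process has been created. (message text cut off by the agent)"),
]

def extract_process_name(event_id, raw):
    """Return the Process_Name field for one event, or None where the rex would not match."""
    pattern = PATTERNS.get(event_id)
    match = pattern.search(raw) if pattern else None
    return match.group("Process_Name") if match else None

def top_processes(events, event_id, limit=10000):
    """Mimic '<id> | rex ... | top limit=N Process_Name': (name, count), most common first."""
    counts = Counter()
    for eid, raw in events:
        name = extract_process_name(eid, raw) if eid == event_id else None
        if name is not None:  # events the rex cannot parse drop out, as they do in Splunk
            counts[name] += 1
    return counts.most_common(limit)

if __name__ == "__main__":
    for name, count in top_processes(SAMPLE_EVENTS, 4688):
        print(f"{count:>5}  {name}")
```

Note that a path containing spaces (Program Files) survives because the greedy `.*` runs up to the literal field label that follows, and an event whose message text is truncated simply drops out of the count rather than producing a partial name.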
More to come…
It seems that every year for the last six years, I refresh the website look with a different theme, and make a renewed attempt to add content. This year is no different.
This year I’m also taking advantage of the free CloudFlare service to provide security protection for the blog and its visitors, and faster delivery of the site via their CDN network. If you’re suspected of being infected with malware, CloudFlare will notify you and may require a captcha before you can access the site. Additionally, they provide Web Application Firewall capability that protects against common attacks such as SQLi and XSS.
Some other recent technologies I’m taking a look at include the Amazon Web Services EC2 Windows 2012 Micro Instance and the cloud offering from Splunk — Splunk Storm.
So far the AWS instance seems to be a nice way to try out the latest server platform without having to obtain a copy of the OS Installation material. Previously, this was easily done through a corporate MSDN account to quickly try it out in a dev environment. My current position doesn’t afford me that luxury, so it’s nice to see that I can still try it through AWS EC2.
Until next time.