-
Notifications
You must be signed in to change notification settings - Fork 522
FreqServer
We're currently working on integrating FreqServer, (a dockerized version of Mark Baggett's freq_server.py, found at https://github.com/MarkBaggett/MarkBaggett/blob/master/freq/freq_server.py) into Security Onion with our move to the Elastic stack.
Thanks to Justin Henderson for all his work with the FreqServer docker image!
FreqServer is based on freq.py and freq_server.py (originally created by Mark Baggett).
From https://github.com/sans-blue-team/freq.py:
Mark Baggett's (@MarkBaggett - GSE #15, SANS SEC573 Author) Awesome-Sauce tool for detecting randomness using NLP techniques rather than pure entropy calculations. Uses character pair frequency analysis to determine the likelihood of tested strings of characters occurring based upon the chosen frequency tables (some prebuilt English text freq tables provided). Extremely useful for detecting high entropy where it shouldn't be. Especially powerful for discovering DNS based DGAs commonly used for malware C2 and exfiltration. Think bigger than DGAs though. Random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
From https://isc.sans.edu/forums/diary/Continuous+Monitoring+for+Random+Strings/20451/
Freq_server.py is a multithreaded web based API that will allow you to quickly query your frequency tables. The server isn’t intended to replace freq.py. Instead, after building a frequency table of normal strings in your environment with freq.py, you start a server up to allow services to measure various strings against that table. You can run multiple servers to provide access to different frequency tables.
For information how to modify configuration for FreqServer, consult the following:
https://github.com/SMAPPER/docker_freq_server
FreqServer's logs can be found at /var/log/freq_server/
.
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs