Skip to content
This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

FreqServer

doug edited this page Aug 27, 2019 · 10 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/FreqServer.

Description

FreqServer is based on freq.py and freq_server.py (originally created by Mark Baggett).
Thanks to Justin Henderson for all his work with the FreqServer docker image!

From https://github.com/sans-blue-team/freq.py:

Mark Baggett's (@MarkBaggett - GSE #15, SANS SEC573 Author) Awesome-Sauce tool for detecting randomness using NLP techniques rather than pure entropy calculations. Uses character pair frequency analysis to determine the likelihood of tested strings of characters occurring based upon the chosen frequency tables (some prebuilt English text freq tables provided). Extremely useful for detecting high entropy where it shouldn't be. Especially powerful for discovering DNS based DGAs commonly used for malware C2 and exfiltration. Think bigger than DGAs though. Random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.

From https://isc.sans.edu/forums/diary/Continuous+Monitoring+for+Random+Strings/20451/

Freq_server.py is a multithreaded web based API that will allow you to quickly query your frequency tables. The server isn’t intended to replace freq.py. Instead, after building a frequency table of normal strings in your environment with freq.py, you start a server up to allow services to measure various strings against that table. You can run multiple servers to provide access to different frequency tables.

Configuration

For information how to modify configuration for FreqServer, consult the following:
https://github.com/SMAPPER/docker_freq_server

FreqServer is disabled by default when running Production Mode with Best Practices.
You can enable it by doing the following:

sudo sed -i 's/FREQ_SERVER_ENABLED="no"/FREQ_SERVER_ENABLED="yes"/' /etc/nsm/securityonion.conf
sudo so-elastic-start
sudo so-logstash-restart

FreqServer's logs can be found in /var/log/freq_server/.

Kibana

You can find FreqServer data on the Frequency Analysis dashboard.

DNS Frequency Analysis

freq1-dns freq2-dns

HTTP Frequency Analysis

freq3-http

SSL Frequency Analysis

freq4-ssl freq5-ssl freq6-ssl

X.509 Frequency Analysis

freq7-x509 freq8-x509 freq9-x509

Clone this wiki locally