1. Introduction
Hello everyone, today we are going to see how to collect in QRadar the events that external applications send over HTTP. Many applications offer this feature, and these events are often valuable for security monitoring and for supervision in general.
For this article we use the BookStack web application as the example, but the same setup works with any application that can send its logs over HTTP, including one we developed ourselves!
2. HowTo
To start, we have to configure within QRadar:
We choose the Universal DSM, which lets us run our tests without a vendor-specific parser.
We then choose the “HTTP Receiver” protocol, which makes QRadar listen for the “POST” requests sent by the application.
We then configure the log source name as well as other reception parameters such as the target Event Collector.
Then we configure the protocol:
- Log Source Identifier: this defines the “identifier” of the log source. Unlike log sources that send syslog, this identifier does not need to match the IP address or the hostname, so we can name it “MonApplication@API”.
- Communication Type: HTTPS or HTTP. It must match the protocol the application uses to send its logs; otherwise QRadar will not receive them. With HTTP the events travel in cleartext and anyone who can reach the port can read or inject them, so prefer HTTPS outside a lab and restrict which sources may reach the port.
- TLS Version: this parameter only needs to be configured when the Communication Type chosen above is HTTPS.
- Listen Port: the port on which the logs will be received. We must make sure it is not already used by another collection. To do so, we can run the following command
netstat -lapute | grep <PORT>
on our QRadar and it should return nothing (on releases where netstat is not installed, ss -ltnup | grep <PORT> does the same job).
The remaining options can be left at their defaults, but we could also adjust them, for example to limit the payload size, or to raise it if truncated events are received.
For the log source and the listening port to be fully operational, a deploy must be launched from the QRadar GUI (Admin tab, Deploy Changes).
Then we have to configure the application:
The application chosen for the tests here is BookStack. As stated earlier, we could choose any application we want as long as it can send its logs over HTTP.
Configuration link : https://<FQDN>/settings/webhooks
We have to use an admin account, click on “CREATE NEW WEBHOOK” and fill in the webhook parameters (name, endpoint and the events to forward):
We must not forget the “http://” prefix if we chose HTTP in the QRadar log source configuration (“https://” for HTTPS), and we must append the listening port after the “:”, which gives an endpoint of the form http://<QRadar IP or FQDN>:<PORT>/.
To check that logs are received, you can use the Log Activity tab in the GUI or run the following command line on QRadar: tcpdump -i any 'dst port <PORT>' -X. Triggering an event in BookStack (editing a page, for example) should then show the POST request and its JSON body.
3. Conclusion
We are now able to retrieve in QRadar the information provided by web applications, and to supervise them better as a result.
4. Bibliography
- IBM Documentation on the HTTP Receiver Protocol: https://www.ibm.com/docs/en/dsm?topic=options-http-receiver-protocol-configuration
- BookStack Project: https://www.bookstackapp.com/
Thank you for reading this article, I really hope it has been useful! Do not hesitate to comment via the form just below.