Tracking Tweets in your SIEM

My previous post about monitoring pastebin.com within your SIEM gave ideas to some of you. On aftershell.com, you will find a fork of my script to monitor WordPress RSS feeds. If pastebin.com, like blogs, may contain relevant pieces of information, do not underestimate the value of social networks! There are plenty of them: Google+, LinkedIn, Twitter, Facebook, etc. Let’s focus on Twitter.

Why Twitter? The micro-blogging website is used by more and more people and is a good communication vector to spread information in the wild. As an example, announcements made by @anonymous or @lulzsec are relayed on Twitter. Your company may be present on Twitter (for communication or helpdesk purposes), as well as your competitors!

The principle remains the same as for pastebin.com: a Perl script calls the Twitter API to track the keywords you define and logs the matching Tweets to a Syslog server in free-text or CEF format:

# ./twittermon.pl --help
Usage: ./twittermon.pl --config=filepath [--facility=daemon ] [--debug] [--help]
                [--cef-destination=fqdn|ip] [--cef-port=<1-65535> [--cef-severity=<1-10>]
                [--pidfile=file] --twitter-user=username]
                [--twitter-pass=password]
Where:
--cef-destination : Send CEF events to the specified destination (ArcSight)
--cef-port        : UDP port used by the CEF receiver (default: 514)
--cef-severity    : Generate CEF events with the specified priority (default: 3)
--debug           : Enable debug mode (verbose - do not detach)
--facility        : Syslog facility to send events to (default: daemon)
--help            : What you're reading now.
--pidfile         : Location of the PID file (default: /var/run/pastemon.pid)
--config          : Configuration file with keywords to match (send SIGUSR1 to reload)
--twitter-user    : Your Twitter username
--twitter-pass    : Your Twitter password

The configuration remains easy: you define what must be monitored and detected via a text file (one keyword per line). But there are limitations! Being based on the Twitter streaming API, the script does not allow you to specify regular expressions, only words. Why? A first version of the script implemented regular expressions and accessed Twitter via the “sample” method. In that case, the main issue was the relevance of the received feed: only a sample of the full activity was received. It is simply impossible to receive and process all Tweets posted on the social network! By using the “track” method, Twitter filters the flow of messages itself and sends you only the relevant ones. The API does not support regular expressions (not even simple wildcards). The second limitation is the length of monitored keywords: it cannot exceed 60 characters. Access to the Twitter API is handled via the Perl module AnyEvent::Twitter::Stream.
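To make the two limitations concrete, here is an added Python example (not part of twittermon.pl, which is written in Perl) that validates a one-keyword-per-line config against the 60-character and no-regex constraints of the “track” method, approximates how “track” matches multi-word keywords, and formats a hit as a CEF event with the default severity of 3. The CEF vendor, product, version and signature ID values, and the sample tweet, are constructed for the example.

```python
import re

MAX_TRACK_LEN = 60  # the streaming "track" method caps each keyword at 60 characters
REGEX_METACHARS = set(r".^$*+?{}[]\|()")  # "track" matches plain words, no regex/wildcards

def load_keywords(text):
    """Parse a twittermon-style config (one keyword per line) and reject
    entries that the Twitter streaming "track" method cannot filter on."""
    keywords = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        kw = raw.strip()
        if not kw:
            continue
        if len(kw) > MAX_TRACK_LEN:
            raise ValueError(f"line {lineno}: keyword longer than {MAX_TRACK_LEN} chars")
        if REGEX_METACHARS & set(kw):
            raise ValueError(f"line {lineno}: regex and wildcards are not supported")
        keywords.append(kw.lower())
    return keywords

def matched_keywords(tweet_text, keywords):
    """Return the configured keywords a tweet matches. Like "track", a
    multi-word keyword matches when all of its words appear, in any order."""
    words = set(re.findall(r"\w+", tweet_text.lower()))
    return [kw for kw in keywords
            if all(w in words for w in re.findall(r"\w+", kw))]

def cef_escape(value):
    """Escape a CEF extension value: backslash, '=' and newlines are special."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))

def build_cef(user, tweet_text, keywords, severity=3):
    """Build a CEF:0 event for a matching tweet (severity defaults to 3, like
    --cef-severity). Vendor/product/version/signature values are constructed."""
    ext = " ".join(f"{k}={cef_escape(v)}" for k, v in (
        ("suser", user), ("msg", tweet_text),
        ("cs1Label", "keywords"), ("cs1", ",".join(keywords))))
    return f"CEF:0|twittermon|twittermon.pl|1.0|100|Tweet matched keyword|{severity}|{ext}"

if __name__ == "__main__":
    # Constructed sample config and tweet, not real data.
    kws = load_keywords("acme corp\nleaked passwords\nhelpdesk\n")
    sample = "Leaked passwords of ACME Corp dumped here: http://example.invalid/?x=1"
    hits = matched_keywords(sample, kws)
    if hits:
        print(build_cef("someuser", sample, hits))
```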

Otherwise, the script generates events in the same way as the pastebin.com one. You can find it here.
