
Document: Introduction to Logfile Analysis (docx)


DOCUMENT INFORMATION

Basic information

Title: Introduction to Logfile Analysis
Author: Guy Bruneau
Instructor: Guy Bruneau, GCIA
Institution: Canadian Department of National Defense
Field: Cybersecurity / Network Security
Type: Introductory course
Year published: 2001
City: Unknown
Format:
Pages: 41
Size: 480.13 KB


Contents


Page 1

Introduction to Log File Analysis – SANS GIAC LevelTwo©2001 1

Introduction to Logfile Analysis

Guy Bruneau, GCIA

Part 1

This module is designed to provide an introduction to various types of security logging software and how to interpret their content.

Greetings! I am Guy Bruneau. Today's talk will be on "Introduction to Logfile Analysis". I would like to thank the SANS Institute for this opportunity to share some of my experience and knowledge in this sometimes difficult area.

This course is divided into two course modules. The first module will cover a variety of security logs, to help you recognize the format and the tool that generated it.

In the second module, we are going to work with a case stressing the importance of data correlation to piece together the intent of the probe. It will also be accompanied by three practical exercises.

I am currently the Intrusion Detection System Engineering Coordinator at the Canadian Department of National Defense's Computer Incident Response Team (DND CIRT). I have experience in UNIX security, computer network intrusion detection, network security auditing, incident response and reporting, and anti-virus support, and first-hand knowledge of using and tailoring Cisco Secure IDS, Snort, Shadow and RealSecure.


Page 5

Objectives

Provides the student with sufficient information to be able to recognize suspicious events such as port scans, network probes, AUP violations, etc.

The object of this course is to provide future analysts with enough information to recognize a wide range of security logs, so that they can detect suspicious events, investigate abnormal traffic and take appropriate action when necessary.

As an example, the following categories may be used to classify events:

- Privileged access (system compromised and root access obtained)

- Limited access (system compromised with a user account)

- Reconnaissance (network or host mapping, OS fingerprinting, etc.)

- Stealth reconnaissance (FIN, SYN/FIN, inverse mapping, etc.)

- Denial of service (fragments, ICMP flood, SYN flood, etc.)

- Distributed denial of service (ICMP flood)

- AUP (acceptable use policy) violation

Page 6

What is Log Analysis?

It is an active or continuous attempt to detect intrusive activities.

One of the most important "weapons" an intrusion detection or incident handling analyst has is the ability to correctly identify, recognize and analyze suspicious events within the security logs they use on a daily basis.

This includes working with router logs, firewall logs, intrusion detection system logs and a variety of miscellaneous logs.

Each tool has its strengths and weaknesses.

Page 7


Cisco Router Log

Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102

One tool that accomplishes such a task is a router, in this case a Cisco router. Access control lists (ACLs) offer powerful tools for network control. These lists add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices. Reviewing the router logs often yields valuable information on traffic that has been denied entry to your network.

- Standard access lists (1 to 99) check the source IP address.

- Extended access lists (100 to 199) check source and destination IP addresses, specific protocols, and TCP and UDP port numbers (with Cisco IOS version 11.2).

- Standard IPX access lists (800 to 899).

Two things to keep in mind when reading these entries: an ACL entry only produces %SEC-6-IPACCESSLOGP messages when it was configured with the log (or log-input) keyword, so silence in the log does not mean nothing was denied; and IOS does not log every matching packet but periodically summarizes matches, so the packet count that ends each message must be read rather than counting lines.

- Standard IPX access list (800 – 899)

Page 8

access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
ip access-group 101 out

Access-list command     Description
deny                    Traffic that matches the selected parameters will not be forwarded.
tcp                     Transport-layer protocol.
172.16.4.0 0.0.0.255    Source IP address and wildcard mask: the first three octets must match, the last octet is ignored. The wildcard mask is a netmask "read backward": a 1 bit means "don't care", a 0 bit means "must match".
any                     Match any destination IP address.
eq 23                   Matches the well-known port number for Telnet; placed after the destination, it applies to the destination port.
permit                  Traffic that matches the selected parameters will be forwarded.
ip                      Any IP protocol.
any                     Keyword matching traffic from any source.
any                     Keyword matching traffic to any destination.

Entries are evaluated in order and the first match wins; a packet that matches no entry falls through to the implicit deny at the end of the list. Because the list is applied with ip access-group 101 out, it filters traffic leaving interface ethernet 0.
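To make the wildcard-mask and first-match semantics concrete, here is an added example (written for this page, not part of the course) that parses the two access-list 101 entries above and evaluates packets against them, including the implicit deny. The test packets in the main block are constructed; the function names are this example's own.

```python
import ipaddress

# The two entries from the slide (the course's own ACL). IOS appends an
# implicit "deny ip any any" that never appears in the configuration.
ACL_TEXT = """\
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
"""


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard masks are the inverse of a netmask: a 1 bit means
    'ignore this bit'. 0.0.0.255 therefore matches every host in a /24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_endpoint(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z')
    followed by an optional 'eq <port>' operator. Returns ((net, wild), port)."""
    t = tokens.pop(0)
    if t == "any":
        spec = ("0.0.0.0", "255.255.255.255")
    elif t == "host":
        spec = (tokens.pop(0), "0.0.0.0")
    else:
        spec = (t, tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return spec, port


def parse_acl(text):
    """Parse numbered extended-ACL lines into an ordered list of entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src, sport = _take_endpoint(rest)
        dst, dport = _take_endpoint(rest)
        entries.append({"acl": number, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; a list with no match ends in the implicit
    deny. Returns (action, 1-based entry number, or None for the implicit deny)."""
    for idx, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not wildcard_match(src, *e["src"]):
            continue
        if not wildcard_match(dst, *e["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed test packets (proto, src, sport, dst, dport); not from the course.
    for pkt in [("tcp", "172.16.4.7", 1025, "10.1.1.1", 23),
                ("tcp", "172.16.5.7", 1025, "10.1.1.1", 23),
                ("tcp", "172.16.4.7", 1025, "10.1.1.1", 80),
                ("udp", "172.16.4.7", 1025, "10.1.1.1", 23)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Only the first packet is denied: the second comes from 172.16.5.x, which the wildcard mask excludes, the third is not port 23, and the fourth is UDP, which a tcp entry never matches. A list that contains only deny entries denies everything, because the implicit deny catches whatever the entries do not.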

Page 9


Firewall logs: ConSeal Firewall

2000/01/04 1:50:03 AM GMT -0500: AcerLAN ALN-325 1 [0000][No matching rule] Blocking incoming TCP:

The second sample is from Linux's IPChains: a firewall-filtered probe sent to ports 111 (RPC services), 31789 (Hack'a'Tack) and 1243 (SubSeven). The same observation applies here regarding the RPC services exploits (December 1999).

A breakdown of the Linux firewall log fields is given on the next slide.

Page 10

Linux Firewall

The example values in the table assemble into one ipchains kernel log line:

Jun 1 11:11:49 Mail kernel: Packet log: input REJECT eth0 PROTO=17 10.100.1.228:57048 192.168.1.211:137 L=78 S=0x00 I=53412 F=0x0000 T=108 (#3)

Field             Example               Description
Date & time       Jun 1 11:11:49        Date and time at which the packet was logged.
Hostname          Mail                  The hostname of the computer.
Syslog facility   kernel: Packet log:   The syslog facility the entry came from; ipchains entries always come from the kernel. "Packet log:" is a fixed prefix that is handy when searching the logs.
Chain name        input                 The chain the rule is attached to. Possible values: input, output and forward.
Action taken      REJECT                How the packet was handled. Possible values: ACCEPT, REJECT, DENY, MASQ, REDIRECT and RETURN.
Interface         eth0                  The network interface on which the packet was seen.
Protocol #        PROTO=17              The IP protocol number. Common values: 1 (ICMP), 6 (TCP) and 17 (UDP). For ICMP the type and code are shown in the two "port" positions.
Source            10.100.1.228:57048    Source IP address and port of the packet.
Destination       192.168.1.211:137     Destination IP address and port of the packet.
Length            L=78                  Total length of the IP packet in bytes.
TOS               S=0x00                The Type of Service byte from the packet.
ID                I=53412               The IP identification field; all fragments of one datagram share it.
Fragment offset   F=0x0000              The raw fragment word of the IP header: the DF and MF flag bits plus the fragment offset. It is non-zero for fragments and for packets sent with "don't fragment" set (F=0x4000).
TTL               T=108                 The time-to-live value from the packet.
Rule #            (#3)                  The number of the rule that logged this entry.

This IPChains chart is to be used with the previous slide; it describes the ipchains firewall log fields. A TCP packet with SYN set and ACK clear is additionally tagged SYN just before the rule number.
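As an added example (not from the course), the following Python parses lines in the ipchains format the table describes, decodes the F= fragment word and lists which services each source was refused. The log lines are constructed for the example: the first repeats the table's own values, the next three mimic the probe to ports 111, 31789 and 1243 mentioned on the previous slide, and the rest exercise the ICMP, fragment and ACCEPT cases. Hostnames and addresses are illustrative.

```python
import re
from collections import defaultdict

# Constructed log lines in the ipchains kernel format described in the table
# above. Not real traffic: the first line reuses the table's example values,
# the others mimic the 111/31789/1243 probe and add ICMP, fragment and ACCEPT cases.
SAMPLE_LOG = """\
Jun  1 11:11:49 Mail kernel: Packet log: input REJECT eth0 PROTO=17 10.100.1.228:57048 192.168.1.211:137 L=78 S=0x00 I=53412 F=0x0000 T=108 (#3)
Jun  1 11:12:03 Mail kernel: Packet log: input DENY eth0 PROTO=6 10.100.1.228:2301 192.168.1.211:111 L=60 S=0x00 I=53420 F=0x4000 T=108 SYN (#5)
Jun  1 11:12:04 Mail kernel: Packet log: input DENY eth0 PROTO=17 10.100.1.228:2302 192.168.1.211:31789 L=30 S=0x00 I=53421 F=0x0000 T=108 (#5)
Jun  1 11:12:05 Mail kernel: Packet log: input DENY eth0 PROTO=6 10.100.1.228:2303 192.168.1.211:1243 L=60 S=0x00 I=53422 F=0x4000 T=108 SYN (#5)
Jun  1 11:12:30 Mail kernel: Packet log: input DENY eth0 PROTO=1 10.100.1.228:8 192.168.1.211:0 L=84 S=0x00 I=53430 F=0x0000 T=108 (#2)
Jun  1 11:13:00 Mail kernel: Packet log: input DENY eth0 PROTO=17 10.100.1.9:53 192.168.1.211:53 L=1500 S=0x00 I=777 F=0x20B9 T=64 (#7)
Jun  1 11:13:10 Mail kernel: Packet log: output ACCEPT eth0 PROTO=6 192.168.1.211:1045 10.100.1.9:25 L=60 S=0x10 I=900 F=0x4000 T=64 SYN (#1)
"""

IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_frag(frag):
    """The F= field is the raw 16-bit fragment word of the IP header:
    bit 0x4000 = DF, bit 0x2000 = MF, low 13 bits = offset in 8-byte units.
    Returns (df, mf, offset_in_bytes)."""
    return bool(frag & 0x4000), bool(frag & 0x2000), (frag & 0x1FFF) * 8


def parse_ipchains(text):
    """Turn each ipchains log line into a dict of typed fields; skip non-matching lines."""
    records = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
            r[k] = int(r[k])
        r["tos"] = int(r["tos"], 16)
        r["frag"] = int(r["frag"], 16)
        r["df"], r["mf"], r["frag_offset"] = decode_frag(r["frag"])
        r["syn"] = r["syn"] is not None
        r["proto_name"] = PROTO_NAMES.get(r["proto"], str(r["proto"]))
        # For ICMP the two "port" positions actually carry type and code.
        if r["proto"] == 1:
            r["service"] = f"{r['sport']}/{r['dport']}"
        else:
            r["service"] = r["dport"]
        records.append(r)
    return records


def blocked_services_by_source(records):
    """Distinct (protocol, destination service) pairs each source was refused:
    the summary an analyst builds by hand to characterise a probe."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] in ("DENY", "REJECT"):
            seen[r["src"]].add((r["proto_name"], r["service"]))
    return {src: sorted(s) for src, s in seen.items()}


if __name__ == "__main__":
    for src, services in blocked_services_by_source(parse_ipchains(SAMPLE_LOG)).items():
        print(src, services)
```

Reading F= as a raw fragment word matters in practice: F=0x4000 is a normal packet with DF set, whereas 0x20B9 (MF set, offset 1480) is a genuine fragment, and fragments arriving on a chain that did not see the first fragment are one of the evasion cases the course's denial-of-service category alludes to.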

Page 11


Firewall logs: ZoneAlarm Pro (Windows 9x/NT)

ZoneAlarm Basic Logging Client v2.1.3
Windows NT-4.0.1381-Service Pack 5-SP

type  date        time                source               destination          transport
FWIN  2000/04/28  09:48:24 -5:00 GMT  192.168.120.24:1364  192.168.209.246:161  UDP

According to the vendor, version 2.1 of ZoneAlarm Pro features MailSafe, which stops e-mail-borne Visual Basic Script worms such as the "I Love You" virus "dead in its tracks", thwarting their spread and preventing them from wreaking havoc on a PC.

In this slide, 192.168.120.24 is a Solaris workstation running HP OpenView, which polls devices with the Simple Network Management Protocol (SNMP, UDP port 161) and pings (ICMP) every device on the network. With this knowledge, the activity is considered normal.

However, since the address is constantly probing the network, it may be considered suspicious activity and therefore requires an investigation, at least once, to confirm it as a known management station.

Page 12

3Com OfficeConnect Internet Firewall 25

UTC 11/22/2000 04:04:13.128 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7
UTC 11/22/2000 04:04:14.000 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7

This firewall provides network security for up to 25 users on a local area network (LAN). 3Com claims it can prevent unauthorized access and denial-of-service (DoS) attacks such as Ping of Death, SYN flood, IP spoofing, etc. Here the dropped connection is aimed at port 27374, the SubSeven 2.1 listener, and the same source port appears twice within a second, so the two lines are most likely one attempt and its retransmission.

More information available at:

http://buydirect.3com.com/iom_dcms/b2c/catalog/detail.html?SKU=3C16770-US&SM=SML_BUS

Page 13


IPfilter firewall

Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 rl0 @0:1 p 10.245.45.90 -> my-fw PR icmp len 20 29 icmp 13/0 IN

Field                     Meaning
Aug 15 10:11:49           Date/time group (syslog timestamp)
quasi-evil                Hostname of the firewall
ipmon[28775]              Firewall logging process (ipmon) and its process ID
10:11:49.129790           Packet timestamp as recorded by ipmon, with microseconds
rl0                       Interface the packet was seen on
@0:1                      Group and rule number that matched (group 0, rule 1)
p                         Action: p = passed, b = blocked
10.245.45.90 -> my-fw     Source and destination (for TCP and UDP the port follows the address after a comma)
PR icmp                   Protocol identifier: PR introduces the protocol name, here icmp (it is not the TCP PSH and RST flags)
len 20 29                 Protocol-specific information: IP header length 20 bytes, total length 29 bytes
icmp 13/0                 ICMP type 13 (timestamp request), code 0
IN                        Direction relative to the firewall (inbound)

Page 14

Gauntlet Firewall

A keyword to look for with this firewall is securityalert, which is always associated with Gauntlet.

More information available at: http://www.pgp.com/products/config-guide.asp#gauntlet

Page 15


SonicWall SOHO Firewall

11/01/2000 23:56:30.208 - Sub Seven Attack Dropped - Source:10.21.187.87, 4426, WAN Destination:10.110.193.10, 1243, LAN
11/01/2000 23:56:30.768 - Sub Seven Attack Dropped - Source:10.21.187.87, 4426, WAN Destination:10.110.193.10, 1243, LAN
11/02/2000 00:09:34.592 - Sub Seven Attack Dropped - Source:10.21.187.87, 2012, WAN Destination:10.110.193.10, 1243, LAN
11/02/2000 00:09:35.144 - Sub Seven Attack Dropped - Source:10.21.187.87, 2012, WAN Destination:10.110.193.10, 1243, LAN

SonicWALL SOHO2 offers an Internet security solution for small offices and for people with limited networking experience. SonicWALL provides a firewall, network anti-virus, virtual private networking (VPN), strong authentication using digital certificates, and content filtering.

SonicWall SOHO shows the filtering rule that raised the alert right after the date/time group ("Sub Seven Attack Dropped -"). Note that the entries come in pairs about half a second apart from the same source port, so the four lines most likely represent two connection attempts (each SYN and its retransmission), thirteen minutes apart, from the same host.

More information available at: http://www.sonicwall.com/products/soho/index.html

Page 16

Cisco PIX Firewall

Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-2-106001: Inbound TCP connection denied from 12.20.64.120/10101 to cidr.addr.pool.98/111 flags SYN on interface outside
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate)

One of the recognizable features of its logs is the %PIX tag, which identifies a Cisco PIX firewall. The tag is followed by the severity (2 = critical, 7 = debugging) and a six-digit message number, so an event can be matched across PIX software versions by its number (here 106001, inbound TCP connection denied) rather than by its wording. In the first line the address/port pairs read source 12.20.64.120 port 10101 to destination port 111 (sunrpc), which fits the RPC probes seen in the other logs in this module.

More information available at: http://www.cisco.com

Page 17


Check Point FireWall-1

Time  Origin  Action  Dst Port  Src IP  Dst IP  Protocol  Src Port

• Malicious Activity Detection

• Network Address Translation

One of the recognizable features of its logs is the string firewall-1.

More information available at:

http://www.checkpoint.com/products/firewall-1/

Page 18

BlackICE Defender (Windows 9x/NT)

Severity  Timestamp (GMT)      Issue ID  Issue Name           Intruder IP   Intruder Name  Victim IP   Victim Name  Parameters  Count
39        2000-04-15 13:22:09  2003402   RPC port probe       10.10.20.142  scan.com       10.4.6.123  target.net   port=111    1
39        2000-04-15 13:36:06  2003402   RPC port probe       10.30.20.142  scan.com       10.4.6.123  target.net   port=111    1
59        2000-04-15 20:02:07  2003105   SubSeven port probe  10.1.3.92     pick.com       10.4.6.123  target.net   port=1243   2
59        2000-03-22 00:35:09  2003105   SubSeven port probe  10.1.4.6      poke.net       10.4.6.123  target.net   port=27374  1

For trace number 3, the full text of the Parameters field is: Port=1243&name=Fho+7

For trace number 4, the full text of the Parameters field is: Port=27374&name=Sub_7_2

Here we have a tool combining a lightweight intrusion detection system with a personal firewall.

This tool has become very popular among home users because of its price and ease of use. The user can obtain online assistance about the event and the steps required to protect themselves.

In this example, we have probes to RPC services (111), a SubSeven probe (1243) and a SubSeven 2.1 probe (27374).

Page 19


SnortSnarf

This tool was designed to process Snort alert logs into web pages. It produces HTML output intended to make browsing the alarms easy. Using a cron job, it is possible to produce a daily or hourly HTML summary of the Snort alerts.

This package is available at: http://www.silicondefense.com/snortsnarf/

Page 20

Snort logs

[**] SCAN-SYN FIN [**]
10/25-20:33:38.568567 63.78.46.199:21 -> my.net.109:21
TCP TTL:26 TOS:0x0 ID:39426
**SF**** Seq: 0x76F7894 Ack: 0x59E55EAE Win: 0x404

Snort information        Meaning
[**] SCAN-SYN FIN [**]   Snort signature (the rule's alert message)
10/25-20:33:38.568567    Date/time group
63.78.46.199:21          Source address and port (21)
->                       Direction operator
my.net.109:21            Destination address and port (21)
TCP TTL:26               Protocol and time to live (TTL)
TOS:0x0                  Type of service (TOS)
ID:39426                 IP identification field (decimal)
**SF****                 TCP flags; here SYN and FIN are both set
Seq: 0x76F7894           Sequence number in hex
Ack: 0x59E55EAE          Acknowledgement number in hex
Win: 0x404               Window size in hex

Well, what is Snort? It is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. Its features are rule-based logging, protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, to a separate "alert" file, to the Event Viewer on Windows NT, or as a WinPopup message via Samba's smbclient. It is now available for Solaris, Linux and Windows NT.

In this slide we have a SYN/FIN alert generated by a tool called synscan (synscan1.6.tar.gz). This output was generated by Snort version 1.6.3. A SYN/FIN combination is never produced by a normal TCP stack (SYN opens a connection, FIN closes one), so the packet was crafted; the identical source and destination ports (21 -> 21) are another fingerprint of this scanner, and the same IP ID (39426) and window (0x404) turn up in the second capture below, months later, as is typical of a tool that hard-codes its packet fields.

Note: the following is output from Snort version 1.7, with some added information (IpLen is the IP header length, DgmLen the total datagram length and TcpLen the TCP header length, all in bytes), and the TCP flags are now printed in the right order, 12UAPRSF (the two reserved bits, then URG, ACK, PSH, RST, SYN, FIN), so SYN and FIN occupy the last two positions:

[**] IDS198 - SCAN-SYN FIN [**]
01/27-15:30:22.068157 24.9.81.251:1578 -> 24.112.132.243:1578
TCP TTL:34 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x738F19BC Ack: 0x4BD47DD0 Win: 0x404 TcpLen: 20

Portscan output log

Jul 13 20:16:36 192.168.30.1:57254 -> 192.168.30.10:1 SYN **S*****

Jul 13 20:16:36 192.168.30.1:57256 -> 192.168.30.10:1 XMAS ****FP*U

Jul 13 20:16:37 192.168.30.1:57249 -> 192.168.30.10:21 SYN **S*****
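As an added example (not part of the course material), the following Python parses Snort 1.7 four-line alert records like the one above, decodes the flag string in the 12UAPRSF order, and applies the checks an analyst makes by eye: SYN and FIN together, a null or Xmas flag set, and the equal source/destination port quirk of synscan. The first record in the sample is the slide's own Snort 1.7 alert; the second is a constructed benign SYN so that there is a record which passes. Function and field names are this example's own.

```python
import re

# First record: the Snort 1.7 alert shown on this slide. Second record: a
# constructed, ordinary SYN so the checks have a benign case to pass.
SAMPLE_ALERTS = """\
[**] IDS198 - SCAN-SYN FIN [**]
01/27-15:30:22.068157 24.9.81.251:1578 -> 24.112.132.243:1578
TCP TTL:34 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x738F19BC Ack: 0x4BD47DD0 Win: 0x404 TcpLen: 20

[**] CONSTRUCTED - ordinary connection request [**]
01/27-15:31:02.000001 10.1.1.5:1026 -> 10.1.1.9:80
TCP TTL:128 TOS:0x0 ID:4321 IpLen:20 DgmLen:48
******S* Seq: 0x0000ABCD Ack: 0x0 Win: 0x4000 TcpLen: 28
"""

# Snort 1.7 prints the eight flag positions in this fixed order; '*' = not set.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

HDR_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(?P<src>[\w.-]+):(?P<sport>\d+) -> (?P<dst>[\w.-]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+)"
                   r"(?: IpLen:(?P<iplen>\d+))?(?: DgmLen:(?P<dgmlen>\d+))?")
TCP_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+) "
                    r"Ack: 0x(?P<ack>[0-9A-Fa-f]+) Win: 0x(?P<win>[0-9A-Fa-f]+)"
                    r"(?: TcpLen: (?P<tcplen>\d+))?")


def decode_flags(flagstr):
    """Map a Snort flag string such as '******SF' to the set of flag names."""
    if len(flagstr) != 8:
        raise ValueError("Snort flag strings are always eight characters")
    return {name for name, ch in zip(FLAG_NAMES, flagstr) if ch != "*"}


def parse_alerts(text):
    """Split the alert file on blank lines and parse each four-line TCP record."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        h, a, ip, tcp = (HDR_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                         IP_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not (h and a and ip and tcp):
            continue
        r = {"sig": h["sig"], **a.groupdict(), **ip.groupdict()}
        for k in ("sport", "dport", "ttl", "id", "iplen", "dgmlen"):
            r[k] = int(r[k]) if r[k] is not None else None
        r["tos"] = int(r["tos"], 16)
        r["flags"] = decode_flags(tcp["flags"])
        r["seq"], r["ack"], r["win"] = (int(tcp[k], 16) for k in ("seq", "ack", "win"))
        r["tcplen"] = int(tcp["tcplen"]) if tcp["tcplen"] else None
        records.append(r)
    return records


def anomalies(rec):
    """Flag combinations no conforming TCP stack emits on its own, plus the
    equal-port quirk visible in this course's synscan samples."""
    f, out = rec["flags"], []
    if {"SYN", "FIN"} <= f:
        out.append("syn-fin")
    if not f:
        out.append("null-scan")
    if {"FIN", "PSH", "URG"} <= f:
        out.append("xmas")
    if "SYN" in f and "ACK" not in f and rec["sport"] == rec["dport"]:
        out.append("same-src-dst-port")
    if None not in (rec["dgmlen"], rec["iplen"], rec["tcplen"]) \
            and rec["dgmlen"] < rec["iplen"] + rec["tcplen"]:
        out.append("length-mismatch")
    return out


if __name__ == "__main__":
    for rec in parse_alerts(SAMPLE_ALERTS):
        print(rec["sig"], sorted(rec["flags"]), anomalies(rec))
```

The length check uses the fields Snort 1.7 added: DgmLen must be at least IpLen plus TcpLen, otherwise the headers overrun the datagram and the packet is malformed, which is worth flagging separately from any signature match.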

Page 21


Shadow Hourly Log

Shadow is a full-fledged packet collector designed to collect all packet headers entering and leaving a network. Initially, this Cooperative Intrusion Detection Evaluation and Response (CIDER) project was an effort of the Naval Surface Warfare Center (NSWC) Dahlgren, NFR, the NSA and the SANS community.

Shadow collects packet headers in its default mode (68 bytes, tcpdump's default snapshot length; it can be adjusted to collect the full packet), cuts a new traffic file every hour and then displays only the traffic that was not filtered out by the analyst. It also provides the ability to replay any of the recorded traffic and examine the activity in detail. This sensor should be collocated with some sort of near-real-time signature-based sensor such as Snort, RealSecure or Dragon; Shadow is the perfect tool for establishing correlation.

If necessary, the traffic from Shadow can be replayed through Snort and its signature rule set.

tcpdump is available at: http://www.tcpdump.org and Shadow is available at:

http://www.nswc.navy.mil/ISSEC/CID/

Page 22

Mixed Trojan scan

05:25:33.517335 scanner.net.39355 > target.12346: S 52066685:52066685(0) win 8192 (DF)

05:25:38.856479 scanner.net.39609 > target.20034: S 52072026:52072026(0) win 8192 (DF)

05:25:44.016915 scanner.net.39863 > target.31337: S 52077120:52077120(0) win 8192 (DF)

05:25:48.212152 scanner.net.40117 > target.1243: S 52081383:52081383(0) win 8192 (DF)

05:25:53.347186 scanner.net.40371 > target.30100: S 52086514:52086514(0) win 8192 (DF)

05:25:57.672137 scanner.net.40625 > target.6670: S 52090844:52090844(0) win 8192 (DF)

05:26:02.817589 scanner.net.40879 > target.12345: S 52095919:52095919(0) win 8192 (DF)

05:26:06.957842 scanner.net.41133 > target.27374: S 52100101:52100101(0) win 8192 (DF)

05:26:11.155366 scanner.net.41387 > target.31789: S 52104280:52104280(0) win 8192 (DF)

05:26:16.374320 scanner.net.41641 > target.65000: S 52109515:52109515(0) win 8192 (DF)

Both of these traces are traffic captured with tcpdump on a Shadow sensor. This slide contains two Trojan samples which are quite different.

The first one represents NetBus Pro. The source made four unsuccessful attempts to connect to the target (port blocked by ipchains).

The second sample shows a tool specifically looking for a multitude of well-known Trojans: in the trace above, ten different Trojan listening ports (NetBus 12345/12346, SubSeven 1243 and 27374, Hack'a'Tack 31789, Back Orifice 31337, and others) are probed in sequence roughly five seconds apart, and the source port climbs by exactly 254 each time, a cadence no human opening connections produces.

In both cases, a SYN packet was sent to the port, with the scanner waiting for the proper response (SYN-ACK) before attempting to complete the connection (ACK).
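As an added example (not from the course), the following Python parses the tcpdump lines above and turns the analyst's reasoning into code: per source, the largest set of distinct Trojan ports hit with bare SYNs inside a time window, plus the inter-probe cadence and source-port stride that betray a scripted scanner. The ten probe lines are the slide's own; the final line (client.net to port 80) is constructed as a benign control. The TROJAN_PORTS table is an assumption of this example: only SubSeven (1243, 27374), Hack'a'Tack (31789) and NetBus are named by the course, the other entries follow the Trojan-port lists of the period.

```python
import re
from collections import defaultdict

# The ten probe lines are the course's own trace; the final line is a
# constructed, benign web connection request added for contrast.
SAMPLE_TRACE = """\
05:25:33.517335 scanner.net.39355 > target.12346: S 52066685:52066685(0) win 8192 (DF)
05:25:38.856479 scanner.net.39609 > target.20034: S 52072026:52072026(0) win 8192 (DF)
05:25:44.016915 scanner.net.39863 > target.31337: S 52077120:52077120(0) win 8192 (DF)
05:25:48.212152 scanner.net.40117 > target.1243: S 52081383:52081383(0) win 8192 (DF)
05:25:53.347186 scanner.net.40371 > target.30100: S 52086514:52086514(0) win 8192 (DF)
05:25:57.672137 scanner.net.40625 > target.6670: S 52090844:52090844(0) win 8192 (DF)
05:26:02.817589 scanner.net.40879 > target.12345: S 52095919:52095919(0) win 8192 (DF)
05:26:06.957842 scanner.net.41133 > target.27374: S 52100101:52100101(0) win 8192 (DF)
05:26:11.155366 scanner.net.41387 > target.31789: S 52104280:52104280(0) win 8192 (DF)
05:26:16.374320 scanner.net.41641 > target.65000: S 52109515:52109515(0) win 8192 (DF)
05:26:20.000000 client.net.1040 > target.80: S 1000:1000(0) win 8192 (DF)
"""

# Ports the course names (SubSeven 1243/27374, Hack'a'Tack 31789, NetBus) plus
# the other well-known Trojan listeners of the period. Treat this as an assumed
# lookup table for the example, not as something the course states.
TROJAN_PORTS = {
    1243: "SubSeven", 27374: "SubSeven 2.1", 31789: "Hack'a'Tack",
    12345: "NetBus", 12346: "NetBus", 20034: "NetBus 2 Pro",
    31337: "Back Orifice", 30100: "NetSphere", 6670: "DeepThroat", 65000: "Devil",
}

# tcpdump summary line of the era: "time src.sport > dst.dport: flags seq:end(len) [ack n] win w ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def parse_tcpdump(text):
    records = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        h, mi, s = r["ts"].split(":")
        r["t"] = int(h) * 3600 + int(mi) * 60 + float(s)   # seconds since midnight
        for k in ("sport", "dport", "seq", "len", "ack", "win"):
            r[k] = int(r[k]) if r[k] is not None else None
        records.append(r)
    return records


def trojan_sweeps(records, min_ports=3, window=60.0):
    """Per source, the largest set of distinct Trojan ports hit with bare SYNs
    inside any `window` seconds, with the timing and source-port pattern that
    distinguishes a scripted scanner from a human."""
    by_src = defaultdict(list)
    for r in records:
        if r["flags"] == "S" and r["dport"] in TROJAN_PORTS:
            by_src[r["src"]].append(r)
    findings = {}
    for src, probes in by_src.items():
        probes.sort(key=lambda p: p["t"])
        best, j = [], 0
        for i in range(len(probes)):            # sliding window over sorted probes
            while j < len(probes) and probes[j]["t"] - probes[i]["t"] <= window:
                j += 1
            cand = probes[i:j]
            if len({p["dport"] for p in cand}) > len({p["dport"] for p in best}):
                best = cand
        ports = sorted({p["dport"] for p in best})
        if len(ports) < min_ports:
            continue
        gaps = [b["t"] - a["t"] for a, b in zip(best, best[1:])]
        strides = {b["sport"] - a["sport"] for a, b in zip(best, best[1:])}
        findings[src] = {
            "ports": ports,
            "names": sorted({TROJAN_PORTS[p] for p in ports}),
            "span": best[-1]["t"] - best[0]["t"],
            "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,
            "sport_stride": strides.pop() if len(strides) == 1 else None,
        }
    return findings


if __name__ == "__main__":
    for src, f in trojan_sweeps(parse_tcpdump(SAMPLE_TRACE)).items():
        print(src, f)
```

On the slide's trace this reports scanner.net hitting all ten ports in about 43 seconds, a mean gap of 4.76 seconds and a constant source-port stride of 254; the benign client.net line is ignored because port 80 is not in the table. Shrinking the window to 10 seconds still catches the sweep, with three ports, which is the knob to turn for slower scanners.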

The current tcpdump version 3.6.x (January 2001) contains added features such as the new -X switch, which prints each packet in hex with the ASCII decoding alongside, without the need for other filters such as asctcpdump or tcpdump2ascii. Here is an example:

21:20:23.036721 seeker.ca.domain > G.ROOT-SERVERS.NET.domain: 41159[|domain]
0x0000  4500 0047 7c27 0000 4011 7ca7 c0a8 00f3  E..G|'..@.|.....
0x0010  c070 2404 0035 0035 0033 8b91 a0c7 0000  .p$..5.5.3......
0x0020  0001 0000 0000 0000 0235 3002 3832 0233  .........50.82.3

Reading the hex directly: 45 is IPv4 with a 20-byte header, 0047 is a total length of 71 bytes, 11 is protocol 17 (UDP), c0a8 00f3 and c070 2404 are the source 192.168.0.243 and the destination 192.112.36.4, 0035 0035 are UDP ports 53 to 53, and a0c7 is the DNS transaction ID 41159 shown in the summary line. The trailing [|domain] means the capture's snapshot length cut the DNS payload short.

Posted: 21/12/2013, 05:17
