Document: Introduction to Logfile Analysis docx


Document information

Slide 1: Introduction to Logfile Analysis
Introduction to Log File Analysis – SANS GIAC LevelTwo ©2001
Guy Bruneau, GCIA
Part 1

This module is designed to provide an introduction to various types of security logging software and how to interpret their content.

Greetings! I am Guy Bruneau. Today's talk will be on "Introduction to Logfile Analysis". I would like to thank the SANS Institute for this opportunity to share some of my experience and knowledge in this sometimes difficult area. This course is divided into two course modules. The first module will cover a variety of security logs to help recognize the format and the tools that generated it. In the second module, we are going to work with a case stressing the importance of data correlation to piece together the intent of the probe. It will also be accompanied by 3 practical exercises.

I am currently the Intrusion Detection System Engineering Coordinator at the Canadian Department of National Defense's Computer Incident Response Team (DND CIRT). I have experience in UNIX security, Computer Network Intrusion Detection, Network Security Auditing, Incident Response and Reporting, Anti-virus Support and firsthand knowledge of using and tailoring Cisco Secure IDS, SNORT, Shadow and RealSecure.

Copyright © Guy Bruneau, 2000-2001. All rights reserved.

Slide 2: Outline
- References
- Objectives
- What is Log Analysis?
- Log Examples
- Review
- Software links

These are the things we're going to cover. In essence, we're going to cover a series of tools and how they log the traffic they see. If you work within a Computer Incident Response Team or as an Intrusion Detection analyst, it is very important to understand the logs you are working with. They are the key to solving the puzzle.

Slide 3: References (1)
- Book
  - W. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison Wesley, 1994.
- Trojan Ports Lists
  - http://www.sans.org/y2k/ports.htm
  - http://www.simovits.com/nyheter9902.html
  - http://doshelp.com/trojanports.htm
  - http://www.xploiter.com/security/trojanport.html
  - http://www.tlsecurity.net/trojanh.htm

This page intentionally left blank.

Slide 4: References (2)
- IANA Assigned Ports
  - http://www.isi.edu/in-notes/iana/assignments/port-numbers
- IANA Protocol Numbers
  - http://www.isi.edu/in-notes/iana/assignments/protocol-numbers
- Name Space Information
  - http://free.name.space.xs2.net/search/

This page intentionally left blank.

Slide 5: Objectives
Provides the student with sufficient information to be able to recognize suspicious events such as port scans, network probes, AUP violations, etc.

The object of this course is to provide future analysts with enough information to recognize a wide range of security logs, to assist in the detection of suspicious events, to investigate abnormal traffic and to take appropriate action when necessary. As an example, the following may be used to categorize events:
- Privilege access (system compromised and root access obtained)
- Limited access (system compromised with a user account)
- Reconnaissance (network or host mapping, OS fingerprinting, etc.)
- Stealth reconnaissance (FIN, SYN/FIN, inverse mapping, etc.)
- Denial of Service (fragments, ICMP flood, SYN flood, etc.)
- Distributed Denial of Service (ICMP flood)
- AUP (acceptable use policy) violation

Slide 6: What is Log Analysis?
It is an active or continuous attempt to detect intrusive activities.

One of the most important "weapons" an Intrusion Detection or an Incident Handling analyst has is the ability to correctly identify, recognize and analyze suspicious events within the security logs they use on a daily basis.
This includes working with router logs, firewall logs, Intrusion Detection System logs and a variety of miscellaneous logs. Each tool has its strengths and weaknesses.

Slide 7: Cisco Router Log

Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:47 [192.168.50.32] 508472: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2570) -> 192.168.1.1(3), 1 packet
Oct 15 22:21:51 [192.168.50.32] 508474: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:21:53 [192.168.50.32] 508475: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet

One of the primary purposes of an internetwork is to increase productivity by linking computers and computer networks so people have easy access to information, regardless of differences in time, place or type of computer system. One tool that accomplishes this is a router; in this case, a Cisco router. Access control lists (ACLs) are powerful tools for network control: they add the flexibility to filter the packet flow into or out of router interfaces, which can help limit network traffic and restrict network use by certain users or devices. Reviewing the router logs often yields valuable information on traffic that has been denied entry to your network.
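The router lines on the slide above, parsed and summarized as an added example (my code, not part of the course material): it extracts the fields of each %SEC-6-IPACCESSLOGP line, groups denied packets by source and destination, and flags a source that hits several distinct denied ports on one host, which is the port-probe pattern the slide illustrates. The regular expression, the probe threshold of three distinct ports and the embedded sample (a copy of the slide's eight lines) are my assumptions; the course does not specify any of them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the eight lines shown on the Cisco router log slide.
SAMPLE_LOG = """\
Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:47 [192.168.50.32] 508472: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2570) -> 192.168.1.1(3), 1 packet
Oct 15 22:21:51 [192.168.50.32] 508474: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:21:53 [192.168.50.32] 508475: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
"""

# Assumed layout of a syslog-forwarded IPACCESSLOGP line:
# <timestamp> [<router>] <seq>: %SEC-6-IPACCESSLOGP: list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<router>[\d.]+)\]\s+(?P<seq>\d+):\s+"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)


def parse_line(line):
    """Return a dict of the IPACCESSLOGP fields, or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for durations inside one capture but not for spans that cross a year end.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    for key in ("seq", "sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Group denied packets by (src, dst): distinct target ports, packet total and time span."""
    groups = defaultdict(lambda: {"ports": set(), "packets": 0, "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        g = groups[(rec["src"], rec["dst"])]
        g["ports"].add(rec["dport"])
        g["packets"] += rec["count"]
        t = rec["time"]
        g["first"] = t if g["first"] is None or t < g["first"] else g["first"]
        g["last"] = t if g["last"] is None or t > g["last"] else g["last"]
    return {
        key: {
            "ports": sorted(g["ports"]),
            "packets": g["packets"],
            "seconds": int((g["last"] - g["first"]).total_seconds()),
        }
        for key, g in groups.items()
    }


def flag_probes(summary, min_ports=3):
    """One source hitting several distinct denied ports on one host is a probe candidate.
    The threshold is an assumption; tune it to the site's normal denied traffic."""
    return [
        (src, dst, s["ports"])
        for (src, dst), s in sorted(summary.items())
        if len(s["ports"]) >= min_ports
    ]


if __name__ == "__main__":
    for src, dst, ports in flag_probes(summarize(SAMPLE_LOG)):
        print(f"probe candidate: {src} -> {dst} on ports {ports}")
```

Run against the slide's sample, the summary shows one source (10.90.24.12) reaching four distinct denied ports (3, 111, 119, 161) on 192.168.1.1 within 21 seconds, which is exactly the kind of pattern the notes describe as worth investigating. Only lines whose action is "denied" are counted; permitted traffic logged by an ACL with the log keyword would otherwise inflate the port sets.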
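To make the wildcard-mask remark in the Cisco ACL table on the next slide concrete ("the netmask must be read backward"), an added example that is not part of the course material: it parses the four access-list lines from that slide, evaluates packets against them in order with first match winning, and applies the implicit deny when nothing matches. Only the eq port operator and the any/host/wildcard address forms are handled; that subset, and the test packets, are my choice.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed input: the four access-list lines from the Cisco ACL slide.
ACL_TEXT = """\
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
"""


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'ignore this bit'.
    0.0.0.255 therefore compares the first three octets and ignores the last,
    the reverse of how a subnet mask reads."""
    differing = ip_to_int(addr) ^ ip_to_int(base)
    return (differing & ~ip_to_int(wildcard) & 0xFFFFFFFF) == 0


@dataclass
class Rule:
    number: str
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every IP protocol
    src: tuple             # (base, wildcard)
    dst: tuple
    dport: Optional[int]   # only the "eq N" operator is supported here


def _take_addr(tok, i):
    """Consume one address specification starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Rule(tok[1], tok[2], tok[3], src, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, index of the matching entry). The list is scanned top down,
    the first match wins, and a packet matching nothing hits the implicit deny."""
    for n, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *r.src) or not wildcard_match(dst, *r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "tcp", "172.16.4.10", "172.16.3.5", 21))   # ('deny', 0)
    print(evaluate(acl, "tcp", "172.16.4.10", "172.16.3.5", 80))   # ('permit', 3)
    print(evaluate(acl[:3], "tcp", "172.16.4.10", "172.16.3.5", 80))  # ('deny', None)
```

The last call drops the trailing permit entry to show the implicit deny at work: the same packet that was forwarded a line earlier now matches nothing and is dropped, which is why the order of entries and the presence (or absence) of a final permit matter when you read an ACL alongside its log.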
Cisco access list number ranges:
- Standard IP access lists (1 to 99) check the source IP address.
- Extended IP access lists (100 to 199) check source and destination IP addresses, specific protocols, and TCP and UDP port numbers (Cisco IOS version 11.2).
- Standard IPX access lists (800 to 899)
- Extended IPX access lists (900 to 999)
- SAP filters use 1000 to 1099 (Cisco IOS version 11.2F and later).

Slide 8: Cisco ACL

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
ip access-group 101 out

Access-list description:

Command               Description
101                   Access list number; indicates an extended IP access list
deny                  Traffic that matches the selected parameters will not be forwarded
tcp                   Transport-layer protocol
172.16.4.0 0.0.0.255  Source IP address and mask; the first three octets must match but the last octet is ignored. The netmask must be read backward (it is a wildcard mask, the inverse of a subnet mask).
any                   Match any destination IP address
eq 23                 Specifies the well-known port number for Telnet
permit                Traffic that matches the selected parameters will be forwarded
ip                    Any IP protocol
any                   Keyword matching traffic from any source
any                   Keyword matching traffic to any destination

Slide 9: Firewall Logs

ConSeal Firewall
2000/01/04 1:50:03 AM GMT -0500: AcerLAN ALN-325 1 [0000][No matching rule] Blocking incoming TCP: src=192.168.6.3 dst=192.168.21.101, sport=10673, dport=111.
2000/01/04 4:58:21 AM GMT -0500: AcerLAN ALN-325 1 [0000][No matching rule] Blocking incoming UDP: src=192.168.70.205, dst=192.168.21.101, sport=31790, dport=31789.
2000/01/04 5:04:16 AM GMT -0500: AcerLAN ALN-325 1 [0000][No matching rule] Blocking incoming TCP: src=192.168.65.167, dst=192.168.21.101, sport=2760, dport=27374.
Linux's IPChains
Dec 23 12:02:12 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.133.44:1024 192.168.133.255:111 L=132 S=0x00 I=20 F=0x0000 T=64 (#40)
Dec 23 15:33:35 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.122.56:31790 192.168.11.43:31789 L=29 S=0x00 I=29147 F=0x0000 T=123 (#56)
Dec 25 16:10:42 @home kernel: Packet log: inp DENY eth0 PROTO=6 192.168.24.225:2732 192.168.11.43:1243 L=48 S=0x00 I=42508 F=0x4000 T=116 SYN (#45)

The first sample is from McAfee's Personal Firewall and is a filtered probe sent to ports 111 (RPC services), 31789 (Hack'a'Tack) and 27374 (SubSeven 2.1), all from the same source. At the time of this detect (Jan 2000), RPC services were heavily exploited by hackers to gain access to UNIX servers.

The second sample is from Linux's IPChains and is a firewall-filtered probe sent to ports 111 (RPC services), 31789 (Hack'a'Tack) and 1243 (SubSeven). The same applies here to the RPC services exploits (Dec 1999). A description of the Linux firewall log breakdown is available on the next slide.

Slide 10: Linux Firewall

Field            Example              Description
Date & Time      Jun 1 11:11:49       Date and time that the packet was logged.
Hostname         Mail                 The hostname of the computer.
Syslog Facility  kernel: Packet log:  The syslog level at which the syslog event occurred. Should always be 'kernel'. 'Packet log:' is appended for clarity's sake and can be used in searching the logs.
Chain Name       input                The chain to which the rule is attached. Possible values are: input, output and forward.
Action Taken     REJECT               How the packet was handled. Possible values are: ACCEPT, REJECT, DENY, MASQ, REDIRECT and RETURN.
Interface        eth0                 The network interface on which the packet was detected.
Protocol #       PROTO=17             The protocol of the packet. Common values are: 1 (ICMP), 6 (TCP), and 17 (UDP). ICMP traffic is also displayed with the ICMP code.
Source           10.100.1.228:57048   The source IP address and port number of the packet.
Destination      192.168.1.211:137    The destination IP address and port number of the packet.
Length           L=78                 The total length of the packet.
TOS              S=0x00               The 'Type of Service' value from the packet.
ID               I=53412              Either the packet ID or the segment that the TCP fragment belongs to.
Fragment Offset  F=0x0000             If the packet is part of a fragment, this field contains the fragment offset.
TTL              T=108                The time-to-live value from the packet.
Rule #           (#3)                 The rule number that logged this entry.

This IPChains firewall chart is to be used with the previous slide. It describes the ipchains firewall fields.

[...]

Slide 28: TCPLogd
TCPLogd is a UNIX daemon used to log all incoming TCP connections to a UNIX-based server. This tool can assist the System Administrator in monitoring suspicious TCP connections. It has a resource file which can be configured to ignore logging known hosts.

Slide 29: Protolog - TCP (Protolog TCP logger ...)
This is one of three protolog analysis/logging tools that record incoming TCP, UDP and ICMP connections to a UNIX server. These tools also contain a configuration file to ignore well-known servers. These protocol loggers provide two types of logs:
- Simple human-readable logs
- Time and raw data (header plus data)
It is a great way to ...

[...] RPC services (111), SubSeven probe (1243) and SubSeven 2.1 probe (27374)

Slide 19: Snortsnarf
This tool was designed to process Snort traffic logs into web pages. This tool produces HTML output intended to make the alarms easy to browse. Using a cron job, it is possible to produce a daily or hourly HTML output of the Snort alerts. This package is available ...
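An added example (my code, not from the course) that decodes the three ipchains lines from the firewall log slide into the fields named in the Linux Firewall table: it splits the F= word into the DF and MF bits and the fragment offset, maps PROTO= numbers to names, treats the port positions as ICMP type and code when PROTO=1 (as the table notes), and annotates the destination ports the slide notes single out (111, 1243, 27374, 31789). The regular expression is my reading of the line format; the broadcast heuristic on a .255 last octet assumes a /24 and is likewise my assumption.

```python
import re

# Constructed sample: the three ipchains lines from the firewall log slide.
SAMPLE = """\
Dec 23 12:02:12 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.133.44:1024 192.168.133.255:111 L=132 S=0x00 I=20 F=0x0000 T=64 (#40)
Dec 23 15:33:35 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.122.56:31790 192.168.11.43:31789 L=29 S=0x00 I=29147 F=0x0000 T=123 (#56)
Dec 25 16:10:42 @home kernel: Packet log: inp DENY eth0 PROTO=6 192.168.24.225:2732 192.168.11.43:1243 L=48 S=0x00 I=42508 F=0x4000 T=116 SYN (#45)
"""

# Field order follows the Linux Firewall table: timestamp, host, "kernel: Packet log:",
# chain, action, interface, PROTO=, src:port, dst:port, L=, S=, I=, F=, T=, optional
# TCP flag word (e.g. SYN), then the rule number in parentheses.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<id>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)(?:\s+(?P<flags>[A-Z]+))?\s+\(#(?P<rule>\d+)\)$"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Ports the slide notes call out: RPC and the trojan listeners named in the text.
WATCH_PORTS = {111: "RPC portmapper", 1243: "SubSeven", 27374: "SubSeven 2.1", 31789: "Hack'a'Tack"}


def decode_fragment(frag_hex):
    """Split the 16-bit IP flags/offset word: bit 14 = DF, bit 13 = MF, low 13 bits = offset."""
    v = int(frag_hex, 16)
    return {"df": bool(v & 0x4000), "mf": bool(v & 0x2000), "offset": v & 0x1FFF}


def parse_ipchains(line):
    """Return the decoded fields of one ipchains log line, or None if it does not match."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec.update(decode_fragment(rec["frag"]))
    if rec["proto"] == 1:
        # For ICMP the table says the type and code appear where the ports would be.
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
    return rec


def notes_for(rec):
    """Analyst annotations worth printing beside the raw line."""
    notes = []
    if rec["proto"] != 1 and rec["dport"] in WATCH_PORTS:
        notes.append(f"dport {rec['dport']} = {WATCH_PORTS[rec['dport']]}")
    if rec["proto"] == 6 and rec.get("flags") == "SYN":
        notes.append("TCP connection attempt (SYN)")
    if rec["offset"] or rec["mf"]:
        notes.append("fragment")
    if rec["dst"].endswith(".255"):
        # Assumption: a /24 network, so .255 is the directed broadcast address.
        notes.append("destination looks like a broadcast address (.255, assuming /24)")
    return notes


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        rec = parse_ipchains(line)
        print(f"{rec['ts']} {rec['action']} {rec['proto_name']} {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} ttl={rec['ttl']} rule=#{rec['rule']} {notes_for(rec)}")
```

The third sample line decodes to a TCP SYN with DF set (F=0x4000) aimed at port 1243, which the notes identify as a SubSeven probe; the second is a UDP datagram to 31789 (Hack'a'Tack) with a source port of 31790, the pairing the ConSeal sample above also shows. Decoding the F= word matters because a non-zero offset or the MF bit marks the fragments the Objectives slide lists under Denial of Service.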
... Port=27374&name=Sub_7_2

Slide 18
Here we have a tool combining a lightweight Intrusion Detection System with a personal firewall. This tool has become very popular among home users because of its price and ease of use. The user can obtain online assistance pertaining to the event and the steps required to protect themselves. In this example, we have some probes to ...

Slide 11
2000/04/28 11:37:50 -5:00 GMT ICMP ICMP ICMP
This program combines the safety of a dynamic firewall with total control over applications' Internet use. ZoneAlarm Pro claims to give rock-solid protection against thieves and vandals. According to the vendor, Version 2.1 of ZoneAlarm Pro now features MailSafe to stop email-borne Visual Basic Script ...

Slide 36
This is a small Perl program which converts tcpdump hex values (using the tcpdump -x option) to readable ASCII characters (31> char ...

Posted: 21/12/2013, 05:17
