Computer Log


Computer Security Log

company have to keep log files continuously for admissibility in a court of law


Computer security logs
contain information about the events occurring within an organization's systems and networks.

Security log categories
operating system log
ex: win event log, linux message log
application log
ex:web server log
security sofrware log
ex:ids log, antivirus log, firewall log

....

Common log
router log
 log files usually is in the Router cache
 http://systw.net/note/af/sblog/more.php?id=53
honeypot log
 欺騙HACKER攻擊別台主機, 以偵測是否有入侵行為
 http://systw.net/note/af/sblog/more.php?id=163
windows event log
 the log contains information about operational actions performed by OS components
dhcp log
 主要看MAC做分析,若有新的MAC進來表示有新的設備加入
 或看在某個時間下,那個MAC是對應那個IP
 http://systw.net/note/af/sblog/more.php?id=68
audit log
 a document that records an event in an IT system
web log
 常見的web log有iis log和apache log


Web log
The source, nature, and time of the attack can be determined by Analyzing log files of the compromised system.
ps:
先天是不完整,因為無法記錄到post的資訊
IIS log
2003 default path: system32logfilesw3svc
2008 default path: inetpublogslogfiles
ps:預設使用UTC時間記錄
Apache
the default location for Apache access logs on a Linux computer:
usr/local/apache/logs/access_log
http://systw.net/note/af/sblog/more.php?id=299

....................

Log injection attacks

污染log的常見方式
new line injection attack: 用斷行方式,讓log記錄程式將資訊塞到下一行中,以製作假的log
timestamp injection attack: 製作假的timestamp,常用new line injection attack手法
separator injection attacks: 用分隔符號讓log記錄時欄位錯誤
word wrap abuse attack: 塞入很多空白字元,讓一筆log超出最大長度限制迫使其餘資料換到下一行做記錄,而產生假的log
ps:
其他還有
html injection attack
terminal injection attack

.....................................................................................................................

Log Management

Log management
。It includes all the processes and techniques used to collect, aggregate, and analyze computer-generated log messages.
。It consists of the hardware, software, network and media used to generate, transmit, store, analyze, and dispose of log data.


Log management infrastructure
log generation
log analysis and storage
log monitoring

Common functions of log management
event aggregation: 將一個小的時段內將多個重覆事件合併,可節省儲存空間
log normalization: 將多個一樣功能但不同名稱的欄位關聯
ex:drop,deny,reject這三個不同名稱欄位=deny這個功能
event correlation: SIEM主要功能


ps:
異常分析常見方法
1.以windows logon event為例
2.統計連續1個月資料(IP或user的登入登出時間)的baseline
3.根據base做分析

ps:
recommendation book
book of log visualization:applied security visualization
http://dl.acm.org/citation.cfm?id=1403873

..........................................................................................................................

Centralized Log and Correlation

Centralized logging
。gathering the computer system logs for a group of systems in a centralized location.
。monitoring computer system logs with the frequency required to detect security violations and unusual activity.

Advantage
hacker入侵時有log server仍可以保留資料

Common solution
syslog
SOC

...........

Type of event correlation
same-platform correlation:using same OS platforms throughout the network
cross-platform correlation:using different OS platforms throughout the network

Event correlation approaches
graph-based approach
neural network-based approach

codebook-based approach
rule-based approach
file-bsed approach
automated field correlation
packet parameter/payload correlation for network management
profile/fingerprint-based approach
vulnerability-based approach
open-port-based approach
bayesian correlation
time or role-based approach
route correlation

automated field correlation
all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields

............................................................................................

Time Synchronization

Log time
所有的log時間建議一致
it is essential that the computers' clocks are synchronized, when monitoring events from multiple sources

ps:
hacker 會改時間讓log記錄錯的時間,若分析時依賴系統上的時間,可能會導致錯過hacker的攻擊活動記錄

ps
常見時間格式
GMT(格林威治標準時間),第一個出現的時間格式
UTC(世界協調時間),用更先進的計算方式算出,UTC比GMT來得更加精準
CST(中央標準時間), =UTC+8


NTP(Network Time Protocol)

synchronize time among multiple computers
以封包交換把兩台電腦的時鐘同步化的通訊協定

using UDP 123
refer
https://en.wikipedia.org/wiki/Network_Time_Protocol

NTP stratum levels
stratum-0: connect to computer of stratum1 by RS232
stratum-1: time is from stratum0
stratum-2: time is from stratum1 by NTP
stratum-3: time is from stratum2 by NTP, and so on

 

 

 

 

2015-10-19 16:01:21發表 2015-10-24 07:46:30修改   

數據分析
程式開發
計算機組織與結構
資料結構與演算法
Database and MySql
manage tool
windows
unix-like
linux service
network
network layer3
network layer2
network WAN
network service
作業系統
數位鑑識

資訊安全解決方案
資訊安全威脅
Cisco security
Cisco network
Cisco layer3
Cisco layer2



  登入      [牛的大腦] | [單字我朋友] Powered by systw.net