Computer security logs
Companies have to keep log files continuously for them to be admissible in a court of law.
Logs contain information about the events occurring within an organization's systems and networks.
Security log categories
operating system log
ex: Windows event log, Linux messages log
application log
ex: web server log
security software log
ex: IDS log, antivirus log, firewall log
….
Common logs
。router log
log files are usually kept in the router's cache
https://systw.net/note/af/sblog/more.php?id=53
。honeypot log
lure the hacker into attacking a decoy host, in order to detect whether an intrusion is taking place
https://systw.net/note/af/sblog/more.php?id=163
。windows event log
the log contains information about operational actions performed by OS components
。dhcp log
analysis is mainly based on MAC addresses: a new MAC appearing means a new device has joined the network,
or look up which IP a given MAC was mapped to at a particular time
https://systw.net/note/af/sblog/more.php?id=68
。audit log
a document that records events in an IT system
。web log
the common web logs are the IIS log and the Apache log
Web log
The source, nature, and time of an attack can be determined by analyzing the log files of the compromised system.
ps:
web logs are inherently incomplete, because they cannot record the data sent in POST requests
IIS log
2003 default path: system32\logfiles\w3svc
2008 default path: inetpub\logs\logfiles
ps: by default, timestamps are recorded in UTC
Apache
the default location for Apache access logs on a Linux computer:
/usr/local/apache/logs/access_log
https://systw.net/note/af/sblog/more.php?id=299
………………..
Log injection attacks
Common ways of contaminating a log
new line injection attack: use a line break so that the logging program writes the injected data on the next line, creating a fake log entry
timestamp injection attack: forge a fake timestamp; usually carried out with the new line injection technique
separator injection attack: use separator characters so that the fields of the entry are recorded in the wrong columns
word wrap abuse attack: insert a large number of whitespace characters so that one entry exceeds the maximum length limit, forcing the remaining data to be written on the next line and thus producing a fake entry
ps:
other variants include
html injection attack
terminal injection attack
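As an added example (not part of the original note), here is the defensive counterpart to the injection techniques above: a Python log writer that neutralizes line breaks, separators and over-long padding in untrusted fields, shown next to a naive writer so the difference in how a line-oriented parser counts records is visible. The injected username and the log format are constructed for this example.

```python
import re

# Constructed sample: a client-supplied username carrying a line break followed by
# a forged timestamp and record (new line + timestamp injection, as described above).
INJECTED_USER = "alice\n2024-01-01T00:00:00Z INFO login user=admin status=success"

MAX_FIELD_LEN = 256  # hard cap so whitespace padding cannot trigger word-wrap abuse


def naive_log_line(ts: str, level: str, user: str, status: str) -> str:
    """Unsanitized writer: user-controlled text goes straight into the record."""
    return f"{ts} {level} login user={user} status={status}"


def sanitize_field(value: str) -> str:
    """Neutralize the injection primitives inside one field:
    - backslashes and quotes are escaped so the quoting below stays unambiguous;
    - CR, LF and other control characters become visible \\xNN escapes, so the
      record can never span more than one physical line;
    - the value is quoted, so spaces and '=' inside it cannot shift columns;
    - the length is capped, so padding cannot force the record to wrap."""
    value = value[:MAX_FIELD_LEN]
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    escaped = re.sub(r"[\x00-\x1f\x7f]", lambda m: f"\\x{ord(m.group()):02x}", value)
    return '"' + escaped + '"'


def safe_log_line(ts: str, level: str, user: str, status: str) -> str:
    """Hardened writer: every untrusted field passes through sanitize_field()."""
    return (f"{ts} {level} login user={sanitize_field(user)} "
            f"status={sanitize_field(status)}")


def count_records(log_text: str) -> int:
    """Number of records a line-oriented log parser would see."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    ts = "2024-01-01T00:00:01Z"
    print(naive_log_line(ts, "WARN", INJECTED_USER, "failed"))  # parser sees 2 records
    print(safe_log_line(ts, "WARN", INJECTED_USER, "failed"))   # parser sees 1 record
```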
………………………………………………………………………………………………………
Log Management
Log management
。It includes all the processes and techniques used to collect, aggregate, and analyze computer-generated log messages.
。It consists of the hardware, software, network and media used to generate, transmit, store, analyze, and dispose of log data.
Log management infrastructure
log generation
log analysis and storage
log monitoring
Common functions of log management
event aggregation: merge multiple duplicate events that occur within a short time window, which saves storage space
log normalization: relate fields that have the same function but different names
ex: the three differently named fields drop, deny and reject all map to the single function deny
event correlation: the main function of a SIEM
ps:
a common approach to anomaly analysis
1.take Windows logon events as an example
2.build a baseline from one month of consecutive data (login/logout times per IP or per user)
3.analyze new events against that baseline
ps:
recommended book
a book on log visualization: Applied Security Visualization
http://dl.acm.org/citation.cfm?id=1403873
…………………………………………………………………………………………………………..
Centralized Log and Correlation
Centralized logging
。gathering the computer system logs for a group of systems in a centralized location.
。monitoring computer system logs with the frequency required to detect security violations and unusual activity.
Advantage
when a hacker compromises a host, the log server still retains a copy of the data
Common solution
syslog
SOC
………..
Type of event correlation
same-platform correlation: using the same OS platform throughout the network
cross-platform correlation: using different OS platforms throughout the network
Event correlation approaches
graph-based approach
neural network-based approach
codebook-based approach
rule-based approach
file-based approach
automated field correlation
packet parameter/payload correlation for network management
profile/fingerprint-based approach
vulnerability-based approach
open-port-based approach
bayesian correlation
time or role-based approach
route correlation
automated field correlation
all the fields are checked systematically and intentionally for positive and negative correlation with each other, to determine the correlation across one or multiple fields
………………………………………………………………………………..
Time Synchronization
Log time
all log timestamps should be kept consistent
when monitoring events from multiple sources, it is essential that the computers' clocks are synchronized
ps:
a hacker may change the system time so that the logs record the wrong time; if the analysis relies on the time kept on that system, the hacker's attack activity may be missed
ps:
common time standards
GMT (Greenwich Mean Time): the first time standard to appear
UTC (Coordinated Universal Time): calculated by a more advanced method, so UTC is more precise than GMT
CST (Central Standard Time) = UTC+8
NTP (Network Time Protocol)
synchronizes time among multiple computers
a communication protocol that synchronizes the clocks of two computers by exchanging packets
uses UDP port 123
refer
https://en.wikipedia.org/wiki/Network_Time_Protocol
NTP stratum levels
stratum-0: connected to a stratum-1 computer by RS232
stratum-1: time comes from stratum-0
stratum-2: time comes from stratum-1 via NTP
stratum-3: time comes from stratum-2 via NTP, and so on