{"id":355,"date":"2015-10-24T20:05:00","date_gmt":"2015-10-24T12:05:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=355"},"modified":"2023-10-30T20:09:18","modified_gmt":"2023-10-30T12:09:18","slug":"computer-log","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/355","title":{"rendered":"Computer Log"},"content":{"rendered":"\n


Computer security logs<\/strong>
company have to keep log files continuously for admissibility in a court of law
contain information about the events occurring within an organization’s systems and networks.<\/p>\n\n\n\n

Security log categories<\/strong>
operating system log
ex: win event log, linux message log
application log
ex:web server log
security sofrware log
ex:ids log, antivirus log, firewall log<\/p>\n\n\n\n

….<\/p>\n\n\n\n

Common log<\/strong>
\u3002router log<\/strong>
\u3000log files usually is in the Router cache
\u3000https:\/\/systw.net\/note\/af\/sblog\/more.php?id=53<\/a>
\u3002honeypot log<\/strong>
\u3000\u6b3a\u9a19HACKER\u653b\u64ca\u5225\u53f0\u4e3b\u6a5f, \u4ee5\u5075\u6e2c\u662f\u5426\u6709\u5165\u4fb5\u884c\u70ba
\u3000https:\/\/systw.net\/note\/af\/sblog\/more.php?id=163<\/a>
\u3002windows event log<\/strong>
\u3000the log contains information about operational actions performed by OS components
\u3002dhcp log<\/strong>
\u3000\u4e3b\u8981\u770bMAC\u505a\u5206\u6790\uff0c\u82e5\u6709\u65b0\u7684MAC\u9032\u4f86\u8868\u793a\u6709\u65b0\u7684\u8a2d\u5099\u52a0\u5165
\u3000\u6216\u770b\u5728\u67d0\u500b\u6642\u9593\u4e0b,\u90a3\u500bMAC\u662f\u5c0d\u61c9\u90a3\u500bIP
\u3000https:\/\/systw.net\/note\/af\/sblog\/more.php?id=68<\/a>
\u3002audit log<\/strong>
\u3000a document that records an event in an IT system
\u3002web log<\/strong>
\u3000\u5e38\u898b\u7684web log\u6709iis log\u548capache log<\/p>\n\n\n\n


Web log<\/strong>
The source, nature, and time of the attack can be determined by Analyzing log files of the compromised system.
ps:
\u5148\u5929\u662f\u4e0d\u5b8c\u6574\uff0c\u56e0\u70ba\u7121\u6cd5\u8a18\u9304\u5230post\u7684\u8cc7\u8a0a
IIS log<\/strong>
2003 default path: system32logfilesw3svc
2008 default path: inetpublogslogfiles
ps:\u9810\u8a2d\u4f7f\u7528UTC\u6642\u9593\u8a18\u9304
Apache<\/strong>
the default location for Apache access logs on a Linux computer:
usr\/local\/apache\/logs\/access_log
https:\/\/systw.net\/note\/af\/sblog\/more.php?id=299<\/a><\/p>\n\n\n\n

………………..<\/p>\n\n\n\n

Log injection attacks<\/strong><\/p>\n\n\n\n

\u6c61\u67d3log\u7684\u5e38\u898b\u65b9\u5f0f<\/strong>
new line injection attack: \u7528\u65b7\u884c\u65b9\u5f0f\uff0c\u8b93log\u8a18\u9304\u7a0b\u5f0f\u5c07\u8cc7\u8a0a\u585e\u5230\u4e0b\u4e00\u884c\u4e2d\uff0c\u4ee5\u88fd\u4f5c\u5047\u7684log
timestamp injection attack: \u88fd\u4f5c\u5047\u7684timestamp\uff0c\u5e38\u7528new line injection attack\u624b\u6cd5
separator injection attacks: \u7528\u5206\u9694\u7b26\u865f\u8b93log\u8a18\u9304\u6642\u6b04\u4f4d\u932f\u8aa4
word wrap abuse attack: \u585e\u5165\u5f88\u591a\u7a7a\u767d\u5b57\u5143\uff0c\u8b93\u4e00\u7b46log\u8d85\u51fa\u6700\u5927\u9577\u5ea6\u9650\u5236\u8feb\u4f7f\u5176\u9918\u8cc7\u6599\u63db\u5230\u4e0b\u4e00\u884c\u505a\u8a18\u9304\uff0c\u800c\u7522\u751f\u5047\u7684log
ps:
\u5176\u4ed6\u9084\u6709
html injection attack
terminal injection attack
………………………………………………………………………………………………………<\/p>\n\n\n\n

Log Management<\/strong><\/h2>\n\n\n\n

Log management<\/strong>
\u3002It includes all the processes and techniques used to collect, aggregate, and analyze computer-generated log messages.
\u3002It consists of the hardware, software, network and media used to generate, transmit, store, analyze, and dispose of log data.<\/p>\n\n\n\n


Log management infrastructure<\/strong>
log generation
log analysis and storage
log monitoring<\/p>\n\n\n\n

Common functions of log management<\/strong>
event aggregation: \u5c07\u4e00\u500b\u5c0f\u7684\u6642\u6bb5\u5167\u5c07\u591a\u500b\u91cd\u8986\u4e8b\u4ef6\u5408\u4f75,\u53ef\u7bc0\u7701\u5132\u5b58\u7a7a\u9593
log normalization: \u5c07\u591a\u500b\u4e00\u6a23\u529f\u80fd\u4f46\u4e0d\u540c\u540d\u7a31\u7684\u6b04\u4f4d\u95dc\u806f
ex:drop,deny,reject\u9019\u4e09\u500b\u4e0d\u540c\u540d\u7a31\u6b04\u4f4d=deny\u9019\u500b\u529f\u80fd
event correlation: SIEM\u4e3b\u8981\u529f\u80fd<\/p>\n\n\n\n


ps:
\u7570\u5e38\u5206\u6790\u5e38\u898b\u65b9\u6cd5
1.\u4ee5windows logon event\u70ba\u4f8b
2.\u7d71\u8a08\u9023\u7e8c1\u500b\u6708\u8cc7\u6599(IP\u6216user\u7684\u767b\u5165\u767b\u51fa\u6642\u9593)\u7684baseline
3.\u6839\u64dabase\u505a\u5206\u6790<\/p>\n\n\n\n

ps:
recommendation book
book of log visualization:applied security visualization
http:\/\/dl.acm.org\/citation.cfm?id=1403873<\/p>\n\n\n\n

…………………………………………………………………………………………………………..<\/p>\n\n\n\n

Centralized Log and Correlation<\/strong><\/h2>\n\n\n\n

Centralized logging<\/strong>
\u3002gathering the computer system logs for a group of systems in a centralized location.
\u3002monitoring computer system logs with the frequency required to detect security violations and unusual activity.<\/p>\n\n\n\n

Advantage<\/strong>
hacker\u5165\u4fb5\u6642\u6709log server\u4ecd\u53ef\u4ee5\u4fdd\u7559\u8cc7\u6599<\/p>\n\n\n\n

Common solution<\/strong>
syslog
SOC<\/p>\n\n\n\n

………..<\/p>\n\n\n\n

Type of event correlation<\/strong>
same-platform correlation:using same OS platforms throughout the network
cross-platform correlation:using different OS platforms throughout the network<\/p>\n\n\n\n

Event correlation approaches<\/strong>
graph-based approach
neural network-based approach
codebook-based approach
rule-based approach
file-bsed approach
automated field correlation
packet parameter\/payload correlation for network management
profile\/fingerprint-based approach
vulnerability-based approach
open-port-based approach
bayesian correlation
time or role-based approach
route correlation<\/p>\n\n\n\n

automated field correlation<\/strong>
all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields<\/p>\n\n\n\n

………………………………………………………………………………..<\/p>\n\n\n\n

Time Synchronization<\/strong><\/h2>\n\n\n\n

Log time<\/strong>
\u6240\u6709\u7684log\u6642\u9593\u5efa\u8b70\u4e00\u81f4
it is essential that the computers’ clocks are synchronized, when monitoring events from multiple sources<\/p>\n\n\n\n

ps:
hacker \u6703\u6539\u6642\u9593\u8b93log\u8a18\u9304\u932f\u7684\u6642\u9593\uff0c\u82e5\u5206\u6790\u6642\u4f9d\u8cf4\u7cfb\u7d71\u4e0a\u7684\u6642\u9593\uff0c\u53ef\u80fd\u6703\u5c0e\u81f4\u932f\u904ehacker\u7684\u653b\u64ca\u6d3b\u52d5\u8a18\u9304<\/p>\n\n\n\n

ps
\u5e38\u898b\u6642\u9593\u683c\u5f0f
GMT(\u683c\u6797\u5a01\u6cbb\u6a19\u6e96\u6642\u9593)\uff0c\u7b2c\u4e00\u500b\u51fa\u73fe\u7684\u6642\u9593\u683c\u5f0f
UTC(\u4e16\u754c\u5354\u8abf\u6642\u9593)\uff0c\u7528\u66f4\u5148\u9032\u7684\u8a08\u7b97\u65b9\u5f0f\u7b97\u51fa,UTC\u6bd4GMT\u4f86\u5f97\u66f4\u52a0\u7cbe\u6e96
CST(\u4e2d\u592e\u6a19\u6e96\u6642\u9593), =UTC+8<\/p>\n\n\n\n


NTP(Network Time Protocol)<\/strong>
synchronize time among multiple computers
\u4ee5\u5c01\u5305\u4ea4\u63db\u628a\u5169\u53f0\u96fb\u8166\u7684\u6642\u9418\u540c\u6b65\u5316\u7684\u901a\u8a0a\u5354\u5b9a
using UDP 123
refer
https:\/\/en.wikipedia.org\/wiki\/Network_Time_Protocol<\/p>\n\n\n\n

NTP stratum levels
stratum-0: connect to computer of stratum1 by RS232
stratum-1: time is from stratum0
stratum-2: time is from stratum1 by NTP
stratum-3: time is from stratum2 by NTP, and so on<\/p>\n","protected":false},"excerpt":{"rendered":"

Computer security logscompany …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-355","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=355"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/355\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}