June 14, 2004 SUNY Technology Conference
Centralized Logging
Bill Kramp, Network Administrator
Finger Lakes Community College
SUNY Technology Conference
Centralized Logging
Logging Windows events and syslog messages to a central
server for analysis.
Overview
Reasons to log
Centralized logging and analysis
Unix, Windows, open source, commercial
Home brew solution at FLCC
Reasons to log events
Record security events
Monitor applications
Track configuration changes
Sarbanes-Oxley Act compliance
HIPAA compliance
Low in carbs!
Reasons for Centralized Logging
Correlation of data across sources
Manageability
Data integrity (a copy the compromised host cannot alter)
Time synchronization
Real-time alert capability
Single backup location for log data
Log Analysis Process
Data sources
Filtering
Normalization
Aggregation
Correlation
Report/Display
Data Sources
Windows – event logs and applications
Unix – syslog and applications
Firewalls
Routers
Intrusion detection systems
Host intrusion detection systems
SNMP traps
Honeypots
Windows Events
Application
System
Security
Windows Events (Win2003)
Application
System
Security
DNS Server
Directory Service
File Replication Service
Security Event Categories
Logon events
Account logon events
Object access events
Directory Service access events
Privilege use events
Process tracking events
System events
Policy change events
Syslog basics
UDP datagrams sent to port 514
Three parts to a message: PRI (priority), HEADER (timestamp and hostname), MSG (message)
PRI encodes the facility and the severity: PRI = facility * 8 + severity
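The PRI arithmetic and the three-part split, as an added example that is not from the presentation: a small Python parser and builder for BSD syslog datagrams. The facility and severity tables follow RFC 3164; the sample datagram is constructed, and its PRI of 166 (local4.info) reflects the PIX default logging facility, which is an assumption about the sender rather than anything the slide states.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Facility and severity codes as numbered in the BSD syslog protocol (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BSD HEADER: "Mmm dd hh:mm:ss HOSTNAME " (day may be space-padded), then MSG.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]   # None when the sender omitted the HEADER
    host: Optional[str]
    msg: str
    well_formed: bool          # False when PRI or HEADER had to be defaulted

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity; the largest legal value is 23*8 + 7 = 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def encode_pri(facility: int, severity: int) -> int:
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse(datagram: bytes) -> SyslogMessage:
    """Split one UDP/514 datagram into PRI, HEADER and MSG.

    RFC 3164 tells relays to keep malformed messages rather than drop them: a
    datagram with no valid PRI is treated as <13> (user.notice) with its whole
    content as MSG; one with a PRI but no parsable HEADER keeps the PRI and gets
    no timestamp or host.
    """
    raw = datagram.decode("ascii", errors="replace")
    well_formed = True
    m = PRI_RE.match(raw)
    if m and int(m[1]) <= 191:
        pri, rest = int(m[1]), m[2]
    else:
        pri, rest, well_formed = 13, raw, False
    facility, severity = decode_pri(pri)
    h = HEADER_RE.match(rest)
    if h:
        return SyslogMessage(facility, severity, h[1], h[2], h[3], well_formed)
    return SyslogMessage(facility, severity, None, None, rest, False)


def build(facility: int, severity: int, timestamp: str, host: str, msg: str) -> bytes:
    """Assemble a datagram the way a sender such as a firewall or syslog-ng would."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {msg}".encode("ascii")


# Constructed sample datagram (not from the slides): local4.info from a PIX-style sender.
SAMPLE = (b"<166>Jun 14 09:15:02 fw1 %PIX-6-302014: Teardown TCP connection 12 for "
          b"outside:10.0.0.5/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O")

if __name__ == "__main__":
    m = parse(SAMPLE)
    print(m.facility_name, m.severity_name, m.host, m.msg)
```

Two caveats follow directly from the format: UDP gives no delivery guarantee, and the hostname in the HEADER is whatever the sender put there, so nothing in the datagram authenticates its origin. A collector that discards malformed datagrams also silently loses the messages from exactly the devices whose syslog implementation is sloppiest, which is why the parser above defaults rather than rejects.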
Unix syslog
boot
cron
secure
E-mail
kernel
local0 - local7
*nix Syslog Alternatives
Syslog-ng – www.balabit.com/products/syslog_ng/
SDSC Secure Syslog – sourceforge.net/projects/sdscsyslog/
Modular Syslog – www.corest.com/corelabs/
Windows Syslog Alternatives
Kiwi Syslog – www.kiwisyslog.com
WinSyslog – www.adiscon.com
SL4NT – www.netal.com
Syslog Daemon – www.triaction.nl
Cisco syslog – www.cisco.com
3Com Daemon – www.3com.com
Centralized Windows Events
LogAnalyst for Windows 2000 Server
Central database of events
Built-in report generator
Available with the Win2000 Resource Kit
GUI interface
www.cybersafe.com/centrax/cla1.html
Forwarding Windows Events
Snare – www.intersect-alliance.com
NTsyslog – ntsyslog.sourceforge.net
EventReporter – eventreporter.com
Win32::EventLog (Perl module) – www.cpan.org
Commercial Log Analysis Tools
enVision – www.opensystems.com
Snare – www.intersect-alliance.com
ServerVision – sunbelt-software.com
MoniLog – www.monilog.com
GFI LANguard – www.gfi.com
neuSECURE – www.guarded.net
MoniLog
Handles syslog and Windows events
Windows based
Rule engine to include or discard messages
Reports distributed by HTML or E-mail
enVision
Many options for reports, nice console
Appliance solution
Models sold by the sustained events per second required
Hardware supported: *nix, firewalls, switches, IDSs
neuSECURE
Handles many log formats: Unix syslog, Windows events, SNMP traps
Event aggregation
Threat correlation
Open Source Monitoring Tools
Swatch – swatch.sourceforge.net
Logsurfer+ – www.crypt.gen.nz/logsurfer
LogSentry – www.psionic.com
POE – poe.perl.org
SEC – simple-evcorr.sourceforge.net
Swatch
"Grandfather" of log monitoring tools
Simple expression matching
Matches can trigger execution of scripts or echoing of the match to the console
Throttle option to limit repeated matches for a period of time
POE – Perl Object Environment
Multitasking using events and handlers
Can create separate objects to monitor multiple log files
Tasks run in a single process, so handlers can't be interrupted
DBI support for MySQL, etc.
Support for a pre-forking web server
Simple Event Correlator
Applies pattern matching to files or pipes
Threshold rules, with either a single threshold or both a low and a high threshold
Pairing of multiple events within a time window
Suppression rules
Home Brew Solution
Log Sources
PIX firewalls: primary and redundant PIXes, Extension Center PIXes, X-net PIXes
Windows servers: DNS, Web, SAN
Linux servers: DNS, service monitoring
SNMP traps: network switches, UPSs
FLCC Project
Send all log messages from the different sources to a single logging server.
Save all the raw data and burn it to DVD.
Filter out messages that are not important.
Normalize the data from the different sources.
Write the filtered data to a database.
Display the important events on a single web-based interface.
Centralized Logging
Log Analysis Process
Data sources
Filtering
Normalization
Aggregation
Correlation
Report/Display
Normalization Issue
PIX: Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O
Honeypot: 2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80
Windows: Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, June 10, 2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1
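The three formats above mapped onto one record, as an added example that is not part of the presentation or of the FLCC code. The three input lines are the ones shown on the slide; the Event schema, its field names and the default year for yearless syslog timestamps are my own choices, and the honeypot line is treated as a honeyd-style connection log (an assumption from its layout, not something the slide says).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Event:
    """The common record every source is mapped onto before filtering and storage."""
    source: str                   # "pix", "honeypot" or "windows"
    time: datetime
    host: str
    event_id: str                 # PIX message ID, honeypot connection flag, or Windows event ID
    severity: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[str] = None
    text: str = ""


SYSLOG_TS = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"

# PIX via syslog: relay timestamp, relay-seen host, optional PIX timestamp, %PIX-sev-id, text.
PIX_RE = re.compile(rf"^(?P<rts>{SYSLOG_TS}) (?P<host>\S+) "
                    r"(?:(?P<pts>[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d): )?"
                    r"%PIX-(?P<sev>\d)-(?P<id>\d+): (?P<text>.*)$")
# "interface:ip/port" with interface and port optional, e.g. outside:24.24.54.63/4910,
# 192.168.1.9/32771 or inside:172.16.46.148 (first hit is the source, second the destination).
ENDPOINT_RE = re.compile(r"(?:\b[\w-]+:)?(\d{1,3}(?:\.\d{1,3}){3})(?:/(\w+))?")
# Honeypot connection log: timestamp proto(num) flag src sport dst dport.
HONEYPOT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\.\d+ (?P<proto>\w+)\(\d+\) "
                         r"(?P<flag>\S+) (?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)")
# Snare-forwarded Windows event: relay header, MSWinEventLog, criticality, log name,
# counter, Windows timestamp, event ID, then the remaining fields.
SNARE_RE = re.compile(rf"^(?P<rts>{SYSLOG_TS}) (?P<host>\S+) MSWinEventLog\s+(?P<crit>\d+)\s+"
                      r"(?P<log>\S+)\s+\d+\s+"
                      r"(?P<wts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
                      r"(?P<eid>\d+)\s+(?P<rest>.*)$")


def _syslog_time(ts: str, year: int) -> datetime:
    """BSD syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def normalize(line: str, year: int = 2004) -> Optional[Event]:
    """Map one raw line from any of the three sources onto Event; None if unrecognised."""
    m = PIX_RE.match(line)
    if m:
        # Prefer the PIX's own timestamp because it carries the year; the relay timestamp
        # is the fallback when the PIX was not configured to send one. The two clocks may
        # disagree (the slide's line differs by a second), which is the time-sync problem.
        when = (datetime.strptime(m["pts"], "%b %d %Y %H:%M:%S") if m["pts"]
                else _syslog_time(m["rts"], year))
        ends = [(ip, port or None) for ip, port in ENDPOINT_RE.findall(m["text"])]
        src, dst = (ends + [(None, None)] * 2)[:2]
        return Event("pix", when, m["host"], f"PIX-{m['sev']}-{m['id']}", severity=m["sev"],
                     src=src[0], sport=src[1], dst=dst[0], dport=dst[1], text=m["text"])
    m = HONEYPOT_RE.match(line)
    if m:
        # No hostname in this format; the destination address is the honeypot itself, so it
        # is used as the host (assumption).
        return Event("honeypot", datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S"), m["dst"],
                     m["flag"], src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
                     text=f"{m['proto']} {m['flag']}")
    m = SNARE_RE.match(line)
    if m:
        # Snare's own output is tab-delimited; the slide's copy has the tabs flattened to
        # spaces, so only the fixed-position fields are separated and the rest stays free text.
        when = datetime.strptime(" ".join(m["wts"].split()), "%a %b %d %H:%M:%S %Y")
        return Event("windows", when, m["host"], m["eid"], severity=m["crit"],
                     text=f"{m['log']}: {m['rest']}")
    return None


# The three lines from the slide above, plus one line from the filtered report slide.
SLIDE_LINES = {
    "pix": "Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP "
           "connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration "
           "0:00:15 bytes 9995 TCP Reset-O",
    "honeypot": "2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80",
    "windows": "Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 "
               "2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation "
               "Ready: The following updates are downloaded and ready for installation. This "
               "computer is currently scheduled to install these updates on Thursday, June 10, "
               "2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1",
    "pix_no_ts": "Jun 4 23:13:39 192.168.1.1 %PIX-6-302010: 1 in use, 76 most used",
}

if __name__ == "__main__":
    for name, line in SLIDE_LINES.items():
        print(name, normalize(line))
```

Once every source lands in the same record, the filter and the database schema only have to know one shape, and the time column is comparable across sources, which is what the correlation step needs.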
June 14, 2004 SUNY Technology Conference
Filtered HTML ReportJun 4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL from
192.168.1.9/32771 to inside:192.168.1.1/telnet Jun 4 23:16:14 192.168.1.1 %PIX-7-111009: User 'enable_15' executed cmd: show ip address outside
Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from
192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15" Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to
inside:192.168.1.1/https for user "enable_15" Jun 4 23:13:39 192.168.1.1 %PIX-6-302010: 1 in use, 76 most used
Jun 4 23:03:39 192.168.1.1 %PIX-6-302010: 4 in use, 76 most used
June 14, 2004 SUNY Technology Conference
Event 1 Graph – Jan 25, 2003
Slammer Syslog Entries
Jan 25 00:29:42 router Jan 25 2003 01:32:12: %PIX-4-106023: Deny udp src outside:216.120.67.34/2596 dst library:192.156.234.247/1434 by access-group "acl-outside"
Event 2 Graph – Oct. 9, 2003
Welchia Syslog Entries
Oct 9 13:43:00 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.148 (type 8, code 0)
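The threshold, pair and suppression rule types described under Simple Event Correlator, applied to the kind of entries the Slammer and Welchia slides show and to the denied/permitted login pair from the filtered report, as an added Python example: this is neither SEC itself nor the FLCC code. The Slammer and Welchia sample lines are constructed to mirror the slide's entries; the two login lines are the ones the filtered report shows; the window, threshold and year values are assumptions. Counting runs on the relay's timestamp, the one clock every source shares, not on the PIX's own timestamp in the message body (on the Slammer line the two differ by an hour).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Minimal extraction from a PIX syslog line: relay timestamp, PIX message number, and the
# src/dst endpoints named in the text (interface prefix and port are optional).
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ .*?%PIX-\d-(?P<id>\d+): (?P<text>.*)$")
SRC_RE = re.compile(r"\b(?:src|from) (?:[\w-]+:)?(\d{1,3}(?:\.\d{1,3}){3})")
DST_RE = re.compile(r"\b(?:dst|to) (?:[\w-]+:)?(\d{1,3}(?:\.\d{1,3}){3})(?:/(\w+))?")
USER_RE = re.compile(r'for user "([^"]+)"')


def fields(line, year=2003):
    """Fields the rules key on, or None if the line is not a PIX message.
    BSD syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    text = m["text"]
    src, dst, user = SRC_RE.search(text), DST_RE.search(text), USER_RE.search(text)
    return {"ts": ts, "id": m["id"], "text": text,
            "src": src[1] if src else None,
            "dst": dst[1] if dst else None,
            "dport": dst[2] if dst and dst[2] else None,
            "user": user[1] if user else None}


class Correlator:
    """SEC-style rules over a time-ordered stream of lines; alerts are returned, not printed."""

    def __init__(self, window=timedelta(seconds=60), threshold=5):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)   # (rule, key) -> deque of (ts, dst) inside the window
        self.suppress = {}               # (rule, key) -> no new alert for this key before this time
        self.pending = {}                # (rule, key) -> ts of the first half of a pair

    def _threshold(self, rule, key, ts, dst, alert, distinct=False):
        """Single-with-threshold: fire once when the count inside the window reaches the
        threshold, then suppress that key for one window so a worm burst yields one alert,
        not thousands. With distinct=True the count is of distinct destinations (a sweep)."""
        if self.suppress.get((rule, key), datetime.min) > ts:
            return None
        q = self.hits[(rule, key)]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        n = len({d for _, d in q}) if distinct else len(q)
        if n >= self.threshold:
            q.clear()
            self.suppress[(rule, key)] = ts + self.window
            return alert
        return None

    def feed(self, line):
        f = fields(line)
        if f is None:
            return []
        alerts, ts, src = [], f["ts"], f["src"]
        secs = int(self.window.total_seconds())
        # Rule 1 (threshold): many udp/1434 denies from one source, the Slammer signature.
        if f["id"] == "106023" and f["dport"] == "1434" and "udp" in f["text"]:
            a = self._threshold("slammer", src, ts, f["dst"],
                                f"{src}: {self.threshold}+ udp/1434 denies within {secs}s (Slammer-like)")
            if a:
                alerts.append(a)
        # Rule 2 (threshold on distinct hosts): ICMP echo from one source to many hosts, a Welchia-style sweep.
        if f["id"] == "305005" and "icmp" in f["text"] and "type 8" in f["text"]:
            a = self._threshold("sweep", src, ts, f["dst"],
                                f"{src}: ICMP echo to {self.threshold}+ distinct hosts within {secs}s (Welchia-like)",
                                distinct=True)
            if a:
                alerts.append(a)
        # Rule 3 (pair): a permitted login that follows a denied one for the same user and source.
        if f["id"] == "605004" and f["user"]:
            self.pending[("login", src, f["user"])] = ts
        elif f["id"] == "605005" and f["user"]:
            t0 = self.pending.pop(("login", src, f["user"]), None)
            if t0 is not None and ts - t0 <= self.window:
                alerts.append(f"login for {f['user']} from {src} permitted "
                              f"{int((ts - t0).total_seconds())}s after a denial")
        return alerts


def run(lines, **kw):
    c = Correlator(**kw)
    return [a for line in lines for a in c.feed(line)]


# Constructed sample lines modelled on the slides' Slammer and Welchia entries.
SLAMMER = [f"Jan 25 00:29:{42 + i:02d} router Jan 25 2003 01:32:{12 + i:02d}: %PIX-4-106023: Deny udp src "
           f"outside:216.120.67.34/2596 dst library:192.156.234.{247 - i}/1434 by access-group \"acl-outside\""
           for i in range(6)]
WELCHIA = [f"Oct 9 13:43:{i:02d} 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group "
           f"found for icmp src student:172.17.203.169 dst inside:172.16.46.{148 + i} (type 8, code 0)"
           for i in range(5)]
# Same number of pings, but one host pinging one other host: a sweep rule must stay quiet.
REPEAT_PING = [w.replace("172.17.203.169", "172.17.203.170").replace(f"172.16.46.{148 + i}", "172.16.46.148")
               for i, w in enumerate(WELCHIA)]
# The two login lines from the filtered report slide.
LOGIN = ['Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to inside:192.168.1.1/https for user "enable_15"',
         'Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from 192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"']

if __name__ == "__main__":
    for a in run(SLAMMER + WELCHIA + REPEAT_PING + LOGIN):
        print(a)
```

The suppression after a threshold fires is what keeps a worm outbreak from becoming an alert storm: the event-per-second graphs on the surrounding slides are exactly the bursts that would otherwise page someone once per packet. The login pair is a "worth a look" alert rather than proof of anything; a mistyped password gives the same sequence, which is why the time between the two events is carried in the message.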
Event 2 Graph Detail
Open Source Tools Used
Syslog-ng
Snare
POE – Perl Object Environment
GD Graphics Library – www.boutell.com
GD::Graph module by Martien Verbruggen
MySQL
Apache
SEC – Simple Event Correlator
CRM-114 Bayesian filter
What’s the solution?
Depends on the data sources
Supported operating systems
What are the report/alert requirements?
Comfort level with open source
Affordable commercial solutions
Things to consider
Throughput (messages per second)
Hashing/signatures for log integrity
Encryption of logs in transit
Bayesian and statistical filters
Stealth logging (a collector with no visible address)
Hardware Issues
Dual processors and/or hyper-threading
Lots of memory
Fast SCSI drives
DVD or tape for data backups
Separate servers for data collection and the database
Web Resources
http://www.loganalysis.org
http://rr.sans.org
http://www.microsoft.com/technet/
www.loganalysis.org site
Centralizing Logging: Complete Reference Guide to Creating a Remote Log Server
Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
Centralized Logging using Logsentry in a Large UNIX Environment – Saleem Kazmi, paper for SANS GIAC certification
Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging – from the SANS Reading Room
rr.sans.org Reading Room: logging issues
The Importance of Logging and Traffic Monitoring for Information Security – Seham GadAllah, April 19, 2004
Centralizing Event Logs on Windows 2000 – Gregory Lalla, GSEC, April 4, 2003
Security Management Systems: An Oversite Layer for Layers of Defense – Dan Keldsen, September 4, 2003
The Ins and Outs of System Logging Using Syslog – Ian Eaton, GSEC-3077, August 14, 2003
Mixed Environment Logging
Garbrecht, Frederick C. "Practical Implementation of Syslog in Mixed Windows Environments for Secure Centralized Audit Logging." SANS Reading Room. Accessed 10 June 2004. <http://www.sans.org/rr/papers/9/713.pdf>
Visualization Techniques
Takada, Tetsuji and Koike, Hideki. "MieLog." University of Electro-Communications. Accessed 10 June 2004. <http://www.vogue.is.uec.ac.jp/~koike/papers/mielog/FormattedPaperLISA02.pdf>
Filtering and Correlation
Chyssler, Tobias; Nadjm-Tehrani, Stefan; and Burbeck, Kalle. "Alarm Reduction and Correlation in Defense of IP Networks." Accessed 10 June 2004. <http://www.ida.liu.se/~rtslab/publications/2004/Chyssler04_wetice.pdf>
Books and Guides
Bauer, Michael. Building Secure Servers with Linux. O’Reilly, 2002.
Microsoft Solution for Securing Windows 2000 Server, Chapter 9: Auditing and Intrusion Detection. Accessed 10 June 2004. <http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/default.mspx>
End of presentation
Please remember to fill out the form.
E-mail questions to [email protected]
The full presentation will be available online at my web page: http://paws.flcc.edu/~krampwd/presentations/
Thank you for attending.