Network Forensics: Principles of Network Forensics


Posted 12-Sep-2021

Page 1: Network Forensics - Principles of Network Forensics

Slide 1: Network Forensics
Richard Baskerville
Georgia State University

Slide 2: Agenda
- Principles of Network Forensics
- Terms & Log-based Tracing
- Application Layer Log Analysis
- Lower Layer Log Analysis

Slide 3: Network Forensics Principles

Slide 4: Network Forensics
The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems.

Kim, et al. (2004) “A fuzzy expert system for network forensics”, ICCSA 2004, Berlin: Springer-Verlag, p. 176

Slide 5: Network Attacks
- Protocol, e.g., SQL injection
- Malware, e.g., virus, Trojan, worm
- Fraud, e.g., phishing, pharming, etc.

Slide 6: Attack Residue
- Successful: obfuscation of residue
- Unsuccessful: residue is intact


Slide 7: Network Traffic Capture - Logging Issues Driving Automated Support
- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs: importance of timestamping

Slide 8: Honeytraps
Systems designed to be compromised and collect attack data.
From Yasinac, A. and Manzano, Y. (2002) “Honeytraps, A Network Forensic Tool”, Florida State University.

Slide 9: Network Traffic Analysis Usually Requires Software Tools
- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data: avoiding detection and analysis-data compromise

Slide 10: Traceback Evidence Processing
- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping
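Slides 7 and 10 both stress that records from several collectors can only corroborate each other if their timestamps are comparable. The following added example (not part of the lecture) shows the point with constructed records: the web server stamps local time with a UTC offset, as the Common Logfile Format does, while a firewall (a constructed syslog-like format, assumed here) stamps UTC. Comparing aware timestamps pairs the records; comparing raw wall-clock values, which is what happens when a collector's time zone is not recorded, finds nothing.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample records from two independent collectors (added example data,
# not from the slides). Addresses are from RFC 5737 documentation ranges.
WEB_LOG = [
    '203.0.113.5 - - [25/Mar/2010:13:34:38 -0400] "GET /readings.html HTTP/1.1" 200 1411',
    '198.51.100.9 - - [25/Mar/2010:13:36:02 -0400] "GET /admin HTTP/1.1" 403 0',
]
FIREWALL_LOG = [  # constructed format: <UTC time>Z <action> <proto> <src>:<port> -> <dst>:<port>
    "2010-03-25T17:34:37Z ACCEPT TCP 203.0.113.5:51234 -> 192.0.2.10:80",
    "2010-03-25T17:35:59Z ACCEPT TCP 198.51.100.9:44012 -> 192.0.2.10:80",
    "2010-03-25T17:36:01Z ACCEPT TCP 198.51.100.9:44013 -> 192.0.2.10:80",
    "2010-03-25T17:36:02Z ACCEPT TCP 192.0.2.77:40111 -> 192.0.2.10:22",
]

WEB_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
FW_RE = re.compile(r"^(?P<ts>\S+)Z \S+ \S+ (?P<ip>[\d.]+):\d+ -> ")

Event = Tuple[datetime, str]  # (timezone-aware timestamp, client IP)


def web_events(lines: List[str]) -> List[Event]:
    """Parse web-server lines; the [date] field carries its own offset, so %z makes it aware."""
    events = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue  # a line that does not match the format is skipped, never guessed at
        local = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((local, m.group("ip")))
    return events


def firewall_events(lines: List[str]) -> List[Event]:
    """Parse firewall lines; the trailing Z means UTC, so attach that zone explicitly."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, m.group("ip")))
    return events


def correlate(web: List[Event], fw: List[Event],
              window: timedelta = timedelta(seconds=5)) -> List[Tuple[Event, Event]]:
    """Pair each web request with every firewall record for the same client IP within the window.
    Subtracting aware datetimes accounts for the differing offsets automatically."""
    pairs = []
    for w_ts, w_ip in web:
        for f_ts, f_ip in fw:
            if w_ip == f_ip and abs(w_ts - f_ts) <= window:
                pairs.append(((w_ts, w_ip), (f_ts, f_ip)))
    return pairs


def naive_correlate(web: List[Event], fw: List[Event],
                    window: timedelta = timedelta(seconds=5)) -> List[Tuple[Event, Event]]:
    """The same pairing with the zone information thrown away: 13:34:38 local is compared
    against 17:34:37 UTC as if both were on one clock, and nothing lines up."""
    strip = lambda events: [(ts.replace(tzinfo=None), ip) for ts, ip in events]
    return correlate(strip(web), strip(fw), window)


if __name__ == "__main__":
    web, fw = web_events(WEB_LOG), firewall_events(FIREWALL_LOG)
    print("aware comparison:", len(correlate(web, fw)), "corroborating pairs")
    print("wall-clock comparison:", len(naive_correlate(web, fw)), "corroborating pairs")
```

The window of five seconds is an assumption for the sample; in practice it should reflect the measured clock skew between collectors, which is itself something to record at collection time.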

Slide 11: Terms and Log-based Tracing

Slide 12: Two Important Terms
- Promiscuous Mode: An Ethernet Network Interface Card (NIC) in promiscuous mode is a configuration that will pass all traffic received by the card to the operating system, rather than just packets addressed to it. This feature is normally used for packet sniffing.
- IP Spoofing: Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. Responses to spoofed packets will go to the forged source address. Mainly used for Denial of Service, where the attacker does not care about the response, or for defeating IP-based authentication. It is sometimes possible for an attacker to recover responses, when the spoofed address is on a LAN or WAN controlled by the attacker.


Slide 13: Rootkit
- Blackhat software that gains control over a computer or network. "Root" refers to the administrative (superuser) computer account. "Kit" refers to the mechanisms that gain entry into the target computer and modify it for later, more simplified means of access (a backdoor).
- Rootkits will usually erase the system event logging capacity in an attempt to hide attack evidence, and may disclose sensitive data. A well designed rootkit will replace parts of the operating system with rootkit processes and files, and obscure itself from security scanning.

Slide 14: Honeypot Data
- A network host computer serving only the purpose of attracting network-based attacks. Because a honeypot is intended to host no legitimate activity, any activity detected on this host is assumed to be intrusion activity.
- Data on honeypot activity is carefully captured to avoid detection and corruption. It is used to study ongoing network-based attacks for the purpose of developing defenses and remedies for potential or experienced compromises.

Slide 15: Log-based Tracing
[Diagram: client and server protocol stacks (Application/HTTP, Transport/TCP, Internet/IP, Network/X.25), with the data unit at each layer labeled Data, Data + TL Pr, Data + TL/IL Pr, and Data + TL/IL/NA Pr. Log sources along the path between client and server: sniffers, server log, proxy or firewall log, router log, all feeding forensics analysis.]

Slide 16: Logging Options
- Issues of efficiency in logfile space and processing time
- Sometimes options, e.g., Off, Succinct, Verbose

Slide 17: Application Layer Log Analysis

Slide 18: Web Server Logs - Example of Application Layer Logging
- Access Log File: contains a log of all the requests.
- Proxy Access Log File: (if directed) a separate log of proxy transactions (otherwise logged to the Access Log)
- Cache Access Log: (if directed) a separate log of cache accesses (otherwise logged to the Access Log)
- Error Log File: log of errors


Slide 19: The Common Logfile Format (World Wide Web Consortium, W3C)
Format: remotehost rfc931 authuser [date] "request" status bytes
- remotehost: remote hostname (or IP number if the DNS hostname is not available, or if DNSLookup is Off).
- rfc931: the remote logname of the user.
- authuser: the username as which the user has authenticated himself.
- [date]: date and time of the request.
- "request": the request line exactly as it came from the client.
- status: the HTTP status code returned to the client.
- bytes: the content-length of the document transferred.

Slide 20: Web Server Logfile Example
209.240.221.71 - - [03/Jan/2001:15:20:06 -0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 "http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"

Thamason, L. (2001) “Analyzing Web Site Traffic”, NetMechanic (4)11. http://www.netmechanic.com/news/vol4/promo_no11.htm

Slide 21: IIS Logging Options

Slide 22: Web Server Access Log

Slide 23: Web Server Log Analysis Tools: Page Delivery
Usually intended for management

Slide 24: Web Server Log Analysis Tools: File Delivery


Slide 25: Web Server Log Analysis Tools: Users

Slide 26: Web Server Logfile Live Example #1
131.96.102.37 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 0 "-" "eliza-google-crawler (Enterprise; S5-JDM5GCVTD6NJB;[email protected],[email protected])"

- Unauthorized (status 401)
- Nothing delivered (0 bytes)

Slide 27: Simple “Who Is” Tracing
Subject to spoofing

Slide 28: Web Server Logfile Live Example #2
208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38 -0400] "GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 "http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

- Request fulfilled (status 200)
- 60KB delivered (60818 bytes)
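Slide 19 gives the Common Logfile Format and slides 20, 26 and 28 read real lines against it by hand. The following added example (not part of the lecture) is a parser that does the same reading mechanically: it splits a line into the CLF fields plus the referer and user-agent that the examples append, tolerates the extra numeric field that appears after bytes in the live examples, keeps the request line raw when it is not a clean "method path protocol" triple (the slide's point that it is logged exactly as the client sent it), and summarizes each entry the way the slide annotations do. The sample lines are constructed after the slides' examples; the crawler identifier and addresses of the second line are replaced by a placeholder.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample lines modelled on slides 20, 26 and 28 (added example data).
SAMPLE_LINES = [
    '209.240.221.71 - - [03/Jan/2001:15:20:06 -0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 '
    '"http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"',
    '131.96.102.37 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 0 '
    '"-" "eliza-google-crawler (Enterprise; CONSTRUCTED-CRAWLER-ID)"',
    '208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38 -0400] '
    '"GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 '
    '"http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"',
]

# CLF core: remotehost rfc931 authuser [date] "request" status bytes
# followed by an optional extra numeric field (seen in the live examples, presumably a
# server-specific addition) and the optional "referer" "user-agent" pair.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+)'
    r'(?: (?P<extra>\d+))?'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


@dataclass
class LogEntry:
    host: str
    ident: Optional[str]
    authuser: Optional[str]
    timestamp: datetime          # timezone-aware, from the [date] field's offset
    method: Optional[str]
    path: str                    # the raw request line if it could not be split
    protocol: Optional[str]
    status: int
    bytes_sent: int
    referer: Optional[str]
    user_agent: Optional[str]


def split_request(request: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split "GET /path HTTP/1.0"; anything else is kept verbatim as the path."""
    parts = request.split(" ")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None, request, None


def parse_clf(line: str) -> LogEntry:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"not a Common Logfile Format line: {line!r}")
    dash = lambda v: None if v in (None, "-") else v   # "-" means "not available"
    method, path, protocol = split_request(m.group("request"))
    return LogEntry(
        host=m.group("host"),
        ident=dash(m.group("ident")),
        authuser=dash(m.group("authuser")),
        timestamp=datetime.strptime(m.group("date"), "%d/%b/%Y:%H:%M:%S %z"),
        method=method, path=path, protocol=protocol,
        status=int(m.group("status")),
        bytes_sent=0 if m.group("bytes") == "-" else int(m.group("bytes")),
        referer=dash(m.group("referer")),
        user_agent=dash(m.group("agent")),
    )


def summarize(entry: LogEntry) -> str:
    """Annotate an entry the way slides 26 and 28 do."""
    if entry.status == 401:
        return "Unauthorized, nothing delivered"
    if 200 <= entry.status < 300:
        return f"Request fulfilled, {entry.bytes_sent // 1000} KB delivered"
    return f"Status {entry.status}, {entry.bytes_sent} bytes"


def analyze(lines: List[str]) -> List[str]:
    out = []
    for line in lines:
        e = parse_clf(line)
        who = e.authuser or "anonymous"
        out.append(f"{e.timestamp.isoformat()} {e.host} ({who}) {e.method} {e.path}: {summarize(e)}")
    return out


if __name__ == "__main__":
    for row in analyze(SAMPLE_LINES):
        print(row)
```

Because the [date] field carries its own UTC offset, the parsed timestamps are timezone-aware and can be compared directly with records from other collectors.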

Slide 29: Simple “Who is” Tracing
Help for tracing abuse

Slide 30: Lower Layer Log Analysis


Slide 31: Transport, Internet, Network Access Logging
[Diagram: the server-side protocol stack below the application layer (Transport/TCP, Internet/IP, Network/X.25), with the data unit at each layer labeled Data + TL Pr and Data + TL/IL Pr, and the log sources at each point: sniffers, server log, proxy or firewall log, router log.]

Slide 32: Reconstructing Data Flows
- Logs record packet headers, not sessions or flows
- Logs usually ignore packet contents for efficiency
- Flow can be logically reconstructed from: IP addresses, port numbers, implied protocols, sequencing

Figure: Reconstructing TCP flows from raw IP network traffic. From E. Casey (2004) “Network Traffic as a source of evidence”, Digital Investigation 1 (1) 28-43.

Slide 33: TCP Connection Graph - Network Analysis Tools
Port 139: This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.

Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy, 72-77.

Slide 34: Incoming TCP Connection Graph
Inbound port 139 connections suggest the firewall and the host are controlled by intruders.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy, 72-77.

Slide 35: Outgoing TCP Connection Graph
These outgoing port 139 connections suggest this machine has been compromised by intruders.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy, 72-77.

Slide 36: Detecting the Moment of Compromise
Port 42895 is not “listening”; attempts to connect are “reset” (RST).
Port 42895 starts “listening”; attempts to connect “finish” (FIN): some software has started monitoring this port at 5:50:37.
Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy, 72-77.
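Slide 32 says flows must be reconstructed from header-only logs (addresses, ports, sequencing), and slide 36 reads such a reconstruction to find the moment a honeypot port changed from refusing connections (RST) to accepting them. The following added example (not part of the lecture or of Raynal et al.) does both over a constructed header log in a tcpdump-like line format assumed here: it groups packets into bidirectional flows, classifies each flow from the server's replies, and reports the first time the watched port answered a SYN with SYN-ACK instead of RST. The port 42895 and the 5:50:37 transition follow the slide's narrative; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PacketHeader:
    ts: time
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump-style letters: S=SYN, A=ACK, F=FIN, R=RST (SA = SYN-ACK)
    seq: int


HONEYPOT = "192.0.2.10"
SCANNER = "198.51.100.7"

# Constructed header-only log (added example data, not from the slides): no payloads,
# as slide 32 notes. Two connection attempts are refused; the third, at 05:50:37,
# completes a handshake and is closed with FIN, so something is now listening.
RAW_LOG = """\
05:48:12 198.51.100.7:40001 > 192.0.2.10:42895 S seq=1000
05:48:12 192.0.2.10:42895 > 198.51.100.7:40001 R seq=0
05:49:30 198.51.100.7:40002 > 192.0.2.10:42895 S seq=2000
05:49:30 192.0.2.10:42895 > 198.51.100.7:40002 R seq=0
05:50:37 198.51.100.7:40003 > 192.0.2.10:42895 S seq=3000
05:50:37 192.0.2.10:42895 > 198.51.100.7:40003 SA seq=7000
05:50:37 198.51.100.7:40003 > 192.0.2.10:42895 A seq=3001
05:50:41 198.51.100.7:40003 > 192.0.2.10:42895 FA seq=3001
05:50:41 192.0.2.10:42895 > 198.51.100.7:40003 FA seq=7001
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+) seq=(\d+)$")
FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def parse_header_log(text: str) -> List[PacketHeader]:
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        ts, src, sport, dst, dport, flags, seq = m.groups()
        packets.append(PacketHeader(datetime.strptime(ts, "%H:%M:%S").time(),
                                    src, int(sport), dst, int(dport), flags, int(seq)))
    return packets


def flow_key(p: PacketHeader) -> FlowKey:
    """Direction-independent key: endpoints sorted, so request and reply share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def reconstruct_flows(packets: List[PacketHeader]) -> Dict[FlowKey, List[PacketHeader]]:
    """Group headers into flows by address/port pair, ordered by time (stable sort keeps
    capture order for packets within the same second)."""
    flows: Dict[FlowKey, List[PacketHeader]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def flow_state(flow: List[PacketHeader]) -> str:
    """Classify a flow from the server side's replies; the first packet is taken as the client's SYN."""
    initiator = flow[0]
    replies = [p for p in flow if p.src == initiator.dst and p.sport == initiator.dport]
    if any("R" in p.flags for p in replies):
        return "refused"
    if any(p.flags == "SA" for p in replies):
        return "completed" if any("F" in p.flags for p in replies) else "established"
    return "unanswered"


def port_timeline(packets: List[PacketHeader], host: str, port: int) -> List[Tuple[str, str]]:
    """Every reply sent from host:port, as (time, flags), in time order."""
    return [(str(p.ts), p.flags) for p in sorted(packets, key=lambda p: p.ts)
            if p.src == host and p.sport == port]


def first_listening(packets: List[PacketHeader], host: str, port: int) -> Optional[time]:
    """Moment of compromise in the slide's sense: the first SYN-ACK sent from host:port."""
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == host and p.sport == port and p.flags == "SA":
            return p.ts
    return None


if __name__ == "__main__":
    pkts = parse_header_log(RAW_LOG)
    for key, flow in reconstruct_flows(pkts).items():
        print(key, flow_state(flow))
    print("port 42895 replies:", port_timeline(pkts, HONEYPOT, 42895))
    print("first listening at:", first_listening(pkts, HONEYPOT, 42895))
```

The classification relies on the first packet of each flow being the client's SYN, which holds when the capture started before the flow; for a capture that begins mid-connection the initiator would have to be inferred from the SYN flag instead.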


Slide 37: tcpdump
Free packet analyzer that allows a computer to intercept and display packets transmitted and received over its attached network. Runs on Unix-like operating systems, and there is a port to Windows (WinDump). Uses the packet capture engine libpcap (or WinPcap). The tcpdump file format is now a standard.

Slide 38: Snort
Free open source network intrusion prevention and detection system that logs packets and analyzes traffic on IP networks. It performs protocol analysis and content searching/matching, and actively blocks or passively detects many attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts.

Slide 39: NetDetector
Continuous capture and warehousing of network packets and statistics. Alerts on signatures, traffic patterns, and statistical anomalies. Reconstructs web, email, instant messaging, FTP, Telnet, etc.

Slide 40: NetIntercept
Captures and stores LAN traffic in raw dump files using a promiscuous Ethernet card and a modified UNIX kernel. Can write directly to removable media or transfer over the network to other machines for archiving. Stream reconstruction on demand: assembles a user-defined range of packets into network connection data streams. The analysis subsystem is graphical, constructing a tree stored in an SQL database.

Slide 41: Network Forensics
Richard Baskerville
Georgia State University