Wednesday, January 11, 2012

Different log sources and ways to find security events

Log types and their usefulness

Firewall Logs:
They can help reveal connectivity patterns from the network to the outside world, serving as proof that one system connected or tried to connect to another. This is very useful for establishing the path of malware within your organization’s infrastructure – from the initial infection to the subsequent spreading of that infection. Firewall logs and network flow data can also serve as proof of a lack of connectivity: blocked connection attempts that are never followed by a successful one prove that the malware was unable to reach its “headquarters”, and sensitive data was most likely not stolen even if the malware had acquired it.

IDS and IPS Logs:
IDS and IPS devices have signatures for network malware detection, including worms, viruses, and spyware; their logs are useful for learning the impact on infected systems, as well as the number and nature of infection attempts in the user environment.

Antivirus Logs:
Antivirus logs can be incredibly helpful for detecting situations where an anti-virus tool detects the “evil presence” but fails to clean it automatically. Most major antivirus vendors' tools generate a characteristic log message in such circumstances, and that message may be your sole indication that the system is infected. These logs are also useful for detecting cases where the malware tries to damage the antivirus tool or interfere with its update mechanism, thereby preventing up-to-date virus signatures from being delivered. Whenever an anti-virus software process dies, the system creates a log record; reviewing such records can serve as an early indication of a possible incident, as well as provide key evidence later in the investigation.

Web proxy logs:
Web proxy logs can be used to detect file uploads and other outbound information transfers via the web initiated by data-stealing malware. Looking for request methods and content-types in combination with either known suspicious URLs or the user-agent (i.e. web client type) can often reveal spyware infections that are actively collecting data and channelling it out of your environment. Admittedly, well-written spyware can certainly fake the user-agent field, but it is still a useful field to include in such a query. Proxy logs may also indicate a pattern of activity where a machine shows a set of connections and data uploads in rapid sequence to many systems, suggesting malware may be the cause.
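The two proxy-log checks described above, method plus content-type plus user-agent, and rapid uploads to many hosts, as an added example that is not part of the original post. The log layout, the sample lines and the expected user-agent allowlist are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log in a simple tab-separated layout (not a vendor format):
# epoch_seconds, client_ip, method, url, status, bytes_sent, content_type, user_agent
SAMPLE_PROXY_LOG = """\
1326268800\t10.0.0.5\tGET\thttp://www.example.com/index.html\t200\t512\ttext/html\tMozilla/5.0 (Windows NT 6.1) Firefox/9.0
1326268805\t10.0.0.5\tPOST\thttp://203.0.113.9/up.php\t200\t40960\tapplication/octet-stream\tMozilla/4.0 (compatible; MSIE 6.0)
1326268812\t10.0.0.5\tPOST\thttp://203.0.113.10/up.php\t200\t38912\tapplication/octet-stream\tMozilla/4.0 (compatible; MSIE 6.0)
1326268819\t10.0.0.5\tPUT\thttp://203.0.113.11/data\t200\t41000\tapplication/octet-stream\tMozilla/4.0 (compatible; MSIE 6.0)
1326268900\t10.0.0.6\tPOST\thttp://intranet.example.com/form\t200\t1024\tapplication/x-www-form-urlencoded\tMozilla/5.0 (Windows NT 6.1) Firefox/9.0
"""
FIELDS = ("ts", "client", "method", "url", "status", "bytes", "content_type", "user_agent")
UPLOAD_METHODS = {"POST", "PUT"}
# Hypothetical allowlist: the browser build the organisation actually deploys.
EXPECTED_UA = re.compile(r"Firefox/9\.0")
BINARY_TYPES = {"application/octet-stream"}

def parse(log_text):
    """Turn the tab-separated lines into dicts with numeric ts/bytes."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split("\t")))
            rec["ts"], rec["bytes"] = int(rec["ts"]), int(rec["bytes"])
            records.append(rec)
    return records

def suspicious_uploads(records):
    """Outbound transfers with a binary body or a user-agent we do not deploy."""
    return [r for r in records if r["method"] in UPLOAD_METHODS and
            (r["content_type"] in BINARY_TYPES or not EXPECTED_UA.search(r["user_agent"]))]

def upload_fanout(records, window=60, min_hosts=3):
    """Clients that uploaded to at least min_hosts distinct hosts inside `window` seconds."""
    by_client = defaultdict(list)
    for r in records:
        if r["method"] in UPLOAD_METHODS:
            by_client[r["client"]].append((r["ts"], urlparse(r["url"]).hostname))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[client] = hosts
                break
    return flagged
```

Both checks deliberately ignore the GET traffic; a spoofed user-agent would slip past the allowlist test but still show up in the fan-out count.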

Operating System logs:
Operating system logs are also useful for malware tracking since modern operating systems record software updates and process terminations – and both can be performed by malicious software. Even simply logging application launches with process names allows us to match those names against known lists of malware applications, sometimes with surprising and scary results.

Typical log locations:
Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats

What to look for on Windows logs
(The event IDs below are the ones used by Windows 2000, XP and Server 2003; Windows Vista, Server 2008 and later use the 4xxx series, e.g. 4624 for a successful logon and 4625 for a failed one.)
User logon/logoff events
Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes
Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes
To self: 628; to others: 627
Service started or stopped
7035, 7036
Object access denied (if auditing enabled)
560, 567

What to look for on Linux logs

Successful user login
“Accepted password”,
“Accepted publickey”,
“session opened”
Failed user login
“authentication failure”,
“failed password”
User log-off
“session closed”
User account change or deletion
“password changed”,
“new user”,
“delete user”
Sudo actions
“sudo: … COMMAND=…”
Service failure
“failed” or “failure”
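A small classifier that applies the Linux message fragments listed above to auth.log lines and counts failed logins per source address, as an added example that is not part of the original post. The log lines are constructed for illustration; the category names are my own.

```python
import re
from collections import Counter

# Constructed auth.log lines (not from a real system) exercising the
# message fragments listed above.
SAMPLE_AUTH_LOG = """\
Jan 11 08:01:02 host sshd[2101]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Jan 11 08:01:02 host sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 11 08:02:10 host sshd[2130]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
Jan 11 08:02:11 host sshd[2130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Jan 11 08:02:12 host sshd[2131]: Failed password for invalid user admin from 203.0.113.9 port 40212 ssh2
Jan 11 08:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 11 08:04:00 host useradd[2200]: new user: name=svc, UID=1002, GID=1002, home=/home/svc, shell=/bin/bash
Jan 11 08:05:00 host passwd[2210]: pam_unix(passwd:chauthtok): password changed for svc
Jan 11 08:06:00 host sshd[2101]: pam_unix(sshd:session): session closed for user alice
Jan 11 08:07:00 host userdel[2220]: delete user 'svc'
"""

# (category, pattern) pairs checked in order; the first hit wins, so the
# specific "failed password" rule runs before the generic "failed/failure" one.
PATTERNS = [
    ("login_success",   re.compile(r"Accepted (password|publickey)|session opened", re.I)),
    ("login_failed",    re.compile(r"authentication failure|failed password", re.I)),
    ("logoff",          re.compile(r"session closed", re.I)),
    ("account_change",  re.compile(r"password changed|new user|delete user", re.I)),
    ("sudo",            re.compile(r"sudo:.*COMMAND=", re.I)),
    ("service_failure", re.compile(r"\bfail(ed|ure)\b", re.I)),
]
SOURCE_RE = re.compile(r"(?:from|rhost=)\s*([0-9.]+)")

def classify(line):
    """Return the event category for one log line, or 'other'."""
    for category, rx in PATTERNS:
        if rx.search(line):
            return category
    return "other"

def summarize(log_text):
    """Count events per category over a block of log text."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

def failed_logins_by_source(log_text):
    """Failed logins per source address: a spike from one host suggests guessing."""
    sources = Counter()
    for line in log_text.splitlines():
        if classify(line) == "login_failed":
            m = SOURCE_RE.search(line)
            sources[m.group(1) if m else "unknown"] += 1
    return sources
```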

What to Look for on Network Devices

Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
Traffic allowed on firewall
“Built … connection”,
“access-list … permitted”
Traffic blocked on firewall
“access-list … denied”,
“deny inbound”,
“Deny … by”
Bytes transferred (large files?)
“Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage
“limit … exceeded”,
“CPU utilization”
Detected attack activity
“attack from”
User account changes
“user added”,
“user deleted”,
“User priv level changed”
Administrator access
“AAA user …”,
“User … locked out”,
“login failed”
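The two firewall checks above, bytes transferred in "Teardown" messages and blocked traffic in "Deny"/"access-list ... denied" messages, as an added example that is not part of the original post. The lines are constructed in the style of Cisco ASA syslog messages, not captured from a device, and the threshold is an arbitrary illustration.

```python
import re
from collections import Counter

# Constructed lines in the style of Cisco ASA syslog messages (not captured
# from a real device): a Built/Teardown pair, a second short connection,
# and three blocked outbound attempts to the same external host.
SAMPLE_ASA_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/51234 (192.0.2.1/51234)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.9/443 to inside:10.0.0.5/51234 duration 0:02:15 bytes 52428800 TCP FINs
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.20/80 to inside:10.0.0.7/51300 duration 0:00:03 bytes 8120 TCP FINs
%ASA-4-106023: Deny tcp src inside:10.0.0.5/51235 dst outside:198.51.100.7/6667 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106100: access-list inside_in denied tcp inside/10.0.0.5(51236) -> outside/198.51.100.7(6667) hit-cnt 1 first hit
%ASA-4-106023: Deny tcp src inside:10.0.0.9/40000 dst outside:198.51.100.7/6667 by access-group "inside_in" [0x0, 0x0]
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<a_if>\w+):(?P<a_host>[\d.]+)/\d+ to (?P<b_if>\w+):(?P<b_host>[\d.]+)/\d+ "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)")
# Covers both the 106023 "Deny ... src" and 106100 "access-list ... denied" forms.
DENY_RE = re.compile(r"(?:Deny \w+ src \w+:|denied \w+ \w+/)(?P<src>[\d.]+)")

def parse_teardown(line):
    """Extract connection id, both endpoints (keyed by interface), duration in seconds and bytes."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"conn_id": int(m["conn_id"]),
            m["a_if"]: m["a_host"], m["b_if"]: m["b_host"],
            "duration": secs, "bytes": int(m["bytes"])}

def large_transfers(log_text, threshold):
    """Teardown records whose byte count meets the threshold (possible bulk transfer)."""
    records = (parse_teardown(l) for l in log_text.splitlines())
    return [r for r in records if r and r["bytes"] >= threshold]

def denied_by_source(log_text):
    """Blocked connections per internal source: repeated denies with no later
    'Built' to the same host are the lack-of-connectivity evidence described above."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            hits[m["src"]] += 1
    return hits
```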

What to Look for on Web Servers

Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Status code 200 returned for files that are not yours
Failed user authentication
Error code 401, 403
Invalid request
Error code 400
Internal server error
Error code 500