Introduction to Log File Analysis – SANS GIAC LevelTwo
©2001
Introduction to Logfile Analysis
Guy Bruneau, GCIA
Part 1
This module is designed to provide an introduction to various types of
security logging software and how to interpret their content.
Greetings! I am Guy Bruneau. Today's talk will be on “Introduction to Logfile Analysis”. I would
like to thank the SANS Institute for this opportunity to share some of my experience and knowledge
in this sometimes difficult area.
This course is divided into two modules. The first module covers a variety of security logs to help you recognize each format and the tool that generated it.
In the second module, we work through a case that stresses the importance of data correlation in piecing together the intent of a probe. It is accompanied by 3 practical exercises.
I am currently the Intrusion Detection System Engineering Coordinator at the Canadian Department
of National Defense’s Computer Incident Response Team (DND CIRT). I have experience in UNIX
security, Computer Network Intrusion Detection, Network Security Auditing, Incident Response and
Reporting, Anti-virus Support and firsthand knowledge of using and tailoring Cisco Secure IDS,
SNORT, Shadow and RealSecure.
Copyright Guy Bruneau, 2000-2001. All rights reserved.
Outline
• References
• Objectives
• What is Log Analysis?
• Log Examples
• Review
• Software links
These are the things we’re going to cover. In essence, we’re going to cover a series of tools and how each of them logs the traffic it observes.
If you work within a Computer Incident Response Team or as an Intrusion Detection analyst, it is very important to understand the logs you are working with. They are the key to solving the puzzle.
References (1)
• Book
– W. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison Wesley, 1994.
• Trojan Ports Lists
– (links not preserved in this copy)
References (2)
• IANA Assigned Ports
– (link not preserved in this copy)
• IANA Protocol Numbers
– (link not preserved in this copy)
• Name Space Information
– (link not preserved in this copy)
Objectives
Provides the student with sufficient information to be able to recognize suspicious events such as port scans, network probes, AUP violations, etc.
The objective of this course is to provide future analysts with enough information to recognize a wide range of security logs, so that they can detect suspicious events, investigate abnormal traffic and take appropriate action when necessary.
As an example, the following may be used to categorize events:
- Privilege access (System compromised and root access obtained)
- Limited access (System compromised with a user account)
- Reconnaissance (Network or host mapping, OS fingerprinting, etc)
- Stealth reconnaissance (FIN, SYN/FIN, inverse mapping, etc)
- Denial of Service (Fragments, ICMP flood, SYN flood, etc)
- Distributed Denial of Service (ICMP flood)
- AUP (acceptable use policy) violation
What is Log Analysis?
It is an active or continuous attempt to detect intrusive activities.
One of the most important “weapons” an Intrusion Detection or an Incident Handling analyst has is
the ability to correctly identify, recognize and analyze suspicious events within the security logs they
use on a daily basis.
This includes working with router logs, firewall logs, Intrusion Detection Systems logs and a variety
of miscellaneous logs.
Each tool has its strengths and weaknesses.
Cisco Router Log
Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:47 [192.168.50.32] 508472: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2570) -> 192.168.1.1(3), 1 packet
Oct 15 22:21:51 [192.168.50.32] 508474: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:21:53 [192.168.50.32] 508475: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
One of the primary purposes of an internetwork is to increase productivity by linking computers and
computer networks so people have easy access to information, regardless of differences in time,
place or type of computer system.
One tool that accomplishes this task is a router, in this case a Cisco router. Access control lists (ACLs) are powerful tools for network control: they add the flexibility to filter the packet flow into or out of router interfaces. Such control can help limit network traffic and restrict network use by certain users or devices. Reviewing the router logs often provides valuable information on traffic that has been denied entry into your network.
- Standard access lists (1 to 99) check the source IP address.
- Extended access lists (100 to 199) check the source and destination IP addresses, specific protocols, and TCP and UDP port numbers (Cisco IOS version 11.2).
- Standard IPX access lists (800 to 899)
- Extended access lists (900 to 999)
- SAP filters use 1000 to 1099 with Cisco IOS version 11.2F and later.
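The eight router lines above are easier to judge when they are reduced to "which source reached for which ports". The Python below is an added example, not code from the course or from Cisco: it parses %SEC-6-IPACCESSLOGP lines in the layout shown on the slide (syslog timestamp, relay address in brackets, IOS sequence number, then the message), aggregates the denied traffic per source, and labels a source that touched several distinct destination ports as reconnaissance, the course's category for port scans. The sample log is the slide's own lines re-joined onto single lines; the function names and the min_ports threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the eight %SEC-6-IPACCESSLOGP lines from the slide,
# re-joined onto single lines as syslog would deliver them.
SAMPLE_LOG = """\
Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:47 [192.168.50.32] 508472: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2570) -> 192.168.1.1(3), 1 packet
Oct 15 22:21:51 [192.168.50.32] 508474: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:21:53 [192.168.50.32] 508475: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(161), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(119), 1 packet
"""

# Field layout as it appears on the slide: syslog timestamp, the address the
# message was received from, the IOS sequence number, then the message body.
ACL_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \[(?P<relay>[^\]]+)\] (?P<seq>\d+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_acl_log(text):
    """Return one dict per matching line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_by_source(records):
    """Aggregate denied traffic per source: the distinct destination ports it
    reached for, the distinct destination hosts, and the packet total."""
    summary = defaultdict(lambda: {"ports": set(), "hosts": set(), "packets": 0})
    for r in records:
        if r["action"] != "denied":
            continue
        s = summary[r["src"]]
        s["ports"].add(r["dport"])
        s["hosts"].add(r["dst"])
        s["packets"] += r["count"]
    return {src: {"ports": sorted(s["ports"]),
                  "hosts": sorted(s["hosts"]),
                  "packets": s["packets"]}
            for src, s in summary.items()}


def classify(summary, min_ports=3):
    """Label a source 'reconnaissance' (the course's category for port scans)
    when it probed several different ports. The threshold is an assumption
    for this example, not a value the course prescribes."""
    return {src: ("reconnaissance" if len(s["ports"]) >= min_ports else "single-port")
            for src, s in summary.items()}


if __name__ == "__main__":
    summary = summarize_by_source(parse_acl_log(SAMPLE_LOG))
    verdicts = classify(summary)
    for src, s in summary.items():
        print(src, s, verdicts[src])
```

Run against the slide's lines, the single source 10.90.24.12 collapses to four distinct ports (3, 111, 119, 161) on one host, which is the vertical-scan pattern the course asks you to recognize.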
Cisco ACL
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
ip access-group 101 out
Command                 Description
101                     Access list number; indicates an extended IP access list
deny                    Traffic that matches the selected parameters will not be forwarded
tcp                     Transport-layer protocol
172.16.4.0 0.0.0.255    Source IP address and mask; the first three octets must match but the last octet will be ignored. The netmask must be read backward.
any                     Match any destination IP address
eq 23                   Specifies the well-known port number for Telnet
permit                  Traffic that matches the selected parameters will be forwarded
ip                      Any IP protocol
any                     Keyword matching traffic from any source
any                     Keyword matching traffic to any destination
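The "read backward" wildcard mask and the implicit deny at the end of the list are the two things analysts most often get wrong when they predict what a log will show. The Python below is an added example, not course material or Cisco code: it parses the access-list 101 lines from the slide, applies each entry top-down to a described packet with a wildcard-mask comparison (a 0 bit must match, a 1 bit is ignored), and falls through to the implicit deny when nothing matches. Only the address forms and the "eq <port>" operator that appear on the slide are handled; the function names and the sample packets are assumptions.

```python
# Constructed input: the access-list 101 lines from the slide.
ACL_TEXT = """\
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
"""

# 'any' is address 0.0.0.0 with an all-ones wildcard (every bit ignored).
ANY = ("0.0.0.0", "255.255.255.255")


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard masks are the inverse of a netmask: a 0 bit means the
    bit must match, a 1 bit means it is ignored (hence 'read backward').
    0.0.0.255 therefore fixes the first three octets and ignores the last."""
    ignore = ip_to_int(wildcard)
    return (ip_to_int(addr) | ignore) == (ip_to_int(base) | ignore)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into dicts,
    preserving their order, which is what the router evaluates them in."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, proto = tok[1], tok[2], tok[3]
        src, rest = _take_address(tok[4:])
        dst, rest = _take_address(rest)
        # Only the 'eq <port>' operator after the destination is handled here;
        # other operators (gt, lt, range, established) are outside the slide.
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append({"number": number, "action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, proto, src, dst, dport):
    """Walk the list top-down and return (action, 1-based line number) for the
    first match; no match means the implicit deny at the end of every ACL,
    reported as ('deny', None)."""
    for n, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not wildcard_match(src, *e["src"]) or not wildcard_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed packets: FTP control, Telnet to an outside host, and HTTP.
    for pkt in [("tcp", "172.16.4.7", "172.16.3.9", 21),
                ("tcp", "172.16.4.7", "10.0.0.1", 23),
                ("tcp", "172.16.4.7", "172.16.3.9", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Dropping the final "permit ip any any" from the parsed entries shows the implicit deny in action: a packet that matches none of the remaining three lines is denied with no line number, which is why such drops never show up with a rule reference in the log.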
Firewall Logs
ConSeal Firewall
2000/01/04 1:50:03 AM GMT -0500: AcerLAN ALN-325 1..[0000][No matching rule] Blocking incoming TCP: src=192.168.6.3 dst=192.168.21.101, sport=10673, dport=111.
2000/01/04 4:58:21 AM GMT -0500: AcerLAN ALN-325 1..[0000][No matching rule] Blocking incoming UDP: src=192.168.70.205, dst=192.168.21.101, sport=31790, dport=31789.
2000/01/04 5:04:16 AM GMT -0500: AcerLAN ALN-325 1..[0000][No matching rule] Blocking incoming TCP: src=192.168.65.167, dst=192.168.21.101, sport=2760, dport=27374.
Linux’s IpChains
Dec 23 12:02:12 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.133.44:1024 192.168.133.255:111 L=132 S=0x00 I=20 F=0x0000 T=64 (#40)
Dec 23 15:33:35 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.122.56:31790 192.168.11.43:31789 L=29 S=0x00 I=29147 F=0x0000 T=123 (#56)
Dec 25 16:10:42 @home kernel: Packet log: inp DENY eth0 PROTO=6 192.168.24.225:2732 192.168.11.43:1243 L=48 S=0x00 I=42508 F=0x4000 T=116 SYN (#45)
The first sample is from McAfee’s Personal Firewall and is a filtered probe sent to ports 111 (RPC
services), 31789 (Hack’a’Tack) and 27374 (SubSeven 2.1) all from the same source. At the time of
this detect (Jan 2000), RPC services were heavily exploited by hackers to gain access to UNIX
servers.
The second sample is from Linux’s IPChains and is a firewall filtered probe sent to ports 111 (RPC
services), 31789 (Hack’a’Tack) and 1243 (SubSeven). The same applies here on the RPC services
exploits (Dec 1999).
A description of the Linux firewall log breakdown is available on the next slide.
Linux Firewall
Field             Example               Description
Date & Time       Jun 1 11:11:49        Date and time that the packet was logged.
Hostname          Mail                  The hostname of the computer.
Syslog Facility   kernel: Packet log:   The syslog facility at which the event was logged; should always be ‘kernel’. ‘Packet log:’ is appended for clarity’s sake and can be used when searching the logs.
Chain Name        input                 The chain to which the rule is attached. Possible values are: input, output and forward.
Action Taken      REJECT                How the packet was handled. Possible values are: ACCEPT, REJECT, DENY, MASQ, REDIRECT and RETURN.
Interface         eth0                  The network interface on which the packet was detected.
Protocol #        PROTO=17              The protocol of the packet. Common values are: 1 (ICMP), 6 (TCP) and 17 (UDP). ICMP traffic is also displayed with the ICMP code.
Source            10.100.1.228:57048    The source IP address and port number of the packet.
Destination       192.168.1.211:137     The destination IP address and port number of the packet.
Length            L=78                  The total length of the packet.
TOS               S=0x00                The ‘Type of Service’ value from the packet.
ID                I=53412               Either the packet ID or the segment that the TCP fragment belongs to.
Fragment Offset   F=0x0000              If the packet is part of a fragment, this field contains the fragment offset.
TTL               T=108                 The time-to-live value from the packet.
Rule #            (#3)                  The rule number that logged this entry.
This IPChains chart is to be used with the previous slide; it describes the fields of an ipchains firewall log entry.
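To tie the chart to the Linux lines on the previous slide, here is an added Python example (not from the course or from the ipchains project) that parses TCP/UDP "Packet log:" lines into the chart's fields, decodes the F= word into Don't-Fragment, More-Fragments and offset (F=0x4000 on the third line is the DF bit set, offset zero), and annotates destination ports the course names (111, 1243, 27374, 31789). ICMP lines, which the chart says carry an ICMP code instead of ports, are not handled and are skipped. The sample log is the slide's three lines re-joined; the function names and the describe() wording are assumptions.

```python
import re

# Constructed sample: the three ipchains lines from the Linux firewall slide,
# re-joined onto single lines.
SAMPLE_LOG = """\
Dec 23 12:02:12 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.133.44:1024 192.168.133.255:111 L=132 S=0x00 I=20 F=0x0000 T=64 (#40)
Dec 23 15:33:35 @home kernel: Packet log: inp DENY eth0 PROTO=17 192.168.122.56:31790 192.168.11.43:31789 L=29 S=0x00 I=29147 F=0x0000 T=123 (#56)
Dec 25 16:10:42 @home kernel: Packet log: inp DENY eth0 PROTO=6 192.168.24.225:2732 192.168.11.43:1243 L=48 S=0x00 I=42508 F=0x4000 T=116 SYN (#45)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Port annotations taken from the course text: the trojan ports it names
# plus the RPC portmapper it describes as heavily exploited at the time.
NOTABLE_PORTS = {111: "RPC portmapper", 1243: "SubSeven",
                 27374: "SubSeven 2.1", 31789: "Hack'a'Tack"}

# One group per chart field; trailing TCP flags (e.g. SYN) are optional.
IPCHAINS = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)

# Bits of the IP header flags/fragment-offset word that F= prints in hex.
IP_DF = 0x4000          # Don't Fragment
IP_MF = 0x2000          # More Fragments
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset (in 8-byte units)


def parse_ipchains(text):
    """Parse TCP/UDP 'Packet log:' lines into dicts keyed by the chart's
    fields. ICMP lines use a different tail and are skipped here."""
    records = []
    for line in text.splitlines():
        m = IPCHAINS.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "len", "id", "ttl", "rule"):
            r[k] = int(r[k])
        r["proto"] = int(r["proto"])
        r["proto_name"] = PROTO_NAMES.get(r["proto"], str(r["proto"]))
        r["tos"] = int(r["tos"], 16)
        frag = int(r["frag"], 16)
        r["df"] = bool(frag & IP_DF)
        r["mf"] = bool(frag & IP_MF)
        r["frag_offset"] = frag & IP_OFFSET_MASK
        r["flags"] = r["flags"].split()
        records.append(r)
    return records


def describe(record):
    """One-line analyst summary that names the destination port when the
    course lists it as a trojan port or commonly exploited service."""
    note = NOTABLE_PORTS.get(record["dport"])
    target = f"{record['dst']}:{record['dport']}" + (f" ({note})" if note else "")
    flags = " ".join(record["flags"]) or "-"
    return (f"{record['action']} {record['proto_name']} {record['src']}:{record['sport']} "
            f"-> {target} ttl={record['ttl']} df={record['df']} flags={flags} "
            f"rule=#{record['rule']}")


if __name__ == "__main__":
    for rec in parse_ipchains(SAMPLE_LOG):
        print(describe(rec))
```

The second line (UDP to 31789, Hack'a'Tack) and the third (TCP SYN to 1243, SubSeven) are exactly the trojan probes the course text calls out, so a summary like this lets an analyst spot them without memorizing the port list.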
Firewall logs
ZoneAlarm Pro (Windows 9x/NT)
ZoneAlarm Basic Logging Client v2.1.3
Windows NT-4.0.1381-Service Pack 5-SP
type date time source destination transport
FWIN 2000/04/28 09:48:24 -5:00 GMT 192.168.120.24:1364 192.168.209.246:161 UDP
FWIN 2000/04/28 10:02:34 -5:00 GMT 192.168.120.24:0 192.168.209.246:0 ICMP
FWIN 2000/04/28 10:33:44 -5:00 GMT 192.168.1.150:0 192.168.209.246:0 ICMP
PE 2000/04/28 11:03:35 -5:00 GMT Telnet Program 10.0.0.120:10023
PE 2000/04/28 11:04:58 -5:00 GMT Telnet Program 10.0.0.120:10023
FWIN 2000/04/28 11:05:24 -5:00 GMT 192.168.120.24:0 192.168.209.246:0 ICMP
PE 2000/04/28 11:05:29 -5:00 GMT Telnet Program 10.0.0.120:10023
PE 2000/04/28 11:06:23 -5:00 GMT Telnet Program 10.0.0.120:10023
FWIN 2000/04/28 11:12:32 -5:00 GMT 192.168.1.151:0 192.168.209.246:0 ICMP
FWIN 2000/04/28 11:37:50 -5:00 GMT 192.168.1.150:0 192.168.209.246:0 ICMP
This program combines the safety of a dynamic firewall with total control over applications' Internet
use. ZoneAlarm Pro claims to give rock-solid protection against thieves and vandals.
According to the vendor, Version 2.1 of ZoneAlarm Pro now features MailSafe to stop email-borne
Visual Basic Script worms, like the "I Love You" virus, "dead-in-its-tracks", thwarting its spread,
and preventing it from wreaking havoc on a PC.
In this slide, IP 192.168.120.24 is a Solaris workstation running HP OpenView, which uses the Simple Network Management Protocol (SNMP, UDP port 161) and sends a ping (ICMP) to every device on the network. With this information, the traffic is considered normal activity.
However, since the IP is constantly probing the network, this may also be considered suspicious activity, and therefore requires an investigation.
3Com OfficeConnect Internet Firewall 25
UTC 11/22/2000 04:04:13.128 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7
UTC 11/22/2000 04:04:14.000 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7
This firewall provides network security for up to 25 users on a local area network (LAN). 3COM
claims it can prevent unauthorized access and denial-of-service (DoS) attacks such as Ping of Death,
SYN Flood, IP Spoofing, etc.
More information available at: (link not preserved in this copy)
IPfilter firewall
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 rl0 @0:1 p 10.245.45.90 -> my-fw PR icmp len 20 29 icmp 13/0 IN
Field                           Example
Date/time group                 Aug 15 10:11:49
Host name                       quasi-evil
Firewall type/process ID        ipmon[28775]
Timestamp                       10:11:49.129790
Interface                       rl0
Rule designator that “fired”    @0:1
Permit/block rule               p
Source IP                       10.245.45.90
Destination IP                  my-fw
Protocol identifier             PR (PSH & RST)
Protocol-specific info          icmp len 20 29 icmp 13/0
Traffic flow                    IN
This firewall is used with OpenBSD and FreeBSD Unix systems and is freely available under the
GNU license. Its capabilities are the same as other free firewalls (ipfwadm, ipchains, ipfw).
More information available at: (link not preserved in this copy)
Gauntlet Firewall
Oct 24 08:47:16 server kernel: securityalert: tcp if=ef0 from 10.60.255.46:1720 to 10.4.12.99 on unserved port 27374
Oct 24 11:45:05 server kernel: securityalert: tcp if=ef0 from 192.168.146.16:3626 to 10.4.12.99 on unserved port 20139
Oct 24 11:48:53 server kernel: securityalert: udp if=ef0 from 10.9.6.53:61036 to 10.4.12.99 on unserved port 137
Oct 24 17:40:49 server kernel: securityalert: tcp if=ef0 from 10.7.28.13:9704 to 10.4.12.99 on unserved port 9704
Gauntlet Firewall lets you selectively decide what gets into and out of the network. It can guard one or many doors and is suited to small, medium or large networks.
A keyword to look for with this firewall is securityalert, which is always associated with Gauntlet.
More information available at: (link not preserved in this copy)
SonicWall SOHO Firewall
11/01/2000 23:56:30.208 - Sub Seven Attack Dropped - Source:10.21.187.87, 4426, WAN - Destination:10.110.193.10, 1243, LAN -
11/01/2000 23:56:30.768 - Sub Seven Attack Dropped - Source:10.21.187.87, 4426, WAN - Destination:10.110.193.10, 1243, LAN -
11/02/2000 00:09:34.592 - Sub Seven Attack Dropped - Source:10.21.187.87, 2012, WAN - Destination:10.110.193.10, 1243, LAN -
11/02/2000 00:09:35.144 - Sub Seven Attack Dropped - Source:10.21.187.87, 2012, WAN - Destination:10.110.193.10, 1243, LAN -
SonicWALL SOHO2 offers an Internet security solution for small offices and for people with limited network experience. SonicWALL offers a firewall, network anti-virus, virtual private networking (VPN), strong authentication using digital certificates, and content filtering.
SonicWall SOHO shows the filtering rule that raised the alert right after the date/time group (“Sub Seven Attack Dropped -”).
More information available at: (link not preserved in this copy)
Cisco PIX Firewall
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-2-106001: Inbound TCP connection denied from 12.20.64.120/10101 to cidr.addr.pool.98/111 flags SYN on interface outside
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.101/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.102/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.103/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.108/111
The Cisco Secure PIX Firewall is a dedicated firewall appliance enforcing secure access between an internal network and Internet, extranet or intranet links.
One recognizable feature of its logs is the %PIX tag, which indicates that the message comes from a Cisco PIX firewall.
More information available at:
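The %PIX tag carries more than the product name: the digit after it is the Cisco syslog severity (the slide shows a level-2 critical message followed by level-7 debugging messages), and the six-digit number is the message ID that fixes the wording of the rest of the line. The Python below is an added example, not code from the course or from Cisco: it splits each line into that header and body, pulls the endpoints out of the two message formats on the slide (106001 "from A/p to B/q" and 106011 "src outside:A/p dst outside:B/q"), and then looks for one source hitting the same port on several hosts, the horizontal sweep across the address pool that these five lines show. The sample log is the slide's lines re-joined (the "internal.firewall.ip.addr" and "cidr.addr.pool.N" tokens are the slide's own address placeholders); the function names and the min_hosts threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the five PIX lines from the slide, re-joined onto single
# lines. The dotted-name tokens are the slide's placeholders for real addresses.
SAMPLE_LOG = """\
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-2-106001: Inbound TCP connection denied from 12.20.64.120/10101 to cidr.addr.pool.98/111 flags SYN on interface outside
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.101/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.102/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.103/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.108/111
"""

# Cisco syslog severity levels (0 is the most severe).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %PIX-<severity>-<message id>: the tag that identifies a PIX log line.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \[(?P<fw>[^\]]+)\] "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Endpoints appear as 'from A/p to B/q' (106001) or
# 'src outside:A/p dst outside:B/q' (106011); both forms are captured here.
ENDPOINTS = re.compile(
    r"(?:from |src \w+:)(?P<src>[^\s/]+)/(?P<sport>\d+) "
    r"(?:to |dst \w+:)(?P<dst>[^\s/]+)/(?P<dport>\d+)"
)


def parse_pix(text):
    """Return one dict per PIX line with the severity decoded and, where the
    message body carries them, the source/destination endpoints."""
    records = []
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if not h:
            continue
        r = h.groupdict()
        r["sev"] = int(r["sev"])
        r["severity"] = SEVERITY[r["sev"]]
        e = ENDPOINTS.search(r["text"])
        if e:
            r.update(e.groupdict())
            r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        records.append(r)
    return records


def horizontal_scans(records, min_hosts=3):
    """Find sources that reached for the same destination port on several
    different hosts (one service swept across an address range). Returns a
    sorted list of (src, dport, host_count); the threshold is an assumption."""
    seen = defaultdict(set)
    for r in records:
        if "dst" in r:
            seen[(r["src"], r["dport"])].add(r["dst"])
    return sorted((src, port, len(hosts))
                  for (src, port), hosts in seen.items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    recs = parse_pix(SAMPLE_LOG)
    for r in recs:
        print(r["msgid"], r["severity"], r.get("src"), "->", r.get("dst"), r.get("dport"))
    print(horizontal_scans(recs))
```

Note the contrast with the Cisco router slide earlier in the module: there one source walked several ports on a single host, while here one source tries a single port (111, RPC) across five addresses, so the same parse-then-aggregate approach has to group by destination host as well as by port to tell the two patterns apart.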