Thank You
Topic - Log Analysis
* Not a log analysis of a hacked server
References
Security Metrics – Replacing FUD
* Diversion ahead
Good Metrics -
- Consistently Measured
- Cheap to Gather
- Expressed as a number / percentage
- Expressed using one unit of measure
- Contextually specific – avoid So What ?
Bad Metrics -
- Inconsistently Measured / Varies from person to person
- Cannot be Gathered cheaply
- Does not express results with numbers
e.g. - ratings and grades
Log – Record of all the activities in an Application / Server or a Process
Log Analysis – Extracting information from the logs
Pre-Requisites of Log Analysis
- Logging should be enabled
- Correct Time to be recorded in the logs
- Data should not be corrupted
- Known / Intuitive Log format
- Patience
- Caution
Common Log Format
Host Ident Authuser [Date] Request Status Bytes
127.0.0.1 - - [14/Oct/2010:15:41:45 +0530] "GET /announce?info_hash=%9E%F7E%21m0%C3%BB%C8%17%AC%CF%C7K%CCO%85L%B7S&peer_id=-AZ4510-jsyzmsekckgz&supportcrypto=1&port=14523&azudp=14523&uploaded=0&downloaded=0&left=144067607&corrupt=0&event=started&numwant=34&no_peer_id=1&compact=1&key=R34XtNXz&azver=3 HTTP/1.1" 404 300 "-" "Azureus 4.5.1.0;Linux;Java 1.6.0_18"
(The last two fields make it the Combined Log Format.)
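The following parser is an added example, not part of the deck. It reads the line above (rejoined onto one line) and a second, constructed Combined Log Format line, and it handles the two things a quick split-on-spaces misses: the Request field contains spaces, and Apache escapes a literal quote inside a quoted field as \", so a user-supplied User-Agent or Referer cannot break the parser out of its field. It also computes one metric of the kind the Good Metrics slide asks for: the percentage of requests answered with a 4xx/5xx status. The second sample line, its host, user and agent are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample input. The first line is the deck's own Common Log Format
# example (a BitTorrent tracker announce that the server answered with 404); the
# second is a Combined Log Format line constructed here, with an authenticated
# user, a "-" byte count and an escaped quote inside the User-Agent.
SAMPLE_LINES = [
    '127.0.0.1 - - [14/Oct/2010:15:41:45 +0530] "GET /announce?info_hash='
    '%9E%F7E%21m0%C3%BB%C8%17%AC%CF%C7K%CCO%85L%B7S&peer_id=-AZ4510-jsyzmsekckgz'
    '&supportcrypto=1&port=14523&azudp=14523&uploaded=0&downloaded=0&left=144067607'
    '&corrupt=0&event=started&numwant=34&no_peer_id=1&compact=1&key=R34XtNXz&azver=3'
    ' HTTP/1.1" 404 300 "-" "Azureus 4.5.1.0;Linux;Java 1.6.0_18"',
    '10.0.0.5 - alice [14/Oct/2010:15:42:01 +0530] "POST /login HTTP/1.1" 302 - '
    '"http://example.test/" "Mozilla/5.0 \\"quoted\\""',
]

# A quoted field: anything but a quote or backslash, or a backslash-escaped char.
# Apache writes a literal " inside Request/Referer/User-Agent as \", so splitting
# on quote characters alone would mis-parse (or be tricked by) such values.
Q = r'(?:[^"\\]|\\.)*'
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>' + Q + r')" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>' + Q + r')" "(?P<agent>' + Q + r')")?\s*$'
)


def unescape(value):
    """Undo Apache's backslash escaping inside a quoted field."""
    return None if value is None else re.sub(r'\\(.)', r'\1', value)


def parse_clf(line):
    """Parse one Common or Combined Log Format line into typed fields.

    Returns None for a line that does not match, so callers can count rejects
    instead of silently skipping them: a sudden rise in rejects usually means
    the log format changed or the file is corrupted.
    """
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["timestamp"] = datetime.strptime(rec.pop("date"), "%d/%b/%Y:%H:%M:%S %z")
    rec["referer"] = unescape(rec["referer"])
    rec["agent"] = unescape(rec["agent"])
    rec["format"] = "combined" if rec["agent"] is not None else "common"
    # The request field is "METHOD PATH PROTOCOL"; a malformed request line
    # (for example a raw TLS hello sent to a plaintext port) may have fewer parts.
    parts = unescape(rec.pop("request")).split(" ")
    rec["method"], rec["path"], rec["protocol"] = (parts + [None, None, None])[:3]
    return rec


def error_rate(lines):
    """Percentage of parsed requests with a 4xx/5xx status: a metric that is
    consistently measured, cheap to gather and expressed as one number."""
    parsed = [r for r in map(parse_clf, lines) if r is not None]
    if not parsed:
        return 0.0
    errors = sum(1 for r in parsed if r["status"] >= 400)
    return round(100.0 * errors / len(parsed), 2)


if __name__ == "__main__":
    for rec in map(parse_clf, SAMPLE_LINES):
        print(rec["timestamp"].isoformat(), rec["host"], rec["method"],
              rec["status"], rec["bytes"], rec["format"])
    print("error rate:", error_rate(SAMPLE_LINES), "%")
```

The same regex serves both formats because the Referer and User-Agent pair is optional; `format` records which one a line was, which is worth tracking when a server farm is supposed to log uniformly.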
Extended W3C Log Format
#Software: Microsoft Internet Security and Acceleration Server 2004
#Version: 2.0
#Date: 2009-10-28 00:00:01
#Fields: computer date time IP protocol source destination original client IP source network destination network action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received intermediate connection time connection time intermediate username agent session ID connection ID
FW1 2009-10-28 00:00:01 TCP 192.9.133.33:2179 124.153.12.25:443 192.9.133.33 Internal External Establish 0x0 LAN to Internet HTTPS 0 0 0 0 - - - - 248445 7348626
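An added example (not from the deck) of parsing the W3C extended format above by its own #Fields directive, so the parser adapts when a product adds or reorders columns. It assumes the ISA Server file is tab-delimited on disk (the copy above shows only whitespace), which matters here because both a field name ("original client IP") and a value ("LAN to Internet") contain spaces; splitting on whitespace instead gives a field count that no longer matches the header, and the parser reports that rather than guessing, which also catches truncated or corrupted lines (the "data should not be corrupted" pre-requisite).

```python
import re
from datetime import datetime

# Constructed sample: the deck's ISA Server 2004 excerpt, written here with TAB
# separators between fields (assumption: ISA's W3C export is tab-delimited; the
# slide's copy shows only whitespace). Note that field names themselves contain
# spaces ("original client IP") and so does one value ("LAN to Internet").
W3C_SAMPLE = (
    "#Software: Microsoft Internet Security and Acceleration Server 2004\n"
    "#Version: 2.0\n"
    "#Date: 2009-10-28 00:00:01\n"
    "#Fields: computer\tdate\ttime\tIP protocol\tsource\tdestination\t"
    "original client IP\tsource network\tdestination network\taction\tstatus\t"
    "rule\tapplication protocol\tbytes sent\tbytes sent intermediate\t"
    "bytes received\tbytes received intermediate\tconnection time\t"
    "connection time intermediate\tusername\tagent\tsession ID\tconnection ID\n"
    "FW1\t2009-10-28\t00:00:01\tTCP\t192.9.133.33:2179\t124.153.12.25:443\t"
    "192.9.133.33\tInternal\tExternal\tEstablish\t0x0\tLAN to Internet\tHTTPS\t"
    "0\t0\t0\t0\t-\t-\t-\t-\t248445\t7348626\n"
)

# Field names that hold counters; "-" in them means "not recorded".
COUNTER_PREFIXES = ("bytes_", "connection_time")


def field_name(raw):
    """'original client IP' -> 'original_client_ip'."""
    return re.sub(r"\s+", "_", raw.strip().lower())


def coerce(rec):
    """Type the generic record: counters to int ('-' means absent), the
    date+time pair to a datetime, and 'ip:port' endpoints to separate keys."""
    for key in list(rec):
        if key.startswith(COUNTER_PREFIXES):
            rec[key] = None if rec[key] == "-" else int(rec[key])
    if "date" in rec and "time" in rec:
        rec["timestamp"] = datetime.strptime(
            rec.pop("date") + " " + rec.pop("time"), "%Y-%m-%d %H:%M:%S")
    for key in ("source", "destination"):
        if key in rec and ":" in rec[key]:
            ip, port = rec[key].rsplit(":", 1)
            rec[key + "_ip"], rec[key + "_port"] = ip, int(port)
    return rec


def parse_w3c(text, delimiter="\t"):
    """Parse a W3C extended log using its own #Fields directive as the schema.

    Returns (records, problems). A data line whose value count differs from
    the #Fields count is reported rather than guessed at, which catches both a
    truncated/corrupted file and the wrong delimiter. Pass delimiter=None to
    split on any whitespace and see that pitfall: names and values that contain
    spaces fragment, and every data line is rejected.
    """
    fields, records, problems = None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                names = raw[len("#Fields:"):].strip().split(delimiter)
                fields = [field_name(n) for n in names]
            continue  # #Software, #Version, #Date carry no per-record data
        if fields is None:
            problems.append((lineno, "data line before any #Fields directive"))
            continue
        values = raw.split(delimiter)
        if len(values) != len(fields):
            problems.append((lineno, f"expected {len(fields)} fields, got {len(values)}"))
            continue
        records.append(coerce(dict(zip(fields, values))))
    return records, problems


if __name__ == "__main__":
    recs, probs = parse_w3c(W3C_SAMPLE)
    for r in recs:
        print(r["timestamp"], r["action"], r["rule"], r["source_ip"], "->", r["destination"])
    print("whitespace split:", parse_w3c(W3C_SAMPLE, delimiter=None)[1])
```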
Squid Log Format
Native access.log
Time Duration ClientIp ResultCodes Bytes RequestMethod URL Ident Hierarchy Type
1286536314.464 475 192.168.0.188 TCP_MISS/200 627 GET http://api.bing.com/qsml.aspx? - DIRECT/122.160.242.136 text/xml
1286536314.489 780 192.168.0.68 TCP_MISS/200 507 POST http://rcv-srv37.inplay.tubemogul.com/streamreceiver/services - DIRECT/174.129.41.128 application/xml
Custom access.log
Dec 15 06:44:23 box squid[2011]: 192.9.101.130 TCP_MISS/200 389 POST http://65.54.49.123/gateway/gateway.dll? - DIRECT/65.54.49.123 application/x-msn-messenger
Dec 15 06:45:24 box squid[2011]: 192.9.101.130 TCP_MISS/200 389 POST http://65.54.49.123/gateway/gateway.dll? - DIRECT/65.54.49.123 application/x-msn-messenger
Dec 15 06:47:25 box last message repeated 2 times
Dec 15 06:47:32 box squid[2011]: 127.0.0.1 TCP_MISS/200 68777105 GET http://update.nai.com/products/commonupdater/dat-5832.zip - DIRECT/122.166.109.18 application/zip
```
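An added example (not from the deck) that parses both Squid shapes shown above into one record list. Two points from the pre-requisites slide are visible in it: the native format carries a UTC epoch timestamp to the millisecond, while the syslog-wrapped custom format carries no year and no time zone, so the caller has to supply the year and must not merge the two timelines without knowing the proxy host's zone; and the syslog "last message repeated N times" notice hides N records whose true timestamps are lost, so the example expands them and flags the copies instead of under-counting. The per-client byte total at the end is the kind of single-number metric the deck recommends. The year 2010 is an assumption made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the deck's native access.log lines followed by its
# syslog-wrapped custom lines (the custom format omits Squid's duration field).
# Each record is on one line, as it would be on disk.
SQUID_LINES = [
    "1286536314.464    475 192.168.0.188 TCP_MISS/200 627 GET http://api.bing.com/qsml.aspx? - DIRECT/122.160.242.136 text/xml",
    "1286536314.489    780 192.168.0.68 TCP_MISS/200 507 POST http://rcv-srv37.inplay.tubemogul.com/streamreceiver/services - DIRECT/174.129.41.128 application/xml",
    "Dec 15 06:44:23 box squid[2011]: 192.9.101.130 TCP_MISS/200 389 POST http://65.54.49.123/gateway/gateway.dll? - DIRECT/65.54.49.123 application/x-msn-messenger",
    "Dec 15 06:45:24 box squid[2011]: 192.9.101.130 TCP_MISS/200 389 POST http://65.54.49.123/gateway/gateway.dll? - DIRECT/65.54.49.123 application/x-msn-messenger",
    "Dec 15 06:47:25 box last message repeated 2 times",
    "Dec 15 06:47:32 box squid[2011]: 127.0.0.1 TCP_MISS/200 68777105 GET http://update.nai.com/products/commonupdater/dat-5832.zip - DIRECT/122.166.109.18 application/zip",
]

# Common tail of both shapes: client result/status bytes method URL ident hier/peer type
TAIL = (r"(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
        r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+"
        r"(?P<type>\S+)$")
NATIVE_RE = re.compile(r"^(?P<secs>\d+)\.(?P<ms>\d{3})\s+(?P<duration>\d+)\s+" + TAIL)
SYSLOG_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
CUSTOM_RE = re.compile(r"^squid\[(?P<pid>\d+)\]: " + TAIL)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def finish(rec):
    """Type the numeric fields and mark the record as an original line."""
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec.setdefault("repeated", False)
    return rec


def parse_squid(lines, year):
    """Parse native and syslog-wrapped Squid records into one list of dicts.

    Native timestamps are converted from their text (not via float) and are
    UTC-aware; syslog timestamps get the caller's year and stay naive, since
    the line records no zone. A "last message repeated N times" notice is
    expanded into N copies of the previous record, flagged repeated=True and
    stamped with the notice time, because the suppressed lines' times are lost.
    """
    records = []
    for line in lines:
        m = NATIVE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["timestamp"] = (datetime.fromtimestamp(int(rec.pop("secs")), tz=timezone.utc)
                                + timedelta(milliseconds=int(rec.pop("ms"))))
            rec["duration_ms"] = int(rec.pop("duration"))
            records.append(finish(rec))
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # neither shape: count these in production
        stamp = datetime.strptime(m["stamp"], "%b %d %H:%M:%S").replace(year=year)
        c = CUSTOM_RE.match(m["msg"])
        if c:
            rec = c.groupdict()
            rec["timestamp"], rec["host"] = stamp, m["host"]
            rec["duration_ms"] = None  # the custom format has no duration field
            records.append(finish(rec))
            continue
        r = REPEAT_RE.match(m["msg"])
        if r and records:
            for _ in range(int(r["n"])):
                records.append(dict(records[-1], timestamp=stamp, repeated=True))
    return records


def bytes_by_client(records):
    """Bytes delivered per client, counting the expanded repeats."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["client"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_squid(SQUID_LINES, year=2010)
    for r in recs:
        print(r["timestamp"], r["client"], r["method"], r["status"], r["bytes"],
              "(repeat)" if r["repeated"] else "")
    print(bytes_by_client(recs))
```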
Multi-line Log Format
Generated by applications that run several processes internally: a single activity as seen by the end user translates into several different tasks inside the application, each writing its own log entry.
LogEntry1 of Task1
LogEntry2 of Task2
LogEntry3 of Task3
Almost all mail server logs are multi-line logs.
Example – Postfix and IronPort (Cisco) email servers
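An added example (not from the deck) of stitching a multi-line log back into one record per activity, using Postfix as the slide suggests: Postfix logs each message as several lines from different daemons (smtpd, cleanup, qmgr, smtp) that share one queue ID, and the message is finished when qmgr logs "removed". The sample lines, queue IDs, hosts and addresses are constructed for this example; the second message is deliberately left unfinished so the check for incomplete transactions has something to report.

```python
import re

# Constructed sample (not from the deck): one Postfix delivery written the way
# Postfix logs it, as five lines from four daemons sharing one queue ID, plus a
# second queue ID that never reaches "removed". Hosts and addresses are
# placeholders.
MAIL_LINES = [
    "Dec 15 06:50:01 box postfix/smtpd[4101]: 7A1B2C3D4E: client=mail.example.test[198.51.100.7]",
    "Dec 15 06:50:01 box postfix/cleanup[4102]: 7A1B2C3D4E: message-id=<msg-1@example.test>",
    "Dec 15 06:50:01 box postfix/qmgr[4090]: 7A1B2C3D4E: from=<alice@example.test>, size=2048, nrcpt=1 (queue active)",
    "Dec 15 06:50:02 box postfix/smtpd[4101]: 9F8E7D6C5B: client=unknown[203.0.113.9]",
    "Dec 15 06:50:02 box postfix/smtp[4103]: 7A1B2C3D4E: to=<bob@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1.2, status=sent (250 2.0.0 OK)",
    "Dec 15 06:50:02 box postfix/qmgr[4090]: 7A1B2C3D4E: removed",
    "Dec 15 06:50:03 box postfix/cleanup[4102]: 9F8E7D6C5B: message-id=<msg-2@example.test>",
]

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Z]+): (?P<rest>.*)$")


def parse_pairs(rest):
    """'from=<a@b>, size=2048, nrcpt=1 (queue active)' -> dict.

    Angle brackets around addresses are dropped and a trailing parenthesised
    remark (SMTP reply, queue state) is kept under 'detail'.
    """
    m = re.match(r"^(.*?)(?: \((.*)\))?$", rest)
    body, detail = m.group(1), m.group(2)
    pairs = {}
    for piece in body.split(", "):
        if "=" in piece:
            key, value = piece.split("=", 1)
            pairs[key] = value.strip("<>")
    if detail:
        pairs["detail"] = detail
    return pairs


def correlate(lines):
    """Group Postfix lines by queue ID into one record per message.

    Each record carries the first and last timestamp seen, the number of
    lines, the daemons that contributed (in order), every key=value pair
    merged (later lines override earlier ones), and complete=True once qmgr
    has logged "removed". Lines that match no Postfix shape are skipped here.
    """
    msgs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = msgs.setdefault(m["qid"], {"first": m["stamp"], "last": m["stamp"],
                                         "lines": 0, "daemons": [], "complete": False})
        msg["last"] = m["stamp"]
        msg["lines"] += 1
        if m["daemon"] not in msg["daemons"]:
            msg["daemons"].append(m["daemon"])
        if m["rest"] == "removed":
            msg["complete"] = True
        else:
            msg.update(parse_pairs(m["rest"]))
    return msgs


def incomplete(msgs):
    """Queue IDs that never reached 'removed': still queued, or the log was
    cut off or rotated mid-transaction."""
    return [qid for qid, m in msgs.items() if not m["complete"]]


if __name__ == "__main__":
    msgs = correlate(MAIL_LINES)
    for qid, m in msgs.items():
        print(qid, m["first"], "->", m["last"], m["lines"], "lines",
              m.get("from"), "->", m.get("to"), m.get("status"), m["complete"])
    print("incomplete:", incomplete(msgs))
```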
Iptables Log Format
Dec 5 00:17:38 box Shorewall:nic012FW:ACCEPT: IN=eth1 OUT= MAC=00:1f:e2:6c:cb:6d:00:1e:58:22:6b:30:08:00 SRC=124.153.10.16 DST=192.168.1.4 LEN=44 TOS=00 PREC=0x00 TTL=55 ID=39105 CE PROTO=TCP SPT=36597 DPT=5666 SEQ=3522285426 ACK=0 WINDOW=5840 SYN URGP=0
Dec 5 00:17:40 box Shorewall:nic012FW:DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:e4:a5:46:f1:08:00 SRC=192.168.1.87 DST=192.168.1.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=3758 PROTO=UDP SPT=138 DPT=138 LEN=209
Dec 5 00:17:47 box Shorewall:nic012nic01:DROP: IN=eth1 OUT=eth1 MAC=00:1f:e2:6c:cb:6d:00:1b:b9:63:a3:19:08:00 SRC=192.168.1.120 DST=202.54.157.139 LEN=48 TOS=00 PREC=0x00 TTL=127 ID=3754 DF PROTO=TCP SPT=1414 DPT=80 SEQ=2498894647 ACK=0 WINDOW=65535 SYN URGP=0
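An added example (not from the deck) that parses the three lines above. Netfilter log lines are mostly KEY=VALUE tokens, but three details trip up a naive dict(): bare tokens such as DF, CE and SYN carry no "=", OUT= can be empty, and the UDP line carries LEN twice (the IP total length, then the UDP length), so the second one must not overwrite the first. The 14-byte MAC= field is split into destination MAC, source MAC and EtherType. The summary at the end groups dropped traffic by source address and target port, which is the usual first question when reading firewall logs.

```python
import re
from collections import defaultdict

# Constructed sample: the deck's three Shorewall/iptables log lines, each
# rejoined onto a single line as the kernel emitted it.
IPTABLES_LINES = [
    "Dec  5 00:17:38 box Shorewall:nic012FW:ACCEPT: IN=eth1 OUT= MAC=00:1f:e2:6c:cb:6d:00:1e:58:22:6b:30:08:00 SRC=124.153.10.16 DST=192.168.1.4 LEN=44 TOS=00 PREC=0x00 TTL=55 ID=39105 CE PROTO=TCP SPT=36597 DPT=5666 SEQ=3522285426 ACK=0 WINDOW=5840 SYN URGP=0",
    "Dec  5 00:17:40 box Shorewall:nic012FW:DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:e4:a5:46:f1:08:00 SRC=192.168.1.87 DST=192.168.1.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=3758 PROTO=UDP SPT=138 DPT=138 LEN=209",
    "Dec  5 00:17:47 box Shorewall:nic012nic01:DROP: IN=eth1 OUT=eth1 MAC=00:1f:e2:6c:cb:6d:00:1b:b9:63:a3:19:08:00 SRC=192.168.1.120 DST=202.54.157.139 LEN=48 TOS=00 PREC=0x00 TTL=127 ID=3754 DF PROTO=TCP SPT=1414 DPT=80 SEQ=2498894647 ACK=0 WINDOW=65535 SYN URGP=0",
]

# Syslog prefix, then Shorewall's "chain:disposition:" tag, then the netfilter body.
HEAD_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+): (?P<body>.*)$")
# Decimal fields worth typing; TOS/PREC stay as their hex text.
INT_KEYS = {"LEN", "TTL", "ID", "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP"}


def parse_iptables(line):
    """Parse one Shorewall/netfilter line; returns None if it is not one.

    fields: the KEY=VALUE tokens (first LEN only); flags: bare tokens such as
    DF, CE, SYN; l4_len: the second LEN on UDP lines (UDP header + payload).
    """
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"stamp": m["stamp"], "host": m["host"], "chain": m["chain"],
           "action": m["action"], "fields": {}, "flags": set(), "l4_len": None}
    for tok in m["body"].split():
        if "=" not in tok:
            rec["flags"].add(tok)
            continue
        key, value = tok.split("=", 1)
        if key in INT_KEYS and value.isdigit():
            value = int(value)
        if key == "LEN" and "LEN" in rec["fields"]:
            rec["l4_len"] = value  # second LEN= is the UDP length, not a replacement
            continue
        rec["fields"][key] = value
    # MAC= is dst(6) : src(6) : ethertype(2) as colon-separated bytes.
    octets = rec["fields"].get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = ":".join(octets[12:])
    return rec


def drops_by_source(records):
    """Denied traffic per source address as sorted 'PROTO/DPT' targets: the
    first view to take when looking for a noisy internal host or a scan."""
    out = defaultdict(set)
    for rec in records:
        if rec and rec["action"] == "DROP":
            f = rec["fields"]
            out[f["SRC"]].add(f"{f['PROTO']}/{f['DPT']}")
    return {src: sorted(targets) for src, targets in out.items()}


if __name__ == "__main__":
    recs = [parse_iptables(l) for l in IPTABLES_LINES]
    for r in recs:
        f = r["fields"]
        print(r["stamp"], r["chain"], r["action"], f["IN"], "->", f["OUT"] or "-",
              f["SRC"], "->", f["DST"], f["PROTO"], f["DPT"], sorted(r["flags"]))
    print(drops_by_source(recs))
```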
Splunk – Monitor, Report and Analyze live streaming / historical IT data
Basic Configuration after installation
cd /opt/splunk/bin
export SPLUNK_IGNORE_SELINUX=1
./splunk start
Use your browser to log in to http://localhost:8000
New apps go to /opt/splunk/etc/apps
For a custom log format, update the following configuration files with entries for the new log format:
/opt/splunk/etc/system/local/props.conf
/opt/splunk/etc/system/local/transforms.conf
OSSEC – An open source host-based intrusion detection system that can work in a client-server mode.
