Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

Transcription

1 Foreword p. xvii Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security Information to Management p. 5 Example of an Incident Report: IDS Case No. 123, 5 September 2005 p. 6 Combining Resources for an "Eye-in-the-Sky" View p. 9 Blended Threats and Reporting p. 12 Conclusion p. 16 Code Solutions p. 16 Bird's-Eye View for Management: HTML p. 16 Birds-Eye View for Security Teams: HTML p. 20 Commercial Solutions: ArcSight and Netforensics p. 30 Summary p. 32 Solutions Fast Track p. 32 Frequently Asked Questions p. 35 IDS Reporting p. 37 Introduction p. 38 Session Logging with Snort p. 39 Did That Exploit Work? Did the Attacker Download Any Data? p. 41 An Example of a Web Connection p. 43 An Example of a Web Connection with a Backdoor Snort Session p. 43 Session/Flow Logging with Argus p. 44 Database Setup p. 46 Can You Determine When a DDoS/DoS Attack Is Occurring? p. 53 Using Snort for Bandwidth Monitoring p. 57 Using Bro to Log and Capture Application-Level Protocols p. 65 Tracking Malware and Authorized Software in Web Traffic p. 67 Determining Which Machines Use a Provided/Supported Browser p. 71 Tracking Users' Web Activities with Bro p. 74 Using Bro to Gather DNS and Web Traffic Data p. 79 Using Bro for Blackholing Traffic to Malware-Infested Domains p. 90 Using Bro to Identify Top Senders/Receivers p. 101 Top Mail Server p. 102 Top Address p. 103 Virus Attachment Du Jour p. 104 Summary p. 107 Solutions Fast Track p. 107 Frequently Asked Questions p. 111 Firewall Reporting p. 113 Firewall Reporting: A Reflection of the Effectiveness of Security Policies p. 114

2 The Supporting Infrastructure for Firewall Log Management p. 116 Parsing the Data p. 118 Tools for an Overview of Activity p. 126 Time History Graphics p. 127 Reporting Statistics p. 132 Statistics by Country p. 132 Statistics by Business Partner p. 135 What Is "Normal" and What Is Threatening p. 136 Tools and URLs p. 138 Summary p. 139 Solutions Fast Track p. 139 Frequently Asked Questions p. 141 Systems and Network Device Reporting p. 143 Introduction p. 144 What Should the Logs Log? Everything? p. 145 The 5 Ws (Who, What, When, Where, and Why) p. 145 Web Server Logs p. 147 Recon and Attack Information p. 148 Identifying User Agent Types p. 149 Isolating Attacking IP Addresses p. 151 Correlating Data with the Host System p. 152 Did They Try to Get In? p. 152 Did They Get In? p. 153 What Did They Do While They Were In? p. 155 Pulling It All Together p. 156 Awstats Graphical Charting of Web Statistics p. 156 Top Attacker and Top User for the Web Server p. 160 Summary p. 162 Solutions Fast Track p. 162 Frequently Asked Questions p. 162 Creating a Reporting Infrastructure p. 165 Introduction p. 166 Creating IDS Reports from Snort Logs-Example Report Queries p. 166 Prepare Different Report Formats-Text, Web, p. 177 Creating IDS Reports from Bro Logs-Application Log Information p. 178 Prepare Different Report Formats-Text, Web, p. 185 Summary p. 190 Solutions Fast Track p. 190 Frequently Asked Questions p. 191 Scalable Enterprise Solutions (ESM Deployments) p. 193 Introduction p. 194

3 What Is ESM? p. 196 Security Policy p. 197 Controlling Configuration p. 198 Controlling Deployment p. 200 Monitoring p. 202 When Deploying ESM Makes Sense p. 205 Questions Your Organization Should Be Asking p. 207 What Problem Are You Trying to Solve? p. 207 How Many Information Sources Are Manageable? p. 208 What Benefits Do I Gain from ESM? p. 209 What Is the Return on Investment for ESM Tools? p. 211 What Type of Reports Do I Expect from ESM? p. 213 Monitoring and Managing versus Reporting p. 214 Which Security Reporting Tools to Aggregate into ESM p. 216 Determining How Much Data Is Too Much p. 219 Using ESM Reporting for Maximum Performance p. 220 Real-Time Reporting p. 221 Centralized Repository Reporting p. 222 ESM Reporting as a Single Point of View p. 224 Automation of ESM Reporting p. 226 Special Considerations for Using ESM p. 227 Security p. 227 Reliability p. 228 Scalability p. 229 Lessons Learned Implementing ESM p. 230 Knowing Your Environment p. 231 Implementing at the Right Pace p. 232 Obtaining Vendor Support p. 234 Ensuring Usability p. 235 Summary p. 237 Solutions Fast Track p. 238 Frequently Asked Questions p. 241 Managing Log Files with Log Parser p. 243 Introduction p. 244 Log File Conversion p. 244 Standardizing Log Formats p. 244 Using XML for Reporting p. 248 Correlating Log File Data p. 251 Identifying Related Data p. 252 Converting Related Log Files p. 253 Analyzing Related Log File Data p. 257

4 Log Rotation and Archival p. 259 Rotating Log Files p. 259 Rotating Log Files Based on Size p. 260 Rotating Log Files Based on Date p. 260 Automating Log File Rotation p. 261 Determining an Archiving Methodology p. 262 Meeting Legal or Policy Requirements p. 263 Archiving Logs for Non-Repudiation p. 264 Building a Hierarchical Logging Directory Structure p. 266 Using a Syslog Server p. 269 Separating Logs p. 271 Determining Log File Separation Strategies p. 271 Separating by Date p. 272 Separating by Event Type p. 272 Separating by System p. 273 Using Separated Log Files p. 275 Developing a Separated Log File Hierarchy p. 276 Summary p. 277 Solutions Fast Track p. 277 Frequently Asked Questions p. 279 Investigating Intrusions with Log Parser p. 281 Introduction p. 282 Locating Intrusions p. 282 Monitoring Logons p. 283 Excessive Failed Logons p. 283 Terminal Services Logons p. 284 Monitoring IIS p. 287 Identifying Suspicious Files p. 287 Finding Modification Dates p. 289 Reconstructing Intrusions p. 291 Most Recently Used Lists p. 291 Downloading Stolen Data p. 293 DNS Name Cache p. 294 User Activity p. 295 Login Count p. 298 Services p. 298 Installed Programs p. 300 Summary p. 302 Solutions Fast Track p. 302 Frequently Asked Questions p. 304 Managing Snort Alerts with Microsoft Log Parser p. 305

5 Introduction p. 306 Building Snort IDS Reports p. 306 Gathering Snort Logs p. 306 Building an Alerts Detail Report p. 308 Most Common Alerts p. 309 Alerts by IP Address p. 317 Building an Alerts Overview Report p. 319 Managing Snort Rules p. 323 Summary p. 327 Index p. 329 Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.