(Security) Tools

Tools: Overview
- syslog
  - history
  - internals
  - examples & products
- traffic capture / view / analyze
- port scanner
- vulnerability scanner
- other utilities
- closing thoughts
Tools: Syslog
What is syslog?
- Invented in the 1980s by sendmail author Eric Allman and at first used only by sendmail
- RFC 3164 (2001): de facto standard
- RFC 5424 (2009): obsoletes RFC 3164 (RFC 5425: TLS transport / RFC 5426: UDP transport)

RFC 3164 (BSD syslog) is in widespread use but has never been formally standardized; RFC 3164 only describes the formats observed in the wild. The only thing all formats have in common is the syntax and semantics of the PRI value. Any message sent to the syslog UDP port must be treated as a syslog message, no matter what its format or content is. RFC 5424 tries to define a standardized, easily parseable syslog format without breaking compatibility with RFC 3164.
Tools: Syslog
- Syslog is a standard for forwarding standardized log messages in an IP network
- The syslog protocol is of the client <=> server type
- RFC 5424 syslog defaults to the TLS-based transport defined in RFC 5425
- The traditional syslog default is UDP port 514

2001:
- RFC 3164: The BSD syslog Protocol
- RFC 3195: Reliable Delivery for Syslog
2009:
- RFC 5424: The Syslog Protocol
- RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog
- RFC 5426: Transmission of Syslog Messages over UDP
2010:
- RFC 5848: Signed Syslog Messages
- RFC 6012: DTLS Transport Mapping for Syslog
IETF working group page: http://tools.ietf.org/wg/syslog/
Tools: Syslog Layers
- syslog content (message): the management information contained in a syslog message
- syslog application: responsible for generation, interpretation, routing, and storage of syslog messages
- syslog transport: responsible for transporting the messages (putting them on the wire)
Tools: Syslog
- Originator (client) => sends the message
- Relay => receives the message, processes it and forwards it according to the relay configuration
- Collector (server) => writes to file/db/... for further analysis

- Transport sender: passes syslog messages from the application to the transport protocol
- Transport receiver: passes syslog messages from the transport protocol to the application
An application can combine more than one of these functions.
Tools: Syslog Header
PRI  Version  Timestamp  Hostname  Application name  Process ID  Message ID
Example: <165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47

Message length: a transport receiver must accept messages of up to 480 octets and should accept messages of up to 2048 octets.
- PRI: explained on the next two slides (MUST)
- Version: an IANA-assigned version number; RFC 5424 uses version 1 (MUST)
- Timestamp: date, followed by an uppercase T, followed by the time (in various resolutions) and possibly a timezone (MUST)
- Hostname (MUST): FQDN, IP address, hostname, or the NIL value (NULL)
- Application name: name of the application generating the log message (SHOULD)
- Process ID: numerical value, normally the PID of the application generating the log message (SHOULD)
- Message ID: message type, used to identify the kind of message (SHOULD)
Tools: Syslog PRI
Numerical code  Facility
 0      kernel messages
 1      user-level messages
 2      mail system
 3      system daemons
 4      security/authorization messages (note 1)
 5      messages generated internally by syslog
 6      line printer subsystem
 7      network news subsystem
 8      UUCP subsystem
 9      clock daemon (note 2)
10      security/authorization messages (note 1)
11      FTP daemon
12      NTP subsystem
13      log audit (note 1)
14      log alert (note 1)
15      clock daemon (note 2)
16-23   local use 0-7 (local0 - local7)
Tools: Syslog PRI
Numerical code  Severity
0       Emergency: system is unusable
1       Alert: action must be taken immediately
2       Critical: critical conditions
3       Error: error conditions
4       Warning: warning conditions
5       Notice: normal but significant condition
6       Informational: informational messages
7       Debug: debug-level messages
Example: MAIL.INFO => <22>

PRI = Facility * 8 + Severity
Tools: Syslog Message
MSG - RFC 3164: anything
Example:
sendmail[24951]: l948uci5024951: from=<bahram77innis3@afsfs.com>, size=0, class=0, nrcpts=0, proto=esmtp, daemon=mta, relay=aorleans-157-1-39-204.w90-8.abo.wanadoo.fr [90.8.222.204]
syslog-ng[2432]: Configuration reload request received, reloading configuration;
This is a valid syslog message too!
Tools: Syslog Message
MSG - RFC 5424 normally uses structured data to make syslog messages easier to parse.
Example: [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
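As an added example (not part of the slides), a small parser that applies the three previous slides: it splits PRI into facility and severity with PRI = Facility * 8 + Severity, reads the RFC 5424 header fields and structured data, and treats anything else as an RFC 3164-style message (a line with no usable PRI gets the relay default <13>, user.notice, from RFC 3164). The sample message is constructed by joining the header and structured-data fragments quoted on the slides; the facility and severity keyword lists are the conventional syslog names.

```python
import re
# Facility (0-23) and severity (0-7) keywords in PRI table order.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
def pri(facility: int, severity: int) -> int:
    """PRI = Facility * 8 + Severity (slide example: mail.info -> 22)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity

# One RFC 5424 SD-ELEMENT: [SD-ID NAME="value" ...]; values escape " \ ] with a backslash.
SD_ELEMENT = re.compile(r'\[([^ \]="]+)((?: [^ \]="]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^ \]="]+)="((?:[^"\\]|\\.)*)"')

def parse_structured_data(text: str):
    """Consume SD-ELEMENTs at the start of text; return ({sd-id: {name: value}}, rest)."""
    sd, pos = {}, 0
    while m := SD_ELEMENT.match(text, pos):
        sd[m.group(1)] = {k: re.sub(r'\\([\]"\\])', r'\1', v)
                          for k, v in SD_PARAM.findall(m.group(2))}
        pos = m.end()
    return sd, text[pos:]

def parse(raw: str) -> dict:
    """Decode PRI, then the RFC 5424 header if present; anything else is RFC 3164-style."""
    m = re.match(r'<(\d{1,3})>', raw)
    if m and int(m.group(1)) <= 191:          # 23 * 8 + 7 is the largest legal PRI
        code, rest = int(m.group(1)), raw[m.end():]
    else:                                     # no usable PRI: RFC 3164 relays assume <13>
        code, rest = 13, raw
    facility, severity = divmod(code, 8)
    out = {"pri": code, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
           "format": "rfc3164", "sd": {}, "msg": rest}
    fields = rest.split(" ", 6)
    if fields[0] == "1" and len(fields) == 7:  # VERSION 1, five header fields, then SD
        out["format"] = "rfc5424"
        for key, val in zip(("timestamp", "hostname", "appname", "procid", "msgid"), fields[1:6]):
            out[key] = None if val == "-" else val        # "-" is the NIL value
        body = fields[6]
        sd, msg = ({}, body[1:]) if body.startswith("-") else parse_structured_data(body)
        out["sd"], out["msg"] = sd, (msg[1:] if msg.startswith(" ") else msg)
    return out

# Constructed sample: the header and structured-data fragments quoted on the slides, joined.
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
               '[examplePriority@32473 class="high"]')
```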
Tools: Syslog for *NIX
- Syslog-ng (http://www.balabit.com/network-security/syslog-ng/): RFC 5424 support in OSE version >= 3.0
- Rsyslog (http://www.rsyslog.com/): RFC 5424 support in version >= 3.19
- Sysklogd (http://freshmeat.net/projects/sysklogd/)

Tools: Syslog for Windows
- NTsyslog (http://ntsyslog.sourceforge.net/): very old but still usable
- Kiwi Syslog (http://www.kiwisyslog.com/)
- WinSyslog (http://www.winsyslog.com): RFC 5424 support in version >= 9.2

Tools: Syslog frontends
- Logzilla (http://www.logzilla.info/): PHP-based frontend for syslog-ng
- Splunk (http://www.splunk.com): commercial frontend (there is a limited free version)
Tools: logrotate & logwatch
logrotate rotates a log file using a ruleset
- based on file size
- based on time
- does more (daemon restart, archiving, ...)
logwatch (http://www.logwatch.org/)
- generates simple log reports
- aggregated login attempts (failed & succeeded)
- results of user-defined regexes
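An added example of the ruleset the slide describes (not from the slides or the logrotate project): one logrotate stanza that combines a time-based rule, a size-based rule, archiving, and a daemon reload. The log path and the syslog-ng pid file path are assumptions; `maxsize` needs a logrotate release that has it (it is missing from very old versions).

```conf
# Added example, not from the slides: a logrotate ruleset for a syslog-ng output file.
# Assumed paths: log file /var/log/messages, pid file /var/run/syslog-ng.pid.
/var/log/messages {
    # time-based rule, plus a size-based rule that fires earlier if the file grows past 100M
    weekly
    maxsize 100M
    # keep 8 archived generations, named by date, gzip-compressed; the newest rotated file
    # stays uncompressed for one cycle so a writer still appending to it is not corrupted
    rotate 8
    dateext
    compress
    delaycompress
    # no error if the file is missing, skip empty files, recreate with restrictive permissions
    missingok
    notifempty
    create 0640 root adm
    # "does more stuff": after all files of this stanza are rotated, signal syslog-ng once
    # so that it reopens its (now renamed) output file instead of writing into the archive
    sharedscripts
    postrotate
        kill -HUP "$(cat /var/run/syslog-ng.pid)" 2>/dev/null || true
    endscript
}
```

Without the postrotate step the daemon keeps its file descriptor on the renamed file, and the freshly created log stays empty, which is the failure mode a missing "restart" rule produces.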
Tools: Traffic capture/view/analyze
tcpdump <options> <filter> (http://www.tcpdump.org)
- -n => no DNS name resolution
- -i => interface to listen on
- -s => snaplen (default 68; 0 for whole packets)
- -w => write output to a file
- -v => be verbose
- -Z => drop privileges to user <X>

Tools: Traffic capture/view/analyze
tcpdump <options> <filter>
Logical operators: and, or, not
- ip proto <icmp|tcp|udp> (the abbreviation is just <icmp|tcp|udp>)
- host <ip>
- port <nr>
- vlan <id>
- mpls <label>

Tools: Traffic capture/view/analyze
- Wireshark (http://www.wireshark.org/): libpcap-based sniffer with a graphical frontend
  - capture filters use the libpcap filter language
  - display filters use a different filter language
- Microsoft Network Monitor (http://www.microsoft.com/downloads/en/details.aspx?familyid=983b941d-06cb-4658-b7f6-3088333d062f): protocol analyzer from Redmond
Tools: Portscanner
nmap <options> <targets> (http://www.nmap.org)
- -P0 => do not ping
- -O => guess OS
- -sT => connect scan
- -sS => SYN stealth scan
- -sP => ping scan
- -sV => service version scan
- -v => be verbose
Tools: Portscanner
Tools: Vulnerability Scanner
- Nessus (http://www.nessus.org)
  - plugin-based and client/server structured
  - vulnerability scanner
  - network assessment & discovery
  - patch, configuration & content auditing
- OpenVAS (http://www.openvas.org): open-source counterpart
- Retina (http://www.eeye.com/html/products/retina/index.html)
- GFI LANguard (www.gfi.com/languard)

Tools: other tools
- amap
- netcat
- metasploit
- hping2
- xprobe2
- firewalk
- GFI LANguard (Windows)
- superscan (Windows)
- Retina (Windows)
A lot more exist! (e.g. Top 100 Network Security Tools, http://sectools.org/)

Tools: closing thoughts
- know your tools
- know the theory & principles
- verify your results (independently if possible)
- know what you should find before you look for it
- think & act logically
- act according to applicable law