Mining Proxy Logs: Finding Needles In Haystacks 2010-05-19



Similar documents
Exploitation of Server Log Files of User Behavior in Order to Inform Administrator

LogLogic Blue Coat ProxySG Log Configuration Guide

Microsoft Internet Information Services (IIS)

Pre-Processing: Procedure on Web Log File for Web Usage Mining

Survey on web log data in teams of Web Usage Mining

Networks and the Internet A Primer for Prosecutors and Investigators

STABLE & SECURE BANK lab writeup. Page 1 of 21

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference

Networking for Caribbean Development

Proxies. Chapter 4. Network & Security Gildas Avoine

Analyzing the Different Attributes of Web Log Files To Have An Effective Web Mining

LogLogic Blue Coat ProxySG Syslog Log Configuration Guide

Malware Prevention with Blue Coat Proxies

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy

Research on Application of Web Log Analysis Method in Agriculture Website Improvement

Copyright Winfrasoft Corporation. All rights reserved.

APPLICATION PROGRAMMING INTERFACE

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

The web server administrator needs to set certain properties to insure that logging is activated.

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Common Event Format Configuration Guide

Centralized Cloud Firewall. Ivan Ivanovic BUCC/AMRES Tbilisi, December 2013.

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Whose IP Is It Anyways: Tales of IP Reputation Failures

Barracuda Web Filter Demo Guide Version 3.3 GETTING STARTED

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

UNMASKCONTENT: THE CASE STUDY

Understanding Syslog Messages for the Barracuda Web Filter

The PA-4000 Series can add visibility and control into your network for webmail applications to stop incoming threats and limit uploaded data.

Cyan Networks Secure Web vs. Websense Security Gateway Battle card

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?

On and off premises technologies Which is best for you?

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Barracuda Networks Web Application Firewall

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall

Blue Coat Systems SG Appliance

Using TestLogServer for Web Security Troubleshooting

Installing AWStats on IIS 6.0 (Including IIS 5.1) - Revision 3.0

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

User Identification and Authentication

Name Services (DNS): This is Quick rule will enable the Domain Name Services on the firewall.

Blue Coat Security First Steps Transparent Proxy Deployments

Introduction to Computer Security Benoit Donnet Academic Year

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Centre for the Protection of National Infrastructure Effective Log Management

UNCLASSIFIED. General Enquiries. Incidents Incidents

Apache Logs Viewer Manual

Direct or Transparent Proxy?

Cisco AnyConnect Secure Mobility Solution Guide

Comparison table for an idea on features and differences between most famous statistics tools (AWStats, Analog, Webalizer,...).

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Phishing Activity Trends Report for the Month of December, 2007

Using the Microsoft IIS SMTP Service for LISTSERV Deliveries

LogLogic Microsoft Internet Information Services (IIS) Log Configuration Guide

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Release Notes for Websense Security v7.2

Contact Information. Document Number: Document Revision: SSL Proxy Deployment Guide SGOS 5.1.4

Firewalls, IDS and IPS

Firewall Firewall August, 2003

Blue Coat Systems. Reference Guide. SSL Proxy. For SGOS 5.3.1

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Domain Name System (DNS)

Web Application Firewall

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

Ram Dantu. VOIP: Are We Secured?

WebMarshal User Guide

Application Detection

How to Configure Captive Portal

provides several new features and enhancements, and resolves several issues reported by WatchGuard customers.

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

Third Party Integration

How To Understand The History Of The Web (Web)

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

thriller INTERNET SECURITY

74% 96 Action Items. Compliance

Load balancing Microsoft IAG

Intro to Firewalls. Summary

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Gateway Security at Stateful Inspection/Application Proxy

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Integrated SSL Scanning

Deploying the SSL Proxy

Migration Project Plan for Cisco Cloud Security

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Today's security needs in networking

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser)

An Approach to Convert Unprocessed Weblogs to Database Table

Transcription:

Mining Proxy Logs: Finding Needles In Haystacks 2010-05-19 Matthew Myrick (myrick3@llnl.gov), P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department of Energy by under Contract DE-AC52-07NA27344

Disclaimer Our security infrastructure is a work in progress This presentation is for educational purposes This discussion pertains to our Unclassified environment ONLY Hopefully we can make things better by learning from each other If you see problems please say something 2

Have Fun! 3

Overview Introduction Problems Landscape Solutions Future Conclusion 4

Introduction About LLNL/My Team/Me LLNL Livermore, CA (1 sq mile and 13 sq miles) ~7000 Employees (including contractors) ~20,000 computers My Team Me ~10,000 Access Internet Network Security Team (NST) - 8 people Incident Management Team (IMT) - 4 people IDS, IPS, Proxys, Firewalls, IR, Log Aggregation/Correlation, Pen Testing, Malware Analysis, Forensics, etc. B.S./M.S. in Computer Science from CSU, Chico Over 13 years w/ LLNL ~6 years full time Currently hold a CISSP, BCCPA, GCIH, GPEN 5

Problems What Are We Trying To Solve? How do we find bad guys on our networks??? There are a lot of users There are a lot of computers There is a lot of data There is no consistency and centralized governance is lacking What do the bad guys look like??? I ve never spoken to a bad guy I ve never met a bad guy in person Bad guys means something different to different people Most of us now have a web proxy now what??? It never works perfectly Somebody is always blaming me for breaking their app 6

Landscape - LLNL Proxy Deployment Blue Coat Proxy SG s Transparent forwarding deployment using WCCP We proxy ALL egress traffic (4 ports) Excluding mail, dns and things explicitly exempted Protocols or enforced on their respective ports Content filtering (BCWF) A/V scanning (McAfee) Internet authentication (ldaps) By and large most data flows through our proxy! 7

Landscape - Log Format Details Blue Coat uses a format called ELFF (WC3 Extended) Extend Log File Format (http://www.w3.org/tr/wd-logfile.html) date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filterresult cs-categories cs(referer) sc-status s-action cs-method rs(content-type) csuri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(user- Agent) s-ip sc-bytes cs-bytes x-virus-id 8

Landscape - Log Format Details prefix (header) Describes a header data field. The valid prefixes are: c = Client s = Server r = Remote cs = Client to Server sc = Server to Client http://www.bluecoat.com/http:/%252fwww.bluecoat.com/s upport/self-service/6/elff_format_descriptions.html 9

Landscape - Log Format Details continued LLNL format date time time-taken c-ip sc-status s-action scbytes cs-bytes cs-method cs-uri-scheme cshost cs-ip cs-uri-port cs-uri-path cs-uri-query cs(referer) cs-username cs-auth-group s- hierarchy s-supplier-name rs(content-type) cs(user-agent) sc-filter-result cs-category x- virus-id s-ip s-sitename Customize your log format to best suite your needs 10

Landscape - Log Format Example 2010-04-20 07:00:40 225 1XX.115.109.XX 200 TCP_NC_MISS 332 533 GET http 116vistadrive.greatluxuryestate.com 65.18.172.67 80 /mlsmax/layout05/images/menu_div.gif - http://116vistadrive.greatluxuryestate.com/mlsmax/hom e.htm?mls=&vkey=&vid= linney1 - DIRECT 116vistadrive.greatluxuryestate.com image/gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3" OBSERVED "Real Estate" 1XX.115.27.XX SG-HTTP-Service 11

Solutions How can we solve our problems? Most of us now have a web proxy now what??? Centralize your logs Modify your log format to suite your needs What do the bad guys look like??? Different types of bad guys, overlap, difficult to tell apart Users Criminals / Entrepreneurs APT (Advanced Persistent Threat) How do we find bad guys on our networks??? Depends on which bad guys we re looking for Digest Analyze Scrutinize 12

Solutions Overview Parse your logs with whatever makes you happy My Proof of Concept codes are in Perl Need a code reference I ll share You can use grep, awk, sed, cut, PHP, C, etc. Practical tips Pay attention to http redirects 301, 302, 3XX Pay attention to referrer Could contain search terms Multi staged attacks are commonplace Looking at logs after 5pm can be detrimental! -Monzy 13

Solutions Overview Continued Getting comfortable with the data Machine learning algorithms are not mandatory get www.010h45m.com/freeav2010.exe Our solutions will focus on the following Simple statistics summarization, mean, std. dev, etc. User agents Content Types Compound Searches Consult the oracle a.k.a. google 14

Solution - Summarization 2010-04-20 07:00:40 225 1XX.115.109.XX 200 TCP_NC_MISS 332 533 GET http 116vistadrive.greatluxuryestate.com 65.18.172.67 80 /mlsmax/layout05/images/menu_div.gif - http://116vistadrive.greatluxuryestate.com/mlsmax/hom e.htm?mls=&vkey=&vid= linney1 - DIRECT 116vistadrive.greatluxuryestate.com image/gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3" OBSERVED "Real Estate" 1XX.115.27.XX SG-HTTP-Service 15

Solution - Summarize logs Daily summary Total HTTP users, Total FTP users, Top Sources, Top Destinations, Top Categories, Top Denied Sources, Top Spyware/Malware Sources, Top Spyware Effects, Top User Agents, Top IP getting images, Top IP performing POST s Top 15 Spyware/Malware Sources: 1xx.115.226.xx : 48 1xx.115.105.xxx : 47 1xx.9.139.xx : 14 1xx.9.139.xx : 12 1xx.9.93.xx : 8 1xx.115.105.xxx : 5 1xx.115.105.xxx : 5 1xx.9.135.xx : 2 1xx.9.135.xx : 2 1xx.115.62.xxx : 2 1xx.9.135.xx : 1 PoC bcsummary.pl Daily summary of most of the above 16

Solution - Summarize all requests by TLD Top Level Domain (TLD) I need to jump through hoops to travel physically Virtually users are all over the map! Summary of daily TLD's: com : 15889009 net : 1883675 org : 679329 gov : 265059 edu : 125093 uk : 116674 us : 38544 de : 29788 it : 26079 tv : 24495 fr : 11703 ca : 11016 ru : 7621 PoC tldsummary.pl summary by Top Level Domain Maybe you should block entire TLD s? 17

Solution User Agents 2010-04-20 07:00:40 225 1XX.115.109.XX 200 TCP_NC_MISS 332 533 GET http 116vistadrive.greatluxuryestate.com 65.18.172.67 80 /mlsmax/layout05/images/menu_div.gif - http://116vistadrive.greatluxuryestate.com/mlsmax/home.htm?mls= &vkey=&vid= linney1 - DIRECT 116vistadrive.greatluxuryestate.com image/gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3" OBSERVED "Real Estate" 1XX.115.27.XX SG-HTTP-Service Most things identify themselves Or at least try to mimic common agents Even malware or unwanted software 18

Solution - User Agents Recent interesting user agents Possible trojan QI.exe TwcToolbarIe7 weather2004 Possible piracy/mpaa issues AnyDVD (DVD cloning software) Possible PII issues TurboTax2009.r07.005 VFNetwork/438.14 Darwin/9.8.0 (i386) (MacBook5%2C1) Possible Data Loss Prevention dotmacsyncclient259 CFNetwork/438.14 Darwin/9.8.0 (i386) (MacBook3%2C1) Possible malware or IT issue Immunet Updater MSDW //Thank you Monzy,Danny Quist, Kevin Hall Microsoft Dr. Watson (sqm.microsoft.com, sqm.msn.com, watson.microsoft.com) 19

Solution - User Agents Continued Possible Waste Fraud and Abuse (WFA) BattlefieldBadCompany2Updater Solitaire III Build 33 AppleTV/1.1 Possible attack victims honeyd/1.5b Winamp/5.551 //Integer overflow exploit Integer overflow (www.milw0rm.com/exploits/8783) WordPress/2.7; http://localhost Possibly anything ie8ish blah Handy lookup tool (user-agents.org) PoC uasummary.pl Summarizes user agents and list in descending order by number of occurrences 20

Solution Content Types 2010-04-20 07:00:40 225 1XX.115.109.XX 200 TCP_NC_MISS 332 533 GET http 116vistadrive.greatluxuryestate.com 65.18.172.67 80 /mlsmax/layout05/images/menu_div.gif - http://116vistadrive.greatluxuryestate.com/mlsmax/hom e.htm?mls=&vkey=&vid= linney1 - DIRECT 116vistadrive.greatluxuryestate.com image/gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3" OBSERVED "Real Estate" 1XX.115.27.XX SG-HTTP-Service 21

Solution - Content-Type (a.k.a. MIME) HTTP Protocol (originally designed for SMTP) Used to identify the type of information that a file contains. Specified by web server using Content-type: header Common examples text/html.html Web Page image/png.png PNG-format image image/jpeg.jpeg JPEG-format image audio/mpeg.mp3 MPEG Audio File application.exe Executable content 22

Content-Type continued Focus on executable content "application/octet-stream Beware of.ico (i.e. favicon.ico) "application/x-msdownload application/x-msdos-program Or Ends in.exe.msi.pif.scr etc. 23

Content-Type continued PoC executables.pl Look for everything that ends in.exe Exempt items from trusted domains Less than 100 domains for my enterprise Interesting examples www.hotfile.com/free-games-download/treasure_puzzle.exe www.inovikov.net/srs/rgasetup_release_3.205.007.exe download.uniblue.com/aff/rb/fdm/registrybooster.exe koti.mbnet.fi/vaultec/files/miscellaneous/mingwstudiosetup- 2.05r2.exe The possibilities are endless 24

Solution Compound Searches Mix and match all of the tools previous tools This where scripting languages come in handy! Pay close attention to some TLDs, specifically.ca! If the destination ends in.ca If the mime type is "application/octet-stream" Print the log line Check out executables coming from category of none If content type is "application/octet-stream or "application/xmsdownload If category is none If the file doesn t end in.ico» Print the log line 25

Solution Compound Searches Examine requests to IP s categorized as none If the destination host is the same as the destination IP If the category is none If this isn t FTP Print the log line PoC quickie.pl (does this + more) Simple canned compound queries of interest Useful for looking for things quickly Great for APT indicators 26

Solution - Google Safe Browsing API API that enables client applications to check URLs against Google's constantly updated blacklists of suspected phishing and malware pages. Isolates machine from Internet http://code.google.com/apis/safebrowsing/ ~300,227 domains (2010-04-26) Built into Firefox FREE Reactive Checks nightly PoC safebrows-canonical.pl Monzy Merza & Adam Sealey 27

Future Continue automation/scripting Proxy Log IDS (P.L.I.D.S.) Share indicators/ideas that work! Other Antivirus Scanners Experimenting with Avira/Kaspersky Add to current ICAP group Other Content filters Procuring McAfee Smartfilter Do More with HTTPS Deny (Category=NONE && Untrusted issuer) Intercept everything Archive HTTPS files 28

Conclusion Further Reading Dr Anton Chuvakin (chuvakin.blogspot.com) Joe Griffin (http://www.sans.org/reading_room/whitepapers/malicious/mining_for_ malware_theres_gold_in_them_thar_proxy_logs_32959) Any Questions??? My Contact Information Email: myrick3@llnl.gov (Entrust/PGP) Office: 925.422.0361 Thank you for your time 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information