Friday, August 31, 2012

Friday, July 13, 2012

SIEM Splunk firewall log analysis - Part 1


Today I am going to walk through some of the monitoring techniques that can be used within Splunk to watch for port scanning and malicious SMTP traffic in firewall logs.

·         Port scan detection (i.e. a single source to a single destination on multiple dest_ports in a given time)
… earliest=-15m@m latest=-5m@m | bin _time span=1m | stats dc(dest_port) as port_count by src_ip, dest_ip, _time | where port_count > 100

·         Port sweep detection (i.e. a single source to multiple destinations on a single port in a given time)
… earliest=-15m@m latest=-5m@m | bin _time span=1m | stats dc(dest_ip) as multiple_dest by src_ip, dest_port, _time | where multiple_dest > 100

·         Multiple dropped/blocked connection attempts on high ports (over 1024) within a certain timeframe
… dest_port>1024 (action="blocked" OR action="deny*" OR action="drop*") earliest=-15m@m latest=-5m@m | bin _time span=1m | stats count by src_ip, dest_port, _time | where count > 100

·         Detection of anything on dest_port 6667
… dest_port=6667 | stats count by src_ip, dest_ip, action, dest_port

·         Known malicious port activity
… dest_port=666 OR dest_port=1001 OR dest_port=1011 OR dest_port=1170 OR dest_port=1234 OR dest_port=1245 OR dest_port=1492 OR dest_port=1600 OR dest_port=1807 OR dest_port=1981 OR dest_port=1999 OR dest_port=2001 OR dest_port=2023 OR dest_port=2115 OR dest_port=2140 OR dest_port=2801 OR dest_port=30129 OR dest_port=3700 OR dest_port=4092 OR dest_port=4590 OR dest_port=4156 | chart count by dest_port

Additionally, monitoring outbound email traffic, regardless of whether the firewall allows or blocks it, is a highly effective method for detecting compromised hosts; it is important to keep an eye out for a massive amount of outbound SMTP traffic.

Also, monitor any outbound traffic destined for port 25. However, be sure to exclude valid SMTP senders such as mail servers, web servers that send email from forms, and vulnerability scanners.

Part two will continue with more detail.

Wednesday, July 11, 2012

Splunk – Using Lookup Files

The steps below show how to configure and use lookup files within Splunk.
·         Step 1: Add a lookup CSV file under Lookup table files.

·         Step 2: Map the lookup table file to a lookup definition.

·         Step 3: Verify that the lookup works from the search head:
|inputlookup ip_webattackerlist

·         Step 4: Here the ip field contains an IP range rather than a single IP, so extract an individual address from each range into its own field and verify that it displays as intended:
|inputlookup ip_webattackerlist | rex field=ip "(?<ipnew>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
OR
|inputlookup ip_webattackerlist | rex field=ip "(?<ipnew>[^-]+)"

·         Step 5: Search the logs for the presence of a malicious src_ip:
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip]

·         Step 6: Chart the output in a dashboard:
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src>[^-]+)" | dedup src | fields src] | lookup ip_webattackerlist ip AS src output description | stats count by src, description
OR
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip] | lookup ip_webattackerlist ip AS src_ip output description | stats count by description
OR
index=* [|inputlookup ip_webattackerlist | rex field=ip "(?<src_ip>[^-]+)" | dedup src_ip | fields src_ip] | lookup ip_webattackerlist ip AS src_ip output description | stats count by src_ip

·         Step 7: To add new src_ip entries to the list:
| stats count | rename count as ip | eval ip="69.28.58.28,202.177.218.43,49.183.211.42,50.17.211.194,122.150.35.248" | makemv delim="," ip | mvexpand ip | eval description="known_attacker" | inputlookup append=t ip_webattackerlist | outputlookup ip_webattackerlist

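The lookup workflow of Steps 4 to 7 reproduced in Python as an added example (not the post's own searches): a CSV lookup whose `ip` column holds ranges, the two `rex` extractions, the subsearch-style match against events with `description` enrichment, and the append-and-write-back of Step 7. The lookup rows and the events are constructed; the function names, `ipnew` aside, are assumptions.

```python
"""Splunk lookup-file workflow (Steps 4-7 above) reproduced in Python.

Added example, not the original post's searches. The lookup contents and the
events below are constructed; the two regexes are the ones used in Step 4.
"""
import csv
import io
import re
from collections import Counter

# Step 4: FIRST_IP is the dotted-quad form, BEFORE_DASH is the "[^-]+" form.
FIRST_IP = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
BEFORE_DASH = re.compile(r"([^-]+)")

# Constructed lookup contents (the real file sits under Lookup table files).
LOOKUP_CSV = """ip,description
198.51.100.10-198.51.100.20,scanner_net
203.0.113.5-203.0.113.5,web_attacker
192.0.2.77,brute_forcer
"""

def load_lookup(text):
    """Equivalent of `| inputlookup ip_webattackerlist`: a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def extract_ips(rows, pattern=FIRST_IP):
    """Step 4: add an `ipnew` field holding one address taken from the range."""
    out = []
    for row in rows:
        m = pattern.search(row["ip"])
        out.append(dict(row, ipnew=m.group(1) if m else None))
    return out

def match_events(events, rows):
    """Steps 5-6: keep events whose src_ip is in the lookup, enriched with description.

    The subsearch becomes a set-membership test on the extracted address, and
    `| lookup ... output description` becomes a dict lookup.
    """
    desc_by_ip = {}
    for row in extract_ips(rows):
        if row["ipnew"]:
            desc_by_ip[row["ipnew"]] = row["description"]
    hits = []
    for ev in events:
        if ev["src_ip"] in desc_by_ip:
            hits.append(dict(ev, description=desc_by_ip[ev["src_ip"]]))
    return hits

def count_by(hits, field):
    """`| stats count by <field>` over the matched events."""
    return dict(Counter(h[field] for h in hits))

def append_known_attackers(text, new_ips, description="known_attacker"):
    """Step 7: split the comma-separated list, append rows, return the new CSV text."""
    rows = load_lookup(text)
    for ip in new_ips.split(","):
        rows.append({"ip": ip.strip(), "description": description})
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ip", "description"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

# Constructed sample events (not real logs).
EVENTS = [
    {"src_ip": "198.51.100.10", "dest_ip": "10.0.0.1", "action": "allow"},
    {"src_ip": "198.51.100.10", "dest_ip": "10.0.0.2", "action": "deny"},
    {"src_ip": "203.0.113.5", "dest_ip": "10.0.0.1", "action": "deny"},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.1", "action": "allow"},
    {"src_ip": "192.0.2.77", "dest_ip": "10.0.0.3", "action": "deny"},
]

if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    hits = match_events(EVENTS, rows)
    print(count_by(hits, "src_ip"))
    print(count_by(hits, "description"))
    print(append_known_attackers(LOOKUP_CSV, "69.28.58.28,202.177.218.43"))
```

Note the limitation this inherits from Step 4: only the address before the hyphen is matched, so a source inside a range but not at its start (198.51.100.15 in the sample lookup) is never flagged. Matching whole ranges needs either the lookup expanded to one row per address or a lookup definition configured for CIDR matching.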

Tuesday, March 20, 2012

Security Event of Interest for various technologies

Security Information and Event Management (SIEM) capabilities provide a range of tools and functions for managing security-related events by assessing log data and correlating information from various sources. By not relying on a single source of information, such as an IDS/IPS, to flag potential breaches, the event management function can reduce the number of false positives by first checking that the discovered event has also been observed by other systems in the environment. As the system is tuned over time, it becomes more effective at differentiating between full-blown security incidents and other types of event patterns.

SIEM systems can detect events of interest in two distinct ways: by providing a real-time assessment of security-relevant information directed to them, and by supporting forensic analysis of log records collected from the perimeter and internal networks of the controlled environment. Below are a few security events of interest that can be considered as a starting point for the security event repository.

Antivirus Events:
·         Instances of detected malware
·         File and system disinfection attempts (success and fail)
·         File quarantines
·         Malware scans
·         System start up and shutdown
·         Detection of infected files and updates
·         Quarantining of files
·         Cleansing of infected files and updates
·         System compromises
·         Updating of virus signatures
·         Updating of software

Application Events:

·         Requests to privileged resources
·         Application start-up, shutdown, failures and restarts
·         Application access to sensitive resources (functions, data)
·         Account lock-outs
·         User logon / logoff activities

Authentication Servers: Authentication servers, including directory servers and single sign-on servers, typically log each authentication attempt, including its origin, username, success or failure, and date and time.

·         Account Information
·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting passwords, resynchronising tokens, accessing user logs)
·         Operational Actions
·         Application start-up and shutdown
·         Application failures and restarts
·         Modification of application system settings, parameters and/or configuration

Database Events:

·         Database service (including instance) start-up and shutdown
·         Administrative user and privileged user activities, including:
          ·         Updates
          ·         Deletions
          ·         Select
          ·         Imports & exports
·         Creation of or modification to database objects (i.e. data definition language queries), including:
          ·         Drop (delete)
          ·         Alter
          ·         Create
·         Modification of access controls to database objects
·         Creation of database users
·         Modification to database user properties and privileges
·         Database user logon and logoff
·         Utility Events including backup, restore and bulk insert commands
·         Connections to instances using administrator privileges

F5 devices: F5 devices are intermediate hosts through which Web sites are accessed. They make Web page requests on behalf of users and cache copies of retrieved Web pages to make additional accesses to those pages more efficient. F5/web proxies can also be used to restrict Web access and to add a layer of protection between Web clients and Web servers.

·         Monitoring authentication attempts
·         Administrative actions
·         Activity by Users
·         Top Error types
·         Top Protocol
·         Top Severity codes
·         Top Signatures
·         Top violations by signature
·         Top violations
·         Top violations by protocol (HTTP, FTP, SMTP)
·         Top violations by URL
·         Top response codes by web application
·         Top Signature
·         Web application requests by method

Firewall / Networking Devices:  Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more sophisticated methods to examine network traffic. Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to have more complex policies and generate more detailed logs of activity than routers.

·         Account Information
·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting password)
·         Administrator(s) account details
·         All unsuccessful login attempts
·         Modifications to privilege level or configuration of any account
·         Physical or virtual interface(s) configuration and status
·         System start up and shutdown
·         System compromises
·         System Alerts
·         Changes to firewall policy
·         Logging of firewall rules (dropped packets)
·         Identity context of connections where available (e.g. terminated mutually authenticated SSL)

IIS:

·         Error Types recorded
·         Usage of bad user agents
·         Ip address or user with maximum bandwidth usage
·         Top referrals
·         Access to privileged URL
·         Attempt to upload file
·         Web pages with more consecutive hits from same source/different source
·         Excessive connection in short period of time
·         SQL Injection attempt
·         Potential malicious referrals
·         XML injection attempts
·         XPATH injection attempts
·         Session spoofing attempts
·         Cross site scripting
·         LDAP injection

Intrusion Detection / Intrusion Prevention System: Intrusion detection and intrusion prevention systems record detailed information on suspicious behaviour and detected attacks, as well as any actions intrusion prevention systems performed to stop malicious activity in progress. Some intrusion detection systems, such as file integrity checking software, run periodically instead of continuously, so they generate log entries in batches instead of on an ongoing basis.

·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting passwords, resynchronising tokens, accessing user logs)
·         Administrator(s) account details
·         All unsuccessful login attempts
·         Modifications to privilege level or configuration of any account
·         Configuration changes
·         System start up and shutdown
·         Heuristic anomalies and action (success/fail)
·         Matches to attack signatures and action (success/fail)
·         Update signature (success/fail)
·         Update software (success/fail)

Operating System Events: Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches) usually log a variety of information related to security. The most common types of security-related OS data are as follows:

·         Account Information
·         Account creation, modification and deletion
·         Administrative activity
·         Login or logoff (i.e. any account)
·         Account lock-outs
·         Actions with security implications (e.g. resetting passwords, resynchronising tokens, accessing user logs)
·         Administrator(s) account details
·         All unsuccessful login attempts
·         Modifications to privilege level or configuration of any account
·         Configuration changes
·         System start up and shutdown
·         Failed attempts to access data and system resources
·         Successful and failed attempts to use special privileges
·         Successful and failed user or group management attempts
·         Successful and failed security policy change attempts
·         Successful and failed attempts to access audit logs
·         The copying and accessing of sensitive information

Saturday, January 28, 2012

Windows Terminal Commands


Command  Function
ASSOC Displays or modifies file extension associations.
ATTRIB Displays or changes file attributes.
BREAK Sets or clears extended CTRL+C checking.
BCDBOOT Copies critical files to the system partition and creates a new system BCD store.
BCDEDIT Sets properties in the boot database to control boot loading.
CACLS Displays or modifies access control lists (ACLs) of files.
CALL Calls one batch program from another.
CD Displays the name of or changes the current directory.
CHCP Displays or sets the active code page number.
CHDIR Displays the name of or changes the current directory.
CHKDSK Checks a disk and displays a status report.
CHKNTFS Displays or modifies the checking of disk at boot time.
CHOICE Batch file command that allows users to select from a set of options.
CIPHER Displays or alters the encryption of directories [files] on NTFS partitions.
CLIP Redirects output of another command to the Windows clipboard.
CLS Clears the screen.
CMD Starts a new instance of the Windows command interpreter.
CMDKEY Creates, lists and deletes stored user names and passwords or credentials.
COLOR Sets the default console foreground and background colors.
COMP Compares the contents of two files or sets of files byte-by-byte.
COMPACT Displays or alters the compression of files on NTFS partitions.
CONVERT Converts FAT volumes to NTFS. You cannot convert the current drive.
COPY Copies one or more files to another location.
DATE Displays or sets the date.
DEFRAG Disk defragmenter accessory.
DEL Deletes one or more files.
DIR Displays a list of files and subdirectories in a directory.
DISKCOMP Compares the contents of two floppy disks.
DISKCOPY Copies the contents of one floppy disk to another.
DISKPART Displays or configures disk partition properties. A separate command interpreter with a sub-set of commands.
DOSKEY Edits command lines, recalls Windows commands, and creates macros.
DRIVERQUERY Displays current device driver status and properties.
ECHO Displays messages, or turns command echoing on or off.
ENDLOCAL Ends localization of environment changes in a batch file.
ERASE Deletes one or more files.
EXIT Quits and closes the command shell.
EXPAND Expands one or more compressed files.
FC Compares two files or sets of files, and displays the differences between them.
FIND Searches for a text string in a file or files.
FINDSTR Searches for strings in files.
FOR Runs a specified command for each item in a set.
FORFILES Selects files in a folder for batch processing.
FORMAT Formats a disk for use with Windows.
FSUTIL Displays or configures the file system properties.
FTYPE Displays or modifies file types used in file extension associations.
GOTO Directs the Windows command interpreter to a labeled line in a batch program.
GPRESULT Displays Group Policy information for machine or user.
GRAFTABL Enables Windows to display an extended character set in graphics mode.
HELP Provides Help information for Windows commands.
ICACLS Displays, modifies, backs up, or restores ACLs for files and directories.
IF Performs conditional processing in batch programs.
IPCONFIG Displays all current TCP/IP network configuration values.
LABEL Creates, changes, or deletes the volume label of a disk.
MD Creates a directory.
MKDIR Creates a directory.
MKLINK Creates symbolic links and hard links.
MODE Configures a system device.
MORE Displays output one screen at a time.
MOVE Moves one or more files from one directory to another directory.
OPENFILES Queries, displays, or disconnects open files or files opened by network users.
PATH Displays or sets a search path for executable files.
PAUSE Suspends processing of a batch file and displays a message.
POPD Restores the previous value of the current directory saved by PUSHD.
PRINT Prints a text file.
PROMPT Changes the Windows command prompt.
PUSHD Saves the current directory then changes it.
RD Removes a directory.
RECOVER Recovers readable information from a bad or defective disk.
REM Designates comments (remarks) in batch files.
REN Renames a file or files.
RENAME Renames a file or files.
REPLACE Replaces files.
RMDIR Removes a directory.
ROBOCOPY Advanced utility to copy files and directory trees.
SET Displays, sets, or removes environment variables for the current session.
SETLOCAL Begins localization of environment changes in a batch file.
SETX Sets environment variables.
SC Displays or configures services (background processes).
SCHTASKS Schedules commands and programs to run on a computer.
SHIFT Shifts the position of replaceable parameters in batch files.
SHUTDOWN Allows proper local or remote shutdown of a machine.
SORT Sorts input.
START Starts a separate window to run a specified program or command.
SUBST Associates a path with a drive letter.
SYSTEMINFO Displays machine-specific properties and configuration.
TAKEOWN Allows an administrator to take ownership of a file.
TASKLIST Displays all currently running tasks including services.
TASKKILL Kills or stops a running process or application.
TIME Displays or sets the system time.
TIMEOUT Pauses the command processor for the specified number of seconds.
TITLE Sets the window title for a CMD.EXE session.
TREE Graphically displays the directory structure of a drive or path.
TYPE Displays the contents of a text file.
VER Displays the Windows version.
VERIFY Tells Windows whether to verify that your files are written correctly to a disk.
VOL Displays a disk volume label and serial number.
VSSADMIN Volume Shadow Copy Service administration tool.
WHERE Displays the location of files that match a search pattern.
XCOPY Copies files and directory trees.
WMIC Displays WMI information inside an interactive command shell.