ISSA Siem Fraud

Post on 25-Dec-2014

description

How to detect fraud or suspicious events using open source tools (OSSEC). This talk was given during the ISSA Belgium chapter meeting in January 2011.

transcript

Your Logs or... Back to the Gold Rush

ISSA-BE Event, January 2011

$ whoami

- Xavier Mertens (@xme)
- Senior Security Consultant @ C-CURE
- CISSP, CISA, CEH
- http://blog.rootshell.be
- I'm also on Maltego & Google!
- Some friends:

$ cat disclaimer.txt

The opinions expressed in this presentation are those of the speaker and do not reflect those of past, present or future employers, partners or customers...

1 - The situation today

acme.org

acme.org's CSO

Did you already get this feeling?

Today's Issues

- Technical
  - Networks are complex
  - Based on non-heterogeneous components (firewalls, IDS, proxies, etc)
  - Millions of daily events
  - Lot of consoles/tools
  - Protocols & applications

Today's Issues

- Economical
  - "Time is Money"
  - Investigations must be performed in real-time
  - Downtime may have a huge business impact
  - Reduced staff & budgets
  - Happy Shareholders

Today's Issues

- Legal
  - Compliance requirements
    - PCI-DSS, SOX, HIPAA, etc
    - Initiated by the group or business
  - Local laws
  - Due diligence & due care
  - Security policies must be enforced!

Need for More Visibility

- More integration, more sources => more chances to detect a problem
- Integration of external sources of information could help the detection of incidents
  - Automatic vulnerability scans
  - Import of vulnerabilities database
  - FIM
  - Awareness

Need for More Visibility

[**] [1:2050:14] SQL version overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/27-17:00:05.199275 203.85.114.127:1073 -> 10.0.0.2:1434
UDP TTL:105 TOS:0x0 ID:65518 IpLen:20 DgmLen:404
Len: 376
[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5310]

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:07:54.146866 10.0.0.2:9041 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:36997 IpLen:20 DgmLen:167
***AP*** Seq: 0x5F1B1F41 Ack: 0x6CBD4FE5 Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1475031583 2358505469

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:20:05.913434 10.0.0.2:1758 -> 199.7.59.72:80
TCP TTL:64 TOS:0x0 ID:41064 IpLen:20 DgmLen:167
***AP*** Seq: 0xA9756DFB Ack: 0x8AF3A8FC Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2086630937 3122214979

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:22:27.226248 10.0.0.2:23157 -> 199.7.71.72:80
TCP TTL:64 TOS:0x0 ID:48855 IpLen:20 DgmLen:167
***AP*** Seq: 0x480A3145 Ack: 0x9227C6FF Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2530339421 2353821688

[**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**]
[Priority: 3]
07/27-17:29:26.969904 10.0.0.2:41287 -> 199.7.52.72:80
TCP TTL:64 TOS:0x0 ID:7498 IpLen:20 DgmLen:167
***AP*** Seq: 0xBDCC9352 Ack: 0xB241F70B Win: 0x4000 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3995062809 1050363790

2 - Fraud?

What's "Fraud"?

"Deliberate deception, trickery, or cheating intended to gain an advantage"

- Fraud represents 39% of crimes in the CERT.us database
- Occurs "below the radar"

Fraud Types

- Unauthorized addition or changes in databases
- Data theft or disclosure
- Rogue devices
- Identity theft

Find the Intruder

- Keep an eye on the « malicious insider »
- Who is he?
  - Current or past employee (m/f)
  - Contractors / Business partners
  - Non-technical as well as technical position
  - He/she has authorized access to sensitive assets

Fraud == Suspicious

- The term "fraud" is closely linked to money
- Let's use "suspicious", which means "inclined to suspect, to have doubts about; distrust"
- Detected outside the scope of regular operations
- Need for baselines, thresholds and watchdogs
- And... Procedures!

Baselines

- Interval of values
  - Trigger an alert if above a threshold or outside an interval
- Recurrence in time
- Correlation between multiple sources

Impacts of Fraud?

- Quantitative
  - $$$
- Qualitative
  - Brand
  - Reputation
  - Customers / Stakeholders

Some Examples

- CC used in country "A" and used 4 hours later in country "B".
- A Belgian CC used to buy a 40" flat TV in Brazil
- A SIM card connected to a mobile network in Belgium and 2 hours later in Thailand
- Stolen or shared credentials / access badges.
- SSL VPN access from a foreign country.

More Examples

- "root" session opened on a Sunday 02AM.
- Data copied on removable devices
- Installation of keyloggers
- Rogue FTP servers

Security Convergence!

- Logical Security
- Credentials
- IP access lists
- Physical Security
- Access badges
- GeoIP
- Mobile devices
- Time references
- Let's mix them!

Resources!

- Adding plus-value to your logs is resource consuming!
- Temporary tables might be required
- Beware of time lines!

How to fight?

- Need for raw material: your logs
- Know the process flows!
- Talk to the "business"
- Increase the logs' value
  - Add visibility
  - Correlate with other information sources
+ Processes and communication!

When?

- Real-time
  - Immediate investigation. Source: real-time alerts
- Before
  - Proactivity (reporting - trending)
- After
  - Forensic searches

3 - The tools

It's not a product...

"... It's a process!" (c) Bruce

(diagram: Log Collection, Correlation, Reporting, Search, Incident Handling)

The Good, The Bad, The Ugly!

- Big Play€r$ (no names!)
- All of them prone to be the best
- But often when you look inside:

Straight to the Point

- SIEM environments are exp€n$ive!
- Best choice?
  - Must address the business requirements (not yours)
  - You must be able to handle them

The Ingredients...

- Free software to the rescue!
- Some tools...
  - OSSEC
  - MySQL
  - Iptables / Ulogd
  - Google Maps API
  - Perl
  - The "Cloud" (don't be scared!)

You said "OSS.. What?"

- OSSEC is "an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response".
- More info: @wimremes (ISSA 01/2010)

The Recipes

- Good news, you already have the main ingredient: your logs!

(diagram: Logs, External Resources, Resources, Policies, Security Incidents)

4 - MySQL Audit

Problem

- Authorized users added or modified data in a database.
- Lack of control and separation of duties
- Examples of fraud
  - Rogue access created
  - Price changed
  - Stock modified
- Data integrity not consistent anymore

Solution

- Database changes can be audited
  - High performance impact
  - All transactions are logged
  - Not convenient to process
- Monitor changes on critical data
  - Users credentials
  - Financial data
- Audit INSERT, UPDATE & DELETE queries

Howto

- Use the MySQL UDF "lib_mysqludf_log.so"

mysql> create function lib_mysqludf_log_info returns string soname 'lib_mysqludf_log.so';
mysql> create function log_error returns string soname 'lib_mysqludf_log.so';

- Use MySQL triggers

mysql> create trigger users_insert after insert on users for each row insert into dummy values(log_error("your message here"));

- Triggers will write messages in the MySQL errors.log

Howto

- Process the MySQL log via OSSEC

<!-- MySQL Integrity check -->
<rule id="100025" level="7">
  <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d Table: \.</regex>
  <description>MySQL users table updated</description>
</rule>

Howto

- Results:

Received From: (xxxxx) xx.xxx.xxx.xxx->/var/lib/mysql/errors.log
Rule: 100025 fired (level 7) -> "MySQL users table updated"
Portion of the log(s):

2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost

--END OF NOTIFICATION
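An added example (not from the deck or from OSSEC) of the detection logic rule 100025 performs, written in Python so it can be run against sample lines offline: the trigger-generated lines in errors.log are picked out from ordinary mysqld noise, the table, operation and connecting user are extracted, and only changes to tables listed as critical (users, prices) are promoted to alert level. The log sample, the table-to-level map and the line layout of the insert/update/delete values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the MySQL errors.log after the UDF triggers have fired.
# Trigger lines use the same layout as the alert in the deck; the other lines are
# ordinary mysqld messages that must not match.
SAMPLE_ERRORS_LOG = """\
110108  0:31:10 [Note] /usr/sbin/mysqld: ready for connections.
2011-01-08 00:31:24 Table: acme.users: insert(8,brian,qavXvxlEVykwm) by admin@localhost
2011-01-08 00:33:02 Table: acme.prices: update(42,199.00->19.90) by webapp@10.0.0.7
2011-01-08 00:35:41 Table: acme.stock: delete(17) by admin@localhost
110108  0:40:00 [Warning] Aborted connection 12 to db: 'acme' user: 'webapp'
"""

# Python counterpart of the OSSEC rule regex: a full timestamp followed by "Table: ",
# extended here to also capture what the trigger message carries after it.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Table: "
    r"(?P<table>[\w.]+): (?P<op>insert|update|delete)\((?P<values>.*)\) by (?P<who>\S+)$"
)

# Critical tables (credentials, financial data) and the alert level their changes get;
# anything else is logged at a low level. Assumed values for the example.
CRITICAL_TABLES = {"acme.users": 7, "acme.prices": 10}
DEFAULT_LEVEL = 3

@dataclass
class AuditEvent:
    ts: str
    table: str
    op: str
    values: str
    who: str
    level: int

def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a trigger-generated line, None for ordinary mysqld output."""
    m = AUDIT_LINE.match(line)
    if not m:
        return None
    level = CRITICAL_TABLES.get(m["table"], DEFAULT_LEVEL)
    return AuditEvent(m["ts"], m["table"], m["op"], m["values"], m["who"], level)

def scan_log(text: str, min_level: int = 7) -> List[AuditEvent]:
    """Keep the events an OSSEC rule of level >= min_level would alert on."""
    events = [e for e in map(parse_audit_line, text.splitlines()) if e is not None]
    return [e for e in events if e.level >= min_level]

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_ERRORS_LOG):
        print(f"Rule fired (level {ev.level}): {ev.table} {ev.op}({ev.values}) by {ev.who} at {ev.ts}")
```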

5 - USB Stick Detection

Problem

- Risks of data leak
- Risks of malware infections

Solution

- The Windows registry is a goldmine to audit a system!
- The OSSEC Windows agent can monitor the Windows registry.

Howto

- Interesting registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum\Count

Or

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Howto

- Create a new OSSEC rule:

[USB Storage Inserted] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;

- If "Count" > 0 => USB Storage inserted
- Problem: will be reported by the rootkit detector and not in real time

Howto

- The second registry key changes when a USB stick is inserted:

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB&Prod_Flash_Disk&Rev_0.00

- New rule:

[USB Storage Detected] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR;

Howto

- Results

** Alert 1268681344.26683: - ossec,rootcheck,
2010 Mar 15 20:29:04 (WinXP) 192.168.38.100->rootcheck
Rule: 512 (level 3) -> 'Windows Audit event.'
Src IP: (none)
User: (none)
Windows Audit: USB Storage Inserted.

6 - Detecting Rogue Access

Problem

- Stolen or shared credentials can be used from "unknown" locations
- If your team members are local, is it normal to have sessions opened on your SSL VPN from Thailand or Brazil?
- An admin session started from the administration VLAN?

Solution

- Public IP addresses? They can be mapped to coordinates using open GeoIP databases
- Private IP addresses? Hey, they're yours, you should know them
- For public services, Google Maps offers a nice API

Howto

- Configure OSSEC for your application log file (write a parser if required)
- Create an "Active-Response" action triggered when a specific action is detected
- The "Active-Response" script will perform a GeoIP lookup using the source IP address
- If the IP address belongs to a suspicious country or network zone, inject a new event into OSSEC
- OSSEC generates an alert based on this event.

Howto

- Results:

** Alert 1270065106.2956457: mail - local,syslog,
2010 Mar 31 21:51:46 satanas->/var/log/fraud.log
Rule: 50001 (level 10) -> 'Fraud Detection'
Src IP: (none)
User: (none)
[31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x in DE, Germany

7 - Mapping on Google Maps

Problem

- What's the difference between:
  - 195.75.200.200 (Netherlands)
  - 195.76.200.200 (Spain)
- IPs are extracted from firewall logs, botnet analysis, web site logs, ...

Howto

- Geo-localization is performed using the MaxMind DB (free version) + Perl API

use Geo::IP;
my $gi = Geo::IP->open("GeoLiteCity.dat", GEOIP_STANDARD);
my $record = $gi->record_by_name("1.2.3.4");
print $record->latitude . "," . $record->longitude;

- Store results to a XML file.

Howto

- Submit the file to the Google map API from HTML code.

8 - Searching the Cloud

"LaaS" ?

- "Logging as a Service" seems to be an emerging trend in 2011.
- Loggly offers beta accounts
  - 200MB/day - 90 days of retention
  - No SSL support
- Supported "inputs"
  - Syslog (UDP or TCP)
  - HTTP(S)

"OSSEC phone Loggly"

- OSSEC can export to Syslog
- Events can be sent to Loggly using HTTP POST requests:

https://logs.loggly.com/inputs/420fecf5-c332-4578-a0cb-21b421d4cc46

"OSSEC phone Loggly"

- Perl to the rescue:

# ./syslog2loggly.pl -h
syslog2loggly.pl [-f keyfile] [-D] [-h] [-v] [-p port]
-D : Run as a daemon
-h : This help
-f keyfile : Configuration file (default: /etc/syslog2loggly.conf)
-p port : Bind to port (default 5140)
-v : Increase verbosity
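The core of what a syslog-to-HTTP relay like syslog2loggly has to do, as an added Python example (not the speaker's Perl script): decode the PRI of a datagram into facility and severity, lift the "key: value;" fields OSSEC puts in its syslog output into a structured record, and build the JSON body for the POST to the input URL. The datagram is constructed and modelled on OSSEC's syslog output (field names and values are assumed), the input key is a placeholder, and the network send is deliberately left out so the block runs offline.

```python
import json
import re
from typing import Dict, Optional

# Placeholder for the Loggly input URL; the deck's real key is not reused here.
LOGGLY_INPUT = "https://logs.loggly.com/inputs/<your-input-key>"

# BSD syslog datagram: <PRI>TIMESTAMP HOST MESSAGE (RFC 3164 style).
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# OSSEC's syslog output carries alert fields as "Key: value;" pairs (assumed names).
OSSEC_FIELD = re.compile(r"(Alert Level|Rule|Location|Src IP|User): ([^;]+);?")

# Constructed sample datagram: PRI 132 = local0.warning, payload modelled on the deck's alert.
SAMPLE_DATAGRAM = (
    "<132>Mar 31 21:51:46 satanas ossec: Alert Level: 10; Rule: 50001 - Fraud Detection; "
    "Location: satanas->/var/log/fraud.log; Src IP: (none); User: (none); "
    "[31-03-2010 21:51:45] Suspicious activity detected for user johndoe via IP x.x.x.x"
)

def parse_syslog(datagram: str) -> Optional[Dict[str, object]]:
    """Split PRI into facility/severity and lift OSSEC fields into a dict; None if not syslog."""
    m = SYSLOG_LINE.match(datagram)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # facility 0..23 and severity 0..7 only
        return None
    event: Dict[str, object] = {
        "facility": pri >> 3,           # high bits of PRI
        "severity": pri & 7,            # low three bits of PRI
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }
    for key, value in OSSEC_FIELD.findall(m["msg"]):
        event[key.lower().replace(" ", "_")] = value.strip()
    if "rule" in event:                 # "50001 - Fraud Detection" -> id and name
        rule_id, _, rule_name = str(event["rule"]).partition(" - ")
        event["rule_id"] = int(rule_id)
        event["rule_name"] = rule_name
    return event

def build_post_body(datagram: str) -> Optional[str]:
    """JSON body for the HTTP POST to LOGGLY_INPUT; sending it is left to the caller."""
    event = parse_syslog(datagram)
    return None if event is None else json.dumps(event, sort_keys=True)
```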

Results

Conclusions

- The raw material is already yours.
- The amount of data to process makes it impossible to process it without appropriate tools.
- Suspicious activity occurs below the radar.
- Make your logs more valuable by cross-linking them with other sources.
- Be "imaginative"!

References

- The scripts and references are available on my blog: http://blog.rootshell.be/
- Keyword: "OSSEC"

Thank You! Questions?