Date posted: 22-Dec-2015
Log Analysis and Intrusion Detection
By
Srikrishna Gudavalli
Venkata Naga Vamsi Krishna
Ravi Kiran Yellepeddy
Log Analysis (Windows and Linux)
What is log analysis?
A log record describes an event or process activity on the system in detail.
Examples:
• user authentication event log
• FTP authentication log
Setup for Log Analysis
• Application Log
Specific to a particular application.
e.g. MS Word, Windows Media Player
• Security Log
Records all security-related events.
• System Log
Records all system-related activity.
Linux Auditing
• sysklogd
• Metalog
• logrotate
Basic Linux Auditing
Syslogd:
Records general activity from the kernel, mail, processes and remote logins.
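The authentication events and syslogd output described above are the raw material of log analysis. As an added example (not from the slides), the following Python script parses classic syslog lines as written by syslogd, extracts sshd authentication results, counts failed logins per source address and flags sources that exceed a threshold. The log lines embedded in it are constructed for the example; the sshd message formats and the threshold of three failures are assumptions, not something the deck specifies.

```python
import re
from collections import Counter

# Constructed sample of syslogd output (assumption: sshd authentication
# messages in the classic /var/log/auth.log format). Not taken from the deck.
SAMPLE_AUTH_LOG = """\
Dec 22 10:01:02 server sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec 22 10:01:04 server sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec 22 10:01:06 server sshd[2002]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec 22 10:01:09 server sshd[2003]: Failed password for root from 203.0.113.7 port 51025 ssh2
Dec 22 10:01:11 server sshd[2004]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec 22 10:02:30 server sshd[2010]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Dec 22 10:03:15 server sshd[2011]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Dec 22 10:03:20 server kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
this line is not syslog at all
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w.\-/]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# sshd message bodies (assumed formats for the two outcomes we care about)
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_syslog_line(line):
    """Split one syslog line into its fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_auth_log(text, threshold=3):
    """Count sshd login failures per source IP and flag sources at or above threshold."""
    failed_by_ip = Counter()
    failed_users = Counter()
    accepted = []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_syslog_line(line)
        if rec is None:
            unparsed += 1          # keep a count: unparsed lines are a data-quality signal
            continue
        if rec["prog"] != "sshd":
            continue               # other daemons parse fine but are not authentication events
        failed = FAILED_RE.match(rec["msg"])
        if failed:
            failed_by_ip[failed["ip"]] += 1
            failed_users[failed["user"]] += 1
            continue
        ok = ACCEPTED_RE.match(rec["msg"])
        if ok:
            accepted.append((ok["user"], ok["ip"], ok["method"]))
    flagged = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    return {
        "failed_by_ip": failed_by_ip,
        "failed_users": failed_users,
        "accepted": accepted,
        "flagged_ips": flagged,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["failed_by_ip"].most_common():
        print(f"{ip:>15}  failed logins: {n}")
    print("flagged sources:", report["flagged_ips"])
    print("successful logins:", report["accepted"])
    print("unparsed lines:", report["unparsed"])
```

Keeping the successful logins alongside the failures matters: a burst of failures from one address followed by an accepted login from the same address is a much stronger signal than the failures alone, and the returned structure makes that correlation a one-line check.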
Intrusion Detection Systems (IDS)
• What is an Intrusion Detection System (IDS)?
An intrusion detection system looks for attack signatures: specific patterns that usually indicate malicious or suspicious intent.
Example: Snort
Steps to set up an IDS
• Installation of Snort
• Creation of Snort configuration files
• Creation of rules
• Testing of rules
Operation of Snort
Using Snort in Different Scenarios
• Ping
• nmap Scan Utility
• Subseven Trojan
• Telnet
• Internet Explorer
SNORT AS A SNIFFER
Starting Snort to sniff the data on the network.
Pinging the server from the client and sniffing the data on the server with Snort.
Traffic dump for Linux using Snort
Output of the data sniffed by Snort
Adding a preprocessor to the Snort config file to detect port scans.
Xmas scan using nmap
Alerts in the Snort log files for Xmas stealth scan activity.
Preprocessor to sniff Trojan activity (ettercap)
Creating a Snort config file to use the detection engine
Starting the Snort service with the detection engine
Using Internet Explorer to trigger a directory traversal attempt detected by Snort
Alert for the directory traversal attack in the Snort alerts file
Creating the rules in Snort to detect the SubSeven Trojan
Adding the SubSeven rules to the Snort config file
Starting the Snort service with the new SubSeven rule
Attacking the server with the SubSeven Trojan
Alert log for the SubSeven Trojan detection
SubSeven Trojan scenario on Linux
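Each scenario above ends with alerts in Snort's alert file (the port scan alerts, the directory traversal alert and the SubSeven detection). Reading those files by eye does not scale, so as an added example (not part of the slides) the following Python script parses Snort's one-line alert_fast format, splits source and destination into address and port, and summarizes the alerts by signature, by source address and by priority. The alert lines are constructed for the example; the local rule ids 1000001 and 1000002, their messages, and the addresses are assumptions, while the gid 122 portscan alert follows the sfportscan preprocessor's output shape as I know it and is not copied from the deck.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort 2.x "alert_fast" output. Sids 1000001/1000002 stand
# for assumed local rules; [122:3:1] is the sfportscan preprocessor's portsweep
# alert. None of these lines are copied from the presentation.
SAMPLE_SNORT_ALERTS = """\
12/22-10:04:30.000123  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.10
12/22-10:05:01.120001  [**] [1:1000001:1] LOCAL directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51500 -> 192.0.2.10:80
12/22-10:05:03.450002  [**] [1:1000001:1] LOCAL directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51501 -> 192.0.2.10:80
12/22-10:06:10.000004  [**] [1:1000002:1] LOCAL SubSeven default port connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.7:3100 -> 192.0.2.10:27374
garbage line that is not an alert
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
# The classification block is absent for preprocessor alerts, so it is optional here.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def _split_endpoint(endpoint):
    """'192.0.2.10:80' -> ('192.0.2.10', 80); portless endpoints (portscan alerts) -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return {
        "timestamp": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],      # None for preprocessor alerts
        "priority": int(m["prio"]),
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize_alerts(text):
    """Aggregate alerts by signature, source and priority; count lines that did not parse."""
    by_signature = Counter()
    by_source = Counter()
    targets = defaultdict(set)            # src_ip -> {(dst_ip, dst_port), ...}
    high_priority = []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
            continue
        by_signature[(alert["gid"], alert["sid"], alert["msg"])] += 1
        by_source[alert["src_ip"]] += 1
        targets[alert["src_ip"]].add((alert["dst_ip"], alert["dst_port"]))
        if alert["priority"] == 1:        # Snort's highest priority
            high_priority.append(alert)
    return {
        "by_signature": by_signature,
        "by_source": by_source,
        "targets": dict(targets),
        "high_priority": high_priority,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_SNORT_ALERTS)
    for (gid, sid, msg), n in summary["by_signature"].most_common():
        print(f"[{gid}:{sid}] {msg}: {n}")
    for ip, n in summary["by_source"].most_common():
        print(f"{ip}: {n} alerts, targets {sorted(summary['targets'][ip])}")
    print("priority-1 alerts:", len(summary["high_priority"]), "unparsed:", summary["unparsed"])
```

Grouping by source and collecting the (destination, port) pairs per source is what turns three unrelated-looking alerts into one story: the same address sweeps ports, then probes the web server, then connects to the Trojan's port. That ordering is the evidence an analyst needs before acting on a single alert.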