Network Security I-7262a
Tools
Tools: Overview
● syslog
  - history
  - internals
  - examples & products
● traffic capture / view / analyze
● port scanner
● vulnerability scanner
● other utilities
Tools: Syslog
● What is syslog?
● Invented in the 1980s by sendmail author Eric Allman and first used only by sendmail
● RFC 3164 (2001): de facto standard
● RFC 5424 (2009) obsoletes 3164
  (RFC 5425 TLS transport / RFC 5426 UDP transport)

RFC 3164 (BSD syslog) is in widespread use but has never been formally standardized; 3164 “only” describes observed formats. The only thing all formats have in common is the PRI value syntax and semantics: “Any message destined to syslog UDP port must be treated as syslog message, no matter what its format or content is.” RFC 5424 tries to define a standardized, easily parseable syslog format without breaking compatibility with RFC 3164.
Tools: Syslog
● Syslog is a standard for forwarding standardized “log messages” in an IP network
● The syslog protocol is of client <=> server type
● RFC 5424 syslog defaults to the TLS-based transport defined in RFC 5425
● Syslog default port is UDP 514

2001:
- RFC 3164: The BSD syslog Protocol
- RFC 3195: Reliable Delivery for Syslog
2009:
- RFC 5424: The Syslog Protocol
- RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog
- RFC 5426: Transmission of Syslog Messages over UDP
2010:
- RFC 5848: Signed Syslog Messages
- RFC 6012: DTLS Transport Mapping for Syslog
IETF Standard Page:
Tools: Syslog
● Layers
  – “syslog content” (message) is the management information contained in a syslog message
  – “syslog application” is responsible for generation, interpretation, routing, and storage of syslog messages
  – “syslog transport” is responsible for transporting
Tools: Syslog
● Originator
  - client => sends the message
● Relay
  - receives the message, processes it and forwards it according to the relay configuration
● Collector
  - server => writes to file/DB/... for further analysis

- Transport sender: passes syslog messages from the application to the transport protocol
- Transport receiver: passes syslog messages from the transport protocol to the application
An application can unite more than one function.
Tools: Syslog Header
● PRI
● Version
● Timestamp
● Hostname
● Application name
● Process ID
● Message ID
Example: <165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47

Message length: a transport receiver must accept messages of up to 480 octets and should accept up to 2048 octets.
PRI: explained in the next two slides (MUST)
Version: an IANA-assigned version number; RFC 5424 uses version 1 (MUST)
Timestamp: date, followed by an uppercase T, followed by the time (various resolutions) and possibly a timezone (MUST)
Hostname (MUST): FQDN, IP address, hostname, or NIL value (NULL)
Application name: name of the application generating the log message (SHOULD)
Process ID: numerical value, normally the PID of the application generating the log message (SHOULD)
Tools: Syslog PRI
● Numerical Code   Facility
   0    kernel messages
   1    user-level messages
   2    mail system
   3    system daemons
   4    security/authorization messages (note 1)
   5    messages generated internally by syslog
   6    line printer subsystem
   7    network news subsystem
   8    UUCP subsystem
   9    clock daemon (note 2)
  10    security/authorization messages (note 1)
  11    FTP daemon
  12    NTP subsystem
  13    log audit (note 1)
  14    log alert (note 1)
  15    clock daemon (note 2)
  16-23 local use 0-7 (local0-local7)
Tools: Syslog PRI
● Numerical Code   Severity
   0    Emergency: system is unusable
   1    Alert: action must be taken immediately
   2    Critical: critical conditions
   3    Error: error conditions
   4    Warning: warning conditions
   5    Notice: normal but significant condition
   6    Informational: informational messages
   7    Debug: debug-level messages
Example: MAIL.INFO <22> (PRI = facility * 8 + severity = 2 * 8 + 6)
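As an added example (not part of the slides), a small RFC 5424 header parser that also decodes PRI the way the two PRI tables describe it: PRI = facility * 8 + severity, so the slide's MAIL.INFO is 2 * 8 + 6 = <22> and the header example's <165> is local4.notice. The facility/severity names and the 480/2048-octet limits follow RFC 5424; the function names are my own.

```python
import re

# Facility and severity names in PRI order (RFC 5424 section 6.2.1; the slides' two tables).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID;
# whatever follows the header (STRUCTURED-DATA and MSG) is captured as "rest".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32})"
    r"(?: (?P<rest>.*))?$", re.DOTALL)

def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:                     # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range 0..191: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def encode_pri(facility, severity):
    """Inverse of decode_pri: ("mail", "info") -> 22, the slide's MAIL.INFO example."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_header(raw, max_octets=2048):
    """Parse an RFC 5424 HEADER into a dict; NIL fields ("-") become None.

    A receiver must accept 480 octets and should accept 2048; longer input is
    rejected here rather than silently truncated.
    """
    if len(raw.encode("utf-8")) > max_octets:
        raise ValueError("message longer than %d octets" % max_octets)
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % raw[:40])
    fields = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    fields["pri"] = int(m.group("pri"))
    fields["version"] = int(m.group("version"))
    fields["facility"], fields["severity"] = decode_pri(fields["pri"])
    return fields

if __name__ == "__main__":
    # The slide's header example; "local4"/"notice" because 165 = 20 * 8 + 5.
    print(parse_header("<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47"))
    print(encode_pri("mail", "info"))  # 22
```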
Tools: Syslog Message
● MSG
  - RFC 3164: anything
Example:
sendmail[24951]: l948UcI5024951: from=<[email protected]>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=AOrleans-157-1-39-204.w90-8.abo.wanadoo.fr [90.8.222.204]\n
syslog-ng[2432]: Configuration reload request received, reloading configuration;
Tools: Syslog Message
● MSG
  - RFC 5424 normally uses “structured data” to make syslog messages easier to parse.
Example:
[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"]
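Added example, not from the slides: a parser for the STRUCTURED-DATA shown above, handling the NIL value and the three characters RFC 5424 requires to be escaped inside a PARAM-VALUE, and rejecting malformed input instead of guessing (a collector should count such messages, not store half-parsed fields). The free-text MSG after the SD elements in the sample is constructed.

```python
# STRUCTURED-DATA (RFC 5424 section 6.3) = NILVALUE / 1*SD-ELEMENT
#   SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" '"' PARAM-VALUE '"') "]"
# Inside PARAM-VALUE the characters '"', '\' and ']' must be escaped with a backslash.

def parse_structured_data(text):
    """Return (sd, msg): sd maps SD-ID -> {param: value}; the NIL value '-' gives {}.

    Raises ValueError for malformed input so the caller can flag the message.
    """
    if text.startswith("-"):
        return {}, text[1:].lstrip(" ")
    sd, pos = {}, 0
    try:
        while pos < len(text) and text[pos] == "[":
            end = text.find(" ", pos)               # SD-ID ends at SP (params follow) ...
            close = text.find("]", pos)             # ... or at "]" (no params)
            if end == -1 or (close != -1 and close < end):
                end = close
            sd_id, params, pos = text[pos + 1:end], {}, end
            while text[pos] == " ":
                eq = text.index("=", pos)
                name = text[pos + 1:eq]
                if text[eq + 1] != '"' or not name:
                    raise ValueError("PARAM-VALUE must be quoted: %r" % name)
                pos, buf = eq + 2, []
                while text[pos] != '"':             # copy up to the closing quote
                    if text[pos] == "\\" and text[pos + 1] in '"\\]':
                        pos += 1                    # drop the escape, keep the char
                    buf.append(text[pos])
                    pos += 1
                params[name] = "".join(buf)
                pos += 1
            if text[pos] != "]":
                raise ValueError("unterminated SD-ELEMENT %r" % sd_id)
            sd[sd_id] = params
            pos += 1
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    if not sd:
        raise ValueError("expected '-' or at least one SD-ELEMENT")
    return sd, text[pos:].lstrip(" ")

# The slide's example, followed by a constructed free-text MSG part.
SAMPLE = ('[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
          '[examplePriority@32473 class="high"] An application event log entry')

if __name__ == "__main__":
    print(parse_structured_data(SAMPLE))
```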
Tools: Syslog for *NIX
● Syslog-ng (http://www.balabit.com/network-security/syslog-ng/)
  - RFC 5424 support: OSE version >= 3.0
● Rsyslog (http://www.rsyslog.com/)
  - RFC 5424 support: version >= 3.19
● Sysklogd
Tools: Syslog for Windows
● NTsyslog (http://ntsyslog.sourceforge.net/)
  - very old but still usable
● Kiwi Syslog (http://www.kiwisyslog.com/)
● WinSyslog (http://www.winsyslog.com)
Tools: Syslog frontends
● Logzilla (http://www.logzilla.info/)
  - PHP-based frontend for syslog-ng
● Splunk (http://www.splunk.com)
  - commercial frontend
Tools: logrotate & logwatch
● logrotate rotates a logfile using a ruleset
  - based on file size
  - based on time
  - does more (daemon restart, archiving, ...)
● logwatch (http://www.logwatch.org/)
  - generates simple log reports
  - aggregates login attempts (failed & succeeded)
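Added example (not logwatch's own code): the kind of aggregation logwatch's login report performs, run over a few constructed RFC 3164-style sshd lines in the TAG[pid]: CONTENT form shown on the earlier MSG slide; the failure threshold in failed_by_source is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed RFC 3164-style auth log lines (sshd on a Linux host); not from a real system.
AUTH_LOG = """\
Oct 11 22:14:15 mymachine sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2
Oct 11 22:14:20 mymachine sshd[2207]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 11 22:14:21 mymachine sshd[2207]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 11 22:14:25 mymachine sshd[2209]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Oct 11 22:15:02 mymachine sshd[2215]: Accepted password for bob from 192.0.2.11 port 51520 ssh2
Oct 11 22:15:40 mymachine syslog-ng[2432]: Configuration reload request received, reloading configuration;
"""

# RFC 3164 line: TIMESTAMP SP HOSTNAME SP TAG[pid]: CONTENT  (CONTENT is free text)
LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<tag>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd's login result lines; "invalid user" marks attempts against non-existent accounts
SSHD_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def summarize_logins(log_text):
    """Count sshd login results per (result, user, source), like logwatch's login summary."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("tag") != "sshd":
            continue                        # other daemons' messages are not login events
        s = SSHD_RE.match(m.group("msg"))
        if s:
            counts[(s.group("result"), s.group("user"), s.group("src"))] += 1
    return counts

def failed_by_source(counts, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumed example value)."""
    per_src = Counter()
    for (result, _user, src), n in counts.items():
        if result == "Failed":
            per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}

if __name__ == "__main__":
    summary = summarize_logins(AUTH_LOG)
    for (result, user, src), n in sorted(summary.items()):
        print("%-8s %-6s from %-14s x%d" % (result, user, src, n))
    print("repeated failures:", failed_by_source(summary))
```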
Tools: Traffic capture/view/analyze
● tcpdump <options> <filter> (http://www.tcpdump.org)
  -n => no DNS name resolution
  -i => interface to listen on
  -s => snaplen (default 68) (0 for whole packets)
  -w => write output file
  -v => be verbose
Tools: Traffic capture/view/analyze
● tcpdump <options> <filter>
  logical operators: and, or, not
  - ip proto <icmp|tcp|udp> (abbreviation: just <icmp|tcp|udp>)
  - host <ip>
  - port <nr>
  - vlan <id>
  - mpls <label>
Tools: Traffic capture/view/analyze
● Wireshark (http://www.wireshark.org/)
  libpcap-based sniffer with graphical frontend
  - filter language for capturing (dumping)
  - display (view) filters use a different filter language
● Microsoft Network Monitor
  (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f)
Tools: Portscanner
● nmap <options> <targets> (http://www.nmap.org)
  -P0 => do not ping
  -O => guess OS
  -sT => connect scan
  -sS => SYN stealth scan
  -sP => ping scan
  -sV => service version scan
  -v => be verbose
Tools: Vulnerability Scanner
● Nessus (http://www.nessus.org)
  - plugin-based & client/server structured
  - vulnerability scanner
  - network assessment & discovery
  - patch & configuration & content auditing
● OpenVAS (http://www.openvas.org)
  - open-source counterpart
● Retina (http://www.eeye.com/html/Products/Retina/index.html)
● GFI Languard (www.gfi.com/languard)
Tools: other tools
● amap
● netcat
● metasploit
● hping2
● xprobe2
● firewalk
● GFI Languard (Windows)
● superscan (Windows)
● Retina (Windows)
● A lot more exist!
Tools: closing thoughts
● know your tools
● know the theory & principles
● verify your results (independently if possible)
● know what you should find before you look for it
● think & act logically