Network Forensics: Log Analysis

Academic year: 2021


Richard Baskerville
Georgia State University

Agenda

• Terms & Log-based Tracing
• Application Layer Log Analysis
• Lower Layer Log Analysis

Two Important Terms

• Promiscuous Mode
  ◦ An Ethernet Network Interface Card (NIC) in promiscuous mode is a configuration that passes all traffic received by the card to the operating system, rather than only the packets addressed to it. This feature is normally used for packet sniffing.

• IP Spoofing
  ◦ Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. Responses to spoofed packets go to the forged source address. Mainly used for denial of service, where the attacker does not care about the response, or for defeating IP-based authentication. It is sometimes possible for an attacker to recover responses when the spoofed address is on a LAN or WAN controlled by the attacker.

Rootkit

• Blackhat software that gains control over a computer or network. "Root" refers to the administrative (superuser) computer account. "Kit" refers to the mechanisms that initiate entry into the target computer and modify it for later, simpler means of access (a backdoor).
• Rootkits will usually disable the system's event logging capacity in an attempt to hide attack evidence, and may disclose sensitive data. A well-designed rootkit replaces parts of the operating system with rootkit processes and files, and obscures itself from security scanning.

Logging and Tracing

[Figure: the TCP/IP stack with the log sources available at each layer. Client and server exchange Data encapsulated layer by layer: the Application Layer (HTTP) carries Data; the Transport Layer (TCP) carries Data + TL Pr; the Internet Layer (IP) carries Data + TL/IL Pr; the Network Access Layer (X.25) carries Data + TL/IL/NA Pr. Log sources feeding forensics analysis: sniffers, server log, proxy or firewall log, router log.]

• Issues of efficiency in logfile space and processing time
• Sometimes options, e.g.,
  ◦ Off
  ◦ Succinct
  ◦ Verbose

Application Layer Log Analysis

Web Server Logs: Example of Application Layer Logging

• Access Log File
  ◦ The access log file contains a log of all the requests.
• Proxy Access Log File
  ◦ (If directed) a separate log of proxy transactions (otherwise logged to the Access Log)
• Cache Access Log
  ◦ (If directed) a separate log of cache accesses (otherwise logged to the Access Log)
• Error Log File
  ◦ Log of errors

The Common Logfile Format (World Wide Web Consortium, W3C)

• Format: remotehost rfc931 authuser [date] "request" status bytes
  ◦ remotehost
    – Remote hostname (or IP number if the DNS hostname is not available, or if DNSLookup is Off).
  ◦ rfc931
    – The remote logname of the user.
  ◦ authuser
    – The username as which the user has authenticated himself.
  ◦ [date]
    – Date and time of the request.
  ◦ "request"
    – The request line exactly as it came from the client.
  ◦ status
    – The HTTP status code returned to the client.
  ◦ bytes
    – The content-length of the document transferred.

Web Server Logfile Example

209.240.221.71 - - [03/Jan/2001:15:20:06 -0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 "http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"

Web Server Log Analysis Tools: Page Delivery (usually intended for management)

Web Server Log Analysis Tools: File Delivery

Web Server Log Analysis Tools: Users

Web Server Logfile Live Example #1

131.96.102.37 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" 401 0 0 "-" "eliza-google-crawler (Enterprise; S5-JDM5GCVTD6NJB; [email protected],[email protected])"

Callouts: status 401, unauthorized access; 0 bytes, nothing delivered; the remote host address supports simple “Who Is” tracing, but is subject to spoofing.

Web Server Logfile Live Example #2

208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38 -0400] "GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 "http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

Callout: status 200, request fulfilled.
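To make the Common Logfile Format slide and the two live examples concrete, here is an added Python example (not part of the slides) that parses lines laid out as remotehost rfc931 authuser [date] "request" status bytes, tolerates the extra counters and quoted referer/user-agent fields that the live examples carry after the bytes column, and then labels each record the way the slide callouts do (401 with nothing delivered versus a fulfilled 200). The SAMPLE_LOG lines are constructed for this example using TEST-NET addresses and an invented crawler name; only the request paths and referer follow the slides.

```python
import re
from collections import defaultdict
from datetime import datetime

# The Common Logfile Format prefix, followed by whatever the server appends
# (extra counters, referer, user agent). Everything after `bytes` goes to `rest`.
CLF_RE = re.compile(
    r'^(?P<remotehost>\S+) (?P<rfc931>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?P<rest>.*)$'
)
QUOTED_RE = re.compile(r'"([^"]*)"')

# Constructed sample lines (TEST-NET addresses, invented crawler); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2010:22:27:03 -0400] "GET /cis8080/readings/SEC_YOU.pdf HTTP/1.0" '
    '401 0 0 "-" "example-crawler (Enterprise; crawler@example.invalid)"',
    '192.0.2.10 - - [27/Mar/2010:22:27:05 -0400] "GET /cis8080/readings/ HTTP/1.0" '
    '401 0 0 "-" "example-crawler (Enterprise; crawler@example.invalid)"',
    '198.51.100.7 - infosecstudent [25/Mar/2010:13:34:38 -0400] '
    '"GET /cis8080/readings/StratISRM_Final_Typescript.pdf HTTP/1.1" 200 60818 125 '
    '"http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    'garbage line that does not parse',
]


def parse_clf(line):
    """Parse one log line into a dict; return None if the line is malformed."""
    m = CLF_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["date"] = datetime.strptime(rec["date"], "%d/%b/%Y:%H:%M:%S %z")
    # The request line is "METHOD PATH PROTOCOL"; tolerate clients that send less.
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    # Quoted fields after the status/bytes columns: referer first, then user agent.
    quoted = QUOTED_RE.findall(rec.pop("rest"))
    rec["referer"] = quoted[0] if quoted else "-"
    rec["user_agent"] = quoted[1] if len(quoted) > 1 else "-"
    return rec


def classify(rec):
    """Label a parsed record the way the annotated slides do."""
    if rec["status"] == 401:
        return "unauthorized, nothing delivered"
    if 200 <= rec["status"] < 300 and rec["bytes"] > 0:
        return "request fulfilled"
    return "other"


def summarize(lines):
    """Per remote host: request count, unauthorized count, bytes delivered, auth users."""
    hosts = defaultdict(lambda: {"requests": 0, "unauthorized": 0, "bytes": 0, "authusers": set()})
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        h = hosts[rec["remotehost"]]
        h["requests"] += 1
        h["bytes"] += rec["bytes"]
        if rec["status"] == 401:
            h["unauthorized"] += 1
        if rec["authuser"] != "-":
            h["authusers"].add(rec["authuser"])
    return dict(hosts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_clf(line)
        print("unparsed" if rec is None else f"{rec['remotehost']:14} {rec['status']} {classify(rec)}")
    print(summarize(SAMPLE_LOG))
```

The host summary is the same aggregation the slides' management-oriented tools perform; for tracing, the remotehost column is then the value to look up with whois, remembering the spoofing caveat from the live example.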

Simple “Who is” Tracing

Help for Tracing Abuse

Lower Layer Log Analysis

Transport, Internet, Network Access Logging

[Figure: the lower layers of the stack with their log sources. The Transport Layer (TCP) carries Data + TL Pr; the Internet Layer (IP) carries Data + TL/IL Pr; the Network Access Layer (X.25) sits below. Log sources on the server side: sniffers, server log, proxy or firewall log, router log.]

Reconstructing Data Flows

• Logs record packet headers, not sessions or flows
• Logs usually ignore packet contents for efficiency
• Flows can be logically reconstructed from
  ◦ IP addresses
  ◦ Port numbers
  ◦ Implied protocols
  ◦ Sequencing

Reconstructing TCP flows from raw IP network traffic. From E. Casey (2004) “Network Traffic as a source of evidence”, Digital Investigation 1 (1) 28-43.
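The slide's four ingredients (addresses, ports, implied protocol, sequencing) are enough to rebuild a flow from header-only records. The following Python example is added here and is not from the slides or from Casey's paper: it groups header records into conversations by endpoint pair, decides which side is the client from the bare SYN, orders each direction's segments by sequence number, and counts only the contiguous bytes so that a gap (a packet the log missed) is reported rather than silently skipped. The Pkt record layout and SAMPLE_PACKETS are constructed for the example.

```python
from collections import defaultdict, namedtuple

# One header-only record, as a sniffer or router log would keep it (no payload).
# Constructed layout for this example: timestamp, endpoints, TCP flags, seq, payload length.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq length")

SYN, ACK, FIN = 0x02, 0x10, 0x01

C, S = "192.0.2.10", "198.51.100.5"   # constructed client and server addresses
SAMPLE_PACKETS = [
    Pkt(1.000, C, 40000, S, 80, SYN, 1000, 0),
    Pkt(1.001, S, 80, C, 40000, SYN | ACK, 5000, 0),
    Pkt(1.002, C, 40000, S, 80, ACK, 1001, 0),
    Pkt(1.003, C, 40000, S, 80, ACK, 1001, 100),        # request
    Pkt(1.005, S, 80, C, 40000, ACK, 5501, 300),        # second reply segment, logged first
    Pkt(1.004, S, 80, C, 40000, ACK, 5001, 500),        # first reply segment
    Pkt(1.006, S, 80, C, 40000, FIN | ACK, 5801, 0),
    Pkt(1.007, C, 40000, S, 80, FIN | ACK, 1101, 0),
    # A second conversation whose handshake the log missed, with a gap in the data.
    Pkt(2.000, "203.0.113.9", 51000, S, 22, ACK, 700, 40),
    Pkt(2.010, "203.0.113.9", 51000, S, 22, ACK, 800, 10),
]


def flow_key(p):
    """Direction-independent key so both halves of a conversation land together."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def reconstruct_flows(packets):
    """Group packet headers into TCP flows and rebuild each direction's byte-stream order.

    The client is whoever sent the bare SYN; if no SYN was captured (partial log),
    the first sender is taken as the client and `syn_seen` is False so the analyst
    knows that role assignment is an inference.
    """
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        groups[flow_key(p)].append(p)

    flows = {}
    for key, pkts in groups.items():
        syn = next((p for p in pkts if p.flags & SYN and not p.flags & ACK), None)
        first = syn or pkts[0]
        client, server = (first.src, first.sport), (first.dst, first.dport)
        directions = {}
        for ep in (client, server):
            segs = sorted((p for p in pkts if (p.src, p.sport) == ep and p.length > 0),
                          key=lambda p: p.seq)
            # Count contiguous payload bytes from the first data segment; a jump in
            # sequence numbers means the log missed a packet, so stop counting there.
            total, expected = 0, None
            for s in segs:
                if expected is not None and s.seq != expected:
                    break
                total += s.length
                expected = s.seq + s.length
            directions[ep] = {"bytes": total,
                              "segments": [(s.seq, s.length) for s in segs],
                              "complete": total == sum(s.length for s in segs)}
        flows[key] = {"client": client, "server": server, "syn_seen": syn is not None,
                      "closed": any(p.flags & FIN for p in pkts), "directions": directions}
    return flows


if __name__ == "__main__":
    for key, f in reconstruct_flows(SAMPLE_PACKETS).items():
        print(f["client"], "->", f["server"], "syn" if f["syn_seen"] else "no-syn",
              {ep: d["bytes"] for ep, d in f["directions"].items()})
```

Reordering by sequence number is what lets an analyst rebuild what was transferred even though the log stored headers only; the byte counts per direction can then be checked against the server's own access log (the 60818-byte document in the live example, for instance).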

Network Analysis Tools: TCP Connection Graph

Incoming TCP Connection Graph

Port 139: This is the single most dangerous port on the Internet. All "File and Printer

Inbound port 139 connections suggest the firewall and the host are controlled by intruders.

Outgoing TCP Connection Graph

These outgoing port 139 connections suggest this machine has been compromised by intruders.

Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy, 72-77.

Detecting the Moment of Compromise

Port 42895 is not “listening”: attempts to connect are “reset” (RST).

Port 42895 starts “listening”: attempts to connect “finish” (FIN). Some software has started monitoring this port at 5:50:37.

Example from Raynal, et al. (2004) “Honeypot Forensics”, IEEE Security & Privacy, 72-77.
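Both the connection-graph slides (inbound and outbound port 139) and the moment-of-compromise slide answer questions that can be put to the same header-derived records. The Python example below is added here and is not from the slides or from Raynal et al.: it builds the in/out-by-port connection graph for one host, flags accepted connections on a watched port, and finds the first time a port answered a SYN with a SYN-ACK instead of a RST, which is the moment the slide identifies. The Attempt record, the honeypot address and SAMPLE_ATTEMPTS are constructed for the example; the 5:50:37 timestamp is taken from the slide.

```python
from collections import defaultdict, namedtuple

# A connection attempt reconstructed from packet headers: who sent the SYN to whom,
# and how the destination answered. Constructed layout; `reply` is "SYN-ACK" when the
# port was listening (handshake completes, later FIN) or "RST" when nothing listened.
# Timestamps are zero-padded "HH:MM:SS" strings from one day, so they sort as text.
Attempt = namedtuple("Attempt", "ts src sport dst dport reply")

# Ports whose accepted connections across a perimeter warrant attention (per the slides).
WATCHED_PORTS = {139: "NetBIOS session service (file and printer sharing)"}

H = "198.51.100.5"   # the honeypot / host under investigation (constructed address)
SAMPLE_ATTEMPTS = [
    Attempt("05:40:12", "203.0.113.9", 52010, H, 42895, "RST"),
    Attempt("05:45:30", "203.0.113.9", 52011, H, 42895, "RST"),
    Attempt("05:50:37", "203.0.113.9", 52012, H, 42895, "SYN-ACK"),   # something now listens
    Attempt("05:51:02", "203.0.113.44", 40101, H, 42895, "SYN-ACK"),
    Attempt("05:52:10", "203.0.113.9", 52013, H, 139, "SYN-ACK"),
    Attempt("05:55:00", H, 33001, "192.0.2.77", 139, "SYN-ACK"),
    Attempt("05:55:01", H, 33002, "192.0.2.78", 139, "SYN-ACK"),
    Attempt("05:56:00", H, 33003, "192.0.2.80", 80, "SYN-ACK"),
    Attempt("05:57:00", "192.0.2.3", 1234, "192.0.2.4", 139, "SYN-ACK"),   # not our host
]


def connection_graph(attempts, local_ip):
    """Summarize one host's connections by direction and port, as a connection graph does.

    Returns {("in"|"out", port): {"peers": set, "attempts": n, "accepted": n}}.
    """
    graph = defaultdict(lambda: {"peers": set(), "attempts": 0, "accepted": 0})
    for a in attempts:
        if a.dst == local_ip:
            node, peer = ("in", a.dport), a.src
        elif a.src == local_ip:
            node, peer = ("out", a.dport), a.dst
        else:
            continue  # does not involve the host under investigation
        g = graph[node]
        g["peers"].add(peer)
        g["attempts"] += 1
        if a.reply == "SYN-ACK":
            g["accepted"] += 1
    return dict(graph)


def suspicious_edges(graph):
    """Report accepted connections, in either direction, on watched ports."""
    findings = []
    for (direction, port), g in sorted(graph.items()):
        if port in WATCHED_PORTS and g["accepted"]:
            findings.append(f"{direction}bound port {port} ({WATCHED_PORTS[port]}): "
                            f"{g['accepted']} accepted, {len(g['peers'])} peer(s)")
    return findings


def first_listening(attempts, local_ip, port):
    """Timestamp at which `port` on `local_ip` first completed a handshake, or None.

    Before that moment attempts are answered with RST (nothing listening); the first
    SYN-ACK marks when some software started accepting connections on the port.
    """
    inbound = sorted((a for a in attempts if a.dst == local_ip and a.dport == port),
                     key=lambda a: a.ts)
    for a in inbound:
        if a.reply == "SYN-ACK":
            return a.ts
    return None


if __name__ == "__main__":
    graph = connection_graph(SAMPLE_ATTEMPTS, H)
    for node, g in sorted(graph.items()):
        print(node, g["attempts"], "attempts", g["accepted"], "accepted", sorted(g["peers"]))
    print(suspicious_edges(graph))
    print("port 42895 first listening at", first_listening(SAMPLE_ATTEMPTS, H, 42895))
```

The RST-to-SYN-ACK transition is the detection signal; the connection graph then shows what the host did afterwards, here outbound port 139 connections to other machines, which is the pattern the slides read as a compromised host.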

tcpdump

Free packet analyzer that allows a computer to intercept and display packets transmitted and received over its attached network. Runs on Unix-like operating systems, and there is a port to Windows (WinDump). Uses the packet capture engine libpcap (or WinPcap). The tcpdump file format is now a standard.
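Because the tcpdump (libpcap) file format is a standard, a forensic analyst can read a capture without the tool that wrote it. The following Python example is added here and is not tcpdump's or libpcap's code: it writes a small capture in the classic pcap layout (24-byte global header, then a 16-byte record header per packet), reads it back detecting the writer's byte order from the magic number, and decodes the Ethernet, IPv4 and TCP headers into a record the earlier log-analysis steps could consume. The frames, addresses and timestamps are constructed for the example, and IP/TCP checksums are left at zero since no stack will verify them.

```python
import struct
from collections import namedtuple

# Classic pcap layout: global header (24 bytes), then per packet a 16-byte record
# header (ts_sec, ts_usec, incl_len, orig_len) followed by the captured bytes.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

Packet = namedtuple("Packet", "ts src dst sport dport flags seq payload")


def build_tcp_frame(src, dst, sport, dport, flags, seq, payload=b""):
    """Assemble Ethernet + IPv4 + TCP bytes for a test capture (checksums left zero)."""
    ip_len = 20 + 20 + len(payload)
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize (timestamp, frame_bytes) pairs into a little-endian pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a pcap image and return the TCP/IPv4 packets found in it."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:    # the same magic seen byte-swapped: big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond pcap and pcapng not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                      # ARP, IPv6, etc. are skipped in this example
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
        if ip[9] != IPPROTO_TCP:
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4     # TCP header length in bytes
        packets.append(Packet(sec + usec / 1e6, src, dst, sport, dport, tcp[13], seq, tcp[data_off:]))
    return packets


# Constructed capture: a SYN, a request segment, and an ARP frame that must be skipped.
SAMPLE_CAPTURE = write_pcap([
    (1000.5, build_tcp_frame("192.0.2.10", "198.51.100.5", 40000, 80, 0x02, 1000)),
    (1000.5004, b"\x02" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28),
    (1000.5007, build_tcp_frame("192.0.2.10", "198.51.100.5", 40000, 80, 0x18, 1001,
                                b"GET / HTTP/1.0\r\n")),
])

if __name__ == "__main__":
    for p in read_pcap(SAMPLE_CAPTURE):
        print(f"{p.ts:.6f} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x} seq={p.seq} {p.payload!r}")
```

Real captures add cases this sketch skips (VLAN tags, IP options, nanosecond and pcapng variants), but the header walk is the same one every lower-layer log tool performs before it can build the flows and connection graphs discussed on the following slides.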

Snort

Free, open source network intrusion prevention and detection system that logs packets and analyzes traffic on IP networks. It performs protocol analysis and content searching/matching, and actively blocks or passively detects many attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts.

NetDetector

Continuous capture and warehousing of network packets and statistics. Alerts on signatures, traffic patterns, and statistical anomalies. Reconstructs web, email, instant messaging, FTP, Telnet, etc.

Captures and stores LAN traffic in raw dump files using a promiscuous Ethernet card and a modified UNIX kernel. Can write directly to removable media or transfer over the network to other machines for archiving. Stream reconstruction on demand assembles a user-defined range of packets into network connection data streams. The analysis subsystem is graphical, constructing a tree stored in an SQL database.
