พรบ คอมพิวเตอร์ 2550

... ..
2550
Log implementation and auditing guideline
compliance with Computer Crime Act B.E 2550 (2007)
1: 2 2551
: 23 2551

. .

Internet Service Provider (ISP)

(ThaiCERT)

(NECTEC)

.. 2550

.. 2550 23
2550

Log [3]

1 51
...

.. 2550

..

... .. 2550 ........7
1. ...........................................7
2. .............................................8
3. ..........................12
4. ..............................................................18
5. 5 (1)....................................................20
5.1. 5 (1) .
(Telecommunication and Broadcast Carrier).....................................................................20
5.2. 5 (1) . (Access Service
Provider) 5 (1) .
(Hosting Service Provider) ...........................................................................21
5.3. 5 (1) . .....................................................27
6. 5 (2)....................................................28
7. ..................................................................29
ISO/IEC 27001...................................30
...........................................................................33
1. (Log management) ...................................................................33
1.1. ................................................................................34
1.2. ...........................................................................................................36
1.3. ...............................................................................................38
2. ...........................................................................39
2.1. .............................................................................39
2.2. Primary Logging Secondary Logging................................40
2.3. ..................................................................................41
3. (Log source Log generation).............44
3.1. (Operating system log)............................................44
3.2. (Application log).............................................45
3.3.
(Security-related device/software log) .............................................................................48
.........................................................................................................................51
2 51
M Mandatory ...
.. 2550
.. 2550
I ISO/IEC 27001 ISO/IEC 27001

B Best Practice

...
//

90

90
1

90

5 (1)
5 (2)
5 (1)
.. 2550

...

[7]

3 51
9
9

...
(Media)
(Integrity)
//
...

...

(IT
Auditor)

...
Harddisk RAID

Log Server
Secondary Logging
4 51
9 9
9 9
(Identification)
(Media)

...
(Identification and
Authentication)
//

Secondary Logging

Digital Hashing
MD5
GPG

CD-ROM

Username Login
Identification

Authentication
PIN Smartcard

Identification Username Login

5 51
9 9
9 9
(Stratum 0)

//

I&A

Username

Microsoft Active Directory
Proxy

Network
Time Protocol NTP

Stratum 1
[9]

time1.nimt.or.th 203.185.69.60

time.navy.mi.th 118.175.67.83

ThaiCERT
clock.thaicert.org
203.185.129.186 203.185.129.187

National Institute of Standards and
Technology
time.nist.gov 192.43.244.18
NTP

NTP Server
Stratum 1 2
3

NTP Server
NTP
Stratum 1 NTP Server
Stratum 2

NTP

NTP
NTP
6 51
9 9
...
.. 2550
...
.. 2550 Log
[4] Audit Trail
ISO/IEC 27001
1.
... .. 2550 26 [1]

3 [1]

()

()

.. [2]
26 6

()

()

user name pin code
7 51

...

90

90
1

.. 2550

90
.. 2550 23
2550
[7]
user
name pin code

2.

2
.. 2550 23
2550 [7]

..

..
8 51

..

()

. (Telecommunication
and Broadcast Carrier) .
. (Access Service Provider)
.
.
(Host Service Provider) .
. .
() ()
(Content Service Provider) (Application
Service Provider) .
.

() () . .
() () . .

() () . .

() () . .
() () .

() (Media) (Integrity)
(Identification)
()

Centralized Log Server Data Archiving Data
Hashing
(IT Auditor)

()
..

()
(Identification and Authentication) Proxy Server, Network Address
Translation (NAT) Proxy Cache Cache Engine Free Internet
1222 Wi-Fi Hotspot
()

9 51

(Identification and Authentication)

(Stratum 0)

() () .
() () .
(ISP)
() ()
...
5 (1)
5 (2)
5
(1)
...
10 51

Workshop

...

[7]

...
...
11 51
...

...

3.

Confidentiality

Integrity
Availability Data archival

(
Log Archival)
...

90

.. 2550 23 2550 8 9 [7]

2 1

.. 2550 23
2550 8 9

Best Practice

5 (1)
5 (2)
5
(1)
1

.. 2550 23 2550
8 9 (
)
12 51
(Media)
(Integrity)

(Harddisk)
(Identification)
(Media)
13 51

(IT Auditor)

...
Harddisk
RAID Redundancy
Array of Independent Disks
RAID 1 RAID 3 RAID 5
Harddisk
Physical Error
Disk Error

Disk mirror

Harddisk

Log Server
Secondary
Logging
Secondary Logging

(IT
Auditor)

Log Server

14 51
...
15 51
Digital Hashing

MD5
GPG

CD-ROM
Full
1
(Archive Log)

10

2

RAID
(Identification
an
Authentication
I&A)
Proxy Server Cache

Server Proxy Cache
Cache Engine
Network
Address Translation
NAT

Hotspot Wi-Fi
Hotspot
Outsource

3rd Party Vendor
I&A
Outsource
(Identification
and
Authentication)
16 51

Username Login
Identification

Authentication
What you know

PIN
What you have
Smartcard
What you are

Authentication 1
I&A

Identification
Username Login
I&A

Username

Microsoft Active Directory
Proxy
(Stratum 0)

Network Time Protocol
NTP NTP Server

Stratum 1-15
10 NTP
Server Stratum

NTP
Stratum
1 [9]

time1.nimt.or.th
203.185.69.60

time.navy.mi.th
118.175.67.83

ThaiCERT
clock.thaicert.org
203.185.129.186
203.185.129.187

National Institute of
Standards and Technology

time.nist.gov
192.43.244.18

NTP
NTP Server
Stratum 1 2
3
NTP
Stratum [10]
Network Time Protocol .
.. 2550 http://www.thaicert.org/paper/basic/NTPandLAW.php

[11] Time Server []
http://www.thaicert.org/paper/basic/manualTimeServer.php
NTP Stratum 1
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
17 51
4.

[7]
5 (1)
(Telecommunication
and Broadcast Carrier)
1) (Fixed
Line Service Provider)
2)
(Mobile Service Provider)
3) (Leased Circuit
Service Provider)
Leased Line
(Fiber
Optic)
ADSL (Asymmetric
Digital Subscriber Line)
Frame Relay
ATM
(Asynchronous Transfer
Mode)
MPLS (Multi
Protocol Label Switching)
Physical
Media
Cabling Internet
IP Traffic
Dark Fiber

4) (Satellite
Service Provider)
1) (Internet
Service Provider ISP)
2)

3)

1)
(Web Hosting)
Web Server
2)
(File Server File Sharing)
3)
(Mail Server Service
Provider)
4)
(Access
Service Provider)
(Hosting Service
Provider)
18 51
5 (2)
5(1)
(Content and
Application Service
Provider)
1)
2)
1)
2)
3)
4)
(Internet Data
Center IDC)
(Internet
Caf)
(Game
Online)
(Web board)
(Blog)
(Internet Banking)
(Electronic Payment
Service Provider)
(Web
Services)
(eCommerce)
(e-Transactions)

X
ADSL
X
(2)
5 (1)
5 (1)
.
(Access Service Provider) 5 (1) .
X 5 (1) . 5 (2)
[7]
19 51
5. 5 (1)
5 (1)

[7] 5 (1) 4
5.1. 5 (1) .
(Telecommunication and Broadcast Carrier)
5 (1) .
(Telecommunication and Broadcast Carrier)
(Fixed Line Service Provider)

(Mobile Service Provider)
(Leased Circuit Service Provider)
Leased Line
(Fiber Optic)
ADSL (Asymmetric Digital Subscriber Line)
Frame Relay
ATM (Asynchronous Transfer Mode)
MPLS (Multi Protocol Label Switching)
Physical Media Cabling
Internet IP Traffic
Dark Fiber

(Satellite Service Provider)
(Mobile
Communication

(Fixed Network Telephony and Mobile
Telephony)

(Name and
Address of Subscriber or Registered User)
Cell ID
(Date and Time of the Initial Activation of the Service and
the Location Label (Cell ID)

(Fixed Network
Telephony and Mobile Telephony, the Date and Time of the
Start and End of the Communication)
1) Label (Cell ID)
2)
Cell ID
3)
20 51
Equipment)
5.2. 5 (1) . (Access

Service Provider) 5 (1) .
(Hosting Service Provider)

5 (1) . (Access Service
Provider)
(Internet Service Provider ISP)

5 (1) .
(Hosting Service Provider)
(Web Hosting) Web Server

(File Server File Sharing)
(Mail Server Service Provider)
(Internet Data Center IDC)
Authentication Server
21 51
RADIUS
FreeRadius
OpenRadius
Microsoft Internet
Authentication Service
Microsoft IAS
Steel Belt Radius
Cisco Access Control Server
(Cisco ACS)

RADIUS
[12]
TACACS+

DIAMETER

Lightweight Directory Access
Protocol LDAP
Active Directory
Red Hat Directory Service
SUN iPlanet
OpenLDAP

Network Access Control
(email servers)
SMTP Server
POP/IMAP Server
Simple Mail Transfer

Protocol SMTP
Post Office Protocol
version 3 POP3
POP3S
Internet Message
Access Protocol version
4 IMAP4
IMAP4S
FTP Server
File
Transfer Protocol FTP
Web Server

Hypertext
Transfer Protocol HTTP
HTTPS
News Server

Network News
22 51
Cisco NAC
FreeNAC

IEEE 802.1X

NAC
[17]
Proxy Server

Squid
Bluecoat

Proxy
[18]

Wireless Hotspot
Chillispot, NoCAT
Exchange
Backend Frontend Server
POP3
IMAP4
IBM Lotus Domino
MailEnable
Merak Mail Server
Novell Groupwise
Sun Java System
Messaging Server
Zimbra
Sendmail
Postfix Qmail
POP3
IMAP4
Courier Mail Server
Cyrus IMAP Server Dovecot
Binc IMAP Server
[13]

Internet Information Services
IIS FTP
WS_FTP Server
FileZilla Server
ProFTPD
VsFTPD WU-FTPD
[14]
Apache Web Server
Internet
Information Services IIS
IBM HTTP Server
WebLogic
JBoss
WebSphere Application
Server
[15]
Exchange
Server NNTP
Java Apache Mail
(Usenet)
Internet Relay
Chat (IRC)
Instance
Messaging (IM)
Transfer Protocol NNTP
Enterprise Server Apache

James
Diablo
[16]
2
IRC Server
IM Server

2
Firewall
Router

Network Address Translation
NAT NAT

NAT Log
Authentication
Server Proxy Server

IRC
IM
[7]

1)
Access Logs
Radius Log
Authentication
Server
Sun Mar 18 04:35:24 2008

localhost@server radiusd[2305]:
Login OK: [8uJY5653/<CHAPPassword>] (from client APF2
port 7 cli 00-1B-77-F3-18-C3)
Squid Log
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
"GET /images/bgON.gif HTTP/1.1"
304 "http://virus.thaicert.org/styl
esheets/_menu.css?1213106214"
"Mozilla/5.0 (Windows; U;
Windows NT 6.0; en-US;
rv:1.8.0.4) Gecko/20060602
Firefox/1.5.0.4"
Chillispot Log
Aug 13 20:34:05 192.168.1.21
chillispot[1099]: chilli.c:
3200: Client MAC=00-1B-77-0AF8-20 assigned IP 192.168.1.122
Aug 13 20:34:10 192.168.1.21
23 51
2)
(Date and Time of

Connection of Client to
Server)
3)
(User ID)
3502: Successful UAM login from
username=56F7hesa
IP=192.168.1.122
Sun Mar 18 04:35:24 2008
Radius Accounting Log

User-Name = uXas36yT
Squid Log
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
(email servers)
SMTP Server
POP/IMAP
Server

SMTP
POP3
IMAP4
4)

(Assigned IP
Address)
5)
(Calling
Line Identification)
1) Log
(SMTP)
-
(Message ID)
-
(Sender E-mail
Address)
-
(Receiver E-mail
Address)
-
(Status Indicator)

2)
(IP Address of Client

Connected to Server)
24 51
Framed-IP-Address = 192.168.1.5
Chillispot Log
Aug 13 20:34:05
192.168.1.21/192.168.1.21
3200: Client MAC=00-1B-77-0AF8-20 assigned IP
192.168.12.122
Calling-Station-Id = 00-14-2A4B-D8-71
NAS-IP-Address = 192.168.1.1
Aug 24 05:18:14
admin@example.com
sendmail[10900]:
m7OMIE38010900:
from=<test@example.com>,
size=690, class=0, nrcpts=1,
msgid=<200805242102.m7OL24r5010
202@example.com>, proto=ESMTP,
daemon=MTA,
relay=mail.example.com
[14.36.11.2]
Aug 24 05:18:14
admin@example.com
sendmail[10202]:
m7OL24r5010202:
to=lersak@gmail.com,
ctladdr=192.168.1.50 (0/0),
delay=01:16:10,
xdelay=00:00:00, mailer=relay,
pri=30451,
relay=[mail.example.com]
[14.36.11.2], dsn=2.0.0,
stat=Sent (m7OMIE38010900
Message accepted for delivery)
ctladdr=192.168.1.50
3)
(Date
and time of connection of
Client Connected to server)
4)

(IP
Address of Sending
Computer)
5) (User ID) (
)
6)

POP3 log IMAP4 Log
1) Log
Aug 24 05:18:14
FTP Server
File
Transfer Protocol
FTP
2)

(Date and Time of
Server)
3)
(IP Source
Address)
4) (User
ID)
()
5) (Path)
25 51
relay=mail.example.com
[14.36.11.2]
Login: user=<suwarut>,
2007-06-21 11:14:27 Info: imaplogin: Login: user=<suwarut>,
method=plain,
rip=192.168.1.200,
lip=192.168.1.35
#Software: Microsoft Internet

Information Services 5.0
#Version: 1.0
#Date: 2007-11-16 10:54:13
#Fields: time c-ip cs-username
s-port cs-method cs-uri-stem
sc-status
17:40:30 192.168.1.67 anonymous
21 [139]USER anonymous 331
17:40:30 192.168.1.67 - 21
[139]PASS IEUser@ 530
17:40:41 192.168.1.67
Administrator 21 [140]USER
Administrator 331
17:40:41 192.168.1.67
Administrator 21 [140]PASS 230
#Date: 2007-11-16
17:40:30
17:40:30 192.168.1.67 anonymous

21 [139]USER anonymous 331
17:40:41 192.168.1.67
Administrator 21 [140]USER
Administrator 331
Mon Feb 26 12:51:52 2008 6

(Path and Filename of Data
Object Uploaded or
Downloaded)
1) Log
3.example.com 62823 \
/var/ftp/pubinfo/jpeg/EtaCarD.j
pg b _ o a mozilla@ ftp 0 * c
Web Server
Hypertext Transfer
Protocol HTTP
HTTPS
(Usenet)
News Server
Network News
Transfer Protocol
NNTP
2)

3)
4)
5)
(URI:
Uniform Resource
Identifier)
1) Log
(NNTP
Network News Transfer
Protocol Log)
2)

(Date and Time of
26 51
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
"GET /images/bgDIVIDER.gif
HTTP/1.1" 304 "http://www.google.com
/stylesheets/_menu.css?12131062
14" "Mozilla/5.0 (Windows; U;
rv:1.8.0.4) Gecko/20060602
Firefox/1.5.0.4"
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
304 "http://virus.thaicert.org/styl
esheets/_menu.css?1213106214"
"Mozilla/5.0 (Windows; U;
rv:1.8.0.4) Gecko/20060602
Firefox/1.5.0.4"
[18/Aug/2008:21:06:48 +0700]
192.168.99.7

187.58.96.87, user, 12/1/2007,

14:37:37, NNTPSVC1,
NEWS_Server, 134.56.87.11,
2814, 11, 513, 220, 0, article,
6 arlQl#SH#GA.425@serve,
microsoft.public.ins
207.46.248.16, <feed>,
4/29/2007, 11:49:10, NNTPSVC1,
NEWS_Server, 134.56.87.11, 890,
0, 61, 502, 0, newnews, Access
Denied.,
microsoft.public.windows.server
.sbs 060101 080000 GMT,
187.58.96.87, user, 12/1/2007,
14:37:37,
207.46.248.16, <feed>,
4/29/2007, 11:49:10
Internet Relay
Chat (IRC)
Instance
Messaging (IM)
Server)
3) Port
(Protocol Process
ID)
4)
(Host Name)
5)

(Posted Message ID)
1)
(Date
and Time of Connection of
Client to Server)
2)
(Client Hostname and/or IP
Address)
3)
(Destination Hostname
and/or IP Address)
NNTPSVC1, NEWS_Server
article, 6
arlQl#SH#GA.425@serve,
1205326745.661 1912
192.168.42.165 TCP_MISS/200
8460 CONNECT
login.live.com:443/ DIRECT/login.live.com - CMF:40
DCF:20 ERR:0 DEFAULT_CASEDefaultGroup
1205326745.661 1912
192.168.42.165 TCP_MISS/200
8460 CONNECT
login.live.com:443/ DIRECT/login.live.com
1205326745.661 1912
192.168.42.165 TCP_MISS/200
8460 CONNECT
login.live.com:443/ DIRECT/login.live.com
[19]
5.3. 5 (1) .
5 (1) .
(Internet Caf)
(Game Online)
1)

Proxy Server
Proxy Server
Authentication Gateway
2)
3) IP Address
(Internet Protocol Address)
27 51
6. 5 (2)
5(1)
(Content and Application Service Provider)
(Web board) (Blog)

(Internet Banking)
(Electronic Payment Service Provider)
(Web Services)
(e-Commerce) (e-Transactions)
[7]
(Content Service
Provider)
1)

(User ID)

(User ID)

2)
3) (Web
board) (Blog)
(Post)
28 51
Username
7.
[7]

() () .
() () .
(ISP)
() ()
5 (1) 5 (2)
5 (1)
5 (2)
5(1)
.
(Telecommunication
and Broadcast Carrier)
.
(Access Service Provider)
(Internet Service
Provider ISP)
.
(Access Service Provider)
.
(Hosting
Service Provider)
.
(Content and Application Service

Provider)
29 51
23 2550
23 2551
23 2551
ISO/IEC 27001
ISO/IEC 27001

... .. 2550
...
Log

...

...
...
( 2.5)
2550 [3] 41
6.10 (Monitoring)

6.10.1 (Audit logging)
()

6.10.2 (Monitoring system use)

( )

6.10.3 (Protection of log information)
()

6.10.4 (Administrator and operator
logs)
()
6.10.5 (Fault logging)

()

6.10.6 (Clock synchronization)
30 51
()

ISO/IEC 27001 ISO/IEC 17799 [8]

(Audit logging)

Denial of
Service

(Monitoring
system use)
31 51

...
90

3 (
)

18.00 8.00

70%
(Protection of
log information)
(Fault logging)
(Clock
synchronization)
Data Hashing

Error
32 51
Network Time
Protocol NTP

Stratum 1
[9]

time1.nimt.or.th
203.185.69.60

time.navy.mi.th
118.175.67.83

ThaiCERT
clock.thaicert.org
203.185.129.186
203.185.129.187
National Institute of
Standards and Technology

time.nist.gov
192.43.244.18

Log [4]
Audit Trail
Log Audit Trail

... .. 2550
ISO/IEC 27001

1. (Log management)

(Policies and
Procedures for
Log
Management)

Audit
33 51

...
.. 2550
26
(

)

Microsoft
Windows
Log Server

1.1.
34 51

2
2
(Authentication log)
(Operation log)
Timestamp
Timestamp
Syslog

X
MM-DD-YYYY
Y
YYDDMM

M File Transfer
Protocol (FTP)

N
21/TCP
...

Network Time Protocol NTP

CSV
Comma-Separated

Database Management System
SQL
Structure Query Language
Syslog
Eventlog

Simple
Network Management Protocol
SNMP
XML XHTML

1.
Network
Time
Protocol NTP
2.
3.

35 51
1.2.

Log Server

Secondary
Logging
36 51

Digital Hashing

MD5
GPG
CD-ROM
Eventlog

/var/log
(
)

Two-factor
Authentication
Log Archival
...
37 51
Full
1
(Archive Log)

10

2

RAID

Archive Log
30

.. 2550
90
90
(

1 )
1.3.
(System Administrator) (Network Administrator)
(Developer)
(Security Analyst)
2
38 51
2.

[4] 3
2.1.
Log Generation Log Source

Primary Logging
Log server Secondary Logging
Log Storage and Correlation
Log Generation

Collectors Aggregators
Log Analysis and Monitoring

39 51
2.2. Primary Logging Secondary Logging

/
2
Primary Logging
Secondary Logging
[5]
Primary Logging

E-ticket
/var/log

Application Programming Interface

API
TEXT CSV (Comma-Separated)
File Transfer Protocol FTP
SYSLOG UDP 514

EVENTLOG
EVENTLOG
SQL Structure Query
Language
Database
Management System
Simple Network Management Protocol SNMP
XML XHTML SOAP
Log Server Secondary Logging

40 51
Centralized Log Server

Centralized Log Management Server
Security Event Manager System SEM

Security Information Management System SIM

Secondary Logging

Primary Logging

Primary Logging

Real-time Off-line
2.3.

.. .. 2550

90

.. ..
2550 28
Computer
Forensic

Chain of Custody [6]

[4]
Log parsing
Log Conversation
41 51
Event filtering

Event filtering
Event aggregation
Log rotation

/var/log/message
/var/log/message.1 /var/log/message

Log
archive

Log archival

Storage area network SAN

Log archival
Log retention
Log preservation

...

.. 2550
Log compression

Log rotation Log archival
Log reduction
Log
archival
Log conversion
TEXT XML
Log conversion
Event filtering Event aggregation Log normalization
Log normalization

12 2:34:56 P.M.
IDT 24
14:34 GMT+7
Timestamp Event
Time
42 51
Timezone GMT+7
Zone-21 Log normalization
Zone-21 GMT+7
Log normalization

Log normalization

Log file integrity checking
Data Hashing Log
rotation
Log compression Log archival
Message
Digest MD5 128 SHA-1
128 Message Digest 128
Message Digest

Data Hashing
/var/log/message C:\WINDOWS\System32\config\SecEvent.Evt
Security Log
Data Hashing
Message Digest CD-ROM

Message Digest Message Digest

Message Digest
Event correlation
Rule-based correlation

43 51
Event correlation

Data Mining
Log viewing Event filtering

Log reporting

Log clearing
Log
archival
3. (Log source Log generation)

Continuous

Batches

Batches
3.1.
(Operating system log)
(Servers) (Workstations)
Routers Switches
System Events

(Boot and Shutting down Operating System)

Aug 16 06:01:50 localhost@server kernel: kjournald starting. Commit
interval 5 seconds
Aug 16 06:01:50 localhost@server kjournald starting. Commit interval 5
seconds
44 51
Aug 17 06:01:51 localhost@server Allocating PCI resources starting at

40000000 (gap: 3c000000:c2c00000)
Aug 17 06:01:51 localhost@server kernel: ehci_hcd 0000:00:10.4: USB 2.0
started, EHCI 1.00, driver 10 Dec 2004
Aug 25 06:00:42 localhost@server syslog-ng[2005]: Termination requested via

signal, terminating;
Aug 25 06:00:42 localhost@server syslog-ng[2005]: syslog-ng shutting down;
version='2.0.9'
Aug 25 06:01:51 localhost@server syslog-ng[2004]: syslog-ng starting up;
version='2.0.9'
Aug 25 04:02:04 localhost@server logrotate: ALERT exited abnormally with [1]

Aug 25 06:00:01 localhost@server shutdown[11127]: shutting down for system
reboot
Aug 25 06:01:51 localhost@server kernel: SI 27 (level, low) -> IRQ 169
Audit Records

Aug 1 22:25:41 localhost@server sshd[7876]: pam_unix(sshd:auth):

authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.96.6 user=teerapap
Aug 1 22:25:43 localhost@server sshd[7876]: Failed password for teerapap
from 192.168.1.6 port 1068 ssh2
Aug 1 22:25:46 localhost@server sshd[7876]: Accepted password for teerapap
from 192.168.1.6 port 1068 ssh2
Aug 1 22:25:46 localhost@server sshd[7876]: pam_unix(sshd:session): session
opened for user suwit by (uid=0)
Aug 1 22:25:55 localhost@server sshd[7909]: Connection closed by
192.168.1.96
Aug 1 22:26:52 localhost@server su: pam_unix(su-l:auth): authentication
failure; logname=suwit uid=502 euid=0 tty=pts/0 ruser=suwit rhost=
user=root
user=root
Aug 1 22:27:05 localhost@server sshd[7919]: Connection closed by
192.168.1.96
user=root
Aug 1 22:27:38 src@serverwifi su: pam_unix(su-l:session): session opened for
user root by suwit(uid=502)
3.2. (Application log)
45 51
Application

(FTP Application Server)

(Financial Application)
Enterprise Resource
Planning (ERP) Logistic
2

Application
requests
and
responses:
- (E-mail application server)
- -
(Web server application)

Transaction
Sendmail Net-SNMP
Nov 21 12:21:29 server sendmail[28855]: jALHLTNW028855:

to=Dr_xxx@hotmail.com, ctladdr=apache (48/48), delay=00:00:00,
xdelay=00:00:00, mailer=relay, pri=31029, relay=[127.0.0.1] [127.0.0.1],
dsn=2.0.0, stat=Sent (jALHLTs3028856 Message accepted for delivery)
Aug 25 22:30:31 localhost@server snmpd[2271]: Received SNMP packet(s) from

UDP: [127.0.0.1]:10503
Aug 25 22:30:33 localhost@server snmpd[2271]: Connection from UDP:
[192.168.1.1]:10503
Aug 25 22:30:33 localhost@server snmpd[2271]: Received SNMP packet(s) from
UDP: [192.168.1.1]:10503
[127.0.0.1]:10503
Account Information:

SSH
OpenVPN
Aug 15 22:25:41 localhost@server sshd[7876]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.96.6 user=tawatchai
failure; logname=seewat uid=502 euid=0 tty=pts/0 ruser=seewat rhost=
user=root
Aug 20 13:29:39 localhost@server openvpn[2235]: 203.48.33.231:2686 Data

Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 20 14:29:56 localhost@server openvpn[2235]: client/203.48.33.231:2686
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC
authentication
46 51
Aug 20 14:29:56 localhost@server openvpn[2235]: client/203.48.33.231:2686

Data Channel
Usage information:

[127.0.0.1]:10525
[127.0.0.1]:10525
[127.0.0.1]:10525
[127.0.0.1]:10525
Aug 1 16:39:57 localhost@server named[2042]: unexpected RCODE (SERVFAIL)

resolving 'webindex.siamzab.com/AAAA/IN': 192.168.99.1#53
Aug 1 06:01:25 localhost@server kernel: TCP bind hash table entries: 65536
(order: 7, 524288 bytes)
Aug 1 06:01:25 localhost@server kernel: TCP: Hash tables configured
(established 131072 bind 65536)
Aug 2 06:01:18 localhost@server kernel: TCP bind hash table entries: 65536
(order: 7, 524288 bytes)
Operational actions:

Aug 11 06:05:51 192.168.1.21/192.168.1.21 syslog: chilli : chilli daemon
successfully started
Aug 11 06:05:51 192.168.1.21/192.168.1.21 syslog: ttraff : traffic counter
daemon successfully started
Aug 11 06:05:51 192.168.1.21/192.168.1.21 syslog: ttraff: data collection
started
Aug 11 06:05:53 192.168.1.21/192.168.1.21 syslog: chilli : chilli daemon
successfully started
Aug 11 06:05:53 192.168.1.21/192.168.1.21 syslog: klogd : klog daemon
successfully stopped
Aug 12 06:01:58 localhost@server monit[2481]: Monit started

Aug 12 06:01:48 localhost@server named[2040]: starting BIND 9.3.3rc2 -u
named -t /var/named/chroot
Aug 12 06:02:02 localhost@server monit[2481]: monit HTTP server started
Aug 12 06:02:02 localhost@server monit[2481]: Monit started
Aug 13 17:40:09 localhost@server monit[2481]: 'ADMIN-sshd' trying to restart

Aug 13 17:40:10 localhost@server monit[2481]: 'ADMIN-sshd' start:
/etc/init.d/sshd
Aug 13 17:43:57 localhost@server monit[2481]: 'WWW-httpd' trying to restart
47 51
3.3.
(Security-related device/software log)
Network-based
Host-based

Routers :
Network Address Translation (NAT)
NAT

Firewall:

Denial of Service IP Spoofing

IPTables
Aug 25 22:20:17 192.168.1.21/192.168.1.21 kernel: DROP IN=vlan1 OUT=
MAC=01:00:5e:00:00:01:00:02:cf:b4:b7:84:08:00:46:00:00:24 SRC=192.168.1.1
DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=64587 OPT (94040000)
PROTO=2
Aug 25 22:25:02 192.168.1.21/192.168.1.21 kernel: ACCEPT IN=vlan1 OUT=
MAC=00:1d:7e:dc:1b:37:00:1d:60:8f:44:b6:08:00:45:00:00:41 SRC=192.168.1.99
DST=192.168.1.21 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=10499 DPT=161 LEN=45
MAC=01:00:5e:00:00:01:00:02:cf:b4:b7:84:08:00:46:00:00:24 SRC=192.168.1.1
PROTO=2
MAC=01:00:5e:00:00:01:00:02:cf:b4:b7:84:08:00:46:00:00:24 SRC=192.168.1.1
PROTO=2
(Proxy Server) (Web Proxies):

HTTP FTP

Squid Microsoft ISA
Server (Appliance) Bluecoat
Squid
1219678885.680
245 192.168.56.80 TCP_MISS/200 19875 GET
http://directory.narak.com/vote.php? - DIRECT/203.121.145.220 text/html
1219678885.776
748 192.168.56.78 TCP_MISS/200 337 GET
http://widget.alot.com/geocode - DIRECT/208.76.11.230 text/html
1219678885.791
839 192.168.56.73 TCP_MISS/200 424 GET
http://www.thaiebayuser.com/forum/index.php? - DIRECT/74.86.247.98 text/html
1219678885.832
25 192.168.56.78 TCP_IMS_HIT/304 325 GET
http://www.sanook.com/temp/hdmbg2.jpg - NONE/- image/jpeg
1219678885.980
144 192.168.56.80 TCP_MISS/200 426 GET
http://lvs.truehits.in.th/goggen.php? - DIRECT/164.115.2.135 image/jpeg
1219678886.547
1044 192.168.56.54 TCP_MISS/200 360 GET
http://tracker.prq.to/scrape.php? - DIRECT/77.247.176.136 text/plain
48 51
1219678886.643
610 192.168.56.80 TCP_MISS/200 82392 GET
http://images2.narak.com/banner/jobs_468x60.gif - DIRECT/203.151.233.144
image/gif
: (Malware
Malicious Software
(Rootkit) Antivirus
Kaspersky, ESET
NOD, Symantec Antivirus, Trend Micro, McAfee
Remote Access
Software: Virtual Private
Network VPN
VPN
Remote Access

SSL VPN Juniper SSL
VPN Microsoft ISA Server PPTP L2TP
POPTOP
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS):

Snort
Vulnerability Management Software:

Patch Management Software

Vulnerability Assessment Software

Microsoft Baseline Security Analyzer (MBSA), Nessus
GFI Network Security
Authentication Servers:
Lightweight Directory Access Protocol LDAP
Microsoft Active Directory Novell E-Directory Single
Sign-on RADIUS TACAC+ FreeRadius
Funk

FreeRadius Authentication Log
Aug 12 19:49:46 localhost@server radiusd[2305]: Login OK: [6HN3fe5/<CHAPPassword>] (from client APF2 port 3 cli 00-17-C4-23-A3-2D)
Aug 12 20:17:26 localhost@server radiusd[2305]: Login OK: [8uJY5653/<CHAPPassword>] (from client APF2 port 7 cli 00-1B-77-F3-18-C3)
Aug 12 20:25:07 localhost@server radiusd[2305]: Invalid user
(rlm_sqlcounter: Maximum never usage time reached): [AU33WHq/<CHAPPassword>] (from client APF5 port 8 cli 00-18-DE-46-8A-12)
Aug 12 21:31:57 localhost@server radiusd[2305]: Login OK: [VU6agCw/<CHAPPassword>] (from client APF5 port 10 cli 00-0E-35-58-BA-8D)
Aug 12 21:34:53 localhost@server radiusd[2305]: Multiple logins (max 1) :
[RU4XgCw/<CHAP-Password>] (from client APF2 port 0 cli 00-0E-35-58-BA-8D)
FreeRadius
Accounting Log
49 51
Sun Mar 18 04:35:24 2008

Acct-Status-Type = Start
User-Name = uXas36yT
Calling-Station-Id = 00-14-2A-4B-D8-71
Called-Station-Id = 00-14-22-17-0A-11
NAS-Port-Type = Wireless-802.11
NAS-Port = 103
NAS-Port-Id = 00000103
NAS-IP-Address = 192.168.1.1
NAS-Identifier = AP221
Framed-IP-Address = 192.168.1.5
Acct-Session-Id = 4921040504040422
Acct-Unique-Session-Id = d6e75vbd643333a754
Timestamp = 5040232301
Authentication Gateway
Captive Portal HotSpot

Network Quarantine Server
(
)
Authentication Gateway ChilliSpot
Aug 13 20:34:03 192.168.1.21/192.168.1.21 chillispot[1099]: chilli.c:
New DHCP request from MAC=00-1B-77-0A-F8-20
Client MAC=00-1B-77-0A-F8-20 assigned IP 192.168.12.122
Successful UAM login from username=56F7hesa IP=192.168.12.122
Successful UAM login from username=6A7eRkc IP=192.168.12.73
Successful UAM login from username=Yb4agCw IP=192.168.12.97
DHCP addr released by MAC=00-1B-77-0A-F8-20 IP=192.168.12.56
Rereading configuration file and doing DNS lookup
50 51
3230:
3200:
3502:
3502:
3502:
3280:
968:

[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
, .. ,
18 2550
,
..

,
( 2.5) 2550, ISBN: 978-974-229-584-4, 1, 2550
Karen Kent and Murugiah Souppaya, NIST, Special Publication 800-92, Guide to Computer
Security Log Management, September 2006
Roger Meyer, Auditing a Corporate Log Server GAIC Gold Certification, GIAC Systems and
Network Auditor (GSNA), SANS Institute 2006 Reading Room, 17 September 2006

. ACIS Professional Center & ACIS i-Secure,
.
..

.. , http://www.acisonline.net
,
.. , 23 2550
SN ISO/IEC 17799:2005, Information technology Security Technique Code of practice for
information security management (ISO/IEC 17799:2005), Second Edition, 2005-06-15
Chaiyakorn Apiwathanokul, Computer Time Synchronization Scheme ,
http://www.etcommission.go.th/documents/standard/time_sync_server_v1_0.pdf,
3 October 2007
, Network Time Protocol
. .. 2550
http://www.thaicert.org/paper/basic/NTPandLAW.php, 27 2551
, Time Server [],
http://www.thaicert.org/paper/basic/manualTimeServer.php, 27 2551
Wikipedia, List of RADIUS Servers, http://en.wikipedia.org/wiki/List_of_RADIUS_Servers
Wikipedia, List of mail servers, http://en.wikipedia.org/wiki/List_of_mail_servers
Wikipedia, List of FTP server software,
http://en.wikipedia.org/wiki/List_of_FTP_server_software
Wikipedia, Comparison of web server software
http://en.wikipedia.org/wiki/Comparison_of_web_servers
Wikipedia, News server, http://en.wikipedia.org/wiki/News_server
Wikipedia, Network Access Control, http://en.wikipedia.org/wiki/Network_Access_Control
Wikipedia, Proxy Server, http://en.wikipedia.org/wiki/Proxy_server
, ..2550,

(Ethical, Legal and Social Impacts of ICT : ELSIT),
51 51

พรบ คอมพิวเตอร์ 2550

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

พรบ คอมพิวเตอร์ 2550

Uploaded by

Copyright:

Available Formats

... ..

I ISO/IEC 27001 ISO/IEC 27001

Availability Data archival

Proxy Server Cache

What you know

Network Time Protocol

(Fixed Line Service Provider)

5.2. 5 (1) . (Access

(Hosting Service Provider)

(Web Hosting) Web Server

Simple Mail Transfer

Transfer Protocol NNTP

Enterprise Server Apache

Sun Mar 18 04:35:24 2008

(Date and Time of

Radius Accounting Log

Radius Accounting Log

Radius Accounting Log

(IP Address of Client

#Software: Microsoft Internet

17:40:30 192.168.1.67 anonymous

"GET /images/bgON.gif HTTP/1.1"

187.58.96.87, user, 12/1/2007,

(Web board) (Blog)

(Content and Application Service

6.10.2 (Monitoring system use)

6.10.5 (Fault logging)

Log Audit Trail

2.2. Primary Logging Secondary Logging

Application Programming Interface

Log Server Secondary Logging

Centralized Log Server

Security Information Management System SIM

Chain of Custody [6]

Log viewing Event filtering

Aug 17 06:01:51 localhost@server Allocating PCI resources starting at

Aug 25 06:00:42 localhost@server syslog-ng[2005]: Termination requested via

Aug 25 04:02:04 localhost@server logrotate: ALERT exited abnormally with [1]

Aug 1 22:25:41 localhost@server sshd[7876]: pam_unix(sshd:auth):

3.2. (Application log)

Nov 21 12:21:29 server sendmail[28855]: jALHLTNW028855:

Aug 25 22:30:31 localhost@server snmpd[2271]: Received SNMP packet(s) from

Aug 20 13:29:39 localhost@server openvpn[2235]: 203.48.33.231:2686 Data

Aug 20 14:29:56 localhost@server openvpn[2235]: client/203.48.33.231:2686

Aug 1 16:39:57 localhost@server named[2042]: unexpected RCODE (SERVFAIL)

Aug 12 06:01:58 localhost@server monit[2481]: Monit started

Aug 13 17:40:09 localhost@server monit[2481]: 'ADMIN-sshd' trying to restart

(Proxy Server) (Web Proxies):

Sun Mar 18 04:35:24 2008

You might also like