Professional Documents
Culture Documents
2550
Log implementation and auditing guideline
compliance with Computer Crime Act B.E 2550 (2007)
1: 2 2551
: 23 2551
. .
Internet Service Provider (ISP)
(ThaiCERT)
(NECTEC)
.. 2550
.. 2550 23
2550
Log [3]
1 51
...
.. 2550
..
... .. 2550 ........7
1. ...........................................7
2. .............................................8
3. ..........................12
4. ..............................................................18
5. 5 (1)....................................................20
5.1. 5 (1) .
(Telecommunication and Broadcast Carrier).....................................................................20
5.2. 5 (1) . (Access Service
Provider) 5 (1) .
(Hosting Service Provider) ...........................................................................21
5.3. 5 (1) . .....................................................27
6. 5 (2)....................................................28
7. ..................................................................29
ISO/IEC 27001...................................30
...........................................................................33
1. (Log management) ...................................................................33
1.1. ................................................................................34
1.2. ...........................................................................................................36
1.3. ...............................................................................................38
2. ...........................................................................39
2.1. .............................................................................39
2.2. Primary Logging Secondary Logging................................40
2.3. ..................................................................................41
3. (Log source Log generation).............44
3.1. (Operating system log)............................................44
3.2. (Application log).............................................45
3.3.
(Security-related device/software log) .............................................................................48
.........................................................................................................................51
2 51
M Mandatory ...
.. 2550
.. 2550
B Best Practice
...
//
90
90
1
90
5 (1)
5 (2)
5 (1)
.. 2550
...
[7]
3 51
9
9
...
(Media)
(Integrity)
//
...
...
(IT
Auditor)
...
Harddisk RAID
Log Server
Secondary Logging
4 51
9 9
9 9
(Identification)
(Media)
...
(Identification and
Authentication)
//
Secondary Logging
Digital Hashing
MD5
GPG
CD-ROM
Username Login
Identification
Authentication
PIN Smartcard
Identification Username Login
5 51
9 9
9 9
(Stratum 0)
//
I&A
Username
Microsoft Active Directory
Proxy
Network
Time Protocol NTP
Stratum 1
[9]
time1.nimt.or.th 203.185.69.60
time.navy.mi.th 118.175.67.83
ThaiCERT
clock.thaicert.org
203.185.129.186 203.185.129.187
National Institute of Standards and
Technology
time.nist.gov 192.43.244.18
NTP
NTP Server
Stratum 1 2
3
NTP Server
NTP
Stratum 1 NTP Server
Stratum 2
NTP
NTP
NTP
6 51
9 9
...
.. 2550
...
.. 2550 Log
[4] Audit Trail
ISO/IEC 27001
1.
... .. 2550 26 [1]
3 [1]
()
()
.. [2]
26 6
()
()
user name pin code
7 51
...
90
90
1
.. 2550
90
.. 2550 23
2550
[7]
user
name pin code
2.
2
.. 2550 23
2550 [7]
..
..
8 51
..
()
. (Telecommunication
and Broadcast Carrier) .
. (Access Service Provider)
.
.
(Host Service Provider) .
. .
() ()
(Content Service Provider) (Application
Service Provider) .
.
() () . .
() () . .
() () . .
() () . .
() () .
() (Media) (Integrity)
(Identification)
()
Centralized Log Server Data Archiving Data
Hashing
(IT Auditor)
()
..
()
(Identification and Authentication) Proxy Server, Network Address
Translation (NAT) Proxy Cache Cache Engine Free Internet
1222 Wi-Fi Hotspot
()
9 51
(Identification and Authentication)
(Stratum 0)
() () .
() () .
(ISP)
() ()
...
5 (1)
5 (2)
5
(1)
...
10 51
Workshop
...
[7]
...
...
11 51
...
...
3.
Confidentiality
Integrity
.. 2550 23 2550 8 9 [7]
2 1
.. 2550 23
2550 8 9
Best Practice
5 (1)
5 (2)
5
(1)
1
.. 2550 23 2550
8 9 (
)
12 51
(Media)
(Integrity)
(Harddisk)
(Identification)
(Media)
13 51
(IT Auditor)
...
Harddisk
RAID Redundancy
Array of Independent Disks
RAID 1 RAID 3 RAID 5
Harddisk
Physical Error
Disk Error
Disk mirror
Harddisk
Log Server
Secondary
Logging
Secondary Logging
(IT
Auditor)
Log Server
14 51
...
15 51
Digital Hashing
MD5
GPG
CD-ROM
Full
1
(Archive Log)
10
2
RAID
(Identification
an
Authentication
I&A)
3rd Party Vendor
I&A
Outsource
(Identification
and
Authentication)
16 51
Username Login
Identification
Authentication
I&A
Identification
Username Login
I&A
Username
Microsoft Active Directory
Proxy
(Stratum 0)
Network Time Protocol
NTP NTP Server
Stratum 1-15
10 NTP
Server Stratum
Network Time Protocol
NTP
Stratum
1 [9]
time1.nimt.or.th
203.185.69.60
time.navy.mi.th
118.175.67.83
ThaiCERT
clock.thaicert.org
203.185.129.186
203.185.129.187
National Institute of
Standards and Technology
time.nist.gov
192.43.244.18
NTP
NTP Server
Stratum 1 2
3
NTP
Stratum [10]
Network Time Protocol .
.. 2550 http://www.thaicert.org/paper/basic/NTPandLAW.php
NTP Stratum 1
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
17 51
4.
[7]
5 (1)
(Telecommunication
and Broadcast Carrier)
1) (Fixed
Line Service Provider)
2)
(Mobile Service Provider)
3) (Leased Circuit
Service Provider)
Leased Line
(Fiber
Optic)
ADSL (Asymmetric
Digital Subscriber Line)
Frame Relay
ATM
(Asynchronous Transfer
Mode)
MPLS (Multi
Protocol Label Switching)
Physical
Media
Cabling Internet
IP Traffic
Dark Fiber
4) (Satellite
Service Provider)
1) (Internet
Service Provider ISP)
2)
3)
1)
(Web Hosting)
Web Server
2)
(File Server File Sharing)
3)
(Mail Server Service
Provider)
4)
(Access
Service Provider)
(Hosting Service
Provider)
18 51
5 (2)
5(1)
(Content and
Application Service
Provider)
1)
2)
1)
2)
3)
4)
(Internet Data
Center IDC)
(Internet
Caf)
(Game
Online)
(Web board)
(Blog)
(Internet Banking)
(Electronic Payment
Service Provider)
(Web
Services)
(eCommerce)
(e-Transactions)
X
ADSL
X
(2)
5 (1)
5 (1)
.
(Access Service Provider) 5 (1) .
X 5 (1) . 5 (2)
[7]
19 51
5. 5 (1)
5 (1)
[7] 5 (1) 4
5.1. 5 (1) .
(Telecommunication and Broadcast Carrier)
5 (1) .
(Telecommunication and Broadcast Carrier)
(Mobile
Communication
(Fixed Network Telephony and Mobile
Telephony)
(Name and
Address of Subscriber or Registered User)
Cell ID
(Date and Time of the Initial Activation of the Service and
the Location Label (Cell ID)
(Fixed Network
Telephony and Mobile Telephony, the Date and Time of the
Start and End of the Communication)
1) Label (Cell ID)
2)
Cell ID
3)
20 51
Equipment)
Authentication Server
21 51
RADIUS
FreeRadius
OpenRadius
Microsoft Internet
Authentication Service
Microsoft IAS
Steel Belt Radius
Cisco Access Control Server
(Cisco ACS)
RADIUS
[12]
TACACS+
DIAMETER
Lightweight Directory Access
Protocol LDAP
Active Directory
Red Hat Directory Service
SUN iPlanet
OpenLDAP
Network Access Control
(email servers)
SMTP Server
POP/IMAP Server
FTP Server
File
Transfer Protocol FTP
Web Server
Hypertext
Transfer Protocol HTTP
HTTPS
News Server
Network News
22 51
Cisco NAC
FreeNAC
IEEE 802.1X
NAC
[17]
Proxy Server
Squid
Bluecoat
Proxy
[18]
Wireless Hotspot
Chillispot, NoCAT
Exchange
Backend Frontend Server
POP3
IMAP4
IBM Lotus Domino
MailEnable
Merak Mail Server
Novell Groupwise
Sun Java System
Messaging Server
Zimbra
Sendmail
Postfix Qmail
POP3
IMAP4
Courier Mail Server
Cyrus IMAP Server Dovecot
Binc IMAP Server
[13]
Internet Information Services
IIS FTP
WS_FTP Server
FileZilla Server
ProFTPD
VsFTPD WU-FTPD
[14]
Apache Web Server
Internet
Information Services IIS
IBM HTTP Server
WebLogic
JBoss
WebSphere Application
Server
[15]
Exchange
Server NNTP
Java Apache Mail
(Usenet)
Internet Relay
Chat (IRC)
Instance
Messaging (IM)
[16]
2
IRC Server
IM Server
2
Firewall
Router
Network Address Translation
NAT NAT
NAT Log
Authentication
Server Proxy Server
IRC
IM
[7]
1)
Access Logs
Radius Log
Authentication
Server
Squid Log
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
"GET /images/bgON.gif HTTP/1.1"
304 "http://virus.thaicert.org/styl
esheets/_menu.css?1213106214"
"Mozilla/5.0 (Windows; U;
Windows NT 6.0; en-US;
rv:1.8.0.4) Gecko/20060602
Firefox/1.5.0.4"
Chillispot Log
Aug 13 20:34:05 192.168.1.21
chillispot[1099]: chilli.c:
3200: Client MAC=00-1B-77-0AF8-20 assigned IP 192.168.1.122
Aug 13 20:34:10 192.168.1.21
23 51
2)
chillispot[1102]: chilli.c:
3502: Successful UAM login from
username=56F7hesa
IP=192.168.1.122
Sun Mar 18 04:35:24 2008
Squid Log
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
(email servers)
SMTP Server
POP/IMAP
Server
SMTP
POP3
IMAP4
4)
(Assigned IP
Address)
5)
(Calling
Line Identification)
1) Log
(SMTP)
-
(Message ID)
-
(Sender E-mail
Address)
-
(Receiver E-mail
Address)
-
(Status Indicator)
2)
Framed-IP-Address = 192.168.1.5
Chillispot Log
Aug 13 20:34:05
192.168.1.21/192.168.1.21
chillispot[1099]: chilli.c:
3200: Client MAC=00-1B-77-0AF8-20 assigned IP
192.168.12.122
Calling-Station-Id = 00-14-2A4B-D8-71
NAS-IP-Address = 192.168.1.1
Aug 24 05:18:14
admin@example.com
sendmail[10900]:
m7OMIE38010900:
from=<test@example.com>,
size=690, class=0, nrcpts=1,
msgid=<200805242102.m7OL24r5010
202@example.com>, proto=ESMTP,
daemon=MTA,
relay=mail.example.com
[14.36.11.2]
Aug 24 05:18:14
admin@example.com
sendmail[10202]:
m7OL24r5010202:
to=lersak@gmail.com,
ctladdr=192.168.1.50 (0/0),
delay=01:16:10,
xdelay=00:00:00, mailer=relay,
pri=30451,
relay=[mail.example.com]
[14.36.11.2], dsn=2.0.0,
stat=Sent (m7OMIE38010900
Message accepted for delivery)
ctladdr=192.168.1.50
3)
(Date
and time of connection of
Client Connected to server)
4)
(IP
Address of Sending
Computer)
5) (User ID) (
)
6)
POP3 log IMAP4 Log
1) Log
Aug 24 05:18:14
FTP Server
File
Transfer Protocol
FTP
2)
(Date and Time of
Connection of Client to
Server)
3)
(IP Source
Address)
4) (User
ID)
()
5) (Path)
25 51
relay=mail.example.com
[14.36.11.2]
Login: user=<suwarut>,
2007-06-21 11:14:27 Info: imaplogin: Login: user=<suwarut>,
method=plain,
rip=192.168.1.200,
lip=192.168.1.35
17:40:41 192.168.1.67
Administrator 21 [140]USER
Administrator 331
Mon Feb 26 12:51:52 2008 6
(Path and Filename of Data
Object Uploaded or
Downloaded)
1) Log
3.example.com 62823 \
/var/ftp/pubinfo/jpeg/EtaCarD.j
pg b _ o a mozilla@ ftp 0 * c
Web Server
Hypertext Transfer
Protocol HTTP
HTTPS
(Usenet)
News Server
Network News
Transfer Protocol
NNTP
2)
3)
4)
5)
(URI:
Uniform Resource
Identifier)
1) Log
(NNTP
Network News Transfer
Protocol Log)
2)
(Date and Time of
Connection of Client to
26 51
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
"GET /images/bgDIVIDER.gif
HTTP/1.1" 304 "http://www.google.com
/stylesheets/_menu.css?12131062
14" "Mozilla/5.0 (Windows; U;
Windows NT 6.0; en-US;
rv:1.8.0.4) Gecko/20060602
Firefox/1.5.0.4"
192.168.99.7 - lersak
[18/Aug/2008:21:06:48 +0700]
"GET /images/bgON.gif HTTP/1.1"
304 "http://virus.thaicert.org/styl
esheets/_menu.css?1213106214"
"Mozilla/5.0 (Windows; U;
Windows NT 6.0; en-US;
rv:1.8.0.4) Gecko/20060602
Firefox/1.5.0.4"
[18/Aug/2008:21:06:48 +0700]
192.168.99.7
Internet Relay
Chat (IRC)
Instance
Messaging (IM)
Server)
3) Port
(Protocol Process
ID)
4)
(Host Name)
5)
(Posted Message ID)
1)
(Date
and Time of Connection of
Client to Server)
2)
(Client Hostname and/or IP
Address)
3)
(Destination Hostname
and/or IP Address)
NNTPSVC1, NEWS_Server
article, 6
arlQl#SH#GA.425@serve,
1205326745.661 1912
192.168.42.165 TCP_MISS/200
8460 CONNECT
login.live.com:443/ DIRECT/login.live.com - CMF:40
DCF:20 ERR:0 DEFAULT_CASEDefaultGroup
1205326745.661 1912
192.168.42.165 TCP_MISS/200
8460 CONNECT
login.live.com:443/ DIRECT/login.live.com
1205326745.661 1912
192.168.42.165 TCP_MISS/200
8460 CONNECT
login.live.com:443/ DIRECT/login.live.com
[19]
5.3. 5 (1) .
5 (1) .
(Internet Caf)
(Game Online)
1)
Proxy Server
Proxy Server
Authentication Gateway
2)
3) IP Address
(Internet Protocol Address)
27 51
6. 5 (2)
5(1)
(Content and Application Service Provider)
[7]
(Content Service
Provider)
1)
(User ID)
(User ID)
2)
3) (Web
board) (Blog)
(Post)
28 51
Username
7.
[7]
() () .
() () .
(ISP)
() ()
5 (1) 5 (2)
5 (1)
5 (2)
5(1)
.
(Telecommunication
and Broadcast Carrier)
.
(Access Service Provider)
(Internet Service
Provider ISP)
.
(Access Service Provider)
.
(Hosting
Service Provider)
.
29 51
23 2550
23 2551
23 2551
ISO/IEC 27001
ISO/IEC 27001
... .. 2550
...
Log
...
...
...
( 2.5)
2550 [3] 41
6.10 (Monitoring)
6.10.1 (Audit logging)
()
()
ISO/IEC 27001 ISO/IEC 17799 [8]
(Audit logging)
Denial of
Service
(Monitoring
system use)
31 51
...
90
3 (
)
18.00 8.00
70%
(Protection of
log information)
(Fault logging)
(Clock
synchronization)
Data Hashing
Error
32 51
Network Time
Protocol NTP
Stratum 1
[9]
time1.nimt.or.th
203.185.69.60
time.navy.mi.th
118.175.67.83
ThaiCERT
clock.thaicert.org
203.185.129.186
203.185.129.187
National Institute of
Standards and Technology
time.nist.gov
192.43.244.18
Log [4]
Audit Trail
1. (Log management)
(Policies and
Procedures for
Log
Management)
Audit
33 51
...
.. 2550
26
(
)
Microsoft
Windows
Log Server
1.1.
34 51
2
2
(Authentication log)
(Operation log)
Timestamp
Timestamp
Syslog
X
MM-DD-YYYY
Y
YYDDMM
M File Transfer
Protocol (FTP)
N
21/TCP
...
Network Time Protocol NTP
CSV
Comma-Separated
Database Management System
SQL
Structure Query Language
Syslog
Eventlog
Simple
Network Management Protocol
SNMP
XML XHTML
1.
Network
Time
Protocol NTP
2.
3.
35 51
1.2.
Log Server
Secondary
Logging
36 51
Digital Hashing
MD5
GPG
CD-ROM
Eventlog
/var/log
(
)
Two-factor
Authentication
Log Archival
...
37 51
Full
1
(Archive Log)
10
2
RAID
Archive Log
30
.. 2550
90
90
(
1 )
1.3.
(System Administrator) (Network Administrator)
(Developer)
(Security Analyst)
2
38 51
2.
[4] 3
2.1.
Log Generation Log Source
Primary Logging
Log server Secondary Logging
Log Storage and Correlation
Log Generation
Collectors Aggregators
Log Analysis and Monitoring
39 51
Primary Logging
Secondary Logging
[5]
Primary Logging
E-ticket
/var/log
Secondary Logging
Primary Logging
Primary Logging
Real-time Off-line
2.3.
.. .. 2550
90
.. ..
2550 28
Computer
Forensic
Log parsing
Log Conversation
41 51
Event filtering
Event filtering
Event aggregation
Log rotation
/var/log/message
/var/log/message.1 /var/log/message
Log
archive
Log archival
Storage area network SAN
Log archival
Log retention
Log preservation
...
.. 2550
Log compression
Log rotation Log archival
Log reduction
Log
archival
Log conversion
TEXT XML
Log conversion
Event filtering Event aggregation Log normalization
Log normalization
12 2:34:56 P.M.
IDT 24
14:34 GMT+7
Timestamp Event
Time
42 51
Timezone GMT+7
Zone-21 Log normalization
Zone-21 GMT+7
Log normalization
Log normalization
Log file integrity checking
Data Hashing Log
rotation
Log compression Log archival
Message
Digest MD5 128 SHA-1
128 Message Digest 128
Message Digest
Data Hashing
/var/log/message C:\WINDOWS\System32\config\SecEvent.Evt
Security Log
Data Hashing
Message Digest CD-ROM
Message Digest Message Digest
Message Digest
Event correlation
Rule-based correlation
43 51
Event correlation
Data Mining
Log clearing
Log
archival
3. (Log source Log generation)
Continuous
Batches
Batches
3.1.
(Operating system log)
(Servers) (Workstations)
Routers Switches
System Events
(Boot and Shutting down Operating System)
Aug 16 06:01:50 localhost@server kernel: kjournald starting. Commit
interval 5 seconds
Aug 16 06:01:50 localhost@server kjournald starting. Commit interval 5
seconds
44 51
Audit Records
45 51
Application
(FTP Application Server)
(Financial Application)
Enterprise Resource
Planning (ERP) Logistic
2
Application
requests
and
responses:
- (E-mail application server)
- -
(Web server application)
Transaction
Sendmail Net-SNMP
Account Information:
SSH
OpenVPN
Aug 15 22:25:41 localhost@server sshd[7876]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.96.6 user=tawatchai
Aug 15 22:26:04 localhost@server su: pam_unix(su-l:auth): authentication
failure; logname=seewat uid=502 euid=0 tty=pts/0 ruser=seewat rhost=
user=root
46 51
Usage information:
Aug 1 00:50:01 localhost@server snmpd[2271]: Connection from UDP:
[127.0.0.1]:10525
Aug 1 00:50:01 localhost@server snmpd[2271]: Connection from UDP:
[127.0.0.1]:10525
Aug 1 00:50:01 localhost@server snmpd[2271]: Connection from UDP:
[127.0.0.1]:10525
Aug 1 00:50:01 localhost@server snmpd[2271]: Connection from UDP:
[127.0.0.1]:10525
Aug 1 06:01:25 localhost@server kernel: TCP bind hash table entries: 65536
(order: 7, 524288 bytes)
Aug 1 06:01:25 localhost@server kernel: TCP: Hash tables configured
(established 131072 bind 65536)
Aug 2 06:01:18 localhost@server kernel: TCP bind hash table entries: 65536
(order: 7, 524288 bytes)
Operational actions:
Aug 11 06:05:51 192.168.1.21/192.168.1.21 syslog: chilli : chilli daemon
successfully started
Aug 11 06:05:51 192.168.1.21/192.168.1.21 syslog: ttraff : traffic counter
daemon successfully started
Aug 11 06:05:51 192.168.1.21/192.168.1.21 syslog: ttraff: data collection
started
Aug 11 06:05:53 192.168.1.21/192.168.1.21 syslog: chilli : chilli daemon
successfully started
Aug 11 06:05:53 192.168.1.21/192.168.1.21 syslog: klogd : klog daemon
successfully stopped
47 51
3.3.
(Security-related device/software log)
Network-based
Host-based
Routers :
Network Address Translation (NAT)
NAT
Firewall:
Denial of Service IP Spoofing
IPTables
Aug 25 22:20:17 192.168.1.21/192.168.1.21 kernel: DROP IN=vlan1 OUT=
MAC=01:00:5e:00:00:01:00:02:cf:b4:b7:84:08:00:46:00:00:24 SRC=192.168.1.1
DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=64587 OPT (94040000)
PROTO=2
Aug 25 22:25:02 192.168.1.21/192.168.1.21 kernel: ACCEPT IN=vlan1 OUT=
MAC=00:1d:7e:dc:1b:37:00:1d:60:8f:44:b6:08:00:45:00:00:41 SRC=192.168.1.99
DST=192.168.1.21 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=10499 DPT=161 LEN=45
Aug 25 22:26:31 192.168.1.21/192.168.1.21 kernel: DROP IN=vlan1 OUT=
MAC=01:00:5e:00:00:01:00:02:cf:b4:b7:84:08:00:46:00:00:24 SRC=192.168.1.1
DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=64982 OPT (94040000)
PROTO=2
Aug 25 22:28:36 192.168.1.21/192.168.1.21 kernel: DROP IN=vlan1 OUT=
MAC=01:00:5e:00:00:01:00:02:cf:b4:b7:84:08:00:46:00:00:24 SRC=192.168.1.1
DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=65212 OPT (94040000)
PROTO=2
48 51
1219678886.643
610 192.168.56.80 TCP_MISS/200 82392 GET
http://images2.narak.com/banner/jobs_468x60.gif - DIRECT/203.151.233.144
image/gif
: (Malware
Malicious Software
(Rootkit) Antivirus
Kaspersky, ESET
NOD, Symantec Antivirus, Trend Micro, McAfee
Remote Access
Software: Virtual Private
Network VPN
VPN
Remote Access
SSL VPN Juniper SSL
VPN Microsoft ISA Server PPTP L2TP
POPTOP
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS):
Snort
Vulnerability Management Software:
Patch Management Software
Vulnerability Assessment Software
Microsoft Baseline Security Analyzer (MBSA), Nessus
GFI Network Security
Authentication Servers:
Lightweight Directory Access Protocol LDAP
Microsoft Active Directory Novell E-Directory Single
Sign-on RADIUS TACAC+ FreeRadius
Funk
FreeRadius Authentication Log
Aug 12 19:49:46 localhost@server radiusd[2305]: Login OK: [6HN3fe5/<CHAPPassword>] (from client APF2 port 3 cli 00-17-C4-23-A3-2D)
Aug 12 20:17:26 localhost@server radiusd[2305]: Login OK: [8uJY5653/<CHAPPassword>] (from client APF2 port 7 cli 00-1B-77-F3-18-C3)
Aug 12 20:25:07 localhost@server radiusd[2305]: Invalid user
(rlm_sqlcounter: Maximum never usage time reached): [AU33WHq/<CHAPPassword>] (from client APF5 port 8 cli 00-18-DE-46-8A-12)
Aug 12 21:31:57 localhost@server radiusd[2305]: Login OK: [VU6agCw/<CHAPPassword>] (from client APF5 port 10 cli 00-0E-35-58-BA-8D)
Aug 12 21:34:53 localhost@server radiusd[2305]: Multiple logins (max 1) :
[RU4XgCw/<CHAP-Password>] (from client APF2 port 0 cli 00-0E-35-58-BA-8D)
FreeRadius
Accounting Log
49 51
Authentication Gateway
Captive Portal HotSpot
Network Quarantine Server
(
)
Authentication Gateway ChilliSpot
Aug 13 20:34:03 192.168.1.21/192.168.1.21 chillispot[1099]: chilli.c:
New DHCP request from MAC=00-1B-77-0A-F8-20
Aug 13 20:34:05 192.168.1.21/192.168.1.21 chillispot[1099]: chilli.c:
Client MAC=00-1B-77-0A-F8-20 assigned IP 192.168.12.122
Aug 13 20:34:10 192.168.1.21/192.168.1.21 chillispot[1102]: chilli.c:
Successful UAM login from username=56F7hesa IP=192.168.12.122
Aug 19 23:31:25 192.168.1.21/192.168.1.21 chillispot[1102]: chilli.c:
Successful UAM login from username=6A7eRkc IP=192.168.12.73
Aug 20 06:59:34 192.168.1.21/192.168.1.21 chillispot[1099]: chilli.c:
Successful UAM login from username=Yb4agCw IP=192.168.12.97
Aug 25 20:58:31 192.168.1.21/192.168.1.21 chillispot[1099]: chilli.c:
DHCP addr released by MAC=00-1B-77-0A-F8-20 IP=192.168.12.56
Aug 25 21:05:53 192.168.1.21/192.168.1.21 chillispot[1099]: chilli.c:
Rereading configuration file and doing DNS lookup
50 51
3230:
3200:
3502:
3502:
3502:
3280:
968:
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
, .. ,
18 2550
,
..
,
( 2.5) 2550, ISBN: 978-974-229-584-4, 1, 2550
Karen Kent and Murugiah Souppaya, NIST, Special Publication 800-92, Guide to Computer
Security Log Management, September 2006
Roger Meyer, Auditing a Corporate Log Server GAIC Gold Certification, GIAC Systems and
Network Auditor (GSNA), SANS Institute 2006 Reading Room, 17 September 2006
. ACIS Professional Center & ACIS i-Secure,
.
..
.. , http://www.acisonline.net
,
.. , 23 2550
SN ISO/IEC 17799:2005, Information technology Security Technique Code of practice for
information security management (ISO/IEC 17799:2005), Second Edition, 2005-06-15
Chaiyakorn Apiwathanokul, Computer Time Synchronization Scheme ,
http://www.etcommission.go.th/documents/standard/time_sync_server_v1_0.pdf,
3 October 2007
, Network Time Protocol
. .. 2550
http://www.thaicert.org/paper/basic/NTPandLAW.php, 27 2551
, Time Server [],
http://www.thaicert.org/paper/basic/manualTimeServer.php, 27 2551
Wikipedia, List of RADIUS Servers, http://en.wikipedia.org/wiki/List_of_RADIUS_Servers
Wikipedia, List of mail servers, http://en.wikipedia.org/wiki/List_of_mail_servers
Wikipedia, List of FTP server software,
http://en.wikipedia.org/wiki/List_of_FTP_server_software
Wikipedia, Comparison of web server software
http://en.wikipedia.org/wiki/Comparison_of_web_servers
Wikipedia, News server, http://en.wikipedia.org/wiki/News_server
Wikipedia, Network Access Control, http://en.wikipedia.org/wiki/Network_Access_Control
Wikipedia, Proxy Server, http://en.wikipedia.org/wiki/Proxy_server
, ..2550,
(Ethical, Legal and Social Impacts of ICT : ELSIT),
51 51