
Log Analysis (1)

Tequila (VietHacker.org Translator Group Leader)


Composed by hieupc

In computer forensics, your computer is treated as the scene of a crime. But unlike forensic analysis of people, computer analysts usually work with a running machine that can give off signs that other things may have gone wrong. In this chapter we deal with log analysis, which can be regarded as one branch of forensics. An individual log file can be very important, and we have to decide how to classify them. What are examples of log files? We can classify log files by the devices that produce them, because the device usually determines the kind of information the file contains. For example, host logs (Unix, Linux, Windows, VMS) differ from the logs of various network devices (such as switches, routers and other network equipment from Cisco, Nortel or Lucent). Likewise, the logs of security applications (firewalls, IDS, anti-DDoS devices, defence systems) differ considerably from both host and network logs. In fact, network security devices show an almost unimaginable variety in what they can record and in the formats they produce. Ranging from simple IP addresses to complete, complex network transactions, security devices typically generate an enormous amount of interesting information, covering both legitimate and illegitimate events. How do we find out which events were not permitted? How do we learn about past, and even future, intrusions from logs? Can we really hope to search through gigabytes of log files for activity that should not have occurred, when hackers are very careful not to leave any trace behind? This chapter answers all of those questions.

18.1 Log Analysis Basics

Analysing logs, or audit trails, is the art of extracting meaningful information and drawing conclusions about the security state of a system from the computer-generated records of events. Log analysis is not a science, although today the reliance on individual and intuitive analytical skill, and on luck, in doing quality log analysis is itself treated as something of a scientific concept.
The definition of log analysis may sound dry, but the important part is drawing a meaningful conclusion. Simply looking at log files is not analysis, because there is rarely anything in them except tedium and records that seem unrelated to one another. On a single-user machine with very little activity, every previously unseen log record leaves little room for doubt, but in practice it is not that easy. Consider a log analysis for an ordinary telnet case. First, look over the whole log to be analysed (such as the log of an intrusion-detection device reporting a successful attack) and correlate it with other sources of information. Correlating means performing manual or automated steps to establish relationships between seemingly unrelated events occurring on the network. Events occurring on different devices at different times may form immediate relationships (appearing within a short time). Is this a vulnerability the attacker could detect? Did the rules of the intrusion-detection system produce a false alarm? Is one of your own staff trying to scan your network for vulnerabilities? Answering questions like these is essential before planning a response to IDS alerts. Connection attempts, probes of services and assorted system errors usually require a great deal of correlation with various sources, at several levels, to obtain the most meaningful information.

18.2 Log Examples

In this section we look at examples of log files collected on Unix systems and then on Windows.

18.2.1 Unix

The growing spread of commercial and free Unix systems makes the skill of analysing Unix logs a top development priority. Unix and Linux systems produce a series of messages (as system logs), usually stored as plain text in a format like the following:

<date / time> <host> <message source> <message>

For example:

Oct 10 23:13:02 ns1 named[767]: sysquery: findns error (NXDOMAIN) on ns2.example.edu?
Oct 10 23:17:14 ns1 PAM_unix[8504]: (system-auth) session opened for user anton by (uid=0)
Oct 10 22:17:33 ns1 named[780]: denied update from [10.11.12.13].62052 for "example.edu"
Oct 10 23:24:40 ns1 sshd[8414]: Accepted password for anton from 10.11.12.13 port 2882 ssh2

These examples are familiar to anyone who has administered a Unix system for at least a day. The format consists of the following fields:

Timestamp: the system time of the machine that recorded the log (for a remotely received record) or of the machine that produced it (for locally produced records).

Hostname or IP address of the log-producing machine: the hostname may be a fully qualified domain name (FQDN) such as ns1.example.edu, or just the machine name, as ns1 in the example above.

Message source: the source may be a system program (sshd or named in the example above) or a component (for example PAM_unix) that produced the log message.

Log message: the log message may take many forms; it usually includes the application name, various status values, the source IP address, the protocol and so on. Sometimes the process identifier of the process that produced the log record is also recorded, in the square brackets.

The four log messages above show, in order:

- A problem with the second DNS server.
- A user (anton) logging in to the machine.
- A denied DNS update.
- A user (anton) logging in remotely over SSH with a password from IP address 10.11.12.13.

18.2.1.1 Analysing Unix system logs

Logging on a Unix system is managed by the syslog daemon. This daemon first appeared in the early BSD systems. Programs and operating-system components can submit events to syslog via commands, a socket (/dev/log) or a network connection using UDP port 514. Local logging is usually done through an API.
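As an added example (not part of the original chapter), the following Python parses lines in the format above into their fields and then correlates them by IP address across sources, the kind of correlation described in 18.1. The four records are the ones quoted above; the heuristic in hosts_denied_then_accepted is a constructed illustration.

```python
import re
from collections import defaultdict

# Constructed from the four records quoted above; the input is assumed to be BSD-style
# syslog lines of the form "<date/time> <host> <source>[<pid>]: <message>".
SAMPLE_LOG = """\
Oct 10 23:13:02 ns1 named[767]: sysquery: findns error (NXDOMAIN) on ns2.example.edu?
Oct 10 23:17:14 ns1 PAM_unix[8504]: (system-auth) session opened for user anton by (uid=0)
Oct 10 22:17:33 ns1 named[780]: denied update from [10.11.12.13].62052 for "example.edu"
Oct 10 23:24:40 ns1 sshd[8414]: Accepted password for anton from 10.11.12.13 port 2882 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Oct 10 23:13:02"
    r"(?P<host>\S+) "                                   # hostname or IP of the producer
    r"(?P<source>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: "   # program name, optional [pid]
    r"(?P<msg>.*)$"                                     # free-form message
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Split one syslog line into its fields, or return None for a line in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["ips"] = IPV4_RE.findall(rec["msg"])   # every IPv4 address mentioned in the message
    return rec


def parse_log(text):
    """Parse a whole log, skipping lines that do not fit the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def correlate_by_ip(records):
    """Group (timestamp, source, message) triples by each IP address they mention, so that
    events from different programs can be lined up side by side."""
    by_ip = defaultdict(list)
    for rec in records:
        for ip in rec["ips"]:
            by_ip[ip].append((rec["ts"], rec["source"], rec["msg"]))
    return dict(by_ip)


def hosts_denied_then_accepted(records):
    """IPs that named refused a DNS update from and that sshd later accepted a password
    login from: a cross-source coincidence worth a closer look. Timestamps are compared
    as strings, which is adequate within a single month as in the sample."""
    hits = []
    for ip, events in correlate_by_ip(records).items():
        denied = [ts for ts, src, msg in events if src == "named" and msg.startswith("denied")]
        accepted = [ts for ts, src, msg in events if src == "sshd" and msg.startswith("Accepted")]
        if denied and accepted and min(denied) < max(accepted):
            hits.append(ip)
    return sorted(hits)
```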
As the syslogd manual page puts it, system logging is provided by a version of syslogd derived from the BSD sources. Kernel logging support is provided by the klogd utility (on Linux), which allows kernel logging to be managed either in a standalone mode or as a client of syslogd. In standalone mode, klogd writes kernel messages to a file; in the combined mode, it pushes the messages to a syslogd daemon. Remote connections require the syslog daemon to be set up to listen on UDP port 514 (the standard syslog port) for incoming messages. To enable remote logging, you run syslogd -r on Linux. This function is enabled by default on Solaris and a few other Unix environments.

Messages go out onto the network as plain text and carry no timestamp of their own (they are stamped by the receiving machine). Incoming messages also contain the facility and priority values, which the syslog daemon decodes. Logs received from the network or produced locally are sent by the syslog daemon to various destinations (files, devices, programs, the system console or other syslog systems) according to priority and facility. The facilities include auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (the same as auth), syslog, user, uucp and local0 through local7. The syslog manual also gives the list of syslog priorities (in increasing order of importance): debug, info, notice, warning, warn (the same as warning), err, error (the same as err), crit, alert, emerg and panic (the same as emerg). The error, warn and panic priorities are still used by syslog systems that follow this priority scheme. The syslog configuration file is usually /etc/syslog.conf. As shown below, it lets you route messages to different files and different destinations:

*.*                                       @loghost
kern.*                                    /dev/console
*.crit                                    anton,other,root
local2.*                                  |/dev/custom_fifo
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    /var/log/maillog
cron.*                                    /var/log/cron
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log

Messages can be written directly to local files (such as /var/log/messages), sent to devices (such as /dev/console), or broadcast to all users or only to selected users (anton, other, root), much as with the wall shell command. In addition, messages can be forwarded to a remote host (the loghost line above) and written directly to named pipes or other FIFOs (/dev/custom_fifo in the example above) created with the mknod or mkfifo command. Even messages arriving from the network can be forwarded on to other machines, if the syslog daemon is configured to do so (syslogd -h on Linux). Forwarding is disabled by default because it can cause network congestion and other problems (it doubles the traffic on the link).
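The routing rules in the configuration above, as an added example that is not part of the original chapter: the Python below decodes the PRI value carried by a network syslog message into facility and priority, and works out which destinations of that configuration receive it. It assumes the sysklogd selector semantics (a priority means that priority and anything more important; "none" excludes a facility; later selectors override earlier ones) and the numeric facility and severity codes of RFC 3164.

```python
import re

# Numeric facility codes from RFC 3164 for the facilities named above; "security" is an
# alias for auth, as the text says. (Codes 11-15 are left out.)
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "security": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10}
FACILITY.update({"local%d" % i: 16 + i for i in range(8)})
ALL_FACILITY_CODES = sorted(set(FACILITY.values()))

# Severity codes, 0 = most important. warn/error/panic are the aliases listed above.
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}


def decode_pri(pri):
    """Split the <PRI> number at the front of a network syslog datagram into
    (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %r" % pri)
    return divmod(pri, 8)


def selector_thresholds(selector):
    """Expand 'facilities.priority[;...]' into {facility_code: least-important severity
    accepted}. 'none' maps the facility to None (excluded). Later parts override earlier
    ones, as in sysklogd; the '=' and '!' modifiers are not handled here."""
    thresholds = {}
    for part in selector.split(";"):
        facilities, _, priority = part.rpartition(".")
        if facilities == "*":
            codes = ALL_FACILITY_CODES
        else:
            codes = [FACILITY[name] for name in facilities.split(",")]
        if priority == "none":
            level = None
        elif priority == "*":
            level = SEVERITY["debug"]          # everything down to debug
        else:
            level = SEVERITY[priority]
        for code in codes:
            thresholds[code] = level
    return thresholds


def parse_conf(text):
    """Turn syslog.conf text into (thresholds, destination) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, destination = re.split(r"\s+", line, maxsplit=1)
        rules.append((selector_thresholds(selector), destination))
    return rules


def route(conf_text, pri):
    """Every destination that receives a message carrying the given PRI value."""
    facility, severity = decode_pri(pri)
    out = []
    for thresholds, destination in parse_conf(conf_text):
        level = thresholds.get(facility)
        if level is not None and severity <= level:
            out.append(destination)
    return out


# The configuration quoted above (with "@loghost" as the remote host).
CONF = """\
*.*                                       @loghost
kern.*                                    /dev/console
*.crit                                    anton,other,root
local2.*                                  |/dev/custom_fifo
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    /var/log/maillog
cron.*                                    /var/log/cron
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
"""
```

An sshd "Accepted password" record sent as authpriv.info (PRI 86) reaches only the log host and /var/log/secure, because the messages line excludes authpriv.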
Remote logging is a major benefit for anyone who wants to collect all the gathered records in one place. The syslog implementations of the different Unix variants can all work together: you can bring many Unix boxes into one syslog platform. Some problems with syslog become obvious while working with it. Here is a short list:

1. The format of log messages is inconsistent across applications and operating systems. Apart from the time and host, the rest of the message is free-form, which makes things very difficult when all the different messages have to be displayed together.

2. Filtering messages by priority and facility is not very effective, because some log files end up as the dumping ground for a jumble of message types. There is no way to filter messages by content, and even adjusting the priority or facility of a logging program often proves challenging.

3. Network transport over UDP is unreliable: if the receiving end of a UDP association (not a connection, since UDP is connectionless) drops a datagram, the message is lost with no chance of recovery.

4. Network transport over UDP is in plain text (unencrypted), unauthenticated and barely protected. This could be a security disaster. Usually, though, it is not a serious problem, because syslog is used on trusted internal networks or even on a dedicated management LAN.

5. When messages are relayed from host to host, only the last hop is visible. If a machine sends messages to another machine, which can forward them anywhere, the received message appears to originate from that second machine.

6. Storing logs in plain-text files can make it harder to analyse large amounts of log data. Try running a full grep over a file of about 5 GB and you will understand the problem. While log rotation, archiving and summarisation all help, a relational database is really needed.

7. Stored logs are vulnerable to modification or deletion, especially when stored locally. It is very hard to check whether a log file is missing a piece of data, particularly if it has been altered by an experienced attacker with root access.

Replacements for the syslog of common Unix systems address these shortcomings. We look at two fairly well-known replacements: syslog-ng by BalabIT (http://www.balabit.hu/en/downloads/syslogng) and msyslog by CORE SDI (http://www.corest.com). These programs provide reliable TCP communication with message buffering and more filtering options (in addition to syslog's priorities and facilities). They support running under a non-root account in a chroot for safety, provide better access control and encrypted log data, and even offer integrity-protected log files. Let us look at how to set up msyslog for a small network. Unlike the syslog configuration example above, which forwards all messages to the log host over UDP, in this case we use TCP with buffering and store the logs both in a database and in plain-text files.
Furthermore, we enable cryptographic protection for the plain-text log files, which lets us detect changes to the stored logs. On the client machines that produce or forward log files, we deploy and configure msyslog. msyslog uses the usual /etc/syslog.conf file with minor changes, as in the following example:

*.* %tcp -a -h loghost -p 514 -m 30 -s 8192

In this example, all messages are forwarded from the local host to the log host over a TCP connection on port 514, buffering up to 8,192 messages if the connection fails and waiting about 30 seconds before re-establishing the connection to the log host. Other lines in /etc/syslog.conf can take any of the syslog formats described above. The daemon is started with the command msyslogd -i linux -i unix, or by using the default startup scripts provided by the msyslog package. On the server, we configure msyslog to run as follows:

msyslogd -i linux -i unix -i tcp -a -p 514

This makes the daemon listen for connections on TCP port 514 and accept log messages from all machines. Access-control rules can be applied to restrict which hosts (by IP address) may forward logs. We also add cryptographic protection for the more important messages (for example, those of critical priority). To do this, we add the following line to /etc/syslog.conf:

*.crit %peo -l -k /etc/.var.log.authlog.key %classic /var/log/critical

Next, stop the msyslog daemon, delete or rotate the logs, and generate the key using the accompanying utility:

peochk -g -k /etc/.var.log.authlog.key

Restart the daemon, and log protection is enabled. After each new message is received, msyslog updates its state. To verify the integrity of the log, run the following command:

peochk -f /var/log/messages -k /etc/.var.log.authlog.key

If all is well, you will see:

(0) /var/log/critical file is ok

If the log file has been modified, you will see:

(1) /var/log/critical corrupted

In addition, to send messages to a database, the following line has to be added to /etc/syslog.conf:

*.* %mysql -s localhost -u logger -d msyslog -t syslogTB

This line saves a copy of each message into a MySQL database. Before collection can begin, however, you need to create the database and a user that can insert log records, which is done with the following command:

echo "CREATE DATABASE msyslog;" | mysql -u root -p

This command creates the database. Before that, MySQL must be installed and running properly on your system. The next command is:

cat syslog-sql.sql | mysql msyslog

This command defines the table that stores the logs; syslog-sql.sql is shown below:

CREATE TABLE syslogTB (
  facility char(10),
  priority char(10),
  date date,
  time time,
  host varchar(128),
  message text,
  seq int unsigned auto_increment primary key
);

The last step is to grant the permission needed to insert messages:

echo "grant INSERT,SELECT on msyslog.* to logger@localhost;" | mysql -u root -p
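The peochk integrity check above, illustrated with an added example that is not msyslog's code: a forward-secure keyed hash chain in which the key is evolved after every record, so that the initial key (the counterpart of the generated key file, kept off the host) can later be used to verify the log and report "file is ok" or "corrupted" as above. The scheme and the two constructed records are made up for this example and are not the actual algorithm of msyslog's peo module.

```python
import hashlib
import hmac
import os


def generate_key():
    """Role of 'peochk -g': a random initial key. Keep a copy off the logging host, because
    verification needs the initial key while the daemon only ever holds the current one."""
    return os.urandom(32)


def evolve(key):
    """Next key in the chain. The daemon forgets the old key, so an intruder who later
    reads the key file cannot recompute tags for records written before the break-in."""
    return hashlib.sha256(b"peo-evolve|" + key).digest()


def tag(key, data):
    """Keyed hash over the chain state so far."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ProtectedLog:
    """Appends records and updates the chain state after each one, as the daemon does."""

    def __init__(self, initial_key):
        self.key = initial_key
        self.lines = []
        self.state = tag(initial_key, b"")   # state of an empty log

    def append(self, line):
        self.lines.append(line)
        self.key = evolve(self.key)          # old key is discarded here
        self.state = tag(self.key, (self.state + "\n" + line).encode())


def verify(lines, initial_key, stored_state):
    """Role of 'peochk -f <log> -k <keyfile>': rebuild the chain from the initial key and
    the log contents and compare with the stored state. Returns (0, 'file is ok') or
    (1, 'corrupted'), mirroring the outputs quoted above."""
    key = initial_key
    state = tag(initial_key, b"")
    for line in lines:
        key = evolve(key)
        state = tag(key, (state + "\n" + line).encode())
    if hmac.compare_digest(state, stored_state):
        return 0, "file is ok"
    return 1, "corrupted"


def demo():
    """Write two constructed records, then show that deleting or editing one is caught."""
    k0 = generate_key()
    log = ProtectedLog(k0)
    log.append("Oct 10 23:13:02 ns1 named[767]: sysquery: findns error (NXDOMAIN) on ns2.example.edu?")
    log.append("Oct 10 23:24:40 ns1 sshd[8414]: Accepted password for anton from 10.11.12.13 port 2882 ssh2")
    intact = verify(log.lines, k0, log.state)
    truncated = verify(log.lines[:-1], k0, log.state)                                  # login record removed
    edited = verify([log.lines[0], log.lines[1].replace("anton", "guest")], k0, log.state)  # user name altered
    return intact, truncated, edited
```

Unlike a plain checksum, the chain also catches reordering and deletion of earlier records, because every later tag depends on all previous ones.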

A database set up this way can safely store millions of records. The data can be viewed through the command-line interface (mysql) or through one of the many GUI database frontends and web frontends (for example PHPMyAdmin, written in PHP). To conclude, msyslog and syslog-ng interoperate with traditional syslog implementations if logs are transported over UDP. In that case the old syslog can stay deployed across the network while the new syslog is deployed on the log-collection server. The other advanced features, such as filtering, integrity checking and database collection, remain available; only the transport of logs over the network is done the classic way.

18.2.2 Windows

Windows (from NT/2000/XP onwards) also provides system logging. However, it uses a binary format (*.evt) to store three kinds of log file: system, application and security. Figure 18-1 is an example of a Windows security log. The system log contains many records relating to the normal or abnormal operation of the computer. This example shows normal Windows XP activity; see the detail in Figure 18-2. To read Windows logs, you need a program or tool that can read *.evt files. Such a tool can be used to export the files as comma-separated values for analysis, or to view the log in a text editor.

Figure 18-1. Windows security log showing normal operation
Figure 18-2. Double-clicking to drill down for detail on the Windows security log

18.2.3 Remote Covert Logging

A chapter on logging would not be complete without a section on covert logging. In some cases (such as honeypots and other scenarios), it is desirable to hide the presence of centralised remote logging from your visitors. Normally, the syslog configuration file reveals the presence of remote logging and gives away the location of the logging server. This lets hackers attack the log server, examine it and delete the evidence. Stealthy logging, on the other hand, is very hard for an attacker to detect.

The most basic stealthy-logging option is not really covert at all. It just provides a backup site for storing logs. In addition to the designated log server (visible to attackers), a sniffer (such as Snort IDS in listening mode, tcpdump or ngrep) is deployed on a separate machine. For example, if the server with IP address 10.1.1.2 sends logs to a server with address 10.1.1.3, another dedicated machine with no IP address is deployed on the same subnet, running the sniffer. All the sniffers are configured with the Berkeley Packet Filter (BPF) language to receive specific traffic. In this case, we run a command like:

ngrep "" src host 10.1.1.2 and dst host 10.1.1.3 and proto UDP and port 514 > /var/log/stealth-log

This command makes the sniffer (ngrep in this example, available at http://ngrep.courceforge.net) record only the remote syslog traffic between the two specified hosts and write the data to the file /var/log/stealth-log. Obviously, tcpdump could be used to record all the syslog traffic in binary or ASCII format, but ngrep seems to do this job better, because it displays only the relevant part of the syslog packet.

The second stealthy-logging option sends the log to a log host that does not run syslog (or any other network service). In this case, the firewall running on the log server simply rejects all incoming UDP packets on port 514. You may wonder how logging gets set up then. A sniffer that inspects every UDP packet before the firewall discards it is deployed on the log server itself. No application on the host can see the packet, because the firewall rejects it, but the sniffer writes it to a file (using the command above).
This can be done to thwart attempts to hack the log server. In fact we have just set up a honeypot-style trap: the messages are sent to the router (which obviously does not care whether the data it receives is a syslog message or not). Someone might notice the stream of messages going somewhere, but using a host without syslog has the advantage of confusing attackers (who have to consider whether it is a misconfiguration on the part of the system administrators).

The third and final stealthy-logging option involves sending the log data to a host that does not exist, and then picking the data up with a sniffer as above. In this case, one more setting has to be changed on the machine that sends the log: its TCP/IP stack has to be tricked into sending packets to a machine that will never reply (since it does not exist). All of this is accomplished with the following command:

arp -s 10.1.1.4 0A:0B:0C:0D:78:90

This command tricks the IP stack of the log-sending machine into thinking that something is running at address 10.1.1.4. In this case, both the IP address and the MAC address can be fake, but the IP address should be on the local network. Note that the MAC address does not have to belong to any real log server. Choosing a non-existent server is more effective when a higher level of stealth is needed. This method may not be applicable on a conventional LAN, but it can be used in many other special cases.

18.2.4 Other Kinds of Logging

To conclude, let us look once more at other Unix log files. In addition to the standard Unix syslogd and klogd logging daemons, there is also BSD process accounting, commonly found on Linux, Solaris and other BSD systems. Process accounting records the processes run on the Unix system and stores the data in binary files. A few utilities are provided to inspect the data, as in the following example:

lastcomm   S X  root   stdin  3.19 secs Sat Nov  2 22:16
head       S    root   stdin  0.00 secs Sat Nov  2 22:16
egrep           root   stdin  0.01 secs Sat Nov  2 22:16
grep       S    root   stdin  0.01 secs Sat Nov  2 22:16
bash       F    root   stdin  0.00 secs Sat Nov  2 22:16
bash       SF   root   stdin  0.00 secs Sat Nov  2 22:16
dircolors       root   stdin  0.00 secs Sat Nov  2 22:16
stty            root   stdin  0.00 secs Sat Nov  2 22:16
bash       SF   root   stdin  0.00 secs Sat Nov  2 22:16
tput            root   stdin  0.01 secs Sat Nov  2 22:16
bash       SF   root   stdin  0.00 secs Sat Nov  2 22:16
tput            root   stdin  0.01 secs Sat Nov  2 22:16
su              anton  stdin  0.04 secs Sat Nov  2 22:16
head            anton  stdin  0.01 secs Sat Nov  2 22:16

The records above (produced by the command lastcomm | head -20) show that the commands listed, including grep, egrep, bash and even the lastcomm command itself, were run on the machine under the root account, and that the user with the account anton switched to root using the su command at 10:16 PM on 2 November. This binary part of the Unix audit trail completes the picture provided by syslog by adding the most detailed information about the processes being run. Unfortunately, there is no facility for transporting those records remotely.

Unix system logging can also be integrated into machines running the Windows operating system with solutions such as Kiwi Syslog, free from http://www.kiwisyslog.com. In general, interpreting Unix messages becomes easier once you have control over the system. The challenge for log analysis is to reconstruct a complete picture of what was detected from the logs collected by different machines across the network, taking into account events that occurred earlier.

18.3 Logging States

In this section we bring the examples above and other logs together into an overall picture of what you can expect to see in a log file. This description is part of a posting by Tina Bird to her log-analysis mailing list (see the references) and the discussion that followed, which was compiled by the author of this book. Some events a computer may put into its log:

- Shutdown, startup, restart or any other action relating to the termination of the system or of a piece of software.
- Various thresholds being reached or dangerous levels being detected, such as a full disk, exhausted memory or an overloaded processor.
- Hardware reporting that the system may have a problem, or a detectable fault being logged.
- Users accessing the system, whether by remote login (telnet, SSH, ...) or local login, or network access (FTP) to or from another system, successful or not.
- Users gaining elevated privileges, such as through the su command, successful or not.

- Changes to user credentials or access rights, such as account updates, creation or deletion, successful or not.
- Changes to system configuration and software updates, successful or not.
- Access to the system logs to modify, delete or even just read them.

The list of events above may be enough for the log of a system that is ready for analysis. The basic task is to try to answer the question "What happened?" using all of those potentially complex records.

18.4 When to Look at the Logs

A beginner should start by looking over all the collected information once and deciding what deserves attention. Could you, perhaps, skip all this and not analyse the data at all? The answer seems to be NO. The simplest rule of log analysis is that you do not record what you do not plan to search. Or, as Murphy's rule puts it, "Only look for problems you know how to solve." In information security, this means you only look for what you plan to respond to, and only record what you need to search. For example, an intrusion-detection system (discussed in Chapter 19) only works well when an analyst reviews its output. So if you have no idea what "WEB-CGI webdist.cgi access" means, you should not run Snort with that rule enabled. Taking an appropriate action based on the results is impossible if you do not understand what is happening and what action would be appropriate in the circumstances. This does not negate the fact that logging everything is necessary for investigation and searching. In fact, if logs could be used to answer every question about every event, a rule like "don't log what you won't look at" would never be applied. In many cases, logging everything is the best route, because it seems to capture every signal that allows you to solve the problem. We only mean that if a log file is never looked at (or is simply rotated away by some log program), it is of no use.

Consider the case of a home or office machine.
In this case, logs are mainly useful for major system problems (such as hardware or operating-system failures) or for system security problems (which are easy to prevent, since you only have to watch a single system or a very small number of systems). Even in these cases, you are obliged to look at the logs if you hope to solve the problems or prevent their damage. You would, however, spend less time simply reinstalling your Windows operating system, or replacing it with Unix. We do not recommend poring over log files looking for possible signs of an intrusion, unless you enjoy that kind of work or are preparing for some intrusion-analysis certification. Only enable as much logging as is necessary.

Next, consider a small or medium-sized business, which, it is fair to say, has no security staff. Security actions are limited to fixing problems. In this case it resembles the home system, with minor differences. This environment also often contains people who astonish security professionals with comments like "Why would anyone want to hack us? We have nothing that would attract hackers." Today, everyone understands that system memory, CPU cycles and a high-speed network connection by themselves attract plenty of security threats. And because the well-known low-level threats (such as someone scanning ports) can be mistaken for a serious attack (such as an attempt to break into the system), a small company rarely has the strong, skilled staff to make use of its logs.

A larger company has more administrative requirements than a single individual, so the level of security and accountability is higher. Every organisation connected to the Internet today has at least one firewall and a few DMZs set up for public servers such as web, email, FTP and remote login. Many organisations deploy intrusion-detection systems and virtual private networks (VPNs). All of these advanced technologies raise new concerns about what to do with all the signals coming from them, and companies rarely hire new security staff just to deal with those signals.
Logs are one of the ways to detect threats from the hostile Internet. In short, the answer to the question "Do I have to do this?" changes from "Perhaps not" for small businesses to "Yes, you must" for large ones.

18.5 Log Overflow and Aggregation

The information in log files is rich and varied, but unfortunately much of it is very complicated to analyse. Gigabytes of collected data are not unusual for a large company, especially if network traffic is logged. While there are many ways to store that information, making it analysable and usable by monitoring tools is another story. Having the logs from the collecting devices in one place increases the overall amount of information gathered, but simplifies day-to-day operation and the response to unexpected events thanks to quick access to the logs. Efficient auditing, secure storage and the ability to analyse are among the conveniences of centralising the collected logs. In addition, storing logs securely and protected from change is very useful if an intruder is detected on the basis of log evidence. In that case, careful documentation of the logging programme may be essential.

While centralising the logs of Unix systems can be achieved easily with standard syslog, the syslog replacements can do the job better. Centralising logs serves many purposes during interpretation; for one thing, it makes the systems more secure. An intruder has to attack one or more additional servers to erase his traces. For another, it makes things more convenient: the network administrator only needs to connect to one machine to view all the log files from the network. Nevertheless, many problems arise in centralising logs, the most important being the need to handle a very large volume of log information.

18.6 Challenges of Log Analysis

After spending so much time and effort on collecting and analysing logs, let us play devil's advocate and examine the evidence for some of its supposed benefits. We assume that security incidents are investigated using log files, but that assumption may only raise more questions. Some sources suggest that all the Mountain Dew-drinking hackers never leave traces in the logs and easily bypass intrusion-detection systems. If actions are not recorded, you cannot analyse them.
In addition, a logging infrastructure known to attackers can be manipulated, and the log files may be deleted by any attacker who wants to erase his traces after penetrating the system. Again, if you let the intruder delete the logs, you cannot analyse them. It frequently happens (in fact it has happened to this author) that an excellent investigator, sensitive to computer incidents, takes as his first step: look at the system logs. But wherever he looks, he cannot find them. Logging was not enabled by default, or was redirected straight to /dev/null by people who did not want to see storage being consumed. So what is the solution? There is not just one. If logs are not available when you need them, you cannot analyse them. Even worse, sometimes there are some signs of the intruder in the system files, for example the IP address of someone who connected to the system with the ability to exploit it at the time of the incident. But if all you have is an IP address, what can you prove? It is much easier to convince a responding party that an incident occurred when a captured session shows an intrusion tool being run. In practice, though, logs do not always contain detailed information. If the logs are not detailed enough to draw conclusions from the data, you cannot analyse them.

Log analysis must often be carried out despite these ever-present difficulties. Nevertheless, they force us to keep thinking about them. If logging everything is not an option (due to storage, bandwidth or application limits), then we can only analyse what we have and try to reach a complete conclusion despite those difficulties. As we have mentioned, there are many tools that can analyse logs. In this chapter, however, we introduce only the SIM (Security Information Management) solution.

18.7 Security Information Management (SIM)

SIM tools collect, normalise, reduce, analyse and correlate a great many logs from the collectors. Security events are gathered from every device that produces log files: firewalls, intrusion-detection devices, protection systems, antivirus tools, as well as servers and applications. First, the log records are converted into a common format, usually XML. Second, they are intelligently reduced in size, grouped into categories and transported to a central collection point (usually a relational database) for storage and further analysis. In addition, events can be correlated using rules and statistical correlation methods. Finally, events are presented through a real-time graphical interface. Tools such as netForensics (http://www.netForensics.com) can process thousands of security events per second and correlate them in real time, as well as providing analysis and long-term trending. Some tools allow real-time analysis and retrieval of large numbers of events. They help organisations understand what is going on in their IP environment and be warned of the threats they face. However, collecting events from thousands of devices deployed around the world can overload even a very powerful tool. Some experts still believe that many new attacks could be prevented if devices from many places in the world logged to some central system. Hence the need for global log aggregation.

18.8 Global Log Aggregation

A chapter on log analysis would not be complete without mentioning global log aggregation. Many organisations and companies collect log files and are willing to share them, and then analyse the whole data set. SANS's Dshield.org (http://www.dshield.org), MyNetWatchMan's Watchman (http://www.mynetwatchman.com) and Symantec's DeepSight Analyzer (https://analyzer.securityfocus.com) collect large numbers of logs, from personal firewalls to large corporate firewalls and intrusion-detection systems. The services offer a variety of web interfaces for analysing and viewing the logs.
In addition, if a genuinely suspicious action is detected, they all notify the responsible contact at the ISP, which can cost the attacker his account. The benefit of this kind of service is to the community, not to individual users. Processing a very large volume of log data allows the organisation to detect network threats to its systems very early. We saw this in practice when the Dshield folks detected the spread of CodeRed in 2001 and an MSSQL worm in 2002. The geometric growth in accesses to a single port (port 80 for CodeRed and port 1433 for the SQL worm) hinted at an automated attack. An early-warning system lets security analysts catch and study the worm and come up with a solution before it gets out of control. We note that you should consider one of these services in order to become more familiar with your log data and help build a safer Internet.
