Sawmill Analytics

Analyse und Reporting
für Web | Netzwerk | Sicherheit

Zugriffs- und Datenanalyse von Server-Logs (Proxy, Mailserver, Firewall, Webserver) und Überwachung der Sicherheit & Performance, Schwachstellenanalyse.

Sawmill Analytics 8 | Loganalyse


Detecting And Alerting On Intrusion Attempts With Sawmill

Sawmill's log filters make it possible to write very flexible rules for detecting certain conditions in the log data. This can be used for intrusion detection and alerting. Consider the following FTP log data from Microsoft Internet Information Services (IIS):

 #Software: Microsoft Internet Information Services 6.0
 #Version: 1.0
 #Date: 2009-02-05 04:59:59
 #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
 04:59:59 [4007]USER Administrator 331 0
 04:59:59 [4007]PASS - 530 1326
 04:59:59 [4007]USER Administrator 331 0
 04:59:59 [4007]PASS - 530 1326
 05:00:01 [4007]USER Administrator 331 0
 05:00:01 [4007]PASS - 530 1326
 05:00:01 [4007]USER Administrator 331 0
 05:00:02 [4007]PASS - 530 1326
 05:00:02 [4007]USER Administrator 331 0
 05:00:02 [4007]PASS - 530 1326
 05:00:03 [4007]USER Administrator 331 0
 05:00:03 [4007]PASS - 530 1326
 05:00:03 [4007]USER Administrator 331 0
 05:00:03 [4007]PASS - 530 1326

This log data shows a password-cracking attack originating from IP address We can guess this is an attack, rather than a series of legitimate login attempts, because the logins are happening so fast--there are several attempts each second, from the same IP address, to log in as an Administrator.

Sawmill can show this data in the Log Detail of its standard reporting, of course, and that can be useful for examining past intrusion attempts. But if you want to know about the intrusion attempt as it occurs, or shortly thereafter, you need more--you need alerting.

To create an alert in Sawmill, first define for yourself what condition should trigger the alert. In this case, it is:
The last condition is intended to prevent Sawmill from sending a million emails to you, as one IP attempts to crack passwords over a million lines--we only want one email in this case.

Now that we've defined the condition, we need to implement it as a log filter (written in Salang, Sawmill's built-in language, which is used for advanced filtering). Below is a Salang log filter which implements this condition, and alerts on it. This can be copied and pasted directly into an "advanced expression" log filter created in your profile, in Config -> Log Filters:

 # Only consider PASS lines as intrusions
 if (cs_method eq "PASS") then (

   # Make sure the nodes we're going to use have been initialized
   v.password_attempt_times = "";
   v.intrusion_reported_for_ip = "";
   # Get the timestamp of the previous password attempt for the current user
   int last_password_attempt_for_this_user = @'v.password_attempt_times'{username};
   # If the current timestamp matches the timestamp of the previous attempt, then this is an intrusion attempt
   if (date_time == last_password_attempt_for_this_user) then (
     # If we've already reported this IP, don't do it again.
     if (!'v.intrusion_reported_for_ip'?{c_ip}) then (
       # send email to admin@yourplace.com, from admin@yourplace.com, with a simple description in the subject,
       # and a longer description in the body.
                  "Subject: Password scan attempt on " . username . " from " . c_ip . "\r\n" .
admin@yourplace.com\r\n" .
                    "\r\n" .
                    "Sawmill has detected a password scan attempt on user " . username . " from IP address " .
                      c_ip . ".  There were multiple attempts to log in as " . username . " at " . date_time . ".",

       # Remember that we have reported this IP
       @'v.intrusion_reported_for_ip'{c_ip} = true;
     ); # if intrusion not yet reported

   ); # if timestamp is the same

   # Remember the timestamp of this password attempt, for this username
   @'v.password_attempt_times'{username} = date_time;

 ); # if PASS

NOTE: This script uses new syntax available only in Sawmill 8. If you're using Sawmill 7, you will need to use equivalent syntax, e.g., node_exists instead of "?", and subnode_by_name() instead of "@{}".

The lines beginning with # are comments, and describes the operation of the log filter in detail. Some comments:

Advanced Topic: Real-Time Alerting From Streaming Log Data

If the log filter we've created above, is in a profile when you build a database, it will trigger all alerts for the dataset during the build. This is fine for getting after-the-fact information about the intrusion, but if you want to be alerted as intrusions occur, you need to stream the log data into Sawmill as it is generated. This is best done with a command line log source, which monitors the log files and dumps new data to its standard output stream as it appears in the log files (UNIX "tail -f" is a simple example of this). This requires an external script to do the monitoring; once you have created such a script, you can do real-time alerting by doing a Real-Time database build (using the Real-Time feature of Sawmill 8 Enterprise), or using streaming alerting with the "-a pl" option (see the May 2007 Newsletter).

[Article revision v1.0]

Professionelle Dienstleistungen

Sollten Sie die Anpassung von Sawmill Analytics nicht selbst vornehmen wollen, können wir Ihnen dies als Dienstleisung anbieten. Unsere Experten setzen sich gerne mit Ihnen in Verbindung, um die Reports oder sonstige Aspekte von Sawmill Analytics an Ihre Gegebenheiten und Wünsche anzupassen. Kontakt

Zur Tutorial-Übersicht

Weitere Informationen

      Live-Demonstrationen »    
© 1995-2011 HAAGE & PARTNER Computer GmbH · Impressum · Datenschutz · www.haage-partner.de