Sawmill-Tutorial
Detecting And Alerting On Intrusion Attempts With Sawmill
Sawmill's log filters make it possible to write very flexible rules for detecting certain conditions in the log data. This can be used for intrusion detection and alerting. Consider the following FTP log data from Microsoft Internet Information Services (IIS):
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-02-05 04:59:59
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
04:59:59 12.34.56.78 [4007]USER Administrator 331 0
04:59:59 12.34.56.78 [4007]PASS - 530 1326
04:59:59 12.34.56.78 [4007]USER Administrator 331 0
04:59:59 12.34.56.78 [4007]PASS - 530 1326
05:00:01 12.34.56.78 [4007]USER Administrator 331 0
05:00:01 12.34.56.78 [4007]PASS - 530 1326
05:00:01 12.34.56.78 [4007]USER Administrator 331 0
05:00:02 12.34.56.78 [4007]PASS - 530 1326
05:00:02 12.34.56.78 [4007]USER Administrator 331 0
05:00:02 12.34.56.78 [4007]PASS - 530 1326
05:00:03 12.34.56.78 [4007]USER Administrator 331 0
05:00:03 12.34.56.78 [4007]PASS - 530 1326
05:00:03 12.34.56.78 [4007]USER Administrator 331 0
05:00:03 12.34.56.78 [4007]PASS - 530 1326
This log data shows a password-cracking attack originating from IP address 12.34.56.78. We can guess this is an attack, rather than a series of legitimate login attempts, because the logins are happening so fast: there are several attempts each second, from the same IP address, to log in as Administrator.
Sawmill can show this data in the Log Detail of its standard reporting, of course, and that can be useful for examining past intrusion attempts. But if you want to know about the intrusion attempt as it occurs, or shortly thereafter, you need more: you need alerting.
To create an alert in Sawmill, first define for yourself what condition
should trigger the alert. In this case, it is:
- The current line of log data is a PASS attempt.
- The previous login attempt for this user is in the same second as this one.
- We have not fired an alert for this IP previously.
The last condition is intended to prevent Sawmill from sending a
million emails to you, as one IP attempts to crack passwords over a
million lines--we only want one email in this case.
Now that we've defined the condition, we need to implement it as a log
filter (written in Salang, Sawmill's built-in language, which is used
for advanced filtering). Below is a Salang log filter which implements
this condition, and alerts on it. This can be copied and pasted
directly into an "advanced expression" log filter created in your
profile, in Config -> Log Filters:
# Only consider PASS lines as intrusions
if (cs_method eq "PASS") then (

  # Make sure the nodes we're going to use have been initialized
  v.password_attempt_times = "";
  v.intrusion_reported_for_ip = "";

  # Get the timestamp of the previous password attempt for the current user
  int last_password_attempt_for_this_user = @'v.password_attempt_times'{username};

  # If the current timestamp matches the timestamp of the previous attempt,
  # then this is an intrusion attempt
  if (date_time == last_password_attempt_for_this_user) then (

    # If we've already reported this IP, don't do it again.
    if (!'v.intrusion_reported_for_ip'?{c_ip}) then (

      # Send email to admin@yourplace.com, from admin@yourplace.com, with a
      # simple description in the subject, and a longer description in the body.
      send_email("admin@yourplace.com",
                 "admin@yourplace.com",
                 "Subject: Password scan attempt on " . username . " from " . c_ip . "\r\n" .
                 "To: admin@yourplace.com\r\n" .
                 "\r\n" .
                 "Sawmill has detected a password scan attempt on user " . username .
                 " from IP address " . c_ip . ". There were multiple attempts to log in as " .
                 username . " at " . date_time . ".",
                 "smtp.yourplace.com");

      # Remember that we have reported this IP
      @'v.intrusion_reported_for_ip'{c_ip} = true;

    ); # if intrusion not yet reported

  ); # if timestamp is the same

  # Remember the timestamp of this password attempt, for this username
  @'v.password_attempt_times'{username} = date_time;

); # if PASS
NOTE: This script uses new syntax available only in Sawmill 8. If you're using Sawmill 7, you will need to use equivalent syntax, e.g., node_exists instead of "?", and subnode_by_name() instead of "@{}".
The lines beginning with # are comments, and they describe the operation of the log filter in detail. Some further notes:
- The log filter uses the node v.password_attempt_times to remember the timestamps of previous password attempts on this user. This is a string-to-string map which maps usernames to the date_time values of the previous login attempt.
- The log filter uses the node v.intrusion_reported_for_ip to keep track of which IPs have already been reported. IP addresses are in this map only after they have been reported.
- The log filter uses send_email() to send email to admin@yourplace.com when an intrusion needs to be reported. The final parameter must be an SMTP server which accepts unauthenticated connections for the recipient (e.g., their MX server).
Advanced Topic: Real-Time Alerting From Streaming Log Data
If the log filter we've created above is in a profile when you build a database, it will trigger all alerts for the dataset during the build. This is fine for getting after-the-fact information about the intrusion, but if you want to be alerted as intrusions occur, you need to stream the log data into Sawmill as it is generated. This is best done with a command line log source, which monitors the log files and dumps new data to its standard output stream as it appears in the log files (UNIX "tail -f" is a simple example of this). This requires an external script to do the monitoring; once you have created such a script, you can do real-time alerting by doing a Real-Time database build (using the Real-Time feature of Sawmill 8 Enterprise), or using streaming alerting with the "-a pl" option (see the May 2007 Newsletter).
[Article revision v1.0]