Your Network Security Babelfish a.k.a. Security Event Actionable Log Parser Mike Halsall & Graeme Connell ©, Michael T. Halsall, 2006.

2 Why We’re Here
Scripting
Creativity
Automation

3 What We Had
Pure Cisco architecture
  – Managed switches, 802.1q trunking capable
  – Small SNMP/Net::Telnet based scripts
  – Logging (via syslog) to a central location

4 Evolution of a System
Purchased Bradford Networks’ Campus Manager
  – Forced us to trunk out to the edges to provide Registration VLAN, Quarantine VLAN and Penalty Box VLAN
  – Gave us a database centralizing users, their MAC addresses, their currently leased IP address and the port/switch they appear on, in real time

5 Campus Manager Benefits, Cont.
Forced black hole DNS techniques
Added multi-interfaced web server to handle each VLAN
Forced Windows Update for students
  – Used GP to force Updates for Fac/Staff

6 Purchased Enterprise Level IPS
Very fast Signature/Anomaly based detection of attacks
In-line, allowing us to drop attack packets
Custom signatures (not as nice as Snort)
Exports alerts, in real time, to syslog

7 Privateye’s Conception (v. 1.0)
Initially, a simple log parser (like swatch) for dealing with IPS logs
  – Hard-coded database capabilities
  – Threshold based
  – Ran external scripts

8 Privateye 1.0’s Config File
# ::: ::: ::: ::: :::
ID ::: 0x40009a00 ::: SH ::: shun.sh ${7} ::: 0 ::: week
ID ::: 0x49700500 ::: SH ::: penalty.sh ${4} ::: 5 ::: day
RE_NAME ::: /NULL/ ::: SH ::: shun.sh ${7} ::: 0 ::: week
RE_NAME ::: /Buffer Overflow/ ::: SH ::: shun.sh ${7} ::: 2 ::: week
RE_NAME ::: /Apache/ ::: MAIL ::: emails/email1.txt ::: 15 ::: hour

9 Problems With v. 1.0
Not extensible
Too specialized (IPS, CM)
Restrictive triggers
  – Inside/Outside
  – CM/Non-CM users
  – Standard/Non-standard ports

10 Privateye 2.0
Pushed functionality to config file
Object oriented
Complex trigger set
  – Boolean chaining (AND, OR, NOT)
  – Regular expressions
  – Math
Ability to remember user states

11 Privateye 2.0 Alert Data Flow
Input → AlertParser → UserHash → RuleList → Rule
Rule = Trigger + Threshold + Action

12 Input → AlertParser → UserHash → RuleList → Rule
Input vectors: log file (syslog data), TCP session, STDIN
Example syslog input (one IPS alert line):
#####2006-03-17 15:40:59 EST#####Medium#####irc#####Signature #####IRC: IRC Client Activity Detected#####140.233.203.41:1048 #####65.98.55.82:8080#####tcp#####Outbound#####0x40f00100

13 Input → AlertParser → UserHash → RuleList → Rule
AlertParser uses a regular expression to split the input into relevant fields.
#####2006-03-17 15:40:59 EST#####Medium#####irc#####Signature #####IRC: IRC Client Activity Detected#####140.233.203.41:1048 #####65.98.55.82:8080#####tcp#####Outbound#####0x40f00100
becomes
Severity: Medium
Input_IP: 140.233.203.41
Output_Port: 8080
CM_User: jstudent
Etc….

14 Input → AlertParser → UserHash → RuleList → Rule
The parsed alert (Severity: Medium, Input_IP: 140.233.203.41, Output_Port: 8080, CM_User: jstudent, etc.) becomes an entry under each user it applies to:
User_jstudent
User_everybody
User_inside
UserHash keys: User_abc, User_def, User_Everyone, User_inside, User_outside, User_jstudent, User_xyz, …
Each user entry (e.g. User_jstudent) holds per-rule state: Rule1 data, Rule2 data, Rule3 data, …

15 Input → AlertParser → UserHash → RuleList → Rule
Chain of rules
Checked serially
Rules can execute RuleLists
(Diagram: a RuleList of Rule 1 … Rule 5 whose rules invoke further RuleLists of Rule 1 … Rule 5)

16 Input → AlertParser → UserHash → RuleList → Rule
All rules are threshold based
Each rule contains
  – Trigger
  – Threshold data
  – Action
Example configuration:
TRIGGER ssh_scan SUBSTR name "SSH"
ACTION src_shun SH scripts/shun.pl "${src_ip}"
RULE ssh_scan_rule ssh_scan src_shun 5 60
Example matching alert:
#####2006-03-20 13:41:41 EST#####Informational#####ssh#####Signature #####SSH: SSH Version 1 Server Detected#####216.180.225.242:43346 #####140.233.190.2:22#####tcp#####Inbound#####0x45b00300
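The slides describe the AlertParser (slides 12 and 13), the per-user UserHash, and the Rule = Trigger + Threshold + Action model (slide 16) but show no code. The following is an added example written for this page, not Privateye's own code (which the deck says is Perl); it is in Python so it can be run as-is. It assumes the "5 60" threshold on slide 16 means "5 matching alerts within 60 seconds", that the threshold is counted per source IP (the UserHash key), and that field names follow slide 16's `${src_ip}` rather than slide 13's `Input_IP`. The sample alert lines are constructed from the two real alerts on the slides plus invented timestamps and an invented source 10.0.0.5; actions are recorded in a list instead of running an external script.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

SSH_NAME = "SSH: SSH Version 1 Server Detected"


def _alert(ts, src, dst, name=SSH_NAME, sev="Informational", cat="ssh",
           direction="Inbound", sig="0x45b00300"):
    """Build one alert line in the slides' '#####'-delimited format (constructed data)."""
    return "#####" + "#####".join([ts, sev, cat, "Signature", name, src, dst, "tcp", direction, sig])


# Constructed sample input: the IRC alert from slide 12, then SSH alerts modelled on
# slide 16 with shifted timestamps, plus one from an invented second source 10.0.0.5.
SAMPLE_ALERTS = [
    "#####2006-03-17 15:40:59 EST#####Medium#####irc#####Signature#####"
    "IRC: IRC Client Activity Detected#####140.233.203.41:1048#####"
    "65.98.55.82:8080#####tcp#####Outbound#####0x40f00100",
    _alert("2006-03-20 13:40:00 EST", "216.180.225.242:43300", "140.233.190.2:22"),
    _alert("2006-03-20 13:41:41 EST", "216.180.225.242:43346", "140.233.190.2:22"),
    _alert("2006-03-20 13:41:50 EST", "216.180.225.242:43351", "140.233.190.2:22"),
    _alert("2006-03-20 13:42:05 EST", "216.180.225.242:43360", "140.233.190.2:22"),
    _alert("2006-03-20 13:42:20 EST", "216.180.225.242:43371", "140.233.190.2:22"),
    _alert("2006-03-20 13:42:35 EST", "216.180.225.242:43380", "140.233.190.2:22"),
    _alert("2006-03-20 13:42:40 EST", "10.0.0.5:51000", "140.233.190.2:22"),
]

ALERT_FIELDS = ("timestamp", "severity", "category", "kind", "name",
                "src", "dst", "proto", "direction", "sig_id")


def parse_alert(line):
    """AlertParser: split one '#####'-delimited line into named fields."""
    parts = [p.strip() for p in re.split(r"#{5}", line.strip())]
    if parts and parts[0] == "":          # the line starts with the delimiter
        parts = parts[1:]
    if len(parts) != len(ALERT_FIELDS):
        raise ValueError(f"expected {len(ALERT_FIELDS)} fields, got {len(parts)}: {line!r}")
    alert = dict(zip(ALERT_FIELDS, parts))
    for side in ("src", "dst"):           # "ip:port" -> src_ip/src_port, dst_ip/dst_port
        ip, _, port = alert.pop(side).rpartition(":")
        alert[side + "_ip"], alert[side + "_port"] = ip, int(port)
    # The zone name is dropped; all alerts come from one IPS, so relative times suffice.
    stamp = datetime.strptime(alert["timestamp"][:19], "%Y-%m-%d %H:%M:%S")
    alert["epoch"] = calendar.timegm(stamp.timetuple())
    return alert


# Trigger combinators: the slides' SUBSTR trigger plus regex/equality and AND/OR/NOT chaining.
def SUBSTR(field, needle):
    return lambda a: needle in str(a.get(field, ""))


def RE(field, pattern):
    rx = re.compile(pattern)
    return lambda a: bool(rx.search(str(a.get(field, ""))))


def EQ(field, value):
    return lambda a: a.get(field) == value


def AND(*triggers):
    return lambda a: all(t(a) for t in triggers)


def OR(*triggers):
    return lambda a: any(t(a) for t in triggers)


def NOT(trigger):
    return lambda a: not trigger(a)


class Rule:
    """Rule = Trigger + Threshold + Action. The threshold 'count within window_s seconds'
    is tracked per user (the UserHash), keyed here on src_ip (an assumption)."""

    def __init__(self, name, trigger, action, count, window_s, key="src_ip"):
        self.name, self.trigger, self.action = name, trigger, action
        self.count, self.window_s, self.key = count, window_s, key
        self.seen = defaultdict(deque)    # user -> epoch times of matching alerts

    def feed(self, alert):
        """Return True if this alert pushed the user over the threshold and fired the action."""
        if not self.trigger(alert):
            return False
        hits = self.seen[alert[self.key]]
        hits.append(alert["epoch"])
        while hits and alert["epoch"] - hits[0] > self.window_s:
            hits.popleft()                # forget alerts that fell out of the window
        if len(hits) < self.count:
            return False
        hits.clear()                      # one burst fires the action once
        self.action(alert)
        return True


def run_sample():
    """Feed SAMPLE_ALERTS through two rules; actions are recorded, not executed."""
    fired = []
    rules = [
        # TRIGGER ssh_scan SUBSTR name "SSH" / RULE ssh_scan_rule ssh_scan src_shun 5 60
        Rule("ssh_scan_rule", SUBSTR("name", "SSH"),
             lambda a: fired.append(("shun", a["src_ip"])), count=5, window_s=60),
        # Outbound IRC client activity from an inside host: one alert is enough.
        Rule("irc_bot_rule", AND(SUBSTR("name", "IRC"), EQ("direction", "Outbound")),
             lambda a: fired.append(("penalty", a["src_ip"])), count=1, window_s=3600),
    ]
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        for rule in rules:                # RuleList: checked serially
            rule.feed(alert)
    return fired


if __name__ == "__main__":
    print(run_sample())
```

The first SSH alert (13:40:00) is more than 60 seconds older than the fifth, so it is expired from the window and the shun action fires only on the sixth alert, when five fall inside one minute; the single alert from 10.0.0.5 never reaches the threshold. Clearing the deque after firing is what keeps one burst from re-triggering the external action on every subsequent alert, which matters when the action is a firewall shun or a VLAN move rather than an appended tuple.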

17 Recap
Input → AlertParser → UserHash → RuleList → Rule

18 External Actions
Shun at firewall
  – Our IPS does not possess this capability for our model firewalls
Flip a port into penalty VLAN
  – Fortunately, we could do this via an SNMP trap to CM, maintaining central user status
  – We can also flip ports using the same technique below
Shut a port, if need be
  – Given an IP, find the port on campus network, even if not known to CM (CDP walk)
  – Send a port ‘shutdown’ command to the switch
Disconnect user from dial-in/VPN
TCP Reset
  – Out of band
  – Sends TCP resets to internal host when triggered (pattern match)

19 Current Network Layout
(Diagram components: Campus Manager, Hosts, Switch, FW, IPS, Privateye, Internal Network, Logging Server, The Internet, Sniffer VLAN, Webserver)

20 Privateye Input Vectors
(Same diagram, showing the inputs that feed Privateye)

21 Privateye Mitigation/Remediation Vectors
(Same diagram, showing the outputs: Firewall shun, VLAN switch, Port Shut, VLAN switch cont.)

22 Example: Single client infected by bot, sends bot command request out to IRC server

23 Example: IPS Alert seen by Privateye through Logging Server

24 Example: Privateye contacts Campus Manager, which switches client into quarantined VLAN (VLAN switch, VLAN switch cont.)

25 Example: Client redirected to web server by DNS black-holing, outside access to client disabled.

26 Example: Client and web server are now in same VLAN


28 FYI: How do they get here?
Document root’s index page is a PHP script
Get IP of machine user is coming from
Look at local ARP table to get user’s MAC address
Match MAC address to “Actions Done” DB table
  – Privateye updated this table when it told CM to place the user in Penalty
Redirect user to static “reason” page
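The lookup on slide 28 only works because, after the VLAN switch on slide 26, the client and the web server share a broadcast domain and so the client's MAC is in the web server's ARP table. The following is an added example (not the deck's PHP index page) in Python: it parses a constructed snapshot in the layout of Linux `/proc/net/arp`, resolves the requesting IP to a MAC, and matches it against a constructed stand-in for the “Actions Done” table. The reason-page paths are invented placeholders. The failure mode it handles is a client whose MAC cannot be resolved (not in the web server's VLAN, or an incomplete ARP entry), which must fall through to a generic page rather than someone else's reason.

```python
# Constructed snapshot in the layout of Linux /proc/net/arp (header line, then one
# entry per line); not data from the presentation. Flags 0x2 marks a resolved entry.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
140.233.203.41   0x1         0x2         00:11:22:33:44:55     *        eth1
140.233.203.77   0x1         0x0         00:00:00:00:00:00     *        eth1
"""

# Constructed stand-in for the "Actions Done" table that Privateye fills in when it
# tells Campus Manager to move a user into the Penalty VLAN.
SAMPLE_ACTIONS_DONE = [
    {"mac": "00:11:22:33:44:55", "action": "penalty", "reason": "IRC Botnet activity"},
]

ATF_COM = 0x2  # Linux ARP flag: entry is complete, i.e. the MAC was actually resolved


def parse_arp_table(text):
    """Map IP -> MAC for resolved entries only; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header line
        cols = line.split()
        if len(cols) < 4:
            continue
        ip, flags, mac = cols[0], int(cols[2], 16), cols[3].lower()
        if flags & ATF_COM:
            table[ip] = mac
    return table


def lookup_action(client_ip, arp_text=SAMPLE_ARP_TABLE, actions=SAMPLE_ACTIONS_DONE):
    """Return the 'Actions Done' record for the requesting client, or None.

    None means the MAC could not be resolved (client not in this VLAN, or the ARP
    entry is still incomplete) or no action is recorded for that MAC."""
    mac = parse_arp_table(arp_text).get(client_ip)
    if mac is None:
        return None
    for record in actions:
        if record["mac"].lower() == mac:
            return record
    return None


def reason_page(client_ip, arp_text=SAMPLE_ARP_TABLE, actions=SAMPLE_ACTIONS_DONE):
    """Static page to redirect to; '/reasons/...' paths are invented placeholders."""
    record = lookup_action(client_ip, arp_text, actions)
    if record is None:
        return "/reasons/unknown.html"
    return f"/reasons/{record['action']}.html"


if __name__ == "__main__":
    for ip in ("140.233.203.41", "140.233.203.77", "10.9.8.7"):
        print(ip, lookup_action(ip), reason_page(ip))
```

Keying the match on the MAC rather than the IP is what lets the page survive the DHCP lease the client receives in its new VLAN; checking the ATF_COM flag avoids matching the all-zero hardware address that an unresolved entry carries.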


30 Privateye 2.1
User flags: multi-alert correlation
Rule action thresholding
User-state backups
Real time configuration
Protected TCP sessions

31 Privateye Speed
It all depends…
  – Database lookups
  – Trigger types / complexity (regular expression? substring? equality?)
  – Script speed
Speed bottlenecks do occur in current version
  – Everything done serially
  – Second alert never starts until first is fully processed (including DB lookups, etc.) and all actions completed

32 The possibilities are endless…
(Diagram: Privateye fed by Web Server Logs, Logging Server, Scanning Logs, HoneyNet Logs and DarkNet Traffic; detections: Look for SQL Injection, Look for Port Scans, Look for Recon, Look for Misbehavior; Stats. via Unencrypted TCP Connection)

33 The possibilities are endless…
(Same diagram, adding Real Time Configuration via Encrypted TCP Connection)

34 What Privateye Has Handled
Version 2.0 was put into production in September, 2005
264 unique machines have visited the Penalty Box
  – 162 due to IRC Botnet activity
Successfully stopped virus proliferation as soon as rule was added, on 3 separate occasions
Mitigated thousands of attacks from outside world
  – Most popular: SSH Brute Force attacks, XMLRPC Exploits

35 IPS and CM Are Not Requirements
If you have managed switches, you can find clients on network using creative scripting
Snort can certainly be used
ARP manipulation can take the place of VLAN switching (not as secure)

36 Scripting
Be creative
  – Building blocks: small scripts beget big scripts
  – PHP, Net-SNMP, Perl (Net::Telnet::Cisco, cpan.org)
Automate the mundane
Obsolete yourself
Automate carefully

37 Questions?
