1. Trang chủ
  2. » Công Nghệ Thông Tin

Tài liệu A collection of various computer and security logs pdf

39 739 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 39
Dung lượng 225,34 KB

Nội dung

A collection of various computer and security logs The logs contained in this document are divided in four categories The categories are router, firewall, Intrusion Detection Systems (IDS) and miscellaneous These logs are meet to be used as reference to identify the type of software that generated a log model and if necessary, how they can be interpreted Copyright  Guy Bruneau, 2000-2001 All rights reserved Router • • • Ascend Cisco Cisco ACL Firewall • • • • • • • • • • • • • Gauntlet Raptor IPFilter (FreeBSD, OpenBSD) IPChains (Linux) ConSeal Firewall (Windows) ZoneAlarm (Windows) Cisco PIX SonicWall SOHO Cyberguard EnterNet Check Point FireWall-1 3Com OfficeConnect Internet Firewall 25 (Appliance) Norton Internet Security 2001 – Family Edition Intrusion Detection Systems • • • • • • • • Snort Snortsnarf Shadow SecureNet Pro BlackICE Defender ClearICE report (BlackICE) PortSentry Rainbow Diamond The meaning of various computer and security logs Page of 39 • • • • • Argus RealSecure RSLog Cisco Secure IDS Pakemon Alert Pakemon Dump Miscellaneous • • • • • • • • • • • • • • • • • • • • ASCTcpdump TCPLogd UNIX messages Apache access Apache error Ethereal Protolog TCP Protolog UDP Protolog ICMP Windows NT Security log Sniffer Pro Samba NMB Samba SMB Solaris snoop TCPDump TCPDump and DNS TCPDump ICMP and TCP stimulus response IP and TCP IP and UDP IP and ICMP Revision history: Guy Bruneau, version 0.5 – 14 February 2001 The meaning of various computer and security logs Page of 39 Router Logs Ascend router Oct 24 01:03:13 192.168.101.20 ASCEND: wan4 tcp 192.168.101.2;9704 192.168.1.1(16), packet Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), packet Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), packet Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), packet Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), packet More information available at: http://www.networkingunlimited.com/white007.html The meaning of various computer and security logs Page of 39 Cisco ACL access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23 access-list 101 permit ip any any (implicit deny all) interface ethernet ip access-group 101 out Access-list Command 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23 permit ip any any ip access-group 101 Command out Description Access list number, indicates extended IP access list Traffic that matches selected parameters will not be forwarded Transport-layer protocol Source IP address and mask; the first three octets must match but not care about the last octet Match any destination IP address Specifies well-known port number for Telnet Traffic that matches selected parameters will be forwarded Any IP protocol Keyword matching traffic from any source Keyword matching traffic to any destination Description Links access list 101 to interface E0 as an output filter Access control lists (ACL) offer another powerful tool for network control These lists add the flexibility to filter the packet flow in or out router interfaces Such control can help limit network traffic and restrict network use by certain users or devices For TCP/IP packet filtering, Cisco IOS has two types of access list, standard and extended Here is a brief description of what they are used for: • Standard access list (1 to 99) check source IP address • Extended access list (100 to 199) check source and destination IP, and specific protocols, TCP and UDP port numbers The meaning of various computer and security logs Page of 39 Access List Type IP Standard Extended Named IPX Standard Extended SAP filters Named Number Range/Identifier - 99 100 - 199 Name (Cisco IOS 11.2 and later) 800 - 899 900 - 999 1000 - 1099 Name (Cisco IOS 11.2.F and later) More information available at: http://www.cisco.com/univercd/cc/td/doc/product/voice/ics7750/tblshoot/tstcp.htm Firewall Logs Gauntlet Firewall Oct 24 08:47:16 server kernel: securityalert: tcp if=ef0 from 10.60.255.46:1720 to 10.4.12.99 on unserved port 27374 Oct 24 11:45:05 server kernel: securityalert: tcp if=ef0 from 192.168.146.16:3626 to 10.4.12.99 on unserved port 20139 Oct 24 11:48:53 server kernel: securityalert: udp if=ef0 from 10.9.6.53:61036 to 10.4.12.99 on unserved port 137 Oct 24 17:40:49 server kernel: securityalert: tcp if=ef0 from 10.7.28.13:9704 to 10.4.12.99 on unserved port 9704 More information available at: http://www.pgp.com/products/config-guide.asp#gauntlet Raptor Firewall Sep 14:50:02.282 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to noninformation ICMP (hsa1.sdg net[192.168.5.13]->10.253.5.62: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.5.62->202.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 44301->12489}) received on interface 10.253.4.1 Sep 15:26:07.955 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to noninformation ICMP (pb-nap.net[1.32.128.39]->10.253.2.52: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.2.52->10.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 1611->7024}) received on interface 10.253.4.1 Sep 15:52:56.268 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to noninformation ICMP (Level.net[192.168.2.23]->10.253.5.86: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.5.86->10.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 48137->17684}) received on interface 10.253.4.1 Sep 15:53:27.755 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to noninformation ICMP (above.sea.above.net[192.168.175.105]->10.253.5.12: Protocol=ICMP[Unreachable The meaning of various computer and security logs Page of 39 (host)] {Inner: 10.253.5.12->10.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 39965>6563}) received on interface 10.253.4.1 Field Sep 15:53:27.755 Kernel 120 ICMP Info: Not sending ICMP Unreachable in response to noninformation ICMP Above.sea.above.net[192.168.175.105] 10.253.5.12 Protocol=ICMP Meaning of field Timestamp Device name Service error Informational field Source name, IP address Destination IP address Protocol More information available at: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=2667 029 IPfilter firewall This firewall is used with OpenBSD and FreeBSD Unix systems Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 icmp len 20 29 icmp 13/0 IN Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129826 icmp len 20 29 icmp 14/0 IN Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129861 icmp len 20 29 icmp 15/0 IN Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129897 icmp len 20 29 icmp 16/0 IN Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129933 icmp len 20 29 icmp 17/0 IN Meaning of field Date/Time group Host name Firewall type/process ID Timestamp Interface Rule designator that “fired” Permit/block rule Source IP Destination IP Protocol identifier Protocol specific info Traffic flow rl0 @0:1 p 10.245.45.90 -> my-fw PR rl0 @0:1 p 10.46.101.79 -> my-fw PR rl0 @0:1 p 10.208.1.4 -> my-fw PR rl0 @0:1 p 10.129.70.57 -> my-fw PR rl0 @0:1 p 10.0.231.109 -> my-fw PR field Aug 15 10:11:49 quasi-evil ipmon[28775] 10:11:49.129790 rl0 @0:1 p 10.245.45.90 my-fw PR (PSH & RST) icmp len 20 29 icmp 13/0 IN The meaning of various computer and security logs Page of 39 More information available at: http://www.obfuscation.org/ipf/ IPChains Firewall Jun 11:11:49 mail kernel: Packet log: input REJECT eth0 PROTO=17 10.100.1.228:57048 192.168.1.211:137 L=78 S=0x00 I=53412 F=0x0000 T=108 (#3) Field Date & Time Hostname Syslog Facility Example Jun 11:11:49 Mail kernel: Packet log: Chain Name Input Action Taken REJECT Interface Protocol # eth0 PROTO=17 Source Destination Length TOS ID 10.100.1.228:57048 192.168.1.211:137 L=78 S=0x00 I=53412 Fragment Offset TTL Rule # F=0x0000 T=108 (#3) Description Date and time that the packet was logged The hostname of the computer The syslog level at which the syslog event occurred Should always be ‘kernel’ ‘Packet log:’ is appended for clarity’s sake and can be used in searching the logs The chain to which the rule is attached to Possible values are: input, output and forward How the packet was handled Possible values are: ACCEPT, REJECT, DENY, MASQ, REDIRECT and RETURN The network interface on which the packet was detected The protocol of the packet Common values are: (ICMP), (TCP), and 17 (UDP) ICMP traffic is also displayed with the ICMP code The source IP address and port number of the packet The destination IP address and port number of the packet The total length of the packet The ‘Type of Service’ values from the packet Either the Packet ID or the segment that the TCP fragment belongs to If the packet is part of a fragment, this field contains the fragment offset The time-to-live values from the packet The rule number that logged this entry More information is available at: http://ldp.iol.it/HOWTO/IPCHAINS-HOWTO.html ConSeal firewall 2000/01/03 6:14:20 PM GMT -0500: AcerLAN ALN-325 [0000][Ref# 3] Blocking outgoing ICMP: src=10.12.63.10, dst=192.168.15.113, type 2000/01/04 4:58:21 AM GMT -0500: AcerLAN ALN-325 [0000][No matching rule] Blocking incoming UDP: src=192.168.240.143, dst=10.12.63.10, sport=31790, dport=31789 2000/01/04 5:32:54 PM GMT -0500: AcerLAN ALN-325 [0000][Ref# 3] Blocking incoming ICMP: src=10.112.60.254, dst=10.12.63.10, type 2000/01/04 6:30:01 PM GMT -0500: AcerLAN ALN-325 [0000][No matching rule] Blocking incoming UDP: src=192.168.240.143, dst=10.12.63.10, sport=31790, dport=31789 The meaning of various computer and security logs Page of 39 2000/01/04 9:48:24 PM GMT -0500: AcerLAN ALN-325 [0000][No matching rule] Blocking incoming ICMP: src=10.112.86.167, dst=10.112.87.255, type 11 More information available at: http://www.consealfirewall.com ZoneAlarm (Windows 9x/NT) ZoneAlarm Basic Logging Client v2.1.3 Windows NT-4.0.1381-Service Pack 5-SP type date time source FWIN FWIN FWIN PE PE FWIN PE PE FWIN FWIN 192.168.120.24:1364 192.168.209.246:161 192.168.120.24:0 192.168.209.246:0 192.168.1.150:0 192.168.209.246:0 Telnet Program 10.0.0.120:10023 Telnet Program 10.0.0.120:10023 192.168.120.24:0 192.168.209.246:0 Telnet Program 10.0.0.120:10023 Telnet Program 10.0.0.120:10023 192.168.1.151:0 192.168.209.246:0 192.168.1.150:0 192.168.209.246:0 2000/04/28 2000/04/28 2000/04/28 2000/04/28 2000/04/28 2000/04/28 2000/04/28 2000/04/28 2000/04/28 2000/04/28 09:48:24 -5:00 GMT 10:02:34 -5:00 GMT 10:33:44 -5:00 GMT 11:03:35 -5:00 GMT 11:04:58 -5:00 GMT 11:05:24 -5:00 GMT 11:05:29 -5:00 GMT 11:06:23 -5:00 GMT 11:12:32 -5:00 GMT 11:37:50 -5:00 GMT Meaning Type (Firewall Input) Date (yyyy/mm/dd) Time (GMT-00:00) Source IP Source Port Destination IP Destination Port Transport Protocol (ICMP/TCP/UDP/IGMP) destination transport Firewall information FWIN 2000/04/28 09:48:24 -5:00 GMT 192.168.120.24 1364 192.168.209.246 161 UDP More information available at: http://www.zonealarm.com Cisco PIX Firewall Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-2-106001: Inbound TCP connection denied from 12.20.64.120/10101 to cidr.addr.pool.98/111 flags SYN on interface outside Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.101/111 Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.102/111 Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.103/111 Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate) tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.108/111 The meaning of various computer and security logs Page of 39 UDP ICMP ICMP ICMP ICMP ICMP More information available at: http://www.cisco.com SonicWall SOHO 11/01/2000 23:56:30.208 - Sub Seven Attack Dropped Source:10.21.187.87, 4426, WAN - Destination:10.110.193.10, 1243, LAN 11/01/2000 23:56:30.768 - Sub Seven Attack Dropped Source:10.21.187.87, 4426, WAN - Destination:10.110.193.10, 1243, LAN 11/02/2000 00:09:34.592 - Sub Seven Attack Dropped Source:10.21.187.87, 2012, WAN - Destination:10.110.193.10, 1243, LAN 11/02/2000 00:09:35.144 - Sub Seven Attack Dropped Source:10.21.187.87, 2012, WAN - Destination:10.110.193.10, 1243, LAN More information available at: http://www.sonicwall.com/products/soho/index.html Cyberguard 2000/07/06 00:14:55: http: 10.250.1.30 - 192.168.1.138 :14055: connection established 2000/07/06 00:14:55: http: 10.125.10.100 > 192.168.78.173 :14080: GET / HTTP/1.0 2000/07/06 00:14:55: http: 10.125.10.100 - 192.168.78.173 :14080: access to web site 192.168.78.173 denied 2000/07/06 00:14:56: http: 10.125.10.100 < 192.168.1.138 :14055: Content-type: text/html, Contentlength: 2000/07/06 00:14:56: http: 10.125.10.100 - 192.168.1.138 :14055: connection closed 2000/07/06 00:14:57: http: 10.125.10.100 > 192.168.1.57 :14075: GET /image.ng/Params.richmedia=yes&uniqueID=unique_id&size=468x60&site=cbcca&zone=news§or=1&pa geloc=1 HTTP/1.0 2000/07/06 00:14:57: http: 10.125.10.100 - 192.168.1.57 :14075: connection established 2000/07/06 00:14:57: http: 10.125.10.100 < 192.168.1.57 :14075: Content-type: text/html, Contentlength: 305 2000/07/06 00:14:57: http: 10.125.10.100 - 192.168.1.57 :14075: connection closed 2000/07/06 00:14:57: http: 10.125.10.100 > 192.168.1.57 :14077: GET /image.ng/Params.richmedia=yes&uniqueID=unique_id&size=468x60&site=cbcca&zone=news§or=1&pa geloc=1 HTTP/1.0 2000/07/06 00:14:58: http: 10.125.10.100 - 192.168.1.57 :14077: connection established 2000/07/06 00:14:58: http: 10.125.10.100 < 192.168.1.57 :14077: Content-type: text/html, Contentlength: 305 2000/07/06 00:14:58: http: 10.125.10.100 - 192.168.1.57 :14077: connection closed Meaning Date/Time Destination Port Firewall Address Direction of the connection Address firewall is connecting to Source port Firewall information 2000/07/06 00:14:55: http: 10.250.1.30 (Initial or closure) (out) > or < (in) 192.168.1.138 14055: The meaning of various computer and security logs Page of 39 Firewall comments connection established More information available at: http://www.cyberguardcorp.com EnterNet 1999-12-14 18:15:30 192.168.1.1 Category: DROP Access Rule 6: Disallowed source IP address ENet 0040:95a0:9d21 -> 0010:4b99:0487, type 0x0800, len 93 IP 90.0.0.1->10.0.0.2 IHL:20 DataLen:59 Proto:UDP UDP netbios-ns->domain DataLen:51 DNS Query : SeqNo=030c OpCode:0(STD_QRY) More information available at: http://www.enternet.net Check Point FireWall-1 Time Origin Action Dst Port Src IP Dst IP Protocol Src Port 11:11:11 11:11:12 11:11:12 11:11:12 11:11:18 11:11:19 11:11:21 11:11:22 Firewall-1 Firewall-1 Firewall-1 Firewall-1 Firewall-1 Firewall-1 Firewall-1 Firewall-1 reject reject reject reject reject reject reject reject 80 23 8001 8080 755 1409 1604 9200 192.168.59.9 192.168.59.9 192.168.59.9 192.168.59.9 192.168.59.9 192.168.59.9 192.168.59.9 192.168.59.9 172.15.100.5 172.15.100.5 172.15.100.5 172.15.100.5 172.15.100.5 172.15.100.5 172.15.100.5 172.15.100.5 Tcp Tcp Tcp Tcp Tcp Tcp Tcp Tcp 1111 1111 1111 1111 1111 1111 1111 1111 More information available at: http://www.checkpoint.com/products/firewall-1/ 3Com OfficeConnect Internet Firewall 25 Note: due to NAT on Internet side of firewall, attacked host IP is shown as 192.168.99.12 Times are shown as UTC Numbers following source and destination IP are the port numbers UTC 11/22/2000 04:04:13.128 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule UTC 11/22/2000 04:04:14.000 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule Times are shown as local The above events get reported in syslog by the firewall in the following format: The meaning of various computer and security logs Page 10 of 39 = Urgent: Not set = Acknowledgment: Set = Push: Not set .0 = Reset: Not set = Syn: Not set = Fin: Not set Window size: 8280 Checksum: 0xc47d More information available at: http://www.ethereal.com Protolog TCP -Protolog TCP logger - Begins at Thu Apr 20 04:46:54 2000 Date - Source IP - Domain Name - dst port- Service name -16:37:56 04/20/100 192.168.30.1 (Seeker.erin.com ) 4808 (4808 ) 16:37:56 04/20/100 192.168.30.1 (Seeker.erin.com ) 113 (auth ) 16:37:56 04/20/100 192.168.30.1 (Seeker.erin.com ) 4807 (4807 ) 16:37:56 04/20/100 192.168.30.1 (Seeker.erin.com ) 25 (smtp ) 16:37:56 04/20/100 192.168.30.1 (Seeker.erin.com ) 25 (smtp ) 17:18:26 04/20/100 192.168.30.10 (starbase1.erin.com ) 110 (pop3 ) 17:17:30 04/20/100 192.168.30.10 (starbase1.erin.com ) 80 (www ) 17:17:30 04/20/100 192.168.30.10 (starbase1.erin.com ) 1243 (1243 ) More information available at: http://www.doclib.org/Linux/system/network/monitor/protolog-1.0.8/index.html Protolog UDP -Protolog UDP logger - Begins at Thu Apr 20 04:46:54 2000 -Ignore hostname/mask enabled : Mask : 255.255.255.0 : Ignore host mask: 10.2.9.0 : Mask : 255.255.255.255 : Ignore host mask: 10.112.32.8 Date - Source IP - Domain Name -dst port - Service name -17:13:23 04/20/100 192.168.30.10 (starbase1.erin.com ) 67 (bootps ) 17:13:23 04/20/100 127.0.0.1 (localhost ) 137 (netbios-ns ) The meaning of various computer and security logs Page 25 of 39 17:03:53 04/20/100 10.2.0.27 17:03:54 04/20/100 127.0.0.1 (name.sever.net ) (localhost ) 53 137 (domain ) (netbios-ns ) More information available at: http://www.doclib.org/Linux/system/network/monitor/protolog-1.0.8/index.html Protolog ICMP -Protolog ICMP logger - Begins at Thu Apr 20 04:46:54 2000 -Ignore hostname/mask enabled : Mask : 255.255.255.255 : Ignore host mask: 10.1.9.33 Date - Source IP - Domain Name - ICMP type -code -16:12:19 04/20/100 192.168.9.15 (posted ) Time Exceeded 16:13:30 04/20/100 127.0.0.1 (localhost ) Dest Unreachable 16:15:54 04/20/100 10.123.117.24 (reached.ppp ) Echo Request 16:32:39 04/20/100 127.0.0.1 (localhost ) Dest Unreachable 16:38:34 04/20/100 192.168.30.1 (Seeker.erin.ca ) Dest Unreachable 16:55:51 04/20/100 192.168.30.10 (starbase1.erin.ca) Echo Reply More information available at: http://www.doclib.org/Linux/system/network/monitor/protolog-1.0.8/index.html Windows NT Security log 21/04/00 2:00:36 PM Security Failure Audit Logon/Logoff 529 AUTHORITY\SYSTEM SECURITY-CONSCIOUS Logon Failure: Reason: Unknown user name or bad password User Name: seeker Domain: SECURITY-CONSCIOUS Logon Type: Logon Process: User32 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SECURITY-CONSCIOUS 21/04/00 12:15:38 PM Security Success Audit Policy Change Administrator SECURITY-CONSCIOUS Audit Policy Change: New Policy: The meaning of various computer and security logs Page 26 of 39 NT 612 Success Failure + System + + Logon/Logoff + Object Access Privilege Use Detailed Tracking + + Policy Change Account Management Changed By: User Name: Administrator Domain Name: SECURITY-CONSCIOUS Logon ID: (0x0,0x924FB) Sniffer Pro Frame Src Address Dst Address Size Abs Time Summary [10.30.218.54] [192.168.11.3] SEQ=2959551080 LEN=0 WIN=32120 [10.30.218.54] [192.168.11.3] SEQ=3216854501 LEN=0 WIN=32120 [10.30.218.54] [192.168.11.3] SEQ=1734404 LEN=0 WIN=32120 [10.30.218.54] [192.168.11.3] SEQ=2481137249 LEN=0 WIN=32120 [10.30.218.54] [192.168.11.3] SEQ=3575336282 LEN=0 WIN=32120 74 11/17/2000 09:59:34 AM TCP: D=25 S=1973 SYN 74 11/17/2000 09:59:34 AM TCP: D=25 S=1955 SYN 74 11/17/2000 09:59:34 AM TCP: D=25 S=1940 SYN 74 11/17/2000 09:59:34 AM TCP: D=25 S=1923 SYN 74 11/17/2000 09:59:34 AM TCP: D=25 S=1908 SYN More information available at: http://www.snifferpro.co.uk/ Samba NMB [2000/11/12 13:40:57, 1] nmbd/nmbd.c:main(684) Netbios nameserver version 2.0.5a started Copyright Andrew Tridgell 1994-1998 [2000/11/12 13:40:57, 0] nmbd/nmbd_logonnames.c:add_logon_names(159) add_domain_logon_names: Attempting to become logon server for workgroup PLAY on subnet 192.168.30.1 [2000/11/12 13:41:01, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(118) become_logon_server_success: Samba is now a logon server for workgroup PLAY on subnet 192.168.30.1 [2000/11/14 05:40:44, 0] nmbd/nmbd.c:sig_hup(95) Got SIGHUP dumping debug info [2000/11/14 05:40:44, 0] nmbd/nmbd_workgroupdb.c:dump_workgroups(308) dump_workgroups() dump workgroup on subnet 192.168.30.1: netmask= 255.255.254.0: The meaning of various computer and security logs Page 27 of 39 PLAY(1) current master browser = STARBASE1 SEEKER 40009b0b (Samba Server) [2000/11/14 05:40:50, 0] nmbd/nmbd.c:sig_term(68) Got SIGTERM: going down [2000/11/14 10:05:38, 1] nmbd/nmbd.c:main(684) Netbios nameserver version 2.0.5a started Copyright Andrew Tridgell 1994-1998 [2000/11/14 10:05:38, 0] nmbd/nmbd_logonnames.c:add_logon_names(159) add_domain_logon_names: Attempting to become logon server for workgroup PLAY on subnet 192.168.30.1 [2000/11/14 10:05:42, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(118) become_logon_server_success: Samba is now a logon server for workgroup PLAY on subnet 192.168.30.1 More information available at: http://www.samba.org Samba SMB [2000/11/13 14:05:13, 1] smbd/service.c:make_connection(521) starbase1 (192.168.30.10) connect to service guy as user guy (uid=1000, gid=100) (pid 2357) [2000/11/13 14:05:13, 0] smbd/oplock.c:oplock_break(948) oplock_break: no break received from client within 30 seconds oplock_break failed for file Program Files/Microsoft Office/Office/PSS8.HLP (dev = 341, inode = 418499) [2000/11/13 14:05:13, 0] smbd/oplock.c:oplock_break(992) oplock_break: client failure in break - shutting down this smbd [2000/11/13 14:05:13, 1] smbd/service.c:close_cnum(557) starbase1 (0.0.0.0) closed connection to service guy [2000/11/13 14:05:13, 1] smbd/service.c:close_cnum(557) starbase1 (0.0.0.0) closed connection to service share [2000/11/14 09:46:55, 1] smbd/password.c:pass_check_smb(532) smb_password_check failed Invalid password given for user 'joe' More information available at: http://www.samba.org Solaris snoop ftp.merchant.com -> cloak.seek.net HTTP (body) cloak.seek.net -> ftp.merchant.com HTTP C port=1186 ftp.merchant.com -> cloak.seek.net HTTP (body) The meaning of various computer and security logs Page 28 of 39 cloak.seek.net -> ftp.merchant.com HTTP C port=1186 ftp.merchant.com -> cloak.seek.net HTTP (body) 192.168.224.106 -> 192.168.22.173 HTTP R port=1647 192.168.22.173 -> 192.168.224.106 HTTP C port=1647 192.168.224.106 -> 192.168.22.173 HTTP R port=1648 192.168.224.106 -> 192.168.22.173 HTTP R port=1649 192.168.22.173 -> 192.168.224.106 HTTP C port=1648 192.168.22.173 -> 192.168.224.106 HTTP C port=1649 192.168.22.178 -> (broadcast) ARP C Who is 192.168.22.14, host-gw2.seek.net ? More information available at: http://www.cis.ohio-state.edu/htbin/rfc/rfc1761.html TCPDump log 10:46:35.080330 10.225.86.207.1976 > 192.168.23.82.1243: S 6246565:6246565(0) win 8192 (DF) 10:46:35.081749 192.168.255.10.27623 > 10.25.71.20.80: P 1:257(256) ack win 8704 10:46:35.090753 10.146.240.86.43307 > 192.168.96.10.80: P 13823:14152(329) ack 134754 win 8280 (DF) 10:46:35.093603 10.225.86.207.1985 > 192.168.23.91.1243: S 6246580:6246580(0) win 8192 (DF) 10:46:35.097322 192.102.198.160.80 > 192.168.114.60.1025: S 2677642199:2677642199(0) ack 551722 win 29200 (DF) 10:46:35.100459 10.225.86.207.1989 > 192.168.23.95.1243: S 6246585:6246585(0) win 8192 (DF) 10:46:35.103192 192.168.114.49.1637 > 10.101.251.59.110: P 31:37(6) ack 154 win 8423 (DF) 10:46:35.107709 192.168.96.10.80 > 10.146.240.86.43307: P 138894:139965(1071) ack 14152 win 6968 (DF) 10:46:35.116015 10.225.86.207.1991 > 192.168.23.97.1243: S 6246587:6246587(0) win 8192 (DF) 10:46:35.121536 192.168.255.10.27623 > 10.25.71.20.80: P 257:550(293) ack win 8704 10:46:35.122375 10.101.251.59.110 > 192.168.114.49.1637: P 154:163(9) ack 37 win 9112 (DF) More information available at: http://www.tcpdump.org The meaning of various computer and security logs Page 29 of 39 TCPDump and DNS Intrusion Analyst Packet Header Chart TCPDump DNS output Resolution - The maximum allowable size for a UDP DNS response is 512 bytes - Minimum of 20 bytes reserved for IP header - Eight must be reserved for UDP header - This leaves 484 bytes for the DNS message - IF the DNS datagram response exceeds 484 bytes, the response returns an answer with the truncated bit turned on - The information will then be passed on via TCP protocol Blocking inbound traffic to tcp port 53 will prevent unauthorized zone transfers This will also prevent any external host from resolving large responses Trace host.my.com.321 dns.my.com.domain: 1+ (35) - Ident field (1) - Recursion Desired (+) - Length (35) Trace h.root-servers.net.domain dns.my.com.domain: 12420- Ident field (12420) - Recursion not available (-) Trace seeker.net.domain dns.my.com.domain: 12421* 1/3/3 - This is an authoritative answer (*) - One answer/ three authoritative records/three additional records (1/3/3) Trace dns.verbose.com.domain dns.my.com.domain: 18033| 7/0/0 (494) (DF) - DNS ID field (18033) - DNS record has been truncated (|) - One answer/ three authoritative records/three additional records (7/0/0) - Length (494) - Don't Frag bit set (DF) The meaning of various computer and security logs Page 30 of 39 Trace query.net.2002 dns1.my.com.domain: 1243 inv_q+ [b2&3=0x980] A? (27) - DNS ID field (1243) - Inverse query with recursion desired (inv_q+) - Bytes (b2&3) - Hex value (0x980) - Address query type A (See chart below) and it is a query (?) - Length (27) Trace dns1.my.com.domain query.net.2002: 1243 inv_q Refused [0q] 1/0/0 (27) - DNS ID (1243) - Inverse query (inv_q) - Positive ID The name server responded to the query (Refused) - No question (0q) - One answer/zero authoritative records/no additional records (1/0/0) - Length (27) Name (Type) A NS CNAME PTR HINFO MX AXFR or ANY Numeric Value 12 13 15 252 255 Description Type? Query type? IP address Name server Canonical name Pointer record Host info Mail exchange record Request for zone transfer Request for all records * * * * * * * * * * * * * * Reference: TCP/IP Illustrated Volume 1, The Protocols, W Richard Stevens The meaning of various computer and security logs Page 31 of 39 TCPDump ICMP and TCP stimulus response ICMP error messages ICMP provides a means of communicating between hosts or routers to alert either one there is a problem(s) Timestamp request/reply This one is a request by one host to another host to return its current time of day This may be used by two hosts to have their clocks synchronized sending.host > destination.host: icmp: time stamp request destination.host > sending.host: icmp: time stamp reply Host Unreachable No host resides at the request IP address, temporarily unavailable or encountering configuration problems The router will then return and error message router > sending.host:ICMP host destination.host unreachable Port Unreachable This is how the destination source.host informs a sending host that a requested UDP port is not listening UDP has no built in mechanism to report errors so it enlists ICMP to it Under TCP, it informs a sending host that a port was not active It returned a TCP packet with the RST/ACK flags set to indicate that the port was not listening destination.host > source.host: icmp: destination.host udp port 31337 unreachable (DF) Admin Prohibited The router has an access control list that prohibits certain types of traffic from entering network such as port blocked, protocol blocked, source IP or subnet that is denied access router > source.host: icmp: host destination.host unreachable - admin prohibited Redirect A router informs the sending host that this is not the optimum router to be used to send the traffic to the destination The non-optimum router forward the traffic to the destination, but informs the sending hosts to change its routing table to a more optimum router next time it has to send traffic to the same host non-optimum.router > source.host: icmp redirect destination.host to net optimum.router The meaning of various computer and security logs Page 32 of 39 Fragmentation required, DF flag set The router discovers a datagram that is send over a network which is too large, it then discards the datagram and sends ICMP error message back to source host, this error message contains the MTU of the network that requires fragmentation Some hosts will intentionally send an initial datagram across the network with the DF flag set as a way to discover the MTU for a particular source to destination router > source.host: icmp: destination.host unreachable - need to frag (mtu 1250) Time exceeded in-transit If the TTL becomes 0, the router will discard datagram and send error message ICMP time exceeded in-transit back to source host This is a way for TCP/IP to flush from a network lost datagrams It is a count of "hops to live" before being discarded from the network routerx > source.host: icmp: time exceeded in-transit [tos 0xc0] Reassembly time exceeded When a destination host receives fragmented datagrams, it begins a timer when the first fragmented datagram arrives If the timer expires and all the fragment have not arrived, it returns an ICMP reassembly time exceeded error back to the source host This ensures the destination host doesn't tie up resources waiting for all fragments to arrive destination.host > source.host: icmp: ip reassembly time exceeded (DF) Address mask The ICMP address mask request is intended for a diskless system to obtain its subnet mask at bootstrap time The requesting system broadcasts its ICMP request However, others may use this to determine a subnet mask of a network to find out how many hosts reside on the network source.host > destination.host icmp: address mask request destination.host > source.host icmp: address mask is 0xffffffe0 TCP STIMULUS Listening server > If a service is permitted and there are no other implementations, the expected response will be a SYN/ACK This means the service exist and is capable of establishing a connection The meaning of various computer and security logs Page 33 of 39 Non listening server > Reset is generated by attempt to open a connection to a nonexistent port, the expected response will be a RESET/ACK This means an abrupt termination of the connection Destination host doesn't exist > A router will respond to such a situation where a host is incapable of responding such as; the IP address no longer exist or it has some kind of misconfiguration problem The expected response from the router will be an icmp: host unreachable Service blocked by router > If the port is blocked by a router, the expected response will be an icmp: host unreachable – admin prohibited filter Service blocked, router silenced > If there is no icmp error message to inform the host who initiated the request that something is wrong, the host will continue to try to connect After the maximum number of retries has been reached, it will give up on the connection (the number of retries depends on OS) The meaning of various computer and security logs Page 34 of 39 Intrusion Analyst Packet Header Chart IP and TCP 31 4-bit version 4-bit header length 82 8-bit type of service (TOS) 7620 16-bit identification 3-bit flags 80 8-bit time to live (TTL) 06 8-bit protocol 002c 16-bit total length (in bytes) 4000 (DF) or 2000 (MF) or 0000 13-bit fragment offset c6cb 16-bit header checksum c0a8 1e0c 32-bit source IP address c0a8 1e01 32-bit destination IP address Options (if any) 040e 16-bit source port number 0017 16-bit destination ort number 0000 e875 32-bit sequence number 0000 0000 32-bit acknowledgment number 4-bit header length 002 reserved (6 bits) U ce2d 16-bit TCP checksum A P R S F Options (if any) 0204 05b4 Data (if any) The meaning of various computer and security logs Page 35 of 39 2000 16-bit window size 0000 16-urgent pointer 20:50:42.096190 Rover.1038 > Seeker.telnet: S 59509:59509(0) win 8192 (DF) [tos 0x82] 4582 002c 7620 4000 8006 c6cb c0a8 1e0c c0a8 1e01 040e 0017 0000 e875 0000 0000 6002 2000 ce2d 0000 0204 05b4 05b4 8-PROTOCOL NUMBERS In the Internet Protocol version (IPv4) [RFC791] there is a field, called "Protocol", to identify the next level protocol This is an bit field In Internet Protocol version (IPv6) [RFC1883] this field is called the "Next Header" field These protocols are bite of the IP field; 8-bit type of service (TOS) Assigned Internet Protocol Numbers Decimal Keyword Protocol HEX 17 41 43 44 50 51 88 89 ICMP IGMP TCP UDP IPv6 IPv6-Route IPv6-Frag ESP AH EIGRP OSPFIGP Internet Control Message Internet Group Management Transmission Control User Datagram Ipv6 Routing Header for IPv6 Fragment Header for IPv6 Encap Security Payload for IPv6 Authentication Header for IPv6 EIGRP OSPFIGP 0x01 0x02 0x06 0x11 0x29 0x2b 0x2c 0x32 0x33 0x58 0x59 Reference: TCP/IP Illustrated Volume 1, The Protocols, W Richard Stevens The meaning of various computer and security logs Page 36 of 39 Intrusion Analyst Packet Header Chart IP and UDP 31 4-bit version 4-bit header length 00 8-bit type of service (TOS) 4615 16-bit identification 3-bit flags 40 8-bit time to live (TTL) 11 8-bit protocol 0044 16-bit total length (in bytes) 4000 (DF) or 2000 (MF) or 0000 13-bit fragment offset d70d 16-bit header checksum c0a8 1e01 32-bit source IP address 8009 401a 32-bit destination IP address 0035 16-bit source port number 0030 0035 16-bit destination port number 7a8a 16-bit UDP length 16-bit UDP checksum a6ff 0000 Data (if any) 21:43:38.809994 seeker.domain > blackhole.isi.edu.domain: 42751 PTR? 3.0.17.10.in-addr.arpa (40) 4500 0044 4615 0000 4011 d70d c0a8 1e01 8009 401a 0035 0035 0030 7a8a a6ff 0000 0001 0000 0000 0000 0133 0130 0231 3702 3130 0769 6e2d 6164 6472 0461 7270 6100 000c 0001 The meaning of various computer and security logs Page 37 of 39 Intrusion Analyst Packet Header Chart IP and ICMP 31 4-bit version 4-bit header length 00 8-bit type of service (TOS) a624 16-bit identification 20 8-bit time to live (TTL) 3-bit flags 01 8-bit protocol 003c 16-bit total length (in bytes) 4000 (DF) or 2000 (MF) or 0000 13-bit fragment offset 373f 16-bit header checksum c0a8 1e0c 32-bit source IP address c0a8 1e01 32-bit destination IP address 08 8-bit message type 00 8-bit message code type 395c 16-bit checksum 0100 1300 Data (if any) 21:07:15.456145 Rover > Seeker: icmp: echo request 4500 003c a624 0000 2001 373f c0a8 1e0c E

Ngày đăng: 21/12/2013, 05:17

TỪ KHÓA LIÊN QUAN