SECURE LOGGING IN A WINDOWS 2K ENVIRONMENT CONT...
Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.
You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=246159
Enjoy
Configuring BacklogIIS
Surprisingly enough, since they both came from the same "stable", BacklogIIS is similar in appearance and function to Snare. Install it on any server that provides public web access and configure it to report your IIS logs to the Log Server. Test it by connecting to one of the web servers and checking the log file on the Log Server for the new entry.
NOTE: Remember the point above that BacklogIIS will currently only transfer log entries that are written to %systemroot%\system32\logfiles. This means that if you have customized your log file paths in the IIS Manager you will need to return them to this path in order for this system to work.
Configuring your Firewall
I really can't help much here. This depends on your firewall and its ability to log natively to syslog, (in which case it's easy, point it at the Log Server). If it can log in a "clear" format, (not encrypted), then you might be able to capture it with another snort sensor that logs, (rather than alerting on them), all packets sent to the log server and reports them to it. If your system can only log in a proprietary encrypted format then I would suggest reassessing your firewall solution since, in my experience, those formats are large in size for the information that is really of use.
NOTE: If your system requires you to use another snort sensor to log packets, then let's be evil. Send them to a machine that does not exist. In that way the snort box will still pick them up, but if the cracker notices the traffic he'll waste a lot of resources and time trying to locate the non-existent log server. While he's doing that he may make the mistake that "keys" you to his presence.
Configuring the Syslog Snorts
According to the psd.conf file, (PureSecure executable configuration
file), it is possible to have PureSecure run three separate snort
services and therefore, technically, report to three different logging
systems. Frankly, I have never managed to make any "multiple"
installations work reliably. So I cheat....
Firstly, create a folder called Snort off the root of the Primary Sensor (c:\snort) and copy the snort executable to it from c:\puresecure\sensor\bin. Then copy and paste the snort configuration for the external interface from the PureSecure console into a Notepad file in the c:\snort folder and call the file external.conf.
Install srvany.exe and use instsrv.exe to create a new service called snortext. Use regedit to edit the registry, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\snortext and open it.
1. Add a new key called Parameters.
2. Add a new string value under Parameters called appDirectory and give it a value of c:\snort.
3. Add a new string value called Application and give it a string value of c:\snort\snort.exe.
4. Add a new string value called appParameters and give it the value -iX -cc:\snort\external.conf -N -sxxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the IP address of your Log Server and X is the interface number of the external interface).
Follow the same process on the SA PC, but copy the internal snort configuration to a file called internal.conf and replace -cc:\snort\external.conf in appParameters with -cc:\snort\internal.conf.
At this point you now have all the loggable events on the network going to the syslog file on the Log Server, and on my network, (650 workstations and servers), this generates some 40Mb of log file per day on weekdays and between 12-20Mb on weekends. With this setup we now have the Primary Sensor holding the Snort alerts for the external and internal interfaces and the HIDS and Service records for the network, and the Log Server contains Snort alerts, Event Log entries, firewall logs and IIS logs for the entire network. This is a good setup insofar as there are two separate machines holding logs, but it would be nice to extend this a bit further.
On the log server I have the log directory set to G:\syslog\logs. The following VBS script is scheduled to run every night at 12:05am. In order to determine which log to move, (there will be two if you have set the log files to roll daily), it looks at the file size, since the new log is only five minutes old and should still be small. The script copies the old file to a sub folder called \old logs and then moves the original to a drive mapped on the SA PC. (The move action ensures that there will only be two files in the logs folder tomorrow, so it will be clear which is the last day's file by its size.) The share is only accessible by a different username/password combination and can only be accessed by the SA PC administrator and this username, so now we have three different username/password combinations protecting our valuable logs.
Begin Code:
'Get the log file's name and copy and move it
'================================
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
'List every file in the logs folder
Set FileList = objWMIService.ExecQuery _
    ("ASSOCIATORS OF {Win32_Directory.Name='E:\syslog\logs'} Where " _
    & "ResultClass = CIM_DataFile")
For Each objFile In FileList
    'The completed log is the large one; the five-minute-old log is still small
    If objFile.FileSize > 5000000 Then
        'wscript.echo objFile.Name
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        'Keep an archive copy on the Log Server...
        objFSO.CopyFile objFile.Name, "E:\Syslog\logs\old logs\" & objFile.FileName & ".txt"
        '...then move the original to the mapped drive on the SA PC
        objFSO.MoveFile objFile.Name, "F:\logana~1\" & objFile.FileName & ".txt"
    End If
Next
End code
Now we have the log file on the SA PC, we really need to look at it to see what is of interest. You can take a look through X megabytes of file if you like, but I prefer to chop it up into manageable chunks of things that might pique my interest. I do this through the use of LineStrip. If you place LineStrip in your %systemroot%\system32 folder then you can access it from anywhere. I use a folder structure as follows:-
Log Analysis
    Old
    Reports
    Stripped
I then use the following, (sanitized), script to chunk out the interesting stuff, archive, (yet again), the log file, create a report and archive it, and send me an email of the report. The script is scheduled to run at 12:30am daily so that the report is available to me when I wake up every day. A more thorough explanation of this script and its use can be found in my post at
http://www.antionline.com/showthrea...mp;pagenumber=2
Begin Code:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
strMsgBody = ""
strMsgBodyCell = ""
'FileSystemObject iomode for OpenTextFile: 8 appends (2 would be ForWriting)
Const ForAppending = 8
'Get the log file's name
'==================
Set FileList = objWMIService.ExecQuery _
    ("ASSOCIATORS OF {Win32_Directory.Name='c:\log analysis'} Where " _
    & "ResultClass = CIM_DataFile")
For Each objFile In FileList
    'The day's log is the .txt file moved in by the 12:05am script
    If objFile.Extension = "txt" Then
        strNewName = objFile.FileName
        strMsgBody = strMsgBody & "Today's file is: " & strNewName & vbCrLf
        'Create the Report text file
        '====================
        Set objReport = CreateObject("Scripting.FileSystemObject")
        Set objTextFile = objReport.OpenTextFile _
            ("c:\log analysis\" & strNewName & ".rpt", ForAppending, True)
        objTextFile.WriteLine("Security Logs Analysis for " & Date() & _
            " at " & Time() & vbCrLf & _
            "****************************************************************************" & vbCrLf & vbCrLf)
        objTextFile.WriteLine("File being analyzed: " & strNewName & _
            ".txt. Size " & objFile.FileSize & " bytes." & vbCrLf & _
            "====================================" & vbCrLf & vbCrLf)
        'Build the same header for the email body
        strMsgBody = strMsgBody & "File being analyzed: " & strNewName _
            & ".txt. Size " & objFile.FileSize & " bytes." & vbCrLf _
            & "====================================" & vbCrLf & vbCrLf
        strMsgBodyCell = strMsgBodyCell & "File: " & strNewName & _
            ".txt." & vbCrLf & "Size " & objFile.FileSize & vbCrLf _
            & vbCrLf
    End If
Next
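As an added example (not Tiger Shark's script and not LineStrip), the following Python shows the two pieces of the nightly job described above: choosing the completed log by size, and chunking the day's syslog into per-feed buckets while pulling out the lines worth reading. The syslog lines and the tags used to recognise each feed (snort[...]:, MSWinEventLog, BackLogIIS, the fw1 host) are constructed for this example and should be matched to your own senders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of one day's syslog file on the Log Server. The feed
# tags (snort[...]:, MSWinEventLog, BackLogIIS, host fw1) are assumptions
# for this example, not the real output format of those tools.
SAMPLE_LOG = """\
Mar  4 00:01:12 sensor1 snort[412]: [1:1000001:1] LOCAL test rule [Priority: 1] {TCP} 192.0.2.10:3210 -> 192.0.2.20:80
Mar  4 00:01:13 dc1 MSWinEventLog 1 Security 529 Audit Failure Logon/Logoff user=jdoe
Mar  4 00:01:14 web1 BackLogIIS: 192.0.2.10 GET /scripts/test.asp 404
Mar  4 00:01:15 fw1 Deny TCP 192.0.2.10:4444 -> 192.0.2.1:23
Mar  4 00:01:16 dc1 MSWinEventLog 1 Security 528 Audit Success Logon/Logoff user=svc_backup
Mar  4 00:01:17 sensor1 snort[412]: [1:1000002:1] LOCAL noisy rule [Priority: 3] {UDP} 192.0.2.30:137 -> 192.0.2.255:137
"""

FEEDS = [  # (feed, pattern) tried in order; the first match wins
    ("snort", re.compile(r"\bsnort(\[\d+\])?:")),
    ("eventlog", re.compile(r"\bMSWinEventLog\b")),
    ("iis", re.compile(r"\bBackLogIIS\b")),
    ("firewall", re.compile(r"^\S+\s+\d+\s+\S+\s+fw1\s")),
]
# Per feed, what counts as "interesting" enough to land in the report
INTERESTING = {
    "snort": re.compile(r"\[Priority: 1\]"),
    "eventlog": re.compile(r"\bAudit Failure\b"),
    "iis": re.compile(r"\s[45]\d\d\s*$"),
    "firewall": re.compile(r"\bDeny\b"),
}

def pick_completed_log(sizes):
    """{name: size} of the files in the logs folder -> the one to archive (the largest)."""
    return max(sizes, key=sizes.get)

def categorize(line):
    """Return the feed a syslog line came from, or 'other'."""
    for feed, pat in FEEDS:
        if pat.search(line):
            return feed
    return "other"

def chunk_log(text):
    """Return (line counts per feed, interesting lines per feed) for one day's syslog."""
    counts, interesting = Counter(), defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        feed = categorize(line)
        counts[feed] += 1
        flag = INTERESTING.get(feed)
        if flag and flag.search(line):
            interesting[feed].append(line)
    return counts, interesting
```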
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.