SECURE LOGGING IN A WINDOWS 2K ENVIRONMENT CONT...
Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.
You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=246159
Enjoy
'WshShell, objWMIService, objTextFile, strNewName and strMsgBody are created
'in the first part of this tutorial. objFSO is needed by Delfile, so it is
'created here before the first call to that function.
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Dump the FORTBU Logon Failures
'===========================
strFileName = strNewName & "-FORTBU.txt"
WshShell.Run "linestrp " & strNewName & ".txt /O " & strNewName & "-FORTBU.txt" & _
    " /FS Failure Audit<009>FORTBU<009>Account Logon /dn /q", , True
Delfile

'Dump the XXX-ADMIN Logon Failures
'===========================
strFileName = strNewName & "-XXX-ADMIN.txt"
WshShell.Run "linestrp " & strNewName & ".txt /O " & strNewName & "-XXX-ADMIN.txt" & _
    " /FS Failure Audit<009>XXX-ADMIN<009>Account Logon /dn /q", , True
Delfile

'Close the analysis section of the report and the mail body
'=============================================
objTextFile.WriteLine vbCrLf & vbCrLf & "Analysis Complete at " & Time() & vbCrLf & String(62, "_")
strMsgBody = strMsgBody & vbCrLf & vbCrLf & "Analysis Complete at " & Time() & vbCrLf & String(62, "_") & vbCrLf
objTextFile.WriteLine vbCrLf & "Begin Archive at " & Time() & vbCrLf
strMsgBody = strMsgBody & vbCrLf & "Begin Archive at " & Time() & vbCrLf & vbCrLf

'Move the logfile to the server
'=======================
objFSO.MoveFile "C:\Log analysis\" & strNewName & ".txt", _
    "F:\Information system\XXXXStuff\Security Archives\firewall logs\" & strNewName & ".txt"
objTextFile.WriteLine "Log Archived to server at " & Time()
strMsgBody = strMsgBody & vbTab & "File " & strNewName & ".txt Archived at " & Time() & vbCrLf

'Move the stripped files out of the working directory
'========================================
Set FileList = objWMIService.ExecQuery _
    ("ASSOCIATORS OF {Win32_Directory.Name='c:\log analysis'} Where " & _
     "ResultClass = CIM_DataFile")
For Each objFile In FileList
    If objFile.Extension = "txt" Then
        strFileName = objFile.FileName & "." & objFile.Extension
        objFSO.MoveFile "C:\Log analysis\" & strFileName, "C:\log analysis\stripped\"
        objTextFile.WriteLine strFileName & " moved at " & Time()
        strMsgBody = strMsgBody & vbTab & "File " & strFileName & " moved at " & Time() & vbCrLf
    End If
Next

'Send an Email to Administrator with the report
'====================================
objTextFile.WriteLine vbCrLf & "Email generated at " & Time()
strMsgBody = strMsgBody & vbTab & "Email Generated at " & Time() & vbCrLf
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "Log_Server@XXXXXXXXX"
objEmail.To = "XXXXXX@XXXXXX"
objEmail.Subject = "Log Analysis at " & Time() & " on " & Date()
objEmail.TextBody = strMsgBody
objEmail.Send

'Close the Report file before trying to move it
'==================================
objTextFile.WriteLine vbCrLf & "Report moved at " & Time()
objTextFile.Close

'Move the Report files out of the working directory
'========================================
Set FileList = objWMIService.ExecQuery _
    ("ASSOCIATORS OF {Win32_Directory.Name='c:\log analysis'} Where " & _
     "ResultClass = CIM_DataFile")
For Each objFile In FileList
    If objFile.Extension = "rpt" Then
        strFileName = objFile.FileName & "." & objFile.Extension
        objFSO.MoveFile "C:\Log analysis\" & strFileName, "C:\log analysis\reports\"
    End If
Next

'Function to delete the empty files
'==========================
'Looks up the file named in strFileName; a zero-length stripped file means
'LineStrip found nothing, so it is deleted and the report says so.
Function Delfile
    Set colFiles = objWMIService.ExecQuery _
        ("Select * from CIM_DataFile Where Name = 'c:\\log analysis\\" & strFileName & "'")
    For Each objFile In colFiles
        If objFile.FileSize = 0 Then
            objFSO.DeleteFile "C:\log analysis\" & strFileName
            objTextFile.WriteLine strFileName & vbTab & vbTab & "Zero length" & vbTab & "Deleted" & vbTab & Time()
            strMsgBody = strMsgBody & strFileName & vbTab & vbTab & "Zero length" & vbTab & "Deleted" & vbTab & Time() & vbCrLf
        Else
            objTextFile.WriteLine strFileName & vbTab & vbTab & objFile.FileSize & vbTab & "Data Recorded" & vbTab & Time()
            strMsgBody = strMsgBody & strFileName & vbTab & vbTab & objFile.FileSize & vbTab & "*** Data ***" & vbTab & Time() & vbCrLf
        End If
    Next
End Function
End code
As you can see, it's long, but it processes the equivalent of 8Gb of
data in under two minutes on my SA PC. Each morning I can see at a
glance if there are glaring issues with the previous day's traffic. For
example, I may note that there was stealth scanning activity taking
place. By going to the "Stripped" folder and opening the "stripped"
file I can see at a glance which IP addresses took part in the
activity. This is obviously going to get my attention. I cut and paste
the IPs into LineStrip and have it search the entire day's log for any
other activity from that IP address. This will often show other
activity from the IP and I can determine whether or not to place that
address on the hostile or blocked site list at my firewall.
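The strip-and-report step of the script above, redone in Python as an added example (this is not the tutorial's code). The log layout is constructed, and the LineStrip search "Failure Audit<009>ACCOUNT<009>Account Logon" is read as three tab-separated fields, which is what the filter matches; the Delfile rule (a zero-length result is removed and reported as such) is applied to each stripped file.

```python
import os
import tempfile

# Constructed tab-delimited security log export (not a real Windows 2000 export;
# assumed column order: date, time, type, account, category, event id, computer).
SAMPLE_LOG = "\n".join([
    "2006-03-01\t08:01:12\tSuccess Audit\tFORTBU\tAccount Logon\t672\tDC1",
    "2006-03-01\t08:01:15\tFailure Audit\tFORTBU\tAccount Logon\t675\tDC1",
    "2006-03-01\t08:01:19\tFailure Audit\tFORTBU\tAccount Logon\t675\tDC1",
    "2006-03-01\t08:02:40\tFailure Audit\tjsmith\tLogon/Logoff\t529\tWS7",
    "2006-03-01\t08:03:02\tSuccess Audit\tXXX-ADMIN\tAccount Logon\t672\tDC1",
]) + "\n"

# Accounts the script dumps logon failures for (XXX-ADMIN is the tutorial's placeholder).
ACCOUNTS = ("FORTBU", "XXX-ADMIN")


def strip_failures(lines, account):
    """Python equivalent of the LineStrip /FS search: keep only lines that
    contain the exact sequence  Failure Audit <tab> account <tab> Account Logon."""
    needle = "Failure Audit\t%s\tAccount Logon" % account
    return [ln for ln in lines if needle in ln]


def process_day(log_text, workdir=None, accounts=ACCOUNTS):
    """Write one stripped file per account, apply the Delfile rule (a zero
    length file is removed) and return one report row per account as
    (account, size_in_bytes, note, action), mirroring the script's report."""
    workdir = workdir or tempfile.mkdtemp(prefix="loganalysis-")
    lines = log_text.splitlines()
    report = []
    for acct in accounts:
        path = os.path.join(workdir, acct + ".txt")
        with open(path, "w", newline="") as fh:
            fh.writelines(ln + "\n" for ln in strip_failures(lines, acct))
        size = os.path.getsize(path)
        if size == 0:
            os.remove(path)  # Delfile: zero length -> deleted, nothing to look at
            report.append((acct, 0, "Zero length", "Deleted"))
        else:
            report.append((acct, size, "Data Recorded", "Kept"))
    return report


if __name__ == "__main__":
    for row in process_day(SAMPLE_LOG):
        print("\t".join(str(col) for col in row))
```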
I may determine from the last paragraph that an IP address needs some
more investigation, and this is where we can put the final tool to good
use. Let's say that I want to know all the activity of a given IP for
the last two weeks. I could just run each daily log through LineStrip
and end up with 14 different files, but that sounds like work and it
would be more prone to error. So I create a temp folder under the
loganalysis\old folder and copy the last 14 log files to it. I then
start TxtCollector and point it at the temp folder. This takes all the
files in the folder and creates one big file, which can then be parsed
by LineStrip, giving a nice picture of everything that occurred from
that IP address in the last 14 days. On every occasion I have used it,
it creates a proper chronology, though this may be a product of the file
names and may fall down under certain circumstances, so be ready to cut
and paste within the stripped file to get an accurate look at the data
chronologically.
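The two-week review described above as an added example (not the tutorial's own code): merge the daily logs in file-name order the way TxtCollector does, pull out one address, then sort the result by timestamp so the chronology no longer depends on how the files are named. The log format, file names and addresses are constructed; the names deliberately use an unpadded day number, which is one way file-name order falls down, and the filter matches the address as a whole field rather than as a substring.

```python
from datetime import datetime

# Constructed daily firewall logs (not real data); one entry per line in the
# assumed layout "YYYY-MM-DD HH:MM:SS action proto src dst sport dport".
# The file names carry an unpadded day number, so a plain name sort puts
# days 10 and 11 ahead of day 9: the case where file-name order breaks chronology.
DAILY_LOGS = {
    "fw-2-9.txt": (
        "2006-02-09 10:15:01 DROP TCP 10.1.2.3 192.168.0.5 40101 135\n"
        "2006-02-09 10:15:02 DROP TCP 10.1.2.30 192.168.0.5 40102 135\n"),
    "fw-2-10.txt": "2006-02-10 02:00:10 DROP TCP 10.1.2.3 192.168.0.5 40111 139\n",
    "fw-2-11.txt": "2006-02-11 23:59:59 DROP TCP 10.1.2.3 192.168.0.9 40120 445\n",
}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def collect(logs):
    """TxtCollector-style merge: concatenate the files in file-name order."""
    return "".join(logs[name] for name in sorted(logs))


def strip_ip(text, ip):
    """Keep lines where ip is the whole src or dst field, so 10.1.2.3 does not
    also pick up 10.1.2.30 the way a cut-and-paste substring search would."""
    return [ln for ln in text.splitlines() if ip in ln.split()[4:6]]


def stamp(line):
    return datetime.strptime(line[:19], TS_FORMAT)


def is_chronological(lines):
    stamps = [stamp(ln) for ln in lines]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def activity_for(logs, ip):
    """Everything the address did across all days, ordered by timestamp
    (stable sort, so same-second entries keep their file order)."""
    return sorted(strip_ip(collect(logs), ip), key=stamp)


if __name__ == "__main__":
    for ln in activity_for(DAILY_LOGS, "10.1.2.3"):
        print(ln)
```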
One last thing I do is to write all the old logs to CD-R when they will
fill the CD. This usually takes about 14 days, so I can minimize the
total storage requirements and make the logs untouchable unless
physical access is gained - in which case I'm in big trouble anyway.
Should I do it daily? Probably, but there is a cost in both time and
material associated with that.
Conclusion:
Overall, I find this system to be efficient, relatively accurate and of
great help. Could it be improved? Of course it can, but unfortunately my
employer expects me to carry out other tasks too, so time is an issue.
One quick little thing I will be doing in the near future is to use
that old laptop that no-one else uses because it is too slow as another
internal Snort box that reports its syslog alerts to a server I have
in my home, just to make life really difficult for someone who has
compromised my network to cover their tracks entirely. I'm sure that
some of you will be able to see flaws in my system overall and I would
appreciate any suggestions. You do need to remember, though, that the
system I described has two functions. One is to collect the logs
centrally and the other is to make it as difficult and time consuming
as possible to mess with them after the fact. I believe that it will
take a day or more to compromise all the logs, during which time I
should be able to detect the presence of the cracker. If I can't detect
their presence in that time I was probably never going to detect them
anyway and will sail along in my blissful ignorance.
Snort Stuff:
Let me first say that Snort has great documentation available at
www.snort.org and I thoroughly recommend that you download it and read
it before you begin playing with "The Pig". Make sure that you go
through the snort.conf files carefully to make sure they are optimized
for your network. Make sure you understand the implications of removing
rules from the rules files, and which ones you can remove and which ones
you really shouldn't. Go to Arachnids (www.whitehats.com) to
determine which rules apply to your shop if you are not sure.
In these days of litigation and liability I like to use Snort to try to
mitigate the damage your (L)users may try to inflict upon your
organization. To that end here are a few rules I implement on the
internal Snort sensors:
alert tcp $HOME_NET any -> any 1214 (msg:"Attempted Kazaa?"; flags:S; classtype:bad-unknown;)
alert tcp $HOME_NET any -> any 6699 (msg:"Attempted Napster?"; flags:S; classtype:bad-unknown;)
alert tcp $HOME_NET any -> any 8080 (msg:"Attempted Webmail?"; flags:S; classtype:bad-unknown;)
alert tcp $HOME_NET any -> any 1863 (msg:"Attempted MSN Messenger?"; flags:S; classtype:bad-unknown;)
These are just a few of the ones I use, and with a little research on
port numbers you can catch the initial outbound attempts (that should
be blocked at the firewall) prior to these programs switching to their
"alternate" ports to make their connection. At least this way you get
to see which machine has Kazaa loaded on it and you can "slap" the
(L)user.
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.