Security Event Management for Windows How to do it really cheap! Presenter: Gord Taylor (CISSP, GCIH, GEEK)
Apologies to the UNIX / Linux Guys …but hopefully there will be some interesting things for you…
Taxonomy • What is SIM • What is SEM • SIM & SEM are not the same thing • Unfortunately, industry analysts like Gartner are blurring the lines :(
What is Syslog and where did it come from? • Originally created for BSD in the early 1980s • Ported to virtually every platform since • Evolved with no written standard until RFC 3164 in 2001 • Uses UDP/514 by default • A typical Syslog message (PRI <133> is facility local0, severity notice): <133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message.
Advantages of Syslog • Your network guys understand it • It’s probably already allowed on every firewall and router in your environment • (Almost) everything supports it • It’s LEAN, so network traffic isn’t typically a concern • It will be around for a long time
Advantages of Syslog (cont’d) • Even if you buy a vendor product, they’ll support it • A lot of vendor solutions are based on syslog-reliable
Disadvantages of Syslog • You’re on your own for creating reports, maintaining code changes, support, etc. • Traditional Syslog is UDP (unreliable: no acknowledgement, no retransmit) • Not supported natively in Windows • It’s not encrypted, but you can tunnel it (IPSec), which gives you confidentiality and integrity on the wire; it does not make UDP delivery reliable • 1024-byte limit on a message (RFC 3164); some implementations accept more (maybe 4k) • Scalability
And along comes Syslog-NG and Syslog Reliable • Syslog-ng came out before the RFC standard, though the Syslog Reliable RFC (RFC 3195) is largely based on NG • Many syslog-ng implementations are now actually Syslog Reliable under the hood • Reliable has 2 modes: RAW & COOKED • WinSyslog has supported syslog-ng for a long while, and its author (Rainer Gerhards) has always been active in the RFC 3195 work
Advantages of Reliable • Does everything Syslog does • TCP based, reliable delivery, confidentiality, integrity, authentication • Provides for Relays and Collectors • More customization options • A single system can be a device, relay, collector, or all three. • Due to the path information you get both SENDER time and RECEIVER time
Disadvantages of Reliable • You’re on your own for creating reports, maintaining code changes, support, etc. • Not everyone has implemented the RFC • Some poor implementations open the TCP channel for EACH MESSAGE (ouch!) • Not clear on maximum message size (especially in RAW mode)
Disadvantages of Reliable (cont’d) • Still doesn’t provide the YEAR in the timestamp • Still not widely implemented (including Windows) • More customization options also means more to configure and get wrong
So… What about Windows? We want to turn a Windows Security event (here Event ID 528, Successful Logon, logon type 5 = service) into this syslog message: <pri>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\LOCAL SERVICE Successful Logon: UserName: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: - Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7) Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port: -
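The syslog line format from the “What is Syslog” slide and the Windows-event conversion above, written out as an added example (this is not code from the original deck or from any of the agents it names). The event fields are constructed from the Event ID 528 text on the slide; the facility (local0), severity (notice), host and timestamp are this example’s own assumptions. It computes PRI, builds the RFC 3164 timestamp (space-padded day, no year), enforces the 1024-byte limit, and decodes a received line back into facility/severity/host/message.

```python
"""Encode a Windows Security event as an RFC 3164 syslog line and parse one back.

Added example, not from the original slides or any agent named in them.
The sample event is constructed from the Event ID 528 text shown on the
slide; the facility (local0), severity (notice), host and timestamp are
this example's assumptions.
"""
import re
from datetime import datetime

# RFC 3164 numeric codes.  PRI = facility * 8 + severity, so the slide's
# <133> decodes to local0 (16 * 8 = 128) + notice (5).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MAX_LEN = 1024  # RFC 3164 packet limit (the "1k" on the disadvantages slide)

# Constructed sample: the fields an agent would read from a Windows 2003
# "Successful Logon" (Event ID 528) record.  Logon Type 5 is a service logon.
SAMPLE_EVENT = {
    "event_id": 528,
    "user": r"NT AUTHORITY\LOCAL SERVICE",
    "description": "Successful Logon",
    "fields": {
        "UserName": "LOCAL SERVICE", "Domain": "NT AUTHORITY",
        "Logon ID": "(0x0,0x3E5)", "Logon Type": "5",
        "Logon Process": "Advapi", "Authentication Package": "Negotiate",
        "Caller User Name": "MACHINENAME$", "Caller Process ID": "280",
    },
}
SAMPLE_TS = datetime(2005, 12, 22, 9, 42, 26)   # assumed; RFC 3164 drops the year
SAMPLE_HOST = "192.168.131.67"


def pri(facility: str, severity: str) -> int:
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc3164_timestamp(ts: datetime) -> str:
    # "Mmm dd hh:mm:ss": day is space-padded, hour zero-padded, no year.
    return f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"


def event_to_syslog(event: dict, ts: datetime, host: str,
                    facility: str = "local0", severity: str = "notice") -> str:
    """Flatten the event to one line in the shape the slide shows."""
    body = " ".join(f"{k}: {v}" for k, v in event["fields"].items())
    msg = f"{event['event_id']}: {event['user']} {event['description']}: {body}"
    line = f"<{pri(facility, severity)}>{rfc3164_timestamp(ts)} {host} {msg}"
    # A strict RFC 3164 receiver may truncate or drop anything past 1024 bytes,
    # so cut here rather than lose the tail on the wire (ASCII, so chars == bytes).
    return line[:MAX_LEN]


_SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>"                      # PRI
    r"(\w{3} [ \d]\d \d\d:\d\d:\d\d) "   # TIMESTAMP
    r"(\S+) "                            # HOSTNAME
    r"(.*)$", re.S)                      # TAG and CONTENT


def parse_syslog(line: str) -> dict:
    """Split an RFC 3164 line into decoded PRI, timestamp, host and message."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    p = int(m.group(1))
    if p > 191:                           # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {p} out of range")
    fac_num, sev_num = divmod(p, 8)
    by_num = {v: k for k, v in FACILITIES.items()}
    return {
        "pri": p,
        "facility": by_num.get(fac_num, str(fac_num)),
        "severity": {v: k for k, v in SEVERITIES.items()}[sev_num],
        "timestamp": m.group(2), "host": m.group(3), "message": m.group(4),
    }


def sample_line() -> str:
    return event_to_syslog(SAMPLE_EVENT, SAMPLE_TS, SAMPLE_HOST)


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print(parse_syslog(line))
```

Note what the parser gives you back: the timestamp has no year, so the collector’s own receive time (WinSyslog’s ReceivedAt column) is the one worth indexing and reporting on.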
Windows Syslog Agents • NTSyslog (no longer in development) Sends everything by category • Snare (InterSect Alliance) Allows you to parse before sending • Lasso (newly released by LogLogic) Syslog Reliable • Many others on sourceforge.net and download.com etc.
Windows Syslog Daemons (server) • WinSyslog • Kiwi Syslog • Snare Server ($$) There’s also a ‘lite’ version called Snare Micro Server • Linux / Unix (all versions have syslog) • Again, see sourceforge.net & download.com
WinSyslog • Syslog Reliable • Filter by many conditions • Many Actions to take when filter valid (true) • Log to File and/or DB most common • “Discard” is very valuable
Logging to Database • Simple table with ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SyslogTag • The stock table has no indexes and no primary key • Poor Database Support - but see the “Database” discussion group :-)
Logging Problems • Database blocking (inserts queue up behind long-running reads and deletes) • Nightly deletes make the transaction log explode • Nightly maintenance runs too long • What helps: split database & file logging • Or log to file and import nightly • Or delete hourly instead of nightly, so each delete stays small
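The “hourly deletes” fix from the list above, as an added example (not from the slides or from WinSyslog): a table with the slide’s columns, an index on ReceivedAt, and a retention job that deletes in bounded batches so each transaction stays short. SQLite in memory stands in for the real database so it runs anywhere; the table name SystemEvents, the index, the batch size and the generated event rows are this example’s own assumptions.

```python
"""Bounded-batch log retention against a WinSyslog-style events table.

Added example, not from the slides.  SQLite in memory stands in for the
real database; table name, index, batch size and the constructed events
are this example's own choices.
"""
import sqlite3
from datetime import datetime, timedelta

START = datetime(2005, 12, 22, 0, 0, 0)   # constructed base time for the sample rows


def open_log_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE SystemEvents (
            ID INTEGER PRIMARY KEY,         -- the stock table has none; we add one
            ReceivedAt TEXT NOT NULL,
            DeviceReportedTime TEXT,
            Facility INTEGER,
            Priority INTEGER,
            FromHost TEXT,
            Message TEXT,
            SyslogTag TEXT)""")
    # Retention deletes and "last N hours" reports both filter on ReceivedAt,
    # so without this index every nightly delete is a full table scan.
    conn.execute("CREATE INDEX ix_SystemEvents_ReceivedAt ON SystemEvents(ReceivedAt)")
    return conn


def insert_constructed_events(conn, start: datetime, hours: int, per_hour: int) -> int:
    """Insert per_hour constructed local0.notice events for each of `hours` hours."""
    rows = []
    for h in range(hours):
        for i in range(per_hour):
            ts = (start + timedelta(hours=h, seconds=i)).isoformat(sep=" ")
            rows.append((ts, ts, 16, 5, "192.168.131.67",
                         f"528: constructed logon event {h}/{i}", "Security"))
    with conn:
        conn.executemany(
            "INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, "
            "Priority, FromHost, Message, SyslogTag) VALUES (?,?,?,?,?,?,?)", rows)
    return len(rows)


def prune_in_batches(conn, cutoff: datetime, batch_size: int = 5000) -> tuple:
    """Delete rows older than cutoff, at most batch_size rows per transaction.

    Each small commit keeps lock hold time and transaction-log growth bounded,
    which is why many small deletes beat one giant nightly DELETE.
    Returns (rows_deleted, transactions_used).
    """
    deleted = batches = 0
    cutoff_s = cutoff.isoformat(sep=" ")
    while True:
        with conn:                        # one transaction per batch
            cur = conn.execute(
                "DELETE FROM SystemEvents WHERE ID IN ("
                "  SELECT ID FROM SystemEvents WHERE ReceivedAt < ? "
                "  ORDER BY ReceivedAt LIMIT ?)",
                (cutoff_s, batch_size))
        if cur.rowcount == 0:
            break
        deleted += cur.rowcount
        batches += 1
    return deleted, batches


def count_events(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM SystemEvents").fetchone()[0]


def demo(retention_hours: int = 24, hours: int = 36, per_hour: int = 100,
         batch_size: int = 300) -> tuple:
    """Load 36 hours of constructed events, keep the last 24, prune in batches.

    Returns (inserted, deleted, batches, remaining).
    """
    conn = open_log_db()
    inserted = insert_constructed_events(conn, START, hours, per_hour)
    cutoff = START + timedelta(hours=hours - retention_hours)
    deleted, batches = prune_in_batches(conn, cutoff, batch_size)
    return inserted, deleted, batches, count_events(conn)


if __name__ == "__main__":
    print(demo())
```

On SQL Server the same loop is DELETE TOP (n) inside a short transaction, run from an hourly job; the shape of the work is the same.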
Tail & Logger (Syslog’s Best Friends) • tail lets you view the “tail end” of a file; tail -f shows new lines as they arrive • logger sends a file to a Syslog daemon: the entire file, line by line, each line as a separate Syslog message; UDP, TCP, or 3195 RAW (not COOKED); can send a single “custom message” log line; can specify Priority
Uses for Logger (cont’d) • logger -f webserver_today.log -l syslogserver -m 3195raw • tail -f webserver.log | logger -l dest -m proto (you can do the same thing with Check Point FW-1 logs!) • autorunsc -c -m | logger -l dest -m proto (Sysinternals Autoruns in CSV mode, so your autostart inventory lands in the log server)
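The tail -f | logger pipeline above, written out as an added example (not code from the slides, nor from the tail or logger tools they name) so both halves are visible: a follower that skips existing content and holds back partial lines, and a sender that wraps each line as a UDP syslog datagram. The collector is an in-process UDP socket on 127.0.0.1 so the example runs offline; the sample web-log lines, the hostname “webserver”, the tag “iis” and the local0.info priority are constructed assumptions.

```python
"""Follow a log file and forward each new line as a UDP syslog datagram.

Added example, not from the slides or the tools they name: it is the
`tail -f webserver.log | logger -l dest` pipeline written out in Python so
both halves are visible.  The collector is an in-process UDP socket on
127.0.0.1 so it runs offline; sample lines, hostname, tag and priority are
constructed assumptions.
"""
import os
import socket
import tempfile
import time


def follow(path, max_lines=None, poll=0.05, idle_timeout=5.0):
    """Yield complete new lines appended to path, like `tail -f`.

    Only data written after this call is returned (existing content is
    skipped), a partial line is held until its newline arrives, and the
    generator stops after max_lines lines or idle_timeout seconds of silence.
    """
    fh = open(path, "rb")
    fh.seek(0, os.SEEK_END)          # done eagerly, before the caller appends more
    return _follow_lines(fh, max_lines, poll, idle_timeout)


def _follow_lines(fh, max_lines, poll, idle_timeout):
    buf, n = b"", 0
    idle_since = time.monotonic()
    try:
        while max_lines is None or n < max_lines:
            chunk = fh.read()         # b"" at EOF; later reads return appended data
            if chunk:
                buf += chunk
                idle_since = time.monotonic()
                while b"\n" in buf and (max_lines is None or n < max_lines):
                    line, buf = buf.split(b"\n", 1)
                    n += 1
                    yield line.rstrip(b"\r").decode("utf-8", "replace")
                continue
            if time.monotonic() - idle_since > idle_timeout:
                return
            time.sleep(poll)
    finally:
        fh.close()


def syslog_datagram(line, host, tag, facility=16, severity=6):
    """Wrap one log line as an RFC 3164 message (default local0.info), max 1024 bytes."""
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {line}".encode("utf-8")[:1024]


def demo(lines=("GET /index.html 200", "GET /admin 403", "POST /login 401")):
    """Append constructed lines to a temp file, follow it, ship to a local collector."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))          # port 0 = any free port, not 514
    collector.settimeout(5.0)
    dest = collector.getsockname()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    received = []
    try:
        with open(path, "a", encoding="utf-8") as f:
            f.write("constructed pre-existing line, must not be shipped\n")
        new_lines = follow(path, max_lines=len(lines))   # seeks to end right now
        with open(path, "a", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        for line in new_lines:
            sender.sendto(syslog_datagram(line, "webserver", "iis"), dest)
            data, _ = collector.recvfrom(2048)
            received.append(data.decode("utf-8"))
    finally:
        sender.close()
        collector.close()
        os.unlink(path)
    return received


if __name__ == "__main__":
    for m in demo():
        print(m)
```

Because the transport is plain UDP, nothing here tells the sender a datagram was dropped; that is the reliability gap the Syslog Reliable slides are about.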
Where do vendor products fit in? • Homegrown can be a lot of work - vendor solutions are “out of the box” • There is a LOT of value in doing this in-house to learn what you need (including event volumes) • Do you need forensics abilities or just reporting (SEM vs SIM)? • Real-time correlation is exceptionally difficult • Does the vendor provide for all your platforms? • Don’t include building of reports into your decision – you’ll ALWAYS have to build
Various Sites • The most important: www.loganalysis.org
Syslog Tools • WinSyslog Server (Adiscon) http://www.monitorware.com • KiwiSyslog Server http://www.kiwisyslog.com • Snare Agents for Windows, IIS, ISA, Apache, etc… http://snare.sourceforge.net • Lasso (syslog-reliable, based on Snare source) http://lassolog.sourceforge.net • Modular Syslog (BSD flavours, Unix, Linux only) http://msyslog.sourceforge.net http://msyslogui.sourceforge.net • NTSyslog (no longer in development) http://ntsyslog.sourceforge.net
Windows Security Eventlog Information • Altair Technologies Event ID database http://www.eventid.net • Randy Franklin Smith’s Event Encyclopedia http://www.ultimatewindowssecurity.com/encyclopedia.html
Other Open Source Tools • Privateye (SIM) http://privateye.sourceforge.net • Splunk (Google for log files – no more to be said.) http://www.splunk.com • Simple Event Correlator http://simple-evcorr.sourceforge.net
Whitepapers & Other Reading • SANS Top 5 Essential Log Reports http://www.sans.org/resources/top5_logreports.pdf • The Ins and Outs of System Logging Using Syslog http://www.sans.org/reading_room/whitepapers/logging/1168.php • BSD Syslog (RFC 3164) http://www.networksorcery.com/enp/rfc/rfc3164.txt • Syslog Reliable (RFC 3195) http://www.networksorcery.com/enp/rfc/rfc3195.txt • BEEP Protocol (RFC 3080) http://www.networksorcery.com/enp/rfc/rfc3080.txt • Draft Special Publication 800-92, Guide to Computer Security Log Management http://csrc.nist.gov/publications/drafts.html
Complementary Tools • Any “tail” utility http://www.baremetalsoft.com (GUI based, allows colour coding for manual review & highlighting of interesting entries in real time) • A command-line tail utility: the Windows 2003 Resource Kit comes with tail.exe • Logger (Windows port of the Unix logger command-line tool) http://www.monitorware.com/logger
xNix-only Tools • Logcheck (http://sourceforge.net/projects/logcheck) Parses logs looking for “interesting” patterns (includes an ignore file) Output is straightforward for admins – good to mail to yourself for daily reviews • Logwatch (http://www.logwatch.org) Similar to Logcheck, but summarizes all entries and the number of times they occurred. • Swatch (http://swatch.sourceforge.net) Regex to monitor log files in real time (alert via pager, mail) • LogSurfer (http://www.cert.dfn.de/eng/logsurf/) Realtime monitoring of any log file – a little more verbose than Swatch