
Security Event Management for Windows


Presentation Transcript


  1. Security Event Management for Windows
  How to do it really cheap!
  Presenter: Gord Taylor (CISSP, GCIH, GEEK)

  2. Apologies to the UNIX / Linux Guys …but hopefully there will be some interesting things for you…

  3. Taxonomy
  • What is SIM
  • What is SEM
  • SIM & SEM are not the same thing
  • Unfortunately, industry analysts like Gartner are blurring the lines :(

  4. What is Syslog and where did it come from?
  • Originally created for BSD in early 1980s
  • Ported to virtually every platform since
  • Evolved with no standards until 2001
  • Uses UDP/514 by default
  • A typical Syslog message: <133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message.

  5. A Basic Syslog Implementation

  6. Advantages of Syslog
  • Your network guys understand it
  • It’s probably already allowed on every firewall and router in your environment
  • (Almost) everything supports it
  • It’s LEAN, so network traffic isn’t typically a concern
  • It will be around for a long time

  7. Advantages of Syslog (cont’d)
  • Even if you buy a vendor product, they’ll support it
  • A lot of vendor solutions are based on syslog-reliable

  8. Disadvantages of Syslog
  • You’re on your own for creating reports, maintaining code changes, support, etc.
  • Traditional Syslog is UDP (unreliable)
  • Not supported natively in Windows
  • It’s not encrypted, but you can tunnel it (IPSec) – which also makes it more reliable
  • 1k limit on message (RFC) (maybe 4k)
  • Scalability

  9. And along comes Syslog-NG and Syslog Reliable
  • Syslog-ng came out before the RFC standard - though the Syslog Reliable RFC is largely based on NG
  • Many syslog-ng implementations are now actually Syslog Reliable under the hood
  • Reliable has 2 modes: RAW & COOKED
  • WinSyslog has supported syslog-ng for a long while and has always been active on the RFC 3195 committee (Rainer Gerhards)

  10. Advantages of Reliable
  • Does everything Syslog does
  • TCP based, reliable delivery, confidentiality, integrity, authentication
  • Provides for Relays and Collectors
  • More customization options
  • A single system can be a device, relay, collector, or all three.
  • Due to the path information you get both SENDER time and RECEIVER time

  11. Disadvantages of Reliable
  • You’re on your own for creating reports, maintaining code changes, support, etc.
  • Not everyone has implemented the RFC
  • Some poor implementations open the TCP channel for EACH MESSAGE (ouch!)
  • Not clear on maximum message size (especially in RAW mode)

  12. Disadvantages of Reliable (cont’d)
  • Still doesn’t provide the YEAR in the timestamp
  • Still not widely implemented (including Windows)
  • More customization options

  13. A Simple Syslog Reliable Implementation

  14. So… What about Windows?
  We want to turn this Windows Security event into this syslog message:
  <pri>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\LOCAL SERVICE Successful Logon: UserName:LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate: Workstation Name: Logon GUID: - Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7) Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port: -
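The header layout from slide 4, the missing year from slide 12 and the Windows event message from slide 14, worked through as an added example that is not part of the presentation: a parser for `<PRI>TIMESTAMP HOST TAG: MSG` that decodes facility and severity from PRI, borrows the year from the receive time (stepping back a year for a message stamped Dec 31 that arrives Jan 1), and reads the Windows Event ID out of the TAG. The sample lines are constructed from slides 4 and 14; the PRI value 86 and the receive times are assumptions.

```python
import re
from datetime import datetime, timedelta

# RFC 3164 (BSD syslog) header as on slide 4: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# The regex tolerates a single-digit hour, as in the slide 14 sample ("9:42:26").
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{1,2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$", re.DOTALL)

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def decode_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164); 191 is the largest legal value."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def resolve_timestamp(ts_text, received_at):
    """The header carries no year (slide 12): borrow the receiver's year, and step
    back one year if that would place the event more than a day in the future
    (a message stamped Dec 31 that arrives on Jan 1). received_at: datetime or ISO string."""
    if isinstance(received_at, str):
        received_at = datetime.fromisoformat(received_at)
    ts = datetime.strptime("%d %s" % (received_at.year, ts_text), "%Y %b %d %H:%M:%S")
    if ts - received_at > timedelta(days=1):
        ts = ts.replace(year=received_at.year - 1)
    return ts

def parse_syslog(line, received_at):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity,
            "timestamp": resolve_timestamp(m["ts"], received_at),
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def windows_event_id(parsed):
    """Agents like the one on slide 14 put the Windows Event ID in the TAG field."""
    return int(parsed["tag"]) if parsed["tag"].isdigit() else None

# Constructed input: the slide 4 message, and the slide 14 message shortened, with a
# constructed PRI of 86 (authpriv.info) in place of the slide's "<pri>" placeholder.
SAMPLE = "<133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message."
WIN528 = ("<86>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\\LOCAL SERVICE "
          "Successful Logon: UserName:LOCAL SERVICE Domain: NT AUTHORITY "
          "Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi")
```

The slide's literal `<pri>` placeholder is rejected by the parser, which is the behaviour a collector should have for any line whose PRI is not numeric.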

  15. Windows Syslog Agents
  • NTSyslog (no longer in development)
      Sends everything by category
  • Snare (InterSect Alliance)
      Allows you to parse before sending
  • Lasso (newly released by LogLogic)
      Syslog Reliable
  • Many others on sourceforge.net and download.com etc.

  16. NTSyslog

  17. Snare

  18. Snare (cont’d)

  19. Windows Syslog Daemons (server)
  • WinSyslog
  • Kiwi Syslog
  • Snare Server ($$)
      There’s also a ‘lite’ version called Snare Micro Server
  • Linux / Unix (all versions have syslog)
  • Again, see sourceforge.net & download.com

  20. WinSyslog
  • Syslog Reliable
  • Filter by many conditions
  • Many Actions to take when filter valid (true)
  • Log to File and/or DB most common
  • “Discard” is very valuable

  21. WinSyslog (cont’d)

  22. WinSyslog (cont’d)

  23. Logging to Database
  • Simple table with ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SyslogTag
  • No Indices (indexes)
  • No Primary Keys
  • Poor Database Support - but see the “Database” discussion group :-)

  24. Logging Problems
  • Database Blocking
  • Nightly Deletes / Transaction log explodes
  • Nightly Maintenance / run too long
  • Split Database & File Logging
  • File Logging & Nightly Import
  • Hourly Deletes
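An added example, not the presenter's or WinSyslog's code, of the remedy slide 24 points toward: purge old rows in small committed batches over an indexed ReceivedAt column, instead of one giant nightly delete. The columns are those listed on slide 23; the SystemEvents table name, the index, and the sqlite3 stand-in for the real database are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical stand-in for the WinSyslog table on slide 23 (same columns); sqlite3
# replaces the real database engine so the example runs offline.
SCHEMA = """
CREATE TABLE SystemEvents (
    ReceivedAt TEXT NOT NULL, DeviceReportedTime TEXT, Facility INTEGER,
    Priority INTEGER, FromHost TEXT, Message TEXT, SyslogTag TEXT);
-- The index the slide says the default schema lacks: each purge batch below
-- becomes a range seek on ReceivedAt instead of a full table scan.
CREATE INDEX ix_SystemEvents_ReceivedAt ON SystemEvents (ReceivedAt);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_sample(conn, start_iso, hours, per_hour):
    """Constructed rows: `per_hour` events in each of `hours` hours from start_iso."""
    start = datetime.fromisoformat(start_iso)
    rows = [((start + timedelta(hours=h, minutes=m)).isoformat(sep=" "),
             None, 16, 5, "192.168.131.67", "constructed message", "528")
            for h in range(hours) for m in range(per_hour)]
    conn.executemany("INSERT INTO SystemEvents VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()

def purge_older_than(conn, cutoff_iso, batch=500):
    """Delete rows received before cutoff_iso, `batch` rows per transaction.
    Short transactions are the fix for slide 24: no long lock that blocks the
    inserting daemon, and no single delete that balloons the transaction log.
    Returns (rows deleted, batches run)."""
    deleted = batches = 0
    while True:
        cur = conn.execute(
            "DELETE FROM SystemEvents WHERE rowid IN "
            "(SELECT rowid FROM SystemEvents WHERE ReceivedAt < ? LIMIT ?)",
            (cutoff_iso, batch))
        conn.commit()
        if cur.rowcount <= 0:
            return deleted, batches
        deleted += cur.rowcount
        batches += 1

def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM SystemEvents").fetchone()[0]
```

Run on an hourly schedule with a cutoff of "now minus retention", this replaces the nightly delete with many short deletes that never hold the table for long.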

  25. Tail & Logger (Syslog’s Best Friends)
  • Tail allows you to view the “tail end” of a file
      tail -f will show new messages as they arrive
  • Logger sends a file to a Syslog daemon
      Sends entire file, line-by-line
      Each line is a separate Syslog message
      UDP, TCP, or 3195RAW (not Cooked)
      Can send a single “custom message” log line
      Can specify Priority

  26. Uses for Logger (cont’d)
  • logger -f webserver_today.log -l syslogserver -m 3195raw
  • tail -f webserver.log | logger -l dest -m proto
      You can do the same thing with FW1 logs !!
  • autorunsc -c -m | logger -l dest -m proto

  27. Where do vendor products fit in?
  • Homegrown can be a lot of work - vendor solutions are “out of the box”
  • There is a LOT of value in doing this in-house to learn what you need (including event volumes)
  • Do you need forensics abilities or just reporting (SEM vs SIM)?
  • Real-time correlation is exceptionally difficult
  • Does the vendor provide for all your platforms?
  • Don’t include building of reports into your decision – you’ll ALWAYS have to build

  28. Various Sites
  • The most important: www.loganalysis.org
  Syslog Tools
  • WinSyslog Server (Adiscon) http://www.monitorware.com
  • KiwiSyslog Server http://www.kiwisyslog.com
  • Snare Agents for Windows, IIS, ISA, Apache, etc… http://snare.sourceforge.net
  • Lasso (syslog-reliable based on Snare source) http://lassolog.sourceforge.net

  29. Modular Syslog (BSD flavours, Unix, Linux only)
      http://msyslog.sourceforge.net
      http://msyslogui.sourceforge.net
  • NTSyslog (no longer in development) http://ntsyslog.sourceforge.net
  Windows Security Eventlog Information
  • Altair Technologies Event ID database http://www.eventid.net
  • Randy Franklin Smith’s Event Encyclopedia http://www.ultimatewindowssecurity.com/encyclopedia.html

  30. Other Open Source Tools
  • Privateye (SIM) http://privateye.sourceforge.net
  • Splunk (Google for log files – no more to be said.) http://www.splunk.com
  • Simple Event Correlator http://simple-evcorr.sourceforge.net

  31. Whitepapers & Other Reading
  • SANS Top 5 Essential Log Reports http://www.sans.org/resources/top5_logreports.pdf
  • The Ins and Outs of System Logging Using Syslog http://www.sans.org/reading_room/whitepapers/logging/1168.php
  • BSD Syslog (RFC 3164) http://www.networksorcery.com/enp/rfc/rfc3164.txt
  • Syslog Reliable (RFC 3195) http://www.networksorcery.com/enp/rfc/rfc3195.txt
  • BEEP Protocol (RFC 3080) http://www.networksorcery.com/enp/rfc/rfc3080.txt
  • Draft Special Publication 800-92 Guide to Computer Security Log Management http://csrc.nist.gov/publications/drafts.html
  Complementary Tools
  • Any “tail” utility http://www.baremetalsoft.com (GUI based, allows color coding for manual review & highlighting of interesting entries in realtime)
  • A command-line tail utility: Windows 2003 Resource Kit comes with a tail.exe
  • Logger (Unix port of command line tool) http://www.monitorware.com/logger

  32. xNix-only Tools
  • Logcheck (http://sourceforge.net/projects/logcheck)
      Parses logs looking for “interesting” patterns (includes an ignore file)
      Output is straightforward for admins – good to mail to yourself for daily reviews
  • Logwatch (http://www.logwatch.org)
      Similar to Logcheck, but summarizes all entries and the number of times they occurred.
  • Swatch (http://swatch.sourceforge.net)
      Regex to monitor log files in real time (alert via pager, mail)
  • LogSurfer (http://www.cert.dfn.de/eng/logsurf/)
      Realtime monitoring of any log file – a little more verbose than Swatch
