Re: [logs] what to log/what to look for: stateful log analysis?

From: Jose Nazario (joseat_private)
Date: Thu Aug 29 2002 - 09:35:49 PDT

  • Next message: yehuda: "RE: [logs] PIX logging"

    On Thu, 29 Aug 2002, Anton Chuvakin wrote:
    
    > Thoughts?
    
    this seems to be where tina was hoping to go: state creation, then state
    changes, then state deletion. ie smtpd is invoked, mail commads are issues
    and the server enters a new state (ie transient ok, give me data then
    "."), message accepted, servce is quit by the client. those are easily
    logged. obviously some log more easily than others having clearly defined
    states they enter and leave, but it shouldn't be too tough a mental
    exercise to think about how to list states of things which run,
    particularily daemons and services.
    
    to get to what darren reed said in a message that came to my inbox a few
    minutes ago, "look for bad stuff", well, that's of course an obvious goal.
    look for bad stuff: intrusions (attempts, successes and failures), system
    failures, terribly broken stuff (ie core dumps, misconfigurations). but
    *how*? thats what this conversation is about.
    
    using the state logging that anton was listing above we can now analyze
    behaviors. there's already research into this, its easy to build on that.
    as an example, a paper at this year's USENIX security symposium looked at
    clusters of system calls as a way to detect intrusions:
    
    	http://www.usenix.org/events/sec02/liao.html
    
    so, extending this, we can simply look at a sliding window of 3 or 4
    states and parameters which look ok, then filter those out and look at
    whats left.
    
    this strikes me as a relatively direct approach to the problem of how to
    analyze the data we log. now to get back to what we log, i agree with
    anton: state changes.
    
    some examples. ftpd, smtpd, httpd: all of those have well defined states
    they go through. lets look at something which has a loosely logged state,
    login daemons. i say loosely logged because it seems that so many systems
    log this in so many different ways. only when you standardize on one type
    of login daemon (ie sshd) do you see any sort of standardization.
    
    	inbound connection request to the system
    	connection handled by some process (ie sshd)
    	authorization request by some method
    	success or failure
    		do we repeat?
    	for success, what do we get passed off to?
    		at what priviledge level?
    
    
    run ssh -v your.login.server and you'll see the information, client side,
    listed there. or run sshd -d and you'll see all sorts of debug info logged
    for the daemon (non forking of course).
    
    just some ideas ... this information can then be processed to look for
    normal patterns and then deviations from this.
    
    wow, this basically said a lot to agree with anton!
    
    ___________________________
    jose nazario, ph.d.			joseat_private
    					http://www.monkey.org/~jose/
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 11:25:21 PDT