Thanks Paul! This is a really interesting idea- the ability to pivot audit data around other criteria besides time. I think that the main problem is that Event Viewer was never designed for correlation or advanced querying, which need to be built-in functions when dealing with large data sets that change rapidly. Hopefully we'll resolve that in our next release of Windows; we are aware of that problem.

For a single machine, using an object-based view for analysis is already possible with only a little work: use the EventQuery.vbs tool on Windows XP or Windows Server 2003 to dump the events to a csv file, then import into Excel. Excel has a feature called "autofilter" which greatly simplifies querying the log, as well as PivotTable and PivotChart functionality. I will occasionally chart audit data to see trending- for instance a few weeks ago I used this method to analyze logon traffic to our domain controllers in one of our development domains.

We have something up our sleeve but I don't want to over-promise & under-deliver. Look for a significant audit collection and analysis tool from us this summer, and a completely replaced event log service with some really neat analysis capabilities in the next version of Windows.

Eric

-----Original Message-----
From: Paul D. Robertson [mailto:probertsat_private]
Sent: Friday, January 17, 2003 6:55 PM
To: Eric Fitzgerald
Cc: H C; Rainer Gerhards; loganalysisat_private; Tina Bird; Marcus J. Ranum; Ben Laurie
Subject: RE: [logs] RE: NT Event Log and Web Server Attacks

On Fri, 17 Jan 2003, Eric Fitzgerald wrote:

> I would be very interested in hearing any suggestions on how to
> improve the ability to analyze the Windows security log. I've
> explained why some of the events seem to be "missing" information even
> though the information is really in the log, and Microsoft's strategy
> moving forward, but if you have other suggestions then I would be very
> open to hearing them.
Hi Eric,

I received this response from another person at our company-

====
In response to request for suggestions regarding auditing; Windows auditing should be tree oriented around objects known to Administrators, rather than time oriented as it is now (or the views should be switchable). Typically you reach a point in auditing where you want to track a user, machine, process, or other tangible object. Tracking by event ID, or time, is not appropriate at that point. Same is true in System logs (and other event logs).

The biggest struggle with MS event logs has been digesting the information and knowing what you are trying to track. Tracking by known objects should make the process more comprehensible. So, for example, what did userX do since their next to last log off? What has been done on this machine? What has IIS been doing since it was last restarted? That sort of scenario.
===

I'll add my two cents, which is that the time-oriented view is _crucial_ to forensics, so "rather than" isn't realistic, but "as well as" would work quite nicely. Personally, I don't overly mind doing correlation (heck, that's half the value of doing the forensics well) as long as there's a good key to go off of. But I think the above point is valid, and should have at least some level of thought- even if it's weird, like something along the lines of per-object logging options for some events (like "I want to audit users, give me per-user logs" or "I want to audit tbird, shove that stuff over there, as well as here in the event log in traditional format....") I think "You can switch on this slower, but object/target/subject stuff on if you want" kind of thing might be a good idea given the level of admins we've seen of late running single-purpose systems like Web servers.
Anyway, I wanted to throw it out there as a thought and see if you had some comments on views of log events in formats that those of us doing a lot of log processing don't tend to think of- the sorts of questions normal admins have that relate to logged events (I spend way too much time reading log tea leaves to diagnose attacks and malice to think much about normal daily adminish stuff.)

Regards,
Paul

-----------------------------------------------------------------------------
Paul D. Robertson             "My statements in this message are personal opinions
probertsat_private            which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
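The workflow Eric describes (dump the security log to CSV, then pivot it in Excel) and the object-centred questions from Paul's colleague ("what did userX do since their next to last log off?") can be reproduced offline on the CSV export alone. The script below is an added example and is not part of this thread or of any Microsoft tool; the column layout of the CSV is an assumption modelled on an EventQuery.vbs-style export, the rows are constructed sample data, and the event IDs used (528 successful logon, 529 logon failure, 538 user logoff, 560 object open, 564 object deleted) are the NT/2000/XP security log IDs. It builds a PivotTable-style count per user (or per computer, or per any other column) and a per-user window that starts at the user's next-to-last logoff, which is the "as well as" view Paul asks for: the time order is kept, the data is just re-keyed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export. The header is an ASSUMPTION about the CSV layout
# produced by EventQuery.vbs /fo CSV; adjust the column names to match a real dump.
SAMPLE_CSV = """\
Type,Event,Date Time,Source,ComputerName,Category,User,Description
Success Audit,528,1/17/2003 8:02:11 AM,Security,DC1,Logon/Logoff,alice,Successful Logon
Success Audit,560,1/17/2003 8:05:40 AM,Security,DC1,Object Access,alice,Object Open
Success Audit,538,1/17/2003 9:10:02 AM,Security,DC1,Logon/Logoff,alice,User Logoff
Success Audit,528,1/17/2003 9:30:15 AM,Security,DC1,Logon/Logoff,bob,Successful Logon
Failure Audit,529,1/17/2003 9:31:00 AM,Security,DC1,Logon/Logoff,alice,Logon Failure
Success Audit,528,1/17/2003 9:45:00 AM,Security,DC1,Logon/Logoff,alice,Successful Logon
Success Audit,560,1/17/2003 9:50:12 AM,Security,DC1,Object Access,alice,Object Open
Success Audit,538,1/17/2003 10:00:00 AM,Security,DC1,Logon/Logoff,alice,User Logoff
Success Audit,528,1/17/2003 10:20:00 AM,Security,DC1,Logon/Logoff,alice,Successful Logon
Success Audit,560,1/17/2003 10:25:00 AM,Security,DC1,Object Access,alice,Object Open
Success Audit,564,1/17/2003 10:26:00 AM,Security,DC1,Object Access,alice,Object Deleted
"""


def parse_events(csv_text):
    """Read the export into dicts, attach a parsed timestamp and order by time.
    The sort is stable, so records with identical timestamps keep their log order."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Date Time"], "%m/%d/%Y %I:%M:%S %p")
    rows.sort(key=lambda r: r["ts"])
    return rows


def pivot(events, key_field):
    """PivotTable-style view: for each distinct value of key_field (e.g. "User" or
    "ComputerName"), count how many events of each Event ID were recorded."""
    table = defaultdict(Counter)
    for event in events:
        table[event[key_field]][event["Event"]] += 1
    return {key: dict(counts) for key, counts in table.items()}


def since_next_to_last_logoff(events, user, logoff_id="538"):
    """Answer "what did userX do since their next-to-last logoff?".
    Returns the user's events, in time order, strictly after that logoff.
    Edge case: with fewer than two logoffs in the export there is no such
    boundary, so the whole history of the user in the export is returned."""
    mine = [e for e in events if e["User"] == user]
    logoff_positions = [i for i, e in enumerate(mine) if e["Event"] == logoff_id]
    if len(logoff_positions) < 2:
        return mine
    return mine[logoff_positions[-2] + 1:]


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for user, counts in pivot(events, "User").items():
        print(user, counts)
    for e in since_next_to_last_logoff(events, "alice"):
        print(e["ts"], e["Event"], e["Description"])
```

Run against a real export, `pivot(events, "ComputerName")` gives the "what has been done on this machine?" view and the same window function, with a different marker event ID, answers "since it was last restarted" style questions for a service; the time-ordered log is untouched, which keeps the forensic timeline Paul insists on.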
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 10:47:14 PST