'프로젝트 관련 조사/로그 관련' 카테고리의 글 목록

프로젝트 관련 조사/로그 관련

[Elasticsearch] 관계형 DB와 Elasticsearch 비교 2019.11.13
[Log] 크리티컬한 보안 로그 체크리스트 2015.12.03
정규식 적용 2015.11.27
[Rsyslog] Rsyslog conf 상황에 맞게 필터링 하기 2015.11.24

[Elasticsearch] 관계형 DB와 Elasticsearch 비교

호레 2019. 11. 13. 16:28

2019. 11. 13. 16:28

1. RDB ElasticSearch 비교

RDB	ElasticSearch
Database	Index
Table	Type
Row	Document
Column	Field

참고사이트

http://sarc.io/index.php/aws/565-aws-elasticsearch-index-document

'프로젝트 관련 조사 > 로그 관련' 카테고리의 다른 글

[Log] 크리티컬한 보안 로그 체크리스트 (0)	2015.12.03
정규식 적용 (0)	2015.11.27
[Rsyslog] Rsyslog conf 상황에 맞게 필터링 하기 (0)	2015.11.24
Rsyslog IP로 필터링 하기 (0)	2015.11.16
정규표현식 - 1장 (0)	2015.11.12

[Log] 크리티컬한 보안 로그 체크리스트

호레 2015. 12. 3. 13:10

2015. 12. 3. 13:10

critical log checklist.pdf

출처: https://zeltser.com/security-incident-log-review-checklist/

http://www.tecmint.com/linux-directory-structure-and-important-files-paths-explained/

-> Linux Directory Structure and Important Files Paths Explained

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs. If you like this, take a look at my other IT cheat sheets.

General Approach

Identify which log sources and automated tools you can use during the analysis.
Copy log records to a single location where you will be able to review them.
Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
Determine whether you can rely on logs’ time stamps; consider time zone differences.
Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
Go backwards in time from now to reconstruct actions after and before the incident.
Correlate activities across different logs to get a comprehensive picture.
Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources

Server and workstation operating system logs
Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.

Typical Log Locations

Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux

Successful user login	“Accepted password”,“Accepted publickey”, “session opened”
Failed user login	“authentication failure”,“failed password”
User log-off	“session closed”
User account change or deletion	“password changed”,“new user”, “delete user”
Sudo actions	“sudo: … COMMAND=…”“FAILED su”
Service failure	“failed” or “failure”

What to Look for on Windows

Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID.
Most of the events below are in the Security log; many are only logged on the domain controller.
User logon/logoff events	Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes	Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes	To self: 628; to others: 627
Service started or stopped	7035, 7036, etc.
Object access denied (if auditing enabled)	560, 567, etc

What to Look for on Network Devices

Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
Traffic allowed on firewall	“Built … connection”,“access-list … permitted”
Traffic blocked on firewall	“access-list … denied”,“deny inbound”, “Deny … by”
Bytes transferred (large files?)	“Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage	“limit … exceeded”,“CPU utilization”
Detected attack activity	“attack from”
User account changes	“user added”,“user deleted”, “User priv level changed”
Administrator access	“AAA user …”,“User … locked out”, “login failed”

What to Look for on Web Servers

Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication	Error code 401, 403
Invalid request	Error code 400
Internal server error	Error code 500

저작자표시

'프로젝트 관련 조사 > 로그 관련' 카테고리의 다른 글

[Elasticsearch] 관계형 DB와 Elasticsearch 비교 (0)	2019.11.13
정규식 적용 (0)	2015.11.27
[Rsyslog] Rsyslog conf 상황에 맞게 필터링 하기 (0)	2015.11.24
Rsyslog IP로 필터링 하기 (0)	2015.11.16
정규표현식 - 1장 (0)	2015.11.12

정규식 적용

호레 2015. 11. 27. 13:26

2015. 11. 27. 13:26

^(?<time>[^ ]* [^ ]* [^ ]*) (?<host>[^ ]*) \[(?<toolName>[^ ]*)\] \[Attack_Name=]*(?<atackName>[^\]]*)\]\, \[Time=]*(?<time2>[^\]]*)\]\, \[Hacker=]*(?<hackerIP>[^\]]*)\]\, \[Victim=]*(?<victimIP>[^\]]*)\]\, \[Protocol=]*(?<protocol>[^\/]*)\/(?<port>[^\]]*)\]\, \[Risk=]*(?<priority>[^\]]*)\]\, \[Handling=]*(?<handling>[^\]]*)\]\, \[Information=]*(?<information>[^\]]*)\]\, \[SrcPort=]*(?<srcPort>[^\]]*)\]$

^(?<time>[^ ]* [^ ]* [^ ]*) (?<host>[^ ]*) \[(?<toolName>[^ ]*)\] \[Attack_Name=]*(?<attackName>[^\]]*)\] \[Time=]*(?<time2>[^\]]*)\] \[Src_ip=]*(?<srcIP>[^\]]*)\] \[Dst_ip=]*(?<dstIP>[^\]]*)\] \[Protocol=]*(?<protocol>[^\/]*)\/*(?<port>[^\]]*)\] \[Filter=]*(?<filter>[^\]]*)\] \[Action=]*(?<action>[^\]]*)\] \[Src_port=]*(?<srcPort>[^\]]*)\]

^(?<time>[^ ]* [^ ]* [^ ]*) (?<host>[^ ]*) \[(?<toolName>[^ ]*)\] \[Attack_Name=$\d*$]*(?<attackName>[^\]]*)\]\, \[Time=]*(?<year>\d{4})\/(?<month>\d{1,2})\/(?<day>\d{1,2})(?<time2>[^\]]*)\]\, \[Hacker=]*(?<hackerIP>[^\]]*)\]\, \[Victim=]*(?<victimIP>[^\]]*)\]\, \[Protocol=]*(?<protocol>[^\/]*)\/(?<port>[^\]]*)\]\, \[Risk=]*(?<priority>[^\]]*)\]\, \[Handling=]*(?<handling>[^\]]*)\]\, \[Information=]*(?<information>[^\]]*)\]\, \[SrcPort=]*(?<srcPort>[^\]]*)\]$

^(?<time>[^ ]* [^ ]* [^ ]*) (?<host>[^ ]*) \[(?<toolName>[^ ]*)\] \[Attack_Name=]*(?<attackName>[^\]]*)\] \[Time=]*(?<year>\d{4})\/(?<month>\d{1,2})\/(?<day>\d{1,2})(?<time2>[^\]]*)\] \[Src_ip=]*(?<srcIP>[^\]]*)\] \[Dst_ip=]*(?<dstIP>[^\]]*)\] \[Protocol=]*(?<protocol>[^\/]*)\/*(?<port>[^\]]*)\] \[Filter=]*(?<filter>[^\]]*)\] \[Action=]*(?<action>[^\]]*)\] \[Src_port=]*(?<srcPort>[^\]]*)\]

^(?<time>[^ ]*) \[\*\*] [^ ]* (?<messages>[^\[]*)\[\*\*] \[Classification: (?<classification>[^\]]*)\] \[Priority: (?<priority>[^\]]*)] {(?<protocol>[^ ]*)} (?<srcIP>[^:]*):(?<srcPort>[^ ]*) -> (?<dstIP>[^:]*):(?<dstPort>[^ ]*)$

- 수리카타 fast.log 정규식

[Sun Nov 15 08:34:33 2015] [error] [client 111.85.191.131] request failed: error reading the headers

^\[[^ ]* (?<time>[^\]]*)\] \[(?<level>[^\]]*)\] \[client (?<client_ip>[^\]]*)\] (?<message>.*)$

-apache2 error 정규식

저작자표시

'프로젝트 관련 조사 > 로그 관련' 카테고리의 다른 글

[Elasticsearch] 관계형 DB와 Elasticsearch 비교 (0)	2019.11.13
[Log] 크리티컬한 보안 로그 체크리스트 (0)	2015.12.03
[Rsyslog] Rsyslog conf 상황에 맞게 필터링 하기 (0)	2015.11.24
Rsyslog IP로 필터링 하기 (0)	2015.11.16
정규표현식 - 1장 (0)	2015.11.12

[Rsyslog] Rsyslog conf 상황에 맞게 필터링 하기

호레 2015. 11. 24. 11:25

2015. 11. 24. 11:25

Rsyslog conf 상황에 맞게 필터링 하기

위와 같은 문법을 이용하면 특정 ip를 필터링 할 수 있다.

msg에 들어 있는 값들로 필터링을 하며,

위 로그는 침해사고시 분석할만한 주요 로그들을 분류하여 보았다.

syslogtag을 확인화며 위와 같은 tag일 때 로그를 분류 함

저작자표시

'프로젝트 관련 조사 > 로그 관련' 카테고리의 다른 글

[Log] 크리티컬한 보안 로그 체크리스트 (0)	2015.12.03
정규식 적용 (0)	2015.11.27
Rsyslog IP로 필터링 하기 (0)	2015.11.16
정규표현식 - 1장 (0)	2015.11.12
자주 쓰는 정규 표현식 (0)	2015.11.11

PREV 이전 1 2 3 4 ···17 NEXT 다음

Unique Life