[logs] SIM solution - Objectives ? (Firewall logging)

Dave Ellingsberg Dave.Ellingsberg at csu.mnscu.edu
Wed May 30 06:43:50 PDT 2007


B.)  how do you find this host?  In an edu setting we are open and many connections come and go from all parts of the world, and we have to allow them both ways on 80.  So say from a firewall log built message how can I tell this is passwords and not normal web traffic?

First I have to find the malware, ah that leads me to searching for Deny's and Windows executables to locate a system with infectious signs.  If lots of data is flowing out then maybe a snort rule is the best way to see what the data is!  But until you know you have something somewhere you have no idea from firewall logs or netflow data what the data is.

So again the best is to log as much as you can for forensic purposes and then you probably are guessing at what has really happened, because it's just not possible to log full data packets.

There was one reply that gave me some thought as to what malware sigs I am looking for in addition to .exe .com .pif .bat using a piped egrep in logs.  I have seen malware downloaded as gif and then installed as an exe so this is not by any means foolproof.

foot.
 
 
>>> "Paul Melson" <pmelson at gmail.com> 05/30/07 8:31 am >>>
> depends on which way traffic is flowing.  Logging deny's outbound is very
> effective in locating malware on your hosts.  I do not care much about
> deny's inbound it's blocked.  and it's blocked outbound but it still
> indicates a bot or some other malware on one of the internal hosts.
> Every log rule has value you just have to find it sometimes.
 
I don't think anybody's said that 'deny' messages were unimportant.  But 
from a security context, I would argue that they will almost always be less 
important than a similar 'accept'.  
 
Let's take your example of using outbound deny messages to find malware. 
And let's say that my firewall allows port 80 outbound but not port 25. 
Scenario A) is a spambot dropped on a workstation that is unable to send 
spam messages.  Scenario B) is a new Haxdoor variant that is scraping 
passwords and sending them to a web site in China.  In this case being able 
to analyze allowed traffic and respond to the incident where data actually 
left your network would be significantly more important.  It would also be 
important to know what else has come and gone from the IP address where the 
passwords were sent or even that entire APNIC address block.  And while all 
of the log data is useful, it's the successful connections that require 
immediate attention. 
 
PaulM 
 
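Added example, not code from anyone in this thread: a Python triage over constructed key=value firewall log lines that applies the ordering argued above, allowed outbound connections that moved a lot of data first, then internal hosts repeatedly denied outbound on one port, then executable-looking names in allowed web traffic, the same idea as the piped egrep on .exe .com .pif .bat. The log format, field names, thresholds and sample addresses are all assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic key=value format (not any vendor's real log format).
SAMPLE_LOG = """\
action=ACCEPT src=10.1.2.3 dst=203.0.113.9 dport=80 bytes=5120 url=/index.html
action=DENY src=10.1.2.7 dst=198.51.100.4 dport=25 bytes=0
action=DENY src=10.1.2.7 dst=198.51.100.5 dport=25 bytes=0
action=DENY src=10.1.2.7 dst=198.51.100.6 dport=25 bytes=0
action=ACCEPT src=10.1.2.3 dst=203.0.113.9 dport=80 bytes=2097152 url=/upload.php
action=ACCEPT src=10.1.2.9 dst=203.0.113.22 dport=80 bytes=90112 url=/img/logo.gif
action=ACCEPT src=10.1.2.9 dst=203.0.113.22 dport=80 bytes=40960 url=/dl/update.exe
action=DENY src=192.0.2.77 dst=10.1.2.3 dport=445 bytes=0
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Same idea as the piped egrep in the thread: executable-looking names in the URL path.
# Caveat from the thread: a payload served as .gif never matches this.
EXEC_EXT = re.compile(r"\.(exe|com|pif|bat)(\?|$)", re.IGNORECASE)

def parse_line(line):
    """Split 'k=v k=v ...' into a dict; bytes and dport become ints."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["bytes"] = int(rec.get("bytes", 0))
    rec["dport"] = int(rec["dport"])
    return rec

def is_outbound(rec):
    """RFC 1918 source talking to a non-RFC 1918 destination."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    return any(src in n for n in RFC1918) and not any(dst in n for n in RFC1918)

def triage(log_text, big_bytes=1_000_000, deny_threshold=3):
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    out = [r for r in recs if is_outbound(r)]
    # 1. Allowed outbound connections that moved a lot of data: something already left, look here first.
    big_accepts = sorted((r for r in out if r["action"] == "ACCEPT" and r["bytes"] >= big_bytes),
                         key=lambda r: r["bytes"], reverse=True)
    # 2. Internal hosts repeatedly denied outbound on one port (e.g. 25): a bot that cannot get out.
    deny_counts = Counter((r["src"], r["dport"]) for r in out if r["action"] == "DENY")
    repeat_denies = {k: n for k, n in deny_counts.items() if n >= deny_threshold}
    # 3. Executable-looking fetches hidden inside allowed web traffic.
    exec_hits = [r for r in out if r["action"] == "ACCEPT" and EXEC_EXT.search(r.get("url", ""))]
    return {"big_accepts": big_accepts, "repeat_denies": repeat_denies, "exec_hits": exec_hits}

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG)["big_accepts"]:
        print("INVESTIGATE FIRST: %s -> %s:%d moved %d bytes" % (r["src"], r["dst"], r["dport"], r["bytes"]))
```

The inbound deny from 192.0.2.77 is deliberately left out of every bucket: as the thread says, inbound denies are already blocked and carry the least urgency.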