IDS Signatures and Detectable Events

This section includes raw log data from operating systems and intrusion detection systems, forensic evidence of system compromises, and configuration files for log monitoring programs (primarily checksyslog, logsurfer, and swatch).

  • yppasswd Buffer Overflow exploit & log data
  • cachefsd -- CERT issued an advisory (CA-2002-11) about a remotely exploitable heap overflow in the Solaris cachefsd service. They included the following log data, in which inetd reports cachefsd dying on each failed attempt:
    May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
    May 16 22:46:21 victim-host last message repeated 7 times
    May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
    May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
    May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
    May 16 22:46:59 victim-host last message repeated 1 time
    May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
    May 16 22:47:07 victim-host last message repeated 3 times
    May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
    May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped

    CERT also stated that it had received reports that this vulnerability was being exploited in the wild, as of 9 May 2002. Note that these messages record attempts that crashed the daemon; an attempt that lands cleanly need not leave a core dump, so a run of cachefsd crashes should be read as an attack in progress, not as evidence that it failed.

  • emf's logsurfer configuration page -- emf's logsurfer signatures, as posted to the Log Analysis mailing list.
  • Fingerprinting Port 80 Attacks. Great analysis of Web server attacks, including log data. Part 2 covers characters missed in the first, along with additional information that proves useful when dealing with Port 80 related attacks.
  • Hacked by FTP. A posting from the Incidents mailing list, describing a system compromised through FTP, and showing the syslog evidence of the attacker's actions.
  • Laurie Zirkle's aggregated IDS and firewall logs, based on data collected through http://www.dshield.org and http://aris.securityfocus.com. The text files are named by date (year/month/day, e.g. 02051). They start with April 16, 2002.
  • Repeated lpr exploit attempts. This November 6, 2001 posting to the intrusions@incidents.org mailing list shows an attack attempting to find UNIX boxes vulnerable to printer daemon exploits. The data is syslog output from the boxes under attack.
  • Solaris SNMP syslog data: In testing the PROTOS SNMP test suite against snmpdx on Solaris 2.7, Counterpane discovered that a variety of syslog messages are generated. Here's the raw data (names have been changed to protect the innocent) and here's a summary of our results:
    In their original form, each of these messages is preceded by an "snmpdx:" service field. Some of the numbers in parentheses are byte counts or other values taken from the input, not specific error codes. Each line below stands for many occurrences of that message type; the numbers vary between test cases, though some stay the same.
    agent snmpd not responding
    SNMP error (UNKNOWN! (16777215), 0) sent back to test.counterpane.com.65314
    SNMP error (badValue(3), 0) sent back to test.counterpane.com.33141
    SNMP error (genErr(5), 16533) sent back to test.counterpane.com.33306
    SNMP error (readOnly(4), 0) sent back to test.counterpane.com.33212
    SNMP error (tooBig(1), 0) sent back to test.counterpane.com.32999
    error while receiving a pdu from test.counterpane.com.60271: The message has a wrong version (65793)
    error while sending a pdu back to test.counterpane.com.33363: The buffer is too small
    error while sending a pdu to localhost.32789: The buffer is too small
    no variable in PDU received from test.counterpane.com.33570
    session_open() failed for a pdu received from test.counterpane.com.33576
    session_send_request() failed
    unable to handle SNMP request with more than 32 variables
    Agent snmpd appeared dead but responded to ping
  • The following lines in syslog data indicate a probe for the SSH CRC-32 Compensation Attack Detector vulnerability:

    sshd[6169]: fatal: Local: Corrupted check bytes on input.
    sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected

    Dave Dittrich's analysis of this attack against a University of Washington system

  • Jeremy Mates' swatch configuration
  • Stuart Kendrick's swatch configuration
  • The Worms Come Marching In: analysis of two years of web server logs on a single system, to look for the patterns of infections from code red 1, code red 2, and the nimda worm.
  • Detecting SQL Injection Attacks on Oracle: Pete Finnigan's paper on SQL injection includes discussions of system and application logs in the context of Oracle security
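The cachefsd, snmpdx and sshd messages above are all events a log monitor can match on. As an added example, not code from the original page or from checksyslog, logsurfer or swatch, the Python script below parses plain syslog lines, expands Solaris syslogd's "last message repeated N times" lines back into the repeated event (so the cachefsd burst above counts as 17 core dumps, not 7 lines), and applies three signatures: a threshold of cachefsd core dumps within a time window, sshd's CRC-32 detector messages on sight, and a burst of snmpdx errors from one host. The sample log is constructed from the lines on this page, with timestamps and a hostname added where the page omits them; the thresholds, the window sizes and the 2002 log year are assumptions.

```python
"""Signature scanner for the syslog events on this page (added example).

Handles BSD/Solaris-style lines, replays "last message repeated N times",
and fires when a signature's count crosses its threshold inside its window.
"""
import re
from collections import deque
from datetime import datetime, timedelta

LOG_YEAR = 2002  # assumption: BSD-style syslog timestamps carry no year

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
PROG_RE = re.compile(r"^(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")

# signature -> (pattern over "prog: msg", events needed, window in seconds).
# Thresholds/windows are illustrative. "Hangup" is left out of the cachefsd
# rule on purpose: SIGHUP can be an operator restart rather than a crash.
SIGNATURES = {
    "cachefsd-crash": (re.compile(
        r"^inetd: /usr/lib/fs/cachefs/cachefsd: "
        r"(?:Segmentation Fault|Bus Error) - core dumped"), 3, 120),
    "ssh-crc32": (re.compile(
        r"^sshd: fatal: Local: (?:Corrupted check bytes on input"
        r"|crc32 compensation attack: network attack detected)"), 1, 0),
    "snmpdx-error": (re.compile(
        r"^snmpdx: (?:SNMP error \(|error while (?:receiving|sending) a pdu"
        r"|no variable in PDU|unable to handle SNMP request)"), 5, 60),
}


def parse(line):
    """Split one syslog line into fields; None if it is not a syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    pm = PROG_RE.match(ev["rest"])  # "prog[pid]: msg"; repeat lines lack this
    ev["prog"], ev["msg"] = (pm.group("prog"), pm.group("msg")) if pm else ("", ev["rest"])
    return ev


def events(lines):
    """Yield parsed events, replaying the previous event N times for each
    'last message repeated N times' line (syslogd's duplicate suppression)."""
    last = None
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        rep = REPEAT_RE.match(ev["rest"])
        if rep:
            if last is not None:
                for _ in range(int(rep.group("n"))):
                    yield dict(last, ts=ev["ts"], when=ev["when"])
            continue
        last = ev
        yield ev


def scan(lines):
    """Run every signature over the log; return (alerts, per-signature totals)."""
    buckets = {}  # (signature, host) -> deque of event times inside the window
    totals = {name: 0 for name in SIGNATURES}
    alerts = []
    for ev in events(lines):
        text = f"{ev['prog']}: {ev['msg']}"
        for name, (pattern, needed, window) in SIGNATURES.items():
            if not pattern.match(text):
                continue
            totals[name] += 1
            bucket = buckets.setdefault((name, ev["host"]), deque())
            bucket.append(ev["when"])
            cutoff = ev["when"] - timedelta(seconds=window)
            while bucket and bucket[0] < cutoff:
                bucket.popleft()
            # Fire once, when the count first reaches the threshold in-window.
            if len(bucket) == needed:
                alerts.append({"signature": name, "host": ev["host"],
                               "time": ev["ts"], "count": needed})
    return alerts, totals


# Constructed sample: the page's cachefsd/sshd/snmpdx lines plus one benign
# sendmail line, with timestamps and hostname added where the page has none.
SAMPLE_LOG = """\
May 16 22:45:00 victim-host sendmail[412]: alias database /etc/mail/aliases rebuilt by root
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:48:30 victim-host sshd[6169]: fatal: Local: Corrupted check bytes on input.
May 16 22:48:31 victim-host sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected
May 16 22:50:01 victim-host snmpdx: SNMP error (UNKNOWN! (16777215), 0) sent back to test.counterpane.com.65314
May 16 22:50:02 victim-host snmpdx: SNMP error (badValue(3), 0) sent back to test.counterpane.com.33141
May 16 22:50:03 victim-host snmpdx: error while receiving a pdu from test.counterpane.com.60271: The message has a wrong version (65793)
May 16 22:50:04 victim-host snmpdx: no variable in PDU received from test.counterpane.com.33570
May 16 22:50:05 victim-host snmpdx: unable to handle SNMP request with more than 32 variables
May 16 22:50:06 victim-host snmpdx: SNMP error (tooBig(1), 0) sent back to test.counterpane.com.32999
"""

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['time']} {a['host']} {a['signature']} ({a['count']} events in window)")
    print("matched events per signature:", counts)
```

Run against the sample, it raises one cachefsd alert at 22:46:21 (the third crash, reached inside the replayed repeats), one alert per sshd line, and one snmpdx alert at the fifth error; the totals show 17 cachefsd core dumps, which is the number a monitor that ignores "last message repeated" lines would undercount. Keying buckets by host keeps a noisy snmpdx test box from masking a quieter cachefsd burst elsewhere.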
