2009-11-30 11:46:46

In a previous post, we looked at . Here, we will configure syslog-ng to accept messages from Snare and implement a few simple customizations, including storing the logs in individual files. We will assume that Snare is operational for the purposes of this guide. Please see the post referenced above for help with installing Snare.

For this test, I am running syslog-ng 3.0.1 on FreeBSD 7.1 and Snare 3.14 on Windows XP.

First, we will start with a very basic configuration that logs to /var/log/messages:

source src {
    internal();
    udp(port(514));
};
destination messages { file("/var/log/messages"); };

log { source(src); destination(messages); };

That's about as basic as it gets. internal() collects syslog-ng's own messages, and udp() listens on the default address (all interfaces) and the default port (UDP/514) for incoming log messages. Looking at the log file /var/log/messages, we see:

test# tail /var/log/messages
May 13 17:31:33 jerry/jerry MSWinEventLog       2       Security        9898    Wed: May 13 17:31:26 2009       642     Security        SYSTEM  User    Success Audit   JERRY   Account Management               User Account Changed:     -     Target Account Name: Guest     Target Domain: JERRY     Target Account ID: %{S-1-5-21-1390067357-926492609-682003330-501}     Caller User Name: JERRY$     Caller Domain: WORKGROUP     Caller Logon ID: (0x0,0x3E7)     Privileges: -           8940
May 13 17:31:33 jerry/jerry MSWinEventLog       2       Security        9899    Wed: May 13 17:31:27 2009       642     Security        SYSTEM  User    Success Audit   JERRY   Account Management               User Account Changed:     -     Target Account Name: Guest     Target Domain: JERRY     Target Account ID: %{S-1-5-21-1390067357-926492609-682003330-501}     Caller User Name: JERRY$     Caller Domain: WORKGROUP     Caller Logon ID: (0x0,0x3E7)     Privileges: -           8941
May 13 17:32:00 jerry/jerry MSWinEventLog       1       Security        9900    Wed: May 13 17:32:00 2009       540     Security        ANONYMOUS LOGON Well Known Group        Success Audit    JERRY   Logon/Logoff            Successful Network Logon:     User Name:      Domain:      Logon ID: (0x0,0xF549B3E6)     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: SARAH-LAPTOP     Logon GUID: -        8942
May 13 17:32:14 jerry/jerry MSWinEventLog       1       Security        9901    Wed: May 13 17:32:14 2009       538     Security        ANONYMOUS LOGON Well Known Group        Success Audit    JERRY   Logon/Logoff            User Logoff:     User Name: ANONYMOUS LOGON     Domain: NT AUTHORITY     Logon ID: (0x0,0xF549B3E6)     Logon Type: 3           8943
May 13 17:32:43 jerry/jerry MSWinEventLog       1       Security        9902    Wed: May 13 17:32:43 2009       861     Security        SYSTEM  User    Failure Audit   JERRY   Detailed Tracking                The Windows Firewall has detected an application listening for incoming traffic.        Name: -    Path: C:\Program Files\Snare\SnareCore.exe    Process identifier: 2920    User account: SYSTEM    User domain: NT AUTHORITY    Service: Yes    RPC server: No    IP version: IPv4    IP protocol: TCP    Port number: 6161    Allowed: No    User notified: No         8944
May 13 17:34:00 jerry/jerry MSWinEventLog       1       Security        9903    Wed: May 13 17:34:00 2009       540     Security        ANONYMOUS LOGON Well Known Group        Success Audit    JERRY   Logon/Logoff            Successful Network Logon:     User Name:      Domain:      Logon ID: (0x0,0xF54EF11E)     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     Workstation Name: SARAH-LAPTOP     Logon GUID: -        8945
May 13 17:34:14 jerry/jerry MSWinEventLog       1       Security        9904    Wed: May 13 17:34:14 2009       538     Security        ANONYMOUS LOGON Well Known Group        Success Audit    JERRY   Logon/Logoff            User Logoff:     User Name: ANONYMOUS LOGON     Domain: NT AUTHORITY     Logon ID: (0x0,0xF54EF11E)     Logon Type: 3           8946

Good so far. My Windows XP is being quite chatty via Snare. Next, we'll configure syslog-ng to log to a separate file for each host:

source src {
    internal();
    udp(port(514));
};
destination messages { file("/var/log/$HOST"); };
log { source(src); destination(messages); };

Now, I wait a minute and take a look in /var/log:

test# ls -l /var/log/jerry
-rw-------  1 root  wheel  1195 May 13 18:12 /var/log/jerry

“jerry” is the name of my Windows XP PC.

Next, we will filter occurrences of cmd.exe into a special file, /var/log/cmdshell.log. I know from horsing around that Snare sends logs when cmd.exe is run that look like this:

May 13 18:38:52 jerry/jerry MSWinEventLog       0       Security        9988    Wed: May 13 18:38:52 2009       592     Security        Jerryb  User    Success Audit   JERRY   Detailed Tracking                A new process has been created:     New Process ID: 3240     Image File Name: C:\WINDOWS\system32\cmd.exe     Creator Process ID: 444     User Name: Jerryb     Domain: JERRY     Logon ID: (0x0,0x1B054)        9029
May 13 18:38:58 jerry/jerry MSWinEventLog       0       Security        9989    Wed: May 13 18:38:56 2009       593     Security        Jerryb  User    Success Audit   JERRY   Detailed Tracking                A process has exited:     Process ID: 3240     Image File Name: C:\WINDOWS\system32\cmd.exe     User Name: Jerryb     Domain: JERRY     Logon ID: (0x0,0x1B054)          9030

So, we will create a filter to match "cmd.exe" and copy those messages to our separate log file:

source src {
    internal();
    udp(port(514));
};
filter f_cmdshell { match("cmd.exe"); };
destination messages { file("/var/log/$HOST"); };
destination d_cmdshell { file("/var/log/cmdshell.log"); };
log { source(src); destination(messages); };
log { source(src); filter(f_cmdshell); destination(d_cmdshell); };

First, we added a filter statement, with a pretty self-explanatory "match()" argument. Note that match() takes a regular expression and tests it, unanchored, against the message, so any message containing cmd.exe (with the dot matching any character) is routed, not only the process-creation and process-exit events shown above; the per-host log statement still receives those messages too, since a message can match more than one log statement. We define an additional destination for the cmdshell.log file, and create an additional log statement that includes the filter and the new destination.

On my XP PC, I open up the command prompt and close it again. Then, on my syslog server, I see this:

test# ls -l /var/log/cmdshell.log
-rw-------  1 root  wheel  682 May 13 18:43 /var/log/cmdshell.log

test# more /var/log/cmdshell.log
May 13 18:44:12 jerry/jerry MSWinEventLog       0       Security        10000   Wed: May 13 18:44:12 2009       592     Security        Jerryb  User    Success Audit   JERRY   Detailed Tracking               A new process has been created:     New Process ID: 7964     Image File Name: C:\WINDOWS\system32\cmd.exe     Creator Process ID: 444     User Name: Jerryb     Domain: JERRY     Logon ID: (0x0,0x1B054)       9041
May 13 18:44:31 jerry/jerry MSWinEventLog       0       Security        10002   Wed: May 13 18:44:31 2009       593     Security        Jerryb  User    Success Audit   JERRY   Detailed Tracking               A process has exited:     Process ID: 7964     Image File Name: C:\WINDOWS\system32\cmd.exe     User Name: Jerryb     Domain: JERRY     Logon ID: (0x0,0x1B054)         9043

As you can see, we did not actually have to make any specific provisions in syslog-ng to work with Snare: its messages are ordinary syslog datagrams, so the standard udp() source accepts them as they are.
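To make the Snare line format and the cmd.exe filter concrete, here is an added example (my code, not from the post, Snare or syslog-ng) that parses MSWinEventLog lines like the ones shown above and routes them the way the two log statements do: every message to /var/log/$HOST, and messages matching the cmd.exe filter additionally to cmdshell.log. The sample lines are constructed from the post's output with the tabs that Snare really sends (the blog rendering collapsed them into spaces); the field labels are this example's own; the last constructed line, an object-access event that merely names cmd.exe, is included to show what an unanchored substring filter sweeps up alongside process events. Taking the part before the "/" in "jerry/jerry" as the host is an assumption that matches the /var/log/jerry file the post shows, not something the post explains.

```python
"""Parse Snare MSWinEventLog lines and route them like the post's syslog-ng config.
Added example: not code from the post, Snare or syslog-ng."""
import re

# Constructed sample lines modelled on the post's output.  Snare puts tabs
# between its fields; the blog rendering collapsed them into runs of spaces.
SAMPLE_LINES = [
    "May 13 18:38:52 jerry/jerry MSWinEventLog\t0\tSecurity\t9988\tWed: May 13 18:38:52 2009"
    "\t592\tSecurity\tJerryb\tUser\tSuccess Audit\tJERRY\tDetailed Tracking\t\t"
    "A new process has been created:     New Process ID: 3240     "
    "Image File Name: C:\\WINDOWS\\system32\\cmd.exe     Creator Process ID: 444     "
    "User Name: Jerryb     Domain: JERRY     Logon ID: (0x0,0x1B054)\t9029",
    "May 13 18:38:58 jerry/jerry MSWinEventLog\t0\tSecurity\t9989\tWed: May 13 18:38:56 2009"
    "\t593\tSecurity\tJerryb\tUser\tSuccess Audit\tJERRY\tDetailed Tracking\t\t"
    "A process has exited:     Process ID: 3240     "
    "Image File Name: C:\\WINDOWS\\system32\\cmd.exe     User Name: Jerryb     "
    "Domain: JERRY     Logon ID: (0x0,0x1B054)\t9030",
    "May 13 17:32:00 jerry/jerry MSWinEventLog\t1\tSecurity\t9900\tWed: May 13 17:32:00 2009"
    "\t540\tSecurity\tANONYMOUS LOGON\tWell Known Group\tSuccess Audit\tJERRY\tLogon/Logoff\t\t"
    "Successful Network Logon:     User Name:      Domain:      Logon ID: (0x0,0xF549B3E6)     "
    "Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM     "
    "Workstation Name: SARAH-LAPTOP     Logon GUID: -\t8942",
    # Constructed (shape only): an object-access event that merely names cmd.exe
    # in its description, to show what the substring filter also sweeps up.
    "May 13 18:50:01 jerry/jerry MSWinEventLog\t0\tSecurity\t9995\tWed: May 13 18:50:01 2009"
    "\t560\tSecurity\tJerryb\tUser\tSuccess Audit\tJERRY\tObject Access\t\t"
    "Object Open:     Object Type: File     Object Name: C:\\WINDOWS\\system32\\cmd.exe     "
    "Process ID: 444     Image File Name: C:\\WINDOWS\\explorer.exe\t9036",
]

# Syslog header as written in the post: "MMM dd HH:MM:SS host[/orig] MSWinEventLog".
# The post's per-host file was /var/log/jerry, so the part before any "/" is taken
# as the host (an assumption about how $HOST was derived, not stated by the post).
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s/]+)(?:/\S+)? MSWinEventLog\t(?P<rest>.*)$"
)

# Labels for the tab-separated Snare fields in the order they appear in the post's
# lines.  These names are this example's own, not Snare's documented field names.
FIELD_NAMES = [
    "criticality", "log", "counter", "event_time", "event_id", "source", "user",
    "sid_type", "audit_type", "computer", "category", "data", "description", "trailer",
]


def parse_description(text):
    """Split the description into its title and "Key: value" pairs.  Snare separates
    the pairs with runs of spaces; a value may be empty ("User Name:      Domain:")."""
    segments = re.split(r"\s{2,}", text.strip())
    title = segments[0].rstrip(":")
    fields = {}
    for seg in segments[1:]:
        key, _, value = seg.partition(":")
        fields[key.strip()] = value.strip()
    return title, fields


def parse_snare_line(line):
    """Return a dict with the syslog header, the Snare fields and the parsed description."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snare MSWinEventLog line")
    fields = m.group("rest").split("\t")
    if len(fields) < len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} tab-separated fields, got {len(fields)}")
    rec = dict(zip(FIELD_NAMES, fields))
    rec["syslog_time"] = m.group("ts")
    rec["host"] = m.group("host")
    rec["title"], rec["fields"] = parse_description(rec["description"])
    return rec


def matches_cmdshell_substring(line):
    """The post's filter: match("cmd.exe") is an unanchored regex over the message."""
    return re.search(r"cmd.exe", line) is not None


def is_cmdshell_process_event(rec):
    """Tighter check: a process create/exit event (IDs 592/593 as seen in the post)
    whose Image File Name is cmd.exe, ignoring other events that merely mention it."""
    image = rec["fields"].get("Image File Name", "").lower()
    return rec["event_id"] in ("592", "593") and image.endswith("\\cmd.exe")


def route(line):
    """Mirror the post's two log statements: every message goes to /var/log/$HOST;
    messages passing the cmd.exe filter additionally go to cmdshell.log."""
    rec = parse_snare_line(line)
    destinations = [f"/var/log/{rec['host']}"]
    if matches_cmdshell_substring(line):
        destinations.append("/var/log/cmdshell.log")
    return destinations
```

Running route() over SAMPLE_LINES sends the first, second and fourth lines to both files and the logon line only to /var/log/jerry; is_cmdshell_process_event() accepts only the first two, which is the distinction to keep in mind if cmdshell.log is meant to record shells being started rather than every message that mentions the binary.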
