# Generic Log Analysis (Netflow)
Netflow collects IP traffic information. It was developed by Cisco, but devices from other manufacturers also export Netflow.
Other manufacturers support sFlow or similar protocols.
With Netflow or equivalent protocols:
- ISPs bill for services
- design/analyze networks
- monitor networks
- generating traffic
- port communications
- monitor service quality
- provide information for SOC analysts on detection of anomalies
Netflow is stateful: it monitors and reports all IP traffic passing over the monitored interface. Monitored information includes:
- source IP
- destination IP
- source port
- destination port
- IP protocol
- interface information
- IP version information
Using Netflow outputs, we can detect the following:
- Abnormal traffic volume increases
- Data Leaks
- Private system access
- New IPs
- Systems accessed for the first time
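As an added example (not part of the original notes), the following Python script runs three of those detections over a handful of constructed NetFlow-style records: IPs never observed during a baseline period, source/destination pairs communicating for the first time, and sources whose daily byte count jumps well above their baseline average (the pattern behind both an abnormal volume increase and a data-leak suspicion). The CSV layout, the spike factor, the day split and all addresses are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (a simplified NetFlow export as CSV). The first two
# days form the baseline; 2021-12-12 is the day under review.
FLOWS_CSV = """day,srcip,dstip,dstport,proto,bytes
2021-12-10,10.0.0.5,10.0.0.20,443,tcp,12000
2021-12-10,10.0.0.6,10.0.0.20,443,tcp,15000
2021-12-11,10.0.0.5,10.0.0.20,443,tcp,11000
2021-12-11,10.0.0.6,10.0.0.21,445,tcp,14000
2021-12-12,10.0.0.5,10.0.0.20,443,tcp,11500
2021-12-12,10.0.0.6,203.0.113.9,443,tcp,900000000
2021-12-12,10.0.0.7,10.0.0.21,445,tcp,5000
"""


def load_flows(text):
    """Parse the CSV export into dicts, converting the byte count to int."""
    rows = csv.DictReader(io.StringIO(text))
    return [dict(row, bytes=int(row["bytes"])) for row in rows]


def netflow_findings(flows, review_day, spike_factor=3.0):
    """Compare one day's flows against all earlier days (the baseline)."""
    baseline = [f for f in flows if f["day"] < review_day]
    review = [f for f in flows if f["day"] == review_day]

    known_ips = {f["srcip"] for f in baseline} | {f["dstip"] for f in baseline}
    known_pairs = {(f["srcip"], f["dstip"]) for f in baseline}
    baseline_days = max(1, len({f["day"] for f in baseline}))

    # Average bytes sent per day by each source during the baseline.
    sent = defaultdict(int)
    for f in baseline:
        sent[f["srcip"]] += f["bytes"]
    avg_per_day = {ip: total / baseline_days for ip, total in sent.items()}

    today = defaultdict(int)
    for f in review:
        today[f["srcip"]] += f["bytes"]

    return {
        # IPs (as source or destination) never observed in the baseline
        "new_ips": sorted({ip for f in review for ip in (f["srcip"], f["dstip"])
                           if ip not in known_ips}),
        # systems talking to each other for the first time
        "first_time_pairs": sorted({(f["srcip"], f["dstip"]) for f in review
                                    if (f["srcip"], f["dstip"]) not in known_pairs}),
        # sources sending more than spike_factor x their baseline daily average
        "volume_spikes": sorted(ip for ip, total in today.items()
                                if ip in avg_per_day and total > spike_factor * avg_per_day[ip]),
    }


if __name__ == "__main__":
    for name, items in netflow_findings(load_flows(FLOWS_CSV), "2021-12-12").items():
        print(f"{name}: {items}")
```

In the sample, 10.0.0.6 sends 900 MB to an external address it has never talked to before, which surfaces in all three lists at once; a single hit in one list is usually only worth a look, while overlap between them is what an analyst would escalate first.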
# Firewall Log Analysis
First, check IP and port information.
Then, check the action taken under 'action'
date= Date
time= Time
devname= Hostname
devid= Device ID
eventtime= event timestamp (epoch time in nanoseconds, e.g. 1653131198230012501)
tz= time zone
logid= Log ID
type= Log Type (traffic, utm, event, etc.)
subtype= Sub Log Type (Forward, vpn, webfilter, virus, ips, system, etc.)
level= log level
srcip= Source IP Address
**srcname**= Source Hostname
**srcport**= Source Port
srcintf= Name of the Source Interface
srcintfrole= Role of the Source Interface
**dstip**= Destination IP Address
**dstport**= Destination Port
dstintf= Name of the Destination Interface
dstintfrole= Role of the Destination Interface
srccountry= Source IP information (Country)
dstcountry= Destination IP information (Country)
**action**= info on the action taken (drop, deny, accept, etc.)
service= service information
transip= NAT IP info (internal output of the private source address)
transport= NAT port info
duration= time elapsed
sentbyte= size of the packets sent (byte)
rcvdbyte= size of the packets received (byte)
sentpkt= number of the packets sent
rcvdpkt= number of the packets received
- **accept:** indicates that the packet passed successfully.
- **deny:** packet transmission is blocked, and the source IP address is informed that it was blocked.
- **drop:** packet transmission is blocked, and no information is returned to the source IP address.
- **close:** indicates that the communication is mutually terminated.
- **client-rst:** indicates that the communication was terminated by the client.
- **server-rst:** indicates that the communication was terminated by the server.
Firewall logs can also provide you with the following information:
- are there accept entries, at other times, for IP addresses that were detected as attacking and denied by the IPS?
- access to/from IPs/domains obtained from antivirus logs
- which systems within the network an infected system is communicating with
- port-scan activities
- communication with IoCs
- lateral or vertical unauthorized access
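As an added example (not code from the notes), the script below parses key=value firewall log lines of the kind listed above and runs three of those checks: port-scan activity (one source touching many ports on one destination), sources that were denied or dropped and later got an accept, and sessions involving an IP on an indicator list. The log lines, the indicator list, the `min_ports` threshold and the action names used are constructed for the example.

```python
import re
from collections import defaultdict

# One key=value pair; values may be double-quoted (FortiGate-style syntax).
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_PAIR.findall(line)}


# Constructed sample log (fields trimmed to those the checks need).
FW_LOG = """\
date=2021-12-12 time=09:00:01 srcip=198.51.100.7 srcport=40001 dstip=10.0.0.20 dstport=22 action="deny"
date=2021-12-12 time=09:00:02 srcip=198.51.100.7 srcport=40002 dstip=10.0.0.20 dstport=23 action="deny"
date=2021-12-12 time=09:00:03 srcip=198.51.100.7 srcport=40003 dstip=10.0.0.20 dstport=80 action="deny"
date=2021-12-12 time=09:00:04 srcip=198.51.100.7 srcport=40004 dstip=10.0.0.20 dstport=3389 action="drop"
date=2021-12-12 time=09:00:05 srcip=198.51.100.7 srcport=40005 dstip=10.0.0.20 dstport=8080 action="deny"
date=2021-12-12 time=10:15:09 srcip=198.51.100.7 srcport=41000 dstip=10.0.0.20 dstport=443 action="accept"
date=2021-12-12 time=10:20:00 srcip=10.0.0.5 srcport=51000 dstip=203.0.113.50 dstport=443 action="accept"
date=2021-12-12 time=10:21:00 srcip=10.0.0.6 srcport=51001 dstip=10.0.0.21 dstport=445 action="accept"
"""

# Constructed threat-intelligence list (placeholder address, not a real indicator).
IOC_IPS = {"203.0.113.50"}


def port_scanners(events, min_ports=5):
    """Sources that touched at least min_ports distinct ports on one destination."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["srcip"], e["dstip"])].add(e["dstport"])
    return sorted({src for (src, _dst), seen in ports.items() if len(seen) >= min_ports})


def denied_then_accepted(events):
    """Sources blocked at some point that later got an accepted session."""
    blocked, later_accept = set(), set()
    for e in sorted(events, key=lambda e: (e["date"], e["time"])):
        if e["action"] in ("deny", "drop"):
            blocked.add(e["srcip"])
        elif e["action"] == "accept" and e["srcip"] in blocked:
            later_accept.add(e["srcip"])
    return sorted(later_accept)


def ioc_hits(events, iocs):
    """Sessions where either endpoint is on the indicator list."""
    return [(e["srcip"], e["dstip"], e["dstport"]) for e in events
            if e["srcip"] in iocs or e["dstip"] in iocs]


if __name__ == "__main__":
    events = [parse_kv(line) for line in FW_LOG.splitlines()]
    print("port scanners:", port_scanners(events))
    print("denied then accepted:", denied_then_accepted(events))
    print("IoC hits:", ioc_hits(events, IOC_IPS))
```

The accept on port 443 from the scanning source is the case the first bullet above describes: the earlier denies show the IP probing, so the later accepted session deserves review even though the firewall itself saw nothing wrong with it.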
# VPN Log Analysis
VPNs generally sit behind an organization's existing firewall, so VPN logs can typically be accessed on the firewall device; dedicated VPN services also provide their own logs.
date= Date
time= Time
devname= Hostname
devid= Device ID
eventtime= event timestamp (epoch time in nanoseconds, e.g. 1653131198230012501)
tz= time zone
logid= Log ID
type= Log Type (traffic, utm, event, etc.)
subtype= Sub Log Type (Forward, vpn, webfilter, virus, ips, system, etc.)
level= log level
logdesc= log description
action= action taken
tunneltype= VPN tunnel type
remip= IP address that established the VPN connection
user= User information
reason= VPN Connection Request Result
msg= Message (Detailed message after the access)
Most important fields to review:
- IP address requesting the connection
- user
- result of the request
Suspicious activities that reviewing VPN logs can reveal:
- successful/unsuccessful access attempts
- brute-force attacks against the VPN
- VPN connections from outside the specified countries
- VPN connections outside the specified time periods
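The checks in that list, as an added example that is not part of the original notes: the script parses key=value VPN events (the `remip`, `user`, `action` and `time` fields above), counts failed logins per remote IP to spot brute forcing, reports any brute-force source that eventually succeeded, and flags successful logins from outside an allowed country list or outside working hours. The action values `login-fail`/`login-success`, the `GEO` lookup table standing in for a GeoIP database, the thresholds and the working-hours window are all assumptions.

```python
import re
from collections import Counter

KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in KV_PAIR.findall(line)}


# Constructed VPN event log. The action values "login-fail"/"login-success"
# are simplified placeholders, not a vendor's real action names.
VPN_LOG = """\
date=2021-12-12 time=03:10:01 subtype="vpn" action="login-fail" remip=198.51.100.7 user="alice" reason="bad password"
date=2021-12-12 time=03:10:09 subtype="vpn" action="login-fail" remip=198.51.100.7 user="alice" reason="bad password"
date=2021-12-12 time=03:10:17 subtype="vpn" action="login-fail" remip=198.51.100.7 user="bob" reason="bad password"
date=2021-12-12 time=03:10:25 subtype="vpn" action="login-fail" remip=198.51.100.7 user="bob" reason="bad password"
date=2021-12-12 time=03:10:33 subtype="vpn" action="login-fail" remip=198.51.100.7 user="carol" reason="bad password"
date=2021-12-12 time=03:11:00 subtype="vpn" action="login-success" remip=198.51.100.7 user="carol" reason="ok"
date=2021-12-12 time=09:30:00 subtype="vpn" action="login-success" remip=203.0.113.20 user="dave" reason="ok"
date=2021-12-12 time=10:05:00 subtype="vpn" action="login-success" remip=192.0.2.33 user="erin" reason="ok"
"""

# Constructed IP-to-country lookup standing in for a GeoIP database.
GEO = {"198.51.100.7": "BR", "203.0.113.20": "US", "192.0.2.33": "DE"}


def brute_force_sources(events, threshold=5):
    """Remote IPs with at least `threshold` failed logins in the log."""
    fails = Counter(e["remip"] for e in events if e["action"] == "login-fail")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def success_after_failures(events, threshold=5):
    """Brute-force sources that eventually logged in, with the account they got."""
    suspects = set(brute_force_sources(events, threshold))
    return [(e["remip"], e["user"]) for e in events
            if e["action"] == "login-success" and e["remip"] in suspects]


def logins_outside_policy(events, geo, allowed_countries,
                          work_start="07:00:00", work_end="19:00:00"):
    """Successful logins from a non-allowed country or outside working hours."""
    findings = []
    for e in events:
        if e["action"] != "login-success":
            continue
        country = geo.get(e["remip"], "??")
        reasons = []
        if country not in allowed_countries:
            reasons.append("country:" + country)
        if not work_start <= e["time"] <= work_end:  # HH:MM:SS compares lexically
            reasons.append("off-hours")
        if reasons:
            findings.append((e["time"], e["remip"], e["user"], reasons))
    return findings


if __name__ == "__main__":
    events = [parse_kv(line) for line in VPN_LOG.splitlines()]
    print("brute force sources:", brute_force_sources(events))
    print("success after failures:", success_after_failures(events))
    print("policy violations:", logins_outside_policy(events, GEO, {"US"}))
```

The 03:11 login for `carol` is the finding to chase first: it follows five failures from the same address, comes from a country not on the allow list, and happens outside working hours, so three of the four checks agree on it.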
# Proxy Log Analysis
Proxies give the organization centralized control over web traffic and raise its security level.
Transparent proxies leave the source IP visible.
Anonymous proxies hide the source IP and present their own address as the source IP instead.
date= date information
time= time information
type= log type
subtype= log sub type (values like forward, vpn, webfilter, virus, ips, system etc.)
eventtype= event type that belongs to the sub type
level= incident severity level
srcip= source IP address
srcport= source port information
srcinfrole= source interface information
dstip= destination IP address
dstport= destination port information
dstinfrole= destination interface information
service= service information
hostname= requested domain
profile= source profile
action= action information
url= URL address requested
sentbyte= size of data sent (bytes)
rcvdbyte= size of data received (bytes)
direction= direction of the traffic
urlsource= URL sources
msg= message information
Proxy logs can help determine the following:
- connections to/from suspicious URLs
- infected system detection
- detection of tunneling activities
# IDS/IPS Log Analysis
date= date information
time= time information
devname= system name
devid= system ID information
tz= timezone
logid= log ID information
type= log type (values like traffic, utm, event, etc.)
subtype= log sub type (values like forward, vpn, webfilter, virus, ips, system etc.)
level= log level
severity= incident severity level
srcip= source IP address
dstip= destination IP address
srccountry= source country
dstcountry= destination country
action= action information
service= service information
attack= attack details
srcport= source port information
dstport= destination port information
direction= direction of packet
attackid= attack ID information
msg= additional message information
Prioritize investigating the following:
- direction of the attack
- severity level
- **inequivalent trigger states**
- is the targeted port/service actually running on the target?
- did the target respond?
- block the attacker / disinfect the target
- was the attack only detected, or also blocked?
  - blocked: lower priority
  - detected and allowed: review the other requests
These can be detected in IDS/IPS logs:
- Port scanning activities
- Vulnerability scans
- Code Injection attacks
- Brute-Force attacks
- Dos/Ddos attacks
- Trojan activities
- Botnet activities
# WAF Log Analysis
Firewalls and IDS/IPS alone are not enough, because they cannot see inside SSL-encrypted traffic; this is what the WAF's SSL offload provides:
- decryption of SSL-encrypted traffic
The WAF first inspects the request and decides whether it will be forwarded to the web server or not.
The WAF then performs SSL offload to examine the HTTPS traffic.
Examples are F5 Big-IP, Citrix, Imperva and Fortinet WAF products, or the cloud solutions from Cloudflare, Akamai and AWS.
date= date information
time= time information
type: log type
main_type: detection type
sub_type: detected activity detail
severity_level: incident severity level
proto: protocol
service: service information
action: action taken
policy: rule name
src: source IP address
src_port: source port address
dst: destination IP address
dst_port: destination port address
http_method: http request method
http_url: URL requested
http_host: host requested
http_agent: user-agent info
msg: message related to the incident
signature_subclass: signature class
srccountry: source IP country
attack_type: attack type
Prioritize:
- IP addresses
- WAF response to request
- application response (if WAF did not block)
Common Application Responses:
- 200 - request reached application successfully and received requested resource
- 301 - redirected
- 403 - request declined
- 404 - content requested not found
- 503 - no response from server/application
Categories:
- Informational responses (100–199)
- Successful responses (200–299)
- Redirection messages (300–399)
- Client error responses (400–499)
- Server error responses (500–599)
WAFs help analyze following detections:
- web vulnerabilities
- common web attacks like SQLi, XSS, Code Injection, Directory Traversal
- suspicious methods like PUT and DELETE
- information on most requested IP
- information on most requested URL
Request methods to pay attention to:
- GET retrieves data from the server
- POST sends data to the server
- DELETE removes a resource from the server
- PUT sends data (creates/updates files)
- OPTIONS tells which methods the server accepts
# Web Log Analysis
```
Source IP: 71.16.45.142
Date: 12/Dec/2021:09:24:42 +0200
Request Method: GET
Requested URL: /?id=SELECT+*+FROM+users
Version Info: HTTP/1.1
Server Response: 200
Data Size: 486
User-Agent Info: curl/7.72.0
```
Request methods are the same as in WAF Log Analysis.
- NOTE: in logs, web servers do not typically write content of data sent to the server by POST or PUT unless configured to do so
**Requested URL**: indicates directory or file on the server to which the request was made. This is where web attacks can be diagnosed
Server response codes are the same as in WAF Log Analysis.
User-Agent information indicates the application used for the request:
- automated web tools (nessus, nmap, nikto)
- web browser (mozilla, chrome)
- **Can be spoofed**
Web logs provide the following:
- requests with attack vectors
- top requested IP information
- most requested URL information
- most received response codes (HTTP)
- suspicious method usage such as PUT or DELETE
URL decoder: http://meyerweb.com/eric/tools/dencoder
Find the most requested IP address (column 3 of http.log holds the source IP; the most frequent address is printed last):
```
awk '{print $3}' http.log | sort | uniq -c | sort -n
```
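An added example covering both this section and the WAF one (it is not code from the original notes): the script parses web-server access-log lines in the common "combined" format, URL-decodes the requested URL (the step the decoder link above is for, so `/?id=SELECT+*+FROM+users` becomes readable SQL), flags requests that carry attack vectors, suspicious PUT/DELETE methods or a scanner User-Agent, buckets the response codes into the five categories listed in the WAF section, and produces the top-IP, top-URL and response-code counts. The log lines (the first reuses the request from the notes), the signature patterns and the scanner list are constructed for the example and are illustrative rather than exhaustive.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log line:
# ip ident user [time] "method url version" status size "referer" "user-agent"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<version>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; the first reuses the request shown in the notes.
ACCESS_LOG = """\
71.16.45.142 - - [12/Dec/2021:09:24:42 +0200] "GET /?id=SELECT+*+FROM+users HTTP/1.1" 200 486 "-" "curl/7.72.0"
71.16.45.142 - - [12/Dec/2021:09:24:43 +0200] "GET /?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "curl/7.72.0"
198.51.100.9 - - [12/Dec/2021:09:25:10 +0200] "GET /images/../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.4 - - [12/Dec/2021:09:26:00 +0200] "PUT /uploads/notes.txt HTTP/1.1" 403 0 "-" "python-requests/2.26.0"
203.0.113.4 - - [12/Dec/2021:09:26:30 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"
"""

# Simple signatures applied to the *decoded* URL (illustrative, not exhaustive).
ATTACK_PATTERNS = {
    "sqli": re.compile(r"\bselect\b.+\bfrom\b|\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1", re.I),
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.I),
}
SUSPICIOUS_METHODS = {"PUT", "DELETE"}
SCANNER_AGENTS = re.compile(r"nessus|nmap|nikto", re.I)  # the tools named in the notes

STATUS_CATEGORIES = [
    (100, 199, "Informational responses"), (200, 299, "Successful responses"),
    (300, 399, "Redirection messages"), (400, 499, "Client error responses"),
    (500, 599, "Server error responses"),
]


def parse_access_line(line):
    """Parse one combined-format line; the URL is kept both raw and decoded."""
    m = ACCESS_LINE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_url"] = unquote_plus(rec["url"])  # '+' and %xx become plain text
    return rec


def status_category(code):
    """Map a response code to the category ranges listed in the WAF section."""
    for low, high, name in STATUS_CATEGORIES:
        if low <= code <= high:
            return name
    return "Unknown"


def classify_request(rec):
    """Return the sorted list of flags raised by one request (empty if clean)."""
    flags = {name for name, pat in ATTACK_PATTERNS.items() if pat.search(rec["decoded_url"])}
    if rec["method"] in SUSPICIOUS_METHODS:
        flags.add("suspicious-method")
    if SCANNER_AGENTS.search(rec["agent"]):
        flags.add("scanner-ua")  # remember that the User-Agent can be spoofed
    return sorted(flags)


def summarize(records):
    """Top IPs, top URLs, response-code distribution and flagged requests."""
    return {
        "top_ips": Counter(r["ip"] for r in records).most_common(),
        "top_urls": Counter(r["decoded_url"] for r in records).most_common(),
        "status_counts": Counter(status_category(r["status"]) for r in records),
        "flagged": [(r["ip"], r["method"], r["decoded_url"], classify_request(r))
                    for r in records if classify_request(r)],
    }


if __name__ == "__main__":
    recs = [parse_access_line(line) for line in ACCESS_LOG.splitlines()]
    for key, value in summarize(recs).items():
        print(key, value)
```

Decoding before matching matters: the second sample line carries the same kind of injection as the first, but percent-encoded, and a signature applied to the raw URL would miss it. Pairing the flags with the status code tells the analyst whether the request reached the application (200 on the injection lines) or was stopped (403 on the PUT).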
# DNS Log Analysis
DNS is used for domain-to-IP resolution.
Prioritize:
- has a system made requests for domains in categories it should not access?
- requests for risky categories
- were known services accessed during a data leak or other compromise?
- which systems make requests to domains obtained from threat intelligence sources
- detect DNS over TLS or DNS over HTTPS
DNS servers do not keep query logs by default.
Queries generated directly can be difficult to analyze.
Applications that provide DNS services, such as Microsoft DNS, BIND and Dnsmasq, record DNS queries when configured to do so.
IoCs (Indicators of Compromise) are evidence left before, during and after an incident; they are revealed during the analysis and investigation of a cyber security incident.
BIND query logs can be accessed via /var/log/querylog in default configurations; each entry contains:
- Date-Time
- Querying IP, Port
- Query type
- Domain Requested
Look for:
- domains visited for the first time
- domains or subdomains over a certain character size
- domains returning NXDOMAIN
- domain IoC checks
- detection of DNS over TLS or DNS over HTTPS
  - port 853
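As an added example (not from the original notes), the script below parses BIND query-log entries of the kind just described (date-time, querying IP and port, query type, domain) and applies three of the checks above: registered domains seen for the first time against a known-domain baseline, names whose labels or total length exceed a size threshold (a common sign of DNS tunnelling or encoded data), and the number of distinct names queried under each registered domain. The log lines, the baseline set and the thresholds are constructed; the registered-domain helper simply takes the last two labels, which is an assumption that a real deployment would replace with a public-suffix lookup. The query log records requests only, so NXDOMAIN detection needs response logging and is not shown here.

```python
import re
from collections import defaultdict

# One BIND query-log entry. The "@0x..." client handle that newer BIND
# versions print is accepted but optional; the sample lines below omit it.
QUERY_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<client>[^#\s]+)#(?P<port>\d+) '
    r'\((?P<name>[^)]+)\): query: (?P<qname>\S+) IN (?P<qtype>\S+)'
)

# Constructed log lines (all names use reserved example domains).
BIND_QUERYLOG = """\
12-Dec-2021 09:24:42.123 client 10.0.0.5#53211 (www.example.com): query: www.example.com IN A + (10.0.0.1)
12-Dec-2021 09:24:43.010 client 10.0.0.5#53212 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
12-Dec-2021 09:25:01.555 client 10.0.0.7#40001 (a3f9c0d1e2b47c6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b.t.example.net): query: a3f9c0d1e2b47c6d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b.t.example.net IN TXT + (10.0.0.1)
12-Dec-2021 09:25:02.600 client 10.0.0.7#40002 (9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f.t.example.net): query: 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f.t.example.net IN TXT + (10.0.0.1)
12-Dec-2021 09:26:00.000 client 10.0.0.6#50000 (updates.example.org): query: updates.example.org IN A + (10.0.0.1)
"""


def parse_bind_query(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = QUERY_LINE.match(line)
    return m.groupdict() if m else None


def registered_domain(qname):
    """Naive registrable domain: the last two labels (assumption; no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def first_seen_domains(queries, known_domains):
    """Registered domains queried now that are absent from the baseline set."""
    return sorted({registered_domain(q["qname"]) for q in queries} - set(known_domains))


def long_name_queries(queries, max_label_len=30, max_name_len=60):
    """Queries whose longest label or whole name exceeds the size thresholds."""
    hits = []
    for q in queries:
        longest_label = max(len(label) for label in q["qname"].split("."))
        if longest_label > max_label_len or len(q["qname"]) > max_name_len:
            hits.append((q["client"], q["qname"]))
    return hits


def subdomain_fanout(queries):
    """Number of distinct names queried under each registered domain."""
    names = defaultdict(set)
    for q in queries:
        names[registered_domain(q["qname"])].add(q["qname"])
    return {domain: len(seen) for domain, seen in names.items()}


if __name__ == "__main__":
    queries = [q for q in map(parse_bind_query, BIND_QUERYLOG.splitlines()) if q]
    print("first seen:", first_seen_domains(queries, {"example.com"}))
    print("long names:", long_name_queries(queries))
    print("fan-out:", subdomain_fanout(queries))
```

With a real day of logs, the fan-out count is the more useful of the two tunnelling indicators: a single long TXT query can be legitimate, while hundreds of never-repeated subdomains under one parent from one client rarely are.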