General Approach
通用方法
1. Identify which log sources and automated tools you can use during the analysis.
确认哪些日志源和自动化工具在分析过程中可以使用。
2. Copy log records to a single location where you will be able to review them.
将日志记录拷贝到你可以进行复查的地方。
3. Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
在确认日志不处于严重级别之后,通过移除常规、重复的日志记录来降噪。
4. Determine whether you can rely on logs' time stamps; consider time zone differences.
考虑到时区的不同,决定是否信赖日志的时间戳。
5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
关注你环境中最近的变更、失败、错误、状态变化、访问和管理事件,以及其他的异常事件。
6. Go backwards in time from now to reconstruct actions after and before the incident.
从现在开始回溯来重现事件发生前后的动作。
7. Correlate activities across different logs to get a comprehensive picture.
通过不同的日志来关联动作从而得到一幅综合的画面。
8. Develop theories about what occurred; explore logs to confirm or disprove them.
根据理论知识来判断发生了什么,并通过研究日志来确认或否定它们。
Potential Security Log Sources
可能的安全日志源
Server and workstation operating system logs
服务器或工作站操作系统日志
Application logs (e.g., web server, database server)
应用日志(如WEB服务器、数据库服务器)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
安全工具日志(如反病毒、变更探测、IDS/IPS等)
Outbound proxy logs and end-user application logs
边界代理日志和终端应用日志
Remember to consider other, non-log sources for security events.
记住考虑其他,与安全事件有关的非日志源
Typical Log Locations
典型日志位置
Linux OS and core applications: /var/log
Linux操作系统和关键应用:/var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Windows操作系统和关键应用:Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats
网络设备:通常通过syslog方式记录:某些使用私有位置和格式。
What to Look for on Linux
Linux下查看什么
Successful user login
用户登陆成功 “Accepted password”,
“Accepted publickey”,
"session opened”
Failed user login
用户登录失败 “authentication failure”,
“failed password”
User log-off(用户登出) “session closed”
User account change or deletion
用户账户变更或删除 “password changed”,
“new user”,
“delete user”
Sudo actions
SUDO动作 “sudo: … COMMAND=…”
“FAILED su”
Service failure(服务失败) “failed” or “failure”
What to Look for on Windows
Windows下查看什么
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID.
Windows 2000/XP/2003的事件ID如下所示, Vista/7 /2008的事件ID需要加上4096.
Most of the events below are in the Security log; many are only logged on the domain controller.
以下是安全日志中的绝大部分事件,部分仅仅是域控制器的记录。
User logon/logoff events
用户登入/登出事件 Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes
用户账户变更 Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes
密码变更 To self: 628; to others: 627
Service started or stopped
服务启动或停止 7035, 7036, etc.
Object access denied (if auditing enabled)
访问对象拒绝 560, 567, etc
What to Look for on Network Devices
网络设备下查看什么
Look at both inbound and outbound activities.
寻找同时包含进站和出站的活动
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.(以思科设备为例)
Traffic allowed on firewall
FW允许通过 “Built … connection”,
“access-list … permitted”
Traffic blocked on firewall
FW拒绝通过 “access-list … denied”,
“deny inbound”,
“Deny … by”
Bytes transferred (large files?)
字节转移 “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage
带宽和协议使用 “limit … exceeded”,
“CPU utilization”
Detected attack activity
监测到攻击活动 “attack from”
User account changes
用户账户变更 “user added”,
“user deleted”,
“User priv level changed”
Administrator access
管理员访问 “AAA user …”,
“User … locked out”,
“login failed”
What to Look for on Web Servers
WEB服务器下查看什么
Excessive access attempts to non-existent files
频繁尝试访问不存在的文件
Code (SQL, HTML) seen as part of the URL
URL里边存在(SQL/HTML)代码
Access to extensions you have not implemented
访问你没有使之生效的扩展服务
Web service stopped/started/failed messages
WEB服务停止/启动/出错的消息
Access to “risky” pages that accept user input
访问到允许用户输入的威胁页面
Look at logs on all servers in the load balancer pool
查看负载均衡集群中的所有机器的日志
Error code 200 on files that are not yours
文件中存在不属于自己的错误代码200
Failed user authentication
失败用户认证 Error code 401, 403
Invalid request
非法请求 Error code 400
Internal server error
内部服务器错误 Error code 500
通用方法
1. Identify which log sources and automated tools you can use during the analysis.
确认哪些日志源和自动化工具在分析过程中可以使用。
2. Copy log records to a single location where you will be able to review them.
将日志记录拷贝到你可以进行复查的地方。
3. Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
在确认日志不处于严重级别之后,通过移除常规、重复的日志记录来降噪。
4. Determine whether you can rely on logs' time stamps; consider time zone differences.
考虑到时区的不同,决定是否信赖日志的时间戳。
5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
关注你环境中最近的变更、失败、错误、状态变化、访问和管理事件,以及其他的异常事件。
6. Go backwards in time from now to reconstruct actions after and before the incident.
从现在开始回溯来重现事件发生前后的动作。
7. Correlate activities across different logs to get a comprehensive picture.
通过不同的日志来关联动作从而得到一幅综合的画面。
8. Develop theories about what occurred; explore logs to confirm or disprove them.
根据理论知识来判断发生了什么,并通过研究日志来确认或否定它们。
Potential Security Log Sources
可能的安全日志源
Server and workstation operating system logs
服务器或工作站操作系统日志
Application logs (e.g., web server, database server)
应用日志(如WEB服务器、数据库服务器)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
安全工具日志(如反病毒、变更探测、IDS/IPS等)
Outbound proxy logs and end-user application logs
边界代理日志和终端应用日志
Remember to consider other, non-log sources for security events.
记住考虑其他,与安全事件有关的非日志源
Typical Log Locations
典型日志位置
Linux OS and core applications: /var/log
Linux操作系统和关键应用:/var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Windows操作系统和关键应用:Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats
网络设备:通常通过syslog方式记录:某些使用私有位置和格式。
What to Look for on Linux
Linux下查看什么
Successful user login
用户登陆成功 “Accepted password”,
“Accepted publickey”,
"session opened”
Failed user login
用户登录失败 “authentication failure”,
“failed password”
User log-off(用户登出) “session closed”
User account change or deletion
用户账户变更或删除 “password changed”,
“new user”,
“delete user”
Sudo actions
SUDO动作 “sudo: … COMMAND=…”
“FAILED su”
Service failure(服务失败) “failed” or “failure”
What to Look for on Windows
Windows下查看什么
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID.
Windows 2000/XP/2003的事件ID如下所示, Vista/7 /2008的事件ID需要加上4096.
Most of the events below are in the Security log; many are only logged on the domain controller.
以下是安全日志中的绝大部分事件,部分仅仅是域控制器的记录。
User logon/logoff events
用户登入/登出事件 Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes
用户账户变更 Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes
密码变更 To self: 628; to others: 627
Service started or stopped
服务启动或停止 7035, 7036, etc.
Object access denied (if auditing enabled)
访问对象拒绝 560, 567, etc
What to Look for on Network Devices
网络设备下查看什么
Look at both inbound and outbound activities.
寻找同时包含进站和出站的活动
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.(以思科设备为例)
Traffic allowed on firewall
FW允许通过 “Built … connection”,
“access-list … permitted”
Traffic blocked on firewall
FW拒绝通过 “access-list … denied”,
“deny inbound”,
“Deny … by”
Bytes transferred (large files?)
字节转移 “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage
带宽和协议使用 “limit … exceeded”,
“CPU utilization”
Detected attack activity
监测到攻击活动 “attack from”
User account changes
用户账户变更 “user added”,
“user deleted”,
“User priv level changed”
Administrator access
管理员访问 “AAA user …”,
“User … locked out”,
“login failed”
What to Look for on Web Servers
WEB服务器下查看什么
Excessive access attempts to non-existent files
频繁尝试访问不存在的文件
Code (SQL, HTML) seen as part of the URL
URL里边存在(SQL/HTML)代码
Access to extensions you have not implemented
访问你没有使之生效的扩展服务
Web service stopped/started/failed messages
WEB服务停止/启动/出错的消息
Access to “risky” pages that accept user input
访问到允许用户输入的威胁页面
Look at logs on all servers in the load balancer pool
查看负载均衡集群中的所有机器的日志
Error code 200 on files that are not yours
文件中存在不属于自己的错误代码200
Failed user authentication
失败用户认证 Error code 401, 403
Invalid request
非法请求 Error code 400
Internal server error
内部服务器错误 Error code 500
这个是安全事件关键日志复查核查表,有兴趣的可以看一下。
通用方法
1. 确认哪些日志源和自动化工具在分析过程中可以使用。
2. 将日志记录拷贝到你可以进行复查的地方。
3. 在确认日志不处于严重级别之后,通过移除常规、重复的日志记录来降噪。
4. 考虑到时区的不同,决定是否信赖日志的时间戳。
5. 关注你环境中最近的变更、失败、错误、状态变化、访问和管理事件,以及其他的异常事件。
6. 从现在开始回溯来重现事件发生前后的动作。
7. 通过不同的日志来关联动作从而得到一幅综合的画面。
8. 根据理论知识来判断发生了什么,并通过研究日志来确认或否定它们。
可能的安全日志源
服务器或工作站操作系统日志
应用日志(如WEB服务器、数据库服务器)
安全工具日志(如反病毒、变更探测、IDS/IPS等)
边界代理日志和终端应用日志
记住考虑其他,与安全事件有关的非日志源
典型日志位置
Linux操作系统和关键应用:/var/log
Windows操作系统和关键应用:Windows Event Log (Security, System, Application)
网络设备:通常通过syslog方式记录:某些使用私有位置和格式。
Linux下查看什么
Successful user login
用户登陆成功 “Accepted password”,
“Accepted publickey”,
"session opened”
Failed user login
用户登录失败 “authentication failure”,
“failed password”
User log-off(用户登出) “session closed”
User account change or deletion
用户账户变更或删除 “password changed”,
“new user”,
“delete user”
Sudo actions
SUDO动作 “sudo: … COMMAND=…”
“FAILED su”
Service failure(服务失败) “failed” or “failure”
Windows下查看什么
Windows 2000/XP/2003的事件ID如下所示, Vista/7 /2008的事件ID需要加上4096.
以下是安全日志中的绝大部分事件,部分仅仅是域控制器的记录。
User logon/logoff events
用户登入/登出事件 Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes
用户账户变更 Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes
密码变更 To self: 628; to others: 627
Service started or stopped
服务启动或停止 7035, 7036, etc.
Object access denied (if auditing enabled)
访问对象拒绝 560, 567, etc
网络设备下查看什么
寻找同时包含进站和出站的活动
以思科设备为例
Traffic allowed on firewall
FW允许通过 “Built … connection”,
“access-list … permitted”
Traffic blocked on firewall
FW拒绝通过 “access-list … denied”,
“deny inbound”,
“Deny … by”
Bytes transferred (large files?)
字节转移 “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage
带宽和协议使用 “limit … exceeded”,
“CPU utilization”
Detected attack activity
监测到攻击活动 “attack from”
User account changes
用户账户变更 “user added”,
“user deleted”,
“User priv level changed”
Administrator access
管理员访问 “AAA user …”,
“User … locked out”,
“login failed”
WEB服务器下查看什么
频繁尝试访问不存在的文件
URL里边存在(SQL/HTML)代码
访问你没有使之生效的扩展服务
WEB服务停止/启动/出错的消息
访问到允许用户输入的威胁页面
查看负载均衡集群中的所有机器的日志
文件中存在不属于自己的错误代码200
失败用户认证 Error code 401, 403
非法请求 Error code 400
内部服务器错误 Error code 500
通用方法
1. 确认哪些日志源和自动化工具在分析过程中可以使用。
2. 将日志记录拷贝到你可以进行复查的地方。
3. 在确认日志不处于严重级别之后,通过移除常规、重复的日志记录来降噪。
4. 考虑到时区的不同,决定是否信赖日志的时间戳。
5. 关注你环境中最近的变更、失败、错误、状态变化、访问和管理事件,以及其他的异常事件。
6. 从现在开始回溯来重现事件发生前后的动作。
7. 通过不同的日志来关联动作从而得到一幅综合的画面。
8. 根据理论知识来判断发生了什么,并通过研究日志来确认或否定它们。
可能的安全日志源
服务器或工作站操作系统日志
应用日志(如WEB服务器、数据库服务器)
安全工具日志(如反病毒、变更探测、IDS/IPS等)
边界代理日志和终端应用日志
记住考虑其他,与安全事件有关的非日志源
典型日志位置
Linux操作系统和关键应用:/var/log
Windows操作系统和关键应用:Windows Event Log (Security, System, Application)
网络设备:通常通过syslog方式记录:某些使用私有位置和格式。
Linux下查看什么
Successful user login
用户登陆成功 “Accepted password”,
“Accepted publickey”,
"session opened”
Failed user login
用户登录失败 “authentication failure”,
“failed password”
User log-off(用户登出) “session closed”
User account change or deletion
用户账户变更或删除 “password changed”,
“new user”,
“delete user”
Sudo actions
SUDO动作 “sudo: … COMMAND=…”
“FAILED su”
Service failure(服务失败) “failed” or “failure”
Windows下查看什么
Windows 2000/XP/2003的事件ID如下所示, Vista/7 /2008的事件ID需要加上4096.
以下是安全日志中的绝大部分事件,部分仅仅是域控制器的记录。
User logon/logoff events
用户登入/登出事件 Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc
User account changes
用户账户变更 Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes
密码变更 To self: 628; to others: 627
Service started or stopped
服务启动或停止 7035, 7036, etc.
Object access denied (if auditing enabled)
访问对象拒绝 560, 567, etc
网络设备下查看什么
寻找同时包含进站和出站的活动
以思科设备为例
Traffic allowed on firewall
FW允许通过 “Built … connection”,
“access-list … permitted”
Traffic blocked on firewall
FW拒绝通过 “access-list … denied”,
“deny inbound”,
“Deny … by”
Bytes transferred (large files?)
字节转移 “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage
带宽和协议使用 “limit … exceeded”,
“CPU utilization”
Detected attack activity
监测到攻击活动 “attack from”
User account changes
用户账户变更 “user added”,
“user deleted”,
“User priv level changed”
Administrator access
管理员访问 “AAA user …”,
“User … locked out”,
“login failed”
WEB服务器下查看什么
频繁尝试访问不存在的文件
URL里边存在(SQL/HTML)代码
访问你没有使之生效的扩展服务
WEB服务停止/启动/出错的消息
访问到允许用户输入的威胁页面
查看负载均衡集群中的所有机器的日志
文件中存在不属于自己的错误代码200
失败用户认证 Error code 401, 403
非法请求 Error code 400
内部服务器错误 Error code 500
