Double-Check with Routers
by Eric Cole
Issue: Mar 2005
BITS & BOLTS
Conventional routers are the perfect network security auditing device. Take advantage of what they see.

Scripts: Simple Log Parsing
The following is a simple script you can use to parse router logs. The initial instructions copy the logs to a new location, so the originals remain intact for auditing purposes. The grep commands that follow look for potentially threatening traffic (e.g., an abnormally high number of TCP resets or attackers using ICMP) and stash them in a separate file for further analysis.
#!/bin/sh
# Work on a copy so the original log stays intact for auditing.
mkdir -p /root/logcheck
cp /var/log/messages.1 /root/logcheck/full_router.log
cd /root/logcheck || exit 1
# Port patterns escape the dot: an unescaped '.' matches any character, so '.22[: ]'
# would also match an address ending in "122:"; '\.22[: ]' matches only ".22:" or ".22 ".
grep ' R ' full_router.log > resets.txt                     # TCP resets
grep udp full_router.log | grep '\.53[: ]' > dns_udp.txt    # DNS over UDP
grep tcp full_router.log | grep '\.53[: ]' > dns_tcp.txt    # DNS over TCP
grep '\.25: ' full_router.log | grep ' S ' > smtp.txt       # SMTP connection attempts (SYN)
grep '\.22[: ]' full_router.log > internal_ssh.txt          # SSH
grep '\.123: ' full_router.log > ntp.txt                    # NTP
grep '\.3307[: ]' full_router.log > op-session-proxy.txt    # port 3307 (session proxy)
grep unreachable full_router.log > icmp-unreachables.txt    # ICMP unreachables

Routers see everything that crosses your network. They direct the flow from LAN to LAN, and--with their access control lists (ACLs)--can regulate access to network segments. But you're not getting the most out of your routers unless you're using them to help audit your security devices.

Router logs are a treasure trove of security intelligence that, with proper analysis, can help you be proactive and correct firewall configuration errors, tune IDSes and measure your network's security posture. The concept is simple: Compare what arrives at your enterprise's front door with what actually gets through.

Routers can locally store logs, but they have storage limits. The first step is to create a syslog server to collect external and internal router logs; the server can also consolidate logs from multiple routers for efficient reviews. From there, you can audit just about any device that generates logs, but we'll focus on firewalls and IDSes. First, though, let's see how you can use scripts to cut the job down to size.

Follow the Script
Dumping router logs into a readable text file is easy. Pulling logs from every border and internal router, then parsing them for meaningful, actionable intelligence isn't as simple.

Scripts can automate the retrieval of router logs and parse them on a regular schedule. These scripts should reflect your security policies--basically what kinds of traffic shouldn't be allowed. Key types of external traffic to look for are RPC and SNMP queries and NetBIOS scans, none of which should legitimately be coming into your network. In the case of NetBIOS, closing TCP/UDP ports 135-139 and 445 can head off a potential attack foreshadowed by a light probing.

The testing scripts can be written in any language and created at the same time as rule sets. However, scripts written in Perl using the simple grep command are quickly modifiable and easy to use. Grep is a powerful complement to a scripting language because it lets you quickly isolate important traffic. It would be almost impossible, for example, to see a DNS attack through 20,000 log entries; however, by parsing the data to show only the 30 lines associated with DNS, the attack becomes much easier to spot. (See "Simple Log Parsing".)
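As an added example (not the article's own script, which is the grep-based sidebar above), the following Python code applies the policy-driven filtering just described to constructed Cisco IOS-style ACL log lines, then implements the article's central check: comparing what the router saw at the front door with what the firewall behind it accepted. The log line formats, host names and addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Router ACL log lines in Cisco IOS %SEC-6-IPACCESSLOGP style (constructed sample data, not from the article).
ROUTER_LOG = """\
Mar  1 10:00:01 border1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40123) -> 192.0.2.10(445), 1 packet
Mar  1 10:00:02 border1 %SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.7(40124) -> 192.0.2.10(137), 3 packets
Mar  1 10:00:03 border1 %SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.4(5060) -> 192.0.2.20(161), 1 packet
Mar  1 10:00:04 border1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.9(51000) -> 192.0.2.25(25), 1 packet
Mar  1 10:00:05 border1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40125) -> 192.0.2.11(135), 1 packet
"""

# What the firewall behind the router logged as accepted (constructed; the line format is an assumption).
FIREWALL_LOG = """\
Mar  1 10:00:01 fw1 ACCEPT tcp 203.0.113.7:40123 -> 192.0.2.10:445
Mar  1 10:00:04 fw1 ACCEPT tcp 198.51.100.9:51000 -> 192.0.2.25:25
"""

# Policy from the article: RPC, NetBIOS/SMB and SNMP should never arrive from outside.
FORBIDDEN = {
    "tcp": {111, 135, 136, 137, 138, 139, 445},
    "udp": {111, 135, 136, 137, 138, 139, 445, 161, 162},
}
ROUTER_RE = re.compile(r"list \S+ \w+ (?P<proto>tcp|udp) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
FW_RE = re.compile(r"ACCEPT (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_router(text):
    """Yield (proto, src, dst, dport) for each ACL log line the router emitted."""
    for line in text.splitlines():
        m = ROUTER_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def policy_violations(text):
    """Count forbidden inbound flows seen at the router, keyed by (src, proto, dport)."""
    hits = Counter()
    for proto, src, dst, dport in parse_router(text):
        if dport in FORBIDDEN[proto]:
            hits[(src, proto, dport)] += 1
    return hits

def leaked_through_firewall(router_text, fw_text):
    """Forbidden flows that arrived at the router AND were accepted by the firewall: rule gaps to fix."""
    arrived = {f for f in parse_router(router_text) if f[3] in FORBIDDEN[f[0]]}
    passed = set()
    for line in fw_text.splitlines():
        m = FW_RE.search(line)
        if m:
            passed.add((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return sorted(arrived & passed)
```

Running `leaked_through_firewall(ROUTER_LOG, FIREWALL_LOG)` on the sample data reports the SMB flow to port 445 that the firewall let through, which is exactly the kind of firewall configuration error the article says router logs expose.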