High Log Volume – What to Filter and What to Keep?

What and How much to Collect concentrated on giving a starting point for log collection and usage. Here, I am going to talk about Log Filtering for Security Investigations and Analysis purpose. If you are collecting logs from a troubleshooting perspective, you can collect without filtering, but for Security analysis, we would need less of haystack so that we can have a better chance of finding the needle.
In organizations, where several thousands of devices are sending Syslog, managing them is really a nightmare. In such scenarios, more focus is required on Log filtering. Log Filtering for Security Infrastructure use is one of the most ignored aspects of Log Management but it is the most important aspect for a cleaner and efficient log management and Security Event Analysis.

Log Filtering can be done at the Source or at the Syslog Server Location.

  1. Filtering at Source is the best approach when it comes to Log Filtering. This provides for better control of your infrastructure as you know what is being logged and what is not. Indirectly, it also aids in less utilization of System Resources. But the downside is, this is the most difficult to implement. Network devices have very little capability of Source filtering. Firewalls have a lot of options when it comes to Logging, but Routers and Switches offer very less. UNIX offers basic filtering natively and with third party tools like rsyslog, syslog-ng offer granular filtering capabilities. As all would know, there is no native Syslog capability in Windows and it would typically need a third party client to fill in for this lack of capability. This works in favor of filtering because; generally Third Party tools give filtering options.
  2. Filtering at Destination is the most practical and easiest to implement when it comes to Log Filtering. Here, Log Management Solutions or SIEM Tools take care of filtering what is needed and what is not. However, your Source Devices will be generating tons of logs and will be using System resources as well as Bandwidth.

Based on your organizations Architecture, it will help to decide on what is easier to implement and manage. Both have their pros and cons and its up to the Security Teams to decide. Once the filtering approach is decided, it is time to move on to the “Filtering” itself. This is the hard part. Before you start filtering, start understanding the device families present in the Environment. Every Vendor logs events differently and every event log means differently as well. So, care should be taken that we don’t end up filtering logs for one version and in reality we have another.

Example Log Filtering for Cisco ASA:
Let’s take an example of a Cisco ASA Firewall. The Cisco Adaptive Security Appliance (CISCO ASA in short) Operating System generates several logs. Out of the several thousands of messages, the most important events from a Security perspective are the following events given in the table. These events are built in protection defaults for Cisco ASA appliances. Apart from the following events, we can pick and choose Traffic Based events for analysis purpose. If interested to receive the full list, please comment below and I will put up that list too.

%PIX|ASA-2-106016 Deny IP spoof from (IP_address) to IP_address on interface interface_name. – Spoofing Detection
%PIX|ASA-2-106017 Deny IP due to Land Attack from IP_address to IP_address – Spoofing Detection
%PIX|ASA-2-106020 Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address – Teardrop Attack
%PIX|ASA-1-106021 Deny protocol reverse path check from source_address to dest_address on interface interface_name – Protocol Reverse Attack
%PIX|ASA-1-106022 Deny protocol connection spoof from source_address to dest_address on interface interface_name – Spoofing Detection
%PIX|ASA-3-109010 Auth from inside_address/inside_port to outside_address/outside_port failed (too many pending auths) on interface interface_name. (floodguard enable)
%PIX|ASA-4-109017 User at IP_address exceeded auth proxy connection limit (max) – DOS Attack Possible
%PIX|ASA-4-109022 exceeded HTTPS proxy process limit  – DOS Attack Possible
%PIX|ASA-5-111001 Begin configuration: IP_address writing to device – Privilege Use
%PIX|ASA-5-111003 IP_address Erase configuration – Privilege Use
%PIX|ASA-6-113006 User user locked out on exceeding number successive failed authentication attempts – Brute Force
%PIX|ASA-3-201002 Too many TCP connections on {static|xlate} global_address! econns nconns – DOS Attack Possible Behavior
%PIX|ASA-3-201004 Too many UDP connections on {static|xlate} global_address! udp connections limit – DOS Attack Possible Behavior
%PIX|ASA-4-209003 Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = number  – DOS Attack Possible Behavior
%PIX|ASA-4-209004 Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = number – Possible Intrusion Event
%PIX|ASA-4-209005 Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set  – Possible Intrusion Event
%PIX|ASA-3-210011 Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name  – DOS Attack Possible Behavior
%PIX|ASA-4-405001 Received ARP {request | response} collision from IP_address/MAC_address on interface interface_name to IP_address/MAC_address on interface interface_name – ARP Poisoning
%PIX|ASA-4-405002 Received mac mismatch collision from IP_address/MAC_address for authenticated host – ARP Spoofing
%PIX|ASA-2-410002 Dropped num DNS responses with mis-matched id in the past sec second(s): from src_ifc:sip/sport to dest_ifc:dip/dport – Possible DNS Attack Detected
%PIX|ASA-4-412002 Detected bridge table full while inserting MAC MAC_address on interface interface. Number of entries = num – Possible L2 Attack Detected
%ASA-4-424001 Packet denied protocol_string intf_in:src_ip/src_port intf_out:dst_ip/dst_port. [Ingress|Egress] interface is in a backup state – Possible Intrusion
%ASA-4-424002 Connection to the backup interface is denied: protocol_string intf:src_ip/src_port intf:dst_ip/dst_port – Possible Intrusion
%PIX|ASA-6-605004 Login denied from source-address/source-port to interface:destination/service for user “username” – Possible Intrusion
%PIX|ASA-5-304001 [email protected]_address Accessed {JAVA URL|URL} dest_address: url

If you carefully note the structure of the Event message itself you will notice that almost all of the Syslog Messages I have chosen have facilities that range from 1 to 5. These Event IDs can be used for analysis of different scenarios. Here, I have listed down some pointers on how to select these Events of Interest. Some approaches that we can use are:

  1. Focus on the Utility of an Event rather than the data it generates. The description of an Event ID will be misleading many a times, and hence looking at the Generated Data from the Event is important.
  2. Focus on what events will help you track back the actual Attacker/User/Service responsible for triggering the Event in the first place. This event independently or in tandem with another should be able to help you
  3. Look for what Event Collection is more suited to your environment in terms of Security Monitoring. For Example, if you have an Internet Firewall, Spoofing events don’t make sense to collect, whereas internal firewalls would need spoofing events.
  4. Look for Optimal Event ID Selection for auditing so that you get the right amount of data with One Event ID rather than many. This may be difficult in some cases with some devices, but still where ever possible this should be employed.
  5. Finally, see if your SIEM tools can parse these event properly for you to analyze

Now let us look at Juniper NetScreen Firewall Events using the same approach as we used for Cisco ASA.

Critical (00031) Message 〈string〉 detected an IP conflict (IP 〈IP address〉, MAC %m) on interface 〈string〉
Notification (00031)Message ARP detected IP conflict: IP address 〈ip〉 changed from interface 〈if_old〉 to interface 〈if_new〉
Notification (00051) Message Static ARP entry added to interface 〈string〉 with IP 〈IP address〉 and MAC %m
Notification (00052)Message Static ARP entry deleted from interface 〈string〉 with IP address 〈IPaddress〉 and MAC address %m
Emergency Message Ping of Death! From 〈src_ip〉 to 〈dst_ip〉, proto 1 (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Emergency Message SYN flood! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto TCP (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Emergency Message Teardrop attack! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto { TCP | UDP | 〈number1〉 } (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number2〉 times.
Alert Message Address sweep! From 〈src_ip〉 to 〈dst_ip〉, proto 1 (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Alert Message ICMP flood! From 〈src_ip〉 to 〈dst_ip〉, proto 1 (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Alert Message IP spoofing! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto {TCP | UDP | 〈number1〉 } (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Alert Message Land attack! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto TCP (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Alert Message Port scan! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto { TCP| UDP | 〈number1〉 } (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number2〉 times.
Alert Message Source Route IP option! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto { TCP | UDP | 〈number1〉 } (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number2〉 times.
Alert Message UDP flood! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto UDP (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Alert Message WinNuke attack! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:139, proto TCP (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Critical Message – Bad IP option! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto{ TCP | UDP | 〈number1〉 } (zone 〈zone_name〉, int 〈interface_name〉).Occurred 〈number2〉 times.
Critical Message EXE file blocked! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto { TCP | UDP | 〈number1〉 } (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number2〉 times.
Critical Message FIN but no ACK bit! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉, proto TCP (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.
Critical Message SYN and FIN bits! From 〈src_ip〉:〈src_port〉 to 〈dst_ip〉:〈dst_port〉,proto TCP (zone 〈zone_name〉, int 〈interface_name〉). Occurred 〈number〉 times.

If you see in the case of Juniper, Alert and Critical messages are sent to Syslog and these events are not always identifiable using Event IDs. From a Syslog facility all these would be still at Level 5. These events are also default Security Messages generated from Juniper. In addition to these messages, we would be collecting the Traffic Logs (Event ID 000257) from Juniper that helps in Security analysis for correlation.

This same approach can be used for Windows, Unix, Security Application Devices etc. For  more details of specific Device type filtering, please request in the comment section and I will post the filtering for the same.

If you effectively identify the Events of Interest for various devices and filter out the chaff, you would be able to harness the power of Syslog for your Security Investigation purposes. SIEM is getting bigger by the day in terms of data usage. The world is moving towards big data collection. But the key thing to note is, in spite of data growth, the quality of SIEM tools in log analysis has not been going North. Quality does not essentially come with Quantity. Filtering will always be needed no matter how much logs we collect.

Remember “Logs don’t lie”

Episode 2 – Security Investigation Series – Reverse Protocol Attack

Preface: The image in the blog is a capture from the Cisco Firewall Syslog Message guide explaining an Event regarding a Reverse Protocol Attack. Cisco tells you that the packet is dropped and that the firewall defended you from a Spoofing attack. Such events are dicey in nature because you don’t know what to do, how to react and how to respond to these events in Security Operations.As with every Investigation, everything begins with a “Tip”The Tip:

  • The Event itself – In this case Cisco PIX/ASA Firewall message
  • The IP source from which the packet originated
  • The timestamp at which the event occurred
  • The Firewall from which the alert originated

Investigation Methodology:

We need to identify “who” is the person performing this attack. Since this is a firewall, all we can get is a IP address from where this originated. But from an investigation perspective, we need to identify the “real machine”doing this. If it is an internal segment or VLAN in the enterprise network we can do a few things like below:

  • Tracing the MAC address from which the IP originated. For this we would typically need Switch Logs and/or DHCP logs.
  • Identify the IP and MAC pairings logs during the said time period. Watch out for MAC address Spoofing scenarios as well.
  • Based on these two data sources we will be able to identify the physical machines which are possible candidates for this attack
  • In MAC Spoofing scenarios, looking at the physical machine will help. There is a Microsoft API that helps you gather this real MAC information. I have seen some tools that provide this information as well.
In case of Internet facing Firewall, this spoofing detection is going to be a tough ask. We may not have a capability to identify the source performing the spoof. So if the Internet Firewall throws this alert, its safe to ignore as Cisco recommends, whereas if the Internal Firewall throws this alert, it needs to be investigated to identify insider attack scenarios involving spoofing.
Detection of this event is the simplest in SIEM terms. The event ID is unique for Cisco devices and hence they can be triggered directly. These alerts can be filtered for internal firewalls only unless and until the Internet firewall is overwhelmed with these alerts. In case of enormous amount of alerts from Internet firewall, we may have to look at potential DoS scenarios. Several threshold based rules can be created in SIEM to look for such attack patterns
In case of Internet facing Firewall, uRPF filtering definitely helps. There are several different modes for enabling uRPF. Before enabling we need to understand whether our network is routed symmetrically or not. In case of symmetric routing, the uRPF filtering is straight forward and we can go for Strict Mode, but in case of asymmetric routing, the filtering is not easy and hence we may configure uRPF in Loose Mode or Feasible Mode. There are several articles from Cisco on uRPF that can serve as good references.
In essence, every event means different things in different scenarios. Placement of the device in the network and its relevance gives a new meaning to the event triggered. Investigation of every “event type” is mandatory in Security Operations. Results of such analysis should be fed back into a Knowledge Base that will help the enterprise react to several different alerts in the right way.
Update based on the comments received:
For scenarios where both IP and MAC spoofing is involved, there is no easy way of identifying the real machine. The closest in case of Internal Network would be to look at the Switch Network to identify the source segment of the MAC thereby narrowing done on the investigation. But even after narrowing down, you will have to go down to the Asset Enumeration level to exactly identify the spoofing host. This enumeration should be done in tandem with packet captures in the switched network. One of the other things to look at in packet captures would be to look for the presence of a Locally administered address bit. This will be set in case of a spoof. Smart hackers know this and can circumvent it by a custom driver code, but this is just another pointer of what we can look for.

False Positive in a SIEM

People always try to convince me that SIEM gives a lot of false positives. I am surprised by this accusation of a “Passive” Technology like SIEM that I decided to blog about it. I call SIEM technology to be Passive in the first place because these systems are not changing anything on the IT Infrastructure nor are they Defending against anything. They are simply a “log pattern matching” tool. It’s as true as the logs being fed into it for Matching against what SIEM Industry calls as Correlation Rules. Correlation rules in SIEM are nothing but a set of patterns in the Logs to watch for and alert on.

Lets take an example of a typical SIEM Analysis scenario

Rule in SIEM – Identify Port Scan or Network Scan happening in the Network followed by successful connection on an open port.
Rule Logic – IDS Signature based detection or Pattern Based Detection from Network Firewalls (X number of Port Connections in Y Time from the same IP Address)
Rule Output – Source IP, Destination IP, Port Numbers

Based on the IP Address and Port information, analysis was done on what is happening in the Network between these two machines. At the end of the Analysis the Security Analyst found that the behavior of Source IP is expected or normal and there is nothing malicious about it. He collects the evidentiary data (whether the data collected justifies this behavior or not is a different question but not important at this point in time), follows the Incident Management life cycle and closes this Incident as “False Positive”.

For me, categorization of the Entire Event as False positive is where the problem is. This is not a False Alarm. This Alert did what it was supposed to do or rather designed to do. The Pattern Matcher detected the pattern and triggered an alert. If the pattern is wrong, the pattern needs to be updated and not deemed as False Alarm. From a Security Point of view, this entire Analysis might help in understanding your Network better, Applications better and the Security Gaps better.
In my life, I have come across several instances where such “False Positives” have turned out to be gold mines to gather valuable information about the things happening in your network. Sometimes, such events open our eyes to previously unknown or unseen Security Risks in the organization.

For me they are just “Positives” and there is nothing “False” about it!!!