Firewall Wizards mailing list archives
Re: artificial ignorance: how-to guide
From: Doug Hughes <Doug.Hughes () Eng Auburn EDU>
Date: Wed, 24 Sep 1997 11:28:46 -0500
(probably preaching to the choir - but..) Perl is also extremely useful for this sort of thing. One Perl script here does the job of lots of shell sorts, greps, seds, and pipes.

I wrote a Perl script for analysing our tcp_wrappers reports nightly. I condense about 2-5000 lines of tcp_wrappers logs from external logins to a couple of hundred nicely formatted lines that provide insight as to who is logging in from where, but only if that activity is not normal activity for that user (it keeps a database of where the user logs in from and where to.. Users tend to maintain a certain profile. When they deviate, it is flagged so that I can investigate if it's warranted).

Each connect is actually two syslog entries. The first entry is the actual connect (using ssh, stel, ssltelnet, or something like that). The second is logged by the replaced login program that tells which internal machine the user is connecting to.

First you split up the syslog entries:

    ($mon, $day, $time, $host, $f5, $f6, $f7, $f8, $f9, $f10) = split(' ', $_);

Then you correlate based on what host the user is coming from, the username and what host the user is connecting to. (lots of Perl cruft deleted - this is just a process, not a case study for now)

Find out if the connecting host supports ident, and log that. Find out if the internal connect-to host is part of their pattern; if not, log that. Find out if the user is logging in from several geographically distributed remote hosts in the same day (if a person logs in from Canada and Greece in the same day, chances are something is up). Log all connects from foreign countries, for that matter. We just don't have that many people who go abroad, and the ones that do are easy to recognize (wu connects from china, Murphy from Ireland, etc).

Finally, you end up with something readable and intelligible. excerpt:

    .... non-local with ident ....
    suspect ingraje  pm-atl-10-port3.randomc.  1  mig
            ingraje  pm-atl-5-port20.randomc.  1  nimitz      1% hit
            ingraje  pm-atl-5-port20.randomc.  3  mig
            eshaffer xavier.eecs.usma.edu      1  farnsworth  4% hit
    .... foreign
            lmurphy  zadok.eeng.dcu.ie         1  mimosa
            zhoufan  maindns.buaa.edu.cn       1  charpy.me

columns:
1 - username
2 - remote host
3 - number of connections from
4 - local host
5 - if exists, and less than 5%, log as possible deviation from standard pattern.

Not strictly useful by itself, but can be useful in investigating a broader pattern of account problems.

--
____________________________________________________________________________
Doug Hughes                          Engineering Network Services
System/Net Admin                     Auburn University
doug () eng auburn edu
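The correlation the post describes, written up here as an added Python example (not Doug Hughes's Perl script): the syslog line format for the login entry, the per-user profile database, and the "foreign" rule (a two-letter country TLD other than .us) are assumptions, and the log and profile are constructed.

```python
import re
from collections import Counter
# Constructed sample log (hypothetical format, not from the post): each
# external connection is a tcp_wrappers "connect from" line followed by the
# replaced login program's line naming the user and the internal host.
SAMPLE_LOG = """\
Sep 24 01:12:03 gw sshd[411]: connect from pm-atl-5-port20.randomc.net
Sep 24 01:12:07 gw login: ingraje to nimitz
Sep 24 01:30:11 gw sshd[418]: connect from pm-atl-5-port20.randomc.net
Sep 24 01:30:15 gw login: ingraje to mig
Sep 24 02:05:44 gw sshd[433]: connect from zadok.eeng.dcu.ie
Sep 24 02:05:49 gw login: lmurphy to mimosa
"""
# Constructed stand-in for the post's profile database: user -> Counter of
# internal hosts that user has logged in to on previous days.
PROFILE = {"ingraje": Counter({"mig": 120, "nimitz": 1}),
           "lmurphy": Counter({"mimosa": 40})}
CONNECT = re.compile(r"connect from (\S+)$")
LOGIN = re.compile(r"login: (\S+) to (\S+)$")

def parse_events(text):
    """Pair each 'connect from' entry with the login entry that follows it."""
    events, remote = [], None
    for line in text.splitlines():
        m = CONNECT.search(line)
        if m:
            remote = m.group(1)
            continue
        m = LOGIN.search(line)
        if m and remote:
            events.append((m.group(1), remote, m.group(2)))
            remote = None
    return events

def is_foreign(host):
    """Assumption: a two-letter country TLD other than .us means abroad."""
    tld = host.rsplit(".", 1)[-1].lower()
    return len(tld) == 2 and tld != "us"

def analyse(text, profile, threshold=0.05):
    """Rows of (user, remote, count, local, pct, flags) like the post's report.
    pct = share of the user's logins (history + today) to local; < threshold is a 'hit'."""
    counts = Counter(parse_events(text))
    today = Counter(user for user, _, _ in counts.elements())  # today's total per user
    rows = []
    for (user, remote, local), n in sorted(counts.items()):
        hist = profile.get(user, Counter())
        pct = (hist[local] + n) / (sum(hist.values()) + today[user])
        flags = (["hit"] if pct < threshold else []) + (["foreign"] if is_foreign(remote) else [])
        rows.append((user, remote, n, local, round(100 * pct, 1), flags))
    return rows
```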
Current thread:
- artificial ignorance: how-to guide Marcus J. Ranum (Sep 23)
- Re: artificial ignorance: how-to guide Doug Hughes (Sep 24)
- Re: artificial ignorance: how-to guide James W. Abendschan (Sep 24)
- Re: artificial ignorance: how-to guide Neil Readwin (Sep 24)