Firewall Wizards mailing list archives

Re: artificial ignorance: how-to guide


From: Doug Hughes <Doug.Hughes () Eng Auburn EDU>
Date: Wed, 24 Sep 1997 11:28:46 -0500


(probably preaching to the choir - but..)

Perl is also extremely useful for these sorts of things. One Perl script
here does the job of lots of shell sorts, greps, seds, and pipes.

I wrote a Perl script for analysing our tcp_wrappers reports nightly.
I condense about 2-5000 lines of tcp_wrappers logs from external logins
to a couple of hundred nicely formatted lines that provide insight as
to who is logging in from where, but only if that activity is not
normal activity for that user (it keeps a database of where the user
logs in from and where to. Users tend to maintain a certain profile.
When they deviate, it is flagged so that I can investigate if it's
warranted).

Each connect is actually two syslog entries.
The first entry is the actual connect (using ssh, stel, ssltelnet, or
something like that).
The second is logged by the replaced login program that tells which
internal machine the user is connecting to.

First you split up the syslog entries:
# one syslog line at a time in $_; split on whitespace into its fields
my ($mon, $day, $time, $host, $f5, $f6, $f7, $f8, $f9, $f10) = split(' ', $_);

Then you correlate based on what host the user is coming from, the username
and what host the user is connecting to.
(lots of Perl cruft deleted - this is just a process not a case study for now)
Find out if the connecting host supports ident, and log that.
Find out if the internal connect-to host is part of their pattern; if not, log that.
Find out if the user is logging in from several geographically distributed
remote hosts in the same day (if a person logs in from Canada and Greece in
the same day, chances are something is up).

Log all connects from foreign countries, for that matter. We just don't have
that many people who go abroad, and the ones that do are easy to recognize
(wu connects from China, Murphy from Ireland, etc).

Finally, you end up with something readable and intelligible.

excerpt:
.... non-local with ident
.... suspect
ingraje  pm-atl-10-port3.randomc.  1 mig                       
ingraje  pm-atl-5-port20.randomc.  1 nimitz                    1% hit
ingraje  pm-atl-5-port20.randomc.  3 mig                       
eshaffer xavier.eecs.usma.edu      1 farnsworth                4% hit
.... foreign
lmurphy  zadok.eeng.dcu.ie         1 mimosa                    
zhoufan  maindns.buaa.edu.cn       1 charpy.me                


columns:
1 - username
2 - remote host
3 - number of connections from
4 - local host
5 - if exists, and less than 5%, log as possible deviation from standard pattern.
    not strictly useful by itself, but can be useful in investigating a broader
    pattern of account problems.


--
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
                        doug () eng auburn edu
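The process the post describes (split each syslog line into fields, pair the tcp_wrappers connect entry with the login entry that names the internal host, compare against a per-user profile, and flag low-percentage targets, same-day multi-country logins and foreign hosts) as an added worked example. This is not Doug Hughes's script; it is written in Python rather than Perl, and the log format, the local domain `.eng.auburn.edu`, the "foreign" heuristic (a country-code TLD other than `.us`), the profile numbers and the log lines are all constructed for the example. Ident is taken from whether tcp_wrappers logged `user@host` (it does so only when the remote answered the ident query), rather than probed live, and the two entries of a connect are paired in log order rather than on all three of host, user and target.

```python
from collections import Counter, defaultdict

LOCAL_DOMAIN = ".eng.auburn.edu"                                   # assumed local domain
DOMESTIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "us"}   # assumed "not foreign"
LOW_HIT_PCT = 5.0                                                  # the post's 5% threshold

# Per-user profile: internal host -> historical connection count (constructed numbers;
# in practice this is the database the nightly script maintains).
HISTORY = {
    "ingraje":  Counter({"mig": 97, "nimitz": 1}),
    "eshaffer": Counter({"mimosa": 24, "farnsworth": 1}),
    "lmurphy":  Counter({"mimosa": 40}),
    "jdoe":     Counter({"mig": 30}),
    "kwhite":   Counter({"mimosa": 50}),
    "bob":      Counter({"mig": 5}),
}

# Constructed sample: each connect is two entries, the tcp_wrappers "connect from"
# line (user@host only when ident answered) and the replaced login program's line
# naming the internal target host.
SAMPLE_LOG = """\
Sep 24 03:12:01 gw sshd[101]: connect from ingraje@pm-atl-10-port3.randomc.com
Sep 24 03:12:05 gw login[102]: ingraje to mig
Sep 24 04:40:11 gw sshd[110]: connect from ingraje@pm-atl-5-port20.randomc.com
Sep 24 04:40:14 gw login[111]: ingraje to nimitz
Sep 24 05:10:00 gw sshd[112]: connect from ingraje@pm-atl-5-port20.randomc.com
Sep 24 05:10:03 gw login[113]: ingraje to mig
Sep 24 09:01:30 gw sshd[120]: connect from xavier.eecs.usma.edu
Sep 24 09:01:33 gw login[121]: eshaffer to farnsworth
Sep 24 10:15:02 gw sshd[130]: connect from zadok.eeng.dcu.ie
Sep 24 10:15:04 gw login[131]: lmurphy to mimosa
Sep 24 11:20:45 gw sshd[140]: connect from jdoe@dialup.example.ca
Sep 24 11:20:48 gw login[141]: jdoe to mig
Sep 24 12:00:00 gw sshd[170]: connect from kwhite@shell.example.net
Sep 24 12:00:02 gw login[171]: kwhite to mimosa
Sep 24 18:03:10 gw sshd[150]: connect from jdoe@ppp.example.gr
Sep 24 18:03:13 gw login[151]: jdoe to mig
Sep 24 19:00:00 gw sshd[160]: connect from ws12.eng.auburn.edu
Sep 24 19:00:02 gw login[161]: bob to mig
"""

def parse_entry(line):
    """Split one syslog line into the ten whitespace fields the post splits on and
    classify it as a connect entry, a login entry, or neither."""
    mon, day, time, host, f5, f6, f7, f8, f9, f10 = (line.split() + [""] * 10)[:10]
    if f6 == "connect" and f7 == "from":
        user, _, remote = f8.rpartition("@")   # ident username present only if the remote answered
        return {"kind": "connect", "day": f"{mon} {day}", "remote": remote, "ident": bool(user)}
    if f5.startswith("login") and f7 == "to":
        return {"kind": "login", "user": f6, "local": f8}
    return None

def correlate(log_text):
    """Pair each connect entry with the next login entry (log-order pairing, a simplification)."""
    pending, sessions = [], []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e["kind"] == "connect":
            pending.append(e)
        elif pending:
            c = pending.pop(0)
            sessions.append({"user": e["user"], "local": e["local"], "remote": c["remote"],
                             "ident": c["ident"], "day": c["day"]})
    return sessions

def tld(host):
    return host.rsplit(".", 1)[-1].lower()

def is_foreign(host):
    return tld(host) not in DOMESTIC_TLDS

def hit_pct(user, local):
    """Share of the user's historical connections that went to this internal host."""
    hist = HISTORY.get(user, Counter())
    total = sum(hist.values())
    return 100.0 * hist[local] / total if total else 0.0

def build_report(log_text):
    """Return {section: [(user, remote, count, local, note), ...]} in the post's column order."""
    groups, meta, countries = Counter(), {}, defaultdict(set)
    for s in correlate(log_text):
        key = (s["user"], s["remote"], s["local"])
        groups[key] += 1
        meta[key] = s
        if is_foreign(s["remote"]):
            countries[(s["user"], s["day"])].add(tld(s["remote"]))   # country codes seen per user-day
    notes = {}
    for user, remote, local in groups:
        pct = hit_pct(user, local)
        seen = countries[(user, meta[(user, remote, local)]["day"])]
        if pct < LOW_HIT_PCT:
            notes[(user, remote, local)] = f"{pct:.0f}% hit"            # deviation from the profile
        elif len(seen) > 1:
            notes[(user, remote, local)] = f"{len(seen)} countries same day"
    flagged_users = {k[0] for k in notes}   # show all of a flagged user's rows for context
    report = {"non-local with ident": [], "suspect": [], "foreign": []}
    for key, n in sorted(groups.items()):
        user, remote, local = key
        row = (user, remote, n, local, notes.get(key, ""))
        if is_foreign(remote):
            report["foreign"].append(row)
        elif user in flagged_users:
            report["suspect"].append(row)
        elif not remote.endswith(LOCAL_DOMAIN) and meta[key]["ident"]:
            report["non-local with ident"].append(row)
        # local, unflagged connects are normal activity and are not reported
    return report

def render(report):
    """Format the report in the five columns of the post's excerpt (remote host cut to 24 chars)."""
    out = []
    for section, rows in report.items():
        if rows:
            out.append(f".... {section}")
            out += [f"{u:<8} {r[:24]:<24} {n:>2} {l:<25} {note}".rstrip() for u, r, n, l, note in rows]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(build_report(SAMPLE_LOG)))
```

Run as-is it prints the three sections of the excerpt from the constructed log: ingraje's one connect to nimitz carries "1% hit", eshaffer's to farnsworth "4% hit", jdoe's Canada-then-Greece day is noted under foreign, and bob's purely local connect is dropped as normal. Listing every row of a flagged user, not just the flagged one, is what makes the report useful for the "broader pattern" investigation the post mentions.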



