-
log analysis??
Could anyone recommend a book, site, tutorial, or article that would help me in reading
logs and analyzing them? I currently know snort fairly well, I know how to write basic
rules, but reading the hex logs has always been a struggle. I have some intermediate
understanding of TCP/IP as well. I was able to answer all the questions from the honeynet
challenge (for beginners), although I did not notice the decoy servers.
Help is deeply appreciated; also a sample file for beginners would be helpful.
thank you
:)
-
-
Reading and analyzing logs all depends on the application that does the logging.
To be able to read and understand web logs, for example, you'll need to have a clear understanding of how a web server and the HTTP protocol work. For firewall logs, the firewall, etc.
Do you have certain log files in mind?
-
****I currently know >>>>snort<<<< fairly well, I know how to write basic
rules, but reading the hex logs has always been a struggle. ****
-
I guess what I am asking is:
how would something like this
Quote:
TCP Header Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3.
apply to this log file.
Quote:
> > > 75 74 73 63 68 20 20 20 20 20 20 20 20 20 65 6E
> > > 5F 64 65 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
> > > 75 20 49 74 61 6C 69 65 6E 69 73 63 68 20 20 20
> > > 20 20 65 6E 5F 69 74 0A 2D 20 45 6E 67 6C 69 73
> > > 63 68 20 7A 75 20 46 72 61 6E 7A 6F 65 73 69 73
> > > 63 68 20 20 20 20 65 6E 5F 66 72 0A 2D 20 45 6E
> > > 67 6C 69 73 63 68 20 7A 75 20 50 6F 72 74 75 67
> > > 69 65 73 69 73 63 68 20 20 20 65 6E 5F 70 74 0A
> > > 2D 20 45 6E 67 6C 69 73 63 68 20 7A 75 20 43 68
> > > 69 6E 73 65 73 69 63 68 20 20 20 20 20 20 65 6E
> > > 5F 7A 68 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
> > > 75 20 4A 61 70 61 6E 69 73 63 68 09 20 20 20 20
> > > 20 20 65 6E 5F 6A 61 0A 2D 20 45 6E 67 6C 69 73
> > > 63 68 20 7A 75 20 4B 6F 72 65 61 6E 69 73 63 68
> > > 20 20 20 20 20 20 65 6E 5F 6B 6F 0A 2D 20 45 6E
> > > 67 6C 69 73 63 68 20 7A 75 20 53 70 61 6E 69 73
> > > 63 68 09 20 20 20 20 20 20 65 6E 5F 65 73 0A 2D
> > > 20 45 6E 67 6C 69 73 63 68 20 7A 75 20 52 75 73
> > > 73 69 73 63 68 09 20 20 20 20 20 20 65 6E 5F 72
> > > 75 0A 2D 20 44 65 75 74 73 63 68 20 7A 75 20 45
> > > 6E 67 6C 69 73 63 68 20 20 20 20 20 20 20 20 20
> > > 64 65 5F 65 6E 0A 2D 20 49 74 61 6C 65 6E 69 73
> > > 63 68 20 7A 75 20 45 6E 67 6C 69 73 63 68 20 20
> > > 20 20 20 20 69 74 5F 65 6E 0A 2D 20 46 72 61 6E
> > > 7A 6F 65 73 69 73 63 68 20 7A 75 20 45 6E 67 6C
> > > 69 73 63 68 20 20 20 20 66 72 5F 65 6E 0A 2D 20
> > > 50 6F 72 74 75 67 69 65 73 69 73 63 68 20 7A 75
> > > 20 45 6E 67 6C 69 73 63 68 20 20 20 70 74 5F 65
> > > 6E 0A 2D 20 4A 61 70 61 6E 69 73 63 68 20 7A 75
> > > 20 45 6E 67 6C 69 73 63 68 20 20 20 20 20 20 20
I have read many posts on TCP/IP and I understand all of the special fields. The only problem I am having is matching the datagram to the hex dump.
thank you
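As an added example (not from anyone in this thread), the script below does the matching mechanically: it pulls the two-digit hex tokens out of a snort-style dump, ignoring the "> > >" mail-quote markers, and unpacks the 20-byte TCP header field by field exactly as the figure lays it out. One caveat first: the dump quoted above decodes as plain ASCII (a list of language pairs such as "Englisch zu Italienisch en_it"), so it is the packet's payload, not its TCP header; the sample input here therefore prepends a made-up header to the first two rows of that dump.

```python
import string
import struct

# Constructed sample: a made-up 20-byte TCP header (ports 1234 -> 80, PSH+ACK,
# window 8192, checksum not valid since no IP pseudo-header is available)
# followed by the first two rows of the dump quoted in the post, quote
# markers included.
SAMPLE_DUMP = """
> > > 04 D2 00 50 12 34 56 78 9A BC DE F0 50 18 20 00
> > > AB CD 00 00 75 74 73 63 68 20 20 20 20 20 20 20
> > > 20 20 65 6E 5F 64 65 0A 2D 20 45 6E 67 6C 69 73
> > > 63 68 20 7A
"""

# Flag bit positions in the flags byte, low bit first (figure: |U|A|P|R|S|F|).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def hexdump_to_bytes(text):
    """Collect the two-digit hex tokens of a dump into bytes, skipping quote markers."""
    tokens = [t for line in text.splitlines() for t in line.replace(">", " ").split()]
    return bytes.fromhex("".join(t for t in tokens if len(t) == 2 and all(c in string.hexdigits for c in t)))

def parse_tcp_header(data):
    """Map the RFC 793 header figure onto raw bytes; everything is network byte order."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for a TCP header, got %d" % len(data))
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    header_len = (off_res >> 4) * 4          # Data Offset is counted in 32-bit words
    if header_len < 20 or header_len > len(data):
        raise ValueError("Data Offset %d words does not fit %d bytes" % (off_res >> 4, len(data)))
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for bit, name in enumerate(TCP_FLAGS) if flags & (1 << bit)],
        "window": win, "checksum": csum, "urgent_ptr": urg,
        "options": data[20:header_len],      # non-empty only when Data Offset > 5
        "payload": data[header_len:],
    }

def printable(payload):
    """Render bytes the way a sniffer's ASCII pane does: a dot for anything non-printable."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

if __name__ == "__main__":
    hdr = parse_tcp_header(hexdump_to_bytes(SAMPLE_DUMP))
    for key in ("src_port", "dst_port", "seq", "ack", "header_len", "flags", "window", "checksum", "urgent_ptr"):
        print("%-11s %s" % (key, hdr[key]))
    print("payload     %r" % printable(hdr["payload"]))
```

The Data Offset check matters in practice: a dump whose offset does not fit the bytes present is either truncated or not a TCP header at all, which is exactly the situation with the quoted payload-only dump.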
-
:)
What OS are you using? You should be able to get intelligible output at the command prompt using Windows. Don't know about *nix. Also, there is IDScenter, a neat GUI interface for snort:
www.packx.net/packx/html/en/idscenter/index-idscenter.htm
You can use WinSnort2HTML to view snort alerts, and snort logging to a MySQL server using a PHP-enabled web server and ACID to present reports. Anyway, this is from class; it is far from my field of expertise.
Unless you are actually trying to learn how to assign the dump to the datagram. Gee...
You might be able to capture a packet and match it with the MAC address of a known NIC; that may give you a starting point, as MAC addresses are usually represented in hex. That should take care of 64 bits, taking the dest. & source MAC addresses in the L2 frame header, unless it's been already stripped off. The MAC addresses are relatively easy to get.
3rd edit:
Ethereal with WinPcap is great for taking the packets apart and reading the hex in another pane. That's probably the best way to do what you want to do.
-
:)
My above post needs some correction. Firstly, MAC addresses have six bytes in hex, therefore 48 bits, for a total of 96 when taking the source and dest. address into account. Also, converting an IP address to hex shouldn't be too difficult. These do have 32 bits each, for a total of 64.
OK, I'm happy now...