-
April 2nd, 2004, 08:08 PM
#1
Junior Member
log analysis??
Could anyone recommend a book, site, tutorial, or article that would help me in reading
logs and analyzing them. I currently know snort fairly well, I know how to write basic
rules but reading the hex logs has always been a struggle. I have some intermediate
understanding of TCP/IP as well. I was able to answer all the questions from the honeynet
challenge (for beginners) although I did not notice the decoy servers.
Help is deeply appreciated, also a sample file for beginners would also be helpful.
thank you
-
April 3rd, 2004, 12:03 AM
#2
-
April 5th, 2004, 10:53 AM
#3
Reading and analyzing logs all depends on the application that does the logging.
To be able to read and understand web logs, for example, you'll need to have a clear understanding of how a webserver and the HTTP protocol work. For firewall logs, the firewall etc.
Do you have certain logfiles in mind?
-
April 6th, 2004, 12:17 AM
#4
****I currently know >>>>snort<<<< fairly well, I know how to write basic
rules but reading the hex logs has always been a struggle. ****
-
April 6th, 2004, 09:34 PM
#5
Junior Member
I guess what I am asking is:
how would something like this
Quote:
TCP Header Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3.
apply to this log file.
Quote:
> > > 75 74 73 63 68 20 20 20 20 20 20 20 20 20 65 6E
> > > 5F 64 65 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
> > > 75 20 49 74 61 6C 69 65 6E 69 73 63 68 20 20 20
> > > 20 20 65 6E 5F 69 74 0A 2D 20 45 6E 67 6C 69 73
> > > 63 68 20 7A 75 20 46 72 61 6E 7A 6F 65 73 69 73
> > > 63 68 20 20 20 20 65 6E 5F 66 72 0A 2D 20 45 6E
> > > 67 6C 69 73 63 68 20 7A 75 20 50 6F 72 74 75 67
> > > 69 65 73 69 73 63 68 20 20 20 65 6E 5F 70 74 0A
> > > 2D 20 45 6E 67 6C 69 73 63 68 20 7A 75 20 43 68
> > > 69 6E 73 65 73 69 63 68 20 20 20 20 20 20 65 6E
> > > 5F 7A 68 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
> > > 75 20 4A 61 70 61 6E 69 73 63 68 09 20 20 20 20
> > > 20 20 65 6E 5F 6A 61 0A 2D 20 45 6E 67 6C 69 73
> > > 63 68 20 7A 75 20 4B 6F 72 65 61 6E 69 73 63 68
> > > 20 20 20 20 20 20 65 6E 5F 6B 6F 0A 2D 20 45 6E
> > > 67 6C 69 73 63 68 20 7A 75 20 53 70 61 6E 69 73
> > > 63 68 09 20 20 20 20 20 20 65 6E 5F 65 73 0A 2D
> > > 20 45 6E 67 6C 69 73 63 68 20 7A 75 20 52 75 73
> > > 73 69 73 63 68 09 20 20 20 20 20 20 65 6E 5F 72
> > > 75 0A 2D 20 44 65 75 74 73 63 68 20 7A 75 20 45
> > > 6E 67 6C 69 73 63 68 20 20 20 20 20 20 20 20 20
> > > 64 65 5F 65 6E 0A 2D 20 49 74 61 6C 65 6E 69 73
> > > 63 68 20 7A 75 20 45 6E 67 6C 69 73 63 68 20 20
> > > 20 20 20 20 69 74 5F 65 6E 0A 2D 20 46 72 61 6E
> > > 7A 6F 65 73 69 73 63 68 20 7A 75 20 45 6E 67 6C
> > > 69 73 63 68 20 20 20 20 66 72 5F 65 6E 0A 2D 20
> > > 50 6F 72 74 75 67 69 65 73 69 73 63 68 20 7A 75
> > > 20 45 6E 67 6C 69 73 63 68 20 20 20 70 74 5F 65
> > > 6E 0A 2D 20 4A 61 70 61 6E 69 73 63 68 20 7A 75
> > > 20 45 6E 67 6C 69 73 63 68 20 20 20 20 20 20 20
I have read many posts on TCP/IP and I understand all of the special fields. The only problem I am having is matching the datagram to the hexdump.
thank you
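An added example (not from the original thread) of laying the RFC 793 figure over raw bytes: every field is read in network byte order, Data Offset tells you where the payload starts, and the flag bits are read from the right-hand end of the flags byte. The 20-byte header is constructed for the example; the payload is the first four hex lines quoted above, which decode as plain text rather than as a TCP header. In a full capture the TCP header only begins after the link-layer and IP headers, so the offset at which you start matters.

```python
import struct

# Constructed 20-byte TCP header (not from the page): ports 80 -> 4096, seq 1, ack 2,
# Data Offset 5 words (no options), flags PSH+ACK, window 8192, checksum 0x1234, urgent 0.
HEADER_HEX = "00 50 10 00 00 00 00 01 00 00 00 02 50 18 20 00 12 34 00 00"

# First four hex lines quoted in the post above, used here as the segment's payload.
DUMP_LINES = """\
> > > 75 74 73 63 68 20 20 20 20 20 20 20 20 20 65 6E
> > > 5F 64 65 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
> > > 75 20 49 74 61 6C 69 65 6E 69 73 63 68 20 20 20
> > > 20 20 65 6E 5F 69 74 0A 2D 20 45 6E 67 6C 69 73
"""

HEXDIGITS = set("0123456789abcdefABCDEF")
# Flag bits, lowest bit first: the rightmost column (F) in the figure is bit 0.
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def hexdump_to_bytes(text):
    """Drop quote markers and anything that is not a two-digit hex pair."""
    pairs = [tok for tok in text.split() if len(tok) == 2 and set(tok) <= HEXDIGITS]
    return bytes(int(p, 16) for p in pairs)

def parse_tcp_header(segment):
    """Map the first 20 bytes onto the figure's fields (all big-endian)."""
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4          # Data Offset is counted in 32-bit words
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)],
        "window": window, "checksum": csum, "urgent": urg,
        "payload": segment[header_len:],     # options, if any, sit before this point
    }

def payload_text(payload):
    """Render the application bytes; non-printable bytes become '.' as in a dump pane."""
    return "".join(chr(b) if 32 <= b < 127 or b == 10 else "." for b in payload)

def decode_example():
    """Header fields plus the decoded payload for the constructed segment."""
    segment = hexdump_to_bytes(HEADER_HEX) + hexdump_to_bytes(DUMP_LINES)
    hdr = parse_tcp_header(segment)
    return hdr, payload_text(hdr["payload"])

if __name__ == "__main__":
    hdr, text = decode_example()
    print({k: v for k, v in hdr.items() if k != "payload"})
    print(text)
```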
-
May 3rd, 2004, 03:23 PM
#6
What OS are you using? You should be able to get intelligible output at the command prompt using Windows. Don't know about *nix. Also, there is IDScenter, a neat GUI interface for snort;
www.packx.net/packx/html/en/idscenter/index-idscenter.htm
You can use WinSnort2HTML to view snort alerts, and snort logging to a MySQL server using a php enabled web server and ACID to present reports. Anyways, this is from class, far be it my field of expertise.
Unless you are actually trying to learn how to assign the dump to the datagram. Gee...
You might be able to capture a packet and match it with the MAC address of a known NIC, that may give you a starting point, as MAC addresses are usually represented in hex. That should take care of 64 bits, taking the dest. & source MAC addresses in the L2 frame header, unless it's already been stripped off. The MAC addresses are relatively easy to get.
3rd edit:
Ethereal with WinPcap is great for taking the packets apart and reading the hex in another pane. That's probably the best way to do what you want to do.
-
May 11th, 2004, 06:35 AM
#7
My above post needs some correction. Firstly, MAC addresses have six bytes in hex, therefore 48 bits for a total of 96 when taking the source and dest. address into account. Also, converting an IP address to hex shouldn't be too difficult. These do have 32 bits each for a total of 64.
OK, I'm happy now...