
Thread: log analysis??

  1. #1
    Junior Member
    Join Date: Apr 2004
    Posts: 2

    log analysis??

    Could anyone recommend a book, site, tutorial, or article that would help me in reading
    logs and analyzing them? I currently know snort fairly well; I know how to write basic
    rules, but reading the hex logs has always been a struggle. I have some intermediate
    understanding of TCP/IP as well. I was able to answer all the questions from the honeynet
    challenge (for beginners), although I did not notice the decoy servers.
    Help is deeply appreciated; a sample file for beginners would also be helpful.

    thank you

  2. #2
    Senior Member
    Join Date: Nov 2001
    Posts: 4,785
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,401
    Reading and analyzing logs all depends on the application that does the logging.

    To be able to read and understand web logs, for example, you'll need to have a clear understanding of how a webserver and the HTTP protocol work. For firewall logs, the firewall, etc.

    Do you have certain logfiles in mind?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date: Nov 2001
    Posts: 4,785
    ****I currently know >>>>snort<<<< fairly well, I know how to write basic
    rules but reading the hex logs has always been a struggle.****

  5. #5
    Junior Member
    Join Date: Apr 2004
    Posts: 2

    I guess what I am asking is:

    how would something like this

    Quote:

    TCP Header Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    TCP Header Format

    Note that one tick mark represents one bit position.

    Figure 3.

    apply to this log file.

    Quote:

    > > > 75 74 73 63 68 20 20 20 20 20 20 20 20 20 65 6E
    > > > 5F 64 65 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
    > > > 75 20 49 74 61 6C 69 65 6E 69 73 63 68 20 20 20
    > > > 20 20 65 6E 5F 69 74 0A 2D 20 45 6E 67 6C 69 73
    > > > 63 68 20 7A 75 20 46 72 61 6E 7A 6F 65 73 69 73
    > > > 63 68 20 20 20 20 65 6E 5F 66 72 0A 2D 20 45 6E
    > > > 67 6C 69 73 63 68 20 7A 75 20 50 6F 72 74 75 67
    > > > 69 65 73 69 73 63 68 20 20 20 65 6E 5F 70 74 0A
    > > > 2D 20 45 6E 67 6C 69 73 63 68 20 7A 75 20 43 68
    > > > 69 6E 73 65 73 69 63 68 20 20 20 20 20 20 65 6E
    > > > 5F 7A 68 0A 2D 20 45 6E 67 6C 69 73 63 68 20 7A
    > > > 75 20 4A 61 70 61 6E 69 73 63 68 09 20 20 20 20
    > > > 20 20 65 6E 5F 6A 61 0A 2D 20 45 6E 67 6C 69 73
    > > > 63 68 20 7A 75 20 4B 6F 72 65 61 6E 69 73 63 68
    > > > 20 20 20 20 20 20 65 6E 5F 6B 6F 0A 2D 20 45 6E
    > > > 67 6C 69 73 63 68 20 7A 75 20 53 70 61 6E 69 73
    > > > 63 68 09 20 20 20 20 20 20 65 6E 5F 65 73 0A 2D
    > > > 20 45 6E 67 6C 69 73 63 68 20 7A 75 20 52 75 73
    > > > 73 69 73 63 68 09 20 20 20 20 20 20 65 6E 5F 72
    > > > 75 0A 2D 20 44 65 75 74 73 63 68 20 7A 75 20 45
    > > > 6E 67 6C 69 73 63 68 20 20 20 20 20 20 20 20 20
    > > > 64 65 5F 65 6E 0A 2D 20 49 74 61 6C 65 6E 69 73
    > > > 63 68 20 7A 75 20 45 6E 67 6C 69 73 63 68 20 20
    > > > 20 20 20 20 69 74 5F 65 6E 0A 2D 20 46 72 61 6E
    > > > 7A 6F 65 73 69 73 63 68 20 7A 75 20 45 6E 67 6C
    > > > 69 73 63 68 20 20 20 20 66 72 5F 65 6E 0A 2D 20
    > > > 50 6F 72 74 75 67 69 65 73 69 73 63 68 20 7A 75
    > > > 20 45 6E 67 6C 69 73 63 68 20 20 20 70 74 5F 65
    > > > 6E 0A 2D 20 4A 61 70 61 6E 69 73 63 68 20 7A 75
    > > > 20 45 6E 67 6C 69 73 63 68 20 20 20 20 20 20 20


    I have read many posts on TCP/IP and I understand all of the special fields. The only problem I am having is matching the datagram to the hexdump.

    thank you

  6. #6
    Senior Member
    Join Date: Mar 2004
    Posts: 139

    What OS are you using? You should be able to get intelligible output at the command prompt using Windows. Don't know about *nix. Also, there is IDScenter, a neat GUI interface for snort:

    www.packx.net/packx/html/en/idscenter/index-idscenter.htm

    You can use WinSnort2HTML to view snort alerts, and snort logging to a MySQL server using a PHP-enabled web server and ACID to present reports. Anyways, this is from class, far from my field of expertise.

    Unless you are actually trying to learn how to assign the dump to the datagram. Gee...
    you might be able to capture a packet and match it with the MAC address of a known NIC; that may give you a starting point, as MAC addresses are usually represented in hex. That should take care of 64 bits, taking the dest. & source MAC addresses in the L2 frame header, unless it's already been stripped off. The MAC addresses are relatively easy to get.
    3rd edit:
    Ethereal with WinPcap is great for taking the packets apart and reading the hex in another pane. That's probably the best way to do what you want to do.

  7. #7
    Senior Member
    Join Date: Mar 2004
    Posts: 139

    My above post needs some correction. Firstly, MAC addresses have six bytes in hex, therefore 48 bits, for a total of 96 when taking the source and dest. address into account. Also, converting an IP address to hex shouldn't be too difficult. These do have 32 bits each, for a total of 64.
    OK, I'm happy now...
