[High score] Do ordinary PC XP or Win7 systems have log files? Do their log files record the IP and activities of intruders? Where can they be cleared?

The term "system log" comes from the ship's logbook: when people go to sea on a long voyage, they always keep a logbook as a basis for later work. As a special file in Microsoft Windows operating systems, the log file has irreplaceable value for security. The log faithfully records everything that happens in the system every day. Using system log files, system administrators can quickly record and predict potential system intrusions, but it is a pity that most people currently ignore its existence. Ironically, it is the existence of hackers that reminds us of this important system log file.

7.1 Particularity of log files

To understand the log file, we should first start with its particularity. It is special because the file is managed and protected by the system, and ordinary users cannot change it at will under normal circumstances. We cannot edit it the way we edit an ordinary TXT file, for example with the WPS series, the Word series, WordPad, Edit and so on. Why not? We cannot even "rename", "delete" or "move" it; otherwise the system will bluntly tell you that access is denied. Of course, in pure DOS mode (for example on Windows 98) you can perform some routine operations on it, but you will soon find that your modification is of no help at all: when Windows 98 restarts, the system automatically checks this special text file, and if it does not exist, it automatically generates a new one; if it exists, the log records are appended to it.

7.1.1 Why are hackers interested in log files?

After obtaining system administrator privileges on a server, hackers can destroy files on the system at will, including log files. But all of this is recorded in the system log, so hackers must modify the log if they want to hide the traces of the intrusion. The easiest way is to delete the system log files, but this is usually done only by junior hackers. Truly advanced hackers always modify the logs instead, to prevent system administrators from tracking them. There are many programs on the Internet specialising in this kind of function, such as Zap and Wipe.

7.1.2 Brief Introduction of Windows Series Log System

1. Windows 98 log file

At present, most users still use Windows 98 as their operating system, so this section begins with the Windows 98 log file. Ordinary Windows 98 users do not need the system log unless they have a special purpose. For example, when using Windows 98 to build a personal Web server, they need to enable the system log as a reference for server security. Users who have set up a personal Web server on Windows 98 can do the following to enable logging.

(1) Double-click the Personal Web Server icon in the Control Panel (you must already have configured the relevant network protocols and added Personal Web Server);

(2) Click the "Manage" button on the "Manage" tab;

(3) Click "WWW Management" on the "Internet Service Administrator" page;

(4) Click the Log tab on the WWW management page;

(5) Select the "Enable Recording" check box and make changes as needed. Name the log file "Inetserver_event.log". If no directory is specified for the log file on the Log tab, the file is saved in the Windows folder.

Ordinary users can find the log file schedlog.txt in the Windows 98 system folder. It can be located in the following ways: search for it with Start/Find, or start Task Scheduler and click View Log on the Advanced menu to view it. The log file of an ordinary Windows 98 user is very simple and only records the execution of some preset tasks. Compared with an NT operating system acting as a server, real hackers are rarely interested in Windows 98, so people pay little attention to the logs under Windows 98.

2. Windows NT log system

Windows NT is an operating system that is currently attacked a great deal. In Windows NT, almost every transaction in the system is audited to some extent through the log files. Windows NT log files are usually divided into three categories:

System log: tracks various system events and records events generated by Windows NT system components. For example, errors in loading drivers during startup or failures of other system components are recorded in the system log.

Application log: records events generated by applications or system programs. For example, an application's failure to load a DLL (dynamic link library) will appear in this log.

Security log: records events such as logging in to the network, logging out of the network, changes of access rights, system startup and shutdown, and the creation, opening or deletion of files and other events related to resource use. The system's event manager can be used to specify which events need to be recorded in the security log; by default the security log is turned off.

The Windows NT logging system is usually located in the following places, which differ slightly between operating system versions.

c:\systemroot\system32\config\sysevent.evt

c:\systemroot\system32\config\secevent.evt

c:\systemroot\system32\config\appevent.evt

Windows NT uses a special format to store log files. Files in this format can be read by the Event Viewer, which can be found in the Control Panel. System administrators can use the Event Viewer to select which log entries to view; the selection criteria include category, user and message type.

3. Windows 2000 log system

Like Windows NT, Windows 2000 also uses the Event Viewer to manage the log system, and you need to log on as a system administrator before operating it, as shown in Figure 7-1.

Figure 7- 1

In Windows 2000 there are many types of log files, such as application logs, security logs, system logs, DNS server logs, FTP logs, WWW logs and so on, which may vary slightly according to the services enabled on the server. When Windows 2000 starts, the event log service starts automatically. All users can view the application log, but only the system administrator can access the security log and system log. By default the security log is turned off, but we can use group policy to enable it so that it starts recording. Once the security log is enabled, it records indefinitely until it is full.

Default location for Windows 2000 log files:

The default location of the application, security, system and DNS logs is %systemroot%\system32\config, and the default file size is 512KB, but experienced system administrators often change this default size.

Security log file: c:\systemroot\system32\config\secevent.evt

System log file: c:\systemroot\system32\config\sysevent.evt

Application log file: c:\systemroot\system32\config\appevent.evt

The default location of the Internet Information Services FTP log is c:\systemroot\system32\logfiles\msftpsvc1\.

The default location of the Internet Information Services WWW log is c:\systemroot\system32\logfiles\W3SVC1\.

The default location of the scheduler service log is c:\systemroot\schedlgu.txt. The log records the IP of the visitor, the time of the visit and the content of the request.

Since Windows 2000 carries on the NT log files and adds FTP and WWW logs on top of them, this section gives a simple description of the FTP and WWW logs. The FTP log records in detail, as a text file, the files uploaded by FTP, their sources and file names. However, because this log is too obvious, advanced hackers will not transfer files this way at all, but will use RCP instead. The logs generated by the FTP and WWW log files are generally in the directory C:\systemroot\system32\logfiles\W3SVC1, and by default there is one log file per day.

FTP and WWW logs can be deleted, but everything recorded in the FTP log is still recorded in the system log and security log. If users need to try to delete these files, they can do so by some fairly simple methods, such as stopping certain services first. The specific methods are outlined in this section.

Windows 2000 provides a tool named CyberSafe Log Analyst (CLA), which has powerful log management functions. It lets users sort various events by category, instead of slowly searching for one record in a dazzling log, so that users can quickly find the items they need. Another outstanding feature is that it can analyse the activities of multiple systems across the whole network environment at the same time, avoiding the trouble of analysing them one by one.

4. Windows XP log file

When we talk about the log file of Windows XP, the first thing to discuss is the log of the Internet Connection Firewall (ICF). ICF log entries fall into two categories: IP packets approved by ICF, and IP packets discarded by ICF. The log is generally stored in the Windows directory with the file name pfirewall.log, and its format conforms to the W3C extended log file format, which is divided into two parts: header information and body information. The header mainly describes the file pfirewall.log; the body is the part to pay attention to. The body records information about each IP packet that successfully passed the ICF audit or was discarded by ICF, including source address, destination address, port, time, protocol and so on. Understanding this information requires some knowledge of the TCP/IP protocol. The format ICF uses to generate the security log is the W3C extended log file format, which is similar to the format used by common log analysis tools. In the Windows XP Control Panel, open the Event Viewer, as shown in Figure 7-2.

It can be seen that Windows XP also has the three commonly used log files: system log, security log and application log. When you click on any of them, you can see the records in that log file, as shown in Figure 7-3.

Figure 7-2

Figure 7-3

In the advanced settings, we can also set the storage location, size limits and related options for the log file, as shown in Figure 7-4.

Figure 7-4

To enable logging of unsuccessful connection attempts, select the "Log dropped packets" check box; otherwise leave it cleared. In addition, tools such as Kingsoft Netdart can be used to export and delete the "security log".

5. Log analysis

While the log faithfully records everything that happens in the system every day, users also need to standardise and manage the log regularly, but the huge volume of log records leaves users at a loss. At this point we need tools to analyse and summarise the logs. Log analysis helps users extract useful information from the log records, so that they can take the necessary measures according to the situation.

7.2 Delete the system log

Because operating systems differ, the method of deleting logs also differs slightly. This section introduces log deletion in Windows 98 and Windows 2000, which are clearly different.

7.2.1 Log deletion under Windows 98

Windows 98 log records can be eliminated by starting the computer in pure DOS mode and using some common modification or deletion commands. When Windows 98 restarts, the system checks whether the log file exists. If it finds that the log file does not exist, it automatically rebuilds one, but all the original log content is gone.

7.2.2 Log deletion of Windows 2000

Windows 2000 logs are much more complicated than Windows 98 logs. As we know, logs are managed and protected by the system; in general, deleting or modifying them is forbidden, and this is also closely tied to the registry. To delete logs in Windows 2000, you must first obtain system administrator privileges, because the security log and system log can only be viewed by the system administrator before they can be deleted.

We will briefly explain the deletion of application logs, security logs, system logs, DNS server logs, FTP logs and WWW logs. To delete a log file, you must first stop the system's protection of that file. Command statements can be used to delete all log files except the security log and system log; the security log must be handled through the system's Event Viewer. Open the Event Viewer under Administrative Tools in the Control Panel. There is a menu item named "Connect to another computer" under the "Action" menu. Click on it, as shown in Figure 7-5.

Figure 7-5

Enter the IP of the remote computer, wait, select the security log of the remote computer, and click the "Clear Log" button in its properties.

7.3 Finding traces of intrusion

How to find the traces in time and effectively when an intruder is attempting, or has already carried out, an intrusion into the system is one of the hot issues in intrusion prevention. The prerequisite for finding intrusion traces is to have a database of intrusion features. We generally use system logs and firewalls, check the source address in IP headers, check the security of e-mails, and use an Intrusion Detection System (IDS) to determine whether there are signs of intrusion.

Let's learn how to use common knowledge about ports to judge whether there are signs of intrusion:

After the computer is installed, if nothing is adjusted, its default open port is 139. If you do not open other ports, hackers cannot enter the system under normal circumstances. If a normally healthy system that is regularly checked for viruses suddenly responds slowly while you are online, the mouse stops working, the screen goes blue and the system crashes, we can judge that a hacker has planted a Trojan horse in the system by e-mail or other means. At this point, measures can be taken to remove it; for specific methods, please refer to the relevant chapters of this book.

7.3.1 Signs of intrusion

Intrusion always follows certain steps, and experienced system administrators can judge how far an intrusion has progressed by observing whether the system behaves abnormally.

1. Scan signs

When the system receives continuous and repeated port connection requests, it may mean that an intruder is using a port scanner to scan the system from outside. Advanced hackers may use stealthy scanning tools to avoid detection, but in practice experienced system administrators can still judge what is going on from various signs.
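The ICF log layout described in section 4 above and the "continuous and repeated port connection requests" sign described here can be checked together with a small parser. This is an added example, not code from the original text: it reads the column names from the #Fields directive (so it also handles IIS W3SVC logs, which use the same W3C extended format), counts dropped packets per source, and flags sources that hit many distinct ports within a short window. The field list, the sample lines and the thresholds are constructed assumptions.

```python
"""Parse a W3C extended-format firewall log (the pfirewall.log layout
described above) and flag scan-like bursts of dropped connections.

Added example, not part of the original text. The field names, sample
lines and thresholds are constructed/assumed, not taken from a real host."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in W3C extended log format: the header directives
# name the columns, the body holds one packet record per line, and
# '-' marks an empty field.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-05-12 10:00:01 OPEN TCP 192.168.1.10 10.0.0.5 1045 80 - -
2003-05-12 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 3345 21 48 S
2003-05-12 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 3346 23 48 S
2003-05-12 10:00:03 DROP TCP 203.0.113.7 192.168.1.10 3347 80 48 S
2003-05-12 10:00:03 DROP TCP 203.0.113.7 192.168.1.10 3348 139 48 S
2003-05-12 10:00:04 DROP TCP 203.0.113.7 192.168.1.10 3349 445 48 S
2003-05-12 10:00:04 DROP TCP 203.0.113.7 192.168.1.10 3350 3389 48 S
2003-05-12 10:05:00 DROP UDP 198.51.100.9 192.168.1.10 5353 137 78 -
2003-05-12 10:06:00 CLOSE TCP 192.168.1.10 10.0.0.5 1045 80 - -
"""


def parse_w3c_log(text):
    """Yield one dict per record, keyed by the names in the #Fields line.

    Works for any W3C extended log (IIS W3SVC logs use the same layout),
    because the column names are read from the header, not hard-coded.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Version, #Software, ...) carry no records
        if fields is None:
            raise ValueError("record found before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line, e.g. written while the log was rotated
        record = dict(zip(fields, values))
        record["_ts"] = datetime.strptime(
            record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")
        yield record


def dropped_by_source(records):
    """Count DROP records per source address (the 'discarded packets' class)."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "DROP":
            counts[r["src-ip"]] += 1
    return dict(counts)


def find_scan_sources(records, min_ports=5, window_seconds=60):
    """Return sources whose dropped packets hit >= min_ports distinct
    destination ports within window_seconds: the 'continuous and repeated
    port connection requests' sign of a port scan."""
    hits = defaultdict(list)  # per source: (timestamp, dst-port) of dropped packets
    for r in records:
        if r["action"] == "DROP":
            hits[r["src-ip"]].append((r["_ts"], r["dst-port"]))
    suspects = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                suspects[src] = sorted(ports, key=int)
                break
    return suspects


if __name__ == "__main__":
    recs = list(parse_w3c_log(SAMPLE_LOG))
    print("dropped per source:", dropped_by_source(recs))
    print("scan suspects:", find_scan_sources(recs))
```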

2. Attack signs

When intruders use various programs to attack the system, the system may report abnormal conditions and produce related files (the usual handling method of an IDS). When the intruder succeeds, the system is always left with more or less traces of damage and abnormal access, from which it should be recognised that the system may have been compromised.

3. Signs of DoS or DDoS attacks

This is a common attack method used by intruders at present, so when system performance suddenly drops seriously or the system stops working completely, we should immediately realise that it may be under a denial of service attack. The general signs are CPU utilisation close to or above 90%, slow network traffic, blue screens and frequent restarts.

7.3.2 Reasonable use of system logs for intrusion detection

The function and importance of the system log have been explained in the sections above. However, although the log that comes with the system can tell us everything that happens in the system, the records grow too fast, so an unmanaged log ends up merely wasting a great deal of disk space; the log cannot simply be left to grow indefinitely. Reasonable and standardised log management is the right way to use logs. Experienced system administrators use log auditing tools and log filtering tools to solve this problem.

In order to make full use of log files, it is necessary to make a management plan first.

1. Specify what each log is for.

2. Develop triggers that can obtain the details of these records.

7.3.3 An excellent log management software

In order to quickly find intrusion information among numerous log files, it is necessary to use professional log management tools. Surfstats Log Analyzer 4.6 is such a tool. With it, the network administrator can clearly analyse the "log" file and see the current state of the website, and from the software's "report" can see how many people have visited your website, where they come from, and which search terms are most used, thus helping you understand the website's situation accurately.

The main functions of the software are:

1. Integrates query and output functions, and can output results regularly via screen, file, FTP or e-mail;

2. More than 30 kinds of summary information can be provided;

3. It can automatically detect file formats and supports many common log file formats, such as the W3C extended log format of MS IIS;

4. It adds analysis reports on authenticated users for "password protected" directories;

5. Analysis can be done by hour, week and month;

6. The DNS database stores resolved IP addresses;

7. Different backgrounds, fonts and colours can be set for each analysis chart.

There are many ways to find intrusion traces; an IDS, for example, can do this well. In the next section we explain intrusion detection systems in detail.

7.4 Do a good job in system intrusion detection

7.4.1 What is an intrusion detection system?

With more and more people in close contact with the network, passive defence can no longer guarantee the security of a system. In view of the growing number of network intrusions, we need a tool that helps the firewall nip attacks in the bud. Such a tool must judge and record potential intrusions in real time; it can resist network intrusions to a certain extent, extend the security management ability of system administrators and ensure the absolute security of the system. It greatly enhances the preventive capability of the system: once an intrusion has been confirmed, it can automatically cut off the network connection and protect the absolute security of the host. Under these circumstances the Intrusion Detection System (IDS) came into being. An intrusion detection system is a network security product developed from years of research on network security prevention technology and hacker intrusion technology.

It can monitor network traffic in real time, automatically detect suspicious behaviour, analyse intrusion signals from outside the network and illegal activities from inside, issue warnings before the system is harmed, respond to attacks in real time, and provide remedial measures to ensure system security to the greatest extent.

Nestle watch

This is log management software running on Windows NT. It can import log files from servers and firewalls and provide reports to system administrators in HTML format.

7.4.2 Difference between Intrusion Detection System and Log

The system's own log function automatically records the actions of intruders, but it cannot analyse and record intrusion signs well, and cannot accurately distinguish normal service requests from malicious intrusion behaviour. For example, when an intruder scans a host for CGI vulnerabilities, the analysis data that the system security log can offer the administrator is pitifully small and almost useless, and the ever-growing size of the security log file itself makes it hard for the administrator to use tools to find the traces left by an attack in a short time. An intrusion detection system can do this completely. Using the report data provided by the intrusion detection system, the system administrator will easily learn of intruders' attempts and take preventive measures in time.

7.4.3 Classification of Intrusion Detection System

At present, intrusion detection systems can be divided into four categories according to their functions:

1. System integrity check system (SIV)

SIV can automatically judge whether the system has been attacked by hackers, check whether system files have been changed by intruders and whether a back door has been left (planted by hackers for their next visit to the host), and monitor activities aimed at the system (user commands, login/logout processes, data used, etc.). This kind of software is generally controlled by the system administrator.

2. Network Intrusion Detection System (NIDS)

NIDS inspects network packets in real time and promptly finds out whether there are signs of hackers scanning ports. It monitors events on the computer network and then analyses them for security, to judge whether an intrusion is being attempted. A distributed IDS monitors the whole network and host environment through sensors or agents distributed at each node, and a central monitoring platform collects information from each node to monitor the data flow and intrusion attempts in the network.

3. Log Analysis System (LFM)

The log analysis system is very important for the system administrator's security precautions, because the log records everything that happens in the system every day, and users can trace the causes of errors or the traces left by attackers through the log records. The main functions of a log analysis system are auditing and monitoring, tracking intruders, and so on. Because of the huge number of records, log files force system administrators to use professional tools to analyse the logs or alarm files. This is where the log analysis system comes in: it helps the administrator obtain useful information from the log, so that the necessary measures can be taken against the threat of attack.

4. Deception system

Ordinary system administrators can only predict and identify intruders' attacks, but cannot fight back. A Deception System (DS), however, can help system administrators pave the way for a counterattack. A deception system deceives intruders by simulating certain system vulnerabilities. When the system administrator has obtained, by some means, signs of an attempted intrusion, good results can be achieved with a deception system. For example, rename the administrator account on NT, and then set up a fake account without privileges for hackers to attack. While the intruder is being deceived, the administrator learns his every move and his skill level.

7.4.4 Detection Steps of Intrusion Detection System

Intrusion detection systems usually use signature-based detection and anomaly detection. Before judging whether the system has been compromised, the intrusion detection system first needs to collect information, often from many sides: for example, scanning the network or host for security holes, looking for attempts to use the network or host system without authorisation, and judging from several aspects whether there is an intrusion.

The detection system then checks the network log files, because hackers easily leave clues in the log file, so the network log information is often the main means by which system administrators detect an intrusion. After gaining administrative control of the system, a hacker's favourite thing to do is to destroy or modify system files. Here SIV quickly checks whether there are signs of abnormal changes in the system, so as to judge the severity of the intrusion. The running state of the system is also compared with the effects produced by common intrusion programs, so as to find out whether it has been compromised. For example, after a DDoS attack, system performance degrades seriously in a short time, and the detection system can judge from this that the system is under attack.

An intrusion detection system can also use system commands to check whether the system itself has been attacked. When enough information has been collected, the intrusion detection system automatically matches it against the known intrusion patterns and parameters stored in its own database. The detection accuracy is quite high, but it has the inconvenience that the database must be upgraded constantly; otherwise it cannot keep pace with the intrusion tools of the Internet age. The real-time protection function of intrusion detection is very powerful. As an "active prevention" technology, the detection system can quickly provide real-time protection against system attacks, network attacks and user mistakes, intercept an intrusion attempt as soon as it is predicted, and remind administrators to take precautions.

7.4.5 Steps after discovering that the system has been invaded

1. Find out how the intruder got into the system carefully and try to plug this security hole.

2. Check whether all system directories and files have been tampered with and repair them as soon as possible.

3. Change some of the passwords in the system, to prevent the weakness created by brute-force password cracking from recurring.

7.4.6 Introduction of Common Intrusion Detection Tools

1. NetProwler

As a world-class manufacturer of Internet security technology, Symantec's products cover all aspects of network security, especially security vulnerability detection, intrusion detection, Internet content/e-mail filtering, remote management technology and security services. Symantec's advanced technology is amazing! NetProwler is a tool developed by Symantec for network-based intrusion detection. NetProwler adopts the advanced patented Stateful Dynamic Signature Inspection (SDSI) technology, which lets users design their own attack definitions. Even the most complex attacks can be defined through its intuitive attack definition interface.

(1) NetProwler architecture

NetProwler has a multi-layer architecture consisting of three parts: agent, console and manager. Agents are responsible for monitoring network packets on their own network segments and sending detected attacks and all related data to the manager; they are configured at installation according to the enterprise's network structure and security policy. The console is responsible for collecting information from the agents and displaying information about attacks, so that you can configure and manage the agents belonging to the manager. The manager responds to configuration and attack warning information, executes commands issued by the console, and forwards attack warnings issued by the agents to the console.

When NetProwler detects an attack, it immediately records the attack event, disconnects the network connection, creates a report, notifies the system administrator by file or e-mail, and finally notifies the host intrusion detection manager and console of the event.

(2) NetProwler detection technology

NetProwler adopts the patented SDSI (Stateful Dynamic Signature Inspection) intrusion detection technology. In this design, each attack signature is a small instruction set, executed by the SDSI virtual processor using cache entries that describe the current user state and the packets currently received from the network. Each monitored network server has a small set of related attack signatures, established according to the role of the server and the applications it supports. Being stateful, it can effectively analyse and record complex events by comparing context across the monitored network traffic.

The workflow of NetProwler based on SDSI technology is as follows:

Step 1: The SDSI virtual processor obtains the current data packet from the network data;

Step 2: The obtained data packet is placed in the state buffer belonging to the current user or application session;

Step 3: Attack signatures are executed from a signature buffer specially designed to optimise server performance;

Step 4: When an attack is detected, the processor immediately triggers the response module to carry out the corresponding response measures.
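The four-step SDSI workflow above, as an added illustration that is not Symantec's code: a per-session state buffer, signatures expressed as ordered steps that must match within one session, and a response module triggered only on a complete match (so a single packet from the sequence does not fire). Packet contents, signature names and the time windows are constructed assumptions.

```python
"""Toy stateful signature engine modelled on the SDSI workflow above:
packets are placed in a per-session state buffer, signatures are lists
of steps evaluated against that state, and a completed match triggers
the response module. Added illustration, not Symantec's code; packets
and signature contents are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    ts: float          # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    steps: List[Callable[[Packet], bool]]  # must match in order within one session
    window: float                           # seconds allowed from first to last step


@dataclass
class SessionState:
    # signature name -> (index of next step to match, time the first step matched)
    progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)


class StatefulInspector:
    def __init__(self, signatures):
        self.signatures = signatures
        self.sessions: Dict[Tuple[str, str, int], SessionState] = {}
        self.alerts: List[Tuple[str, Tuple[str, str, int]]] = []

    def inspect(self, pkt):
        """Steps 1-4: fetch packet, buffer it per session, run each
        signature's next step, and return the response ('block' or 'pass')."""
        key = (pkt.src, pkt.dst, pkt.dport)               # session = (src, dst, service)
        state = self.sessions.setdefault(key, SessionState())
        response = "pass"
        for sig in self.signatures:
            idx, t0 = state.progress.get(sig.name, (0, 0.0))
            if idx == 0 or pkt.ts - t0 > sig.window:      # start over if idle or too slow
                idx, t0 = 0, pkt.ts
            if sig.steps[idx](pkt):
                idx += 1
                if idx == len(sig.steps):                 # sequence complete: respond
                    self.alerts.append((sig.name, key))
                    response = "block"
                    idx, t0 = 0, pkt.ts
            state.progress[sig.name] = (idx, t0)
        return response


def demo():
    """Constructed traffic: one client sends three PASS commands in one FTP
    session (password guessing), another session sends only one, and a
    single HTTP request probes /cgi-bin/."""
    sigs = [
        Signature("ftp-password-guessing",
                  [lambda p: p.payload.upper().startswith(b"PASS ")] * 3, window=30.0),
        Signature("http-cgi-probe",
                  [lambda p: p.dport == 80 and b"/cgi-bin/" in p.payload], window=1.0),
    ]
    insp = StatefulInspector(sigs)
    pkts = [
        Packet(0.0, "203.0.113.7", "192.168.1.10", 21, b"USER admin\r\n"),
        Packet(1.0, "203.0.113.7", "192.168.1.10", 21, b"PASS 123456\r\n"),
        Packet(2.0, "203.0.113.7", "192.168.1.10", 21, b"PASS letmein\r\n"),
        Packet(3.0, "198.51.100.9", "192.168.1.10", 21, b"PASS secret\r\n"),  # other session
        Packet(4.0, "203.0.113.7", "192.168.1.10", 21, b"PASS password\r\n"),
        Packet(5.0, "203.0.113.7", "192.168.1.10", 80, b"GET /cgi-bin/test-cgi HTTP/1.0\r\n"),
    ]
    return [insp.inspect(p) for p in pkts], insp.alerts


if __name__ == "__main__":
    print(demo())
```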

(3) NetProwler working mode

Because it is a network-based IDS, the data acquisition part of NetProwler (that is, the agent) can be connected in several different ways depending on the network structure: if the network segment is connected through a bus-based hub, it can simply be connected to a port of the hub.

(4) System installation requirements

Users install the NetProwler agent on a dedicated Windows NT workstation. If NetProwler and other applications run on the same host, the performance of both will be seriously affected. A network intrusion detection system consumes a lot of resources, so the manufacturer generally recommends a dedicated system for running the detection engine, with 128 MB of RAM and an Intel Pentium II or Pentium processor running at 400 MHz.