[Part 1][summary] Data

1. Take, for example, a password-guessing attack against SSH: the victim's SSH log file records ample evidence that the attack took place, but it cannot always tell us about the attacker's other behaviour (for instance, whether a long-lived session was successfully established). Network traffic analysis, conversely, cannot let us reconstruct the session, but it can give us evidence of that other behaviour, such as a session being successfully set up.

The following, quoted from https://www.imzcy.cn/1274.html, shows the format of the SSH log file.
1) Meaning of the fields on each line:
month day hh:mm:ss server-hostname program (sshd or su) module details

2) Log of a normal SSH login to the server

Aug 8 02:20:09 imzcy sshd[18936]: Accepted password for root from 192.168.217.10 port 57516 ssh2
Aug 8 02:20:09 imzcy sshd[18936]: pam_unix(sshd:session): session opened for user root by (uid=0)

3) Log of logging out after a normal login

Aug 8 02:01:38 imzcy sshd[18252]: pam_unix(sshd:session): session closed for user root

4) Log of switching to another user

Aug 8 02:20:54 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:21:06 imzcy su: pam_unix(su-l:session): session closed for user zcy

5) Logging in as root, switching to user zcy, then closing the connection window directly from zcy

Aug 8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug 8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 02:38:13 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:38:27 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug 8 02:38:27 imzcy sshd[19167]: pam_unix(sshd:session): session closed for user root

6) Connecting to the server and cancelling when prompted for the password

Aug 8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.

7) Password entered incorrectly

Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2

8) Too many incorrect password attempts

Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:06 imzcy last message repeated 3 times
Aug 8 02:34:13 imzcy last message repeated 2 times
Aug 8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug 8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
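As an added example (not from the book being summarised nor from the quoted blog), here is a small Python parser that turns sshd lines like those above into per-source evidence an analyst can act on: it counts "Failed password" attempts, expands syslog's "last message repeated N times" compression, cross-checks that count against pam_unix's own failure summary, and records whether a session was later opened for the same source, which is exactly the "did the guessing end in a login?" question point 1 raises. The sample log is constructed from the case 8 entries followed by the case 2 login entries, as if the same host had later logged in successfully; the thresholds and field names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): the eight entries from case 8 above, followed by
# the two entries from case 2, as if the same source host later logged in successfully.
SAMPLE_LOG = """\
Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:06 imzcy last message repeated 3 times
Aug 8 02:34:13 imzcy last message repeated 2 times
Aug 8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug 8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
Aug 8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug 8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d"
# syslog's compression of identical consecutive lines; it carries no program/pid field
REPEATED = re.compile(rf"^{TS} \S+ last message repeated (?P<n>\d+) times$")
# classic syslog header: "Mon D HH:MM:SS host prog[pid]: message" (pid is optional, e.g. for su)
HEADER = re.compile(rf"^(?P<ts>{TS}) (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd / pam_unix message bodies of the kinds shown in the cases above
FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
PAM_FAIL = re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.* rhost=(?P<ip>\S+) user=(?P<user>\S+)")
PAM_MORE = re.compile(r"^PAM (?P<n>\d+) more authentication failures?;.* rhost=(?P<ip>\S+) user=(?P<user>\S+)")
TOO_MANY = re.compile(r"^Disconnecting: Too many authentication failures for (?P<user>\S+)")
SESSION_OPEN = re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")


def new_stats():
    return {"failed_password": 0, "pam_failures": 0, "lockouts": 0,
            "accepted": 0, "sessions_opened": 0}


def summarize(log_text):
    """Aggregate sshd evidence per (source ip, target user) key."""
    stats = defaultdict(new_stats)
    last_failed = None        # key of the immediately preceding 'Failed password' line
    last_failed_by_user = {}  # user -> key, to attribute 'Too many ... for <user>' (that line has no ip)
    pid_to_key = {}           # sshd pid of an 'Accepted' line -> key, to attribute 'session opened'
    for raw in log_text.splitlines():
        m = REPEATED.match(raw)
        if m:
            # syslog suppressed N identical copies of the previous line; count them
            # only when that previous line was a 'Failed password'
            if last_failed is not None:
                stats[last_failed]["failed_password"] += int(m["n"])
            continue
        h = HEADER.match(raw)
        if h is None:
            continue
        msg, pid = h["msg"], h["pid"]
        last_failed = None
        if (m := FAILED.match(msg)):
            key = (m["ip"], m["user"])
            stats[key]["failed_password"] += 1
            last_failed = key
            last_failed_by_user[m["user"]] = key
        elif (m := PAM_FAIL.match(msg)):
            stats[(m["ip"], m["user"])]["pam_failures"] += 1
        elif (m := PAM_MORE.match(msg)):
            # pam_unix logs only the first failure individually and summarises the rest here
            stats[(m["ip"], m["user"])]["pam_failures"] += int(m["n"])
        elif (m := TOO_MANY.match(msg)):
            if m["user"] in last_failed_by_user:
                stats[last_failed_by_user[m["user"]]]["lockouts"] += 1
        elif (m := ACCEPTED.match(msg)):
            key = (m["ip"], m["user"])
            stats[key]["accepted"] += 1
            pid_to_key[pid] = key
        elif (m := SESSION_OPEN.match(msg)) and pid in pid_to_key:
            # the session line carries no ip; tie it to the Accepted line of the same sshd pid
            stats[pid_to_key[pid]]["sessions_opened"] += 1
    return dict(stats)


def triage(stats, threshold=3):
    """Return (key, verdict) for every source whose failed attempts reach the threshold."""
    findings = []
    for key, s in sorted(stats.items()):
        if s["failed_password"] >= threshold:
            verdict = ("guessing followed by an opened session" if s["sessions_opened"]
                       else "guessing, no session opened")
            findings.append((key, verdict))
    return findings


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, s in result.items():
        print(key, s)
    for key, verdict in triage(result):
        print(key, "->", verdict)
```

Two independent counts fall out of the sample: sshd's "Failed password" lines plus the syslog repeat lines give 1 + 3 + 2 + 1 = 7, and pam_unix's first "authentication failure" line plus its "6 more" summary also give 7, matching sshd's own "7 > 3". When the two disagree, syslog repeat compression (which applies to any repeated line, not just failures) or a dropped line is the first thing to check. The "session opened" line is tied to the "Accepted" line of the same sshd pid because it carries no source address of its own; that is the log-side evidence of the successful session that point 1 says traffic analysis would otherwise have to supply.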

2. Collecting data is the easy part; the real difficulty is that we often do not know what data we need to collect. In security, what we should focus on are the threats that actually exist. Attack behaviour is common, genuine security threats are rare: most network traffic is harmless and highly repetitive. Attack traffic is scattered through it, mostly sent automatically and fairly crude (blatant), and only a small fraction of that attack traffic represents a real security threat.

3. On handling large volumes of data: security threats are rare phenomena mined out of a mass of data (relative to the whole traffic, threats are a very small part of it), so I/O accounts for almost all of the cost of security analysis. For example, a single OC-3 link can produce 5 TB of data per day, while an eSATA disk reads 0.3 GB per second, so just reading that data once takes several hours. Moreover, the data we collect is likely to come from multiple sources, which inevitably introduces redundancy, and that redundant data further increases the load and lengthens processing time.

4. A good storage and query system can always answer an analyst's arbitrary query within a reasonable time, whereas in a poor system the cost of querying always exceeds the cost of storing and collecting the data. Understanding how the various sensors work, how they are deployed and what interfaces they expose is directly tied to how well the system ultimately performs.
