New book "Unix/Linux Log Analysis and Traffic Monitoring" is coming soon
The new book "Unix/Linux Log Analysis and Traffic Monitoring", a 0.75 million-word work written over three years, was approved by the publishing house today and will be published soon. It gives a comprehensive and systematic treatment of the logs of various Unix/Linux systems and network services from a network security perspective, starting with the collection and analysis of raw system logs (RawLog) and moving step by step into log auditing and the forensics process. The book presents multiple cases, each of which describes in a vivid narrative style a network intrusion and the administrators' forensics and recovery process; the story-driven case analysis lets readers test their own emergency response and computer forensics skills. The book looks at logs, scripts and other information from the perspective of an O&M engineer handling system and network faults, and focuses on delivering solutions to readers; it also demonstrates the use and deployment of several open-source security tools and aims to give IT practitioners a positive boost. It takes Unix/Linux as its main platform, open-source software as its main analysis tool and enterprise network security O&M as its setting. The selected cases cover the typical attack types seen in today's network applications, such as DDoS, malicious code, web application attacks, wireless network attacks and SQL injection. Each story first lays out all the evidence of the security event (including log files, topology maps and device configuration files) and raises questions to guide the reader in analysing the cause of the intrusion; then I go through the case analysis in depth and use detailed evidence to explain the intrusion process from beginning to end. At the end of each case I propose preventive and remedial measures.
The biggest highlight of this book is showing how to use the open-source OSSIM system to dig deeply into network security problems. More than 20 complete cases were selected to share with readers (the more stars a case carries, the harder it is); they are genuinely practical material and have great reference value for raising the level of network maintenance and event analysis skills. If you care about network security, the cases in this book will surely resonate with you. The book is suitable as a reference for experienced network engineers, system administrators and information security staff. The previously published best-seller "Linux Enterprise Application Case Analysis" (released in the spring of 2014) is the companion volume to this log case analysis; the present book gives a deeper, multi-angle explanation of the Unix/Linux system and network problems that enterprises care about most. It shares the experience and joy of operating and maintaining Unix/Linux systems over the past 10 years. The book's three parts are as follows:

Part 1 Log Analysis Basics
Chapter 1 Network log acquisition and analysis
1.1 Network environment log classification
1.1.1 UNIX/Linux system logs
1.1.2 Windows logs
1.1.3 Windows system logs
1.1.4 Network device logs
1.1.5 Application system logs
1.2 Web log analysis
1.2.1 Access log recording process
1.2.2 Apache access log functions
1.2.3 Location of the access log
1.2.4 Access log format analysis
1.2.5 HTTP return status codes
1.2.6 Recording Apache virtual host logs
1.2.7 Web log statistics example
Apache error log analysis
1.2.7 Log rotation
1.2.8 Tips for clearing logs
1.2.9 Linux Apache log location
1.2.10 Nginx logs
1.2.11 Tomcat logs
1.2.12 Common Apache log analysis tools
1.3 FTP server log parsing
1.3.1 Analyzing vsftpd.log and xferlog
1.3.2 Impact of Chinese characters on vsftpd logs
1.3.3 Using LogParser to analyze FTP logs
1.4 Using LogParser to analyze Windows system logs
1.4.1 LogParser overview
1.4.3 Installation and application case
1.4.5 Graphical analysis output
1.5 Squid service log analysis
1.5.2 Typical Squid access log analysis
1.5.3 Squid timestamp conversion
1.5.4 Squid log location
1.5.5 Graphical log analysis tool
1.5.6 Other UNIX/Linux Squid locations
1.6 NFS service log analysis
1.6.1 Linux NFS logs
1.6.2 Solaris NFS server logs
1.7 iptables log analysis
1.7.1 Log format problems
1.8 Samba log audit
1.8.1 Samba default logs
1.8.2 Samba audit
1.9 DNS log analysis
1.9.1 DNS log location
1.9.2 DNS log levels
1.9.3 DNS query request log example explained
1.9.4 DNS analysis tool: DNStop
1.10 DHCP server logs
1.11 Mail server logs
1.12 Dual-machine system logs
1.12.1 Heartbeat logs
1.12.2 Log information on the slave node
1.12.3 Log splitting
1.13 Other UNIX system log analysis GUI tools
1.13.1 Using SMC to analyze system logs
1.13.2 Mac OS X GUI log query tool
1.14 Summary analysis of server crash logs
1.15 Visual log analysis tools
1.15.1 Color log tool: CCZE
1.15.2 Dynamic log viewing tool: Logstalgia
1.15.3 3D log display tool: Gource
1.15.4 Using AWStats to monitor website traffic

Chapter 2 UNIX/Linux system forensics
2.1 Common IP tracing methods
2.1.1 IP tracing tools and technologies
2.1.2 DoS/DDoS attack source tracing ideas
2.2 Important
2.2.1 Collecting running processes
2.2.2 Collecting /proc system information
2.2.3 UNIX file storage and deletion
2.2.4 Hard disk evidence collection method
2.2.5 Collecting evidence from the image file system
2.2.6 Using ddrescue to recover data
2.2.7 Viewing details
2.2.8 Collecting hidden directories and files
2.2.9 Checking executable files
2.3 Common search tools
2.3.1 Special file processing
2.3.2 The Coroner's Toolkit (TCT)
2.3.3 Forensix toolkit
2.4 Introduction to integrated forensics toolkits
2.4.1 Using a CD system for forensics
2.4.2 Screen recording forensics method
2.5 Case study 1: What is a Flash Segmentation Fault? (Difficulty: ★★★)
    Event background; Interactive Q&A; Difficult analysis; Prevention measures
2.6 Case study 2: Who moved my film (Difficulty: ★★★★★)
    Event background; Forensic analysis; Interactive Q&A; Suspicious analysis; Difficult analysis; Preventive measures

Chapter 3 Establishing a log analysis system
3.1 Log collection basics
3.1.1 Syslog protocol
3.1.2 Events recorded by syslog
3.1.3 syslog.conf configuration file details
3.1.4 Syslog operation
3.1.5 Syslog security vulnerabilities
3.1.6 rsyslog
3.1.7 syslog-ng
3.2 Time synchronization
3.2.1 Basic concepts
3.2.2 Identifying forged time information in logs
3.2.3 Synchronization method
3.3 Network device log analysis and examples
3.3.1 Router log analysis
3.3.2 Switch log analysis
3.3.3 Firewall log analysis
3.3.4 Identifying ARP viruses through logs
3.4 Top ten problems in selecting a log management system
3.5 Using log management tools more easily
3.5.1 Deployment of the log host system
3.5.2 Log analysis and monitoring
3.5.3 Using EventLog Analyzer to analyze network logs
3.5.4 Analysis of firewall logs
3.6 Using Sawmill to build the log platform
3.6.1 System introduction
3.6.2 Deployment notes
3.6.3 Installation example
3.6.4 Network intrusion monitoring
3.7 Using Splunk to analyze logs
3.7.1 Splunk introduction
3.7.2 Splunk installation
3.7.3 Setting automatic startup
3.7.4 System configuration
3.7.5 Setting the log analysis directory

Part 2 Log Practice Case Analysis

Chapter 4 DNS system fault analysis
4.1 Case study 3: DNS failure (Difficulty: ★★★★)
    Event background; Interactive Q&A; Forensic analysis; Q&A; Preventive measures
4.2 DNS vulnerability scanning methods
4.2.1 DNS key technologies
4.2.2 Checking tools
4.3 DNSFloodDetector makes DNS more secure
4.3.1 Threats to DNS in Linux
4.3.2 BIND vulnerabilities
4.3.3 DNS management
4.3.4 Protection against DNS flood attacks

Chapter 5 DoS attack defense analysis
5.1 Case study 4: The website suffered DoS attacks (Difficulty: ★★★)
    Event background; Troubleshooting measures; Case summary
5.2 Case study 5: The "too busy" firewall (Difficulty: ★★★★)
    Event background; Interactive Q&A; Investigation and analysis; Q&A

Chapter 6 UNIX backdoor and overflow case analysis
6.1 How to prevent rootkit attacks
6.1.1 Understanding rootkits
6.1.2 Rootkit types
6.2 Rootkit prevention tools
6.2.1 Using chkrootkit
6.2.2 Rootkit Hunter tool
6.3 Installing LIDS and its main functions
6.3.2 Configuring LIDS
6.3.3 Using the lidsadm tool
6.3.4 Using LIDS to protect the system
6.4 Installing and configuring AIDE
6.4.1 Installing AIDE
6.4.2 Using AIDE to reinforce the OSSIM platform
6.5 Installing and configuring Nabou
6.5.1 Nabou functions and principles
6.5.2 Creating a pair of RSA keys
6.5.3 Initializing the database
6.5.4 Enabling LIDS
6.5.5 Nabou database maintenance
6.5.6 Nabou application example
6.5.7 Nabou applicability
6.6 Case study 6: Solaris abnormal backdoor (Difficulty: ★★★★★)
    Intrusion background; Prevention measures
6.7 Case study 7: Encountering overflow attacks (Difficulty: ★★★★★)
    Event background; Log analysis; Case decoding; Prevention measures
6.8 Case study 8: True and false root accounts (Difficulty: ★★★★)
    Event background; Forensic analysis; Interactive Q&A; Q&A; Preventive measures
6.9 Case study 9: Rootkit (Difficulty: ★★★★★)
    Event background; Interactive Q&A; Event analysis; Preventive measures

Chapter 7 UNIX system prevention cases
7.1 Case study 10: After a webpage is tampered with (Difficulty: ★★★★)
    Event background; Interactive Q&A; Intrusion event analysis; Troubleshooting; Protection measures; Web vulnerability scanning tool: Nikto
7.2 Case 11: UNIX bug catching (Difficulty: ★★★★★)
    Event background; Forensic analysis; Interactive Q&A; Intrusion resolution; Prevention measures
7.3 Case study 12: Leaked layoff list (Difficulty: ★★★★)
    Event background; Forensic analysis; Interactive Q&A; Q&A; Preventive measures

Chapter 8 SQL injection protection case analysis
8.1 Case 13: Back-end database hit by SQL injection (Difficulty: ★★★★)
    Case background; Analysis process; Prevention and remedy
8.2 Case study 14: Careless programmers: SQL injection (Difficulty: ★★★★)
    Event background; Interactive Q&A; Analysis and evidence collection; Q&A; Prevention measures
8.3 OSSIM monitoring of SQL injection
8.3.2 OSSIM detection of SQL injection
OSSIM Snort rules
8.4 LAMP website SQL injection prevention
8.4.1 Server-side security configuration
8.4.2 PHP code security configuration
8.4.3 Writing secure PHP code
8.5 Detecting and preventing SQL injection through logs
8.5.1 Discovering SQL attacks in web access logs
8.5.2 Using Visual LogParser to analyze logs

Chapter 9 Remote connection security cases
9.1 Case 15: Hardening the SSH server (Difficulty: ★★★)
    Event background; Reinforcing the SSH server; Implementing SSH login failure alarms through OSSIM; Preventive measures
9.2 Case study 16: An innocent stepping stone
    Event background; Prevention measures

Chapter 10 Snort system deployment and application cases
10.1 Snort system principles
10.2 Snort installation and maintenance
10.1.1 Preparation
10.1.2 In-depth understanding of Snort
10.1.3 Installing Snort
10.1.4 Shortcomings
10.2 Snort log analysis
10.2.1 Text-based format
10.2.2 Typical attack log information; deploying probes
10.2.3 Log analysis tools
10.3 Snort rule analysis
10.3.2 Writing Snort rules
10.4 OSSIM-based WIDS system
10.4.1 Installing wireless NICs
10.4.2 Setting up an OSSIM wireless sensor
10.5 Case study: The IDS system suffers an IP fragment attack (Difficulty: ★★★★)
    Event background; Difficult issues; Interactive Q&A
10.5.1 Defense and handling ideas
10.5.2 Snort + iptables linkage
10.5.3 IP fragment attack prevention
10.5.4 Evaluating NIDS tools
10.5.5 Differences between IDS systems and network sniffers
10.6 Case 18: Uninvited guests (Difficulty: ★★★★)
    Event background; Interactive Q&A; Forensic analysis; Troubleshooting; Preventive measures

Chapter 11 WLAN case analysis
11.1 WLAN security vulnerabilities and threats
11.2 Case study 19: Wireless network attacks (Difficulty: ★★★★)
    Event background; Interactive Q&A; Doubt resolution; Prevention measures
11.2.2 Collecting WiFi Internet access logs
11.2.3 Using open-source NAC to prevent unauthorized network access
11.2.4 Hidden risks of BYOD in enterprises
11.3 Case study 20: "Uninvited guests" in a wireless venue (Difficulty: ★★★★)
    Event background; Forensic analysis

Chapter 12 Data encryption and decryption cases
12.1 GPG overview
12.1.1 Creating keys
12.1.2 Importing keys
12.1.3 Encrypting and decrypting
12.1.4 Signing and verifying
12.2 Case study 21: The "mysterious" encrypted fingerprint (Difficulty: ★★★)
    Event background; Difficult issues; Case decoding; Analysis of the attack process; Q&A; Prevention measures

Part 3 Network Traffic and Log Monitoring

Chapter 13 Network traffic monitoring
13.1 Key technologies of network listening
13.1.1 Network listening
13.1.2 Shortcomings of the SNMP protocol
13.1.3 Key listening technologies
13.1.4 Differences between NetFlow and sFlow
13.1.5 Protocol and application recognition
13.1.6 Limitations of data stream collection technology
13.1.7 SPAN
13.2 Using NetFlow to analyze abnormal network traffic
13.2.1 NetFlow cache management
13.2.2 NetFlow output format
13.2.3 NetFlow sampling mechanism
13.2.4 NetFlow performance impact
13.2.5 NetFlow application: monitoring servers for worm activity
13.4 Application layer packet decoding
13.4.1 Overview
13.4.2 System architecture
13.4.3 Xplico data acquisition method
13.4.4 Xplico deployment
13.4.5 Application examples
13.5 Network sniffer detection and prevention
13.5.1 Sniffer detection
13.5.2 Prevention of network sniffing

Chapter 14 OSSIM comprehensive application
14.1 The emergence of OSSIM
14.1.1 Overview
14.1.2 From SIM to OSSIM
14.1.3 Security Information and Event Management (SIEM)
14.2 OSSIM architecture and principles
14.2.1 Architecture
14.2.2 Agent event types
14.2.3 RRD drawing engine
14.2.4 OSSIM workflow analysis
14.3 Deploying OSSIM
14.3.1 Preparation: server selection
14.3.3 Distributed OSSIM system probe layout
System installation steps
14.4 OSSIM installation and follow-up work
14.4.1 Time synchronization problem
14.4.2 System upgrade
14.4.3 Firewall configuration
14.4.4 Database access
14.4.5 Synchronizing OpenVAS plug-ins
14.4.6 Installing remote management tools
14.4.7 Installing X Window
14.5 Using the OSSIM system
14.5.1 Getting familiar with the main interface
Event console
14.6 Risk assessment method
OSSIM system risk measurement method
14.7 OSSIM association analysis technology
14.7.1 Association analysis: generic association detection rules
14.8 OSSIM log management platform
14.8.1 Overview of the OSSIM log processing flow
Collecting Windows logs through WMI
14.8.4 Configuration differences between memory and WMI
14.9 Installation
14.10 OSSIM traffic monitoring tool applications
14.10.1 Traffic monitoring filters
14.10.3 Traffic analysis
14.10.4 Network weather map
14.10.5 Configuring monitoring
14.10.7 Integrating with third-party monitoring software
14.11 Detecting shellcode attacks
14.12 OSSIM application in asset management
14.13 OSSIM application in worm prevention
14.14 Monitoring shellcode
14.15 Vulnerability scanning applications
14.15.1 Vulnerability assessment method
14.15.2 Detailed description of the vulnerability library
14.16 Scanning with OpenVAS
14.16.1 Distributed vulnerability scanning
14.17 Metasploit penetration testing and Nessus linkage analysis
14.18 Common OSSIM deployment and application Q&A
Appendix A Distributed honeypot system deployment
Appendix B Monitoring software comparison
Appendix C Full-text index

In more than 1,000 days and nights of writing this book, I wrote at home every day apart from work. I recalled my past experiences, sorted out my recent notes, and began my creation. Night is the most efficient time for my inspiration and writing; no one disturbs you then, and you can devote yourself fully to it. I'm afraid only I can understand the hardships of writing. I hope that the security log analysis in this book can enlighten those engaged in security O&M.