IDS Log Analysis

Source: Internet
Author: User

General Approach

1. Identify which log sources and automated tools you can use during the analysis.
2. Copy log records to a single location where you will be able to review them.
3. Minimize "noise" by removing routine, repetitive log entries from view after confirming that they are benign.
4. Determine whether you can rely on the logs' time stamps; consider time zone differences.
5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
6. Go backwards in time from now to reconstruct actions after and before the incident.
7. Correlate activities across different logs to get a comprehensive picture.
8. Develop theories about what occurred; choose logs to confirm or disprove them.
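
Steps 2, 3, 4 and 7 of the method above, as an added Python example that is not part of the original checklist. The two log excerpts are constructed: a Linux host that stamps records in UTC and a Cisco ASA whose clock is assumed to run at UTC-05:00 with no zone marker in the message. Both are normalised to UTC, reviewed cron noise is hidden, the records are merged into one timeline, and each firewall "Built ... connection" message is paired with a host login that follows it within a few seconds. Host names, addresses and the noise list are assumptions chosen for the example.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample records (not from any real system). The Linux host logs in
# UTC; the firewall logs in local time (assumed UTC-05:00) without a zone marker,
# which is the step-4 pitfall: the two clocks cannot be compared until normalised.
LINUX_AUTH_LOG = """\
2024-03-10T14:02:11+00:00 web01 sshd[2210]: Accepted publickey for deploy from 10.0.5.7 port 50122 ssh2
2024-03-10T14:02:11+00:00 web01 sshd[2210]: pam_unix(sshd:session): session opened for user deploy
2024-03-10T14:05:00+00:00 web01 CRON[2301]: pam_unix(cron:session): session opened for user root
2024-03-10T14:05:00+00:00 web01 CRON[2301]: pam_unix(cron:session): session closed for user root
2024-03-10T14:07:45+00:00 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
"""

FIREWALL_LOG = """\
Mar 10 2024 09:02:09 fw1 %ASA-6-302013: Built inbound TCP connection 8831 for outside:10.0.5.7/50122 (10.0.5.7/50122) to inside:192.168.1.20/22 (192.168.1.20/22)
Mar 10 2024 09:05:00 fw1 %ASA-6-302013: Built outbound TCP connection 8840 for inside:192.168.1.20/44210 (192.168.1.20/44210) to outside:203.0.113.9/443 (203.0.113.9/443)
"""
FIREWALL_TZ = timezone(timedelta(hours=-5))  # assumption: the firewall's clock is set to UTC-05:00

# Entries reviewed and judged benign, so they are hidden from view (step 3).
# Keeping the list explicit makes the decision auditable later in the case.
NOISE_PATTERNS = [
    re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user root"),
]

ISO_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
ASA_LINE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

def parse_linux(text):
    """ISO-8601 stamps carry their own offset; convert them to UTC for a common timeline."""
    events = []
    for line in text.splitlines():
        m = ISO_LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append({"ts": ts, "source": m["host"], "msg": m["msg"]})
    return events

def parse_firewall(text, tz=FIREWALL_TZ):
    """ASA stamps have no zone marker: attach the documented device zone, then convert to UTC."""
    events = []
    for line in text.splitlines():
        m = ASA_LINE.match(line)
        if not m:
            continue
        naive = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        ts = naive.replace(tzinfo=tz).astimezone(timezone.utc)
        events.append({"ts": ts, "source": m["host"], "msg": m["msg"]})
    return events

def is_noise(event):
    return any(p.search(event["msg"]) for p in NOISE_PATTERNS)

def build_timeline(*sources):
    """Steps 2-4: merge every source, drop reviewed noise, order by UTC time."""
    merged = [e for src in sources for e in src if not is_noise(e)]
    return sorted(merged, key=lambda e: e["ts"])

def correlate(timeline, window=timedelta(seconds=5)):
    """Step 7: pair each firewall 'Built ... connection' with a host login inside the window."""
    builds = [e for e in timeline if "Built" in e["msg"] and "connection" in e["msg"]]
    logins = [e for e in timeline if "Accepted" in e["msg"]]
    pairs = []
    for b in builds:
        for l in logins:
            if abs(l["ts"] - b["ts"]) <= window:
                pairs.append((b["ts"].isoformat(), l["ts"].isoformat(), l["msg"]))
    return pairs

if __name__ == "__main__":
    timeline = build_timeline(parse_linux(LINUX_AUTH_LOG), parse_firewall(FIREWALL_LOG))
    for e in timeline:
        print(e["ts"].isoformat(), e["source"], e["msg"][:70])
    print(correlate(timeline))
```

With the assumed zone the firewall's 09:02:09 becomes 14:02:09 UTC, two seconds before the host's "Accepted publickey" record, so the two sources agree; without the conversion the same records sit five hours apart and the correlation is missed. The two cron session records are dropped, leaving five events on the timeline.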
Potential Security Log Sources

Server and workstation operating system logs
Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.
Typical Log Locations

Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats
What to Look for on Linux

Successful user login: "Accepted password", "Accepted publickey", "session opened"
Failed user login: "authentication failure", "Failed password"
User log-off: "session closed"
User account change or deletion: "password changed", "new user", "delete user"
Sudo actions: "sudo: ... COMMAND=...", "FAILED su"
Service failure: "failed" or "failure"
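
The Linux strings above turned into a small rule set, as an added Python example that is not part of the original checklist. The auth.log excerpt is constructed; the rule order matters, because the generic "failed"/"failure" service rule must come last so that "Failed password" and "FAILED su" are classified as login and su events rather than service failures. The threshold for flagging a source address is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt (syslog-style, not from a real host).
AUTH_LOG = """\
Mar 10 14:01:02 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar 10 14:01:04 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41023 ssh2
Mar 10 14:01:06 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 41025 ssh2
Mar 10 14:01:09 web01 sshd[2104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23 user=root
Mar 10 14:02:11 web01 sshd[2210]: Accepted publickey for deploy from 10.0.5.7 port 50122 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 14:02:11 web01 sshd[2210]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Mar 10 14:03:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m backupsvc
Mar 10 14:03:30 web01 useradd[2250]: new user: name=backupsvc, UID=1002, GID=1002, home=/home/backupsvc, shell=/bin/bash
Mar 10 14:03:41 web01 passwd[2255]: pam_unix(passwd:chauthtok): password changed for backupsvc
Mar 10 14:04:02 web01 su[2260]: FAILED su for root by deploy
Mar 10 14:09:00 web01 sshd[2210]: pam_unix(sshd:session): session closed for user deploy
Mar 10 14:10:00 web01 systemd[1]: Failed to start nginx.service - A high performance web server.
"""

# (category, pattern) pairs built from the checklist strings. Specific rules
# first; the catch-all service-failure rule last.
RULES = [
    ("successful_login", re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")),
    ("successful_login", re.compile(r"session opened for user (?P<user>[\w.-]+)")),
    ("failed_login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("failed_login", re.compile(r"authentication failure;.*rhost=(?P<src>\S*).*user=(?P<user>\S+)")),
    ("logoff", re.compile(r"session closed for user (?P<user>\S+)")),
    ("account_change", re.compile(r"new user: name=(?P<user>[^,]+)")),
    ("account_change", re.compile(r"delete user '(?P<user>[^']+)'")),
    ("account_change", re.compile(r"password changed for (?P<user>\S+)")),
    ("sudo", re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")),
    ("sudo", re.compile(r"FAILED su for (?P<target>\S+) by (?P<user>\S+)")),
    ("service_failure", re.compile(r"\b(failed|failure)\b", re.IGNORECASE)),
]

def classify(line):
    """Return (category, captured fields) for the first matching rule, or None."""
    for category, pattern in RULES:
        m = pattern.search(line)
        if m:
            return category, m.groupdict()
    return None

def summarize(text, failed_threshold=3):
    """Tally events per category and flag sources with repeated failed logins."""
    counts = Counter()
    failed_by_src = Counter()
    details = defaultdict(list)
    for line in text.splitlines():
        hit = classify(line)
        if not hit:
            continue
        category, fields = hit
        counts[category] += 1
        details[category].append(fields)
        if category == "failed_login" and fields.get("src"):
            failed_by_src[fields["src"]] += 1
    flagged = [src for src, n in failed_by_src.items() if n >= failed_threshold]
    return {"counts": dict(counts), "details": dict(details), "flagged_sources": flagged}

if __name__ == "__main__":
    report = summarize(AUTH_LOG)
    print(report["counts"])
    print("sources with repeated failed logins:", report["flagged_sources"])
    for f in report["details"]["sudo"]:
        print("sudo/su:", f)
```

On the constructed excerpt the report shows four failed logins from one address, one successful key-based login followed by a sudo-driven account creation and password change, one failed su, and one service failure. The account-change and sudo entries are the ones worth reading in full: they record which existing account performed the change.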

What to Look for on Windows

Event IDs are listed below for Windows 2000/XP/2003. For Vista/7/2008 security event IDs, add 4096 to the event ID.
Most of the events below are in the Security log; some are only logged on the domain controller.

User logon/logoff events: successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes: created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes: to self 628; to others 627
Service started or stopped: 7035, 7036, etc. (Service Control Manager events, found in the System log)
Object access denied (if auditing enabled): 560, 567, etc.
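
The "add 4096" rule applied in code, as an added Python example that is not part of the original checklist. It keeps the 2000/XP/2003 IDs from the table as the reference set, accepts an event from either ID scheme, and classifies it by subtracting the offset when needed; the sample export mixes records from a 2003-era and a 2008-era domain controller. The sample records and account names are constructed. The offset is the checklist's rule of thumb and matches the common cases used here (529 to 4625, 528 to 4624, 624 to 4720), but Vista did not renumber every event one-to-one, so the mapping is a starting point rather than a full table.

```python
# Event ID families from the checklist, keyed by the Windows 2000/XP/2003 IDs.
LEGACY_EVENTS = {
    "logon_success": {528, 540},
    "logon_failure": set(range(529, 538)) | {539},
    "logoff": {538, 551},
    "account_created": {624},
    "account_enabled": {626},
    "account_changed": {642},
    "account_disabled": {629},
    "account_deleted": {630},
    "password_change_self": {628},
    "password_change_other": {627},
    "object_access_denied": {560, 567},
}
# Service Control Manager events live in the System log and kept their IDs across versions.
SYSTEM_EVENTS = {"service_started_or_stopped": {7035, 7036}}

VISTA_OFFSET = 4096  # the checklist's rule: Vista/7/2008 security ID = legacy ID + 4096

def legacy_to_vista(event_id):
    return event_id + VISTA_OFFSET

def vista_to_legacy(event_id):
    return event_id - VISTA_OFFSET

def classify_event(event_id, log="Security"):
    """Map an event ID from either ID scheme to a checklist category, or None."""
    if log == "System":
        for cat, ids in SYSTEM_EVENTS.items():
            if event_id in ids:
                return cat
        return None
    # Try the ID as-is (legacy host) and after removing the offset (Vista+ host).
    candidates = {event_id, vista_to_legacy(event_id)}
    for cat, ids in LEGACY_EVENTS.items():
        if candidates & ids:
            return cat
    return None

# Constructed sample export: (log, event_id, account). Mixes a 2003 DC and a 2008 DC.
SAMPLE_EVENTS = [
    ("Security", 529, "jdoe"),
    ("Security", 529, "jdoe"),
    ("Security", 4625, "jdoe"),         # 529 + 4096: same failure class on Vista/2008
    ("Security", 4624, "jdoe"),         # 528 + 4096: successful logon
    ("Security", 624, "svc-backup"),
    ("Security", 4720, "svc-backup"),   # 624 + 4096: account created
    ("Security", 627, "admin01"),
    ("System", 7036, None),
]

def summarize(events):
    """Group accounts by checklist category so mixed-version exports read as one list."""
    per_category = {}
    for log, eid, account in events:
        cat = classify_event(eid, log) or "unclassified"
        per_category.setdefault(cat, []).append(account)
    return per_category

if __name__ == "__main__":
    for cat, accounts in summarize(SAMPLE_EVENTS).items():
        print(f"{cat:24s} {accounts}")
```

The point of folding both schemes into one category is that a failed-logon count for an account is only meaningful once 529 on an older controller and 4625 on a newer one are tallied together; counted separately, each controller shows a smaller number than the environment actually produced.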
What to Look for on Network Devices

Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

Traffic allowed on firewall: "... connection" (on Cisco ASA the connection-setup messages read "Built ... connection"), "access-list ... permitted"
Traffic blocked on firewall: "access-list ... denied", "deny inbound", "Deny ... by"
Bytes transferred (large files?): "Teardown TCP connection ... duration ... bytes ..."
Bandwidth and protocol usage: "limit ... exceeded", "CPU utilization"
Detected attack activity: "attack from"
User account changes: "user added", "user deleted", "User priv level changed"
Administrator access: "AAA user ...", "User ... locked out", "Login failed"
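
The firewall checks above run over a handful of ASA-style messages, as an added Python example that is not part of the original checklist. The log lines are constructed in the shape of the standard 302013/302014/106023/113012 messages; the size threshold for a "large file" and the addresses are assumptions. The teardown parser converts the "duration h:mm:ss bytes N" fields into numbers so that transfers can be ranked, and the deny parser counts distinct destinations per source, which separates one misconfigured client hammering a single port from a source touching many hosts.

```python
import re
from collections import Counter

# Constructed ASA-style syslog lines (not from a real device).
ASA_LOG = """\
%ASA-6-302013: Built outbound TCP connection 10611 for inside:192.168.1.20/44210 (192.168.1.20/44210) to outside:203.0.113.9/443 (203.0.113.9/443)
%ASA-6-302014: Teardown TCP connection 10611 for inside:192.168.1.20/44210 to outside:203.0.113.9/443 duration 0:42:17 bytes 734003200 TCP FINs
%ASA-6-302013: Built inbound TCP connection 10612 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:192.168.1.20/22 (192.168.1.20/22)
%ASA-6-302014: Teardown TCP connection 10612 for outside:198.51.100.7/51000 to inside:192.168.1.20/22 duration 0:00:03 bytes 1480 TCP Reset-O
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51001 dst inside:192.168.1.20/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51002 dst inside:192.168.1.21/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51003 dst inside:192.168.1.22/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51004 dst inside:192.168.1.23/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-6-113012: AAA user authentication Successful : local database : user = netadmin
%ASA-4-405001: Received ARP request collision from 192.168.1.5/0011.2233.4455 on interface inside
"""

TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
)
DENY = re.compile(
    r"Deny \w+ src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by"
)
ADMIN = re.compile(r"AAA user|Locked out|Login failed", re.IGNORECASE)

def parse_teardowns(text):
    """Bytes and duration per closed connection (the 'large files?' check)."""
    out = []
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            out.append({"conn": m["conn"], "src": m["src"], "dst": m["dst"],
                        "duration_s": secs, "bytes": int(m["bytes"])})
    return out

def large_transfers(text, threshold_bytes=100 * 1024 * 1024):
    """Connections that moved at least threshold_bytes (assumed 100 MiB), largest first."""
    big = [t for t in parse_teardowns(text) if t["bytes"] >= threshold_bytes]
    return sorted(big, key=lambda t: t["bytes"], reverse=True)

def denies_by_source(text):
    """Count blocked flows per source and how many distinct host/port targets they touched."""
    flows = Counter()
    dests = {}
    for line in text.splitlines():
        m = DENY.search(line)
        if m:
            flows[m["src"]] += 1
            dests.setdefault(m["src"], set()).add((m["dst"], m["dport"]))
    return {src: {"denied": n, "distinct_targets": len(dests[src])} for src, n in flows.items()}

def admin_events(text):
    """Lines matching the administrator-access strings from the checklist."""
    return [line for line in text.splitlines() if ADMIN.search(line)]

if __name__ == "__main__":
    for t in large_transfers(ASA_LOG):
        print(f"large transfer: {t['src']} -> {t['dst']} {t['bytes']} bytes over {t['duration_s']} s")
    print(denies_by_source(ASA_LOG))
    print(admin_events(ASA_LOG))
```

On the constructed lines the outbound connection to port 443 is reported as a 700 MiB transfer over 42 minutes, the inbound SSH attempt is tiny and reset, and one outside address accounts for four denied flows to four different internal hosts. Inbound and outbound results are both produced from the same teardown records, which is why the checklist asks for both directions to be reviewed.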
What to Look for on Web Servers

Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to "risky" pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication: error code 401, 403
Invalid request: error code 400
Internal server error: error code 500
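
The web-server checks above applied to combined-format access log lines, as an added Python example that is not part of the original checklist. The log excerpt is constructed; the set of paths the site actually serves, the set of file extensions it implements, the "excessive 404" threshold and the code-in-URL signatures are assumptions that would be replaced by the real site's inventory. The request path is percent-decoded before inspection, since the SQL and HTML fragments the checklist refers to usually arrive URL-encoded.

```python
import os.path
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache/nginx combined-format lines (not from a real server).
ACCESS_LOG = """\
198.51.100.23 - - [10/Mar/2024:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:01:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:01:05 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:01:06 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:02:10 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:14:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.7 - alice [10/Mar/2024:14:03:00 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.5.7 - - [10/Mar/2024:14:03:30 +0000] "GET /account HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.5.8 - - [10/Mar/2024:14:04:00 +0000] "GET /images/upload_cache.php HTTP/1.1" 200 1337 "-" "curl/8.0"
10.0.5.8 - - [10/Mar/2024:14:04:05 +0000] "GET /%00%ff HTTP/1.1" 400 0 "-" "curl/8.0"
10.0.5.9 - - [10/Mar/2024:14:05:00 +0000] "POST /checkout HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""

# Assumed site inventory: what the application really serves. In practice this
# comes from the deployment manifest or a crawl of the running site.
KNOWN_PATHS = {"/", "/search", "/account", "/checkout"}
IMPLEMENTED_EXTENSIONS = {"", ".html", ".css", ".js", ".png"}

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed signatures for "code seen as part of the URL": SQL fragments and HTML tags.
CODE_IN_URL = re.compile(r"(\bunion\b|\bselect\b|'\s*or\s*'|<script|</script)", re.IGNORECASE)

def parse(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["path"] = unquote(d["path"])  # decode before inspecting
            rows.append(d)
    return rows

def review(rows, known_paths, implemented_exts, notfound_threshold=5):
    """Apply each checklist item and return the findings keyed by item."""
    findings = {"excessive_404": [], "code_in_url": [], "unknown_extension": [],
                "unexpected_200": [], "auth_failures": 0, "bad_requests": 0, "server_errors": 0}
    notfound = Counter(r["ip"] for r in rows if r["status"] == 404)
    findings["excessive_404"] = [ip for ip, n in notfound.items() if n >= notfound_threshold]
    for r in rows:
        base = r["path"].split("?", 1)[0]
        ext = os.path.splitext(base)[1].lower()
        if CODE_IN_URL.search(r["path"]):
            findings["code_in_url"].append((r["ip"], r["path"]))
        if ext not in implemented_exts:
            findings["unknown_extension"].append((r["ip"], base))
        if r["status"] == 200 and base not in known_paths:
            findings["unexpected_200"].append((r["ip"], base))  # 200 on a file that is not yours
        if r["status"] in (401, 403):
            findings["auth_failures"] += 1
        elif r["status"] == 400:
            findings["bad_requests"] += 1
        elif r["status"] == 500:
            findings["server_errors"] += 1
    return findings

if __name__ == "__main__":
    for item, value in review(parse(ACCESS_LOG), KNOWN_PATHS, IMPLEMENTED_EXTENSIONS).items():
        print(f"{item:18s} {value}")
```

The finding to act on first is the 200 response for a .php file under /images/ that the inventory does not list: a successful response for content you did not deploy is a stronger signal than any number of 404s. The 404 burst and the decoded query strings from the same address are context for that finding, and the 401, 400 and 500 counts are the baseline figures the checklist asks you to watch for change. When the site sits behind a load balancer, run the same review over every pool member's log and merge the rows before counting, or per-source thresholds will be diluted across servers.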
