Seci-log 1.02, log analysis software adds a variety of alarms

Source: Internet
Author: User

On top of the seven alarm types already in the log analysis software (non-office-hours access, non-work-location access, password guessing, account guessing, successful account guessing, sensitive file operation and high-risk command operation), this release adds three alarms: host scan, port scan and illegal outbound connection.

Host Scan

Host scanning means scanning a range of machines from one host on the internal or external network in order to discover which hosts are alive, laying the foundation for the next step. This alarm, together with the port scan and illegal outbound connection alarms below, is a network-level alarm, and it requires the logging policy to be configured first. Most Linux systems ship with the iptables firewall; its LOG target can be used to collect the logs that these alarms are analyzed from. The log configuration is described below:

1. Run the following commands under Linux so that iptables log entries are sent via syslog:

iptables -A OUTPUT -p tcp -j LOG --log-prefix "Seci-iptables" --log-level 4

iptables -A OUTPUT -p udp -j LOG --log-prefix "Seci-iptables" --log-level 4

2. Configure the syslog send policy:

kern.*    @<Seci-log server address>

Note that kern.none must be added to the line *.info;mail.none;authpriv.none;cron.none;kern.none, otherwise the kernel messages are sent twice. Alternatively, you can skip the kern line altogether and send everything at the info level directly.

3. Restart the syslog service:

service rsyslog restart

4. Install nmap, taking CentOS as an example:

yum install nmap

After the above steps, the firewall log sending policy is in place.

Verification process: first configure the legitimate ports. See:

[Image: 07172557_CPit.png (http://static.oschina.net/uploads/img/201505/07172557_CPit.png)]

Run the nmap command nmap -sP 192.168.21.1-20, which scans 20 hosts.

To view alarms:

[Image: 07172558_6ILq.png (http://static.oschina.net/uploads/img/201505/07172558_6ILq.png)]

Then check the alarm details:

[Image: 07172558_tx6I.png (http://static.oschina.net/uploads/img/201505/07172558_tx6I.png)]

[Image: 07172558_mO3D.png (http://static.oschina.net/uploads/img/201505/07172558_mO3D.png)]

You can see that during host discovery nmap mainly probes ports 443 and 80, so two host scan alarms are generated here.

Port scan

Port scanning means scanning the ports of another machine on the intranet or the Internet from one machine, in order to discover which ports of that host are open, laying the foundation for the next step. This alarm is also a network-level alarm and requires the logging policy to be configured first; the detailed configuration is described under host scan.

Verification process: run the nmap command nmap -p 20-80 192.168.21.1, which scans 61 ports.

To view alarms:

[Image: 07172558_a8bz.png (http://static.oschina.net/uploads/img/201505/07172558_a8bz.png)]

View Details:

[Image: 07172558_qxNs.png (http://static.oschina.net/uploads/img/201505/07172558_qxNs.png)]

You can see the information showing that multiple ports on this machine were scanned.

Illegal outbound connection

An illegal outbound connection means a machine has connections it should not have. For example, a server may normally only open ports 80 and 22, and a server generally only receives connections passively; when the log shows the server itself initiating connections, and not from the specified ports, it is very likely infected with a Trojan and deserves special attention. This alarm is also a network-level alarm and requires the logging policy to be configured first; the detailed configuration is described under host scan.

Verification process: first configure the legitimate ports. See:

[Image: 07172557_CPit.png (http://static.oschina.net/uploads/img/201505/07172557_CPit.png)]

This indicates that local ports 22 and 514 are legitimate ports and all other ports are illegal. Running the host scan or port scan nmap command above then generates illegal outbound connection alarms.

[Image: 07172558_6ILq.png (http://static.oschina.net/uploads/img/201505/07172558_6ILq.png)]

View Details:

[Image: 07172559_TlHp.png (http://static.oschina.net/uploads/img/201505/07172559_TlHp.png)]

You can see the illegal outbound behaviour; the log entries behind it are the same ones that produced the host scan or port scan alarms.
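The three alarms described above (host scan, port scan and illegal outbound connection) are all derived from the same iptables LOG lines that the OUTPUT-chain rules in the host scan section produce. As an added example that is not Seci-log's own code, the script below parses such lines and raises the three alarms over a constructed sample log. The thresholds (5 distinct targets for a host scan, 10 distinct ports on one target for a port scan), the legitimate local ports 22 and 514 from the screenshot, and the allowed outbound destination port 514 for syslog forwarding are assumptions; the sample lines are constructed, not real captures, and the "Seci-iptables" prefix is written without a trailing space exactly as the page's iptables command produces it.

```python
import re
from collections import defaultdict

# Assumed detection parameters (not from the page): tune per environment.
HOST_SCAN_MIN_TARGETS = 5      # one source touching this many hosts
PORT_SCAN_MIN_PORTS = 10       # one source touching this many ports on one host
LEGITIMATE_LOCAL_PORTS = {22, 514}   # services this host is allowed to serve
ALLOWED_OUTBOUND_DPT = {514}         # syslog forwarding to the Seci-log server

# Kernel log lines look like "... kernel: Seci-iptablesIN= OUT=eth0 SRC=... DPT=443 ..."
LINE_RE = re.compile(r"kernel: Seci-iptables(?P<fields>.*)$")


def parse_iptables_line(line):
    """Return a dict of the KEY=VALUE fields of one iptables LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Bare flags such as DF or SYN carry no '=', so findall skips them.
    rec = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    if "SRC" not in rec or "DST" not in rec:
        return None
    for key in ("SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def analyze(lines):
    """Raise host scan, port scan and illegal outbound alarms over log lines."""
    targets = defaultdict(set)   # SRC -> hosts it initiated connections to
    ports = defaultdict(set)     # (SRC, DST) -> destination ports touched
    illegal = set()              # (SRC, DST, DPT) flows this host should not start
    for line in lines:
        rec = parse_iptables_line(line)
        if rec is None:
            continue
        src, dst, spt, dpt = rec["SRC"], rec["DST"], rec.get("SPT"), rec.get("DPT")
        # Packets leaving from a legitimate local service port are replies to
        # clients, not connections this host initiated: ignore them.
        if spt in LEGITIMATE_LOCAL_PORTS:
            continue
        targets[src].add(dst)
        if dpt is not None:
            ports[(src, dst)].add(dpt)
        # OUT=<iface> means the packet was logged on the OUTPUT chain, i.e. the
        # host itself started the connection; anything not on the allow list is
        # an illegal outbound connection.
        if rec.get("OUT") and dpt not in ALLOWED_OUTBOUND_DPT:
            illegal.add((src, dst, dpt))
    return {
        "host_scan": [{"src": s, "targets": len(d)} for s, d in targets.items()
                      if len(d) >= HOST_SCAN_MIN_TARGETS],
        "port_scan": [{"src": s, "dst": d, "ports": len(p)}
                      for (s, d), p in ports.items() if len(p) >= PORT_SCAN_MIN_PORTS],
        "illegal_outbound": sorted(illegal),
    }


def _constructed_line(dst, spt, dpt):
    # Constructed sample in iptables LOG format; not a real capture.
    return (f"May  7 17:25:58 seci kernel: Seci-iptablesIN= OUT=eth0 "
            f"SRC=192.168.21.10 DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


SAMPLE_LOG = (
    # host discovery (nmap -sP style): every host probed on 80 and 443
    [_constructed_line(f"192.168.21.{i}", 40000 + i, p) for i in range(1, 6) for p in (80, 443)]
    # port scan (nmap -p 20-30 style) against a single host
    + [_constructed_line("192.168.21.1", 41000 + p, p) for p in range(20, 31)]
    # reply from the local sshd: source port 22 is a legitimate local port
    + [_constructed_line("192.168.21.77", 22, 51000)]
    # syslog forwarding to the Seci-log server: allowed outbound destination
    + [_constructed_line("192.168.21.100", 50000, 514)]
    # unrelated kernel message that the parser must skip
    + ["May  7 17:25:59 seci kernel: eth0: link is up"]
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, len(hits), hits[:3])
```

Running the script prints one host scan alarm (the scanning source reached 6 distinct hosts, the five probed ones plus the syslog server), one port scan alarm (13 distinct ports on 192.168.21.1: 80, 443 and 20 to 30) and 21 illegal outbound flows, while the sshd reply and the syslog forward raise nothing. This matches the page's observation that the same scan packets appear under both the scan alarms and the illegal outbound alarm.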



This article is from the "Zhulinu blog"; please keep this source: http://zhulinu.blog.51cto.com/539189/1685062

