Standardization of security incidents
A general-purpose log system cannot standardize logs. In the OSSIM system an event not only needs a unified format but also a set of special properties. Let us look at a few typical fields and their descriptions:
- ALARM: alarm name
- Event ID: security event number
- Sensor ID: number of the sensor that emitted the event
- Source IP (src_ip): origin IP address of the security event
- Source Port (src_port): origin port of the security event
- Type: events are classified into two categories, detector and monitor
- SIGNATURE: the characteristic value (signature) that triggered the security event
- Reliability: credibility of the security event (the probability that a detected attack is a real, successful one, which reflects the severity of the security incident)
To build on the SIEM console introduced in Chapter 2, let us look at some examples of security events in the unified format.
The server processes a large amount of unstructured data in a Redis server; a series of rules eventually detect alarms, the alarms are aggregated, and after aggregation they have a unified format and are stored centrally in the MySQL database. A typical record format is given below.
1) A typical raw log record format is shown in Figure 1.
Figure 1 Raw log Record format
2) The normalized SIEM event record format is shown in Figures 2 and 3.
Figure 2 Event Normalization processing format
Figure 3 Siem Record format
How does OSSIM store an event? The sensor collects raw logs from various network devices and servers through rsyslog and stores them on the hard disk of the server where the sensor resides, waiting for processing. When a log is received, the agent installed on the sensor server begins to work: the pre-configured security plug-in starts preprocessing the log (that is, normalization), as shown in the process in Figure 4.
Figure 4 Sensor Log capture process
The agent sends the logs processed by the plug-in to the server for further processing and reassembles the fields into the following format (from raw log to normalized log, as shown in Table 1).
Table 1 Normalization processing log format
Date | Src_port
Sensor | Dst_ip
Interface | Dst_port
plugin_id | Username
Plugin_sid | Password
Priority | FileName
Protocol | Userdata1~Userdata5
Src_ip | Userdata6~Userdata9
After normalization, the important fields have the following meanings:
- Source and destination address: a very important part of correlation analysis.
- Source and destination ports: the service ports, from which accesses and attempted accesses can be analyzed.
- Message classification: sorts the messages, for example by the success or failure of a user login or by whether the message records an attempt.
- Timestamp: this includes both the time the log message was generated on the device and the time the system received the message (the two differ because of transmission delays and clock differences).
- Priority: for example, the log of a network device (switch) contains a vendor-defined priority. As part of normalization, every log is also required to carry a priority level.
- Interface: the network interface through which the log message was received.
The original log is an important part of the normalization process. OSSIM retains the original log while normalizing it; the retained copy can be used for log archiving and provides a way to recover the original log from the normalized event.
After normalization, the log is stored in the MySQL database over TCP port 3306. The correlation engine then performs cross-correlation analysis according to rules, priorities, reliability and other parameters, obtains a risk value and issues various kinds of alarm information (analyzed in detail in later chapters).
Figure 5th Log Storage
Next, let us look at an example. Below is an original Apache log, shown in Figure 6.
Figure 6 Raw Log
The log is first collected and processed by the OSSIM system and then displayed through the web front end in the easy-to-read format shown in Figure 7. How to compare the normalized event with the original log is explained later.
Figure 7 Apache Access log after normalization processing
In the example shown in Figure 7, only Userdata1 and Userdata2 are used; Userdata3~Userdata9 are unused. These are extension fields, reserved mainly for use by other devices or services.
Figure 8 Host identification form under the Siem Console
After normalization, the destination address is marked as a Host-IP name, for example Host-192-168-0-1. The normalization process takes place after the system collects and stores events and before correlation and data analysis; the data is converted into an easy-to-read format in the SIEM tool, as shown in Figure 7, which is much easier to understand than the raw log. If you would like to learn more about the standardization of security events, please refer to the book "Open Source Security Operations Platform: OSSIM Best Practices".
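To make the normalization described above concrete (Table 1, the two timestamps under "Timestamp", the retained raw log, the Apache example of Figure 7 and the Host-IP marker), here is an added Python example that turns one constructed Apache access-log line into a record with the Table 1 fields. It is illustrative code written for this page, not OSSIM's own agent or plug-in code; the plugin_id value, the plugin_sid-as-HTTP-status and priority mappings, and the choice of what goes into Userdata1/Userdata2 are assumptions made here, not OSSIM's real plug-in configuration.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed Apache combined-format access log line (not taken from the article's figures).
RAW_LOG = ('192.168.0.55 - alice [03/Mar/2016:10:15:32 +0800] '
           '"GET /admin/login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"')

# Apache combined log format; the referer/user-agent pair is optional so the
# common log format (without them) also parses.
APACHE_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Assumed plugin identifier for illustration only; real values come from the
# OSSIM plug-in configuration.
APACHE_PLUGIN_ID = 1501


def host_label(ip: str) -> str:
    """Build the Host-a-b-c-d name the article shows for normalized destination hosts."""
    return "Host-" + ip.replace(".", "-")


def normalize_apache(raw: str, sensor: str, interface: str, dst_ip: str,
                     dst_port: int, received: datetime) -> Optional[dict]:
    """Map one raw Apache line onto the Table 1 fields; return None if it does not parse.

    `received` is the time the collector saw the line, kept separately from the
    timestamp inside the message so the delay between the two can be measured.
    """
    m = APACHE_RE.match(raw)
    if m is None:
        return None
    generated = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    status = int(m['status'])
    # Assumed priority mapping: HTTP error responses rank higher than successes.
    priority = 3 if status >= 400 else 1
    record = {
        'date': generated.astimezone(timezone.utc).isoformat(),  # time written by the device
        'received': received.astimezone(timezone.utc).isoformat(),  # time the system received it
        'receive_delay_s': (received - generated).total_seconds(),
        'sensor': sensor,
        'interface': interface,
        'plugin_id': APACHE_PLUGIN_ID,
        'plugin_sid': status,          # assumed: one sub-id per HTTP status code
        'priority': priority,
        'protocol': 'TCP',
        'src_ip': m['src_ip'],
        'src_port': None,              # Apache access logs do not record the client port
        'dst_ip': dst_ip,
        'dst_host': host_label(dst_ip),
        'dst_port': dst_port,
        'username': None if m['user'] == '-' else m['user'],
        'password': None,
        'filename': m['path'],
        # Assumed use of the two extension fields the article says Figure 7 fills.
        'userdata1': f"{m['method']} {m['path']} {m['proto']}",
        'userdata2': m['agent'],
        'raw_log': raw,                # original log retained alongside the normalized event
    }
    # Userdata3~Userdata9 stay empty: reserved for other devices or services.
    for i in range(3, 10):
        record[f'userdata{i}'] = None
    return record


if __name__ == '__main__':
    seen_at = datetime(2016, 3, 3, 2, 15, 40, tzinfo=timezone.utc)
    print(json.dumps(normalize_apache(RAW_LOG, 'sensor-1', 'eth0',
                                      '192.168.0.1', 80, seen_at), indent=2))
```

Keeping `date` and `received` as separate fields is what lets an analyst notice clock skew or forwarding delay between the web server and the collector, and storing `raw_log` next to the normalized fields is what makes the later comparison of a normalized event with its original log possible.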
This article is from the "Lee Chenguang original Technology blog"; reprinting is declined.