Shulou(Shulou.com)06/01 Report--

Application scenario: visual analysis of SSH logs

When it comes to log visualization, it sounds classy, but it is either complicated to configure or need to write code. It is true that the threshold for rookies is high, but it is not, as long as you choose the right platform, it is easy to achieve.

The following is a random selection from several SSH logs. What clues can we find out?

Mar 17 01:47:21 10.X.Y.Z sshd [14845]: Failed password for root from 1X.1Y.Z.Z port 59562 ssh3

Generally speaking, we can get general information such as time, IP address, port number, process name and so on from the above log, but we can't see anything further. If there are thousands of such messages, how long will it take us to analyze them? Is the conclusion objective? I think there is an answer in everyone's heart. With questions, let's take a look at the results of OSSIM's analysis:

Feature: password verification failed

Time: the interval is very dense, how dense is it? Next, we use the timeline function under the SIEM console to quantify.

Source address, destination address, source port, destination port user name, risk value, and so on.

The following timeline analysis will visually see the number of times per second.

All right, let's take a closer look at the content of the security incident cracked by SSH brute force after normalization.

It intuitively tells us the type, the duration, the country where the IP address belongs, and you can even pinpoint the IP on Google Maps.

Next, we find this kind of SSH brute force cracking alarm message on the start-up global alarm chart.

It can also easily show the proportion of this kind of alarm on the dashboard, which is convenient for security personnel to analyze the occurrence and development of this security incident and some causality more deeply.

Well, only one log message of SSH password authentication failure involves so much content, and there are more logs waiting for us to analyze. For example, visual network risk analysis, visual event analysis, etc.

Reference:

Classic OSSIM tutorial "Open Source Security Operation and maintenance platform OSSIM Best practices"

OSSIM Multimedia tutorial: http://edu.51cto.com/course/course_id-1186.html

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.