2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
On top of the seven existing alarms of the log analysis software (off-duty visit, off-duty visit, password guessing, account guessing, account guessing success, sensitive file operation and high-risk command operation), we have added three alarms: host scan, port scan and illegal outreach.
Host scan
Host scanning means scanning a network segment of the internal or external network from one machine in order to find the live hosts in that segment, laying the groundwork for the next step. This alarm, together with the port scan and illegal outreach alarms below, is a network-level alarm: only the log policy needs to be configured. Most Linux systems have the iptables firewall built in, so you can use the LOG target of iptables to collect the logs and then analyze them for these alarms. The log configuration is described below:
1. Run the following commands on Linux so that the iptables log entries are emitted through syslog:
iptables -A OUTPUT -p tcp -j LOG --log-prefix "seci-iptables" --log-level 4
iptables -A OUTPUT -p udp -j LOG --log-prefix "seci-iptables" --log-level 4
2. Configure the syslog forwarding policy:
kern.warning @<IP address of the log server>
Note that kern.none must be added to the default *.info;mail.none;authpriv.none;cron.none rule, giving *.info;mail.none;authpriv.none;cron.none;kern.none; otherwise the kernel logs will be sent twice. Alternatively, you can skip the first rule and forward directly with the *.info selector.
3. Restart the syslog service:
service rsyslog restart
4. Install nmap. Taking CentOS as an example:
yum install nmap
After the above configuration, you can configure the firewall log sending policy.
In the verification process, the first step is to configure the legal port. See the following figure for details:
Execute the nmap command nmap -sP 192.168.21.1-20, which scans 20 hosts.
View alarms:
Then check the alarm details:
It can be seen that during the host scan nmap mainly probes ports 443 and 80, so two host scan alarms are generated at this point.
Port scan
Port scanning means scanning the ports of another machine in the internal or external network from one machine. The purpose is to find the open ports of that host and lay the groundwork for the next step. This alarm is also a network-level alarm: only the log policy needs to be configured. For the detailed configuration, see Host scan.
Verification process: execute the nmap command nmap -p 20-80 192.168.21.1, which scans 61 ports.
View alarms:
View details:
You can see that many different ports of this machine have been scanned.
Illegal outreach
Illegal outreach means connection activity on a machine that should not exist. A server, for example, may only open ports 80 and 22 under normal circumstances, and a log server generally only receives logs passively. When the log shows an active outbound connection that does not use a specified port, it is very likely that the machine has been compromised and deserves special attention. This alarm is also a network-level alarm: only the log policy needs to be configured. For the detailed configuration, see Host scan.
In the verification process, the first step is to configure the legal port. See the following figure for details:
This indicates that ports 22 and 514 of this machine are legitimate ports; all other ports are illegal. An illegal outreach alarm can be generated by executing the nmap commands from the host scan or port scan sections above.
View details:
It can be seen that illegal outreach behavior is present, and some of the log entries overlap with the host scan or port scan alarms.
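As an added example (not code from the article or from the log analysis software described), the following Python script shows how the three network-level alarms above can be raised from the iptables LOG lines that the OUTPUT-chain rules send over syslog. The log lines are constructed samples; the thresholds, the legal port set {22, 514} and the assumption that a connection is legitimate when either its source or destination port is legal are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's format for the OUTPUT-chain LOG rules above
# (prefix "seci-iptables"). The prefix runs into "IN=" because it has no trailing space.
SAMPLE_LOGS = [
    "Jan 15 10:00:01 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=192.168.21.1 PROTO=TCP SPT=40001 DPT=443 SYN URGP=0",
    "Jan 15 10:00:01 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=192.168.21.2 PROTO=TCP SPT=40002 DPT=443 SYN URGP=0",
    "Jan 15 10:00:05 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=192.168.21.1 PROTO=TCP SPT=40004 DPT=21 SYN URGP=0",
    "Jan 15 10:00:05 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=192.168.21.1 PROTO=TCP SPT=40005 DPT=23 SYN URGP=0",
    "Jan 15 10:00:05 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=192.168.21.1 PROTO=TCP SPT=40006 DPT=25 SYN URGP=0",
    "Jan 15 10:00:06 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=10.0.0.9 PROTO=UDP SPT=51000 DPT=514 LEN=120",
    "Jan 15 10:00:07 srv kernel: seci-iptablesIN= OUT=eth0 SRC=192.168.21.5 DST=192.168.21.7 PROTO=TCP SPT=8080 DPT=55000 ACK URGP=0",
    "Jan 15 10:00:08 srv sshd[1201]: Accepted publickey for ops from 192.168.21.9",
]

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_new_connection(line):
    """Return (src, dst, proto, spt, dpt) for a seci-iptables line that starts a
    connection (TCP SYN without ACK, or any UDP datagram); None otherwise."""
    f = dict(FIELD_RE.findall(line)) if "seci-iptables" in line else {}
    if any(k not in f for k in ("SRC", "DST", "PROTO", "SPT", "DPT")):
        return None
    flags = set(line.split())
    if f["PROTO"] == "TCP" and not ("SYN" in flags and "ACK" not in flags):
        return None  # replies and established traffic are not outreach attempts
    return f["SRC"], f["DST"], f["PROTO"], int(f["SPT"]), int(f["DPT"])

def analyze(lines, legal_ports=frozenset({22, 514}), host_min=3, port_min=3):
    """Raise the three network-level alarms over a batch of syslog lines (assumed thresholds)."""
    hosts_per_src = defaultdict(set)    # host scan: one SRC reaching many DSTs
    ports_per_pair = defaultdict(set)   # port scan: one SRC->DST pair hitting many DPTs
    outreach = []                       # illegal outreach: neither port is a legal port
    for line in lines:
        conn = parse_new_connection(line)
        if conn is None:
            continue
        src, dst, proto, spt, dpt = conn
        hosts_per_src[src].add(dst)
        ports_per_pair[(src, dst)].add(dpt)
        if spt not in legal_ports and dpt not in legal_ports:
            outreach.append((src, dst, proto, dpt))
    return {
        "host_scan": {s: len(d) for s, d in hosts_per_src.items() if len(d) >= host_min},
        "port_scan": {p: len(d) for p, d in ports_per_pair.items() if len(d) >= port_min},
        "illegal_outreach": outreach,
    }

print(analyze(SAMPLE_LOGS))  # run stand-alone to see all three alarms on the sample
```

As the sample shows, the same scan traffic feeds all three alarms, which is why the illegal outreach entries overlap with the host scan and port scan alarms.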