Two New SANS Reading Room Papers on Logging Available
Posted on February 3rd, 2008 | by Andrew Hay

Many who know me know that I am a huge fan of free security resources. Papers from the SANS Information Security Reading Room are just such a resource. Two new papers were recently posted to the reading room that are certainly worth checking out. I’m sure the authors would greatly appreciate any additional insight you might have.
The first paper is entitled Auditing a Corporate Log Server by Roger Meyer. The paper is not about log management or analysis per se, but rather discusses how to audit a corporate log server that houses all of your logs.
Abstract:
This paper was written to fulfill requirements for GIAC Gold for the GSNA (GIAC Systems and Network Auditor) Certification.
This paper details an audit of a corporate log server. The goal of the audit is to measure if implemented security controls are adequate on the server and to validate the configuration, since prevention is always better than cure.
The ever-increasing number of computer devices located in a corporation produce a vast amount of log data. This log data contains information related to specific events that have occurred on a system. Collection and storage of these logs is important for reasons like traceability, statistics and identifying security events. Increasingly, compliance requirements, laws and industry regulations dictate the storage and analysis of security events.
The audited log server collects log data from multiple sources including firewalls, VPN, routers and other security related systems, stores them and permits analysis and monitoring.
The remainder of this paper is divided into 5 parts:
It starts with the Introduction which explains the background material like risk and log management. The Identification describes the audited device, in this case the log server and surrounding infrastructure. The Risk Analysis defines the terms risk, threat, vulnerability and impact. Three risks to the log server are isolated and analyzed in detail.
The next part – Testing – compiles a list of tests to determine the vulnerabilities chosen in the preceding part. The Audit performs the tests developed in the previous chapter.
The methodology used to evaluate the risk was derived from the function that risk is a multiplication of the threat likelihood and the threat impact. The vulnerabilities with the biggest impacts were chosen and analyzed. The tests showed that the identified risks were addressed appropriately with some minor recommendations for improvements.
The second paper is entitled Detecting Attacks on Web Applications from Log Files also by Roger Meyer (looks like someone was busy over the past couple of months). This paper discusses the logs generated from web application servers when subjected to common attacks.
Abstract:
Web traffic (Hypertext Transfer Protocol, HTTP) has overtaken P2P traffic and continues to grow. [Ellacoya, 2007] Web site hacks are on the rise and pose a greater threat than the broad-based network attacks as they threaten to steal critical customer, employee, and business partner information stored in applications and databases linked to the Web. [Greenemeier, 2006]
The increasing shift towards web applications opens new attack vectors. Traditional protection mechanisms like firewalls were not designed to protect web applications and thus do not provide adequate defense. Current attacks cannot be thwarted by just blocking ports 80 (HTTP) and 443 (HTTPS).
Preventive measures (like Web Application Firewall rules) are not always possible. Reactive methods – to detect what happened previously – are usually easier but have the disadvantage of always being behind the actual event.
This paper explains how to detect the most critical web application security flaws. Web application log files allow a detailed analysis of a user's actions. Log files have their limits, though. Web server log files contain only a fraction of the full HTTP request and response. Knowing those limits, the majority of attacks can be recognized and acted upon to prevent further exploitation.
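To make the abstract's point concrete, here is an added example of the kind of reactive, log-based detection the second paper is about. It is my own illustration, not code or rules from Meyer's paper: it parses Apache "combined" format lines, URL-decodes the request target (repeatedly, so double-encoded payloads are caught), matches a small set of assumed signatures for injection, traversal and XSS, and flags POST requests whose bodies the log never captured. The log lines are constructed for the example and the signature patterns are deliberately minimal assumptions, not a production rule set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache "combined" format (not taken from the paper).
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2008:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2008:10:15:09 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2008:10:15:12 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Feb/2008:10:16:00 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Feb/2008:10:16:30 +0000] "GET /img.php?f=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Feb/2008:10:17:00 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/login.php" "Mozilla/5.0"
"""

# Apache combined format: host ident user [time] "request" status size "referer" "agent"
LOG_PATTERN = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Illustrative signatures (assumptions for this example, not Meyer's rules).
# They run against the *decoded* target, so encoding tricks do not hide them.
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)('|%27)\s*(or|and)\s+[\w']+\s*=|union\s+(all\s+)?select|;\s*drop\s+table|--\s*$|/\*.*\*/"
    ),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|boot\.ini"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on(error|load|mouseover)\s*="),
    "cmdi": re.compile(r"(?i)[;|`]\s*(cat|ls|id|whoami|wget|curl)\b"),
}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_PATTERN.match(line)
    return m.groupdict() if m else None


def decode_target(target, max_rounds=3):
    """URL-decode until stable (capped) so %252e%252e%252f becomes ../ as well."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(decoded_target):
    """Names of every signature class that matches the decoded request target."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_target)]


def analyze(log_text):
    """Return (host, category, decoded_target) findings for a block of log lines."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: a real tool would count these, too
        decoded = decode_target(rec["target"])
        hits = classify(decoded)
        for category in hits:
            findings.append((rec["host"], category, decoded))
        if not hits and rec["method"] == "POST":
            # The combined format records only the request line, never the body,
            # so a POST payload is invisible here. This is the limit the abstract
            # refers to: flag the request as unchecked rather than call it clean.
            findings.append((rec["host"], "unchecked-post-body", decoded))
    return findings


if __name__ == "__main__":
    for host, category, target in analyze(SAMPLE_LOG):
        print(f"{host:<14} {category:<20} {target}")
```

Running it prints one finding per attack line plus the unchecked POST. The double-decoding loop is what catches the fifth line, which a naive single `unquote` would leave as `%2e%2e%2f` and miss; capping the rounds keeps a hostile target from making the decoder loop. If you need visibility into POST bodies, that has to come from the application's own logging or a module such as mod_security, not from the access log.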