Sawmill Newsletter

  February 15, 2009



Welcome to the Sawmill Newsletter!

You’re receiving this newsletter because during the downloading or purchase of Sawmill, you checked the box to join our mailing list. If you wish to be removed from this list, please send an email, with the subject line of “UNSUBSCRIBE” to newsletter@sawmill.net .


News

Sawmill 8.0.3 shipped on January 23, 2009. This is a minor "bug fix" release, and it is free to existing Sawmill 8 users.  It is recommended for anyone who is experiencing problems with Sawmill 8.0.0. You can download it from http://sawmill.net/download.html .

Sawmill 7 users can upgrade to Sawmill 8 for half of the license price; or if you currently have Premium Support, the upgrade is free. Major features of Sawmill 8 include support for Oracle and Microsoft SQL Server databases, real-time reporting, a completely redesigned web interface, better multi-processor and multi-core support, and role-based authentication control.

This issue of the Sawmill Newsletter describes a method for using Sawmill's log scanning and alerting features to detect and alert on intrusion attempts.


Get The Most Out Of Sawmill With Professional Services

Looking to get more out of your statistics from Sawmill? Running short on time, but need the information now to make critical business decisions? Our Professional Services experts are available for just this situation and many others. We will assist in the initial installation of Sawmill using best practices, and work with you to integrate and configure Sawmill to generate reports in the shortest possible time. We will tailor Sawmill to your environment, create a customized solution, be sensitive to your requirements and stay focused on what your business needs are. We will show you areas of Sawmill you may not even be aware of; demonstrating these methods will give you many streamlined ways to get the information more quickly. Often you'll find that Sawmill's deep analysis can even provide you with information you've been after but never knew how to reach, or possibly never realized was readily available in reports. Sawmill is an extremely powerful tool for your business, and most users only exercise a fraction of this power. That's where our experts really can make the difference. Our Sawmill experts have many years of experience with Sawmill and with a large cross section of devices and business sectors. Our promise is to very quickly come up with a cost-effective solution that fits your business, and greatly expand your ROI with only a few hours of fee-based Sawmill Professional Services. For more information, a quote, or to speak directly with a Professional Services expert, contact consulting@flowerfire.com.



Tips & Techniques: Detecting And Alerting On Intrusion Attempts With Sawmill


Sawmill's log filters make it possible to write very flexible rules for detecting certain conditions in the log data. This can be used for intrusion detection and alerting. Consider the following FTP log data from Microsoft Internet Information Services (IIS):


 #Software: Microsoft Internet Information Services 6.0
 #Version: 1.0
 #Date: 2009-02-05 04:59:59
 #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
 04:59:59 12.34.56.78 [4007]USER Administrator 331 0
 04:59:59 12.34.56.78 [4007]PASS - 530 1326
 04:59:59 12.34.56.78 [4007]USER Administrator 331 0
 04:59:59 12.34.56.78 [4007]PASS - 530 1326
 05:00:01 12.34.56.78 [4007]USER Administrator 331 0
 05:00:01 12.34.56.78 [4007]PASS - 530 1326
 05:00:01 12.34.56.78 [4007]USER Administrator 331 0
 05:00:02 12.34.56.78 [4007]PASS - 530 1326
 05:00:02 12.34.56.78 [4007]USER Administrator 331 0
 05:00:02 12.34.56.78 [4007]PASS - 530 1326
 05:00:03 12.34.56.78 [4007]USER Administrator 331 0
 05:00:03 12.34.56.78 [4007]PASS - 530 1326
 05:00:03 12.34.56.78 [4007]USER Administrator 331 0
 05:00:03 12.34.56.78 [4007]PASS - 530 1326


This log data shows a password-cracking attack originating from IP address 12.34.56.78. We can guess this is an attack, rather than a series of legitimate login attempts, because the logins are happening so fast--there are several attempts each second, from the same IP address, to log in as Administrator.

Sawmill can show this data in the Log Detail of its standard reporting, of course, and that can be useful for examining past intrusion attempts. But if you want to know about the intrusion attempt as it occurs, or shortly thereafter, you need more--you need alerting.

To create an alert in Sawmill, first define for yourself what condition should trigger the alert. In this case, it is: the line is a PASS (password attempt) line; its timestamp is the same as the timestamp of the previous password attempt for the same username (i.e., more than one attempt within a single second); and no alert has yet been sent for this IP address.

The last condition is intended to prevent Sawmill from sending a million emails to you, as one IP attempts to crack passwords over a million lines--we only want one email in this case.

Now that we've defined the condition, we need to implement it as a log filter (written in Salang, Sawmill's built-in language, which is used for advanced filtering). Below is a Salang log filter which implements this condition, and alerts on it. This can be copied and pasted directly into an "advanced expression" log filter created in your profile, in Config -> Log Filters:


 # Only consider PASS lines as intrusions
 if (cs_method eq "PASS") then (

   # Make sure the nodes we're going to use have been initialized
   v.password_attempt_times = "";
   v.intrusion_reported_for_ip = "";
 
   # Get the timestamp of the previous password attempt for the current user
   int last_password_attempt_for_this_user = @'v.password_attempt_times'{username};
 
   # If the current timestamp matches the timestamp of the previous attempt, then this is an intrusion attempt
   if (date_time == last_password_attempt_for_this_user) then (
 
     # If we've already reported this IP, don't do it again.
     if (!'v.intrusion_reported_for_ip'?{c_ip}) then (
 
       # send email to admin@yourplace.com, from admin@yourplace.com, with a simple description in the subject,
       # and a longer description in the body.
       send_email("admin@yourplace.com",
                  "admin@yourplace.com",
                  "Subject: Password scan attempt on " . username . " from " . c_ip . "\r\n" .
                    "To: admin@yourplace.com\r\n" .
                    "\r\n" .
                    "Sawmill has detected a password scan attempt on user " . username . " from IP address " .
                      c_ip . ".  There were multiple attempts to log in as " . username . " at " . date_time . ".",
                  "smtp.yourplace.com");

       # Remember that we have reported this IP
       @'v.intrusion_reported_for_ip'{c_ip} = true;
 
     ); # if intrusion not yet reported

   ); # if timestamp is the same

   # Remember the timestamp of this password attempt, for this username
   @'v.password_attempt_times'{username} = date_time;

 ); # if PASS


NOTE: This script uses new syntax available only in Sawmill 8. If you're using Sawmill 7, you will need to use equivalent syntax, e.g., node_exists instead of "?", and subnode_by_name() instead of "@{}".
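The same detection logic, as an added example written in Python rather than Salang (this is not Sawmill's code): it parses the IIS W3C extended log shown above, keeps the username from each session's USER line (the PASS line only carries "-", so the username must be remembered from the preceding USER command, an assumption about the log layout), and raises one alert per IP when two PASS attempts for the same user share a timestamp. The sample log is constructed in the shape of the one discussed above, and alerts are collected instead of emailed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the IIS FTP log discussed above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-02-05 04:59:59
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
04:59:59 12.34.56.78 [4007]USER Administrator 331 0
04:59:59 12.34.56.78 [4007]PASS - 530 1326
04:59:59 12.34.56.78 [4007]USER Administrator 331 0
04:59:59 12.34.56.78 [4007]PASS - 530 1326
05:00:01 12.34.56.78 [4007]USER Administrator 331 0
05:00:01 12.34.56.78 [4007]PASS - 530 1326
05:00:01 12.34.56.78 [4007]USER Administrator 331 0
05:00:02 12.34.56.78 [4007]PASS - 530 1326
"""

@dataclass
class Alert:
    username: str
    ip: str
    time: str

def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect_password_scans(text):
    """Mirror the Salang filter: alert when a PASS attempt carries the same
    timestamp as the previous PASS attempt for the same user, once per IP."""
    last_attempt_time = {}   # username -> timestamp of its previous PASS
    reported_ips = set()     # IPs already alerted on (one email per IP)
    current_user = {}        # c-ip -> username from that client's last USER
    alerts = []
    for rec in parse_w3c(text):
        # IIS FTP logs prefix the command with the session id, e.g. "[4007]PASS"
        method = re.sub(r"^\[\d+\]", "", rec["cs-method"])
        if method == "USER":
            current_user[rec["c-ip"]] = rec["cs-uri-stem"]
            continue
        if method != "PASS":
            continue
        user = current_user.get(rec["c-ip"], "-")
        if last_attempt_time.get(user) == rec["time"] and rec["c-ip"] not in reported_ips:
            alerts.append(Alert(user, rec["c-ip"], rec["time"]))
            reported_ips.add(rec["c-ip"])
        last_attempt_time[user] = rec["time"]
    return alerts
```

Running it on the sample yields a single alert for Administrator from 12.34.56.78 at 04:59:59, even though the same IP keeps trying afterwards.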

The lines beginning with # are comments, and describe the operation of the log filter in detail. Some comments:

Advanced Topic: Real-Time Alerting From Streaming Log Data

If the log filter we've created above is in a profile when you build a database, it will trigger all alerts for the dataset during the build. This is fine for getting after-the-fact information about the intrusion, but if you want to be alerted as intrusions occur, you need to stream the log data into Sawmill as it is generated. This is best done with a command line log source, which monitors the log files and dumps new data to its standard output stream as it appears in the log files (UNIX "tail -f" is a simple example of this). This requires an external script to do the monitoring; once you have created such a script, you can do real-time alerting by doing a Real-Time database build (using the Real-Time feature of Sawmill 8 Enterprise), or by using streaming alerting with the "-a pl" option (see the May 2007 Newsletter).


Professional Services

The techniques described in this newsletter involve advanced Salang programming and scripting. This is something you can implement yourself, if you have programming or scripting experience, or if you are willing to spend time learning Salang. If you would like this sort of alerting implemented in your Sawmill installation, but are not familiar with programming, or Salang, or don't have time to do it yourself, we can help. Sawmill's Professional Services experts can implement a filter like this one for you, using your own rules and your own data, and in your own profile, very quickly. Contact support@sawmill.net for a quote.


[Article revision v1.0]