1. For example, in a password-guessing attack against SSH, the victim's SSH logfile records ample evidence that the attack took place, but it does not always reveal the attacker's other behaviour (for instance, whether a long-lived session was eventually established). Network traffic analysis cannot reconstruct the session for us, but it can surface evidence of that other behaviour, such as the successful establishment of a session.
The following is quoted from https://www.imzcy.cn/1274.html, the format of the ssh logfile:

1) Meaning of each field on a line:
month day hh:mm:ss server-hostname program (sshd or su) module details

2) Log of a normal ssh login to the server:
Aug 8 02:20:09 imzcy sshd[18936]: Accepted password for root from 192.168.217.10 port 57516 ssh2
Aug 8 02:20:09 imzcy sshd[18936]: pam_unix(sshd:session): session opened for user root by (uid=0)

3) Logout after a normal login:
Aug 8 02:01:38 imzcy sshd[18252]: pam_unix(sshd:session): session closed for user root

4) Switching to another user:
Aug 8 02:20:54 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:21:06 imzcy su: pam_unix(su-l:session): session closed for user zcy

5) Logging in as root, switching to user zcy, then closing the connection window directly from zcy:
Aug 8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug 8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 02:38:13 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:38:27 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug 8 02:38:27 imzcy sshd[19167]: pam_unix(sshd:session): session closed for user root

6) Connecting to the server and cancelling at the password prompt:
Aug 8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.

7) Wrong password:
Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2

8) Too many wrong passwords:
Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:06 imzcy last message repeated 3 times
Aug 8 02:34:13 imzcy last message repeated 2 times
Aug 8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug 8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
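To make point 1 concrete, here is an added example (my own code, not part of the notes or of the quoted imzcy.cn post) that parses lines in the format quoted above and reconstructs what the log can and cannot tell us: how many guesses each source made against each account, whether a source that exceeded the retry limit later logged in successfully, and how long each sshd session lived (tied together by the sshd PID, with an su attributed to the session open at the time). The sample log is constructed from the quoted lines, reordered chronologically; the year (syslog timestamps carry none), the alert threshold of 3 and the "invalid user" variant of the Failed line are assumptions. Note the handling of syslog's "last message repeated N times" compression: expanding it gives 7 failed guesses, which agrees with the "7 > 3" the server itself logged.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample assembled from the sshd/su lines quoted above, in
# chronological order: a cancelled login, a burst of password guesses from
# 192.168.217.10 (with syslog "last message repeated" compression), then a
# successful root login from the same host that switches to user zcy.
SAMPLE_LOG = """\
Aug  8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.
Aug  8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug  8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug  8 02:34:06 imzcy last message repeated 3 times
Aug  8 02:34:13 imzcy last message repeated 2 times
Aug  8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug  8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug  8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug  8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
Aug  8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug  8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  8 02:38:13 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug  8 02:38:27 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug  8 02:38:27 imzcy sshd[19167]: pam_unix(sshd:session): session closed for user root
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                     r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
PROG_RE = re.compile(r"^(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
# sshd also writes "Failed password for invalid user X ..." for unknown accounts.
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
OPEN_RE = re.compile(r"^pam_unix\([^)]+:session\): session opened for user (?P<user>\S+) by ")
CLOSE_RE = re.compile(r"^pam_unix\([^)]+:session\): session closed for user (?P<user>\S+)")


def parse_syslog(text, year=2017):
    """Turn syslog lines into event dicts (year is assumed: syslog has none).
    'last message repeated N times' becomes N copies of the preceding event
    stamped with the repeat line's time; without that the counts are wrong."""
    events, prev = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                          # not a line we understand: skip
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                      *map(int, m["time"].split(":")))
        rep = REPEAT_RE.match(m["rest"])
        if rep and prev is not None:
            events.extend(dict(prev, ts=ts) for _ in range(int(rep["n"])))
            continue
        pm = PROG_RE.match(m["rest"])
        if not pm:
            continue
        prev = {"ts": ts, "host": m["host"], "prog": pm["prog"],
                "pid": int(pm["pid"]) if pm["pid"] else None, "msg": pm["msg"]}
        events.append(prev)
    return events


def analyze(events, threshold=3):
    """Failed guesses per (source, user), accepted logins, and each sshd
    session's lifetime keyed by sshd PID (an su is attributed to the session
    open at that moment). A source with more than `threshold` failures that
    later logs in successfully becomes an alert."""
    failures, last_fail, accepted, sessions = Counter(), {}, [], {}
    for ev in events:
        msg = ev["msg"]
        if ev["prog"] == "sshd":
            if (m := FAILED_RE.match(msg)):
                failures[(m["ip"], m["user"])] += 1
                last_fail[(m["ip"], m["user"])] = ev["ts"]
            elif (m := ACCEPT_RE.match(msg)):
                accepted.append({"ts": ev["ts"], "ip": m["ip"], "user": m["user"],
                                 "method": m["method"], "pid": ev["pid"]})
                sessions[ev["pid"]] = {"user": m["user"], "ip": m["ip"],
                                       "opened": None, "closed": None, "su": []}
            elif OPEN_RE.match(msg) and ev["pid"] in sessions:
                sessions[ev["pid"]]["opened"] = ev["ts"]
            elif CLOSE_RE.match(msg) and ev["pid"] in sessions:
                sessions[ev["pid"]]["closed"] = ev["ts"]
        elif ev["prog"] == "su" and (m := OPEN_RE.match(msg)):
            for s in sessions.values():
                if s["opened"] is not None and s["closed"] is None:
                    s["su"].append((ev["ts"], m["user"]))
    for s in sessions.values():            # lifetime only if both ends were logged
        s["seconds"] = ((s["closed"] - s["opened"]).total_seconds()
                        if s["opened"] and s["closed"] else None)
    alerts = []
    for (ip, user), n in failures.items():
        if n > threshold:
            later = [a for a in accepted if a["ip"] == ip and a["ts"] >= last_fail[(ip, user)]]
            alerts.append({"ip": ip, "user": user, "failures": n,
                           "success": later[0] if later else None})
    return {"failures": failures, "accepted": accepted, "sessions": sessions, "alerts": alerts}


if __name__ == "__main__":
    report = analyze(parse_syslog(SAMPLE_LOG))
    for a in report["alerts"]:
        print(a["ip"], "->", a["user"], a["failures"], "failures; success:", a["success"])
    for pid, s in report["sessions"].items():
        print("sshd[%d] %s lived %s s, su to %s" % (pid, s["user"], s["seconds"], [u for _, u in s["su"]]))
```

On the sample this reports one alert (192.168.217.10 made 7 guesses against root, then succeeded at 02:38:11) and one session, sshd[19167], that lived 16 seconds and switched to zcy. That lifetime is only recoverable because both the "opened" and "closed" lines survived; an attacker who keeps the session up, or tampers with the log, leaves exactly the gap that point 1 says traffic analysis must fill.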
2. Collecting data is the easy part; the real difficulty is that we often do not know what data we need to collect. In security, what we should be paying attention to are the threats that actually exist.
Attack behaviour is common, real security threats are not. Most network traffic is harmless and extremely repetitive, and the attack traffic scattered through it is mostly automated and crude (blatant). Only a small fraction of that attack traffic represents a real security threat.
(hand-drawn diagram)
3. On processing large volumes of data: a security threat is a rare phenomenon mined out of a mass of data (relative to the whole traffic it is only a tiny fraction), so I/O accounts for almost all of the cost of security analysis. For example, a single OC-3 can produce 5 TB of data per day, while an eSATA disk reads about 0.3 GB per second, so a single pass over one day's data takes several hours (5 TB / 0.3 GB/s ≈ 4.6 h).
And the data we collect is very likely to come from multiple sources, which inevitably produces redundant data; that redundancy further increases the load and lengthens processing time.
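An added example (my own code, not from the notes or the book they summarise) of how that redundancy arises and how it is collapsed before it reaches the query stage: two sensors on the same path each export a NetFlow-style record for every flow, so most flows arrive twice. The records, the sensor names "edge" and "inner", and the 1-second matching window are constructed assumptions. Records from different sensors with the same 5-tuple starting within the window are merged into one record that remembers which sensors saw it; a repeated 5-tuple from the same sensor is deliberately kept, since for one sensor that is a new or continued flow rather than a copy.

```python
# Constructed flow records (NetFlow-style, epoch-second timestamps) from two
# sensors on the same path: three flows seen by both, one internal flow seen
# only by "inner", and a continuation record for a long-lived flow reported
# again by "edge" a minute later.
def rec(sensor, ts, src, sport, dst, dport, nbytes, proto=6):
    return {"sensor": sensor, "ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes}


RECORDS = [
    rec("edge",  1000.0, "10.0.0.5",  51000, "192.0.2.10",   22,  4200),
    rec("inner", 1000.3, "10.0.0.5",  51000, "192.0.2.10",   22,  4200),
    rec("edge",  1001.0, "10.0.0.7",  51001, "192.0.2.10",   443, 900),
    rec("inner", 1001.2, "10.0.0.7",  51001, "192.0.2.10",   443, 900),
    rec("edge",  1002.0, "10.0.0.9",  51002, "198.51.100.4", 53,  120, proto=17),
    rec("inner", 1002.4, "10.0.0.9",  51002, "198.51.100.4", 53,  120, proto=17),
    rec("inner", 1003.0, "10.0.0.11", 51003, "10.0.0.12",    445, 8800),  # never crosses the edge
    rec("edge",  1060.0, "10.0.0.5",  51000, "192.0.2.10",   22,  3100),  # continuation, keep
]


def flow_key(r):
    """Identity of a flow independent of which sensor reported it."""
    return (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])


def dedupe_flows(records, window=1.0):
    """Merge records from *different* sensors that describe the same flow
    (same 5-tuple) starting within `window` seconds of each other.
    Returns (merged, dropped); each merged record lists the sensors that
    saw it, which is itself useful evidence of the path the flow took."""
    merged, dropped = [], 0
    last_by_key = {}                    # flow key -> index of newest merged record
    for r in sorted(records, key=lambda r: r["ts"]):
        i = last_by_key.get(flow_key(r))
        if i is not None:
            m = merged[i]
            if r["sensor"] not in m["sensors"] and r["ts"] - m["ts"] <= window:
                m["sensors"].append(r["sensor"])
                dropped += 1
                continue
        entry = {k: v for k, v in r.items() if k != "sensor"}
        entry["sensors"] = [r["sensor"]]
        last_by_key[flow_key(r)] = len(merged)
        merged.append(entry)
    return merged, dropped


def redundancy(records, window=1.0):
    """Fraction of the collected records that were copies from another sensor."""
    _, dropped = dedupe_flows(records, window)
    return dropped / len(records)


if __name__ == "__main__":
    merged, dropped = dedupe_flows(RECORDS)
    print("%d records in, %d unique flows, %d dropped (%.0f%% redundant)"
          % (len(RECORDS), len(merged), dropped, 100 * redundancy(RECORDS)))
    for m in merged:
        print(m["src"], m["dst"], m["dport"], "seen by", m["sensors"])
```

On the constructed input 8 records collapse to 5 flows, i.e. 37.5% of what was stored was a duplicate observation. The window must be chosen from the sensors' real clock skew; too wide and distinct short flows with reused ports get merged, too narrow and the duplicates stay.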
4. A good storage and query system can always answer an analyst's arbitrary query within a reasonable time, whereas in a poor system the cost of querying always exceeds the cost of storing and collecting the data. How well the final system performs depends directly on understanding how each sensor works, how it is deployed, and what interfaces it exposes.