Daniel Cid <[EMAIL PROTECTED]> wrote:
> -For the Symantec. Can you show me one or two entries of a log where a virus
> was found?
Here is a sample of virus detections:
240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Nebuler,C:\WINDOWS\system32\winvdj32.dll,5,4,4,256,570441764,"",0,,0,,0,18150,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\winD51.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\winDA7.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ images.exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\win1C.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\bagle.exe,5,4,4,256,570441764,"",0,,0,,0,39707,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ .exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\win19D3.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\win19E5.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\win1A04.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
240801012127,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\win1A0B.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
> -For the Windows Routing and Remote Access logs. Can you describe what
> some of the fields in the log mean?
> In addition to that, where in the filesystem is this log located?
> I couldn't find much information about it on Google. Any link would be appreciated.
Ok. I have the Win2K RRAS logging to a local text file located at:
C:\WINNT\system32\LogFiles
The RRAS settings are set for the file to be in "database compatible file format". The other option for file format is "IAS file format" (I'm not currently using that format).
I have my RRAS server set to create new log files weekly, so the log filename format is INyymmww.log (yy = year, mm = month, ww = week).
I gather that it is pretty much a RADIUS-style file. The RRAS server logging properties are also set to:
1. Log accounting requests (for example: accounting start or stop)
2. Log authentication requests (for example access-accept or access-reject)
3. Log periodic status (for example interim accounting requests)
These settings are optional though, so not everyone will have them set.
I found some links that may give some insight into the details of the log file.
Key Concepts for IAS SQL logging - http://technet2.microsoft.com/WindowsServer/en/library/5dcae8bc-d1e0-4562-9f53-b8478e5d33081033.mspx?mfr=true
Though it's about Microsoft's Radius server called Internet Authentication Server (IAS), it is essentially about importing the same "database compatible" RRAS log file into a SQL database.
I also found this link for "Microsoft IAS RADIUS Attribute Sequence (Database Compatible Log Format Only)" - http://www.radiusreporting.com/IAS-DB-Attribute-Format-Table.html
That last link actually does give a description of the fields.
What I do manually is to look in this log file to identify which Windows user ID logged onto the network via RRAS and was assigned the IP address that triggered my Snort alerts, then revoke dialup access. If that kind of correlation could be done automatically, it would be very cool. Maybe active response would be possible (disabling dialup access for the offending account) via some Windows scripting.
> -For Jay: Where are these SpamCop logs located and how often are they changed?
> *I posted the provided logs in the wiki.
> Thanks for the information and suggestions.
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
On 11/6/06, Black CryptoKnight <[EMAIL PROTECTED]> wrote:
> Support for Symantec Antivirus Corporate Edition logs would be very cool.
>
> A description of their log format is here:
> http://service1.symantec.com/SUPPORT/ent-security.nsf/0/57757c1d149130b788256c760069f7f7?OpenDocument&seg=en&lg=en&ct=us
>
> I've attached a log sample (with IP addresses and other sensitive
> information changed).
>
>
> Black CryptoKnight <[EMAIL PROTECTED]> wrote:
> I'd also like to see support for Windows Routing and Remote Access logs.
> Samples attached for Win2K RRAS dialup (with IP addresses and other
> sensitive information modified).
>
>
>
> Black CryptoKnight <[EMAIL PROTECTED]> wrote:
> There are some logfiles I'd love to see OSSEC support for log analysis.
> I'll post log samples for them in this thread.
>
> I'd love to see support for analysing Lotus Domino http logs. Attached are
> some log samples for the Lotus Domino Web server (with IP addresses and
> sensitive info modified).
>
> ________________________________
> Want to start your own business? Learn how on Yahoo! Small Business.
>
>
> Visit Jamaica's Tech Portal http://www.techjamaica.com
> ________________________________
> Access over 1 million songs - Yahoo! Music Unlimited Try it today.
>
>
> ________________________________
> Sponsored Link
>
> Try Netflix today! With plans starting at only $5.99 a month what are you
> waiting for?
>
>
>
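An added example, not code from this thread or from OSSEC, that parses the Symantec AntiVirus Corporate Edition records posted earlier in the thread. The column positions, the hex timestamp encoding (year counted from 1970, zero-based month) and the action codes are taken from the Symantec log-format document linked above as the editor recalls them; verify them against that document before relying on them. The four sample records are copied from the thread as posted (the list archive appears to have replaced an @-containing worm name with "[EMAIL PROTECTED]"). The point a practitioner should take from this batch: the real action on every record is 4 (leave alone), so nothing was cleaned, and several file paths are UNC paths to another host's admin share, so the infected file is on jsnail1, not on the scanning host RBLWAP.

```python
import csv
from datetime import datetime

# 0-based column positions in a Symantec AntiVirus Corporate Edition log record,
# per the Symantec log-format document linked in this thread (verify there).
TIME, EVENT, CATEGORY, LOGGER, COMPUTER, USER, VIRUS, FILE = range(8)
WANTED_ACTION_1, WANTED_ACTION_2, REAL_ACTION = 8, 9, 10
DEF_INFO, ADDRESS = 26, 34

EVENT_INFECTION = 5  # Event code for "virus found" (other events are scan start/stop etc.)
ACTIONS = {1: "Quarantine", 2: "Rename", 3: "Delete", 4: "Leave alone", 5: "Clean"}
LEAVE_ALONE = 4

# Sample records copied from the thread above (the list archive replaced the
# @-containing virus name in the UNC-path records with "[EMAIL PROTECTED]").
SAMPLE_LINES = [
    r'240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825',
    r'240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan Horse,C:\WINDOWS\TEMP\winD51.tmp,5,4,4,256,570441764,"",0,,0,,0,25464,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825',
    r'240801012128,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\system32\ images.exe,5,4,4,256,570441764,"",0,,0,,0,17525,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825',
    r'240801012127,5,1,720997,RBLWAP,SYSTEM,[EMAIL PROTECTED],\\jsnail1\c$\WINNT\bagle.exe,5,4,4,256,570441764,"",0,,0,,0,39707,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825',
]


def decode_time(stamp):
    """Symantec timestamps are six hex byte pairs YYMMDDHHMMSS: the year is
    counted from 1970 and the month is zero-based (0x08 -> September)."""
    yy, mo, dd, hh, mi, ss = (int(stamp[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mo + 1, dd, hh, mi, ss)


def parse_record(line):
    """Return a dict for an infection record, or None for anything else."""
    fields = next(csv.reader([line]))
    if len(fields) <= ADDRESS or fields[EVENT] != str(EVENT_INFECTION):
        return None
    path = fields[FILE]
    # A UNC path means the scanner on COMPUTER reached the file over the
    # network; the host that actually holds the infected file is in the path.
    scanned_host = path.split("\\")[2] if path.startswith("\\\\") else None
    real = int(fields[REAL_ACTION])
    return {
        "time": decode_time(fields[TIME]),
        "computer": fields[COMPUTER],
        "user": fields[USER],
        "virus": fields[VIRUS],
        "path": path,
        "scanned_host": scanned_host,
        "real_action": ACTIONS.get(real, f"action {real}"),
        "left_alone": real == LEAVE_ALONE,
        "defs": fields[DEF_INFO],
        "address": fields[ADDRESS].removeprefix("(IP)-"),
    }


def unremediated(lines):
    """Infections whose real action was 'Leave alone', grouped by the host that
    holds the file. Every record in the thread's sample lands here: wanted
    action 5 (clean) fell through to wanted action 4 (leave alone)."""
    by_host = {}
    for line in lines:
        rec = parse_record(line)
        if rec and rec["left_alone"]:
            host = rec["scanned_host"] or rec["computer"]
            by_host.setdefault(host, []).append((rec["virus"], rec["path"]))
    return by_host


if __name__ == "__main__":
    for host, hits in unremediated(SAMPLE_LINES).items():
        print(f"{host}: {len(hits)} infected file(s) left in place")
        for virus, path in hits:
            print(f"  {virus}  {path}")
```

Decoding the first record's stamp 240801012128 gives 2006-09-01 01:33:40, two days after the 20060830.022 definitions the record names, which is a handy sanity check that the month really is zero-based (a one-based reading would put the detection on 1 August, before those definitions existed). For an OSSEC-style rule the fields worth alerting on are the real action being 4 and a UNC path pointing at a host other than the one that logged the event.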
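The correlation described earlier in the thread (Snort alert IP to RRAS dialup user), written up as an added Python example; it is not code from the thread, from OSSEC or from Microsoft. The column positions follow the IAS "database compatible" attribute-sequence table linked above and the mm/dd/yyyy date format that file uses; both are assumptions to check against that table and a real INyymmww.log. The log lines are constructed in that shape for the example, not the author's attached samples. It works from accounting Start/Stop records rather than from authentication records because a dialup pool hands the same address to successive callers, so the right user is the one whose session window contains the alert time, not the most recent record that mentions the IP.

```python
import csv
from datetime import datetime

# 0-based column positions in the IAS/RRAS "database compatible" log format,
# assumed from the attribute-sequence table linked in the thread. Check them
# against that table and against a real INyymmww.log before relying on them.
RECORD_DATE, RECORD_TIME, PACKET_TYPE, USER_NAME = 2, 3, 4, 5
FRAMED_IP_ADDRESS = 10
ACCT_STATUS_TYPE = 31
ACCT_SESSION_ID = 35

ACCOUNTING_REQUEST = "4"          # RADIUS Packet-Type (1/2/3 = Access-Request/Accept/Reject)
ACCT_START, ACCT_STOP = "1", "2"  # RADIUS Acct-Status-Type (3 = Interim-Update)

# Constructed sample in the shape of the format (not the author's attached file).
# The 14 unused attributes between Client-Friendly-Name and Acct-Status-Type are
# left empty and the columns after Acct-Session-Id are omitted.
_HEAD = ('"RRAS01","RAS",09/01/2006,{t},{p},"{u}","{u}",,"{cs}",,"192.168.100.237",'
         '"RRAS01","192.168.100.1",3,311,"192.168.100.1","RRAS01"')
SAMPLE_LOG = "\n".join([
    # Access-Accept for jsmith: an authentication record, carries no session state
    _HEAD.format(t="01:30:12", p=2, u="ACME\\jsmith", cs="5551234"),
    # Accounting Start/Stop: jsmith holds .237 from 01:30:13 until 02:10:45 ...
    _HEAD.format(t="01:30:13", p=4, u="ACME\\jsmith", cs="5551234") + "," * 15 + '1,0,,,"2B0001"',
    _HEAD.format(t="02:10:45", p=4, u="ACME\\jsmith", cs="5551234") + "," * 15 + '2,0,814233,5124411,"2B0001"',
    # ... and the pool hands the same address to bwilson a few minutes later (still connected)
    _HEAD.format(t="02:15:02", p=4, u="ACME\\bwilson", cs="5559876") + "," * 15 + '1,0,,,"2B0002"',
])


def parse_sessions(text):
    """Pair accounting Start and Stop records by Acct-Session-Id.
    Returns [(user, ip, start, stop)], with stop None for sessions still open."""
    open_sessions, sessions = {}, []
    for f in csv.reader(text.splitlines()):
        if len(f) <= ACCT_SESSION_ID or f[PACKET_TYPE] != ACCOUNTING_REQUEST:
            continue  # blank rows and authentication records carry no session state
        when = datetime.strptime(f"{f[RECORD_DATE]} {f[RECORD_TIME]}", "%m/%d/%Y %H:%M:%S")
        sid = f[ACCT_SESSION_ID]
        if f[ACCT_STATUS_TYPE] == ACCT_START:
            open_sessions[sid] = (f[USER_NAME], f[FRAMED_IP_ADDRESS], when)
        elif f[ACCT_STATUS_TYPE] == ACCT_STOP and sid in open_sessions:
            user, ip, start = open_sessions.pop(sid)
            sessions.append((user, ip, start, when))
    sessions.extend((u, ip, s, None) for u, ip, s in open_sessions.values())
    return sessions


def who_had_ip(sessions, ip, at):
    """User holding `ip` at time `at` (datetime or ISO-8601 string), else None.
    The pool reuses addresses, so the match is the session window that contains
    the alert time, not the last record that mentions the address."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for user, sip, start, stop in sessions:
        if sip == ip and start <= at and (stop is None or at < stop):
            return user
    return None


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    # A Snort alert at 01:33:40 from 192.168.100.237: who was dialed in?
    print(who_had_ip(sessions, "192.168.100.237", "2006-09-01T01:33:40"))
```

Feed it the RRAS file for the week of the alert (and the previous week's file if the session could have started before the file rolled over), and feed `who_had_ip` the alert's timestamp converted to the RRAS server's local time, since the log's Record-Date/Record-Time are local. A lookup that returns None for an address that was in an alert is itself worth a look: either the log has a gap or the address was not handed out by RRAS at all.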