Security Tools 1¶
links: SPA TOC - Security Tools - Index
Syslog¶
- Invented in 1980's
- Standard specification about forwarding "log messages" in an IP network
- Syslog protocol is Client \(\leftrightarrow\) Server
- Default port: UDP 514
Syslog Layers¶
- syslog content (message)
- The management information contained in a syslog messages
- syslog application
- Responsible for generation, interpretation, routing, and storage of syslog messages
- syslog transport
- Responsible for transporting the messages
Syslog Components¶
- Originator = Client \(\rightarrow\) sends the message
- Relay = Receives the message \(\rightarrow\) processes it \(\rightarrow\) forwards it (All according to its configuration)
- Collector = Server \(\rightarrow\) write the message to the file/DB/...
Syslog Header¶
PRI (for Priority) (must):
PRI is a calculated value
Example: MAIL.INFO = \(2\cdot8+6\)
PRI - Facility
Numerical Code | Facility |
---|---|
0 | kernel messages |
1 | user-level messages |
2 | mail system |
3 | system daemons |
4 | security/authorization messages |
5 | messages generated internally by syslog |
6 | line printer subsystem |
7 | network news subsystem |
8 | UUCP subsystem |
9 | clock daemon |
10 | security/authorization messages |
11 | FTP daemon |
12 | NTP subsystem |
13 | log audit |
14 | log alert |
15 | clock daemon |
16 - 23 | local use 0 - 7 (local0 - local7) |
PRI - Severity
Numerical Code | Severity |
---|---|
0 | Emergency: system is unusable |
1 | Alert: action must be taken immediately |
2 | Critical: critical conditions |
3 | Error: error conditions |
4 | Warning: warning conditions |
5 | Notice: normal but significant condition |
6 | Informational: informational messages |
7 | Debug: debug-level messages |
- Version (must): A IANA assigned version number. RFC5424 uses version 1
- Timestamp (must): Date followed by uppercase T followed by time and maybe time zone
- Hostname (must):
- FQDN
- IP Address
- Hostname
- NIL Value (NULL)
- Application name (should): Name of the application gathering the log message
- Process ID (should): Numerical value representing the PID (normally) of the application gathering the log message
- Message ID (should): Message type to identify the message
Syslog MSG/Message¶
Anything can be a syslog message
UTF-8 for data and messages text
Syslog message up to 480 Octets must be accepted but 2048 should be accepted
Syslog implementations¶
UNIX/LINUX
- syslog-ng
- rsyslog
- sysklogd
- systemd (journald)
- Default journal service of Linux systems (which uses systemd)
- Replacement for rsyslog
- Received from variety of sources:
- Kernel log messages (kmsg)
- simple system log messages (libvc syslog)
- structured system log messages (Journal API)
- standard output and standard error of service units
- audit records
- can be queried with journalctl
- stored in
/var/log/journal
- can be sent to remote server using systemd-journal-upload
Windows
- NTsyslog
- Kiwi Syslog
- Win Syslog
- Megalog Suite
- Rsyslog Windows Agend
Frontends
- LogAnalyzer
- ELK Stack (Elasticsearch Logstash Kibana)
- Logzilla NEO
- Splunk
- Grafana Loki
TCPDUMP¶
Command-line packet analyzer
tcpdump <options> <filter>
options:
-n
no dns resolution-i
interface to listen on-s
snaplen-w
write out to file-v
verbose-Z
drop privileges to user-D
available network interfaces-e
print link-level header-F
use file as input to filter expression-p
Dont put interface into "promiscuous" mode-
-r
Read packets from file -
filter = pcap filtering language using
- filter expressions = consists of one or more primitives
- primitives = consists of an id (name or number) and one or more qualifiers. Special primitives = gateway, broadcast, less, greate
- qualifiers: one of...
- type: qualifiers say what kind the id refers to (host, net, port, portrange)
- dir(direction): qualifier specify a transfer direction (src, dst, src | dst, src, dst)
- or proto(protocol): qualifier restrict the match to a protocol (ether, wlan, ip, ip6, arp, rarp, tcp and udp, ...)
Wireshark¶
- Network packet/protocol analyzer for Unix/Linux, OS X and Windows
- Based on libpcap/npcap with graphical frontend
- Open-Source
- Licence = GPL
Use Cases
- Troubleshoot network problems
- Examine security problems
- Verify network applications
- debug protocol implementations
- Learn network protocol internals
Features
- Capture packet data from network interface
- Open pcap files from different sources (tcpdump/WindDump, Wireshark and others)
- Import hex dumps of packet data
- Display packets
- Save packet data
- Export packet data
- Filter packets
- Search packets
- Create statistics
Capture Sources
- Ethernet
- 802.11 Wireless LAN
- Bluetooth
- USB interfaces
Filters
There are two different types of filters Capture filters (during capture time) and Display filters (can be used to analyze captured traffic). They use different filter languages.
TShark
TShark is the command-line interface of wireshark.
Nmap¶
Nmap is a free network security scanner. Allows network-wide ping sweep, port, OS detection scans
Syntax:
nmap <options> <targets>
Options:
-P0 do not ping
-sT connect scan
-sP ping scan
-v verbose
-O guess OS
-sS syn stealth scan
-sV service version scan
TCP State Machine:
Vulnerability scanner¶
Nessus
- Plugin based
- Client server structured
- network assessment and discovery
- patch, configuration and content auditing
Greenbone OpenVAS
- Pendant to Nessus but open-source
- Part of the Greenbone Security manager (GSM)
Honorable mentions¶
- THC amap = service scanner with version detection
- netcat = network debugging and exploration tool
- Metasploit = Open-Source platform for developing testing and using exploits
- hping2 = Network tool to send custom TCP/IP packets
- xprobe2 = Operating system fingerprinting tool
- firewalk = Reconnaissance network security tool to test layer 4 services forwarded by firewalls
- scrapy = Interactive packet manipulation tool, packet generator, network scanner, network discovery tool and packet sniffer
Top 125 Network Security Tools
links: SPA TOC - Security Tools - Index