Log Centralisation for Prelude

Alexandre Launay,
Pierre-Jean Turpeau

January 24, 2002

Goals

At the moment, the Prelude [14] system only runs on some UNIX-like operating systems. That is acceptable for the Prelude Manager, which centralizes the information, but it is a limitation if other types of computers are running on your local network and you want to improve its security.

Figure 1: Simple overview of the Prelude architecture [image omitted]

Given this problem, the main goal of our project is to centralize as many types of logs as possible from any computer connected to a LAN. By any computer we mean that any host running a modified version of Syslog should be able to contact the Prelude Manager, either to emit a security warning or simply to archive its logs. Such a host could of course be an NT/2k system or another UNIX-like system not supported by Prelude.

Solution

Our solution focuses mainly on the Windows NT/2k architecture, by modifying an existing tool called NTSyslog [11], available for free under the GPL license. In the standard distribution of NTSyslog (figure 2), the logs are transmitted from a WinNT/2k system to a syslog host over the UDP protocol, which is known not to be secure: the messages are neither encrypted nor authenticated.

Figure 2: NTSyslog current architecture [image omitted]

What we want is to add features to NTSyslog so that it can securely transmit data to a Prelude Manager, with a simple pre-filtering system able to remove useless system warnings (fewer warnings means less bandwidth used). Other features are illustrated in our architecture proposal (figure 3). One of them is the IDMEF-binary converter, which will convert the filtered logs into the IDMEF specification in a binary form (a C structure) instead of a text form such as a standard XML document. This saves network bandwidth during transmission and eases the decoding process on the Prelude Manager side.
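As an added illustration of the pre-filter and binary converter described above (example code written for this page, not NTSyslog's or Prelude's own), the following Python script applies first-match regexp rules to a few constructed event lines and packs the survivors into a fixed-size record. The line format, the rules and the record layout are all assumptions, since the proposal does not fix them.

```python
import re
import struct

# Constructed sample lines (not real NTSyslog output) in an assumed
# "<epoch> <host> EventID=<n> Severity=<s>: <message>" layout.
SAMPLE = [
    "1011856000 WKS01 EventID=529 Severity=Audit Failure: Logon failure: bad password for guest",
    "1011856001 WKS01 EventID=6005 Severity=Information: The Event log service was started",
    "1011856002 WKS01 EventID=517 Severity=Audit Success: The audit log was cleared",
    "1011856003 WKS01 EventID=10 Severity=Warning: Print spooler: document queued",
]

# Pre-filter rules (assumed; first match wins, default is keep): drop chatty
# sources and informational noise, always keep audit events worth an alert.
RULES = [
    (re.compile(r"\b(Print spooler|DHCP Client)\b"), "drop"),
    (re.compile(r"EventID=(517|529|539)\b"), "keep"),
    (re.compile(r"Severity=Information\b"), "drop"),
]

def prefilter(lines):
    """Return only the lines that survive the rules above."""
    return [line for line in lines
            if next((act for rx, act in RULES if rx.search(line)), "keep") == "keep"]

LINE_RX = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) EventID=(?P<id>\d+) Severity=(?P<sev>[^:]+): (?P<msg>.*)$")
SEVERITY = {"Information": 0, "Warning": 1, "Error": 2, "Audit Success": 3, "Audit Failure": 4}
# Assumed fixed layout standing in for the proposal's binary IDMEF C structure:
# uint32 time, uint16 event id, uint8 severity, 32-byte source, 64-byte message.
RECORD = struct.Struct("!IHB32s64s")

def pack_record(line):
    """Encode one filtered line as a fixed-size record in network byte order."""
    m = LINE_RX.match(line)
    return RECORD.pack(int(m["ts"]), int(m["id"]), SEVERITY[m["sev"]],
                       m["src"].encode()[:32], m["msg"].encode()[:64])

def unpack_record(data):
    """Manager side: decode a record without any XML parsing."""
    ts, eid, sev, src, msg = RECORD.unpack(data)
    return ts, eid, sev, src.rstrip(b"\0").decode(), msg.rstrip(b"\0").decode()

def to_xml(line):
    """Equivalent text form, used only to compare sizes with the binary record."""
    m = LINE_RX.match(line)
    return ("<Alert><CreateTime>%s</CreateTime><Source>%s</Source><EventId>%s</EventId>"
            "<Severity>%s</Severity><Message>%s</Message></Alert>"
            % (m["ts"], m["src"], m["id"], m["sev"], m["msg"])).encode()
```

Messages longer than 64 bytes are truncated by the fixed layout, which is the usual price of a C-structure encoding; a real converter would need a length field or a second record for the remainder.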

There are other minor changes we can make to NTSyslog to improve its efficiency. First, it would be worthwhile to save the logs in a text file on each WinNT/2k machine: if the connection to the Prelude Manager is broken, we still have a trace of what happened on that machine. We can also secure this local log file with the PEO protocol [9], as used in Modular Syslog [1]. That prevents hidden modification by an intruder who has gained the "root" account (or the "Administrator" account) on the attacked host.
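The following Python sketch, added here and not taken from Modular Syslog or from the PEO paper, shows the idea behind the protected local log file: a simplified forward-secure hash chain in the spirit of PEO, with a writer on the host and a verifier holding the initial key off-host. The key derivation, tag format and event lines are constructed assumptions.

```python
import hashlib
import hmac

# Simplified forward-secure hash chain in the spirit of PEO (constructed here, not
# Modular Syslog's implementation): each entry gets an HMAC under the current key,
# the key is then replaced by its one-way hash and the old one erased, so an intruder
# who gains Administrator later cannot re-tag entries written before the break-in.

def next_key(key):
    return hashlib.sha256(b"peo-chain-step" + key).digest()

def entry_tag(key, index, line):
    return hmac.new(key, b"%d:%s" % (index, line.encode()), hashlib.sha256).hexdigest()

class SecuredLog:  # writer side, running on the WinNT/2k host
    def __init__(self, initial_key):
        self.key = initial_key   # evolves; old keys are never kept on the host
        self.entries = []        # (index, line, tag) as they would sit in the file

    def append(self, line):
        index = len(self.entries)
        self.entries.append((index, line, entry_tag(self.key, index, line)))
        self.key = next_key(self.key)

def verify(initial_key, entries):
    """Off-host check with the escrowed initial key: (True, count) if intact, else
    (False, first bad index). Tail truncation needs a separate off-host counter."""
    key = initial_key
    for expected, (index, line, tag) in enumerate(entries):
        if index != expected or not hmac.compare_digest(tag, entry_tag(key, index, line)):
            return False, expected
        key = next_key(key)
    return True, len(entries)

def demo():
    k0 = b"constructed-initial-key-escrowed-off-host"
    log = SecuredLog(k0)
    for line in ("EventID=528 Successful logon: admin",
                 "EventID=529 Logon failure: bad password for guest",
                 "EventID=517 The audit log was cleared"):
        log.append(line)
    intact = verify(k0, log.entries)
    # An intruder who now holds Administrator rewrites the failed-logon line and
    # re-tags it with the only key left on the host, which has already moved on.
    tampered = list(log.entries)
    index, line, _ = tampered[1]
    forged = line.replace("guest", "nobody")
    tampered[1] = (index, forged, entry_tag(log.key, index, forged))
    return intact, verify(k0, tampered)
```

The chain only protects entries written before the intruder obtained the key material; anything appended afterwards is tagged with keys the intruder also holds, which is why the file should be shipped to the Prelude Manager as early as possible.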

Figure 3: Modified NTSyslog architecture [image omitted]

If we have enough time, we would like to propose some useful rules for the regexp filter: a compromise between good security and less log noise.

Another nice thing would be to test how NTSyslog reacts to advanced scanners [5] and IDS testers [2], so that we could tune the filtering rules.

Details

The command line part of NTSyslog has been successfully compiled with Cygwin [10] (using the MinGW environment package) under Win2k. We will use this kind of environment to implement the new features on the Windows platform.

In particular, we will try to use libpcre for the regexp filter and OpenSSL for the secure connection between NTSyslog and a Prelude Manager. Both are provided as packages in the Cygwin environment.

Bibliography

1
Ariel Aizenberg, Alejo Sanchez, and Claudio Castiglia.
Modular Syslog, 2001.
http://msyslog.sourceforge.net/.

2
Stephane Aubert.
IDSwakeup, 2000.
http://www.hsc.fr/ressources/outils/idswakeup/.

3
B. Feinstein (Guardent, Inc.), G. Matthews (CSC/NASA Ames Research Center), and J. White (MITRE Corporation).
The Intrusion Detection Exchange Protocol, November 2001.
http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-03.txt.

4
D. Curry (Merrill Lynch) and H. Debar (France Telecom).
Intrusion Detection Message Exchange Format data model and Extensible Markup Language (XML) document type definition, December 2001.
http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-06.txt.

5
Renaud Deraison.
Nessus.
http://www.nessus.org/.

6
Intrusion Detection Working Group.
The idwg-public mailing list.
http://www.semper.org/idwg-public/.

7
Paul Innella (Tetrad Digital Integrity, LLC).
The evolution of IDS.
Security Focus, November 2001.
http://www.securityfocus.com/infocus/1514.

8
Paul Innella and Oba McMillan (Tetrad Digital Integrity, LLC).
An introduction to intrusion detection systems.
Security Focus, December 2001.
http://www.securityfocus.com/infocus/1520.

9
Emiliano Kargieman and Ariel Futoransky.
VCR and PEO revised.
Technical report, CORE SDI S.A., October 1998.
http://www.corest.com/files/files/11/PEO.pdf.

10
Red Hat, Inc.
Cygwin: UNIX environment for Windows.
http://sources.redhat.com/cygwin/.

11
Sabernet.net.
Windows NT syslog service, 2001.
http://ntsyslog.sourceforge.net/.

12
Alejo Sanchez.
Do you trust your system logs?
Daemon News, December 2001.
http://ezine.daemonnews.org/200112/log_protection.html.

13
Matthew Tanase.
The future of IDS.
Security Focus, December 2001.
http://www.securityfocus.com/infocus/1518.

14
Yoann Vandoorselaere.
Prelude before the tempest: hybrid intrusion detection system.
http://www.prelude-ids.org/.



Pierre-Jean 2002-04-01