Thursday, June 5, 2008

Attacks against your intranet

When was the last time you looked at the logs of your intranet server? A day, week, month, year ago perhaps?

When you looked at them, was it to find usage? To see which departments were most active? Were those departments or personnel allowed to access those parts of the intranet?

Did you check which browser agents were using your intranet? Were the agents part of your SOE (Standard Operating Environment)? Or are they foreign agents?

Were all the hits recorded in the log file from inside your business? If they weren't from inside, should your RAS (Remote Access Solution) allow outside contact to your intranet?

When you looked at the log files, did you check for irregular entries in the requests? Were form submissions as you intended or as expected? Did you happen to record all of the form events, both POST and GET?

I bet you're thinking "Ummm, jeez, I might go have a look at those log files right now".

But do you know what you are looking for?

For this exercise I will assume that you are using the common log format.

For those at home, the common log format is space delimited, meaning that each element of the record is separated by a space character (i.e. " ").

127.0.0.1 - frank [10/Oct/2007:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1)


OK, the breakdown
  • 127.0.0.1 - The IP address of the client
  • "-" - empty element (a placeholder for an unused field)
  • frank - username (for authenticated content); this will be a "-" if the content does not require authentication.
  • [10/Oct/2007:13:55:36 -0700] - The date and time the request ends
  • "GET /apache_pb.gif HTTP/1.0" - The request line sent by the client (method, object and protocol)
  • 200 - The status code from the server pertaining to the object request, in this case the status code 200 mean
  • Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1) - This is the user agent, which describes both the browser and the OS supporting it.

You can conduct your analysis in a number of ways, either through tools like WebTrends or through scripting with Perl.

What should I be looking for?
  • Check IP addresses against the known subnets within your organisation. Does an address fall outside the normal IP address range? Or does it come through any form of proxy or DMZ?
  • Do login times to information lie outside normal parameters?
  • Are old/closed accounts accessing the intranet? Are non-shift workers logging in after hours?
  • By conducting volume analysis on the traffic that flows from the web server you can identify whether information is being accessed in bulk.
  • Continual 401 codes within the log could represent blind spidering occurring on your intranet.
  • You can also identify machines on your network that are not on your SOE by pulling the information from the user agent field.
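The checks in the list above, and the field breakdown earlier in the post, can be scripted directly against the log. The following is an added example written for this page, not code from the original post; it uses Python rather than the Perl the post mentions. It parses records laid out the way the post's sample line is (host, ident, user, timestamp, quoted request, status, then the user agent unquoted to end of line; strict Common Log Format also carries a response-size field, which the sample omits) and then applies four of the checks: client address outside the internal subnets, user agent not matching the SOE browser build, authenticated access outside business hours, and repeated 401 responses from one host. The subnets, SOE agent string, business hours, threshold and log lines are all constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Record layout as shown in the post's sample line (not strict CLF: no response-size
# field, and the user agent is unquoted and runs to the end of the line).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<agent>.*)$'
)

# Assumed site policy (constructed for this example, not taken from the post).
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
SOE_AGENT_MARKERS = ("Iceweasel/2.0.0.14",)   # substrings identifying the approved browser build
BUSINESS_HOURS = range(8, 18)                 # 08:00 to 17:59 in the log's local time
UNAUTHORIZED_THRESHOLD = 5                    # this many 401s from one host suggests blind spidering


def parse_line(line):
    """Split one log record into its fields; return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache-style timestamp, e.g. 10/Oct/2007:13:55:36 -0700
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines):
    """Run the post's checks over an iterable of log lines and return findings by category."""
    findings = defaultdict(list)
    unauthorized = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"].append(line)
            continue
        # 1. Client address outside the organisation's known subnets
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in INTERNAL_SUBNETS):
            findings["external_ip"].append(rec["ip"])
        # 2. User agent that is not part of the SOE
        if not any(marker in rec["agent"] for marker in SOE_AGENT_MARKERS):
            findings["non_soe_agent"].append((rec["ip"], rec["agent"]))
        # 3. Authenticated access outside business hours
        if rec["user"] != "-" and rec["time"].hour not in BUSINESS_HOURS:
            findings["after_hours_login"].append((rec["user"], rec["time"].isoformat()))
        # 4. Count 401 responses per host for the spidering check below
        if rec["status"] == 401:
            unauthorized[rec["ip"]] += 1
    for ip, n in unauthorized.items():
        if n >= UNAUTHORIZED_THRESHOLD:
            findings["repeated_401"].append((ip, n))
    return dict(findings)


# Constructed sample log: one normal internal hit, one external host with a
# non-SOE client, one after-hours authenticated POST, and a burst of 401s.
SAMPLE_LOG = [
    '10.1.2.3 - frank [10/Oct/2007:13:55:36 -0700] "GET /hr/policies.html HTTP/1.0" 200 '
    'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1)',
    '203.0.113.9 - - [10/Oct/2007:14:01:02 -0700] "GET /index.html HTTP/1.0" 200 curl/7.18.0',
    '10.1.2.7 - alice [11/Oct/2007:02:17:45 -0700] "POST /finance/report.cgi HTTP/1.0" 200 '
    'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.14) Gecko/20080404 Iceweasel/2.0.0.14 (Debian-2.0.0.14-0etch1)',
] + [
    f'10.1.2.9 - - [11/Oct/2007:09:00:{s:02d} -0700] "GET /finance/q{s}.html HTTP/1.0" 401 Python-urllib/2.5'
    for s in range(5)
]

if __name__ == "__main__":
    for category, items in analyse(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

To run it against a real log, replace SAMPLE_LOG with `open("/path/to/access_log")` and adjust the subnets and SOE markers to your environment; records that do not match the layout are reported under "unparsed" rather than silently dropped, so a differently configured LogFormat shows up immediately instead of producing empty findings.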
