LnS Logparser in tds-3 script suite

Discussion in 'LnS English Forum' started by Andreas1, Jun 23, 2003.

Thread Status:
Not open for further replies.
  1. Andreas1

    Andreas1 Security Expert

    Hi all,
    just want to tell all of you who are licenced TDS-operators that "screx", my suite of ss3 scripts for TDS now includes a module to watch LnS logs. You can specify which file should be watched and will be alerted by TDS when "suspicious" lines show up in there. Alerts will be in TDS console and/or speech and/or MS Agents.

    It has several "threat levels" and "Suspiciousness" is being defined by a couple of properties (e.g. whether or not the string "RAT:" shows up in TDS's port-service database for the involved ports). Also, if your rulenames have a '-' or a '+' left of their ':' to indicate blocked/allowed status of the event, the parser will be able to understand this. (I name my rules like "TCP-O: Service", "UDP+B: Service", "TCP-I: Service" etc. - where I/O/B stands for In/Out/Both.)

    The only problem is that LnS does its own logrotation, so that you will have to specify a new file to watch every day...

    Have fun, and I'd appreciate any feedback at A.Wagner<at>stud.uni-frankfurt.de
    Cheers,
    Andreas


    Aaah, I almost forgot the URL:
    http://www.commontology.de/pub/tds/screx/screx02beta3.zip

    Some more information about screx can be found in the (also included in the zipfile) readme:
    http://www.commontology.de/pub/tds/screx/screadme.txt
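To illustrate the rule-name convention and the "RAT:" port lookup described above, here is an added example in Python (not part of screx and not the author's ss3 code); the port-service table, the level scale and the helper names are constructed for the demonstration.

```python
"""Added example: parse Look 'n' Stop rule names of the form
"TCP-O: Service" / "UDP+B: Service" (+/- = allowed/blocked, I/O/B =
In/Out/Both) and derive a simple threat level from a port-service table
whose entries flag RAT ports with the string "RAT:". Not screx code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for TDS's port-service database (illustrative only).
PORT_SERVICES = {
    80: "HTTP",
    137: "NetBIOS name service",
    12345: "RAT: NetBus",
    27374: "RAT: SubSeven",
}

RULE_RE = re.compile(
    r"^(?P<proto>[A-Za-z]+)(?P<action>[+-])(?P<dir>[IOB]):\s*(?P<service>.*)$")
DIRECTIONS = {"I": "in", "O": "out", "B": "both"}


@dataclass
class RuleInfo:
    protocol: str
    blocked: Optional[bool]    # None when the name carries no +/- marker
    direction: Optional[str]   # "in", "out", "both" or None
    service: str


def parse_rule_name(name: str) -> RuleInfo:
    """Parse '<PROTO><+|-><I|O|B>: <service>'. Names that do not follow the
    full convention fall back to what the post describes: any '-' or '+'
    left of the first ':' still marks blocked/allowed."""
    m = RULE_RE.match(name)
    if m:
        return RuleInfo(m["proto"].upper(), m["action"] == "-",
                        DIRECTIONS[m["dir"]], m["service"])
    head, _, tail = name.partition(":")
    blocked = True if "-" in head else (False if "+" in head else None)
    return RuleInfo(head.strip(), blocked, None, tail.strip())


def threat_level(rule: RuleInfo, local_port: int, remote_port: int) -> int:
    """Constructed scale: 0 benign, 1 noteworthy, 2 suspicious, 3 alert."""
    rat = any("RAT:" in PORT_SERVICES.get(p, "") for p in (local_port, remote_port))
    level = 2 if rat else 0
    if rule.direction == "in" and rule.blocked is False:
        level = max(level, 1)   # inbound traffic that was permitted
    if rat and rule.blocked is False:
        level = 3               # RAT port and the rule let it through
    return level
```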
     
  2. Andreas1

    Andreas1 Security Expert

    ...I can hear you asking: What are the advantages of this logwatching over LnS's own logging/alerting?

    Not easy to answer, here are a few thoughts:
    • A first assessment of how suspicious the communication in question is.
    • A more extensive port-to-service database tuned for security needs is used to assess threat of a log entry and to inform you about the communication.
    • Speech/Agents.
    • Finally, you have all the relevant stuff at hand in one - TDS - environment. Involved IPs/ports, tracert, ping, TCP Port inspector, irc (that's in screx, too), ...

    Cheers,
    Andreas
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Sounds handy Andreas, I will give it a try soon since I am now using LNS :)
    -Jason-
     
  4. Plavi

    Plavi Registered Member

    Hi Andreas,

    New to using TDS and L&S.

    Please be patient with my illiteracy but... downloaded the script and ran ParseLnS.ss3. Got the following below:

    23:05:59 [Script Error] ERR: Expected 'End' (LINE: 1 COL:21)
    23:05:59 [Script Error] SRC: Sub ParseLog(LogLine)
    23:05:59 [Script Error] ERR: Expected 'Next' (LINE: 1 COL:20)
    23:05:59 [Script Error] SRC: For i = 1 to 16
    23:05:59 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:9)
    23:05:59 [Script Error] ERR: Unexpected 'Next' (LINE: 1 COL:5)
    23:05:59 [Script Error] SRC: Next
    23:05:59 [Script Error] ERR: Type mismatch: 'StripCRLF' (LINE: 1 COL:5)
    23:05:59 [Script Error] ERR: Expected 'End' (LINE: 1 COL:56)
    23:05:59 [Script Error] SRC: If Mid(LogLine, 18,1) = "," Then ' we have a raw log
    23:05:59 [Script Error] ERR: Expected 'End' (LINE: 1 COL:32)
    23:05:59 [Script Error] SRC: If Matches.Count > 0 Then
    23:05:59 [Script Error] ERR: Invalid procedure call or argument (LINE: 1 COL:9)
    23:05:59 [Script Error] ERR: Syntax error (LINE: 4 COL:7)
    23:05:59 [Script Error] SRC: Else
    23:06:00 [Script Error] ERR: Invalid 'exit' statement (LINE: 1 COL:14)
    23:06:00 [Script Error] SRC: Exit Sub
    23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:7)
    23:06:00 [Script Error] SRC: End If
    23:06:00 [Script Error] ERR: Expected 'End' (LINE: 1 COL:32)
    23:06:00 [Script Error] SRC: If Matches.Count > 0 Then
    23:06:00 [Script Error] ERR: Invalid procedure call or argument (LINE: 1 COL:9)
    23:06:00 [Script Error] ERR: Object required: 'Match' (LINE: 1 COL:9)
    23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:7)
    23:06:00 [Script Error] SRC: Else
    23:06:00 [Script Error] ERR: Invalid 'exit' statement (LINE: 1 COL:14)
    23:06:00 [Script Error] SRC: Exit Sub
    23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:7)
    23:06:00 [Script Error] SRC: End If
    23:06:00 [Script Error] ERR: Expected 'End' (LINE: 1 COL:27)
    23:06:00 [Script Error] SRC: If rawlog = False Then
    23:06:00 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:00 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:00 [Script Error] ERR: Expected 'End' (LINE: 1 COL:28)
    23:06:00 [Script Error] SRC: Select Case Field(6)
    23:06:00 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
    23:06:00 [Script Error] SRC: Case "TCP"
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:13)
    23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
    23:06:01 [Script Error] SRC: Case "UDP"
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:13)
    23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
    23:06:01 [Script Error] SRC: Case "ICMP"
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:13)
    23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:01 [Script Error] SRC: End Select
    23:06:01 [Script Error] ERR: Expected 'End' (LINE: 1 COL:30)
    23:06:01 [Script Error] SRC: If Field(2) = "D" Then
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:01 [Script Error] SRC: ElseIf Field(2) = "U" Then
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:01 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:01 [Script Error] SRC: End If
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:01 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:02 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
    23:06:02 [Script Error] SRC: End If
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:5)
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:5)
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:5)
    23:06:02 [Script Error] ERR: Expected 'End' (LINE: 1 COL:56)
    23:06:02 [Script Error] SRC: If Field(3) = "D" Then ' inbound packet
    23:06:02 [Script Error] ERR: Expected 'End' (LINE: 1 COL:59)
    23:06:02 [Script Error] SRC: If Field(6) = "0800" Then ' it's an IP packet
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:02 [Script Error] ERR: Expected 'End' (LINE: 1 COL:62)
    23:06:02 [Script Error] SRC: Select Case Field(10) ' What IP protocol is this?
    23:06:02 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:02 [Script Error] SRC: Case "6" ' TCP
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:02 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:02 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:02 [Script Error] SRC: Case "17" ' UDP
    23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:03 [Script Error] SRC: Case "1" ' ICMP
    23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:03 [Script Error] SRC: Case Else ' some other IP protocol
    23:06:03 [Script Error] ERR: Expected 'End' (LINE: 1 COL:43)
    23:06:03 [Script Error] SRC: If IsNumeric(Field(10)) Then
    23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
    23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
    23:06:03 [Script Error] SRC: Else
    23:06:03 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
    23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
    23:06:03 [Script Error] SRC: End If
    23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
    23:06:03 [Script Error] SRC: End Select
    23:06:03 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:03 [Script Error] SRC: ElseIf Field(6) = "0806" Then ' it's an ARP packet
    23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:04 [Script Error] SRC: Else
    23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:04 [Script Error] SRC: End If
    23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
    23:06:04 [Script Error] SRC: ElseIf Field(3) = "U" Then ' outbound packet
    23:06:04 [Script Error] ERR: Expected 'End' (LINE: 1 COL:59)
    23:06:04 [Script Error] SRC: If Field(6) = "0800" Then ' it's an IP packet
    23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:04 [Script Error] ERR: Expected 'End' (LINE: 1 COL:62)
    23:06:04 [Script Error] SRC: Select Case Field(10) ' What IP protocol is this?
    23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:04 [Script Error] SRC: Case "6" ' TCP
    23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:04 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:04 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:05 [Script Error] SRC: Case "17" ' UDP
    23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:05 [Script Error] SRC: Case "1" ' ICMP
    23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:15)
    23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:13)
    23:06:05 [Script Error] SRC: Case Else ' some other IP protocol
    23:06:05 [Script Error] ERR: Expected 'End' (LINE: 1 COL:43)
    23:06:05 [Script Error] SRC: If IsNumeric(Field(10)) Then
    23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
    23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
    23:06:05 [Script Error] SRC: Else
    23:06:05 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:16)
    23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:15)
    23:06:05 [Script Error] SRC: End If
    23:06:05 [Script Error] ERR: Expected statement (LINE: 1 COL:11)
    23:06:06 [Script Error] SRC: End Select
    23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:06 [Script Error] SRC: ElseIf Field(6) = "0806" Then ' it's an ARP packet
    23:06:06 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:06 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:06 [Script Error] SRC: Else
    23:06:06 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:11)
    23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:06 [Script Error] SRC: End If
    23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
    23:06:06 [Script Error] SRC: End If
    23:06:06 [Script Error] ERR: Expected 'End' (LINE: 1 COL:83)
    23:06:06 [Script Error] SRC: If InStr(1, Left(CStr(RuleName), InStr(1, CStr(RuleName), ":")), "-") > 0 Then
    23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
    23:06:06 [Script Error] SRC: ElseIf InStr(1, Left(CStr(RuleName), InStr(1, CStr(RuleName), ":")), "+") > 0 Then
    23:06:06 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
    23:06:06 [Script Error] SRC: End If
    23:06:07 [Script Error] ERR: Expected 'End' (LINE: 1 COL:39)
    23:06:07 [Script Error] SRC: If Left(RuleName,5) = "APP: " Then
    23:06:07 [Script Error] ERR: Type mismatch: 'Field' (LINE: 1 COL:8)
    23:06:07 [Script Error] ERR: Expected 'End' (LINE: 1 COL:67)
    23:06:07 [Script Error] SRC: Select Case Mid(RuleName, 6, 5) ' Blocked or permitted?
    23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:10)
    23:06:07 [Script Error] SRC: Case "Asked"
    23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:10)
    23:06:07 [Script Error] SRC: Case "Block"
    23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:10)
    23:06:07 [Script Error] SRC: Case "Allow"
    23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:8)
    23:06:07 [Script Error] SRC: End Select
    23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:5)
    23:06:07 [Script Error] SRC: End If
    23:06:07 [Script Error] ERR: Type mismatch: 'AusgabeLogMon' (LINE: 1 COL:5)
    23:06:07 [Script Error] ERR: Expected statement (LINE: 1 COL:0)

    I realise in my ignorance I may have done something wrong in the process, but there is not too much 'clarity' here as to whether someone has indeed 'attacked' today or 'not' in today's L&S log.

    Please advise, and many thanks.
    P
     
  5. Andreas1

    Andreas1 Security Expert

    @ Jason
    Hi, nice to see you here. LnS is really a great fw - and will be much more so when the (announced) new version comes out. :D
    (If it only wouldn't include the current date in the logfile's filename - which makes it a bit more difficult to find. One day, I'll do it programmatically, but right now, relying on the user configuring the path to the to-be-watched logfile means requiring him/her to reconfigure daily :rolleyes:.)

    @ Plavi
    Hi Plavi,
    thanks for giving it a try - and for your feedback.
    I'd like to mention just a few general things over here, and if problems persist, I would suggest (but you decide) discussing the script further at the dedicated ss3 forum, which is hosted over at DCS's private forums: http://diamondcs.com.au/forum/forumdisplay.php?s=&forumid=3 (I assume you're a registered TDS customer - else you wouldn't have been able to run a script as large as screx at all.)

    1. You have to load "loadme.ss3", not "parselns.ss3"...
    (It can load all of screx's modules, but you can configure which modules should be loaded and which shouldn't - for saving resources, e.g. Thus, you can configure to use only the logmon part with LnS parsing and on reload you should be there...)
    2. You have to "load" the script in TDS (and not "run" it)...
    (Actually, there is a description of how screx can set up itself and how to launch it in the readme file - screadme.txt)
    3. Do you have the latest version of Windows Scripting Host for your OS installed?
    (English - 2k/XP; English - 98/ME/NT)

    Hope this helps,
    Andreas
     
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Why do I find this to be a smart move ? :D
     
  7. Plavi

    Plavi Registered Member

    Hi Andreas,

    Thanks for the advice and guidance. Am TDS registered so will visit there, download Windows Scripting Host and do some homework. I find the scripts fascinating and realize how powerful both tools are (in addition to being easy to use), but the learning curve is slow. Cheers for the patience.

    P
     