Looking for IDS log examples


Looking for IDS log examples

heinbockel
Folks,

I am searching for examples of IDS logs/alerts from a variety of
IDS/IPS products.
It is fairly easy to find examples of snort logs, but I would also
like to see some logs from devices such as the CA eTrust, Cisco Secure
IDS, BlackICE, ISS RealSecure, etc.

Any pointers or examples would be much appreciated!
Thanks,


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615



Re: Looking for IDS log examples

David Corlette
Hey Bill,

So, lessee:

Many IDSs store stuff in databases, so it will be hard to send samples, exactly.  IBM Proventia SiteProtector is in that boat, for example.

Here are some samples that I have.  Not sure how much use they'll be without docs, however, which is another proposition.  Wouldn't it be nice if there were a standard way to log all this data? ;-)


TippingPoint:
May 19 12:14:41 192.168.170.28 7|2|00000002-0002-0002-0002-000000001790|00000001-0001-0001-0001-000000001790|1790: Backdoor: DFch Grisch 0.1 b1|1790|tcp|192.168.33.165|16661|192.168.33.167|1202|1|1A|1B|1|0|device31|33761793|1172587861086
May 19 12:14:41 192.168.170.28 7|1|00000002-0002-0002-0002-000000001648|00000001-0001-0001-0001-000000001648|1648: SMTP: From: Message Header Anomaly (nonprintables)|1648|tcp|192.168.43.251|34261|192.168.36.181|25|31|1A|1B|1|0|device31|100738301|1172587861086
May 19 12:14:41 192.168.170.28 7|1|00000002-0002-0002-0002-000000000141|00000001-0001-0001-0001-000000000141|0141: ICMP: Destination Unreachable (Port Unreachable)|141|icmp|192.168.48.102|0|192.168.48.100|0|2|1A|1B|1|0|device31|100732157|1172587861086

Juniper IDP:
May 24 23:40:36 10.156.0.156 127.0.0.1 20040507-60517 2004/05/07 23:19:15 192.156.104.130 192.42.122.36:38314 10.156.104.105:111 0.0.0.0:0 0.0.0.0:0  eth3  4E90-20AA-4BA5-8E20 s0 PORTMAPPER:ERR:WRONG-DIR Inline_temp:1 IDS 4 0 0 0 UDP ATTACK-PORTMAPPER_WRONG_DIRECTION DROP 0,0 no no yes HIGH no no no no
May 24 23:40:36 10.156.0.156 127.0.0.1 20040507-60570 2004/05/07 23:19:16 192.156.104.130 192.156.104.105:45835 192.109.19.183:53 0.0.0.0:0 0.0.0.0:0  eth3  4E90-20AA-4BA5-8E20 s0 DNS:OVERFLOW:OVERSIZED-UDP-MSG Inline_temp:1 IDS 4 0 0 0 UDP ATTACK-DNS_OVERSIZED_UDP_MSG DROP 0,0 no no yes HIGH no no no no
May 24 23:40:36 10.156.0.156 127.0.0.1 20040507-60599 2004/05/07 23:19:16 192.168.104.130 192.150.68.87:51029 10.156.104.105:15 0.0.0.0:0 0.0.0.0:0  eth3  4E90-20AA-4BA5-8E20 s0 ICMP:EXPLOIT:NON-ZERO-DATA-LEN Inline_temp:1 IDS 4 0 0 0 ICMP ATTACK-ICMP_NON_ZERO_DATA_LENGTH DROP 0,0 no no yes HIGH no no no no

Cisco IPS:
<sd:evIdsAlert xmlns:sd="http://example.org/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee" cid:alarmTraits="2147483648" eventId="1220491283224148236" severity="medium" vendor="Cisco">
<sd:originator>
<sd:hostId>xyz-lmno</sd:hostId>
<cid:appName>sensorApp</cid:appName>
<cid:appInstanceId>447</cid:appInstanceId>
</sd:originator>
<sd:time offset="0" timeZone="UTC">1226421324951337000</sd:time>
<sd:signature cid:created="20051011" cid:type="other" cid:version="S268" description="Client Service for NetWare Overflow" id="5644">
<cid:subsigId>2</cid:subsigId>
<cid:sigDetails>This signature is a Metacomponent</cid:sigDetails>
<marsCategory xmlns="http://www.cisco.com/cids/2006/08/cidee">Penetrate/BufferOverflow/Misc</marsCategory>
</sd:signature>
<sd:interfaceGroup>vs0</sd:interfaceGroup>
<sd:vlan>0</sd:vlan>
<sd:participants>
<sd:attacker>
<sd:addr cid:locality="10_Host_Address">10.11.23.237</sd:addr>
<sd:port>2608</sd:port>
</sd:attacker>
<sd:target>
<sd:addr cid:locality="10_Host_Address">10.26.16.216</sd:addr>
<sd:port>445</sd:port>
<cid:os idSource="unknown" relevance="relevant" type="unknown"/>
</sd:target>
</sd:participants>
<sd:actions>
<sd:ipLoggingActivated>true</sd:ipLoggingActivated>
<sd:tcpResetSent>true</sd:tcpResetSent>
<sd:shunRequested>true</sd:shunRequested>
<cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
<cid:denyFlowRequestedNotPerformed>true</cid:denyFlowRequestedNotPerformed>
<cid:denyAttackerRequestedNotPerformed>true</cid:denyAttackerRequestedNotPerformed>
<cid:blockConnectionRequested>true</cid:blockConnectionRequested>
<cid:logAttackerPacketsActivated>true</cid:logAttackerPacketsActivated>
<cid:logVictimPacketsActivated>true</cid:logVictimPacketsActivated>
<cid:logPairPacketsActivated>true</cid:logPairPacketsActivated>
<cid:snmpTrapRequested>true</cid:snmpTrapRequested>
<cid:denyAttackerVictimPairRequestedNotPerformed>true</cid:denyAttackerVictimPairRequestedNotPerformed>
<cid:denyAttackerServicePairRequestedNotPerformed>true</cid:denyAttackerServicePairRequestedNotPerformed>
</sd:actions>
<cid:context>
<cid:fromTarget>AAAAw/9TTUJyAAAAAJhTyAAAAAAAAAAAAAAAAAAA//4AAAAAEQUABzIAAQAEQQAAAAABAAAAAAD98wGA/AVlhRtEyQEsAQB+AGU08M2oslRBjR2CrFe8ZEdgbAYGKwYBBQUCoGIwYKAwMC4GCSqGSIL3EgECAgYJKoZIhvcSAQICBgoqhkiG9xIBAgIDBgorBgEEAYI3AgIKoywwKqAoGyZ1c3RwYTNndHNhZDEwMyRATkFNLkFELlBXQ0lOVEVSTkFMLkNPTQ==</cid:fromTarget>
<cid:fromAttacker>imhFTsan/wJjP1jxIPM852f4qKkFyQ+XrPTu7/27gsv1Seiw4p0bhwJJZfqEmMwckjYIhT1g9Ze7hLl6zZzsiutAxjqDtjTFDIDblSbIW319E600nT8xfnmeJhM4qBSQGnugfxPEAuDZFiC8RGvtrnG+zn6D/i74zuMMGVmqZnzX9A0UmBAL9Y0asFb1ExrN0g2ZCl/CttYazKtNu3zewgb901jGDiwFxde6w0MXMJZSKxDJ8Sc1uRX10ylkYABXAGkAbgBkAG8AdwBzACAAMgAwADAAMgAgAFMAZQByAHYAaQBjAGUAIABQAGEAYwBrACAAMgAgADIANgAwADAAAA==</cid:fromAttacker>
</cid:context>
<cid:ipLogIds>
<cid:ipLogId>1701736967</cid:ipLogId>
</cid:ipLogIds>
<cid:triggerPacket>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</cid:triggerPacket>
<cid:riskRatingValue attackRelevanceRating="relevant" targetValueRating="medium">40</cid:riskRatingValue>
<cid:threatRatingValue>20</cid:threatRatingValue>
<cid:interface>ge3_1</cid:interface>
<cid:protocol>tcp</cid:protocol>
</sd:evIdsAlert>


<sd:evIdsAlert xmlns:sd="http://example.org/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee" cid:alarmTraits="2147483648" eventId="1220491283224148249" severity="medium" vendor="Cisco">
<sd:originator>
<sd:hostId>xyz-lmno</sd:hostId>
<cid:appName>sensorApp</cid:appName>
<cid:appInstanceId>447</cid:appInstanceId>
</sd:originator>
<sd:time offset="0" timeZone="UTC">1226421325253808000</sd:time>
<sd:signature cid:created="20051011" cid:type="other" cid:version="S268" description="Client Service for NetWare Overflow" id="5644">
<cid:subsigId>2</cid:subsigId>
<cid:sigDetails>This signature is a Metacomponent</cid:sigDetails>
<marsCategory xmlns="http://www.cisco.com/cids/2006/08/cidee">Penetrate/BufferOverflow/Misc</marsCategory>
</sd:signature>
<sd:interfaceGroup>vs0</sd:interfaceGroup>
<sd:vlan>0</sd:vlan>
<sd:participants>
<sd:attacker>
<sd:addr cid:locality="10_Host_Address">10.5.153.167</sd:addr>
<sd:port>0</sd:port>
</sd:attacker>
<sd:target>
<sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
<sd:port>0</sd:port>
<cid:os idSource="unknown" relevance="unknown" type="unknown"/>
</sd:target>
</sd:participants>
<sd:actions>
<cid:snmpTrapRequested>true</cid:snmpTrapRequested>
</sd:actions>
<cid:summary cid:final="true" cid:initialAlert="1220491283224147784" cid:summaryType="Regular">2</cid:summary>
<cid:alertDetails>Regular Summary: 2 events this interval ; </cid:alertDetails>
<cid:riskRatingValue targetValueRating="medium">30</cid:riskRatingValue>
<cid:threatRatingValue>30</cid:threatRatingValue>
<cid:interface>ge3_1</cid:interface>
<cid:protocol>tcp</cid:protocol>
</sd:evIdsAlert>
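As an added example (not code from anyone in the thread or from the vendors), here is a small normaliser that reads the TippingPoint pipe-delimited line and the Cisco SDEE evIdsAlert above into one common record, which is the usual first step before correlating alerts from mixed IDS/IPS products. The TippingPoint field positions are assumptions inferred from the posted samples, since the thread carries no vendor documentation; the SDEE sample is trimmed to the elements the parser uses.

```python
"""Normalise two IDS alert formats posted above into one record.  Added example,
not thread or vendor code; TippingPoint field positions are inferred from the samples."""
import xml.etree.ElementTree as ET

# TippingPoint line from the thread: syslog header, then a pipe-delimited body.
TP_LINE = ("May 19 12:14:41 192.168.170.28 7|2|00000002-0002-0002-0002-000000001790|"
           "00000001-0001-0001-0001-000000001790|1790: Backdoor: DFch Grisch 0.1 b1|"
           "1790|tcp|192.168.33.165|16661|192.168.33.167|1202|1|1A|1B|1|0|device31|"
           "33761793|1172587861086")
# Cisco IPS SDEE alert from the thread, trimmed to the elements used here.
SDEE_XML = """<sd:evIdsAlert xmlns:sd="http://example.org/2003/08/sdee"
 xmlns:cid="http://www.cisco.com/cids/2006/08/cidee" severity="medium" vendor="Cisco">
<sd:originator><sd:hostId>xyz-lmno</sd:hostId></sd:originator>
<sd:signature description="Client Service for NetWare Overflow" id="5644"/>
<sd:participants>
<sd:attacker><sd:addr>10.11.23.237</sd:addr><sd:port>2608</sd:port></sd:attacker>
<sd:target><sd:addr>10.26.16.216</sd:addr><sd:port>445</sd:port></sd:target>
</sd:participants><cid:protocol>tcp</cid:protocol></sd:evIdsAlert>"""
NS = {"sd": "http://example.org/2003/08/sdee", "cid": "http://www.cisco.com/cids/2006/08/cidee"}

def parse_tippingpoint(line):
    """Assumed layout: name [4], sig id [5], proto [6], src ip/port [7]/[8],
    dst ip/port [9]/[10].  Splitting on '|' is safe: the name uses colons, not pipes."""
    _mon, _day, _time, sensor, body = line.split(None, 4)
    f = body.split("|")
    if len(f) < 11:
        raise ValueError("unexpected TippingPoint field count: %d" % len(f))
    return {"vendor": "TippingPoint", "sensor": sensor, "sig_id": f[5],
            "sig_name": f[4], "proto": f[6], "src_ip": f[7], "src_port": int(f[8]),
            "dst_ip": f[9], "dst_port": int(f[10])}

def parse_sdee(xml_text):
    """Same fields from a Cisco SDEE evIdsAlert, resolved through its namespaces."""
    root = ET.fromstring(xml_text)
    sig = root.find("sd:signature", NS)
    att = root.find("sd:participants/sd:attacker", NS)
    tgt = root.find("sd:participants/sd:target", NS)
    if sig is None or att is None or tgt is None:
        raise ValueError("SDEE alert missing signature or participants")
    return {"vendor": root.get("vendor"),
            "sensor": root.findtext("sd:originator/sd:hostId", namespaces=NS),
            "sig_id": sig.get("id"), "sig_name": sig.get("description"),
            "proto": root.findtext("cid:protocol", default="", namespaces=NS),
            "src_ip": att.findtext("sd:addr", namespaces=NS),
            "src_port": int(att.findtext("sd:port", default="0", namespaces=NS)),
            "dst_ip": tgt.findtext("sd:addr", namespaces=NS),
            "dst_port": int(tgt.findtext("sd:port", default="0", namespaces=NS))}
```

Both functions return the same key set, so downstream correlation can treat a TippingPoint hit and a Cisco alert against the same host pair identically.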

Re: Looking for IDS log examples

Anton Chuvakin
In reply to this post by heinbockel
Bill,

I can definitely share parts of my collection later today.

On Wed, Jul 1, 2009 at 7:36 AM, Heinbockel, Bill <[hidden email]> wrote:

> Folks,
>
> I am searching for examples of IDS logs/alerts from a variety of
> IDS/IPS products.
> It is fairly easy to find examples of snort logs, but I would also
> like to see some logs from devices such as the CA eTrust, Cisco Secure
> IDS, BlackICE, ISS RealSecure, etc.
>
> Any pointers or examples would be much appreciated!
> Thanks,
>
>
> William Heinbockel
> Infosec Engineer, Sr.
> The MITRE Corporation
> 202 Burlington Rd. MS S145
> Bedford, MA 01730
> [hidden email]
> 781-271-2615
>
>



--
Anton Chuvakin, Ph.D
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org