I’m using Splunk to try to detect multiple Windows login sessions by a single user, as an indicator of compromise. However, I’m not sure how to go about this. I can ingest workstation logs (events 4624/4634) and look for a large discrepancy between logins and logouts (indicating a high number of sessions) in the workstation logs, but there are a few problems.
First, a discrepancy between logins and logouts does not necessarily indicate compromise; it’s (relatively) normal for a user to be logged in to multiple devices at once. Secondly, login/logout events are generated when a user unlocks their computer, but are not generated when a user locks or sleeps their machine.
Is there an elegant solution for this? Even if there isn’t, is there an agreed-upon list of Windows event IDs I should track to develop a better picture of high login sessions? Thanks!
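One way to get past raw 4624-minus-4634 counting is to pair logon and logoff on the logon ID that both events carry (TargetLogonId; your Splunk TA may rename the field) and to drop the logon types that are not real sessions. This is an added example, not code from the post above: the event list is constructed, the host and user names are hypothetical, and the "more than two hosts" threshold is an illustrative baseline, not a recommendation. Logon types 2 (interactive), 10 (RemoteInteractive/RDP), 7 (unlock) and 3 (network) are Microsoft's documented values; 4647 is the user-initiated logoff event and closes a logon ID just as 4634 does.

```python
from collections import defaultdict

# Constructed sample (hypothetical hosts and users), shaped like the fields the
# Security log carries: EventCode, TargetUserName, TargetLogonId, LogonType.
EVENTS = [
    # (time, host, EventCode, user, logon_id, logon_type)
    ("2020-04-21T08:00:00", "WS01", 4624, "alice", "0x1a2b", 2),   # console logon
    ("2020-04-21T08:05:00", "WS01", 4624, "alice", "0x1a2c", 7),   # screen unlock
    ("2020-04-21T08:05:01", "WS01", 4634, "alice", "0x1a2c", 7),   # unlock session closes at once
    ("2020-04-21T09:00:00", "WS02", 4624, "alice", "0x2b3c", 10),  # RDP
    ("2020-04-21T09:01:00", "WS03", 4624, "alice", "0x3c4d", 10),  # RDP to a third host
    ("2020-04-21T09:02:00", "SRV01", 4624, "alice", "0x4d5e", 3),  # network logon (share access)
    ("2020-04-21T09:03:00", "SRV01", 4634, "alice", "0x4d5e", 3),
    ("2020-04-21T09:30:00", "WS02", 4624, "bob", "0x5e6f", 2),
]

LOGON = 4624
LOGOFF = {4634, 4647}          # 4647 (user-initiated logoff) also ends the logon ID
NOISY_LOGON_TYPES = {3, 7}     # network and unlock logons churn constantly; not "sessions"


def open_sessions(events, ignore_types=NOISY_LOGON_TYPES):
    """Replay events in time order and pair 4624/4634 on TargetLogonId.
    Returns {user: {(host, logon_id), ...}} for sessions still open at the end."""
    open_by_user = defaultdict(dict)          # user -> {logon_id: host}
    for _ts, host, code, user, logon_id, ltype in sorted(events):
        if code == LOGON and ltype not in ignore_types:
            open_by_user[user][logon_id] = host
        elif code in LOGOFF:
            # A logoff for an ID we never opened (before the window, or an ignored
            # logon type) is expected; pop with a default so it is not an error.
            open_by_user[user].pop(logon_id, None)
    return {u: {(h, lid) for lid, h in s.items()} for u, s in open_by_user.items() if s}


def peak_concurrency(events, ignore_types=NOISY_LOGON_TYPES):
    """Most sessions any one user had open at the same moment in the window.
    Useful when a 4624 never gets its 4634 (crash, log rollover) and would
    otherwise look open forever."""
    current, peak = defaultdict(set), defaultdict(int)
    for _ts, _host, code, user, logon_id, ltype in sorted(events):
        if code == LOGON and ltype not in ignore_types:
            current[user].add(logon_id)
            peak[user] = max(peak[user], len(current[user]))
        elif code in LOGOFF:
            current[user].discard(logon_id)
    return dict(peak)


def flag_users(events, max_hosts=2):
    """Users with interactive sessions open on more hosts than the baseline allows.
    The threshold is the site's call; here 2 concurrent hosts is treated as normal."""
    flagged = {}
    for user, sessions in open_sessions(events).items():
        hosts = {host for host, _ in sessions}
        if len(hosts) > max_hosts:
            flagged[user] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    print(peak_concurrency(EVENTS))   # {'alice': 3, 'bob': 1}
    print(flag_users(EVENTS))         # {'alice': ['WS01', 'WS02', 'WS03']}
```

The unlock (type 7) and share-access (type 3) events are what make the plain login/logout ratio noisy; once they are excluded and the remaining events are paired by logon ID, "alice" is left with three interactive sessions on three hosts while the unlock and SMB churn disappears. Whatever threshold you pick should come from a baseline of your own users' normal concurrency, not from this sample.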
I am not very knowledgeable about IIS 7, so I thought this was the right place to ask.
While inspecting the web server logs, I came across several instances of separate records that look just the same. For example:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
The question is: do those records correspond to two actual separate requests, or perhaps it was just one that for some reason got duplicated? This is not an isolated occurrence (there are hundreds more). Just for the record, these are all GET requests coming from the same source (an Apache Tomcat-based application that resides on the same web server and is invoking APIs in different application pools).
Thanks in advance,
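A way to sort "hundreds more" of these into two piles is to parse the W3C log using its own #Fields header and then separate repeats that are identical in every field, time-taken included, from repeats of the same request that differ only in time-taken. Two genuine back-to-back requests almost never take exactly the same number of milliseconds, so the first pile is where to look for duplicated records and the second for a client that really did call twice. This is an added example, not code from the post: the log excerpt below is constructed in the poster's layout with placeholder addresses and shortened query strings, and the timing rule is a heuristic that should be corroborated against the Tomcat application's own client-side logs before anyone concludes the log is lying.

```python
from collections import Counter, defaultdict

# Constructed IIS W3C extended log (placeholder IPs, shortened query strings).
# Rows 1-2 are byte-identical; rows 3-4 are the same request with different timings.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/HERE departmentId=&startTime=2019-09-08T21:00:00.000Z 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/HERE departmentId=&startTime=2019-09-08T21:00:00.000Z 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/OTHER a=1 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 312
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/OTHER a=1 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 298
2020-04-21 00:00:11 10.0.0.15 GET /MY/API/THIRD - 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 50
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts.
    Field names come from the #Fields directive; other # lines are metadata.
    W3C encodes spaces inside values as '+', so splitting on whitespace is safe."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def exact_duplicates(records):
    """Groups of records identical in every field. Returns {record_tuple: count}."""
    counts = Counter(tuple(sorted(r.items())) for r in records)
    return {k: n for k, n in counts.items() if n > 1}


def classify_repeats(records, ignore=("time-taken",)):
    """Bucket repeated requests by whether their timings agree.
    Identical timing on every copy points at a duplicated log record;
    distinct timings point at a client that genuinely sent the request again."""
    groups = defaultdict(list)
    for r in records:
        key = tuple(v for k, v in sorted(r.items()) if k not in ignore)
        groups[key].append(r["time-taken"])
    identical = distinct = 0
    for timings in groups.values():
        if len(timings) < 2:
            continue
        if len(set(timings)) == 1:
            identical += 1
        else:
            distinct += 1
    return {"repeated_identical_timing": identical, "repeated_distinct_timing": distinct}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(len(recs), "records")
    print(classify_repeats(recs))
```

Run against a real log directory, `classify_repeats` gives you the ratio between the two kinds of repeat; if almost every repeat lands in the identical-timing bucket, suspect the logging path, and if they spread across both, suspect the client.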
When I’m investigating systems, the SMB client logs are a good place to tell me if a baddie tried mapping/navigating network shares, and they often outlive the security logs.
Does anyone know a good reference to find out what exactly the codes mean, such as event IDs? I tried Google and have not had much luck.
30805, 30808, 30800, 30811, etc.
I am receiving logs on UDP 514 from another server and I have configured rsyslog.conf to save the logs to another custom directory, but I am unable to do so. I confirmed through tcpdump that the logs are arriving on 514, but they are not getting saved. Anything I’ve missed?
Here’s the config I’ve made in rsyslog.conf:
$umask 0000

# ownership and permissions
$FileOwner punk
$FileGroup punk
$FileCreateMode 0640
$DirCreateMode 0755

# save that when possible
$PreserveFQDN on

# local ruleset (to control local syslogging)
$RuleSet local

$template CustomFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate CustomFormat

$template prod1,"/ab/cs/edl/172.x.x.x/%$now%.log"
if $fromhost-ip == '172.x.x.x' then ?prod1
When securing my device (Ubuntu) I noticed strange ufw logs. I am behind a router, which should be blocking these kinds of requests? I realise these are using port 443, but I was under the impression that my outgoing connections to a website shouldn’t produce incoming connections to me.
[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=18.104.22.168 DST=<my ip> LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=0 RES=0x00 RST URGP=0
- There was only one other device connected to the network.
- This router was recently reset. upnp is disabled.
- Recently plugged a usb stick into the pc.
- I have all incoming connections blocked and only allow http, https and dns out.
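The fields in a [UFW BLOCK] line are enough to tell a stray reply from an unsolicited connection attempt. ufw's default rule set accepts packets that conntrack recognises as ESTABLISHED or RELATED; a segment that arrives after that state is gone (the router's NAT mapping or the local connection has already been torn down) matches nothing and is logged as a block, even though it is the tail end of a connection this host started. A TCP packet from source port 443 to a high ephemeral port with RST set and no SYN is exactly that shape. This is an added example, not part of the post: the first sample line is the poster's with the redacted destination replaced by a documentation address, the other two are constructed for contrast, and the classification rules are heuristics.

```python
import re

UFW_RE = re.compile(r"\[UFW ([A-Z]+)\]\s*(.*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_MIN = 32768   # lower bound of Linux's default net.ipv4.ip_local_port_range

# Line 1: the poster's line, <my ip> replaced by 192.0.2.10.
# Lines 2-3: constructed. A SYN to port 22 from an outside address, and an mDNS UDP packet.
SAMPLE = [
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=18.104.22.168 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=0 RES=0x00 RST URGP=0",
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=41002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=192.0.2.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40",
]


def parse_ufw(line):
    """Split a [UFW ...] kernel log line into key=value fields plus bare flag tokens.
    Works on the bare line or on a full syslog line with a kernel timestamp in front."""
    m = UFW_RE.search(line)
    if not m:
        raise ValueError(f"not a ufw log line: {line!r}")
    rec = {"action": m.group(1), "flags": set(), "options": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v                       # OUT= yields an empty string, as in the log
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec["options"].add(tok)          # e.g. DF (don't fragment)
    return rec


def classify(rec):
    """Heuristic triage of one blocked packet from its protocol, flags and port pair."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags, spt, dpt = rec["flags"], int(rec["SPT"]), int(rec["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "inbound connection attempt"          # someone trying to open a session to us
    if flags & {"RST", "ACK", "FIN"} and spt < 1024 and dpt >= EPHEMERAL_MIN:
        # Service port -> our ephemeral port, no SYN: a late segment for a connection
        # conntrack no longer tracks, so the ESTABLISHED rule misses and ufw logs it.
        return "stray reply to an earlier outbound connection"
    return "unclassified"


def triage(lines):
    """(source address, verdict) for each line, in input order."""
    out = []
    for line in lines:
        rec = parse_ufw(line)
        out.append((rec["SRC"], classify(rec)))
    return out


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE):
        print(f"{src:16} {verdict}")
```

The second constructed line is what an actual inbound probe looks like (SYN, no ACK, a well-known destination port) and is the kind of entry worth counting per source; the first is expected background noise on any host that browses the web behind NAT, and with WINDOW=0 and RST set it is the far end closing a connection the local side had already forgotten.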
I want to copy the data of a binary log file to a .txt file.
[ec2-user@ip-172-31-28-70 mysql]$ sudo mysqlbinlog tajamul.000006 > /var/www/tajamul.txt
It gives me the following error:
-bash: /var/www/tajamul.txt: Permission denied
Can anyone help me with how to copy binary log data to a txt file?
Working with Galera 25.3.23 on RHEL 7.3.
Galera worked well before. After changing the MySQL server port from 3306 to 13306, one of the nodes reports an error after restart:
Slave I/O: error connecting to master 'repuser@<IP>:3306' - retry-time: 60 maximum-retries: 86400 message: Can't connect to MySQL server on '<IP>' (111 "Connection refused"), Internal MariaDB error code: 2003
The other 2 nodes work fine after the restart.
I Googled the web, but can’t find a way to specify the port number.
Also, if possible, please share the usage of the “repuser” ID.
Looking for general mail server security best practices here.
I did some research and it’s really hard to find the information out there.
How do you safeguard an SMTP server log? Are there any encryption tools out there? Our reason is that if the server is compromised, at least the logs are not in plain-text format for attackers to see without obtaining our tool/keys.
It seems like most SMTP servers out there store recipient information in the log files. How can we ensure this information is not stored, or at a minimum is scrambled? Is that possible?
Thank you, and I’m still researching the subject.
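One technique that gives "scrambled" recipient information while keeping the logs usable is keyed pseudonymization: every address is replaced by an HMAC of the address under a key that does not live on the mail server. Lines about the same recipient still correlate, someone holding the key can compute the tag for a known address and search for it, and an attacker with only the log files cannot run a dictionary of likely addresses against it the way they could against an unkeyed hash. This is an added example, not from the post or from any particular MTA: the log lines are constructed in Postfix's general layout with hypothetical hosts, queue IDs and addresses, and the key is embedded only so the block runs offline (in practice it would come from a KMS or a file readable only by the log pipeline). Two caveats a practitioner would want: the rewrite has to happen in the log pipeline before the record reaches disk, because encrypting or scrubbing files afterwards leaves the plaintext in the original write path, and an attacker who already has root on the live host sees whatever the logging process sees, so this protects archived logs far more than the running box.

```python
import hashlib
import hmac
import re

# Matches <local@domain>, the way Postfix brackets addresses in from=/to= fields.
ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")

# Constructed log lines (hypothetical host, queue IDs and addresses).
SAMPLE = [
    "Apr 21 00:00:10 mx1 postfix/smtpd[1201]: 4F3A2B1C0D: client=unknown[203.0.113.7]",
    "Apr 21 00:00:10 mx1 postfix/qmgr[1188]: 4F3A2B1C0D: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)",
    "Apr 21 00:00:11 mx1 postfix/smtp[1210]: 4F3A2B1C0D: to=<bob@example.net>, relay=mail.example.net[198.51.100.3]:25, status=sent (250 OK)",
    "Apr 21 00:00:12 mx1 postfix/smtp[1211]: 5A6B7C8D9E: to=<Bob@example.net>, relay=mail.example.net[198.51.100.3]:25, status=sent (250 OK)",
]

# Demo key only; a real deployment would fetch it from a KMS or a root-only file
# that is not on the mail server's disk.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def tag_for(address, key):
    """Keyed, case-folded pseudonym for one address.
    Same key + same address always gives the same tag, so per-recipient correlation
    survives and an investigator with the key can grep for a known address.
    16 hex chars (64 bits) is plenty to keep distinct addresses distinct."""
    digest = hmac.new(key, address.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymize(line, key, keep_domain=True):
    """Replace every <address> in a log line with <tag@domain>, or <tag> if the
    domain itself is sensitive. Lines without addresses pass through unchanged."""
    def repl(m):
        addr = m.group(1)
        tag = tag_for(addr, key)
        domain = addr.rsplit("@", 1)[1]
        return f"<{tag}@{domain}>" if keep_domain else f"<{tag}>"
    return ADDR_RE.sub(repl, line)


def pseudonymize_log(lines, key, keep_domain=True):
    """Apply pseudonymize() to a sequence of lines, preserving order."""
    return [pseudonymize(line, key, keep_domain) for line in lines]


if __name__ == "__main__":
    for line in pseudonymize_log(SAMPLE, DEMO_KEY):
        print(line)
    # To find a known recipient afterwards, compute its tag with the key and grep:
    print("bob@example.net ->", tag_for("bob@example.net", DEMO_KEY))
```

Keeping the domain leaves enough to debug delivery problems per destination; dropping it (keep_domain=False) is the stricter choice when the set of correspondent domains is itself confidential. Queue IDs, relays and status codes are untouched, so the log still answers "was this message delivered" without naming who it went to.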
I want to create a plugin which enables a user to like and collect things (posts, links, quotes, pictures etc.) while he/she is logged in, and the user would be able to see all his or her liked & collected items on his front-end profile page. What I know is how to create a user and assign roles programmatically. But I don’t know how to get posts “marked” as liked and enable them to add items to his collection (maybe with a button option which says “add to my collection”) and then save it to the user’s collection and show it on the front-end profile page. It would be really helpful if I could get directions on what I should search for, i.e. keywords to search. Any suggestion or idea would be appreciated. Thanks