Saturday, August 24, 2013

How to reduce false positives?

This is my experience. The following rule is one of the IDS rules for detecting SQL injection.

alert tcp any any -> any 80 (content:"%20and%20"; nocase; http_uri;)

That rule produced 6,078 logs in one week. Is every match an attack? The string '%20and%20' is just a part of a URI (Uniform Resource Identifier).

It means the rule pattern can be part of an attack pattern, but a pattern match is not unconditionally an attack. So you must analyze the entire log message, not only the rule pattern.

By the way, even if you analyze one log per minute, you can only analyze 1,440 logs in a day (a day is 1,440 minutes). Analyzing the entire log set is very difficult.


So I tried the following method. See the next example of normalizing the text. First, you should choose the normalization basis.

I chose the rule pattern as the normalization basis. The next image shows the result of using the following substitute command.



I will normalize the text with Excel's text-to-columns function. So I need a text separator that does not overlap with any English character.

You may be curious what '' is. The symbol '' is a Korean (Hangul) character that I used as the separator. See the next image.


The entire log is divided into 3 fields, as in the following image.



If you use Excel's filter function, you can analyze the logs more easily.
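The same normalization in Python, as an added example rather than the author's Excel workflow or the substitute command the post refers to: each alert line is split at the rule pattern (case-insensitive, like nocase), the three fields are joined with a separator for Excel's text-to-columns, and the distinct contexts around the pattern are counted so thousands of alerts collapse into a short list to review. The Hangul separator '가' and the alert lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# The content match from the IDS rule on the page; nocase => case-insensitive.
PATTERN = "%20and%20"
# Separator for Excel's text-to-columns. The page uses a Hangul character that
# cannot collide with ASCII text; '가' here is an assumed stand-in for it.
SEP = "가"

# Constructed sample alert lines (not real traffic); every line matches the rule.
SAMPLE_LOGS = [
    "08/20-10:15:01.123 [**] SQLi test [**] GET /search.php?q=rock%20and%20roll HTTP/1.1",
    "08/20-10:15:02.456 [**] SQLi test [**] GET /search.php?q=black%20and%20white HTTP/1.1",
    "08/20-10:15:03.789 [**] SQLi test [**] GET /item.php?id=1%20and%201%3D1 HTTP/1.1",
    "08/20-10:15:04.012 [**] SQLi test [**] GET /search.php?q=rock%20AND%20roll HTTP/1.1",
]

def normalize(line):
    """Split a log line into (before, matched pattern, after) at the first
    case-insensitive hit of PATTERN; None when the line does not match."""
    m = re.search(re.escape(PATTERN), line, re.IGNORECASE)
    if m is None:
        return None
    return line[:m.start()], m.group(0), line[m.end():]

def to_excel_row(line):
    """Join the three fields with SEP so Excel can split them into 3 columns."""
    fields = normalize(line)
    return None if fields is None else SEP.join(fields)

def context_key(line):
    """Reduce a line to (token before pattern, token after pattern), lowercased,
    so the same benign phrase is counted once regardless of timestamp or case."""
    fields = normalize(line)
    if fields is None:
        return None
    before, _, after = fields
    left = re.search(r"([^\s=&/?]*)$", before).group(1)
    right = re.match(r"([^\s&]*)", after).group(1)
    return left.lower(), right.lower()

def summarize(lines):
    """Count distinct contexts; review the few keys instead of every alert."""
    return Counter(k for k in map(context_key, lines) if k is not None)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(to_excel_row(line))
    for key, n in summarize(SAMPLE_LOGS).most_common():
        print(n, key)
```

Contexts such as ("rock", "roll") are ordinary search terms, while ("1", "1%3d1") is the kind of row that deserves a closer look at the full log line.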


What do you think about this?
