RE: BSM Audit Records

From: Small, Jim <jim.small(at)eds.com>
Date: Wed May 21 2003 - 18:37:12 EDT


Well,

I still haven't figured out the solution to my question. In a nutshell, it's this:
What I'm stuck on is figuring out how to interpret the ports in the login/logout records. If you look at this type of record: auditreduce -c lo | praudit -l

For each record, you will see something like this:

header,81,2,login - telnet,,Wed 21 May 2003 11:43:09 AM EDT, + 65 msec
subject,root,root,other,root,other,5861,5861,183 131095 host1.dom1.com
text,successful login
return,success,0

On the "subject" line, the last field is: 183 131095 host1.dom1.com

If you look on docs.sun.com
(http://docs.sun.com/db/doc/806-4078/6jd6cjs73?a=view#aparecord-947) under the subject token information, you will see that this is the terminal ID which breaks down into a port, IP type, and IP address.

The IP address is obvious: host1.dom1.com.

I'm not sure what the IP type is.

I'm not sure what exactly the port is either and this is what I'm interested in. According to the docs, it's a 4-byte number. Is this 2-bytes for the local port and 2 for the remote? The information: 183 131095 doesn't seem to match anything, either the local or remote port. I tried converting it all to hex and grouping the hex digits in different ways, but that doesn't seem to work either. Am I doing it wrong or missing something?


How do you interpret the information to get the correct port out of it?

If it is helpful, here is what information I have found about BSM:

I've found two tools and the following articles about BSM:

First tool:
http://home.twmi.rr.com/jayd/bsm.html
A Java BSM log viewing tool. Slick and easy to use, nice Jay!

Second tool:
bsmvwr from the following System Admin Magazine article: http://www.samag.com/documents/s=1157/sam0013d/0013d.htm
A Perl-based tool to parse BSM logs. Unfortunately I couldn't get it to run to completion. I couldn't compile the exact versions of the Perl utilities the author specified in the article; I got slightly later versions. I finally got everything to compile (on Solaris 9 12/02, Ultra 80), and the program would start running. However, it would end up crashing. I wrote the author, and if he has time to help me, I'll post the solution.

Docs/Info:
System Admin Magazine Article:
http://www.samag.com/documents/s=1157/sam0013d/0013d.htm

Darren's InFocus Article:
http://www.securityfocus.com/infocus/1362

InFocus Article (for Intrusion Detection): http://www.securityfocus.com/infocus/1211

SANS Article:
http://www.sans.org/rr/paper.php?id=537


Sun BluePrint:
http://www.sun.com/solutions/blueprints/0201/audit_config.pdf

Another Article and Tool:
http://www.boran.com/security/sp/Solaris_bsm.html

Sun Docs:
http://docs.sun.com/db/doc/816-4883/6mb2joave?a=view

<> Jim

-----Original Message-----
From: Small, Jim [mailto:jim.small@eds.com]
Sent: Tuesday, May 20, 2003 3:34 PM
To: focus-sun@securityfocus.com
Subject: RE: BSM Audit Records

Darren,

I know about the docs.sun.com reference. Specifically, just like you said, it covers the terminal ID:
For device numbers:
32-bit applications: 4-byte device number, 4 bytes unused
64-bit applications: 8-byte device number, 4 bytes unused

For port numbers in the Solaris 7 release or earlier releases:
32-bit applications: 4-byte port number, 4-byte IP address
64-bit applications: 8-byte port number, 4-byte IP address


For port numbers in the Solaris 8 or 9 releases:

32-bit with IPV4: 4-byte port number, 4-byte IP type, 4-byte IP address
32-bit with IPV6: 4-byte port number, 4-byte IP type, 16-byte IP address
64-bit with IPV4: 8-byte port number, 4-byte IP type, 4-byte IP address
64-bit with IPV6: 8-byte port number, 4-byte IP type, 16-byte IP address

This doesn't completely clear things up for me though. Perhaps an example would be better. If I am parsing login/logout (lo) records in my "short" form, I might see something like this (truncated for clarity):

+ftp access for root from 8197 21 host1.dom1.com on Wed 07 May 2003...
+login - local for root from 0 0 192.168.128.95 on Mon 12 May 2003...
+login - telnet for root from 419 23 192.168.145.35 on Mon 12 May 2003...
+login - ssh for root from 0 1447 host1.dom1.com on Tue 20 May 2003...

Here we have 4 types of access:
ftp, dtlogin, telnet, and ssh (All on Solaris 9 12/02)

If I do a file on ftp, dtlogin, telnet, and ssh, I can determine that they are all 32bit apps:
ELF 32-bit MSB executable SPARC Version 1, dynamically linked, [not] stripped

Therefore, all of these except for dtlogin should be giving me a 4-byte port number, and 4-byte IP type, and a 4-byte IP address.

The 4-byte IP is obvious.
I don't know what the 4-byte IP type is. I'm not sure what the 4-byte port number is. Is this 2 bytes for the local port and 2 bytes for the remote port? How does praudit interpret this?

Now for dtlogin, since you are logging in via the console, I'm not sure what you should expect, and you get 0 0.

For the other 3, I connected to the Solaris 9 box and using netstat detected the ports on the local and remote end.
For ftp, 8197 21, I'm not sure how to parse this. Is 21 the local port? If so, then what's 8197? It does not correspond with the remote port. I tried converting the numbers to hex and then adding/removing digits to see if some combination would yield the remote port number, but no dice.


For telnet, 419 23, it's the same story. 23 could be the local port, but what is 419? Also, this is not consistent with the documentation, which states a 4-byte port number, especially because of what you see below with ssh.

For ssh, 0 1447, 1447 is the remote port, and 22 is the local. This seems to contradict the logic displayed by telnet and ftp earlier. So I don't know how I should interpret the port numbers.

Is there more documentation somewhere or an example program? Is this just a problem with using praudit?

Any advice or pointers would be greatly appreciated.

Heck Darren, I'm in the Detroit Area Sun Technologies User Group, let me know who maintains BSM/auditd and maybe my local Sun friends can get them to speak at our group!

Thanks,

   <> Jim

Received on Fri May 23 15:12:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT
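An added example (my code, not Jim's and not Sun's) that decodes the terminal IDs quoted in the two messages above. It assumes two things the post does not state: that praudit prints the 4-byte port field the same way it prints a Solaris 32-bit dev_t, as "major minor" with a 14-bit major and an 18-bit minor, and that the telnet/ftp login path packs the peer's port into the upper 16 bits and the local service port into the lower 16 bits. Under that reading 183 131095 reassembles to 0x02DE0017 (peer port 734, local port 23), 8197 21 gives peer port 32788 with local port 21, and the ssh record carries only a single port value.

```python
import re
from dataclasses import dataclass

# Assumption: praudit shows the 4-byte terminal-ID port field as a Solaris 32-bit
# dev_t "major minor" pair (14-bit major, 18-bit minor). This is why 131095 looks
# too large for a port: the 18-bit minor carries the low 2 bits of the upper half.
MINOR_BITS = 18
MINOR_MASK = (1 << MINOR_BITS) - 1
MAJOR_MAX = 1 << (32 - MINOR_BITS)


@dataclass
class TermId:
    raw: int      # the 4-byte port field reassembled from praudit's two numbers
    high16: int   # upper 16 bits: peer (remote) port for telnet/ftp logins (assumption)
    low16: int    # lower 16 bits: local service port for telnet/ftp logins (assumption)
    host: str     # hostname or dotted IP printed after the two numbers


def decode_termid(field: str) -> TermId:
    """Decode a praudit terminal ID such as '183 131095 host1.dom1.com'."""
    major, minor, host = field.split(None, 2)
    major, minor = int(major), int(minor)
    if not (0 <= major < MAJOR_MAX and 0 <= minor <= MINOR_MASK):
        raise ValueError(f"not a 32-bit major/minor pair: {field!r}")
    raw = (major << MINOR_BITS) | minor
    return TermId(raw, raw >> 16, raw & 0xFFFF, host)


# Lines in the post's "short" login/logout form: "+<service> for <user> from <tid> on <date>"
SHORT_RE = re.compile(r"^\+(?P<svc>.+?) for (?P<user>\S+) from (?P<tid>\d+ \d+ \S+) on ")


def decode_short_line(line: str):
    """Return (service, user, TermId) for a short-form line, or None if it does not match."""
    m = SHORT_RE.match(line)
    return (m["svc"], m["user"], decode_termid(m["tid"])) if m else None


# Sample input constructed from the records quoted in the post.
SAMPLE = [
    "+ftp access for root from 8197 21 host1.dom1.com on Wed 07 May 2003...",
    "+login - local for root from 0 0 192.168.128.95 on Mon 12 May 2003...",
    "+login - telnet for root from 419 23 192.168.145.35 on Mon 12 May 2003...",
    "+login - ssh for root from 0 1447 host1.dom1.com on Tue 20 May 2003...",
]

if __name__ == "__main__":
    for line in SAMPLE:
        svc, user, tid = decode_short_line(line)
        print(f"{svc:15} {user:5} raw=0x{tid.raw:08x} high16={tid.high16:5} "
              f"low16={tid.low16:5} {tid.host}")
```

The dtlogin console record decodes to 0 in every field, and the ssh record yields raw 1447 with an empty upper half, which matches the post's observation that sshd records only the remote port.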
