4th Bicol Youth Congress in IT

I was invited to join and give a talk in an IT Youth Congress last November 2013. I came with my colleagues, Ernesto Boydon and Noel Anonas from Asia Pacific College (APC) Makati City, Philippines.

The event was held in Camarines Sur Polytechnic Colleges in Nabua, Camarines Sur in the Bicol Region.

The key points of my talk are:

1) Define ethical hacking (specifically, to answer the question: is there such a thing as ethical hacking?)

2) Information Security as a discipline. I included this as a key point because the majority of the audience were either Computer Science or Information Technology undergraduates. I wanted them to know that Infosec exists and that there are a lot of career opportunities for them in the field.

3) The need for a cybercrime law. I obviously had to emphasize the need for a "real" cybercrime law that will protect people, especially their virtual assets.

The PDF version of my presentation can be downloaded here: 4th BYCIT Presentation

I really enjoyed my stay in Nabua. I would like to thank the Camarines Sur Polytechnic Colleges for sponsoring my trip there!

[Photo: Speaker's profile in the invitation booklet for the 4th BYCIT]
[Photo: A talk on Ethical Hacking, discussing reconnaissance, the first step in hacking.]

Lesson 1: Introduction to Information Security

Information Security (Infosec) is a relatively new discipline in Information Technology (IT). It is usually included as an elective in a course, or just as a section in a software development or network administration subject. But today, the study of Infosec spans many domains in IT and in other industries: Infosec can be applied to databases, business administration, human resources, etc. It is important to understand that Infosec must be treated as a distinct discipline. Lastly, there are a lot of career opportunities that focus on Infosec precisely because the field is treated as a separate entity. In the 90's, for instance, Infosec was just part of the IT department. Now there is a separate Security Operations team that manages only security-related incidents.

Infosec vs. IT Security

The question "What is the difference between Infosec and IT Security?" is often asked in job interviews. So, is there any distinction between the two terms? The answer lies in their scope. IT Security refers to security solutions deployed to answer IT needs. For instance, IT Security can mean deploying a firewall in the network to control which packets are allowed in and out of the private network. Another IT Security solution is deploying anti-virus (AV) software on end devices such as desktop computers and laptops.

Infosec is bigger than just IT; IT Security is a subset of Infosec. A good example: what type of door should I buy to securely lock the servers in the data center? Another: what skills should the receptionist have in order to detect and counter fraudulent calls asking for confidential information?

Formula of Security

Can you imagine yourself going to SM Mall of Asia? Before you are allowed inside the mall, you are subjected to a lot of inspection and frisking. I'm just not sure if the guards know what they are looking for (pun intended). After the bag inspection and frisking, the queue of people getting in becomes longer and a lot of them are already angry.

Same is true when you are going to inquire about your credit card balance over the phone. Before you are given the account balance, you will be subjected to various verification questions like date of birth, mother’s maiden name, address and phone number.

Isn't security a hassle? You may have wondered how to express security as a formula.

Simply put, Security is inversely proportional to Convenience. This formula applies to every scenario that involves security: the more you enforce security, the more inconvenient it is for the users of the facility.

Functionality-Usability-Security (FUS) Model

Suppose you are in your Software Development class, or you are a freelance programmer doing a project for a client. The normal tendency of the programmer is to make sure that the requirements are met and that the program is "user-friendly." In short, you need to please your client.

Security, on the other hand, teaches you to reduce the attack surface of your application. Yes, you will have to meet the client's requirements, but you also have to check whether you can improve the program from a security perspective. If you have written the program in 1,000 lines of code, can you improve it by reducing the lines of code? Hypothetically, if you can provide the same program in 100 lines of code with the same functionality (or with unnecessary functionality removed), then your program is much better for security. There are fewer ways to exploit a program of 100 lines of code compared to 1,000.

The FUS Model simply states that if you focus solely on Usability, then there will be less Functionality and Security in your program. If you focus on Security, on the other hand, there will be less Functionality and Usability. The ideal scenario is to have a balance between the three, as depicted in Figure 2.

Depending on the program, however, the focus can change. If you are creating an online banking system, for example, the program should lean towards Security. In reality, the functionality of online banking systems is very limited: at the very least, view account balance and transfer money between verified accounts. It is not user-friendly, because you will be prompted to type a Transaction Password every time you do a transaction. All your activities are logged for auditing purposes.

—– NOTHING FOLLOWS —–

You can download the PDF version of this lesson here: INFOSEC_L1_IntroToInfosec.

Career talk for incoming college students

Every year, I think most high schools conduct a career exploration/talk series in July for senior students who will be applying for college. The career exploration event intends to help them have a clear idea of what course to take, the jobs awaiting them, etc.

For my alma mater, Elizabeth Seton School-South (ESS) in Imus, Cavite, this career exploration is a week-long event. Various alumni of ESS give talks and share their insights about college and career. In July 2011, I was invited to give a talk about college life and real-world work experience in the industry.

I was still employed in my first company, Perimeter E-Security (known as Silversky now) during that time. My presentation can be found here: Career Talk slides.

My goal that day was to make the students realize that choosing a course must be done with thorough analysis rather than haphazardly. I realized that there are still many instances where it's the parents who decide for their children. For instance, my thesis mate who wanted to take Com Arts ended up taking Com Sci because his father wanted him to take a technical course. Otherwise, his dad wouldn't allow him to go to college.

Other students choose a particular school because of its prestige. A lot of students will limit their choices to the so-called “Top Schools.” Some other students will take a trending course like Nursing, for instance.

I realized also that a good number of students still don’t know which course to take and they end up choosing some course they are not really sure they want.

[Image: career formula]

I emphasized 3 key important aspects when choosing a course:

  1. Desire — So you are planning to take Nursing, for example. Are you good at assisting and serving other people? Or are you the shy type who doesn't want to interact with people? Desire is important because it will be your motivation to finish your course. If you are into helping people as a profession, then Nursing can be for you.
  2. Ability — You want to take up Architecture. You really want to design and create patterns, etc. You need to understand that you must have the "hands" for Architecture. You have to be keen, meticulous and detailed when doing your designs. In short, you need to have these minimum abilities in order to have a free-flowing journey in finishing your course.
  3. Practicality — So, you want to take Culinary Arts in college. You have the Desire and Ability to cook and to experiment with creating your own dishes. That's good. You're planning to go to the College of St. Benilde (CSB) because it's known for its Culinary Arts program. However, your family cannot afford 100,000php in tuition and fees (excluding materials) per trimester to sustain your stay there. So what will you do? The best decision might be to look for another school that offers the course with more affordable tuition and fees.

The scenarios above are hypothetical. I believe that these components are very helpful in determining which course to take. These components have to be balanced.

I do not fully agree that a student must limit himself/herself to the so-called Top Schools, such as UP, Ateneo, La Salle and UST. There are a lot of schools out there that provide quality education as well. I won't agree that successful people only come from those "top schools." I think that, due to massive advertising and marketing, these schools are very much overrated.

I've met and made friends at work who are very smart and skilled and who graduated from universities in the provinces. They are down-to-earth, yet subject matter experts (SMEs) in our field. So, although it's good to aim for schools in Manila, I can say that there are good schools in other places in the Philippines.

My point is, it boils down to how the person develops himself/herself. The school may be a key, but the choice and decision to do best is up to the person.

Hot Issues in Information Security

I delivered a short seminar about some of the current events and trends in information security. Basically, I divided my presentation into 3 parts:

1. 2014 Vulnerabilities – This part covers two of the biggest bugs discovered in 2014, namely Heartbleed and Shellshock. Each vulnerability is briefly described.

2. Fiction to Non-Fiction – This part covers the books written by Daniel Suarez, namely "Daemon," "Freedom" and "Kill Decision." I related the technologies Daniel Suarez describes to what we have right now. The conclusion: the technologies he mentions already exist.

3. Day-to-day issues in the industry – This last part covers the security challenges faced by the industry, such as cloud computing, bring your own device (BYOD), incident response and regulations.

The PDF of my presentation is attached at this link for reference: Hot issues in Information Security

[Photo: MPH, Asia Pacific College. Photo by Kareen Gancio]

Understanding Ecatel

By Justin David Pineda

Some people have been visiting websites hosted in Europe that are part of the Ecatel network. Seclists says that the Ecatel network is the source of a rootkit called ZeroAccess, whose "…purpose … is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers." [1] As of this writing, the Ecatel Network is rated second in the Top 10 Bad Hosts for the 1st quarter of 2011. [2]

A malware site has only one goal: to do something bad to you, such as stealing confidential/private information or harming your computer. Admittedly, many sites under the said network are considered harmful, but of course we cannot generalize that all of them are. Still, since they come from the same network, we might consider them suspicious.

The Ecatel Network is part of the Russian Business Network (RBN), which has been known for cybercrime activities since 2007. News reports also say that Russian authorities don't give enough attention to the cybercrimes committed. [3]

A lot of articles note that this particular network is known for spammers. Spamhaus even named it "The Most Notorious Spammers." Further, it listed 15 known sites classified under Zeus Botnet Command & Control Activity, Snowshoe Spam Sources, Heavily Abused Redirect, Botnet Pharma Spammers and Cybercrime Hosting of Fake A/V Malware. [4] The network also plants rootkits on infected machines, which can monitor and control personal workstations illegally. Some sites under Ecatel also trick users with fake antivirus crimeware. This crimeware resulted in more than 250,000 computers being affected. [5]

To make our measurement of the Ecatel Network's maliciousness quantitative, let's look at the numbers: [6]

1 Zeus server
3285 malicious URLs
1076 badware instances
846 spam bots
16 spam IPs

Here are also the IP address ranges considered "dangerous" in relation to the Ecatel Network: [7]

62.41.26.0/24
62.41.27.0/24
89.248.160.0/21
89.248.168.0/24
89.248.169.0/24
89.248.170.0/23
89.248.172.0/23
89.248.174.0/24
89.248.175.0/24
93.174.88.0/21
94.102.48.0/20
94.102.49.0/24
94.102.62.0/24

Now that we know something about Ecatel and how it can affect us, I suggest we follow best practices when doing transactions over the net. Of course, it's good to have an AV with an updated set of signatures. I know that new malware emerges every day, but AV will still help somehow. We should also have a personal firewall installed, because it helps in enforcing rules. For example, a site redirection might bring you to a malicious site; if the firewall has blocked that particular IP/URL, then it can't get into your network. And try to avoid going to sites you are not familiar with. Chances are, they may be malicious. But when that happens and a pop-up says that you need to run this kind of AV, you know it is a fake AV. So don't.

Finally, as I always say when there is an infected workstation: remove it from the network immediately and run an AV with an updated set of signatures. But to be sure, the best recommendation is to re-image the system to completely remove any malware.
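The firewall/blocklist advice above can be turned into a simple detection: check each outbound destination in a proxy or firewall log against the Ecatel ranges listed in this post. The script below is an added example and is not part of the original post; the CIDR list is the one quoted above, while the proxy log lines are constructed for illustration and are not real traffic captures.

```python
"""Flag outbound connections to the Ecatel address ranges listed in the post."""
import ipaddress
import re

# Address ranges the post lists as associated with the Ecatel Network.
ECATEL_RANGES = [ipaddress.ip_network(c) for c in (
    "62.41.26.0/24", "62.41.27.0/24", "89.248.160.0/21", "89.248.168.0/24",
    "89.248.169.0/24", "89.248.170.0/23", "89.248.172.0/23", "89.248.174.0/24",
    "89.248.175.0/24", "93.174.88.0/21", "94.102.48.0/20", "94.102.49.0/24",
    "94.102.62.0/24",
)]

# Constructed sample proxy log lines: timestamp, client, destination IP, URL.
SAMPLE_LOG = """\
2011-04-02T10:14:05 client=10.0.0.15 dst=89.248.171.9 url=http://example-a.invalid/update.exe
2011-04-02T10:14:07 client=10.0.0.22 dst=93.184.216.34 url=http://example.com/
2011-04-02T10:15:41 client=10.0.0.15 dst=94.102.60.200 url=http://example-b.invalid/av.php
2011-04-02T10:16:02 client=10.0.0.31 dst=62.41.28.4 url=http://example-c.invalid/
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)")


def matching_range(ip_text):
    """Return the first listed network containing ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in ECATEL_RANGES:
        if ip in net:
            return net
    return None


def flag_connections(log_text):
    """Return (client, dst, url, range) tuples for lines whose dst is in a listed range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not have the expected fields
        net = matching_range(m["dst"])
        if net is not None:
            hits.append((m["client"], m["dst"], m["url"], str(net)))
    return hits


if __name__ == "__main__":
    for client, dst, url, net in flag_connections(SAMPLE_LOG):
        print(f"{client} -> {dst} ({net}) {url}")
```

Run against real logs, the flagged client addresses are the workstations to pull off the network and re-image, as the post recommends. Ranges like this change over time, so the list should be refreshed from the cited sources rather than hard-coded permanently.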

References:

[1] Reverse Engineering the source of the ZeroAccess crimeware rootkit from http://seclists.org/pen-test/2010/Nov/33

[2] Top 10 Bad Hosts – 2011 Q1 from http://www.hostexploit.com/

[3] Shadowy Russian Firm Seen as Conduit for Cybercrime from http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html

[4] The Spamhaus Project Reports Ecatel.net Network Host The Most Notorious Spammers Cybe from http://www.scamfraudalert.com/identity_theft_phishing_spam_blackmails/13773-spamhaus_project_reports_ecatel_net_network_host_most_notorious_spammers_cybe.html

[5] White Hat Hacker Cracks ZeroAccess Rootkit from http://www.informationweek.com/news/windows/security/228300156

[6] AS29073 – ECATEL-AS from http://badhost.info/AS29073

[7] Ecatel: Need more proof of their being crimeware? from http://hphosts.blogspot.com/2010/04/as29073-ecatel-need-more-proof-of-their.html

NETWORKING 101

By Justin Pineda

This article is intended as an introduction to basic networking concepts. It discusses the Internet, network devices, how they work and the like. We will also talk about some technical concepts so that we can better understand the networking process (i.e., how data is transmitted over a network).

Introduction

In today's world, the Internet plays a vital role in communication. Everything became easier because of the Internet. Distance is no longer a barrier. Before the arrival of the Internet, the popular ways of communicating with far-away places took time, such as sending a letter. Now it's just a click away through e-mail. We can also talk to our friends in real time through Instant Messenger (IM). Now, do you know how data is transmitted to your friend when you chat?

A normal flow of communication has a sender, a receiver and a channel. This also applies to a network, but aside from the humans, devices play their roles too. When you chat, for example, the data is translated into a series of binary digits (1s and 0s) so that the computer can understand it and send it over the proper channel. This conversion of messages into binary happens through layers and network protocols.

Elements of a Network

As mentioned, the communication process for computer networking remains the same. What we need to understand now are the things that make up communication in computer networking. There are four elements:

1. Rules

Like sending snail mail to a friend, there are procedures for sending it successfully: putting it in an envelope, writing the addresses of both the sender and the receiver on the envelope, and putting on stamps. It is the same with networking, where rules, technically termed protocols, define how data is sent.

2. Message

The message is the actual data itself. It is the file you sent through e-mail, the video you are waiting to view on YouTube, the text of the letter you sent. This is self-explanatory.

3. Medium

The medium is the element that determines how the message is carried. For example, in a typical Local Area Network (LAN), standard workstations are connected through a cable (a straight-through cable, to be exact) while laptops/netbooks connect via Wi-Fi (Wireless Fidelity).

4. Device

Of course, the device is an essential element as well. Different devices have their own roles: computers are used by the end users, these are connected to a switch, and data is transmitted from one network to another by a router.

These elements comprise the network. We will take a look at each element and give more details to each one of them.

Network Architecture

If you are tasked to create a network, what will your basis be? Will you just buy workstations and connect them to a switch? There are concepts you need to consider in order to build a good network. You need to design your network based on the following key factors:

1. Fault Tolerance

In creating a network, you shouldn't think only of an ideal scenario where everything is all right. You have to think of the possible problems your network might encounter. For example, you connect all your workstations to one switch. You find it very easy to do, set up and configure. But what happens if the switch goes down? Then your network goes down as well. Fault tolerance refers to the capability of the network to withstand interruptions to its service. So in most cases there are backup servers, generators and planned network topologies to address this concern.

2. Scalability

So you have created a fault-tolerant network that is good for the users in it. But is your network ready for a dynamic environment? Have you considered that the network may grow and will require more space, bandwidth, etc.? Scalability refers to the capability of the network to adjust to changes in its components, whether that is the number of users or of devices.

3. Security

When you design your network, considerations must be made to group workstations based on security importance. What is security in this context? Security means giving only the access that a particular type of user needs. For example, company reference materials should only be available within the company's network; external users should not be able to access these files. These access privileges should be determined in the network design. The example I gave is what we call an Intranet, meaning access only "inside" the local network. You have to consider which parts of the network should be given Admin access, User access and Guest access.

4. Quality of Service (QoS)

The demand for network bandwidth varies with the type of work people do. Who is more likely to consume more network bandwidth, the cashier or the web developer? You need to give priority to the ones who need more. In a field like IT Security, Security Analysts like me need more bandwidth because we are all connected to the Internet and all our work relies on having good network access.

Network Communication

So let's say you try to send an e-mail through http://mail.yahoo.com. The first thing you do is type the Uniform Resource Locator (URL) of the website, http://mail.yahoo.com. The URL corresponds to an Internet Protocol (IP) address, which is represented by numbers. We have URLs so that we don't need to remember numerical addresses; instead, we just type the name we associate with the site, like "mail" and "yahoo." A particular protocol, the Domain Name System (DNS), resolves the URL to its corresponding IP address. So think of the IP address as the website's ID and the URL as the website's name.

The image above shows how data from the personal workstation travels to http://mail.yahoo.com, which has the IP address 203.84.219.114.

I just showed you how data travels to the Yahoo domain. When the website appears in a web browser like Internet Explorer or Mozilla Firefox, the data from the Yahoo site comes into your network and is displayed. So data understandable by the user goes through different layers, which translate it into data understandable by machines that can travel through different media (such as cables, the atmosphere, etc.). A reference model is used to classify protocols per layer: the Open Systems Interconnection (OSI) model. The OSI model has 7 layers, defined to give us an understanding of how data is transmitted and retransmitted.

So, going back to the Yahoo mail site, the user interface that we see in the web browser is in the Application Layer of the OSI model. This is the topmost layer of the OSI model. It is quite easy to understand, since the Application Layer presents the data to the user. For this example, the protocol used is the Hyper Text Transfer Protocol (HTTP). HTTP is the protocol used to browse web pages. There are a lot of Application Layer protocols aside from HTTP.

The next layer is the Presentation Layer. Its main responsibilities are compression/decompression, encoding, conversion and encryption/decryption. For example, when you load a page over HTTP and try to save an image, the default "Save As" type is the image type the site dictated, like .jpg, .gif, etc. The same is true for video and media files. Some proprietary sites have their own extensions.

After the data is compressed, converted and encoded, the next layer checks the status of the data and of the connection. Did the data go to the correct destination? Is the connection active or not? Is the device idle, or has it been receiving information?

Let's now go to the next layer, the Transport Layer. This layer is responsible for determining the kind of service the client/server are running and directing traffic for that service to the right port. For example, when you visit http://mail.yahoo.com, you go to the IP address 203.84.219.114. This particular domain might be running different services. If you open its site through HTTP, you are actually connecting to Yahoo's domain through port 80. If you are trying to send an e-mail through Yahoo mail, a connection is made through port 25, which is the Simple Mail Transfer Protocol (SMTP).

There are two popular protocols in the Transport Layer: the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP). The former is connectionless while the latter is connection-based. Some services are considered essential enough that a connection must be established first to make sure the data is received successfully. The three-way handshake is the process TCP uses to ensure that a connection is established before transmitting data. For example, in SMTP, the sure way to send an e-mail is to establish a connection between the client and the server. Otherwise, we are not sure whether the data was sent properly or not.
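To see the "connection first, data second" rule in practice, the following added example (not part of the original article) opens a TCP connection on the loopback interface. The operating system performs the three-way handshake inside connect()/accept(); only after that does the server send its greeting. The server, its port (chosen by the OS) and the greeting banner are all constructed for this example, and connecting to a port where nothing listens shows the refused-connection case.

```python
"""Observe a TCP connection being established before any data is exchanged."""
import socket
import threading

GREETING = b"220 example-service ready\r\n"  # constructed service banner


def start_server():
    """Listen on a free loopback port; serve one client; return (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()        # returns once the three-way handshake is done
        with conn:
            conn.sendall(GREETING)    # application data flows only after that
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def connect_and_read(port, timeout=2.0):
    """Connect to 127.0.0.1:port and return the banner, or "refused" if no service listens."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            return c.recv(64)
    except ConnectionRefusedError:
        return "refused"  # the handshake never completed: nothing listens there


def find_closed_port():
    """Pick a port that is currently free, so that connecting to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, t = start_server()
    print("open port", port, "->", connect_and_read(port))
    t.join()
    closed = find_closed_port()
    print("closed port", closed, "->", connect_and_read(closed))
```

The same distinction is what a port scanner observes from the outside and what an IDS sees when many handshakes are attempted against ports that refuse them; from the defender's side, a burst of refused connections from one source is the signal worth alerting on.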

So far we have learned how services are reached through ports. But before we're able to send the data to the right service, we have to send it to the right network. This is what makes the IP address necessary, and it belongs to the next layer, the Network Layer. An IP address can be private or public. A private IP is an address given by a router for use on a local network. These include the IP families 192.168.x.x, 172.x.x.x and 10.x.x.x; any IP address in those families is considered private. Public IPs are the other numbers, and they don't exceed 255.255.255.255. There are other conditions, but for simplicity's sake, public IPs are those that host a site for a particular organization.

Each Local Area Network (LAN) has a gateway. When a host tries to send data to another IP, it first checks whether the destination IP is within its own network. If it is, the data is sent directly to it. In most cases, however, the destination is outside the LAN. A target IP that is not found on the LAN is sent to the default gateway, which passes the data along other routes to find the right destination. A router has three options: forward the packet to the next route, deliver the packet to its destination, or drop the packet. Routing protocols provide the mechanisms for determining the best paths for data routing.
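The decision a host makes in the paragraph above, "is the destination on my LAN, or does it go to the default gateway?", is a subnet comparison. The added example below (not from the original article) performs it with Python's ipaddress module for a constructed host on 192.168.1.10/24 with gateway 192.168.1.1; the private/public label comes from the module's RFC 1918 check, and the destinations include the Yahoo mail address quoted in the article.

```python
"""Decide whether a destination is on the local LAN or must go via the default gateway."""
import ipaddress


def next_hop(host_ip, prefix_len, gateway_ip, dst_ip):
    """Return "direct" if dst_ip is inside the host's subnet, otherwise the gateway address."""
    lan = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    dst = ipaddress.ip_address(dst_ip)
    if dst in lan:
        return "direct"                      # same LAN: deliver to the host itself
    return str(ipaddress.ip_address(gateway_ip))  # elsewhere: hand to the router


def classify(dst_ip):
    """Label an address private or public using ipaddress's RFC 1918 check."""
    ip = ipaddress.ip_address(dst_ip)
    return "private" if ip.is_private else "public"


# Constructed example host: 192.168.1.10/24 with default gateway 192.168.1.1.
HOST, PREFIX, GATEWAY = "192.168.1.10", 24, "192.168.1.1"
# Constructed destinations: a LAN peer, a host on another private network,
# and the mail.yahoo.com address given in the article.
DESTINATIONS = ["192.168.1.25", "10.0.0.5", "203.84.219.114"]


def route_table(destinations=DESTINATIONS):
    """Map each destination to (private|public, next hop)."""
    return {d: (classify(d), next_hop(HOST, PREFIX, GATEWAY, d)) for d in destinations}


if __name__ == "__main__":
    for dst, (kind, hop) in route_table().items():
        print(f"{dst:16} {kind:8} -> {hop}")
```

Note that 10.0.0.5 is private yet still leaves through the gateway: "private" describes the address range, while "direct versus gateway" depends only on whether the destination falls inside the sender's own subnet.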

Attack of the Day: The FTP Bounce Attack

I encountered an IDS signature stating that a user accessed an FTP site but that a possible FTP Bounce Attack might occur. Why is that so?

The severity of this attack is high because it indicates potential port scanning activity as well as the bypassing of basic packet filtering and export restrictions through FTP. (Fortiguard, 2006)

How does the FTP Bounce Attack work? For an FTP session to occur, the client first connects to the FTP server's control port, port 21. A second, data connection is then made between the two so that when the client wants to download something from the server, the latter can send the data back. To set this up, the client uses the 'PORT' command to send its own IP address and an arbitrary free port on which the data connection is to be established.

The attack takes place in the 'PORT' command, because the attacker can alter it and send a different IP address and port to the FTP server.

With the 'PORT' command, the attacker can port scan another host on the Internet through a third-party FTP server, or even bypass filtering devices. (Telindus, 2003)

What can we do to prevent this attack? If the root cause is the 'PORT' command, then the solution is to limit the 'PORT' command to its intended purpose: sending the client's own legitimate IP address and port number.

A package called wu-ftpd addresses the FTP bounce problem by ensuring that the 'PORT' command cannot be used to make connections to machines other than the original client. (CERT, 1997)
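The check the post attributes to wu-ftpd can be written down in a few lines: parse the six-number argument of 'PORT', rebuild the address and port it encodes, and accept it only if the address equals the peer address of the control connection. The example below is added here and is not wu-ftpd's code; it adds one further check the post does not mention, rejecting ports below 1024 (the common hardening recommended in RFC 2577), and the PORT lines and client address are constructed samples.

```python
"""Validate an FTP PORT command against the control-connection peer address."""
import ipaddress


def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip_string, port). Raises ValueError on bad input."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]          # ValueError if a field is not numeric
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each field must be 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]           # p1 is the high byte, p2 the low byte
    return ip, port


def validate_port(line, control_peer_ip):
    """Return (ok, reply). ok is True only if PORT points back at the connecting client."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as e:
        return False, f"501 Syntax error: {e}"
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        # The address is not the client's own: this is the bounce condition.
        return False, "500 Illegal PORT command: address does not match control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port"
    return True, "200 PORT command successful"


# Constructed samples: the client's control connection comes from 192.0.2.10.
CLIENT_IP = "192.0.2.10"
SAMPLES = [
    "PORT 192,0,2,10,4,1",       # own address, port 1025 -> accepted
    "PORT 198,51,100,7,4,1",     # third-party address -> rejected
    "PORT 192,0,2,10,0,25",      # own address but port 25 -> rejected
    "PORT 192,0,2,10,4",         # malformed -> syntax error
]


def check_samples():
    """Run every sample through validate_port and return the (ok, reply) pairs."""
    return [validate_port(s, CLIENT_IP) for s in SAMPLES]


if __name__ == "__main__":
    for line, (ok, reply) in zip(SAMPLES, check_samples()):
        print(f"{line:28} -> {reply}")
```

The second sample is exactly what the IDS signature in the post is looking for: a PORT argument naming a host other than the one that opened the control connection. Logging the mismatch with both addresses gives the analyst what they need to tell a bounce attempt from a client behind a misconfigured NAT.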

Creating a Device Normalizer

Device Normalizer Paper – ACM-formatted journal

Hello!

Today I will share my research and implementation of one of the modules of our undergraduate thesis, the Adaptable Software-based Log Consolidation and Incident Management (AdLCIM): the Log Normalizer Module. This module is very important for standardizing the logs gathered for network monitoring. The module is adaptable to other projects that need normalization or deal with related topics.

Some prerequisites

There are some prerequisites for understanding this article, although the required level of knowledge doesn't have to be very advanced: object-oriented programming, basic C# syntax and dynamic loading. To follow the article itself, a C# environment should be installed on a Windows platform.

Brief background re AdLCIM

Our thesis AdLCIM is basically a network monitoring tool that accepts logs coming from different network devices in a LAN. The system collects the logs and analyzes them, but before the logs are analyzed, they must be put into a standardized form. Although the logs sent to the system share a format (Syslog, per RFC 3164), the message still differs from one device to another because of device type or proprietary differences. This makes the role of the Log Normalizer Module essential. If the system can standardize the collected logs in a way the user can easily understand, monitoring the whole network becomes much easier. And since the system is adaptable to new devices, it can be useful in future deployments/updates/versions just by creating new normalizers. To cut the story short, the standardized logs are summarized and correlated. The logs are classified as normal, attack or alert logs. Attack logs are handled by an incident manager, while alert logs are given recommendations for resolution.

Building Device Normalizers

The research paper we wrote on log normalization is linked at the start of this article, although it's very boring to read; I put it there for reference. A very important characteristic of AdLCIM is that it is adaptable to new devices, which means it must also be able to standardize the logs of new devices. But of course, handling a new device should not require the whole system to be rebuilt for its sake; only the program for the new device should need to be compiled so that it can connect to the system. To solve this, dynamic loading is necessary. In this sense, dynamic loading is the ability to run a program together with a newly deployed program (connected to it) without recompiling the original system.

In the Visual C# environment, some configuration is needed to invoke dynamic loading. Here is the necessary code:

using System;
using System.Reflection;

public static class NormalizerLoader
{
    // Loads the assembly named by AssemblyName at run time, finds the class whose
    // full name ends with ClassName, instantiates it and invokes MethodName on it
    // with the supplied arguments. Returns whatever the invoked method returns.
    public static Object FindNormalizer(string AssemblyName,
        string ClassName, string MethodName, Object[] args)
    {
        // Load Assembly
        Assembly assembly = Assembly.LoadFrom(AssemblyName);

        // Get Class
        foreach (Type type in assembly.GetTypes())
        {
            if (type.IsClass == true)
            {
                if (type.FullName.EndsWith("." + ClassName))
                {
                    // Activate Class
                    object ClassObj = Activator.CreateInstance(type);

                    // Dynamically Invoke the method
                    object Result = type.InvokeMember(MethodName,
                        BindingFlags.Default | BindingFlags.InvokeMethod,
                        null,
                        ClassObj,
                        args);
                    return (Result);
                }
            }
        }
        throw (new System.Exception("Could not invoke method"));
    }
}

The code shown above is what invokes dynamic loading. In the first lines you will see the library that lets assemblies be called: System.Reflection. This library is capable of invoking and manipulating dynamically loaded classes. We won't dig deeper into its other functionality, but this is more or less its major function.

The FindNormalizer method has 4 parameters: assembly name, class name, method name and method parameters. This is easy to analyze, since any source code has a file name (the assembly name), a class, a method and parameters. These are the main things you have to supply in order to invoke something dynamically. Once they are supplied, the dynamically loaded program runs when FindNormalizer is called with its fields filled in.

Classifying Normalizer Type

When the AdLCIM is run, it accepts logs from network devices but from recognized ones. Meaning if a device tries to send logs but it is not recognized in the database then no log is recorded. A recognized device is a device given with proper identification such as a hostname, device type, device specification and device details. An example can be the laptop I’m using right now. Its hostname is Plato-DaAcademy, device type is COMPUTER, device specification is WINDOWS and device detail is 7. This process is required to other devices to be able to have its logs recorded to the database.

The importance of identifying devices is for you to know what devices you’re monitoring. Getting logs from unrecognized devices may bring confusion to log analysis. Thus, if there’s no device identification, then any device can just send logs, even ones that are not needed for monitoring. Another reason is the normalization process, which is explained in the next paragraph.

As seen in the first code above, the FindNormalizer method has 4 parameters. The first parameter is the assembly name, or the file name of the normalizer to be opened. The assembly name is classified based on the device type and device specification of the hostname that wants to send a log. So for example, the hostname Plato-DaAcademy (from the previous example) tries to send a log. The system will look up the device type and device specification of Plato-DaAcademy, and after that its assembly name can be classified. For this example the device type and device specification are COMPUTER and WINDOWS. Therefore the assembly name that will be opened is “COMPUTER_WINDOWS_NORMALIZER.dll”.

The second parameter is the class name, which follows the same format as the assembly name. Therefore the class name for the previous example is still COMPUTER_WINDOWS. The third parameter is the method, which in the system is standardized as “Normalize”. All devices have a method “Normalize” which literally normalizes a log based on the standard imposed on them. The fourth parameter is the parameter list of the method, which is an object array because there can be multiple parameters of different data types.
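The steps just described (look up the device type and specification for the sending hostname, build the DEVICETYPE_DEVICESPEC_NORMALIZER name from them, load that DLL and invoke “Normalize”) can be carried out with a few checks along the way. The following is an added example written for this article, not AdLCIM’s own code: the database lookup uses a parameterized query because the hostname arrives in the syslog message from the network, the two tokens that become a file name are validated before they are joined, and the loaded path is checked to be inside an assumed normalizers directory. The directory layout, the IDb* data layer and the exact-name type match are assumptions, not the project’s API.

```csharp
using System;
using System.Data;
using System.IO;
using System.Reflection;
using System.Text.RegularExpressions;

namespace AdLCIM.Example
{
    // Added example (not the project's own code): resolves a hostname to its
    // normalizer with a parameterized query, validates the name, then loads
    // and invokes the matching assembly the way FindNormalizer does.
    public static class SafeNormalizerLoader
    {
        // A device type or spec is one uppercase token, e.g. COMPUTER, WINDOWS, IDS, SNORT.
        private static readonly Regex Token = new Regex(@"^[A-Z0-9]{1,32}$", RegexOptions.Compiled);

        // Directory holding the normalizer DLLs (assumed layout, not from the article).
        private static readonly string NormalizerDir =
            Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "normalizers");

        // The hostname comes from the syslog sender, so it is bound as a parameter
        // instead of being spliced into the SQL text. Returns false for an
        // unrecognized device, which the article says must not have its log recorded.
        public static bool TryGetDevice(IDbConnection conn, string hostname,
                                        out string deviceType, out string deviceSpec)
        {
            deviceType = deviceSpec = null;
            using (IDbCommand cmd = conn.CreateCommand())
            {
                cmd.CommandText =
                    "SELECT devicetype, devicespec FROM identified_device WHERE hostname = @hostname";
                IDbDataParameter p = cmd.CreateParameter();
                p.ParameterName = "@hostname";
                p.Value = hostname;
                cmd.Parameters.Add(p);
                using (IDataReader r = cmd.ExecuteReader())
                {
                    if (!r.Read()) return false;
                    deviceType = r.GetString(0);
                    deviceSpec = r.GetString(1);
                    return true;
                }
            }
        }

        // DEVICETYPE_DEVICESPEC_NORMALIZER, the naming rule the article describes.
        // Both tokens must be plain identifiers so the result can never contain a path.
        public static string BuildNormalizerName(string deviceType, string deviceSpec)
        {
            if (deviceType == null || deviceSpec == null ||
                !Token.IsMatch(deviceType) || !Token.IsMatch(deviceSpec))
                throw new ArgumentException("device type and spec must match [A-Z0-9]+");
            return deviceType + "_" + deviceSpec + "_NORMALIZER";
        }

        public static object Invoke(string deviceType, string deviceSpec,
                                    string methodName, object[] args)
        {
            string name = BuildNormalizerName(deviceType, deviceSpec);
            string root = Path.GetFullPath(NormalizerDir) + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, name + ".dll"));

            // The token check above already rules out separators; this makes the
            // containment explicit for anyone who later relaxes the pattern.
            if (!full.StartsWith(root, StringComparison.Ordinal))
                throw new InvalidOperationException("normalizer path escapes " + root);
            if (!File.Exists(full))
                throw new FileNotFoundException("no normalizer for this device", full);

            Assembly assembly = Assembly.LoadFrom(full);

            // Exact simple-name match rather than EndsWith("." + name), so a class
            // whose name merely ends with the expected text is not picked up.
            Type type = Array.Find(assembly.GetTypes(), t => t.IsClass && t.Name == name);
            if (type == null)
                throw new TypeLoadException("class " + name + " not found in " + full);

            MethodInfo method = type.GetMethod(methodName,
                BindingFlags.Public | BindingFlags.Static | BindingFlags.Instance);
            if (method == null)
                throw new MissingMethodException(name, methodName);

            // Normalize is static in the Snort normalizer; instantiate only when needed.
            object target = method.IsStatic ? null : Activator.CreateInstance(type);
            return method.Invoke(target, args);
        }
    }
}
```

A caller would run `TryGetDevice(conn, hostname, out type, out spec)` first and drop the message when it returns false, then `Invoke(type, spec, "Normalize", new object[] { timestamp, hostname, facility, severity, message })`. The validation is what keeps the two database fields from ever turning into anything other than a file name inside the plugin directory.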

Below is a normalizer for an Intrusion Detection System called Snort.

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using AdLCIM.Logic;   // SuperNormalizer (getFacility, getSeverity, EventSnipe, ...) is declared in AdLCIM.Logic

namespace LogNormalizer
{
    class IDS_SNORT_NORMALIZER : SuperNormalizer
    {
        // Looks up the Snort alert text in the "original message, normalized name" table
        // and returns the normalized attack name, or "OTHERS" when it is not listed.
        static string searchNormalizeAttack(string attackMessage)
        {
            string attackNotFound = "OTHERS";
            using (StreamReader sr = new StreamReader("c:\\AdLCIM_SnortNormalizedAttacks.txt"))
            {
                string readLine;
                // ReadLine returns null at end of file, so an empty or exhausted file ends the loop
                while ((readLine = sr.ReadLine()) != null)
                {
                    Console.WriteLine(readLine);
                    int checkComma = readLine.IndexOf(',');
                    if (checkComma < 0)
                        continue;   // skip lines that have no "original, normalized" separator
                    string checkOriginal = readLine.Substring(0, checkComma);
                    Console.WriteLine(checkOriginal);
                    if (String.Compare(attackMessage, checkOriginal) == 0)
                    {
                        // Drop the ", " that separates the original message from its normalized name
                        string normalizedAttackMessage = readLine.Remove(0, checkComma + 2);
                        Console.WriteLine(normalizedAttackMessage);
                        Console.WriteLine("END");
                        return normalizedAttackMessage;
                    }
                }
            }
            return attackNotFound;
        }

        public static string parseSyslog(string SnortMessage)
        {
            try
            {
                string normalizedSnortMessage;
                string getNormalizeAttackNow;
                int result, result2, result3, result4, result5, result6, result7, result8, result9;
                string message, message2, message3, message4, message5, message6;
                string attackMessage, protocol, srcIP, srcPort, destIP, destPort;

                // Skip the "[gid:sid:rev]" prefix; the alert text runs up to the "[Classification: ...]" block
                result = SnortMessage.IndexOf(']');
                message = SnortMessage.Remove(0, result);
                result2 = message.IndexOf(' ');
                message2 = message.Remove(0, result2 + 1);
                result3 = message2.IndexOf('[');
                attackMessage = message2.Substring(0, result3);
                attackMessage = attackMessage.Substring(0, attackMessage.Length - 1);
                Console.WriteLine(attackMessage);

                // The protocol is enclosed in braces, e.g. "{TCP}"
                result9 = message2.IndexOf('{');
                message3 = message2.Remove(0, result9);
                Console.WriteLine(message3);
                result4 = message3.IndexOf('}');
                protocol = message3.Substring(1, result4 - 1);
                Console.WriteLine(protocol);

                if (protocol == "TCP" || protocol == "UDP")
                {
                    // Remainder has the form "srcIP:srcPort -> destIP:destPort"
                    message4 = message3.Remove(0, result4 + 2);
                    result5 = message4.IndexOf(':');
                    srcIP = message4.Substring(0, result5);
                    message5 = message4.Remove(0, result5);
                    result6 = message5.IndexOf(' ');
                    result7 = message5.IndexOf('>');
                    srcPort = message5.Substring(1, result6 - 1);
                    message6 = message5.Remove(0, result7 + 2);
                    result8 = message6.IndexOf(':');
                    destIP = message6.Substring(0, result8);
                    destPort = message6.Remove(0, result8 + 1);
                    getNormalizeAttackNow = searchNormalizeAttack(attackMessage);
                    normalizedSnortMessage = getNormalizeAttackNow + ", " + protocol + ", " + srcIP + ", " + srcPort + ", " + destIP + ", " + destPort;
                    Console.WriteLine("Attack found: " + normalizedSnortMessage);

                    EventSnipe(destIP, destPort);
                    return normalizedSnortMessage;
                }
                else if (protocol == "ICMP")
                {
                    // Remainder has the form "srcIP -> destIP"; ICMP has no ports, so they are recorded as "X"
                    message4 = message3.Remove(0, result4 + 2);
                    Console.WriteLine(message4);
                    result5 = message4.IndexOf('-');
                    srcIP = message4.Substring(0, result5 - 1);
                    Console.WriteLine(srcIP);
                    result6 = message4.IndexOf('>');
                    destIP = message4.Remove(0, result6 + 2);
                    Console.WriteLine(destIP);
                    getNormalizeAttackNow = searchNormalizeAttack(attackMessage);
                    normalizedSnortMessage = getNormalizeAttackNow + ", " + protocol + ", " + srcIP + ", X, " + destIP + ", X";
                    Console.WriteLine(normalizedSnortMessage);
                    return normalizedSnortMessage;
                }
                // Unknown protocol: hand the raw message back unchanged
                return SnortMessage;
            }
            catch (Exception er)
            {
                Console.WriteLine("Cannot parse logs. " + er.Message);
                return SnortMessage;
            }
        }

        public static void Normalize(DateTime timestamp, string hostname, int facility, int severity, string message)
        {
            string DeviceType;
            string DeviceSpec;
            string Facility;
            string Severity;
            string Impact;
            string Priority;
            string ParseMessage;

            Console.WriteLine("\nNormalizing Syslog Message now...");
            Facility = getFacility(facility);
            Severity = getSeverity(severity);
            Priority = getPriority(facility, severity);

            Impact = getImpact(facility, severity);
            DeviceType = GetDeviceTypeFromHostname(hostname);
            DeviceSpec = GetDeviceSpecFromHostname(hostname);
            ParseMessage = parseSyslog(message);

            Console.WriteLine("\nLog successfully normalized. Sending to consolidator...");
            checkNormalizedMessageIfAlreadyExists(timestamp, hostname, DeviceType, DeviceSpec, Facility, Severity, ParseMessage, Priority);
        }

    } // END OF IDS_SNORT_NORMALIZER CLASS
}

The second code you see is a normalizer for a device with device type IDS and device specification SNORT. The program is dynamically invoked once a hostname with type IDS and specification SNORT tries to send a log. The Normalize method has 5 parameters, which will all be used for normalization. The parseSyslog method is responsible for fixing the logs into a standardized format. The searchNormalizeAttack method, on the other hand, reads a text file wherein all possible attacks are listed together with their standardized names. An example log coming from a SNORT IDS is:

snort: [1:100000:0] THE BACKDOOR TINI HAS BEEN DETECTED [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.16.4.106:1050 -> 172.16.4.101:7777

After passing through the IDS_SNORT_NORMALIZER.dll, the log becomes:

TINI, TCP, 172.16.4.106, 1050, 172.16.4.101, 7777

The log is now standardized into a format with Attack Name, Protocol Type, Src IP, Src Port, Dest IP, Dest Port. This is the standardized log format for all IDSs, whether SNORT or another IDS. So for instance, if there’s a new IDS called “YATCO IDS” and it has a different format, then an IDS_YATCO_NORMALIZER.dll must be created in order to make its logs look like the standardized log. For other device types, different standardization methods are defined, so it’s up to the administrator to follow them.
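The IndexOf/Substring chain in parseSyslog depends on every field being exactly where the sample alert has it; a single missing space or an absent “[Classification: …]” block shifts the offsets and the whole message falls through to the catch. The following added example, written for this article rather than taken from AdLCIM, does the same normalization with one regular expression that names each field, treats the classification block as optional, reports “X” for the ports of portless protocols (as the ICMP branch does), and reads the “original message, normalized name” table from any TextReader so it can be tested without the C:\ file. The second input and the lookup table contents are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

namespace AdLCIM.Example
{
    // Added example (not the project's code): regex-based Snort alert parser that
    // emits the article's "Attack, Protocol, SrcIP, SrcPort, DestIP, DestPort" record.
    public static class SnortNormalizer
    {
        // [gid:sid:rev] message [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
        // The classification block is optional; IPv4 addresses only, which is what the article's logs carry.
        private static readonly Regex Alert = new Regex(
            @"\[\d+:\d+:\d+\]\s+(?<msg>.+?)\s+(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*\d+\]\s+" +
            @"\{(?<proto>[A-Z]+)\}\s+(?<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?<sport>\d+))?\s+->\s+" +
            @"(?<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?<dport>\d+))?\s*$",
            RegexOptions.Compiled);

        // Constructed sample of the "original message, normalized name" table that the
        // article keeps in AdLCIM_SnortNormalizedAttacks.txt.
        public const string SampleTable =
            "THE BACKDOOR TINI HAS BEEN DETECTED, TINI\n" +
            "EXAMPLE ICMP SWEEP, SWEEP\n" +
            "line without a separator\n";

        public static Dictionary<string, string> LoadAttackTable(TextReader reader)
        {
            var table = new Dictionary<string, string>(StringComparer.Ordinal);
            string line;
            while ((line = reader.ReadLine()) != null)   // null at EOF, so an empty table is harmless
            {
                int comma = line.IndexOf(',');
                if (comma < 0) continue;                  // skip malformed lines instead of throwing
                table[line.Substring(0, comma).Trim()] = line.Substring(comma + 1).Trim();
            }
            return table;
        }

        // Returns the standardized record, or null when the input is not a Snort alert
        // (the caller can then keep the raw message, as parseSyslog does).
        public static string Normalize(string snortMessage, IDictionary<string, string> attacks)
        {
            Match m = Alert.Match(snortMessage);
            if (!m.Success) return null;

            string name;
            if (!attacks.TryGetValue(m.Groups["msg"].Value, out name))
                name = "OTHERS";                           // unknown alert text, same default as the article

            string sport = m.Groups["sport"].Success ? m.Groups["sport"].Value : "X";
            string dport = m.Groups["dport"].Success ? m.Groups["dport"].Value : "X";
            return string.Join(", ", new[] {
                name, m.Groups["proto"].Value, m.Groups["src"].Value, sport, m.Groups["dst"].Value, dport });
        }

        public static void Main()
        {
            var attacks = LoadAttackTable(new StringReader(SampleTable));

            // The TCP alert quoted in the article.
            Console.WriteLine(Normalize(
                "snort: [1:100000:0] THE BACKDOOR TINI HAS BEEN DETECTED [Classification: A Network Trojan was Detected] " +
                "[Priority: 1] {TCP} 172.16.4.106:1050 -> 172.16.4.101:7777", attacks));

            // Constructed ICMP alert without a classification block and without ports.
            Console.WriteLine(Normalize(
                "snort: [1:1000001:1] EXAMPLE ICMP SWEEP [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9", attacks));

            // Something that is not a Snort alert is reported rather than crashing the normalizer.
            Console.WriteLine(Normalize("snort: not an alert", attacks) ?? "not a Snort alert");
        }
    }
}
```

The first input is the article’s own sample alert, and with the sample table it yields the same standardized line the article shows for it; the second exercises the portless ICMP form and the optional classification block. Keeping the table in a TextReader-backed loader rather than opening the file inside the match loop also means the file is read once per batch instead of once per alert.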

I hope this article is able to help you understand how to create a device normalizer and more importantly, make you realize how important it is to normalize logs. And of course, dynamically load assemblies without recompiling the whole program.


using System;
using System.Reflection;

namespace AdLCIM.Logic
{
    public class SuperNormalizer
    {
        public static string GetNormalizerType(string hostname)
        {
            // NOTE: the hostname arrives from the syslog sender and is concatenated straight into the
            // SQL text below; binding it as a query parameter through DataAccess would be the safer form.
            string sqlCommand1 = "SELECT devicetype from identified_device where hostname='" + hostname + "'";
            string sqlCommand2 = "SELECT devicespec from identified_device where hostname='" + hostname + "'";
            string devicetype, devicespec;
            devicetype = AdLCIM.Data.DataAccess.GetValueFromDatabase(sqlCommand1, "devicetype");
            devicespec = AdLCIM.Data.DataAccess.GetValueFromDatabase(sqlCommand2, "devicespec");
            Console.WriteLine("Normalizer:" + devicetype + "_" + devicespec + "_" + "NORMALIZER");
            return devicetype + "_" + devicespec + "_" + "NORMALIZER";
        }

        public static Object FindNormalizer(string AssemblyName,
                                            string ClassName, string MethodName, Object[] args)
        {
            // Load Assembly
            Assembly assembly = Assembly.LoadFrom(AssemblyName);

            // Get Class
            foreach (Type type in assembly.GetTypes())
            {
                if (type.IsClass == true)
                {
                    if (type.FullName.EndsWith("." + ClassName))
                    {
                        // Activate Class
                        object ClassObj = Activator.CreateInstance(type);

                        // Dynamically Invoke the method
                        object Result = type.InvokeMember(MethodName,
                            BindingFlags.Default | BindingFlags.InvokeMethod,
                            null,
                            ClassObj,
                            args);
                        return (Result);
                    }
                }
            }
            throw (new System.Exception("Could not invoke method"));
        }

    } // END OF CLASS: public class SuperNormalizer
}