Syslog


Introduction

This tutorial discusses the plugin syslogDecode. It extracts the relevant information (facility, severity and message text) from the Syslog protocol, which is used to convey any sort of message logging, typically over UDP port 514.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow syslogDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do so now in another bash window; it simplifies the workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: syslog.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing Syslog traffic!

syslogDecode

Let's look at the plugin configuration first. Change into the plugin directory (typing the plugin name does that once the t2 aliases are loaded in your shell) and open its header:

syslogDecode

vi src/syslogDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define SYSL_FSN 0 // Format for Syslog severity/facility messages:
                   //   0: Numbers
                   //   1: Names

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*       No env / runtime configuration flags available for syslogDecode      */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Let's configure human-readable names in the output, recompile the plugin and run t2 on the supplied pcap. The -s option additionally enables packet mode, so a packet file is produced next to the flow file:

t2conf syslogDecode -D SYSL_FSN=1 && t2build syslogDecode

t2 -r ~/data/syslog.pcap -w ~/results/ -s

The aggregated syslogStat column currently has only one bit, which states that syslog was detected. tawk decodes the bit field for you:

tawk -V syslogStat=0x01

The syslogStat column with value 0x01 is to be interpreted as follows:

   bit | syslogStat | Description
   =============================================================================
     0 | 0x01       | Syslog detected

If you look into the flow file, you will see one aggregated row per flow: syslogMCnt is the number of distinct severity/facility pairs seen in the flow, and syslogSev_Fac_Cnt lists every pair as severity_facility_count, separated by semicolons. Because SYSL_FSN=1 is set, severity and facility are printed as names (e.g. Notice_local7_14 means 14 messages with severity Notice and facility local7).

tcol ~/results/syslog_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg                          srcPort  dstIP            dstIPCC  dstIPOrg                          dstPort  l4Proto  syslogStat  syslogMCnt  syslogSev_Fac_Cnt
A     4        0x0400000200004000  1049480707.053999  1049480707.053999  0.000000  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              198.209.154.254  us       "University of Missouri - dba t"  7636     207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        1           Debug_local7_2
A     5        0x0400000200004000  1049480707.685000  1049480707.685000  0.000000  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              204.184.55.252   us       "University of Missouri - dba t"  4657     207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        1           Notice_local7_2
A     3        0x0408000200004000  1049480704.761000  1049480708.256000  3.495000  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              207.160.218.254  us       "University of Missouri - dba t"  52553    207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        1           Notice_local7_14
A     6        0x0400000200004000  1049480708.476000  1049480708.476000  0.000000  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              207.160.67.254   us       "University of Missouri - dba t"  52553    207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        1           Notice_local7_2
A     1        0x0408000200004000  1049480704.380000  1049480709.386999  5.006999  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              150.199.14.10    us       "University of Missouri-Columbi"  49392    207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        2           Error_local7_2;Notice_local7_2
A     2        0x0408000200004000  1049480704.390000  1049480709.416999  5.026999  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              207.160.203.50   us       "University of Missouri - dba t"  50654    207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        3           Error_local7_2;Warning_local7_2;Notice_local7_2
A     7        0x0400000200004000  1049480709.437000  1049480709.437000  0.000000  1           3        eth:ipv4:udp  00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800              207.160.203.249  us       "University of Missouri - dba t"  6638     207.160.133.205  us       "University of Missouri - dba t"  514      17       0x01        1           Warning_local7_2

In packet mode every syslog message gets its own row with its severity (syslogSev), facility (syslogFac) and message text (syslogMsg); the raw payload is also available in the l7Content column. Note that the PRI value in angle brackets at the start of each message encodes both fields (priority = facility * 8 + severity, so <189> is local7/Notice):

tcol ~/results/syslog_packets.txt

%pktNo  flowInd  flowStat            time               pktIAT     flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP            srcIPCC  srcIPOrg                        srcPort  dstIP            dstIPCC  dstIPOrg                        dstPort  l4Proto  syslogStat  syslogSev  syslogFac  syslogMsg                                                                                                                                                                         l7Content
1       1        0x0400000200004000  1049480704.380000  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   150.199.14.10    us       University of Missouri-Columbi  49392    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>127487: Apr  4 11:25:03: %LINK-5-CHANGED: Interface Async44, changed state to r
2       2        0x0400000200004000  1049480704.390000  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.203.50   us       University of Missouri - dba t  50654    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>186456: Apr  4 11:25:03: %LINK-5-CHANGED: Interface Async75, changed state to r
3       3        0x0400000200004000  1049480704.761000  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432551: *May 11 00:38:12: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
4       3        0x0400000200004000  1049480704.761000  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432552: *May 11 00:38:12: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
5       3        0x0400000200004000  1049480706.083000  1.322000   1.322000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432553: *May 11 00:38:13: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
6       3        0x0400000200004000  1049480706.092999  0.009999   1.331999      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432554: *May 11 00:38:14: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
7       3        0x0400000200004000  1049480706.103000  0.010001   1.342000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432555: *May 11 00:38:14: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
8       4        0x0400000200004000  1049480707.053999  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   198.209.154.254  us       University of Missouri - dba t  7636     207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Debug      local7     <191>1284891: 9w5d: IP-EIGRP: Neighbor 198.209.154.1 not on common subnet for Etherne
9       3        0x0400000200004000  1049480707.204000  1.101000   2.443000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432556: *May 11 00:38:15: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
10      5        0x0400000200004000  1049480707.685000  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   204.184.55.252   us       University of Missouri - dba t  4657     207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>310583: Apr  4 11:25:06: %LINK-5-CHANGED: Interface Async14, changed state to r
11      3        0x0400000200004000  1049480708.256000  1.052000   3.495000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.218.254  us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>432557: *May 11 00:38:16: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
12      2        0x0400000200004000  1049480708.426000  4.036000   4.036000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.203.50   us       University of Missouri - dba t  50654    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Error      local7     <187>186457: Apr  4 11:25:08: %LINK-3-UPDOWN: Interface Async75, changed state to
13      6        0x0400000200004000  1049480708.476000  0.000000   0.000000      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.67.254   us       University of Missouri - dba t  52553    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Notice     local7     <189>73830: *Mar  9 18:05:26: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
14      1        0x0400000200004000  1049480709.386999  5.006999   5.006999      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   150.199.14.10    us       University of Missouri-Columbi  49392    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Error      local7     <187>127488: Apr  4 11:25:08: %LINK-3-UPDOWN: Interface Async44, changed state to
15      2        0x0400000200004000  1049480709.416999  0.990999   5.026999      3        eth:ipv4:udp             00:0b:bf:cb:ec:ca  08:00:20:d2:22:51  0x0800   207.160.203.50   us       University of Missouri - dba t  50654    207.160.133.205  us       University of Missouri - dba t  514      17       0x01        Warning    local7     <188>186458: Apr  4 11:25:08: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/0 (not full duplex), with Houston-AS3.tain.barkingd.abc FastEthernet0/0 (full dupl
...

If you reset SYSL_FSN to 0, severity and facility are printed as numbers instead. This is the default, and it is the better choice for post-processing, since numeric values sort and compare more easily than names.

t2conf syslogDecode --reset && t2build syslogDecode

Run t2 on the pcap again and compare the flow and packet files with the output above.
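To make the two output formats and the aggregation concrete, here is a small decoder, added for this tutorial and not part of the syslogDecode plugin. It parses the PRI field the same way the priority values in the packet file decode (facility * 8 + severity), prints the pair either numerically (SYSL_FSN=0) or by name (SYSL_FSN=1), and aggregates a flow's messages into the syslogSev_Fac_Cnt form. The name tables are the RFC 5424 ones and may differ from the plugin's own strings for facilities the pcap does not contain; the sample messages are constructed to match the second flow of the pcap (two Notice, two Error, two Warning) plus one line without a PRI header to show how malformed input is handled. The most-severe-first ordering of the entries is an assumption that matches the output shown above.

```python
"""Decode syslog PRI values and aggregate them like syslogDecode's syslogSev_Fac_Cnt.
Added example for this tutorial; not code from the Tranalyzer project."""

import re
from collections import Counter

# Severity (0-7) and facility (0-23) names, RFC 5424 tables 1 and 2.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# PRI is one to three digits in angle brackets at the very start of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(msg):
    """Return (facility, severity) for a raw syslog message, or None when the PRI
    header is missing, has a leading zero (RFC 5424 forbids it) or exceeds 191."""
    m = PRI_RE.match(msg)
    if not m:
        return None
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        return None
    pri = int(digits)
    if pri > 191:                      # 23 * 8 + 7 is the largest valid priority
        return None
    return divmod(pri, 8)              # pri = facility * 8 + severity


def sev_fac_cnt(msgs, names=False):
    """Aggregate one flow's messages into (syslogMCnt, syslogSev_Fac_Cnt, skipped).
    names=False mimics SYSL_FSN=0 (numbers), names=True mimics SYSL_FSN=1 (names).
    Messages without a valid PRI are skipped and counted in the third element."""
    counts = Counter()
    skipped = 0
    for msg in msgs:
        decoded = decode_pri(msg)
        if decoded is None:
            skipped += 1
            continue
        fac, sev = decoded
        counts[(sev, fac)] += 1
    entries = []
    for (sev, fac), n in sorted(counts.items()):   # assumption: most severe first
        s, f = (SEVERITY_NAMES[sev], FACILITY_NAMES[fac]) if names else (sev, fac)
        entries.append(f"{s}_{f}_{n}")
    return len(counts), ";".join(entries), skipped


# Constructed sample flow, modelled on the Cisco-style messages in the pcap.
FLOW_MSGS = [
    "<189>186456: Apr  4 11:25:03: %LINK-5-CHANGED: Interface Async75, changed state to reset",
    "<187>186457: Apr  4 11:25:08: %LINK-3-UPDOWN: Interface Async75, changed state to down",
    "<188>186458: Apr  4 11:25:08: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/0",
    "<189>186459: Apr  4 11:25:09: %LINK-5-CHANGED: Interface Async75, changed state to reset",
    "<187>186460: Apr  4 11:25:10: %LINK-3-UPDOWN: Interface Async75, changed state to up",
    "<188>186461: Apr  4 11:25:10: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/0",
    "186462: Apr  4 11:25:11: message without a PRI header",   # malformed on purpose
]

if __name__ == "__main__":
    for names in (False, True):
        mcnt, pairs, skipped = sev_fac_cnt(FLOW_MSGS, names)
        print(f"SYSL_FSN={int(names)}: syslogMCnt={mcnt} syslogSev_Fac_Cnt={pairs} skipped={skipped}")
```

With names enabled the constructed flow yields Error_local7_2;Warning_local7_2;Notice_local7_2, exactly the form of the second flow above; with names disabled the same flow prints as 3_23_2;4_23_2;5_23_2, which is what you will see after resetting SYSL_FSN.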

Conclusion

Have fun analyzing.