Cross Match
Copyright(c) Management Analytics, 1995 - All Rights Reserved
Here are some examples of a run of CrossMatch that helped track down
attackers in the recent incident at all.net:
====================================================
Tracer Starting Engines on all.net by fc.
Sun Mar 17 21:57:23 EST 1996
The system type is SunOS Unix
Copyright (c), 1985-6 Management Analytics
All Rights Reserved
====================================================
======>> Start:Crossmatching audit files.
In the following analysis, organizational policy dictates how to respond
to the indicated items. Refer to your standards and procedures manuals for
details on proper response, or contact your incident response team for detailed
analysis of these indications.
Reformatting /var/log/syslog to standard.
Reformatting /u/www/log to standard.
Reformatting /u/www/gopher/log to standard.
Sorting combined logfile
Analyzing combined and sorted log file
Total records = 16585 ignored 15523 and used 1062 (6.40337654507085%)
<<=== End:Done crossmatching audit files.
Here's a simple example of multiple attempted telnets:
*** Host 192.187.128.141 has exceeded detection threshold: host total = 7
*192.187.128.141 unknown 1996/03/13 15:21:26 in.telnetd 25481 all refused connect from 192.187.128.141
*192.187.128.141 unknown 1996/03/13 15:21:33 in.telnetd 25506 all refused connect from 192.187.128.141
*192.187.128.141 unknown 1996/03/13 15:21:58 in.telnetd 25576 all refused connect from 192.187.128.141
*192.187.128.141 unknown 1996/03/13 15:22:16 in.telnetd 25624 all refused connect from 192.187.128.141
*192.187.128.141 unknown 1996/03/13 15:22:39 in.telnetd 25706 all refused connect from 192.187.128.141
*192.187.128.141 unknown 1996/03/13 15:25:59 in.telnetd 26249 all refused connect from 192.187.128.141
*192.187.128.141 unknown 1996/03/13 15:26:04 in.telnetd 26272 all refused connect from 192.187.128.141
Here's a more complicated example where the user telnetted
twice, read that this access was not authorized, looked at our Web
pages, and then tried to telnet again. Only the items marked with a "*"
indicate potentially malicious behavior, but Cross Match combines
the audit trails together to give the whole picture of what happened.
*** Host 129.252.29.98 has exceeded detection threshold: host total = 5
*129.252.29.98 unknown 1996/03/17 10:39:25 in.telnetd 17439 all twist 129.252.29.98 to (/bin/cat /etc/telmess)&
*129.252.29.98 unknown 1996/03/17 10:39:35 in.telnetd 17451 all twist 129.252.29.98 to (/bin/cat /etc/telmess)&
129.252.29.98 unknown 1996/03/17 10:43:12 in.thttpd 17735 all twist 129.252.29.98 to /usr/etc/in.thttpd 129.252.29.98 unknown
129.252.29.98 unknown 1996/03/17 10:43:12 thttpd 17735 all cat /index.html
129.252.29.98 unknown 1996/03/17 10:43:15 in.thttpd 17737 all twist 129.252.29.98 to /usr/etc/in.thttpd 129.252.29.98 unknown
129.252.29.98 unknown 1996/03/17 10:43:15 thttpd 17737 all cat /allnet.gif
*129.252.29.98 unknown 1996/03/17 10:43:30 in.telnetd 17752 all twist 129.252.29.98 to (/bin/cat /etc/telmess)&
*129.252.29.98 unknown 1996/03/17 10:43:45 in.telnetd 17779 all twist 129.252.29.98 to (/bin/cat /etc/telmess)&
*129.252.29.98 unknown 1996/03/17 10:44:00 in.telnetd 17805 all twist 129.252.29.98 to (/bin/cat /etc/telmess)&
Here's an example of a coordinated attack from multiple hosts. Even though no
single host exceeded the detection threshold, the network as a whole was detected
as trying to enter. On a busy site, even a really good systems administrator has
a lot of trouble picking this sort of thing up.
*** Network crl.com has exceeded detection threshold: net total = 15
*crl.com unknown 1996/03/14 17:44:37 in.telnetd 28248 all twist crl.com to (/bin/cat /etc/telmessage)&
*crl10.crl.com unknown 1996/03/14 17:44:46 in.telnetd 28298 all twist crl10.crl.com to (/bin/cat /etc/telmessage)&
*crl11.crl.com unknown 1996/03/14 17:44:46 in.telnetd 28304 all twist crl11.crl.com to (/bin/cat /etc/telmessage)&
*crl11.crl.com unknown 1996/03/16 17:36:20 in.telnetd 10025 all twist crl11.crl.com to (/bin/cat /etc/telmess)&
crl11.crl.com unknown 1996/03/16 17:36:55 in.thttpd 10118 all twist crl11.crl.com to /usr/etc/in.thttpd crl11.crl.com unknown
crl11.crl.com unknown 1996/03/16 17:36:56 thttpd 10118 all cat /index.html
crl11.crl.com unknown 1996/03/16 17:37:13 in.thttpd 10161 all twist crl11.crl.com to /usr/etc/in.thttpd crl11.crl.com unknown
crl11.crl.com unknown 1996/03/16 17:37:13 thttpd 10161 all cat /journal/netsec/9604.html
crl11.crl.com unknown 1996/03/16 17:37:24 in.thttpd 10190 all twist crl11.crl.com to /usr/etc/in.thttpd crl11.crl.com unknown
crl11.crl.com unknown 1996/03/16 17:37:24 thttpd 10190 all cat /journal/netsec/audits/background.html
crl11.crl.com unknown 1996/03/16 17:38:38 in.thttpd 10332 all twist crl11.crl.com to /usr/etc/in.thttpd crl11.crl.com unknown
crl11.crl.com unknown 1996/03/16 17:38:41 thttpd 10332 all cat /journal/netsec/audits/morning.html
*crl12.crl.com unknown 1996/03/14 17:44:49 in.telnetd 28310 all twist crl12.crl.com to (/bin/cat /etc/telmessage)&
*crl2.crl.com unknown 1996/03/14 17:44:37 in.telnetd 28249 all twist crl2.crl.com to (/bin/cat /etc/telmessage)&
*crl13.crl.com unknown 1996/03/14 17:44:50 in.telnetd 28321 all twist crl13.crl.com to (/bin/cat /etc/telmessage)&
*crl3.crl.com unknown 1996/03/14 17:44:39 in.telnetd 28250 all twist crl3.crl.com to (/bin/cat /etc/telmessage)&
*crl14.crl.com unknown 1996/03/14 17:44:52 in.telnetd 28322 all twist crl14.crl.com to (/bin/cat /etc/telmessage)&
*crl4.crl.com unknown 1996/03/14 17:44:40 in.telnetd 28259 all twist crl4.crl.com to (/bin/cat /etc/telmessage)&
crl4.crl.com unknown 1996/03/16 18:19:24 in.thttpd 13104 all twist crl4.crl.com to /usr/etc/in.thttpd crl4.crl.com unknown
...
crl4.crl.com unknown 1996/03/16 18:43:11 in.thttpd 14769 all twist crl4.crl.com to /usr/etc/in.thttpd crl4.crl.com unknown
crl4.crl.com unknown 1996/03/16 18:43:11 thttpd 14769 all cat /heaven.html
*crl5.crl.com unknown 1996/03/14 17:44:41 in.telnetd 28269 all twist crl5.crl.com to (/bin/cat /etc/telmessage)&
*crl6.crl.com unknown 1996/03/14 17:44:41 in.telnetd 28271 all twist crl6.crl.com to (/bin/cat /etc/telmessage)&
*crl7.crl.com unknown 1996/03/14 17:44:43 in.telnetd 28275 all twist crl7.crl.com to (/bin/cat /etc/telmessage)&
*crl8.crl.com unknown 1996/03/14 17:44:44 in.telnetd 28285 all twist crl8.crl.com to (/bin/cat /etc/telmessage)&
*crl9.crl.com unknown 1996/03/14 17:44:45 in.telnetd 28291 all twist crl9.crl.com to (/bin/cat /etc/telmessage)&
mail.crl.com unknown 1996/03/14 20:22:06 sendmail 10052 all connect from mail.crl.com
mail.crl.com unknown 1996/03/14 22:14:32 sendmail 17133 all connect from mail.crl.com
mail.crl.com unknown 1996/03/14 23:19:54 sendmail 20935 all connect from mail.crl.com
mail.crl.com unknown 1996/03/15 00:24:53 sendmail 24818 all connect from mail.crl.com
mail.crl.com unknown 1996/03/16 23:39:40 sendmail 5058 all connect from mail.crl.com
Here's an even less obvious attack. This is an example of
detecting a port scan of a system that takes place under the cover of
Web access. Because Cross Match gathers audit trails from diverse sources, it
also picks up the fact that this user started out by doing a "finger"
that clearly states that there are no user accounts on this system.
This establishes proof of notice, followed by multiple attempts at entry
using different possible entry points.
*** Host pentell.hip.berkeley.edu has exceeded detection threshold: host total = 4
pentell.hip.berkeley.edu unknown 1996/03/14 19:00:48 in.fingerd 3571 all connect from pentell.HIP.Berkeley.EDU
pentell.hip.berkeley.edu unknown 1996/03/14 19:01:43 in.thttpd 3620 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
pentell.hip.berkeley.edu unknown 1996/03/14 19:01:43 thttpd 3620 all cat /index.html
pentell.hip.berkeley.edu unknown 1996/03/14 19:01:49 in.thttpd 3638 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
...
pentell.hip.berkeley.edu unknown 1996/03/14 19:06:14 thttpd 3967 all cat /tests/top.html
*pentell.hip.berkeley.edu unknown 1996/03/14 19:07:11 in.ftpd 4067 all refused connect from pentell.HIP.Berkeley.EDU
*pentell.hip.berkeley.edu unknown 1996/03/14 19:07:24 in.readonly 4088 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.readonly pentell.HIP.Berkeley.EDU unknown
pentell.hip.berkeley.edu unknown 1996/03/14 19:07:26 thttpd 4088 all ls
*pentell.hip.berkeley.edu unknown 1996/03/14 19:07:49 in.telnetd 4125 all twist pentell.HIP.Berkeley.EDU to (/bin/cat /etc/telmessage)&
pentell.hip.berkeley.edu unknown 1996/03/14 19:08:18 in.identd 4170 all connect from pentell.HIP.Berkeley.EDU
pentell.hip.berkeley.edu unknown 1996/03/14 19:08:26 in.identd 4190 all connect from pentell.HIP.Berkeley.EDU
pentell.hip.berkeley.edu unknown 1996/03/14 19:16:06 sendmail 4657 all connect from pentell.HIP.Berkeley.EDU
pentell.hip.berkeley.edu unknown 1996/03/14 19:16:42 sendmail 4699 all connect from pentell.HIP.Berkeley.EDU
*pentell.hip.berkeley.edu unknown 1996/03/14 19:18:41 in.rlogind 4811 all refused connect from pentell.HIP.Berkeley.EDU
pentell.hip.berkeley.edu unknown 1996/03/14 19:18:44 in.identd 4829 all connect from pentell.HIP.Berkeley.EDU
pentell.hip.berkeley.edu unknown 1996/03/14 19:18:51 in.identd 4839 all connect from pentell.HIP.Berkeley.EDU
And finally, it finds a coordinated attack from a whole series of sites in the
same network where, individually, none of these attempts would trigger a detection.
*** Network net.berkeley.edu has exceeded detection threshold: net total = 67
grendel-230.berkeley.edu unknown 1996/03/15 22:19:02 in.thttpd 22603 all twist grendel-230.Berkeley.EDU to /usr/etc/in.thttpd grendel-230.Berkeley.EDU unknown
grendel-230.berkeley.edu unknown 1996/03/15 22:19:02 thttpd 22603 all cat /index.html
grendel-230.berkeley.edu unknown 1996/03/15 22:19:05 in.thttpd 22615 all twist grendel-230.Berkeley.EDU to /usr/etc/in.thttpd grendel-230.Berkeley.EDU unknown
grendel-230.berkeley.edu unknown 1996/03/15 22:19:05 thttpd 22615 all cat /allnet.gif
...
beer.csua.berkeley.edu unknown 1996/03/14 14:27:21 in.thttpd 15041 all twist beer.CSUA.Berkeley.EDU to /usr/etc/in.thttpd beer.CSUA.Berkeley.EDU unknown
beer.csua.berkeley.edu unknown 1996/03/14 14:27:22 thttpd 15041 all cat /admin/downtime.html
*scam.xcf.berkeley.edu unknown 1996/03/13 21:57:55 in.telnetd 5023 all refused connect from scam.XCF.Berkeley.EDU
scam.xcf.berkeley.edu unknown 1996/03/13 22:10:48 sendmail 6088 all connect from scam.XCF.Berkeley.EDU
scam.xcf.berkeley.edu unknown 1996/03/14 01:38:59 in.thttpd 21103 all twist scam.XCF.Berkeley.EDU to /usr/etc/in.thttpd scam.XCF.Berkeley.EDU unknown
scam.xcf.berkeley.edu unknown 1996/03/14 01:38:59 thttpd 21103 all cat /index.html
*othello.sph.berkeley.edu unknown 1996/03/13 16:34:02 in.telnetd 4881 all refused connect from othello.SPH.Berkeley.EDU
ack.berkeley.edu unknown 1996/03/15 23:41:40 sendmail 28219 all connect from ack.Berkeley.EDU
...
ack.berkeley.edu unknown 1996/03/17 15:39:15 sendmail 6707 all connect from ack.Berkeley.EDU
ack.berkeley.edu unknown 1996/03/17 16:00:02 sendmail 8009 all connect from ack.Berkeley.EDU
*fhe35.reshall.berkeley.edu unknown 1996/03/14 02:23:11 in.telnetd 24265 all refused connect from fhe35.ResHall.Berkeley.EDU
*fhe35.reshall.berkeley.edu unknown 1996/03/14 02:23:38 in.telnetd 24316 all refused connect from fhe35.ResHall.Berkeley.EDU
*monsoon.berkeley.edu ahm 1996/03/14 18:25:25 in.telnetd 1162 all twist ahm@monsoon.Berkeley.EDU to (/bin/cat /etc/telmessage)&
monsoon.berkeley.edu unknown 1996/03/14 18:25:55 in.identd 1205 all connect from monsoon.Berkeley.EDU
jcraig.hip.berkeley.edu unknown 1996/03/14 22:00:52 in.thttpd 16361 all twist jcraig.HIP.Berkeley.EDU to /usr/etc/in.thttpd jcraig.HIP.Berkeley.EDU unknown
...
jcraig.hip.berkeley.edu unknown 1996/03/14 22:01:32 thttpd 16404 all cat /journal/netsec/9604.html
*sushi.hip.berkeley.edu unknown 1996/03/15 20:50:36 in.telnetd 16627 all twist sushi.HIP.Berkeley.EDU to (/bin/cat /etc/telmess)&
sushi.hip.berkeley.edu unknown 1996/03/15 20:52:06 sendmail 16726 all connect from sushi.HIP.Berkeley.EDU
broken.hip.berkeley.edu unknown 1996/03/13 22:02:15 in.thttpd 5353 all twist broken.HIP.Berkeley.EDU to /usr/etc/in.thttpd broken.HIP.Berkeley.EDU unknown
broken.hip.berkeley.edu unknown 1996/03/13 22:02:16 thttpd 5353 all cat /index.html
...
barnos.hip.berkeley.edu unknown 1996/03/14 20:01:14 in.thttpd 8569 all twist barnos.HIP.Berkeley.EDU to /usr/etc/in.thttpd barnos.HIP.Berkeley.EDU unknown
barnos.hip.berkeley.edu unknown 1996/03/14 20:02:56 thttpd 8569 all cat /journal/netsec/9604.html
*gwythaint.hip.berkeley.edu unknown 1996/03/14 13:07:14 in.telnetd 9796 all twist gwythaint.HIP.Berkeley.EDU to (/bin/cat /etc/telmessage)&
gwythaint.hip.berkeley.edu unknown 1996/03/14 13:08:17 in.identd 9877 all connect from gwythaint.HIP.Berkeley.EDU
haas.berkeley.edu unknown 1996/03/13 19:23:03 in.identd 20900 all connect from haas.Berkeley.EDU
...
In this case, Cross Match examined over 16,000 records generated by
about 15 different programs in 6 minutes, found the 1,062 records of
interest, cross-correlated events by host and by network, and produced
detailed reports of noteworthy attempts. Doing this by hand would not
only take a very long time, but it probably wouldn't even detect many
of the things Cross Match finds.
Total records = 16585 ignored 15523 and used 1062 (6.40337654507085%)
====================================================
Tracer done - Sun Mar 17 22:03:22 EST 1996
====================================================
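As an added illustration (not Cross Match's own code, which this page does not show), here is a small Python cross-matcher over records in the normalized format the run above prints: host, user, date, time, program, pid, class, message. The rule for which records count, the per-host and per-network thresholds, the network grouping, and the sample records are all assumptions; the constructed sample reproduces the page's coordinated-attack case, where no single host reaches its own threshold but the domain as a whole does.

```python
from collections import defaultdict

# Assumptions (the page shows the report, not CrossMatch's rules or settings): contact with
# any of these services, or any refused connection, counts as an entry attempt.
LOGIN_SERVICES = {"in.telnetd", "in.ftpd", "in.rlogind", "in.rshd", "in.readonly"}
HOST_THRESHOLD = 4   # assumed; a host is reported once its count reaches this
NET_THRESHOLD = 10   # assumed; same for a whole network

def parse_record(line):
    """Split a normalized record: host user date time program pid class message."""
    host, user, date, time, prog, pid, cls, msg = line.split(None, 7)
    return {"host": host, "user": user, "when": date + " " + time,
            "prog": prog, "pid": int(pid), "class": cls, "msg": msg}

def is_suspicious(rec):
    """True for the records a report would star: refused or login-service contact."""
    return rec["msg"].startswith("refused connect") or rec["prog"] in LOGIN_SERVICES

def network_of(host):
    """Group hosts by network: /24 for dotted quads, last two labels for names."""
    if host.replace(".", "").isdigit():
        return host.rsplit(".", 1)[0] + ".0/24"
    return ".".join(host.lower().split(".")[-2:])

def crossmatch(lines):
    """Sort the combined log, group by host and network, return groups at/over threshold."""
    recs = sorted((parse_record(l) for l in lines if l.strip()), key=lambda r: r["when"])
    by_host, by_net = defaultdict(list), defaultdict(list)
    for r in recs:
        by_host[r["host"]].append(r)
        by_net[network_of(r["host"])].append(r)
    def flagged(groups, threshold):  # keep every record of a flagged group, in time order
        return {k: v for k, v in groups.items()
                if sum(is_suspicious(r) for r in v) >= threshold}
    return {"hosts": flagged(by_host, HOST_THRESHOLD), "nets": flagged(by_net, NET_THRESHOLD)}

# Constructed sample (not from the page): four hosts in one domain each make three
# refused telnet attempts; no host reaches HOST_THRESHOLD, but the domain reaches NET_THRESHOLD.
SAMPLE = [f"h{n}.example.net unknown 1996/03/14 17:44:{40 + 3*n + k:02d} in.telnetd "
          f"{28000 + 10*n + k} all refused connect from h{n}.example.net"
          for n in range(4) for k in range(3)]
SAMPLE += ["h1.example.net unknown 1996/03/14 17:45:10 thttpd 28100 all cat /index.html",
           "mail.other.org unknown 1996/03/14 18:00:00 sendmail 29000 all connect from mail.other.org"]

if __name__ == "__main__":
    report = crossmatch(SAMPLE)
    for net, recs in report["nets"].items():
        print(f"*** Network {net} has exceeded detection threshold: net total = {sum(map(is_suspicious, recs))}")
        for r in recs:  # '*' marks the records that counted, as in the page's report
            print(("*" if is_suspicious(r) else " ") + f"{r['host']} {r['when']} {r['prog']} {r['msg']}")
```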