Ways Of Monitoring Syslog And NTP Protocols Effectively



Various protocols that commonly appear on networks have features that make them of special interest in security monitoring. For example, Syslog and Network Time Protocol (NTP) are essential to the work of the cybersecurity analyst. In this article, I will be talking about how to use Syslog and NTP protocols effectively.
The Syslog standard is used for logging event messages from network devices and endpoints, as shown in the figure. The standard allows for a system-neutral means of transmitting, storing, and analyzing messages. Many types of devices from many different vendors can use Syslog to send log entries to central servers that run a Syslog daemon. This centralization of log collection helps to make security monitoring practical. Servers that run Syslog typically listen on UDP port 514.


Because Syslog is so important to security monitoring, Syslog servers may be a target for threat actors. Some exploits, such as those involving data exfiltration, can take a long time to complete due to the very slow ways in which data is secretly stolen from the network. Some attackers may try to hide the fact that exfiltration is occurring.

They attack Syslog servers that contain the information that could lead to detection of the exploit. Hackers may attempt to block the tractor of data from Syslog clients to servers, tamper with or destroy log data, or tamper with the software that creates and transmits log messages. The next generation (ng) Syslog implementation, known as Syslog-ng, offers enhancements that can help prevent some of the exploits that target Syslog.

Search the internet for more information about Syslog-ng..
The figure shows a cloud of network devices on the right with two event messages arrow pointing to a compiled logs syslog server. To the right of this server is a security monitoring station that has a viewed arrow also pointing to the server.


Syslog messages are usually timestamped. This allows messages from different sources to be organized by time to provide a view of network communication processes. Because the messages can come from many devices, it is important that the devices share a consistent time clock. One way that this can be achieved is for the devices to use Network Time Protocol (NTP).
NTP uses a hierarchy of authoritative time sources to share time information between devices on the network, as shown in the figure. In this way, device messages that share consistent time information can be submitted to the syslog server. NTP operates on UDP port 123.
Because events that are connected to an exploit can leave traces across every network device on there path to the target system, timestamps are essential for detection. Threat actors may attempt to attack the NTP infrastructure in order to corrupt time information used to correlate logged network events.
This can serve to obfuscate traces of ongoing exploits.
In addition, threat actors have been known to use NTP systems to direct DDoS attacks through vulnerabilities in client or server software. While these attacks do not necessarily result in corrupted security monitoring data, they can disrupt network availability.


The figure shows a cloud with an authoritative time source icon and an arrow pointing to a local n t p server. The server has individual arrows pointing to a firewall, layer 3 switch, layer 2 switch, and router. Each device has a clock icon beside it.


Domain Name Service (DNS) is used by millions of people daily. Because of this, many organizations have less stringent policies in place to protect against DNS-based threats than they have to protect against other types of exploits. Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.
DNS is now used by many types of malware. Some varieties of malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries. Various types of encoding, such as Base64, 8-bit binary, and Hex can be used to camouflage the data and evade basic data loss prevention (DLP) measures.


For example, malware could encode stolen data as the subdomain portion of a DNS lookup for a domain where the nameserver is under control of an attacker. A DNS lookup for ‘long-string-of-exfiltrated-data.example.com’ would be forwarded to the nameserver of example.com, which would record ‘long-string-of-exfiltrated-data’ and reply back to the malware with a coded response.
The exfiltrated data is the encoded text shown in the box. The threat actor collects this encoded data, decodes and combines it, and now has access to an entire data file, such as a username/password database.
It is likely that the subdomain part of such requests would be much longer than usual requests. Cyber analysts can use the distribution of the lengths of subdomains within DNS requests to construct a mathematical model that describes normality.
They can than use this to compare there observations and identify abuse of the DNS query process. For example, it would not be normal to see a host on your network sending a query to aW4gcGxhY2UgdG8gcHJvdGVjdC.example.com.
DNS queries for randomly generated domain names, or extremely long random-appearing subdomains, should be considered suspicious, especially if there occurrence spikes dramatically on the network. DNS proxy logs can be analyzed to detect these conditions. Alternatively, services such as the Cisco Umbrella passive DNS service can be used to block requests to suspected CnC and exploit domains.


The figure shows a computer with a bug on it with an arrow pointing to four separated n s queries all going to example.com. words under the queries: base 64 coded exfiltrated data disguised as subdomains. An arrow goes from the queries to a cloud with a compromised d n s server inside it.


Hypertext Tractor Protocol (HTTP) is the backbone protocol of the World Wide Web. However, all information carried in HTTP is transmitted in plaintext from the source computer to the destination on the internet. HTTP does not protect data from alteration or interception by malicious parties, which is a serious threat to privacy, identity, and information security. All browsing activity should be considered to be at risk.
A common exploit of HTTP is called iFrame (inline frame) injection. Most web-based threats consist of malware scripts that have been planted on webservers. These webservers than direct browsers to infected servers by loading iframes. In iFrame injection, a threat actor compromises a webserver and plants malicious code which creates an invisible iFrame on a commonly visited webpage.
When the iFrame loads, malware is downloaded, frequently from a different URL than the webpage that contains the iFrame code. Network security services, such as Cisco Web Reputation filtering, can detect when a website attempts to send content from an untrusted website to the host, even when sent from an iFrame.
The client p c on the left has a green, purple, and orange line going to a trusted website. The green line has a magnifying glass with the letter I inside it. Words under the lines: Cisco web reputation filtering applies to the requested webpage and all frames. Words under website icon: accessed webpage calls frames from other sites. Three are the same coloured lines leaving the website going to three servers with the words web servers not affiliated with the trusted site may house malicious software.

HTTP iFrame Injection Exploit

To address the alteration or interception of confidential data, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to there websites and services.
HTTPS adds a layer of encryption to the HTTP protocol by using secure socket layer (SSL), as shown in the figure. This makes the HTTP data unreadable as it leaves the source computer until it reaches the server. Note that HTTPS is not a mechanism for web server security. It only secures HTTP protocol traffic while it is in transit.


The figure shows has three major columns with a source client laptop over the left column, h t t p s protocols over the middle column, and a destination server icon over the right column. Each column has five text boxes. Left column: application, highlighted s s l / t l s, transport, network, and data link. In the centre column: h t t p, encryption, t c p, IP, and ethernet. In the final column: application, highlighted s s l / t l s, transport, network, data link.
An arrow goes from the source client through the boxes on the left down to a network media textbox at the bottom. An arrow goes from this same textbox through all the boxes within the right column to the destination server.
Unfortunately, the encrypted HTTPS traffic complicates network security monitoring. Some security devices include SSL decryption and inspection; however, this can present processing and privacy issues. In addition, HTTPS adds complexity to packet captures due to the additional messaging involved in establishing the encrypted connection. This process is summarized in the figure and represents additional overhead on top of HTTP.
A p c on the left has an arrow that goes to a server in the cloud on the right: client browser requests a secure page with https://. An arrow goes from the server to the p c: the web server sends it’s public key with it’s certificate. The next section: client browser ensures that the certificate is unexpired or unrevoked and was issued by a trusted party.

An arrow goes from the client pc to a server in a cloud: the client browser creates a symmetric key and sends it to the server. Next section: web server decrypts the symmetric key using it’s private key. An arrow goes from the cloud server to the p c:web server uses the symmetric key to encrypt the page and sends it to the client. At the bottom: the client browser uses the symmetric key to decrypt the page and display the information to the user.


HTTPS Transactions

Email Protocols

Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread malware, exfiltrate data, or provide channels to malware CnC servers.
SMTP sends data from a host to a mail server and between mail servers. Like DNS and HTTP, it is a common protocol to see leaving the network. Because there is so much SMTP traffic, it is not always monitored.
However, SMTP has been used in the past by malware to exfiltrate data from the network. In the 2014 hack of Sony Pictures, one of the exploits used SMTP to exfiltrate user details from compromised hosts to CnC servers.
This information may have been used to help develop exploits of secured resources within the Sony Pictures network. Security monitoring could reveal this type of traffic based on features of the email message.


IMAP and POP3 are used to download email messages from a mail server to the host computer. For this reason, they are the application protocols that are responsible for bringing malware to the host. Security monitoring can identify when a malware attachment entered the network and which host it first infected. Retrospective analysis can than track the behaviour of the malware from that point forward.


In this way, the malware behaviour can better be understood and the threat identified. Security monitoring tools may also allow recovery of infected file attachments for submission to malware sandboxes for analysis.


The figure shows an infected host on the left and an arrow pointing to two servers in a cloud labelled C n C servers and a threat actor by them. The arrow is labeled s m t p data exfiltration. Another arrow goes from the servers back to the infected host labelled pop 3 /  imap malware infection.

Email Protocol Threats


ICMP has many legitimate uses, however, ICMP functionality has also been used to craft a number of types of exploits. ICMP can be used to identify hosts on a network, the structure of a network, and determine the operating systems at use on the network. It can also be used as a vehicle for various types of DoS attacks.
ICMP can also be used for data exfiltration. Because of the concern that ICMP can be used to surveil or deny service from outside of the network, ICMP traffic from inside the network is sometimes overlooked. However, some varieties of malware use crafted ICMP packets to tractor files from infected hosts to threat actors using this method, which is known as ICMP tunnelling.
Search the internet for a detailed explanation of the well-known LOKI exploit.
Note: This site might be blocked by your institution’s firewall.
A number of tools exist for crafting tunnels. Search the internet for Ping Tunnel to explore one such tool.
CRMNuggets Whatsapp Channel

Leave a Reply

Your email address will not be published. Required fields are marked *