For log analysis, the ELK (Elasticsearch, Logstash, Kibana) stack is a
powerful tool for Zimbra Mail Server logs: you can search the logs and
easily create visually appealing graphics in the Kibana interface.
In this post we will analyze the logs to find out which IP addresses are abusing logins or brute-forcing the Zimbra mail server.
We first assume that if a single IP interacts with at least 5 different accounts, we count it as malicious usage. You should baseline this threshold against your own environment (a NAT gateway or a shared office proxy will legitimately log in to many accounts from one address); otherwise you will get false positives.
Now let's create the pie chart that will show us these IP addresses visually.
Then choose the index that holds your Zimbra logs.
At first the chart shows the total number of log entries as one slice. To divide the pie, click Split Slices, then:
- Choose Terms for the Aggregation
- Choose src_ip for the Field
- In the Size field, enter the number of top IP addresses you want to see
Now we should add a sub-bucket to see how many accounts these IP addresses interact with.
Click Add sub-buckets, click Split Slices, and configure the sub-bucket the same way, this time using the username field.
You should now see a pie chart where the inner slices show the source IP addresses and the outer slices show the usernames each IP address interacted with.
Now let's describe what the pie chart tells us.
If an inner slice spans only one outer slice within a 1 hour or 1 day period, we can safely assume that IP address is not malicious.
But if an inner slice spans 5 or more outer slices, we can conclude there is malicious activity: either a brute force, or one IP address logging in to multiple accounts.
To narrow this down to brute-force attempts, add a filter with the string "invalid credentials" so that only failed logins are counted. An IP that reaches many accounts with successful logins only is more likely a shared gateway than an attacker, which is exactly the false positive the threshold above has to be tuned for.
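The same analysis can be done offline, which is handy for checking the threshold before building the dashboard. The script below is an added example, not code from the original post or from Zimbra: it parses constructed sample log lines (loosely modelled on Zimbra's audit.log format, not real server output), groups auth events by source IP, counts the distinct accounts each IP touched, and applies the "at least 5 accounts" rule both with and without the "invalid credentials" filter. It also builds the Elasticsearch aggregation body equivalent to the pie chart; the field names `src_ip`, `user.keyword` and `message` are assumptions about the Logstash mapping and must be adjusted to yours.

```python
"""Offline equivalent of the Kibana pie chart: distinct accounts per source IP.

Added example, not part of the original post. Sample lines are CONSTRUCTED and
loosely modelled on Zimbra audit.log; the real layout depends on your Zimbra
version and your Logstash grok pattern.
"""
import re
from collections import defaultdict

# Constructed sample, not real Zimbra output. Three actors:
#  203.0.113.7   fails against 6 different accounts  -> password spray / brute force
#  198.51.100.20 succeeds for 5 accounts, no failures -> shared gateway (false positive)
#  192.0.2.9     fails 3 times against one account    -> below the distinct-account rule
SAMPLE_LOG = """\
2024-05-01 09:00:01,101 INFO  [ImapServer-7] [ip=203.0.113.7;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid credentials;
2024-05-01 09:00:02,104 INFO  [ImapServer-7] [ip=203.0.113.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid credentials;
2024-05-01 09:00:03,110 INFO  [ImapServer-7] [ip=203.0.113.7;] security - cmd=Auth; account=carol@example.com; protocol=imap; error=authentication failed for [carol@example.com], invalid credentials;
2024-05-01 09:00:04,115 INFO  [ImapServer-7] [ip=203.0.113.7;] security - cmd=Auth; account=dave@example.com; protocol=imap; error=authentication failed for [dave@example.com], invalid credentials;
2024-05-01 09:00:05,120 INFO  [ImapServer-7] [ip=203.0.113.7;] security - cmd=Auth; account=erin@example.com; protocol=imap; error=authentication failed for [erin@example.com], invalid credentials;
2024-05-01 09:00:06,125 INFO  [ImapServer-7] [ip=203.0.113.7;] security - cmd=Auth; account=frank@example.com; protocol=imap; error=authentication failed for [frank@example.com], invalid credentials;
2024-05-01 09:01:00,200 INFO  [ImapServer-8] [ip=198.51.100.20;] security - cmd=Auth; account=alice@example.com; protocol=imap;
2024-05-01 09:01:01,201 INFO  [ImapServer-8] [ip=198.51.100.20;] security - cmd=Auth; account=bob@example.com; protocol=imap;
2024-05-01 09:01:02,202 INFO  [ImapServer-8] [ip=198.51.100.20;] security - cmd=Auth; account=carol@example.com; protocol=imap;
2024-05-01 09:01:03,203 INFO  [ImapServer-8] [ip=198.51.100.20;] security - cmd=Auth; account=dave@example.com; protocol=imap;
2024-05-01 09:01:04,204 INFO  [ImapServer-8] [ip=198.51.100.20;] security - cmd=Auth; account=erin@example.com; protocol=imap;
2024-05-01 09:02:00,300 INFO  [ImapServer-9] [ip=192.0.2.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid credentials;
2024-05-01 09:02:01,301 INFO  [ImapServer-9] [ip=192.0.2.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid credentials;
2024-05-01 09:02:02,302 INFO  [ImapServer-9] [ip=192.0.2.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid credentials;
2024-05-01 09:02:03,303 INFO  [ImapServer-9] [ip=192.0.2.9;] security - cmd=Auth; account=alice@example.com; protocol=imap;
"""

# Pulls the client IP and the account from one Auth line of the constructed format.
AUTH_RE = re.compile(r"\[ip=(?P<ip>[0-9a-fA-F.:]+);\].*?cmd=Auth; account=(?P<account>[^;]+);")
FAILURE_MARKER = "invalid credentials"   # the filter string the post recommends


def parse_events(text):
    """Return one dict per Auth line: {'ip', 'account', 'failed'}."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        events.append({"ip": m["ip"],
                       "account": m["account"].strip().lower(),
                       "failed": FAILURE_MARKER in line})
    return events


def accounts_per_ip(events, failed_only=False):
    """Map each source IP to the set of distinct accounts it touched (inner -> outer slices)."""
    per_ip = defaultdict(set)
    for ev in events:
        if failed_only and not ev["failed"]:
            continue
        per_ip[ev["ip"]].add(ev["account"])
    return per_ip


def flag_ips(events, threshold=5, failed_only=False):
    """Return {ip: distinct_account_count} for IPs at or above the threshold, highest first."""
    counts = {ip: len(accs) for ip, accs in accounts_per_ip(events, failed_only).items()}
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: kv[1], reverse=True))


def es_aggregation_body(size=20, failed_only=True):
    """Elasticsearch request body equivalent to the pie chart: terms on src_ip with a
    cardinality sub-aggregation on the user. Field names are ASSUMED Logstash mappings."""
    body = {"size": 0,
            "aggs": {"by_ip": {"terms": {"field": "src_ip", "size": size},
                               "aggs": {"accounts": {"cardinality": {"field": "user.keyword"}}}}}}
    if failed_only:
        body["query"] = {"match_phrase": {"message": FAILURE_MARKER}}
    return body


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("all logins   :", flag_ips(evs))
    print("failures only:", flag_ips(evs, failed_only=True))
```

Without the failure filter both 203.0.113.7 and the shared gateway 198.51.100.20 cross the 5-account threshold; with it only the spraying IP remains, which is why the "invalid credentials" filter belongs on the brute-force chart. Note that 192.0.2.9 hammering a single account never trips the distinct-account rule, so a second chart (or a second aggregation) on failure count per IP is needed to catch classic single-account brute force.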