SecureState Blog

Read SecureState's award winning blog.

Logically Organizing FTP Logs

Begin Blog:  10:54am EST

I cannot remember the last time I actually reviewed FTP logs…. The layout of the ISS FTP log format (W3C) is well documented, but that was not the issue today. We are reviewing about two months’ worth of logs to try to organize and understand what happened, which was not intuitive at first. Here are my notes on how I went about parsing and presenting these logs:

The FTP Session Identifier

Each unique FTP session has a session identifier within the logs, annotated within the cs-method field within square brackets. For example, the below would show three unique sessions within a particular log:  860, 861, and 862. Ok, this is not particularly hard to figure out, every new FTP session increments the session identifier and the more session identifiers there are for a session, the more stuff was done:

05:05:00 63.97.221.43 [860]USER seahorse 331 0

05:05:00 63.97.221.43 [860]PASS – 230 0

05:05:00 63.97.221.43 [860]CWD W3SVC998877654 250 0

05:05:00 63.97.221.43 [860]QUIT – 226 0

05:07:00 63.97.221.43 [861]USER seahorse 331 0

05:07:00 63.97.221.43 [861]PASS – 230 0

05:07:00 63.97.221.43 [861]CWD W3SVC9988776545 250 0

05:07:03 63.97.221.43 [861]QUIT – 226 0

05:09:03 63.97.221.43 [862]USER seahorse 331 0

05:09:03 63.97.221.43 [862]PASS – 230 0

05:09:03 63.97.221.43 [862]CWD W3SVC998877654 250 0

05:09:03 63.97.221.43 [862]QUIT – 226 0

 

Group by Session and Then by FTP Method:

Next, parse out each unique FTP session. There are so many ways to accomplish this; I simply pulled out and sorted each session identifier and ran this through a bash script to extract each FTP session into its own directory – think of a while loop that takes session identifiers as input and for each unique value, dumps those entries into separate file and directory structures.

You can get as creative as you want when parsing. For example, my naming convention for each unique sessions was as follows: “SESSION COUNT-SESSION NUMBER-METHODS.LOG”. I chose this naming so I could quickly see which sessions were the heavy hitters and which had methods (user actions) that interested me:

“995-2661-sent.LOG”

“1625-2112-sent-dele.LOG”

“2341-2663-sent-dele.LOG”

“6757-2387-dele-created.LOG”

“7636-2113-sent-created.LOG”

 

Incorporate FTP Actions Into SIFT-Like Timeline

Now let’s take our output and integrate this into a worksheet that is color organized by user-action (the FTP method) and by session. This will give the analyst an idea, at a glance, of which sessions involved creation of files, or deletion of files, etc.

Can you kind of see what happened?

FTP actions into SIFT-Like Timeline

Conclusion:

End Blog:  10:59AM EST:  Time elapsed, 5 minutes.