Tracking Users Through Logs and Network Activity

Tenable's research group has released a TASL correlation script for the Log Correlation Engine (LCE) that automatically associates learned user accounts with IP addresses. This enables historical tracking of users in organizations that do not have centralized authentication and access control such as university environments or campus-wide networks.

The script is named "New Network User" (new_nw_usr.tasl). It accepts normalized logs from several dozen different authentication log sources, extracts the user name and originating IP address and then creates a log if the user identity is new, or if an existing "user to IP address" relationship has changed.

Current supported log sources include:

• Windows system and active directory logins
• UNIX SSH logins
• RADIUS Authentications
• Application logs for authenticated email (POP, IMAP, .etc)
• Application logs for a variety of FTP servers
• Passively sniffed gmail, MySpace and other web applications
• Passively sniffed chat and IM login processes

Logs from the Passive Vulnerability Scanner (PVS) which generate user name or identity information are unique in that this information is passively determined. Unlike the other applications supported by this script which send logs of authentication users accessing a domain or checking email, the PVS obtains this information through protocol analysis. We've  previously blogged about this capability in the PVS.

Tracking "New User" Identities

From this TASL script's point of view, a new user is any recognized account that hasn't been previously tracked. For example, the first time a network user connects to their Gmail account, the PVS will recognize this and send a syslog message to the LCE. This TASL scipt will extract the user name from the PVS syslog message and then will generate a new log such as this one shown below:

New Network User - user [email protected] has logged on from IP address 192.168.56.254

The script looks at many different types of "identities" that can be passively obtained or extracted from log files. A given user might likely have different names and identities for their public email, domain and chat accounts. An identity might be a full email address (such as [email protected]) or if the log or traffic came from an authenticated email it might be just an account name like 'bsmith'.

Tracking When Users Move Around

As these logs occur, the script builds a table of user accounts and the IP address they have originated from. If this pairing ever changes, a new log is generated which looks like this:

Network user IP address change, user [email protected] IP address has changed from 192.168.56.254 to 192.168.159.71

Users can get new IP addresses for many different reasons including DHCP lease expirations, moving around a campus network or even obtaining a new computer.

In environments where centralized authentication (like RADIUS or LDAP) or network access control (NAC) isn't implemented, the ability to passively associate user names with the PVS to an IP address can be very useful for incident response and compliance monitoring.

Once these logs are stored in the LCE, trying to find out which users had access to certain IP addresses or networks at any given time is something that can be queried for.

If one wanted to find out which network users originated from IP address 192.168.20.67 on April 10, 2007, they would perform a query for the "New_Network_User" and "Network_User_IP_change" events on such a day.

Below is an obscured screen shot of these logs from a university environment. The main source of the user identities has come from the PVS's ability to track unique Gmail accounts.

This information can also be saved as a spread sheet.

Installing the new Script

Log Correlation Engine customers should download the new_nw_usr.tasl script from the TASL homepage to their /usr/thunder/daemons/plugins directory. They should also download an updated lce_tasl.prm and tenable_pvs.prm libraries to the same directory and then restart the thunderd process.

These following UNIX command lines can be used to obtain and restart the LCE and should be run as user 'thunder'.

cd /usr/thunder/daemons/plugins
rm ./lce_tasl.prm
wget http://www.tenablesecurity.com/lce_tasl.prm
rm ./tenable_pvs.prm
wget http://www.tenablesecurity.com/tenable_pvs.prm
wget http://cgi.tenablesecurity.com/tasl/new_nw_usr.tasl
/etc/rc.d/init.d/thunder restart

Other Types of User Tracking with the LCE

If this sort of user tracking is of interest to you, several other LCE TASL scripts should be considered:

• invalid_user_logon.tasl -- Automatically learns a list of invalid or deleted logins and then alerts if those accounts are used again in the future.
• new_user.tasl -- Automatically tracks all SSH, Windows and other application logins to build up a list of unique valid user accounts for each logged server and alerts when a new user account is used.
• user_to_mac.tasl -- Tracks authentication logs along with DHCP logs to build automatic match es between user names to Ethernet addresses. Generates an alert when a user has a new Ethernet address. Previously blogged about here.

For More Information

To learn more about TASL scripting, please consider the TASL documentation as well as the example TASL scripts. Tenable also offers a free webinar about Network Based Anomaly Detection which uses TASL scripting to process netflow and sniffed network sessions to look for leapfrog attacks, network backdoors and other types of host and crowd behaviors.