Hello, I am Moto Kawasaki and I would like to write about my trip to Yangon, Myanmar from March 8th through 13th, 2015.
Koichiro "Sparky" Komiyama and I went there to conduct Apache Log Analysis training and "CSIRT in a Box" training for mmCERT/CC, the Myanmar Computer Emergency Response Team / Coordination Center. This was the 5th time since 2011 that JPCERT/CC has visited mmCERT/CC for technical training.
We had a total of 10 trainees from mmCERT/CC, academia and the government. They were all experts in the computer and network field in general, but each of them had their own respective specialties.
Apache Log Analysis Training
Apache Log Analysis is a relatively recently developed training course at JPCERT/CC that demonstrates how to identify traces of attacks (such as XSS and SQL injection) in haystacks of Apache combined-format logs.
While working on the assignment, the trainees were asked to use only good old UNIX commands such as "grep" and "awk", since UNIX command line tools are, in our view, the best of the many free and widely available tools for this kind of task. To build a basic understanding of log analysis, they were also asked to get a feel for what such traces look like in the log and to write regular expressions that match them.
I know some other powerful tools like Scalp, LORG or real-time log monitoring with swatch are also available for this task, but this training provides a fundamental skill set for security analysts as a cornerstone.
It seemed that some of the trainees spent tough hours at this training because they were not very familiar with command line tools or even UNIX-like OS. But to my happy surprise, they managed to catch up with my quick and rough cheat guides on the white board, which described the names and functionality of a minimum set of useful UNIX commands. I was quite impressed that they were extremely fast in familiarizing themselves with something new to them.
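The following is an added example, not material from the original post or from the JPCERT/CC course: the grep/awk approach described above applied to a constructed Apache combined log. The sample log lines, the regular expressions and the function names (find_xss, find_sqli, count_per_ip) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a constructed Apache combined
# log plus the kind of grep/awk one-liners the training builds up to, pulling
# out requests that carry traces of XSS or SQL injection.

# Constructed sample log in Apache "combined" format (not real traffic):
# host ident user [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2015:09:12:01 +0630] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:09:12:07 +0630] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:09:13:44 +0630] "GET /item?id=1'%20OR%20'1'='1 HTTP/1.1" 500 233 "-" "curl/7.38.0"
198.51.100.7 - - [10/Mar/2015:09:13:50 +0630] "GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 233 "-" "curl/7.38.0"
192.0.2.9 - - [10/Mar/2015:09:15:02 +0630] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
EOF

# Hand-written extended regexes. They match the URL-encoded forms (%3C, %27,
# %20) as well as literal ones, because hostile requests usually arrive encoded.
XSS_RE='(<|%3C)script|javascript:|onerror='
SP='(%20|\+|[[:space:]])'
SQLI_RE="(%27|')${SP}*(or|and)${SP}|union${SP}+select|sleep\(|benchmark\("

# In a combined-log line, awk field 1 is the client IP and field 7 the request
# path; print both for every line the pattern hits.
find_xss() {
    grep -i -E "$XSS_RE" "$1" | awk '{print $1, $7}'
}

find_sqli() {
    grep -i -E "$SQLI_RE" "$1" | awk '{print $1, $7}'
}

# Tally suspicious requests per client IP, most active first: the usual next
# step after matching, narrowing the haystack down to a few hosts to examine.
count_per_ip() {
    grep -i -E "$XSS_RE|$SQLI_RE" "$1" | awk '{c[$1]++} END {for (ip in c) print c[ip], ip}' | sort -rn
}

find_xss "$SAMPLE_LOG"
find_sqli "$SAMPLE_LOG"
count_per_ip "$SAMPLE_LOG"
```

These patterns are deliberately short teaching patterns; a real analysis iterates on them against the false positives and misses they produce on the log at hand.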
CSIRT in a Box Training
"CSIRT in a Box" is a small set of systems designed mainly for newly-established CSIRTs to gather and store as much security information as possible, analyse it by narrowing and graphing, extract indicators and attribution, and automate ticketing to handle such cases.
The current implementation of CSIRT in a Box is built on IFAS by HKCERT, which gathers information from different sources and stores and analyses it; we just need to fill in the missing part: the ticketing system.
I'd like to express my appreciation for HKCERT's kind assistance in using IFAS as a part of CSIRT in a Box. It is a great system for this purpose, but please don't forget to apply my patch ;-)
IFAS has three major functions, "Log Search", "Reporter" and "Dashboard", and I went through each of them by explaining it and giving some exercises.
With Log Search we can search for log entries that match a given condition, such as a date and time or the country in which the IP address is located. Reporter counts the number of log entries that match given criteria during a specified time period.
Dashboard draws many graphs from the results of Reporter. The trainees in general seemed happier with the IFAS GUI than with the previous session, which made me happy, even though I like the CUI much more.
One of the trainees surprised me during the Reporter exercise by creating a Reporter to count how many phishing sites existed in the log entries for some brand-new geek item or something. Actually, such phishing sites did exist in the log entries, so they proved that the system is really useful during the first training.
Like this, I had happy days in the tropical country 3,000 miles away from my home, with the hearty hospitality of the people. I felt like I had another home town there.
Thank you very much, mmCERT/CC and my dear trainees. We hope to visit again for another training session.
- Moto Kawasaki