you're reading...
INFOSEC, Lockheed Martin Hacked, Monitor RSA Brute Force, RSA Breach, RSA HACK

Monitoring RSA Brute Force Attempts

So, today I got news that Lockheed Martin had been hacked from a vulnerability stemming from the RSA breach in March. I was a bit taken aback by this as I have always known the folks at LHM to be pretty stout when it came to INFOSEC. There are quite a few INFOSEC pundits that are saying that this may be just the beginning. While, I am not a hard core INFOSEC type, at least not a Red-Team guy, I wanted to post a quick and easy way you can monitor for brute force attempts on your RSA environment. I have a number of queries that I have set up to monitor our RSA environment but this one was pretty low hanging fruit so I thought I would share it.

I am making the following assumptions: (this is not as hard as you think if you are doing this for the first time)

  • You have a SQL Server (2005 or better)
    • You have a Syslog Database or the ability to create one.
    • DBO Access or better to your Syslog Database
    • DBCreate Privilages if you do not yet have a Syslog Database.
  • You know how to set up a connect string in KIWI.
  • You have SQL Mail set up or you know how to set it up.
  • You know how to set up a SQL Agent job or you have a DBA on staff who will do it for you.
  • You know how to set up Sysloging on your RSA Server (my team does not host the RSA environment so I have no idea how they set it up but I assume they just pointed at my KIWI Server).

Getting the Data:
So, for $245 you can get a full copy of KIWI Syslog Server. Before you start chuckling, I have worked with the six figure Event Correlation Products and frankly, I don’t find them to be as flexible as KIWI logging to SQL. At any rate, if you can get a copy of KIWI Syslog Server you can start sending your logs to your SQL Server and begin the process of reporting on them. You can download a 30 day full version that you can prove works then ask your boss for the money as well.

The first thing you will need to set up is a rule for collecting your RSA Logs and filter on the IP Address of your RSA Server that will be sending the logs. As you can see below, I have set up a filter for the RSA Server at to capture all syslog data coming from that box.

Next, we will need to set up a custom DB Format, in KIWI you only get ten so use them wisely, this is a generic Custom DB Format using no custom fields. We are copying to the database MsgUnique, MsgDateTime, MsgHostAddress, MsgHostname and MsgText with the latter three being switched from “text” to “varchar” (Very important step, will not work if this is skipped)

Once we have set up our custom DB format we will go back to the rule and select an Action called “Log Event to Database” using the “Log to ODBC Database” option from the Action combo box. From here, you will select your custom format in the Database Type/Field format dropdown box and press the “Create Table” button. Once this is done you can click “Apply” and you should start seeing logs immediately.

Now comes the fun part:
While I understand RSA is a major security player, I have to say, I am disappointed in their logs, they look like shit! Parsing them was really, really tough for me (I am not a programmer) but I did get a substring Query that should yield some results.

Once you are writing data to the database, use this query to check for pin failures. From SQL Management Studio type the following Query:

select distinct right(convert(varchar(20),msgdatetime,100),7), replace(substring(msgtext,419,5),‘,’,),
msgtext = case when msgtext like ‘%BAD_PIN_GOOD_TOKENCODE%  then ‘Bad Pin Good Token’
                        when msgtext like ‘%BAD_TOKENCODE_GOOD_PIN%’  then ‘Bad Token Good Pin’
when msgtext like ‘%BAD_PIN_PREVIOUS_TOKENCODE%’  then  ‘Bad Pin Previous Token’
                        end, count(distinct msgtext) as “Total Failures”
from rsa_logs
where (MsgText like ‘%error%’
or MsgText like ‘%Fail%’)
and msgtext like ‘%pin%’
and msgdatetime > getdate()-1
group by right(convert(varchar(20),msgdatetime,100),7),replace(substring(msgtext,419,5),‘,’,),msgtext
order by right(convert(varchar(20),msgdatetime,100),7) desc

Monitoring for Brute Force Attempts:
So after getting the data where I needed it I set up a monitor to watch for brute force attempts on RSA Accounts.

Below is an example of the email I receive when the number of pin related failures goes beyond a set threshold. If I were to get one of these and see one user account with 10-20 failures, that could indicate a brute force attempt.

To get this email set up, I have written a SQL Stored Procedure that will monitor the table every five minutes and report back to me if someone has more than 3 failed RSA attempts within a 15 minute period.

To set up the stored procedure you will need to copy the following SQL Into your Management Studio and execute it. You will then need to set up SQL Mail and SQLAgent to be able to execute the job.

Stored Procedure:

/****** Object:  StoredProcedure [dbo].[SP_CTX_RSA_BRUTEFORCE]    Script Date: 05/30/2011 15:05:17 ******/






      — Add the parameters for the stored procedure here
      — SET NOCOUNT ON added to prevent extra result sets from
      — interfering with SELECT statements.
      –Condition to execute the script,
IF (select top 1 fail.Failures
   from rsa_logs,
               (select  distinct  replace(substring(msgtext,419,5),‘,’,)  as “UserID”, count(distinct  msgtext) as “Failures” 
        from rsa_logs
        where (MsgText like ‘%error%’
or MsgText like ‘%Fail%’)
        and msgtext like ‘%pin%’
and msgdatetime > getdate()-.009
    group by replace(substring(msgtext,419,5),‘,’,)
having count(distinct msgtext) > 2) fail )> 2
–If the condition is met, the script below will execute
— This is the actual table that gets emailed instead of the worthless ASCII data
SET @tableHTML =
    N'<style type=”text/css”>h2, body {font-family: Arial, verdana;} table{font-size:10px;     border-collapse:collapse;} td{background-color:#F1F1F1; border:1px solid black;     padding:3px;}th{background-color:#99CCFF;}</style>’+
    N'<table border=0 width=60% cellspacing=0 cellpadding=3>+
    select distinct td = right(convert(varchar(20),msgdatetime,100),7),               ‘               ‘,
                                      td = replace(substring(msgtext,419,5),‘,’,),          ‘               ‘,
td = case when msgtext like ‘%BAD_PIN_GOOD_TOKENCODE%’ then ‘Bad Pin Good Token’
                                                       when msgtext like ‘%BAD_TOKENCODE_GOOD_PIN%’  then ‘Bad Token Good Pin’
                                                       when msgtext like ‘%BAD_PIN_PREVIOUS_TOKENCODE%’  then ‘Bad Pin Previous Token’
                                                       end,          ,
                                      td = count(distinct msgtext),           ‘              
            from rsa_logs
     where (MsgText like ‘%error%’
                        or MsgText like ‘%Fail%’)
         and msgtext like ‘%pin%’
                        and msgdatetime > getdate()-.0360
          group by right(convert(varchar(20),msgdatetime,100),7), replace(substring(msgtext,419,5),‘,’,),msgtext
          order by right(convert(varchar(20),msgdatetime,100),7) desc



EXEC msdb.dbo.sp_send_dbmail
                  @profile_name = ‘SQLMail’,
                  @recipients = %YOUREMAILADDRESS%,
                  @body = @tableHTML,
                  @body_format = ‘HTML’,
                  @Subject = ‘RSA Brute Force Watch’,
                  @importance = ‘High’;
The LHM Hack was a shot across everyone’s bow. This isn’t some smug-tard at GAWKER, this is an major player in the Information Security scene. Until this RSA Breach is fully understood and mitigated it is possible that all we can do is monitor our logs and make sure specific accounts do not get compromised. If you have any issues with either the query or stored procedure please let me know and I may be able to walk you through it. (I have a gotomeeting account)


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: