Revision comparison (131 intermediate revisions by the same user are not shown). The previous revision of the assignment read as follows:

This homework assignment requires the knowledge from Modules 6 and 7.
Create SEC rules that accomplish the following event correlation task:
1) The rules must process netfilter firewall syslog events about blocked packets sent to local TCP and UDP ports.
For example, the following two events represent accesses to local ports 23/tcp and 25/tcp which were blocked by the local firewall:
Nov 6 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0
Nov 6 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.104 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
The rules must also process Apache web server syslog events with status codes 403 (Forbidden) and 404 (Not Found).
For example, the following event represents a GET request from client 192.168.1.101 to URL /banner.png that was not found (status code is 404):
Nov 6 19:05:37 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:05:37 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
2) If some URL is requested from 5 different clients within 5 minutes with status codes 403 and/or 404, this URL must be memorized as false positive for the following 15 minutes.
For example, if the following events appear in the log, the URL /offers/sales-offer.html must be memorized as false positive at Nov 6 19:06:17 for 15 minutes, since it has been accessed by 5 different clients 192.168.1.101, 192.168.1.103, 192.168.1.104, 192.168.2.16, and 192.168.7.33 within 5 minutes (between Nov 6 19:03:49 and Nov 6 19:06:17):
Nov 6 19:03:48 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:48 +0200] "GET /images/poweredby.png HTTP/1.1" 200 3956 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:03:49 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:49 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:03:59 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:03:59 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:04:07 localhost apache: 192.168.1.102 - - [06/Nov/2016:19:04:07 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:04:22 localhost apache: 192.168.1.103 - - [06/Nov/2016:19:04:22 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:04:29 localhost apache: 192.168.1.103 - - [06/Nov/2016:19:04:29 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:04:40 localhost apache: 192.168.1.104 - - [06/Nov/2016:19:04:40 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:05:01 localhost apache: 192.168.2.16 - - [06/Nov/2016:19:05:01 +0200] "GET /offers/sales-offer.html HTTP/1.1" 403 225 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:06:17 localhost apache: 192.168.7.33 - - [06/Nov/2016:19:06:17 +0200] "GET /offers/sales-offer.html HTTP/1.1" 403 225 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 19:26:16 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:26:16 +0200] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
3) If some host does the following within the 60 second window:
- probes at least 3 different ports that are protected by firewall, AND
- accesses at least 3 different URLs, so that status codes for URL accesses are 403 and/or 404 and none of the URLs has been previously memorized as false positive,
send an e-mail to root@localhost about offending activities from this host. After an e-mail alert has been issued about the host, disable further alerts for this host for 2 hours.
Note that ports in netfilter firewall messages must be distinguished not only by port number but also by transport protocol (in other words, ports 53/tcp and 53/udp must be considered different ports). Also note that the detection should be done with a sliding window approach -- if the counting operation for some host has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.
For example, suppose the following events are observed and the URL /offers/sales-offer.html has been previously memorized as false positive:
Nov 6 18:51:01 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 6 18:51:07 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 6 18:51:08 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:08 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 18:51:08 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:08 +0200] "GET /banner2.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 18:51:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 6 18:51:09 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:09 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 18:51:11 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:51:11 +0200] "GET /offers/sales-offer.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 18:51:12 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=21 WINDOW=49640 RES=0x00 SYN URGP=0
Nov 6 18:51:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0
Nov 6 18:51:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=445 WINDOW=49640 RES=0x00 SYN URGP=0
Nov 6 18:52:05 localhost apache: 10.1.1.7 - - [06/Nov/2016:18:52:05 +0200] "GET /docs/report.doc HTTP/1.1" 403 208 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Nov 6 18:52:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0
The event correlation rules must produce an alarm at Nov 6 18:52:05 about offending host 10.1.1.7, since between Nov 6 18:51:07 and Nov 6 18:52:05 this host has:
- probed 3 distinct ports 80/tcp, 21/tcp, and 445/tcp,
- accessed 3 distinct URLs /banner.png, /banner2.png, and /docs/report.doc with status codes 404 and 403.
Note that although the event correlation operation for host 10.1.1.7 should be started at Nov 6 18:51:01, the window has to slide forward after 60 seconds, since only 2 distinct URLs have been observed for 10.1.1.7 (the access to /offers/sales-offer.html must be ignored, since it has been previously memorized as false positive). Therefore, the port probe at Nov 6 18:51:01 will be left out of the window when it slides.
Finally, note that another event correlation operation should be started for host 10.1.1.93 at Nov 6 18:51:14.
Some hints for accomplishing this assignment:
- don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
- in order to accomplish subtask 3 (detection of port probes and URL accesses from the same host within a 60 second window), use the EventGroup2 rule.
Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html).

The current revision of the assignment reads as follows:

This homework assignment requires the knowledge from Modules 6 and 7.
Create SEC rules that accomplish the following event correlation task:
1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.
For example, suppose the following events appear in the log:
Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov 7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2
When the above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.
Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.
2) If the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root user via e-mail. After an e-mail has been sent, ensure that no repeated e-mails are generated during the following 3600 seconds.
Some hints for accomplishing this assignment:
- don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
- if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
- all parts of the solution must be fully functional even when several non-existing user accounts are probed from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).
Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html). Also, consider the examples from the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).
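As an added illustration that is not part of the assignment and not SEC rule syntax, the two subtasks modelled in Python over the sample sshd events above: one sliding-window distinct counter, keyed per user for stage 1 and used with a single shared key for stage 2, so that counting contexts never interfere; stage-1 detections play the role of the synthetic events mentioned in the hints, and the e-mail is represented by a returned record. It assumes the year 2016 for the syslog timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample input: the sshd events quoted in the assignment (year assumed 2016).
SAMPLE_LOG = """\
Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov 7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov 7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ "
                     r"for invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")

class SlidingDistinctCounter:
    # One counting operation per key; fires once `threshold` distinct values fall within `window` s.
    def __init__(self, threshold, window):
        self.threshold, self.window, self.ctx = threshold, window, defaultdict(list)

    def feed(self, key, value, t):
        ev = self.ctx[key]  # this key's own context; other keys never interfere
        ev[:] = [(et, v) for et, v in ev if t - et < self.window]  # slide the window forward
        ev.append((t, value))
        distinct = {v for _, v in ev}
        if len(distinct) < self.threshold:
            return None
        del self.ctx[key]  # condition met: end this counting operation
        return sorted(distinct)

def correlate(lines, year=2016):
    # Stage 1: a non-existing user probed from 3 distinct IPs within 60 s.
    # Stage 2: 3 distinct such users within 900 s -> one e-mail, then 3600 s of silence.
    per_user = SlidingDistinctCounter(threshold=3, window=60)
    across_users = SlidingDistinctCounter(threshold=3, window=900)
    probed, mails, mute_until = [], [], float("-inf")
    for m in filter(None, map(LINE_RE.match, lines)):
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        ips = per_user.feed(m["user"], m["ip"], t)
        if ips is None:
            continue
        probed.append((m["ts"], m["user"], ips))  # the "synthetic event" from the hints
        users = across_users.feed("all", m["user"], t)
        if users is not None and t >= mute_until:
            mails.append((m["ts"], users))  # a deployment would mail root here
            mute_until = t + 3600
    return probed, mails
```

Running `correlate(SAMPLE_LOG.splitlines())` reports admin2 at 12:54:07 with its three source addresses and nothing for oracle, matching the assignment's expected outcome.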