Difference between revisions of "Itx8071-task2"

Source: Kursused
(Page replaced with the text 'To be announced during the semester.')
Tag: Replacement
 
(94 intermediate revisions by the same user not shown)
Line 1: Line 1:
This homework assignment requires knowledge from Modules 6 and 7.
+
To be announced during the semester.
 
 
=== Create SEC rules that accomplish the following event correlation tasks: ===
 
 
 
'''1) If netfilter firewall blocked-packet events have been seen for the same host such that the host has probed 5 distinct TCP and/or UDP ports within 2 minutes, memorize that host as a suspicious host for the following 1 hour.'''
 
 
 
Note that ports must be distinguished not only by port number; the transport protocol must also be considered (for example, 53/tcp and 53/udp must be regarded as different ports). Repeated probes of the same port/protocol pair count only once.
 
 
 
For example, if the following events appear for host '''192.168.56.1''', this host should be memorized as suspicious, since it has probed 5 distinct ports
'''161/udp''', '''21/tcp''', '''23/tcp''', '''25/tcp''', and '''123/udp''' within 2 minutes (each event is a single syslog line, wrapped here for display; the fifth distinct port is reached with the '''123/udp''' event at 14:16:46, 118 seconds after the first event):
 
 
 
Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO='''UDP''' SPT=46062 DPT='''161''' LEN=12
Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO='''UDP''' SPT=37036 DPT='''161''' LEN=12
Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO='''TCP''' SPT=38954 DPT='''21'''
  WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO='''TCP''' SPT=51418 DPT='''23'''
  WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO='''TCP''' SPT=51418 DPT='''23'''
  WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO='''TCP''' SPT=50250 DPT='''25'''
  WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO='''TCP''' SPT=50250 DPT='''25'''
  WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO='''UDP''' SPT=41553 DPT='''123''' LEN=12
 
 
 
'''2) If a host has previously been memorized as suspicious, and 3 distinct non-existing user accounts are probed over SSH from this host within 1 minute, send an alert e-mail to the local root user (root@localhost). After the e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.'''
 
 
 
For example, suppose the host '''192.168.57.13''' has been memorized as suspicious less than 1 hour ago (so its memorization from task 1 is still in effect), and the following events are observed:
 
 
 
Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user '''admin''' from '''192.168.57.13''' port 36404 ssh2
Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user '''admin''' from '''192.168.57.13''' port 36404 ssh2
Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user '''oracle''' from '''192.168.57.13''' port 36406 ssh2
Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user '''sybase''' from '''192.168.57.13''' port 36412 ssh2
 
 
 
Since 3 distinct non-existing user accounts '''admin''', '''oracle''', and '''sybase''' have been probed over SSH from the suspicious host '''192.168.57.13''' within 1 minute (the repeated probe of '''admin''' counts only once; the third distinct account is reached with the '''sybase''' event at 14:36:50, 41 seconds after the first event), an alert message about this host (e.g., "SSH probing of non-existing user accounts from 192.168.57.13") must be sent to root@localhost via e-mail. Also, further alerting must be disabled for host '''192.168.57.13''' for 3 hours.
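The correlation logic of both tasks, replayed over the page's sample events in plain Python. This is an added illustration of the intended behaviour, not an SEC ruleset and not part of the assignment; the class name Correlator, the run_samples() driver, the assumed year 2024 for the year-less syslog timestamps, and the assumed memorization time 14:00:00 for 192.168.57.13 are all choices made here, and alerts are collected in a list instead of being e-mailed. The sample lines are constructed copies of the page's events, with each iptables record joined onto one line.

```python
"""Event-correlation logic for the two tasks above, in plain Python (added
illustration, not an SEC ruleset; alerts go to a list where SEC would e-mail)."""
import re
from collections import defaultdict
from datetime import datetime

_EPOCH = datetime(2024, 1, 1)          # syslog lines carry no year; 2024 is assumed
_TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")
_FW_RE = re.compile(r"kernel: iptables: .*\bSRC=(?P<src>\S+) .*\bPROTO=(?P<proto>TCP|UDP)\b"
                    r".*\bDPT=(?P<dpt>\d+)")
_SSH_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for invalid user (?P<user>\S+) "
                     r"from (?P<src>\S+) port \d+")


def syslog_time(stamp):
    """Seconds since _EPOCH for a 'Mon DD HH:MM:SS' syslog timestamp."""
    return (datetime.strptime("2024 " + stamp, "%Y %b %d %H:%M:%S") - _EPOCH).total_seconds()


class Correlator:
    PORT_WINDOW, PORT_THRESHOLD, SUSPICIOUS_TTL = 120, 5, 3600    # task 1: 2 min, 5 ports, 1 h
    USER_WINDOW, USER_THRESHOLD, MUTE_TTL = 60, 3, 3 * 3600        # task 2: 1 min, 3 users, 3 h

    def __init__(self):
        self._ports = defaultdict(list)   # host -> [(time, "161/udp"), ...]
        self._users = defaultdict(list)   # host -> [(time, "admin"), ...]
        self._muted = {}                  # host -> time when alert e-mails resume
        self.suspicious = {}              # host -> time when the "suspicious" memory expires
        self.alerts = []                  # (time, host, message) records instead of e-mail

    @staticmethod
    def _distinct_in_window(events, now, window):
        """Drop events older than `window` seconds; return the distinct keys that remain."""
        events[:] = [(t, key) for t, key in events if now - t <= window]
        return {key for _, key in events}

    def memorize(self, host, now):
        self.suspicious[host] = now + self.SUSPICIOUS_TTL

    def is_suspicious(self, host, now):
        return self.suspicious.get(host, float("-inf")) > now

    def feed(self, line):
        """Route one syslog line to the matching task; unrelated lines are ignored."""
        if not (m := _TS_RE.match(line)):
            raise ValueError(f"no syslog timestamp: {line!r}")
        now = syslog_time(m.group(1))
        if fw := _FW_RE.search(line):
            # 53/tcp and 53/udp are different ports, so the key carries the protocol.
            self._firewall(now, fw["src"], f"{fw['dpt']}/{fw['proto'].lower()}")
        elif ssh := _SSH_RE.search(line):
            self._ssh(now, ssh["src"], ssh["user"])

    def _firewall(self, now, host, port):
        ev = self._ports[host]
        ev.append((now, port))
        if len(self._distinct_in_window(ev, now, self.PORT_WINDOW)) >= self.PORT_THRESHOLD:
            self.memorize(host, now)
            ev.clear()                    # count afresh once the threshold has fired

    def _ssh(self, now, host, user):
        if not self.is_suspicious(host, now):
            return                        # task 2 applies only to hosts memorized by task 1
        ev = self._users[host]
        ev.append((now, user))
        if len(self._distinct_in_window(ev, now, self.USER_WINDOW)) < self.USER_THRESHOLD:
            return
        ev.clear()
        if self._muted.get(host, float("-inf")) > now:
            return                        # an e-mail for this host went out < 3 hours ago
        self._muted[host] = now + self.MUTE_TTL
        self.alerts.append((now, host, f"SSH probing of non-existing user accounts from {host}"))


# Constructed sample input: the page's events, each iptables record on one line
# (the page wraps them for display) with the unrelated fields shortened.
FW_TEMPLATE = ("{} localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 "
               "SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO={} SPT=40000 DPT={}")
SAMPLE_FW = [FW_TEMPLATE.format(t, proto, dpt) for t, proto, dpt in [
    ("Nov  7 14:14:48", "UDP", 161), ("Nov  7 14:15:06", "UDP", 161),
    ("Nov  7 14:15:18", "TCP", 21), ("Nov  7 14:15:22", "TCP", 23),
    ("Nov  7 14:15:23", "TCP", 23), ("Nov  7 14:16:01", "TCP", 25),
    ("Nov  7 14:16:02", "TCP", 25), ("Nov  7 14:16:46", "UDP", 123)]]
SAMPLE_SSH = [
    "Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.57.13 port 36404 ssh2",
    "Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.57.13 port 36404 ssh2",
    "Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.57.13 port 36406 ssh2",
    "Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.57.13 port 36412 ssh2",
]


def run_samples():
    """Replay both scenarios; 192.168.57.13 is assumed to have been memorized at 14:00:00."""
    c = Correlator()
    for line in SAMPLE_FW:
        c.feed(line)
    c.memorize("192.168.57.13", syslog_time("Nov  7 14:00:00"))
    for line in SAMPLE_SSH:
        c.feed(line)
    for line in SAMPLE_SSH:               # same burst 10 minutes later: muted, no second e-mail
        c.feed(line.replace("14:36", "14:46"))
    return c
```

Calling run_samples() leaves 192.168.56.1 memorized until 15:16:46 (the fifth distinct port, 123/udp, arrives 118 seconds after the first event) and produces exactly one alert for 192.168.57.13, at 14:36:50; the replayed burst at 14:46 is dropped because alerting for that host stays muted until 17:36:50. The pruning in _distinct_in_window is what makes both windows sliding: repeated probes of the same port or user never raise the count, and events that have fallen out of the window are forgotten before the threshold is compared, which is what the assignment's "within 2 minutes" and "within 1 minute" require.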
 

Latest revision: 25 August 2025, 08:07