Difference between revisions of the page "Itx8071-task2"

Source: Kursused
(Page replaced with the text 'To be announced.')
Line 1: Line 1:
This homework assignment requires the knowledge from Modules 6 and 7.
+
To be announced.
 
 
Create SEC rules that accomplish the following event correlation task:

1) monitor sshd log events and detect SSH probing from remote hosts, where the same non-existing user account is probed over SSH from 3 distinct IP addresses within 60 seconds or less.

For example, if the following events appear in the log

  Nov  7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
  Nov  7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
  Nov  7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
  Nov  7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
  Nov  7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
  Nov  7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
  Nov  7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

your SEC rule(s) should detect SSH probing for the non-existing user admin2, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses: 10.3.6.22, 10.1.2.52 and 10.17.8.9.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root user via e-mail. After an e-mail has been sent, ensure that no repeated e-mails are generated during the following 3600 seconds.

Some hints for accomplishing this assignment:

* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,

* if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.

Apart from studying the examples from the course slides, have a look at the SEC man page (installed on the virtual machines or found at http://simple-evcorr.sourceforge.net/man.html).
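The event correlation described in the two subtasks, as an added Python example that is not part of the assignment or of SEC (SEC would express it with interacting rules and contexts, as the hints suggest): a sliding 60 s window of distinct source IPs per invalid user that emits a synthetic probe event, then a 900 s window of distinct probed users that sends one mail and suppresses further mails for 3600 s. Timestamps are reduced to seconds of the day, so all lines are assumed to fall on one calendar day; the sample input is the assignment's own seven log lines.

```python
import re
from collections import defaultdict

# sshd "invalid user" failures in the format shown in the assignment
LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
                     r"Failed \S+ for invalid user (\S+) from (\S+) port \d+")

def parse(line):
    """Return (seconds of day, user, ip) or None; assumes one calendar day."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, user, ip = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), user, ip

def correlate(lines, ip_window=60, user_window=900, suppress=3600):
    """Subtask 1: >= 3 IPs per user in a sliding ip_window; subtask 2: >= 3 such users in user_window -> mail, then suppress."""
    ips = defaultdict(dict)   # user -> {ip: time last seen}
    probed = {}               # user -> time probing was detected
    alerts, mails = [], []    # synthetic (t, user) events; mail times
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        t, user, ip = parsed
        seen = ips[user]
        seen[ip] = t
        # slide the window: forget IPs last seen more than ip_window ago
        for stale in [k for k, v in seen.items() if t - v > ip_window]:
            del seen[stale]
        if len(seen) < 3:
            continue
        alerts.append((t, user))
        probed[user] = t
        seen.clear()          # restart counting for this user
        recent = [u for u, ut in probed.items() if t - ut <= user_window]
        if len(recent) >= 3 and (not mails or t - mails[-1] >= suppress):
            mails.append(t)   # SEC would pipe a report to root via mail here
    return alerts, mails

# The seven events from the assignment, used as the sample input
SAMPLE_LOG = """\
Nov  7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov  7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov  7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov  7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov  7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov  7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov  7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2
""".splitlines()
```

`correlate(SAMPLE_LOG)` returns `([(46447, 'admin2')], [])`: one synthetic event for admin2 at 12:54:07 (46447 s into the day) and no mail yet, since only one user has been detected.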
 

Revision as of 19:32, 26 August 2015

To be announced.