Difference between revisions of "Itx8071-task2"

Source: Kursused

Revision as of 3 November 2015, 17:26

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) the rules must process netfilter firewall syslog events about blocked packets sent to local TCP and UDP ports. For example, the following two events represent accesses to local ports 23/tcp and 25/tcp which were blocked by the local firewall:

Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0
Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.104 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0

2) if some port has been probed repeatedly during 15 minutes, so that the time between two successive probes does not exceed 30 seconds, memorize that port for the following 1 hour as a "noisy port". For example, if at 18:30:06 the local netfilter firewall starts to log events about blocked access attempts to port 21/tcp, and such events continue to appear once every 3-4 seconds until 18:45:06, then the port 21/tcp should be memorized as a noisy port for 1 hour. On the other hand, if the following 5 events are seen in 15 minutes, the port 21/tcp must not be considered noisy, since the fourth and fifth events are separated by more than 30 seconds.

Oct 25 18:30:06 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 18:30:27 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.2 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 18:30:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.29 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=21 WINDOW=49640 RES=0x00 SYN URGP=0
Oct 25 18:31:04 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=21 WINDOW=7290 RES=0x00 SYN URGP=0
Oct 25 18:44:46 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.84 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=21 WINDOW=6280 RES=0x00 SYN URGP=0

3) if some host probes 5 different ports within 60 seconds, so that none of the probed ports has been memorized as noisy within the last 1 hour, send an e-mail about the offending host to root@localhost. Note that ports should be distinguished not only by port number but also by transport protocol (in other words, ports 53/tcp and 53/udp must be considered different ports).

Also note that the detection should be done with a sliding window approach -- if the counting operation for some host has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

After an e-mail alert has been issued about the host, disable further alerts for this host for 4 hours.

For example, suppose the following events are observed and the port 21/tcp has been previously memorized as noisy:

Oct 25 18:51:01 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 18:51:07 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 18:51:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 18:51:12 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=21 WINDOW=49640 RES=0x00 SYN URGP=0
Oct 25 18:51:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0
Oct 25 18:51:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=445 WINDOW=49640 RES=0x00 SYN URGP=0
Oct 25 18:52:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=6000 WINDOW=6280 RES=0x00 SYN URGP=0
Oct 25 18:52:03 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=6001 WINDOW=6280 RES=0x00 SYN URGP=0
Oct 25 18:52:05 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=6002 WINDOW=6280 RES=0x00 SYN URGP=0
Oct 25 18:52:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0

The event correlation rules must produce an alarm at Oct 25 18:52:05 about offending host 10.1.1.7, since this host has accessed five distinct ports 80/tcp, 445/tcp, 6000/tcp, 6001/tcp and 6002/tcp between Oct 25 18:51:07 and Oct 25 18:52:05 (access attempt to noisy port 21/tcp at Oct 25 18:51:12 must be ignored, while access attempt to port 25/tcp at Oct 25 18:51:01 does not fit into the 60 second window).
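As an added illustration, not part of the assignment or the course material, the Python model below replays the subtask 3 example above with 21/tcp already marked noisy and reproduces the expected single alert for 10.1.1.7 at 18:52:05; it also implements the subtask 2 noisy-port condition (gaps of at most 30 seconds over at least 15 minutes). The Correlator class, its field names, the reduced event template and the year 2015 assumed for the year-less syslog timestamps are all assumptions of this example; the assignment itself asks for the same logic expressed as SEC rules.

```python
import re
from datetime import datetime, timedelta

# Blocked-packet lines as quoted in the assignment; the key=value fields may come in any order.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: iptables: (.*)$")
def parse(line, year=2015):
    """Return (timestamp, src_ip, 'dport/proto'), or None if the line is not a firewall event."""
    m = LINE_RE.match(line)
    f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv) if m else {}
    if not {"SRC", "PROTO", "DPT"} <= set(f):
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return ts, f["SRC"], f"{f['DPT']}/{f['PROTO'].lower()}"  # 53/tcp and 53/udp stay distinct

class Correlator:  # reference model of subtasks 2 and 3 (the assignment wants SEC rules with this logic)
    def __init__(self):
        self.run = {}          # port -> (first probe of the current run, last probe)
        self.noisy_until = {}  # port -> time until which the port is treated as noisy
        self.window = {}       # host -> [(time, port)] for non-noisy probes in the last 60 s
        self.muted_until = {}  # host -> time until which further alerts are suppressed
    def feed(self, line):
        """Process one event; return (time, host) when an e-mail alert is due, else None."""
        ev = parse(line)
        if ev is None:
            return None
        t, host, port = ev
        # Subtask 2: probes with gaps <= 30 s lasting >= 15 min make the port noisy for 1 hour.
        first, last = self.run.get(port, (t, t))
        if t - last > timedelta(seconds=30):
            first = t                                   # gap too long: the run starts over
        self.run[port] = (first, t)
        if t - first >= timedelta(minutes=15):
            self.noisy_until[port], self.run[port] = t + timedelta(hours=1), (t, t)
        # Subtask 3: skip noisy ports and muted hosts; 60 s sliding window of distinct ports per host.
        if self.noisy_until.get(port, t) > t or self.muted_until.get(host, t) > t:
            return None
        w = [e for e in self.window.get(host, []) if t - e[0] <= timedelta(seconds=60)] + [(t, port)]
        self.window[host] = w
        if len({p for _, p in w}) >= 5:
            self.muted_until[host] = t + timedelta(hours=4)  # no further alerts for 4 hours
            self.window[host] = []
            return t, host
        return None

# Constructed replay of the assignment's subtask 3 example, reduced to the fields the rules need.
EVENT = "Oct 25 {} localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC={} DST=10.13.25.59 PROTO=TCP SPT=1 DPT={}"
SAMPLE = [EVENT.format(*e) for e in [("18:51:01", "10.1.1.7", 25), ("18:51:07", "10.1.1.7", 80),
    ("18:51:08", "10.1.1.7", 80), ("18:51:12", "10.1.1.7", 21), ("18:51:14", "10.1.1.93", 23),
    ("18:51:52", "10.1.1.7", 445), ("18:52:02", "10.1.1.7", 6000), ("18:52:03", "10.1.1.7", 6001),
    ("18:52:05", "10.1.1.7", 6002), ("18:52:14", "10.1.1.93", 23)]]
```

Feeding SAMPLE to a Correlator whose noisy_until already holds 21/tcp yields exactly one (time, host) result, at 18:52:05 for 10.1.1.7, because the 18:51:01 probe of 25/tcp has aged out of the 60 second window and the 21/tcp probe is ignored.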

Some hints for accomplishing this assignment:

- don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
- in order to accomplish subtask 2 (detection of 15 minute event sequence with max 30 second intervals), use Single rules that set up contexts with specific actions-on-expire.

Apart from studying the examples from the course slides, have a look at the SEC man page (installed on the virtual machines or found at http://simple-evcorr.github.io/man.html).