Erinevus lehekülje "Itx8071-task2" redaktsioonide vahel

Allikas: Kursused
Mine navigeerimisribale Mine otsikasti
 
(ei näidata sama kasutaja 120 vahepealset redaktsiooni)
1. rida: 1. rida:
 
This homework assignment requires the knowledge from Modules 6 and 7.  
 
This homework assignment requires the knowledge from Modules 6 and 7.  
  
Create SEC rules that accomplish the following event correlation task:
+
==== Create SEC rules that accomplish the following event correlation task: ====
  
1) The rules must process netfilter firewall syslog events about blocked packets.
+
1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.
For example, the following two events represent two packets from host 192.168.1.67
 
which were blocked by the local firewall:
 
  
Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107
+
For example, suppose the following events appear in the log:
  LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0
 
Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107
 
  LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
 
  
The rules must also process Apache web server syslog events with status codes
+
Nov  7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
401 (Unauthorized), 403 (Forbidden), 404 (Not Found), and 405 (Method Not Allowed).  
+
Nov  7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
For example, the following event represents GET request from client 192.168.1.101 to
+
Nov  7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
URL /banner.png that was not found (status code is 404):  
+
Nov  7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
 +
Nov  7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
 +
Nov  7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
 +
Nov  7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
 +
Nov  7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2
  
Nov  6 19:05:37 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:05:37 +0200] "GET /banner.png HTTP/1.1" 404 208 "-"
+
When above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.  
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
 
  
2) if netfilter firewall blocked packet events and/or Apache events with 401 status codes
+
Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.
have been seen from the same host repeatedly during 5 minutes, so that time between two
 
successive events does not exceed 60 seconds, memorize that host for the following 1 hour
 
as suspicious host (the time between the last event and the end of the 5-minute window
 
must also not exceed 60 seconds).
 
  
For example, if the following events appear for host 10.1.1.7, this host should be
+
2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.
memorized as suspicious, since in 5-minute window from 12:30:06 to 12:35:06 six events
 
have been seen which are separated from each other by no more than 60 seconds
 
(time gaps between events are 59, 55, 52, 58, and 51 seconds, while the gap between
 
the last event and the end of the 5-minute window is 25 seconds).
 
  
Nov 15 12:30:06 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59
+
-----
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
 
Nov 15 12:31:05 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59
 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
 
Nov 15 12:32:00 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59
 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=25 WINDOW=49640 RES=0x00 SYN URGP=0
 
Nov 15 12:32:52 localhost apache: 10.1.1.7 - - [15/Nov/2017:12:32:52 +0200] "GET / HTTP/1.1" 401 489
 
Nov 15 12:33:50 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59
 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=143 WINDOW=7290 RES=0x00 SYN URGP=0
 
Nov 15 12:34:41 localhost apache: 10.1.1.7 - - [15/Nov/2017:12:34:41 +0200] "GET / HTTP/1.1" 401 489
 
 
 
3) if some host has been previously memorized as suspicious, and 3 Apache events with
 
status codes 403, 404 and/or 405 are observed from this host within 60 seconds, so that
 
HTTP method is different for all events, send an e-mail about the offending host to
 
root@localhost.
 
 
 
Note that the detection should be done with a sliding window approach --
 
if the counting operation for some host has not seen enough events
 
during 60 seconds, the 60 second detection window should be moved forward.
 
 
 
After an e-mail alert has been issued about the host, disable further alerts
 
for this host for 3 hours.
 
 
 
For example, suppose the following events are observed and the host 192.168.56.1
 
has been previously memorized as suspicious:
 
 
 
Nov 15 13:46:12 localhost apache: 192.168.56.1 - - [15/Nov/2017:13:46:12 +0200] "GET / HTTP/1.1" 200 4897 "-" "curl/7.29.0"
 
Nov 15 13:46:31 localhost apache: 192.168.56.1 - - [15/Nov/2017:13:46:31 +0200] "GET /test.html HTTP/1.1" 404 207 "-" "curl/7.29.0"
 
Nov 15 13:46:33 localhost apache: 192.168.56.1 - - [15/Nov/2017:13:46:33 +0200] "GET /test.html HTTP/1.1" 404 207 "-" "curl/7.29.0"
 
Nov 15 13:46:41 localhost apache: 192.168.56.1 - - [15/Nov/2017:13:46:41 +0200] "PUT /test.html HTTP/1.1" 405 230 "-" "curl/7.29.0"
 
Nov 15 13:46:42 localhost apache: 10.1.17.3 - - [15/Nov/2017:13:46:42 +0200] "GET / HTTP/1.1" 200 4897 "-"
 
  "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
 
Nov 15 13:46:47 localhost apache: 192.168.56.1 - - [15/Nov/2017:13:46:47 +0200] "DELETE /index.html HTTP/1.1" 405 234 "-" "curl/7.29.0"
 
 
 
The event correlation rules must produce an alarm at Nov 15 13:46:47 about offending
 
host 192.168.56.1, since this host has used three different HTTP methods (GET, PUT,
 
and DELETE) within 60 seconds, so that HTTP status codes are either 403, 404, or 405.
 
  
 
Some hints for accomplishing this assignment:
 
Some hints for accomplishing this assignment:
- don't try to solve the whole assignment with just one rule, but rather write  
+
* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
  several rules which interact,
+
* if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
- in order to accomplish subtask 2 (detection of 5 minute event sequence
+
* all parts of the solution must be fully functional even when several non-existing user accounts are probed from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).
  with max 60 second intervals), use Single rules that set up contexts
 
  with specific actions-on-expire.
 
  
Apart from studying the examples from the course slides, have a look at the SEC
+
Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html). Also, consider the examples from SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).
man page (installed at the virtual machines or found at  
 
http://simple-evcorr.github.io/man.html).
 

Viimane redaktsioon: 1. november 2024, kell 21:46

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) Monitor sshd log events for SSH probing of non-existing user accounts, and detect non-existing user accounts that have been probed over SSH from 3 distinct IP addresses within 60 seconds.

For example, suppose the following events appear in the log:

Nov  7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov  7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2
Nov  7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov  7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2
Nov  7 12:53:55 myhost sshd[10499]: Failed password for invalid user oracle from 10.2.9.99 port 6133 ssh2
Nov  7 12:54:01 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov  7 12:54:02 myhost sshd[10527]: Failed publickey for invalid user admin2 from 10.1.2.52 port 40106 ssh2
Nov  7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

When above events appear, SSH probing for non-existing user admin2 should be reported, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9. However, SSH probing for non-existing user oracle should not be reported, since this user was probed from only 2 distinct IP addresses.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.


Some hints for accomplishing this assignment:

  • don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
  • if SSH probing for some non-existing user account is detected (as described in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
  • all parts of the solution must be fully functional even when several non-existing user accounts are probed from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html). Also, consider the examples from SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).