Difference between revisions of "Itx8071-task2"

Source: Kursused

(88 intermediate revisions by the same user not shown)

Previous revision (wiki source text of the earlier version of the task):

=== Create SEC rules that accomplish the following event correlation task: ===

# The ruleset must track SSH login failures and su authentication failures for targeted users, so that all suspicious events for each user are stored into a separate SEC context. The events that must be stored into the context are described below (see points (2) and (3)). Before the first event is added to the context, the context must be created with a lifetime of 120 seconds.
# If user X fails to log in over SSH from client host Y, and there is no successful SSH login for user X from client Y during the following 20 seconds, add the following event into the context for user X: "User X failed to log in from Y over SSH".
# If user Y fails to switch to user X with the su utility, and user Y does not manage to successfully switch to user X during the following 20 seconds, add the following event into the context for user X: "User Y failed to switch to user X with su".
# When the lifetime of the context for user X expires, all events stored into this context must be e-mailed to user X. After that, all event recording for user X must be disabled for the following 1 hour (3600 seconds).

For example, consider the following events:

  Nov  6 17:13:03 localhost sshd[3914]: Failed password for root from 192.168.56.1 port 37326 ssh2
  Nov  6 17:13:33 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=root
  Nov  6 17:13:43 localhost su: pam_unix(su:session): session opened for user root by student(uid=1000)
  Nov  6 17:14:12 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
  Nov  6 17:14:13 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
  Nov  6 17:14:48 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=chrony
  Nov  6 17:15:01 localhost sshd[4115]: Failed password for chrony from 192.168.56.7 port 37388 ssh2
  Nov  6 17:23:29 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=root
  Nov  6 17:28:19 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
  Nov  6 17:28:23 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
  Nov  6 17:28:26 localhost sshd[4318]: Accepted password for student from 192.168.56.1 port 37724 ssh2

Since the SSH login failure event for user ''root'' from client ''192.168.56.1'' at 17:13:03 is not followed by a successful login for ''root'' from ''192.168.56.1'' during 20 seconds, a reporting context must be created at 17:13:24 for user ''root'' with a lifetime of 120 seconds. After that, the event ''User root failed to log in from 192.168.56.1 over SSH'' must be stored into the newly created context. Note that no event must be stored into the context of user ''root'' when user ''student'' fails to switch to user ''root'' at 17:13:33, since this failure is followed by a successful switch from ''student'' to ''root'' at 17:13:43 (i.e., within 20 seconds of the initial failure).

Because the SSH login failure event for user ''chrony'' from client ''192.168.56.7'' at 17:14:12 is not followed by a successful login for ''chrony'' from ''192.168.56.7'' during 20 seconds, another reporting context must be created at 17:14:33 for user ''chrony'', and the event ''User chrony failed to log in from 192.168.56.7 over SSH'' must be stored into this context (note that the previously created context for ''root'' must not be used for storing this event, since the event concerns a different user). Because user ''student'' fails to switch to ''chrony'' at 17:14:48 without a successful switch during 20 seconds, the event ''User student failed to switch to user chrony with su'' must be appended to the reporting context for ''chrony'' at 17:15:09. Finally, the event ''User chrony failed to log in from 192.168.56.7 over SSH'' must be appended to the context at 17:15:22, since the SSH login failure at 17:15:01 was not followed by a successful login.

When the reporting context for ''root'' expires at 17:15:25, all stored events from this context must be e-mailed to root@localhost (the context contains one event ''User root failed to log in from 192.168.56.1 over SSH''). After that, reporting of subsequent events for user ''root'' should be disabled for 1 hour, and therefore the event from 17:23:29 must not be stored into any reporting context.

When the reporting context for ''chrony'' expires at 17:16:34, all stored events from this context must be e-mailed to chrony@localhost:

  User chrony failed to log in from 192.168.56.7 over SSH
  User student failed to switch to user chrony with su
  User chrony failed to log in from 192.168.56.7 over SSH

After that, reporting of subsequent events for user ''chrony'' should be disabled for 1 hour.

Finally, no reporting context must be created for user ''student'', since the SSH login failure events at 17:28:19 and 17:28:23 for client ''192.168.56.1'' and user ''student'' are followed by a successful login at 17:28:26 for the same client and user.
Latest revision as of 29 October 2025, 14:50

This homework assignment requires knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) if netfilter firewall blocked-packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host as a suspicious host for the following 1 hour. Note that ports must be distinguished not only by port number but also by transport protocol (for example, ports 53/tcp and 53/udp must be regarded as different).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12 
Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12 
Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After the e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.56.1 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2
Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2
Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2
Nov  7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.56.1 within 1 minute, an alert e-mail about this host must be sent to root@localhost at 14:36:50. Also, further alerting must be disabled for 192.168.56.1 for 3 hours.

Note that all parts of the solution must be fully functional even when port probing or user account probing is conducted from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).
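As an added illustration (not part of the assignment and not a SEC ruleset), the following Python script replays the sample events from tasks 1) and 2) above and applies the same correlation logic in plain code: a per-host sliding window of distinct port/protocol pairs, a per-host sliding window of distinct invalid user names, a 1-hour suspicious flag and a 3-hour e-mail mute, with every window keyed by host so that parallel probing hosts do not interfere. The year 2025, the regular expressions and the class and method names are assumptions; the script is meant as a reference for checking what a SEC ruleset should produce on these events.

```python
import re
from datetime import datetime, timedelta
# Events copied from the assignment text (one firewall line per distinct port); year 2025 is an assumption.
FW_LINES = [
    "Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12",
    "Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12",
]
SSH_LINES = [
    "Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.56.1 port 36404 ssh2",
    "Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.56.1 port 36404 ssh2",
    "Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.56.1 port 36406 ssh2",
    "Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.56.1 port 36412 ssh2",
    "Nov  7 14:36:53 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.56.1 port 36412 ssh2",
]
FW_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: iptables: .*SRC=(\S+) .*PROTO=(\w+) .*DPT=(\d+)")
SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for invalid user (\S+) from (\S+) port")

def ts(text):  # syslog timestamps carry no year; 2025 is assumed
    return datetime.strptime("2025 " + text, "%Y %b %d %H:%M:%S")

class Correlator:
    """Task 1: memorize port-probing hosts; task 2: alert on invalid-user probes from them."""
    def __init__(self):
        self.ports, self.users = {}, {}       # per-host windows: (time, port/proto), (time, user)
        self.suspicious, self.muted = {}, {}  # host -> expiry of the suspicious flag / of the alert mute
        self.alerts = []                      # (time, host, users) that would be e-mailed to root@localhost

    def feed(self, line):
        if m := FW_RE.match(line):
            t, host, port = ts(m[1]), m[2], f"{m[4]}/{m[3].lower()}"  # 53/tcp and 53/udp stay distinct
            if len(self._window(self.ports, host, t, port, timedelta(minutes=2))) >= 5:
                self.suspicious[host] = t + timedelta(hours=1)
        elif m := SSH_RE.match(line):
            t, user, host = ts(m[1]), m[2], m[3]
            if self.suspicious.get(host, t) <= t or self.muted.get(host, t) > t:
                return  # host is not (or no longer) suspicious, or its alerts are muted
            users = self._window(self.users, host, t, user, timedelta(minutes=1))
            if len(users) >= 3:
                self.alerts.append((t, host, sorted(users)))
                self.muted[host] = t + timedelta(hours=3)  # no further e-mails for 3 hours

    def _window(self, store, host, t, value, span):
        """Drop this host's entries older than span, add value, return the distinct values."""
        recent = [(w, v) for w, v in store.get(host, []) if t - w < span] + [(t, value)]
        store[host] = recent
        return {v for _, v in recent}
```

Feeding FW_LINES followed by SSH_LINES into a Correlator memorizes 192.168.56.1 at 14:16:46 and records exactly one alert, at 14:36:50, for the user names admin, oracle and sybase.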

Some hints for accomplishing this assignment:

* consider the technique outlined on slides 17-18 of Module 7,
* as an alternative, consider the technique described in section 6.4 of the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf).