Erinevus lehekülje "Itx8071-task2" redaktsioonide vahel
Mine navigeerimisribale
Mine otsikasti
(Lehekülg asendatud tekstiga 'To be announced.') |
|||
1. rida: | 1. rida: | ||
− | + | This homework assignment requires the knowledge from Modules 6 and 7. | |
+ | |||
+ | ==== Create SEC rules that accomplish the following event correlation task: ==== | ||
+ | |||
+ | 1) if netfilter firewall blocked packet events have been seen for the same | ||
+ | host repeatedly during 2 minutes, so that the host has probed at least 5 | ||
+ | distinct TCP and/or UDP ports, memorize that host for the following 1 hour | ||
+ | as suspicious host. Note that ports must be distinguished not only by port | ||
+ | number, but transport protocol should also be considered (for example, ports | ||
+ | 53/tcp and 53/udp must be regarded different). | ||
+ | |||
+ | For example, if the following events appear for host 192.168.56.1, this host | ||
+ | should be memorized as suspicious, since it has probed 5 distinct ports | ||
+ | 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes: | ||
+ | |||
+ | Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12 | ||
+ | Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12 | ||
+ | Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0 | ||
+ | Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 | ||
+ | Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 | ||
+ | Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 | ||
+ | Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 | ||
+ | Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12 |
Redaktsioon: 28. oktoober 2022, kell 23:01
This homework assignment requires the knowledge from Modules 6 and 7.
Create SEC rules that accomplish the following event correlation task:
1) if netfilter firewall blocked packet events have been seen for the same host repeatedly during 2 minutes, so that the host has probed at least 5 distinct TCP and/or UDP ports, memorize that host for the following 1 hour as suspicious host. Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).
For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:
Nov 7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12 Nov 7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12 Nov 7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0 Nov 7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 Nov 7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 Nov 7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 Nov 7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 Nov 7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12