Erinevus lehekülje "Itx8071-task2" redaktsioonide vahel

Allikas: Kursused
Mine navigeerimisribale Mine otsikasti
(Lehekülg asendatud tekstiga 'To be announced.')
1. rida: 1. rida:
This homework assignment requires the knowledge from Modules 6 and 7.
+
To be announced.
 
 
=== Create SEC rules that accomplish the following event correlation task: ===
 
 
 
'''1) if netfilter firewall blocked packet events have been seen for the same host, so that the host has probed 5 distinct TCP and/or UDP ports within 2 minutes, memorize that host for the following 1 hour as suspicious host.'''
 
 
 
Note that ports must be distinguished not only by port number, but transport protocol should also be considered (for example, ports 53/tcp and 53/udp must be regarded different).
 
 
 
For example, if the following events appear for host '''192.168.56.1''', this host should be memorized as suspicious, since it has probed 5 distinct ports
 
'''161/udp''', '''21/tcp''', '''23/tcp''', '''25/tcp''', and '''123/udp''' within 2 minutes:
 
 
 
Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO='''UDP''' SPT=46062 DPT='''161''' LEN=12
 
Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO='''UDP''' SPT=37036 DPT='''161''' LEN=12
 
Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO='''TCP''' SPT=38954 DPT='''21'''
 
  WINDOW=29200 RES=0x00 SYN URGP=0
 
Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO='''TCP''' SPT=51418 DPT='''23'''
 
  WINDOW=29200 RES=0x00 SYN URGP=0
 
Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO='''TCP''' SPT=51418 DPT='''23'''
 
  WINDOW=29200 RES=0x00 SYN URGP=0
 
Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO='''TCP''' SPT=50250 DPT='''25'''
 
  WINDOW=29200 RES=0x00 SYN URGP=0
 
Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO='''TCP''' SPT=50250 DPT='''25'''
 
  WINDOW=29200 RES=0x00 SYN URGP=0
 
Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00
 
  SRC='''192.168.56.1''' DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO='''UDP''' SPT=41553 DPT='''123''' LEN=12
 
 
 
'''2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.'''
 
 
 
For example, suppose the host '''192.168.57.13''' has been memorized as suspicious less than 1 hour ago, and the following events are observed:
 
 
 
Nov  7 14:36:07 localhost sshd[1330]: Failed none for invalid user '''ftp''' from '''192.168.6.4''' port 36402 ssh2
 
Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user '''admin''' from '''192.168.57.13''' port 36404 ssh2
 
Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user '''admin''' from '''192.168.57.13''' port 36404 ssh2
 
Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user '''oracle''' from '''192.168.57.13''' port 36406 ssh2
 
Nov  7 14:36:18 localhost sshd[1338]: Failed password for invalid user '''oracle''' from '''192.168.57.13''' port 36406 ssh2
 
Nov  7 14:36:21 localhost sshd[1338]: Failed password for invalid user '''oracle''' from '''192.168.57.13''' port 36406 ssh2
 
Nov  7 14:36:37 localhost sshd[1340]: Failed none for invalid user '''admin''' from '''192.168.6.4''' port 36408 ssh2
 
Nov  7 14:36:50 localhost sshd[1342]: Failed none for invalid user '''sybase''' from '''192.168.57.13''' port 36412 ssh2
 
 
 
Since 3 distinct non-existing user accounts '''admin''', '''oracle''', and '''sybase''' have been probed over SSH from suspicious host '''192.168.57.13''' within 1 minute,  an alert message about this host (e.g., "SSH probing of non-existing user accounts from 192.168.57.13") must be sent to root@localhost via e-mail. Also, further alerting must be disabled for host '''192.168.57.13''' for 3 hours.
 
 
 
Some hints for accomplishing this assignment:
 
* consider the use of contexts for memorizing suspicious hosts and e-mail alerts that have been already sent,
 
* consider the use of contexts for memorizing already observed network ports and user names,
 
* all parts of the solution must be fully functional even when port probing or user account probing is conducted from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).
 
 
 
Apart from studying the examples from the course slides, have a look at the SEC
 
man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html).
 

Redaktsioon: 29. august 2019, kell 10:37

To be announced.