Erinevus lehekülje "Itx8071-task2" redaktsioonide vahel
Mine navigeerimisribale
Mine otsikasti
| (ei näidata sama kasutaja 22 vahepealset redaktsiooni) | |||
| 1. rida: | 1. rida: | ||
| − | This homework assignment requires the knowledge from Modules 6 and 7. | + | This homework assignment requires the knowledge from Modules 6 and 7. |
| − | + | === Create SEC rules that accomplish the following event correlation task: === | |
| − | 1) | + | 1) the rules must process netfilter firewall syslog events about blocked |
| − | + | packets sent to local TCP and UDP ports. For example, the following two | |
| − | + | events represent accesses to local ports 23/tcp and 25/tcp which were blocked | |
| − | + | by the local firewall: | |
| − | |||
| − | |||
| − | + | Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO='''TCP''' SPT=44963 DPT='''23''' WINDOW=49640 RES=0x00 SYN URGP=0 | |
| − | + | Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.104 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO='''TCP''' SPT=56918 DPT='''25''' WINDOW=29200 RES=0x00 SYN URGP=0 | |
| − | |||
| − | + | 2) if some port has been probed repeatedly during 15 minutes, so that time | |
| − | + | between two successive probes does not exceed 30 seconds, memorize that port | |
| − | + | for the following 1 hour as a "noisy port". For example, if at 18:30:06 | |
| − | + | the local netfilter firewall starts to log events about | |
| − | + | blocked access attempts to port 21/tcp, and such events continue to appear | |
| − | + | once in 3-4 seconds until 18:45:06, then the port 21/tcp should be memorized | |
| − | + | as a noisy port for 1 hour. | |
| − | + | On the other hand, if the following 5 events are seen in 15 minutes, | |
| + | the port 21/tcp must not be considered noisy, since the fourth and fifth | ||
| + | event are separated by more than 30 seconds. | ||
| − | 2 | + | Oct 25 18:30:06 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO='''TCP''' SPT=16333 DPT='''21''' WINDOW=5840 RES=0x00 SYN URGP=0 |
| − | + | Oct 25 18:30:27 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.2 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO='''TCP''' SPT=34342 DPT='''21''' WINDOW=29200 RES=0x00 SYN URGP=0 | |
| − | + | Oct 25 18:30:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.29 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO='''TCP''' SPT=47846 DPT='''21''' WINDOW=49640 RES=0x00 SYN URGP=0 | |
| − | + | Oct 25 18:31:04 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO='''TCP''' SPT=11652 DPT='''21''' WINDOW=7290 RES=0x00 SYN URGP=0 | |
| − | + | Oct 25 18:44:46 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.84 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO='''TCP''' SPT=31959 DPT='''21''' WINDOW=6280 RES=0x00 SYN URGP=0 | |
| − | + | 3) if some host probes 5 different ports within 60 seconds, so that none of | |
| − | + | the probed ports has been memorized as noisy within the last 1 hour, send | |
| + | an e-mail about the offending host to root@localhost. Note that ports | ||
| + | should be distinguished not only by port number but also by transport protocol | ||
| + | (in other words, ports 53/tcp and 53/udp must be considered different ports). | ||
| − | + | Also note that the detection should be done with a sliding window approach -- | |
| − | + | if the counting operation for some host has not seen enough events | |
| − | + | during 60 seconds, the 60 second detection window should be moved forward. | |
| − | |||
| − | |||
| − | + | After an e-mail alert has been issued about the host, disable further alerts | |
| − | + | for this host for 4 hours. | |
| − | an | ||
| − | |||
| − | Some hints for accomplishing this assignment: | + | For example, suppose the following events are observed and the port 21/tcp |
| − | * | + | has been previously memorized as noisy: |
| − | * consider the use of | + | |
| − | * | + | Oct 25 18:51:01 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO='''TCP''' SPT=16333 DPT='''25''' WINDOW=5840 RES=0x00 SYN URGP=0 |
| + | Oct 25 18:51:07 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO='''TCP''' SPT=34342 DPT='''80''' WINDOW=29200 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:51:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO='''TCP''' SPT=34342 DPT='''80''' WINDOW=29200 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:51:12 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO='''TCP''' SPT=47846 DPT='''21''' WINDOW=49640 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:51:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.93''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO='''TCP''' SPT=11652 DPT='''23''' WINDOW=7290 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:51:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO='''TCP''' SPT=47846 DPT='''445''' WINDOW=49640 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:52:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO='''TCP''' SPT=31959 DPT='''6000''' WINDOW=6280 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:52:03 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO='''TCP''' SPT=31959 DPT='''6001''' WINDOW=6280 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:52:05 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.7''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO='''TCP''' SPT=31959 DPT='''6002''' WINDOW=6280 RES=0x00 SYN URGP=0 | ||
| + | Oct 25 18:52:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC='''10.1.1.93''' DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO='''TCP''' SPT=11652 DPT='''23''' WINDOW=7290 RES=0x00 SYN URGP=0 | ||
| + | |||
| + | The event correlation rules must produce an alarm at Oct 25 18:52:05 about | ||
| + | offending host 10.1.1.7, since this host has accessed five distinct ports | ||
| + | 80/tcp, 445/tcp, 6000/tcp, 6001/tcp and 6002/tcp between Oct 25 18:51:07 | ||
| + | and Oct 25 18:52:05 (access attempt to noisy port 21/tcp at Oct 25 18:51:12 | ||
| + | must be ignored, while access attempt to port 25/tcp at Oct 25 18:51:01 does | ||
| + | not fit into the 60 second window). | ||
| + | |||
| + | === Some hints for accomplishing this assignment: === | ||
| + | |||
| + | * don't try to solve the whole assignment with just one rule, but rather write several rules which interact. | ||
| + | * in order to accomplish subtask 2 (detection of 15 minute event sequence with max 30 second intervals), use Single rules that set up two contexts with specific actions-on-expire. One context should have a fixed lifetime of 15 minutes, and the second one a rolling lifetime of 30 seconds that gets extended when an event from the event sequence is observed (see the slides 12-14 from module 7 for understanding this technique). For memorizing a noisy port, consider the creation of a context for this port (for example, NOISY_PORT_TCP_21 or NOISY_PORT_UDP_161). | ||
| + | * in order to accomplish subtask 3, consider the technique described in slides 17-18 from module 7. If you don't wish to use this technique, consider an alternative approach which has been described in Section 6.4 of the SEC tutorial (before reading Section 6.4, make sure you have understood the slides 34-38 from module 6). | ||
| + | * solution for subtask 3 must be fully functional even when port probing is conducted from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other). | ||
Apart from studying the examples from the course slides, have a look at the SEC | Apart from studying the examples from the course slides, have a look at the SEC | ||
| − | man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html). | + | man page (installed at the virtual machines or found at |
| + | https://simple-evcorr.github.io/man.html) and the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf) | ||
Viimane redaktsioon: 7. november 2023, kell 11:11
This homework assignment requires the knowledge from Modules 6 and 7.
Create SEC rules that accomplish the following event correlation task:
1) the rules must process netfilter firewall syslog events about blocked packets sent to local TCP and UDP ports. For example, the following two events represent accesses to local ports 23/tcp and 25/tcp which were blocked by the local firewall:
Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0 Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.104 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
2) if some port has been probed repeatedly during 15 minutes, so that time between two successive probes does not exceed 30 seconds, memorize that port for the following 1 hour as a "noisy port". For example, if at 18:30:06 the local netfilter firewall starts to log events about blocked access attempts to port 21/tcp, and such events continue to appear once in 3-4 seconds until 18:45:06, then the port 21/tcp should be memorized as a noisy port for 1 hour. On the other hand, if the following 5 events are seen in 15 minutes, the port 21/tcp must not be considered noisy, since the fourth and fifth event are separated by more than 30 seconds.
Oct 25 18:30:06 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 Oct 25 18:30:27 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.2 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0 Oct 25 18:30:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.29 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=21 WINDOW=49640 RES=0x00 SYN URGP=0 Oct 25 18:31:04 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=21 WINDOW=7290 RES=0x00 SYN URGP=0 Oct 25 18:44:46 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.84 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=21 WINDOW=6280 RES=0x00 SYN URGP=0
3) if some host probes 5 different ports within 60 seconds, so that none of the probed ports has been memorized as noisy within the last 1 hour, send an e-mail about the offending host to root@localhost. Note that ports should be distinguished not only by port number but also by transport protocol (in other words, ports 53/tcp and 53/udp must be considered different ports).
Also note that the detection should be done with a sliding window approach -- if the counting operation for some host has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.
After an e-mail alert has been issued about the host, disable further alerts for this host for 4 hours.
For example, suppose the following events are observed and the port 21/tcp has been previously memorized as noisy:
Oct 25 18:51:01 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 Oct 25 18:51:07 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 Oct 25 18:51:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 Oct 25 18:51:12 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=21 WINDOW=49640 RES=0x00 SYN URGP=0 Oct 25 18:51:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0 Oct 25 18:51:52 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=445 WINDOW=49640 RES=0x00 SYN URGP=0 Oct 25 18:52:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=6000 WINDOW=6280 RES=0x00 SYN URGP=0 Oct 25 18:52:03 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=6001 WINDOW=6280 RES=0x00 SYN URGP=0 Oct 25 18:52:05 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7439 DF PROTO=TCP SPT=31959 DPT=6002 WINDOW=6280 RES=0x00 SYN URGP=0 Oct 25 18:52:14 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.93 DST=10.13.25.59 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=23 WINDOW=7290 RES=0x00 SYN URGP=0
The event correlation rules must produce an alarm at Oct 25 18:52:05 about offending host 10.1.1.7, since this host has accessed five distinct ports 80/tcp, 445/tcp, 6000/tcp, 6001/tcp and 6002/tcp between Oct 25 18:51:07 and Oct 25 18:52:05 (access attempt to noisy port 21/tcp at Oct 25 18:51:12 must be ignored, while access attempt to port 25/tcp at Oct 25 18:51:01 does not fit into the 60 second window).
Some hints for accomplishing this assignment:
- don't try to solve the whole assignment with just one rule, but rather write several rules which interact.
- in order to accomplish subtask 2 (detection of 15 minute event sequence with max 30 second intervals), use Single rules that set up two contexts with specific actions-on-expire. One context should have a fixed lifetime of 15 minutes, and the second one a rolling lifetime of 30 seconds that gets extended when an event from the event sequence is observed (see the slides 12-14 from module 7 for understanding this technique). For memorizing a noisy port, consider the creation of a context for this port (for example, NOISY_PORT_TCP_21 or NOISY_PORT_UDP_161).
- in order to accomplish subtask 3, consider the technique described in slides 17-18 from module 7. If you don't wish to use this technique, consider an alternative approach which has been described in Section 6.4 of the SEC tutorial (before reading Section 6.4, make sure you have understood the slides 34-38 from module 6).
- solution for subtask 3 must be fully functional even when port probing is conducted from several hosts in parallel (for example, contexts maintained by different counting operations must not interfere with each other).
Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at https://simple-evcorr.github.io/man.html) and the SEC tutorial (https://simple-evcorr.github.io/SEC-tutorial.pdf)