Itx8071-task2

Source: Kursused
Revision as of 15 November 2017, 12:04 by Risto (talk | contribs)

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) The rules must process netfilter firewall syslog events about blocked packets. For example, the following two events represent two packets from host 192.168.1.67 which were blocked by the local firewall:

Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 
  LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0 
Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 
  LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 

The rules must also process Apache web server syslog events with status codes 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), and 405 (Method Not Allowed). For example, the following event represents a GET request from client 192.168.1.101 to URL /banner.png that was not found (status code 404):

Nov  6 19:05:37 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:05:37 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" 
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
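As an added illustration (not part of the assignment and not SEC's own code), the Python below shows the regular expressions one would put into SEC rules for the two event formats above and counts matching events per source address; the sample lines are constructed from the events quoted on this page plus an ICMP block and a status-200 request to show the non-port and non-matching cases.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the formats quoted in the assignment.
SAMPLE_EVENTS = [
    "Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0",
    "Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
    'Nov  6 19:05:37 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:05:37 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'Nov  6 19:05:38 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:05:38 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    "Oct 25 01:14:00 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.0.0.5 DST=192.168.1.107 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=123 SEQ=1",
]

# Netfilter "iptables:" events about blocked packets. SPT/DPT are optional so that
# protocols without ports (ICMP) still match.
IPTABLES_RE = re.compile(
    r"kernel: iptables: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Apache access events; only status codes 401, 403, 404 and 405 are of interest.
APACHE_RE = re.compile(
    r"apache: (?P<client>\S+) \S+ \S+ \[[^\]]+\] "
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>40[1345]) '
)


def parse_event(line):
    """Return a dict describing a matching event, or None for irrelevant lines."""
    m = IPTABLES_RE.search(line)
    if m:
        return {"type": "firewall", "src": m.group("src"), "dst": m.group("dst"),
                "proto": m.group("proto"), "dpt": m.group("dpt")}
    m = APACHE_RE.search(line)
    if m:
        return {"type": "web", "src": m.group("client"), "method": m.group("method"),
                "url": m.group("url"), "status": int(m.group("status"))}
    return None


def count_events_by_source(lines):
    """Count matching firewall and web events per source/client address."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event is not None:
            counts[event["src"]] += 1
    return dict(counts)
```

Per-source counters like this are the usual starting point for the thresholding and time-window logic the assignment asks for in SEC.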