Itx8071-task2

Allikas: Kursused
Redaktsioon seisuga 15. november 2017, kell 12:08 kasutajalt Risto (arutelu | kaastöö)
Mine navigeerimisribale Mine otsikasti

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) The rules must process netfilter firewall syslog events about blocked packets. For example, the following two events represent two packets from host 192.168.1.67 which were blocked by the local firewall: 

Oct 25 01:13:02 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 
  LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=20049 DF PROTO=TCP SPT=44963 DPT=23 WINDOW=49640 RES=0x00 SYN URGP=0 
Oct 25 01:13:08 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=192.168.1.67 DST=192.168.1.107 
  LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=36362 DF PROTO=TCP SPT=56918 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0

The rules must also process Apache web server syslog events with status codes 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), and 405 (Method Not Allowed). For example, the following event represents GET request from client 192.168.1.101 to URL /banner.png that was not found (status code is 404): 

Nov  6 19:05:37 localhost apache: 192.168.1.101 - - [06/Nov/2016:19:05:37 +0200] "GET /banner.png HTTP/1.1" 404 208 "-" 
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"

2) if netfilter firewall blocked packet events and/or Apache events with 401 status codes have been seen from the same host repeatedly during 5 minutes, so that time between two successive events does not exceed 60 seconds, memorize that host for the following 1 hour as suspicious host (the time between the last event and the end of the 5-minute window must also not exceed 60 seconds).

For example, if the following events appear for host 10.1.1.7, this host should be memorized as suspicious, since in 5-minute window from 12:30:06 to 12:35:06 six events have been seen which are separated from each other by no more than 60 seconds (time gaps between events are 59, 55, 52, 58, and 51 seconds, while the gap between the last event and the end of the 5-minute window is 25 seconds). 

Nov 15 12:30:06 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=16333 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 12:31:05 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=23421 DF PROTO=TCP SPT=34342 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 15 12:32:00 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31442 DF PROTO=TCP SPT=47846 DPT=25 WINDOW=49640 RES=0x00 SYN URGP=0
Nov 15 12:32:52 localhost apache: 10.1.1.7 - - [15/Nov/2017:12:32:52 +0200] "GET / HTTP/1.1" 401 489
Nov 15 12:33:50 localhost kernel: iptables: IN=eth0 OUT= MAC=X SRC=10.1.1.7 DST=10.13.25.59 
  LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=17209 DF PROTO=TCP SPT=11652 DPT=143 WINDOW=7290 RES=0x00 SYN URGP=0
Nov 15 12:34:41 localhost apache: 10.1.1.7 - - [15/Nov/2017:12:34:41 +0200] "GET / HTTP/1.1" 401 489
Pärit leheküljelt "http://courses.cs.taltech.ee/w/index.php?title=Itx8071-task2&oldid=6076"