Itx8071-task2

Source: Kursused
Revision as of 7 November 2018, 15:33 by Risto (talk | contribs)

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) if netfilter firewall blocked-packet events have been seen for the same host, such that the host has probed 5 distinct TCP and/or UDP ports within 2 minutes, memorize that host as a suspicious host for the following 1 hour.

Note that ports must be distinguished not only by port number but also by transport protocol (for example, 53/tcp and 53/udp must be regarded as different ports).

For example, if the following events appear for host 192.168.56.1, this host should be memorized as suspicious, since it has probed 5 distinct ports 161/udp, 21/tcp, 23/tcp, 25/tcp, and 123/udp within 2 minutes:

Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12
Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12
Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12

2) if a host has been previously memorized as suspicious, and from this host 3 distinct non-existing user accounts are probed over SSH within 1 minute, send an alert e-mail to the local root user (root@localhost). After the e-mail has been sent, disable all further alert e-mails for the same host for the following 3 hours.

For example, suppose the host 192.168.57.13 has been memorized as suspicious less than 1 hour ago, and the following events are observed:

Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.57.13 port 36404 ssh2
Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.57.13 port 36404 ssh2
Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.57.13 port 36406 ssh2
Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.57.13 port 36412 ssh2
Nov  7 14:36:51 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.57.13 port 36412 ssh2

Since 3 distinct non-existing user accounts admin, oracle, and sybase have been probed over SSH from suspicious host 192.168.57.13 within 1 minute, an alert message about this host (e.g., "SSH probing of non-existing user accounts from 192.168.57.13") must be sent to root@localhost via e-mail. Also, further alerting must be disabled for host 192.168.57.13 for 3 hours.
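To make the expected behaviour of both tasks concrete, the following is an added Python model of the two-stage correlation; it is not part of the assignment and is not a set of SEC rules. It parses the two event types with regular expressions, keeps a sliding window of distinct (protocol, port) keys per source host for task 1, a table of suspicious hosts with an expiry time, a sliding window of distinct invalid user names per suspicious host for task 2, and a per-host alert suppression table. In SEC terms, the two expiring tables roughly correspond to contexts created with a lifetime, and the two windows to threshold-type rules. Assumptions: syslog timestamps carry no year, so 2018 is taken from the page's revision date; the time at which 192.168.57.13 was memorized (14:00:00) and the non-suspicious host 192.168.57.99 are constructed for the example; the e-mail action is replaced by recording the alert message.

```python
import re
from datetime import datetime, timedelta

# Syslog lines carry no year; 2018 is assumed from the page's revision date.
ASSUMED_YEAR = 2018
SYSLOG_TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FW_RE = re.compile(SYSLOG_TS + r" \S+ kernel: iptables: .*?SRC=(\d+\.\d+\.\d+\.\d+) "
                   r".*?PROTO=(TCP|UDP) .*?DPT=(\d+)")
SSH_RE = re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed \S+ for invalid user (\S+) "
                    r"from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2")

# Constructed sample input: the assignment's example events, one event per string.
FIREWALL_EVENTS = [
    "Nov  7 14:14:48 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32591 DF PROTO=UDP SPT=46062 DPT=161 LEN=12",
    "Nov  7 14:15:06 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=34001 DF PROTO=UDP SPT=37036 DPT=161 LEN=12",
    "Nov  7 14:15:18 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37323 DF PROTO=TCP SPT=38954 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:15:22 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3465 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:15:23 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3466 DF PROTO=TCP SPT=51418 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:16:01 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60601 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:16:02 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60602 DF PROTO=TCP SPT=50250 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  7 14:16:46 localhost kernel: iptables: IN=enp0s8 OUT= MAC=08:00:27:ce:72:9a:0a:00:27:00:00:00:08:00 SRC=192.168.56.1 DST=192.168.56.103 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=39224 DF PROTO=UDP SPT=41553 DPT=123 LEN=12",
]
SSH_EVENTS = [
    "Nov  7 14:36:09 localhost sshd[1336]: Failed none for invalid user admin from 192.168.57.13 port 36404 ssh2",
    "Nov  7 14:36:10 localhost sshd[1336]: Failed password for invalid user admin from 192.168.57.13 port 36404 ssh2",
    "Nov  7 14:36:16 localhost sshd[1338]: Failed password for invalid user oracle from 192.168.57.13 port 36406 ssh2",
    "Nov  7 14:36:50 localhost sshd[1340]: Failed none for invalid user sybase from 192.168.57.13 port 36412 ssh2",
    "Nov  7 14:36:51 localhost sshd[1340]: Failed password for invalid user sybase from 192.168.57.13 port 36412 ssh2",
]


def parse_ts(text):
    """Parse a syslog timestamp such as 'Nov  7 14:14:48' (year assumed)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


class Correlator:
    """Two-stage correlator: port-probe window -> suspicious host -> SSH user window -> alert."""
    PORT_THRESHOLD, PORT_WINDOW = 5, timedelta(minutes=2)
    SUSPICIOUS_TTL = timedelta(hours=1)
    USER_THRESHOLD, USER_WINDOW = 3, timedelta(minutes=1)
    ALERT_SUPPRESS = timedelta(hours=3)

    def __init__(self):
        self.port_probes = {}   # host -> {(proto, port): last seen}
        self.suspicious = {}    # host -> time until which the host stays suspicious
        self.user_probes = {}   # host -> {user name: last seen}
        self.suppressed = {}    # host -> time until which alerts for it are muted
        self.alerts = []        # (timestamp, host, message) for every alert "sent"

    @staticmethod
    def _distinct_in_window(table, key, ts, window):
        """Record key at ts, forget keys last seen before ts - window, return the count."""
        table[key] = ts
        for k in [k for k, seen in table.items() if seen < ts - window]:
            del table[k]
        return len(table)

    def mark_suspicious(self, host, ts):
        self.suspicious[host] = ts + self.SUSPICIOUS_TTL

    def is_suspicious(self, host, ts):
        until = self.suspicious.get(host)
        return until is not None and ts < until

    def feed(self, line):
        """Process one log line; return the alert message if one is raised, else None."""
        m = FW_RE.match(line)
        if m:
            ts, host, proto, port = parse_ts(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            probes = self.port_probes.setdefault(host, {})
            if self._distinct_in_window(probes, (proto, port), ts, self.PORT_WINDOW) >= self.PORT_THRESHOLD:
                self.mark_suspicious(host, ts)   # task 1: remember the host for 1 hour
                probes.clear()
            return None
        m = SSH_RE.match(line)
        if m:
            ts, user, host = parse_ts(m.group(1)), m.group(2), m.group(3)
            if not self.is_suspicious(host, ts) or ts < self.suppressed.get(host, ts):
                return None                      # not suspicious, or alerts still muted
            users = self.user_probes.setdefault(host, {})
            if self._distinct_in_window(users, user, ts, self.USER_WINDOW) >= self.USER_THRESHOLD:
                msg = "SSH probing of non-existing user accounts from %s" % host
                self.alerts.append((ts, host, msg))   # task 2: the e-mail to root@localhost goes here
                self.suppressed[host] = ts + self.ALERT_SUPPRESS
                users.clear()
                return msg
        return None


def run_example():
    """Replay the assignment's sample events through both stages and report what happened."""
    c = Correlator()
    for line in FIREWALL_EVENTS:
        c.feed(line)
    scan_host = c.is_suspicious("192.168.56.1", parse_ts("Nov  7 14:17:00"))
    # Task 2 set-up as in the assignment: 192.168.57.13 was memorized as suspicious
    # less than an hour earlier (14:00:00 is a constructed time).
    c.mark_suspicious("192.168.57.13", parse_ts("Nov  7 14:00:00"))
    first_pass = [c.feed(line) for line in SSH_EVENTS]
    # Same probes two minutes later: still inside the 3-hour suppression, so no alert.
    replay = [c.feed(line.replace("14:36:", "14:38:")) for line in SSH_EVENTS]
    # Same probes from a host never memorized as suspicious (constructed address): no alert.
    unknown = [Correlator().feed(line.replace("192.168.57.13", "192.168.57.99")) for line in SSH_EVENTS]
    return {"scan_host_suspicious": scan_host, "first_pass": first_pass,
            "replay": replay, "unknown_host": unknown, "alerts_sent": len(c.alerts)}
```

Running `run_example()` flags 192.168.56.1 only on the eighth firewall event (the fifth distinct port, 123/udp), raises exactly one alert for 192.168.57.13 on the sybase event at 14:36:50, and returns None for everything afterwards within the suppression period. Distinctness is tracked by the last time each key was seen, so a port or user name re-probed inside the window stays counted; the alternative of keeping the first sighting is also defensible, and an SEC rule set has to make the same choice explicitly.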