Itx8071-task2

Allikas: Kursused
Redaktsioon seisuga 7. november 2014, kell 11:55 kasutajalt Risto (arutelu | kaastöö) (Uus lehekülg: 'This homework assignment requires the knowledge from Modules 6 and 7. Create SEC rules that accomplish the following event correlation task: 1) monitor sshd log events and det...')
(erin) ←Vanem redaktsioon | Viimane redaktsiooni (erin) | Uuem redaktsioon→ (erin)
Mine navigeerimisribale Mine otsikasti

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

1) monitor sshd log events and detect SSH probing from remote hosts, where the same non-existing user account is probed over SSH from 3 distinct IP addresses within 60 seconds or less.

For example, if the following events appear in the log

Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2 Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2 Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2 Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2 Nov 7 12:54:01 myhost sshd[10527]: Failed password for invalid user admin2 from 10.1.2.52 port 40106 ssh2 Nov 7 12:54:02 myhost sshd[10527]: Failed password for invalid user admin2 from 10.1.2.52 port 40106 ssh2 Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2

your SEC rule should detect SSH probing for non-existing use admin2, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9.

Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.

2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.

Some hints for accomplishing this assignment: - don't try to solve the whole assignment with just one rule, but rather write 

 several rules which interact,

- if SSH probing for some non-existing user account is detected (as described 

 in the first subtask), you could generate a relevant synthetic event for this
 user, in order to provide input for further event correlation rules.

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.sourceforge.net/man.html).

Pärit leheküljelt "http://courses.cs.taltech.ee/w/index.php?title=Itx8071-task2&oldid=989"