CST 610 Project 2
University of Maryland, Baltimore (Course 415, Information Systems), Dec 6, 2023
CST 610 Project 2
Cyberspace and Cybersecurity Foundations
Security Detective Monitoring Data
Analysis Template
Prepared By: Nikita Cooper
Version 1.0
Table of Contents
Introduction
Objectives
Definitions
Predictions
Methodology
Reflections
Introduction
The purpose of this work is to interact with the plaintext log files provided by FICBANK, search them efficiently, and identify any trends and anomalies in them.
Objectives
1. Prepare to assess FICBANK's security monitoring infrastructure.
2. Conduct a preliminary security monitoring data analysis.
Definitions
1. HTTP: HTTP, or HyperText Transfer Protocol, is the foundation of data communication on the internet. It is a set of rules that allows your web browser to request and receive information from web servers.
2. Binary data: Binary data is information represented using only two options: 0s and 1s. Think of it like a language where you can only say "yes" (1) or "no" (0). Computers use binary code to store and process data, with each 0 or 1 being a binary digit or "bit".
3. GET request: A GET request is like asking for information on the internet. When you type a website address into your browser and press enter, your browser sends a GET request to the server hosting that website.
4. IP address: An IP address, or Internet Protocol address, is like a digital label assigned to each device connected to a computer network. It serves two main purposes: host or network interface identification and location addressing.
5. URL: A URL, or Uniform Resource Locator, is like a web address that helps you find things on the internet.
Predictions
Document the predictions you made before starting the hands-on activity here.
1. What kinds of information do you think will be in the log file(s)?
Network traffic information of the device / client being used to access the server, as well as the requests made and the responses provided.
2. What information might not be in the log file(s)?
Data / information encrypted and transmitted securely may not be included in the log files.
3. What tools, techniques, and practices might be best suited to analyzing security monitoring data?
Methodology
1. ACCESS-1.LOG
A. How many GET requests were logged? 127
Command used: grep -c '"GET ' access-1.log
B. How many unique status codes were returned by the server? 6
Command used: awk '{print $9}' access-1.log | sort -u | wc -l
C. How large was the largest response body in bytes? 18
Command used: awk '$9 == 200 {print $10}' access-1.log | sort -nr | head -n 1
D. How many HTTP tunneling attempts were made? 10
Command used: grep -c 'CONNECT ' access-1.log
E. How many entries have completely invalid request lines containing raw binary data? 1
Command used: [PS] (Get-Content -Path .\access-1.log) -match "[^\x09\x0A\x0D\x20-\x7E]" | Measure-Object | Select-Object -ExpandProperty Count
F. Of those invalid entries, how many are likely the result of an attempt to establish an SSL or TLS connection? 1
Command used: [PS] (Get-Content -Path .\access-1.log) -match "[^\x09\x0A\x0D\x20-\x7E]" -match "SSL|TLS" | Measure-Object | Select-Object -ExpandProperty Count
G. How many unique user agents were observed, excluding empty or missing user agents? 108
Command used: Get-Content -Path .\access-1.log | ForEach-Object {
$fields = $_ -split '"'
$userAgent = $fields[-2].Trim()
if ($userAgent -and $userAgent -ne '-') { $userAgent }
} | Sort-Object -Unique | Measure-Object | Select-Object -ExpandProperty Count
H. How many requests were made by Firefox? 11
Command used: Get-Content -Path .\access-1.log | ForEach-Object {
$fields = $_ -split '"'
$userAgent = $fields[-2].Trim()
if ($userAgent -like '*Firefox*') { $userAgent }
} | Measure-Object | Select-Object -ExpandProperty Count
I. How many attempts were made to exploit CVE-2020-8515? 2
Command used: grep -c 'cgi-bin/mainfunction.cgi' access-1.log
2. APACHE LOGS
A. How many lines are there in the log file in total? 10,000
Command used: wc -l apache_logs
B. How many unique IPs are there in the log file? 1753
Command used: awk '{print $1}' apache_logs | sort | uniq -c | wc -l
C. Which IP address sent the server the most traffic? 66.249.73.135 (482 times)
Command used: awk '{print $1}' apache_logs | sort | uniq -c | sort -nr | head -n 1
D. Which URL was visited most often? /favicon.ico (807 times)
Command used: awk '{print $7}' apache_logs | sort | uniq -c | sort -nr | head -n 1
E. What is the total count of requests which got a 200 response? 9126
Command used: awk '$9 == 200 {print}' apache_logs | wc -l
3. ACCESS-2.LOG
A. How many GET requests were made? 60
Command used: grep -c 'GET' access-2.log
B. How many unique IP addresses made requests? 48
Command used: awk '{print $1}' access-2.log | sort | uniq | wc -l
C. How many different IP addresses reached the server? 48
Command used: awk '{print $1}' access-2.log | sort | uniq | wc -l
D. How many requests yielded a 200 status? 19
Command used: awk '$9 == 200 {print}' access-2.log | wc -l
E. How many requests yielded a 400 status? 16
Command used: awk '$9 == 400 {print}' access-2.log | wc -l
F. What IP address rang the doorbell? 0
Command used: grep 'doorbell' access-2.log | awk '{print $1}' | sort | uniq
G. What version of the Googlebot visited the website? Googlebot/2.1
Command used: grep 'Googlebot' access-2.log | awk '{print $14}' | sort | uniq
H. Which IP address attempted to exploit the Shellshock vulnerability? 61.161.130.241
Command used: grep 'bash' access-2.log | awk '{print $1}' | sort | uniq
I. What was the most frequent version of Firefox used for browsing the website? 12 NT
Command used: grep 'Firefox' access-2.log | awk '{print $14}' | sort | uniq -c | sort -nr | head -n 1
J. What is the most common HTTP method used? "GET (60 times)
Command used: awk '{print $6}' access-2.log | sort | uniq -c | sort -nr | head -n 1
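As an added example (not part of this worksheet or of FICBANK's materials), the same kinds of counts computed in Python over constructed sample lines. It parses the combined log format with a regex rather than positional fields, so a request line or user agent containing spaces or binary bytes cannot shift the status and size columns the way it can in `awk '{print $9}'`; the sample lines and the TLS ClientHello heuristic for question F are assumptions of this example.

```python
import re
from collections import Counter

# Combined log format parsed with a regex instead of positional awk fields: a request
# line or user agent controlled by the client may contain spaces or binary bytes that
# shift the status and size columns ($9/$10) in `awk '{print $9}'`.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
NON_PRINTABLE = re.compile(r"[^\x09\x0A\x0D\x20-\x7E]")  # same class as the [PS] command

# Constructed sample lines (not FICBANK data). The last one is a raw TLS ClientHello
# (record type 0x16, version 0x03xx) sent to a plain-HTTP port, i.e. an invalid request
# line of the kind questions E and F ask about.
SAMPLE = """\
192.0.2.10 - - [10/Dec/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/120.0"
192.0.2.10 - - [10/Dec/2023:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/120.0"
198.51.100.7 - - [10/Dec/2023:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [10/Dec/2023:10:00:04 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :; }; /bin/bash -c id"
203.0.113.5 - - [10/Dec/2023:10:00:05 +0000] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "-"
203.0.113.5 - - [10/Dec/2023:10:00:06 +0000] "\x16\x03\x01\x00\xa5\x01\x00" 400 0 "-" "-"
""".splitlines()

def parse(lines):
    """Return one dict per line that matches the combined log format."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def summarize(lines):
    """Answer the worksheet's counting questions over parsed log lines."""
    rows = parse(lines)
    reqs = [r["req"] for r in rows]
    uas = [r["ua"] or "" for r in rows]
    binary = [q for q in reqs if NON_PRINTABLE.search(q)]
    paths = [q.split(" ")[1] for q in reqs if q.count(" ") >= 2]
    return {
        "get": sum(q.startswith("GET ") for q in reqs),
        "connect": sum(q.startswith("CONNECT ") for q in reqs),  # HTTP tunnelling attempts
        "status_codes": sorted({r["status"] for r in rows}),
        "largest_body": max(int(r["size"]) for r in rows if r["size"] != "-"),
        "unique_ips": len({r["ip"] for r in rows}),
        "top_ip": Counter(r["ip"] for r in rows).most_common(1)[0],
        "top_url": Counter(paths).most_common(1)[0],
        "ok_200": sum(r["status"] == "200" for r in rows),
        "binary_requests": len(binary),
        "tls_hellos": sum(q.startswith("\x16\x03") for q in binary),  # TLS record header
        "user_agents": len({u for u in uas if u and u != "-"}),
        "firefox": sum("Firefox/" in u for u in uas),
        "shellshock_ips": sorted({r["ip"] for r in rows if "() {" in (r["ua"] or "")}),
    }
```

Run `summarize(SAMPLE)` to get all answers as one dict; on the real logs, pass `open(path, encoding="latin-1").read().splitlines()` so binary bytes survive decoding.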
Reflections
Provide a thorough and critical analysis for each of the following questions. Everyone must answer the General questions. If you want a challenge, take on the Technical questions too!
General:
1. What tools did you use to collect and query security monitoring data?
The tools that I used to collect and query data are:
i. A basic text editor with search capability, i.e. Notepad++. This gave me a general look at the log files and the type of data they contain, although not much information could be searched.
ii. WSL Linux. Windows Subsystem for Linux provided me with the best platform to upload and query all the commands to answer the questions asked for this task. It is easy to query and obtain the desired results.
2. What data sources did you analyze during the project?
During the project, I analyzed three log files from FICBANK to identify any trends and anomalies in plaintext log files.
3. How did you validate the accuracy of the security monitoring data?
I validated the accuracy of the security monitoring data by using different command-line platforms, referencing logs against established baselines, using checksums and digital signatures, and employing anomaly detection.
4. What challenges did you face when analyzing the security monitoring data?
There were several challenges I faced when analyzing the security monitoring data. First, the basic text editors had limited search capabilities and this was rather annoying. Some log files contained many lines and this made it a little difficult to obtain results on time.
Technical:
1. What insights did you gain about the types of attacks that FICBANK may face based on the security monitoring data analysis?
2. How did you approach identifying patterns and anomalies in the security monitoring data?
3. What methodologies did you use to conduct the practice analysis of the security monitoring data?