Assignment 7 - Preparing for Attacks
School: Florida International University
Course: 4752, Information Systems
Date: Dec 6, 2023
Uploaded by swill325
Sahqueen Williams
October 15, 2023
6095451
Assignment 7
Preparing for Attacks
Using alternate sources of information when conducting a network forensics investigation:
NetFlow, log files and event monitors.
1)
Netflow
Netflow data or flow records can be generated by a routing or switching device as the traffic
naturally flows through the network.
The flow summary records are then ‘exported’ or sent over
the network to a collector for analysis and storage. Once netflow data has been exported to the
collector it is permanently discarded by the exporting device. The netflow collector is a service
that is listening on a remote server that collects, processes and stores the netflow records.
A typical network flow contains several pieces of information that would be of interest during a
digital forensic investigation.
The seven default fields that comprise a network flow are the
source and destination IP addresses, source and destination ports, IP protocol in use, ingress
interface and the IP type of service.
Once a unique netflow is detected by observing the above
seven attributes the exporter will also capture the start and finish time of the flow, as well as the
number of packets and bytes observed.
The netflow record itself does not contain any content of
the observed traffic; this could prove to be a sore point in a forensic investigation.
While the metadata provided does not provide an in-depth insight into the contents of the data, it
provides enterprise-wide visibility into all activities across a network. Also, the metadata
provided is invaluable in carrying out network forensics or investigations. The fact that NetFlow
is a built-in feature that can easily be switched on in most network devices buttresses its
effectiveness in providing end-to-end network visibility.
Another beauty of NetFlow in network monitoring and analysis is in its ability to provide
historical records. The historical records are essential in investigating persistent attacks. It makes
it easier to retrace where an attack came from initially, the command and control channels that
the attack initiated, the information that was extracted, as well as all other devices that were
affected. Also, real-time reports help analysts react faster to incidents as they occur and
proffer instant solutions.
NETFLOW FILES
This file contains the bidirectional NetFlows generated by Argus.
TRAFFIC ANALYSIS
This dataset corresponds to a Neris botnet that ran for 6.15 hours in a university network. The
botnet used an HTTP-based C&C channel and not an IRC C&C. The actions of the botnet were
to communicate using several C&C channels and then to try to send SPAM, to actually send
SPAM and to perform click-fraud using some advertisement services.
The following connection is an example of a real C&C channel that sent a few flows and is
not periodic. An example of the commands sent is:
POST /?c799959d9582d499959791949482d19995939782d2999790969182c699959c949c92
959c82c0999582d79995969c959d9d9482c199e79ef8f3edeae0ebf3f7f8f0e1e9f4f893ccd
dddcccad3c28ac1dcc182c399cdcacdd0a4 HTTP/1.1
HTTP/1.1 200 OK
Date: Wed, 10 Aug 2011 09:41:53 GMT
Server: Apache/2.2.8 (Fedora) DAV/2 PHP/5.2.6 mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8
CB2=212.117.171.138:65500
The following connection is an unencrypted C&C channel where we can see the commands, and it is a
good representative of the C&C connections.
POST /snapbn/gate.php HTTP/1.0
Host: finalcortex.com
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
id=SARUMAN_610d402662842e9f&version=1337&os=2600&s5=6906
HTTP/1.1 200 OK
Date: Wed, 10 Aug 2011 09:08:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 3
Connection: close
Content-Type: text/plain; charset=UTF-8
With the given file netflow.dat, which of these flows would you think are suspicious and why?
These flows are suspicious due to the unusually high data transfer rates, along with the multiple
attempts to connect to multiple ports from one IP address. There is also a high volume of port usage
over an extended period of time.
What IPs are associated with these flows?
147.32.84.229
74.125.232.194
147.32.80.9.53
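As an added example (not part of the original assignment or of the dataset it describes), the Python script below applies the two criteria used in the answer above, one source touching many destination ports and an unusually large transfer, to a handful of constructed NetFlow-style records laid out with the fields described in the NetFlow section (protocol, addresses, ports, packets, bytes). The netflow.dat file is not read; the sample records, the documentation-range addresses and the thresholds are assumptions.

```python
# Added example, not part of the assignment: apply the criteria from the answer
# above (one source probing many ports; unusually large transfers) to a small,
# constructed set of NetFlow-style records. Addresses are documentation ranges.
from collections import defaultdict

# Columns follow the flow layout described above: proto, src, sport, dst, dport, pkts, bytes.
SAMPLE_FLOWS = """\
tcp,192.0.2.10,51000,198.51.100.5,80,12,1800
tcp,192.0.2.77,40001,198.51.100.9,21,1,60
tcp,192.0.2.77,40002,198.51.100.9,22,1,60
tcp,192.0.2.77,40003,198.51.100.9,23,1,60
tcp,192.0.2.77,40004,198.51.100.9,25,1,60
tcp,192.0.2.77,40005,198.51.100.9,80,1,60
tcp,192.0.2.10,51002,203.0.113.40,8080,9000,12500000
"""
FIELDS = ("proto", "src", "sport", "dst", "dport", "pkts", "bytes")

def parse_flows(text):
    """Parse comma-separated flow lines into dicts with numeric counters."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        for key in ("sport", "dport", "pkts", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows

def find_suspicious(flows, port_threshold=5, bytes_threshold=1_000_000):
    """Return {src_ip: [reasons]}: >= port_threshold distinct ports on one host
    is scan-like; >= bytes_threshold bytes sent in total is a bulk transfer."""
    ports = defaultdict(set)      # (src, dst) -> set of destination ports
    sent = defaultdict(int)       # src -> total bytes
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
        sent[f["src"]] += f["bytes"]
    verdicts = defaultdict(list)
    for (src, dst), dports in ports.items():
        if len(dports) >= port_threshold:
            verdicts[src].append(f"{len(dports)} ports on {dst} (scan-like)")
    for src, total in sent.items():
        if total >= bytes_threshold:
            verdicts[src].append(f"{total} bytes sent (large transfer)")
    return dict(verdicts)

def involved_ips(flows, verdicts):
    """All addresses that appear in any flow from a flagged source."""
    return sorted({ip for f in flows if f["src"] in verdicts
                   for ip in (f["src"], f["dst"])})
```

Calling `involved_ips(flows, find_suspicious(flows))` on the parsed sample answers the "which IPs are associated" question for that sample; real flow records would be converted to the same seven columns first.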
2)
Syslog
To determine which log files are used on Linux to store information, we need to find the names of
the log files. To determine these files, navigate to the /etc directory on Kali (a Linux-based system)
and view the contents of the rsyslog.conf file.
cd /etc
sudo cat rsyslog.conf
Which of the entries is not actually a log file record: Global directives; it is just setting the default
permissions
Provide a list of the standard log files that are actually maintained: Modules & Rules
Now that you know where and which log files are being generated and updated, let's see a few of
them.
Go to the directory where all log files reside: cd /var/log
a)
Let's see all of the authentication events. Enter
sudo cat auth.log
b)
Now, let's see how many times sudo has been used since you started using Kali to run
different commands. Enter sudo cat auth.log | grep sudo
c)
To get an actual count, try sudo cat auth.log | grep sudo | wc -l
13
(note: cat lists the content of the file, grep sudo identifies all lines that contain sudo and displays
them, and wc -l counts the number of lines; the | operator pipes, or sends, the output of one program
(on the left) to the input of another program (on the right))
d)
The kern.log file stores kernel-related messages or events. Enter the following to see the
last 20 lines in the file:
tail -n 20 kern.log
What is the last line?
e)
Now, let's see the syslog file, which stores all events except auth events. Enter the
following: sudo more syslog
Press Enter to see the next page of information and type Ctrl-C to stop.
f)
Enter sudo cat syslog | grep NetworkManager | more
What is the IP address used for this command? List them all.
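As an added example that is not part of the assignment, the Python script below performs the checks from steps b), c) and f) on constructed auth.log and syslog lines, so the sudo line count, the actual sudo invocations (including a denied one) and the addresses on NetworkManager lines come back as values rather than terminal output. The log lines and the regular expressions are assumptions based on the usual syslog layout of those messages.

```python
# Added example, not part of the assignment: the auth.log and syslog checks in
# steps b), c) and f) done in Python, so the sudo count and the NetworkManager
# addresses come back as values instead of terminal output. Log lines below are
# constructed samples in the usual syslog layout.
import re

AUTH_LOG = """\
Oct 15 10:02:11 kali sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/cat /etc/rsyslog.conf
Oct 15 10:02:11 kali sudo: pam_unix(sudo:session): session opened for user root(uid=0) by kali(uid=1000)
Oct 15 10:02:11 kali sudo: pam_unix(sudo:session): session closed for user root
Oct 15 10:05:40 kali sudo:     kali : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat auth.log
Oct 15 10:06:02 kali sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/id
Oct 15 10:07:00 kali sshd[900]: Accepted publickey for kali from 192.0.2.20 port 50222 ssh2
"""

SYSLOG = """\
Oct 15 10:00:01 kali NetworkManager[612]: <info>  dhcp4 (eth0): option ip_address => '192.0.2.15'
Oct 15 10:00:01 kali NetworkManager[612]: <info>  dhcp4 (eth0): option routers => '192.0.2.1'
Oct 15 10:00:01 kali NetworkManager[612]: <info>  dhcp4 (eth0): option domain_name_servers => '192.0.2.1 198.51.100.53'
Oct 15 10:00:02 kali systemd[1]: Started Session 3 of user kali.
"""

# Matches the command-invocation line sudo writes (user, and whether it was denied).
SUDO_RE = re.compile(r" sudo:\s+(\S+) : (user NOT in sudoers ; )?.*COMMAND=(.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def count_sudo_lines(text):
    """Same number as `grep sudo | wc -l`: every line mentioning sudo."""
    return sum(1 for line in text.splitlines() if "sudo" in line)

def sudo_invocations(text):
    """Only the real invocation records, as (user, command, allowed) tuples."""
    out = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            out.append((m.group(1), m.group(3), m.group(2) is None))
    return out

def networkmanager_ips(text):
    """All IPv4 addresses seen on NetworkManager lines, like step f)."""
    ips = set()
    for line in text.splitlines():
        if "NetworkManager" in line:
            ips.update(IPV4_RE.findall(line))
    return sorted(ips)
```

Note that `count_sudo_lines` also counts the pam_unix session lines, which is why the grep count in step c) is higher than the number of commands actually run; `sudo_invocations` separates the two.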
3)
Windows Event Manager
Open the Event Viewer (in the search box, enter Event Viewer). Once in the Event Viewer, select
Security from the left-hand panel, then search for the first event with the Security ID
LOCAL SERVICE, select Details and indicate:
SubjectDomainName: NT AUTHORITY
4)
PowerShell
To use PowerShell in admin mode and have access to the Security event log, at the app
search box enter Windows PowerShell and, instead of pressing Enter, use Ctrl-Shift-Enter and
select Yes for admin mode. Now you can view all logs; to stop long output, press Ctrl-C.
Get-WinEvent -LogName "System"
Get-WinEvent -LogName "System" -MaxEvents 20
What is the code and name of the first event: Code 16, Name: Information