BlumensteinElliott_CST610_Project2 (3).docx
University of Maryland, Course 610, Subject: Information Systems. Date: Jan 9, 2024. 17 pages. Uploaded by afeeblemind.
CST 610 Project 2
Cyberspace and Cybersecurity Foundations
Security Detective Monitoring Data Analysis Template
Prepared By: Elliott Blumenstein
Version 1.0
Table of Contents
Introduction
Objectives
Definitions
Predictions
Methodology
Reflections
Introduction
The Security Assessment Report exposed FICBank’s services and vulnerability. At the owner's request, this report will be a deep dive into the ability of FICBank's IT Infrastructure to detect, analyze, and assess potential threats. We will use various tools to access the logs of the machine and systems to provide a preliminary analysis of the results.
Objectives
1. Prepare to assess FICBANK’s security monitoring infrastructure.
2. Conduct a preliminary security monitoring data analysis.
Definitions
During our analysis, there will be some keywords that the client will need help understanding. Below, we explain some essential terms that describe what we are analyzing.
“Log files – or simply ›logs‹ – are automatically generated text files that record specific technical information of a broad range of events taking place in a computer system or software application such as date, time, and type of event or executed action” (Strippel, 2020, p. 320).
GET request (in the log file) - “HTTP communication consists of a retrieval request” (Roy T. Fielding, 2014).
HTTP status code - three-digit numbers generated by a server to respond to a browser’s request (A, 2023). The XX portion of the status stands for the more specific codes within each class, not just 200, 300, and 400:
- 2XX: the request was successful.
- 3XX: the request has more than one possible response.
- 4XX: the server cannot or will not process the request due to something perceived to be a client error.
Secure Sockets Layer (SSL) - “a standard security technology for establishing an encrypted link between a server and a client” (SSL Security Definition, n.d.).
Transport Layer Security (TLS) – “one of the most widely used security protocols on the web for ensuring secured network communication” (Chen, 2019, p. 1).
Predictions
When looking at these log files, we should expect to find lines regarding IP addresses used to browse URLs. We should see the IP address, the time the URL was accessed, what URL was browsed, and the status code indicating whether the request was successful or resulted in an error. There should be an HTTP response size in bytes. The URL should be present in each line of the log file as well. These are the kinds of information we should see when we analyze the log files, but there is also some information we may not be able to see in the log files.
Log files hold much valuable information for monitoring and troubleshooting, but they may not always contain every piece of information. When visiting URLs, the user might be accessing visual or graphic information; we will not see that, since log files are text-based and do not capture audio or multimedia content. The log files capture actions as they occur and might not provide historical information, so we do not expect to see all the historical information, which might require additional resources. When discussing resources, we must use specific resources to analyze the log files. We should use a text editor to find certain aspects of the log. Also, we will use the program Spyder to write Python code to produce specific outputs, which we will discuss later in the analysis portion.
Methodology
Access-1.log
The "GET" requests were easy to count. Using the program Notepad++ and the command CTRL+F, you could go into the find window, search for GET, and receive a count of 127.
Above is a Python program written in Spyder; I had done some research and played with the code, but the code allowed me to have an output that gave the number of unique status codes. In the code, the element counts how many spaces it took to find it. Also, using specific programs that allowed me to get the correct code helped. With that, I got an output of five unique status codes.
The largest response body in bytes that Spyder gave me was 561 bytes. The number of bytes usually follows the status code. Example:
64.233.172.114 - - [02/May/2020:08:23:11 +0000] "GET /favicon.ico HTTP/1.1" 404 561 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
The highlighted section (404) is the status code, and right after it (561) is how big the response was.
HTTP tunneling is used to create a network between two computers. Using the code, we were able to see that ten attempts were made. HTTP Tunneling is “used to create a network link between two computers in conditions of restricted network connectivity including firewalls, NATs, and ACLs among other restrictions” (Shyam, 2019). One hundred fifty-six entries have invalid request lines containing raw binary data. An invalid request line is an HTTP request line that does not conform to the format of an HTTP request.
Of those 156, ten requests are possibly attempts to establish an SSL or TLS connection; it is a possibility that invalid entries could be such attempts. Those attempts could be found by searching for “CONNECT”, which is an HTTP request method. User agents are computer programs that represent a browser. Using Notepad++, Mozilla is the browser being used, and there were 82 unique user agents. Firefox Mozilla is a type of browser, like Google Chrome or Microsoft Edge. Using the code in the image, eleven requests were made. Also, using text-view programs, searching for Mozilla will show you how many requests were made using that browser.
There were two attempts made to exploit CVE-2020-8515. CVE-2020-8515 was a vulnerability, listed in the National Vulnerability Database, that allowed remote code execution without authentication. Using Notepad++, I was able to search for cgi-bin/mainfunction, and that was how I found the two attempts.
Apache_logs.txt
Using Notepad++, we opened the log file and saw 10000 lines' worth of log data. Each line in the log corresponded with a line number in the text editor program.
There were a total of 1788 unique IP addresses. The log file shows numerous IP addresses, but most of those IP addresses are duplicates of the 1788. Using this code, we were able to get an accurate output of how many unique IP addresses there were.
The IP address that received the most traffic was 66.249.73.135. The IP address received 482 requests. An IP receiving a request means that a request to a website has been made, and the computer where that request comes from needs to know where the website resides. The URL that was visited the most was http://semicomplete.com/presentations/logstash-puppetconf-2012/. This site was visited 689 times. Two programs had to be used in order to find this out. LogViewPlus was used to sort the URLs, and Notepad++ was used to get the count of the most viewed URL. HTTP status codes are responses from the server to a browser.
2XX - Successful request; the browser received information.
3XX - Redirected; more action is required.
4XX - The page could not be reached.
5XX - Server error.
Within this log file, 9126 requests have a 200 response, which means the requests were successful.
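The report's Spyder scripts survive only as images, so the following is an added example, not the report's own code: a Python script that parses Apache combined-format lines and derives the counts discussed for Access-1.log and Apache_logs.txt (GET and CONNECT requests, invalid request lines with raw binary, unique status codes, largest response body, unique user agents and IPs, top IP and URL, status classes). The sample lines are constructed except for the favicon entry quoted above; the regular expressions are this example's own, not the report's.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A well-formed HTTP request line: METHOD SP request-target SP HTTP-version
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d$')

# Constructed sample, not the report's log files. Line 1 is the favicon entry quoted in
# the report; the last line's request is raw binary (a TLS handshake record) that Apache
# wrote as \xNN escapes, the kind of "invalid request line" the report counts.
SAMPLE_LOG = r'''64.233.172.114 - - [02/May/2020:08:23:11 +0000] "GET /favicon.ico HTTP/1.1" 404 561 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
66.249.73.135 - - [02/May/2020:08:25:40 +0000] "GET /presentations/logstash-puppetconf-2012/ HTTP/1.1" 200 3042 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.73.135 - - [02/May/2020:08:26:02 +0000] "GET /presentations/logstash-puppetconf-2012/ HTTP/1.1" 200 3042 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [02/May/2020:08:30:15 +0000] "CONNECT example.com:443 HTTP/1.1" 405 221 "-" "-"
198.51.100.9 - - [02/May/2020:08:31:00 +0000] "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" 400 226 "-" "-"'''


def analyze(log_text):
    """Return the per-log counts the report derives, from one access log given as text."""
    entries, invalid, binary = [], 0, 0
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # drop non-matching lines
        e = m.groupdict()
        r = REQUEST_RE.match(e["request"])
        if r is None:  # request line does not conform to HTTP request syntax
            invalid += 1
            binary += r"\x" in e["request"]  # Apache escapes non-printable bytes as \xNN
            e["method"], e["url"] = None, None
        else:
            e.update(r.groupdict())
        entries.append(e)
    ips = Counter(e["ip"] for e in entries)
    urls = Counter(e["url"] for e in entries if e["url"])
    sizes = [int(e["size"]) for e in entries if e["size"] != "-"]
    return {
        "get_requests": sum(e["method"] == "GET" for e in entries),
        "connect_attempts": sum(e["method"] == "CONNECT" for e in entries),  # HTTP tunnelling
        "invalid_request_lines": invalid,
        "invalid_with_raw_binary": binary,
        "unique_status_codes": len({e["status"] for e in entries}),
        "largest_response_bytes": max(sizes, default=0),
        "unique_user_agents": len({e["agent"] for e in entries}),
        "unique_ips": len(ips),
        "top_ip": ips.most_common(1)[0] if ips else None,
        "top_url": urls.most_common(1)[0] if urls else None,
        "status_by_class": dict(Counter(e["status"][0] + "xx" for e in entries)),
    }
```

Running `analyze(open("access-1.log").read())` reproduces the kind of counts the report obtained with Notepad++ searches, and the same function applies unchanged to Access-2.log.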
Access-2.log
The “GET” requests were easy to count. Using the program Notepad++ and the command CTRL+F, I could go into the find window, search for GET, and receive a count of 60.
There are 47 unique IP addresses, specific to your domain or multiple domains, that made requests to URLs. 47 IP addresses reached the server. This means 47 IP addresses established network communication between a device and the server. 19 requests yielded a 200 status, which means a successful request and the browser received information. 16 requests yielded a 400 status, which means the page could not be reached and there was an error.
The IP address 186.64.69.141 rang the doorbell. It was challenging to find code to use, so the next option was to search manually. In Notepad++, the find function was great for using keywords in order to find the IP.
The version Googlebot/2.1 visited the website, which was found using the program Notepad++ and the CTRL+F command. “Googlebot is the generic name for Google’s two types of web crawlers” (Googlebot, n.d.). IP address 61.161.130.241 attempted to exploit the Shellshock vulnerability. “Shellshock is a critical vulnerability due to the escalated privileges afforded to attackers, which allow them to compromise systems at will” (Stone, 2020).
The most frequent version of Firefox was Mozilla 5.0. Using the code in the image, it scanned the log file to match Mozilla and counted how often it had occurred, which was 31 times.
GET was the most common HTTP method used, with 60 occurrences. The code in the first image allowed the program to see which method was used the most, and then Notepad++ was used to verify the amounts.
Reflections
General:
1. What tools did you use to collect and query security monitoring data?
The tools used were Spyder Python, Notepad++, and LogViewPlus. Spyder is an open-source scientific environment written in Python. This program allowed me to input code to output certain answers that FICBank needed. For example, when finding GET in the log files, the code looked through the log file to get an accurate count. Then, using Notepad++, I was able to verify the count of GET requests. Notepad++ was an excellent source to get an accurate and fast count of how many times an IP address was requested or what version of Googlebot was used. LogViewPlus was another great tool to use to separate data into a data table. The tables from LogViewPlus allowed me to analyze the data more thoroughly.
2. What data sources did you analyze during the project?
Three log files, two access and one Apache, were provided by FICBank. “An access log is a list of all requests for individual files -- such as Hypertext Markup Language files, their embedded graphic images and other associated files that get transmitted -- that people or bots have made from a website” (Zola, 2022). Access log files are a type of Apache log file.
3. How did you validate the accuracy of the security monitoring data?
Through research, I validated the data by first checking what is in a log line. For example, checking to see that IP addresses, date and time, and HTTP status codes were there. Also, I gathered information about what a log file was and what it was used for. With that in mind, I gained an understanding of how an HTTP request is made. But there were some anomalies in the files. There was raw binary data, which was invalid requests, as well as attempts to exploit CVEs.
4. What challenges did you face when analyzing the security monitoring data?
The ability to analyze the data can come with some challenges. The first challenge would be figuring out what kind of software to use. There are a lot of different programs we could use in order to analyze the data. Notepad++ and LogViewPlus are essentially the same kind of text editing programs, but they each have their differences. Then, using a Python program in order to output certain information can be difficult, which leads to another challenge: inputting the correct code in order to get the desired output. One might have to play with the code in order to get the correct output. But once the challenges have been resolved, analyzing the data can be easy.
References
A, J. (2023, Jan 04). What Are HTTP Status Codes + Full List of Status Code Explanations. Retrieved from Hostinger Tutorials: https://www.hostinger.com/tutorials/http-status-codes
Chen, J. A.-K. (2019). Detecting Proper SSL/TLS Implementation with. Journal of Physics: Conference Series, 1.
Googlebot. (n.d.). Retrieved from Google: https://developers.google.com/search/docs/crawling-indexing/googlebot
Roy T. Fielding, J. F. (2014, June). Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. Retrieved from HTTPWG: https://httpwg.org/specs/rfc7230.html
Shyam, P. (2019, June 7). What is HTTP Tunneling and how do we achieve that. Retrieved from LinkedIn: https://www.linkedin.com/pulse/what-http-tunneling-how-do-we-achieve-priyanka-kumari/
SSL Security Definition. (n.d.). Retrieved from Avi Networks: https://avinetworks.com/glossary/ssl-security/
Stone, M. (2020, August 06). Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away. Retrieved from Security Intelligence: https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/
Strippel, C. (2020). Measuring Media Use and Exposure: Recent Developments and Challenges. Herbert von Halem.
Zola, A. (2022, Jan 4). access log. Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/definition/access-log