Module 03 Incidents, Events and Logging
Snort Configuration
At the end of classification.config, add the following lines:
# Snort classification.config format: shortname,description,priority (1 = highest).
# These shortnames are referenced by the classtype: keyword of the scan rules below.
config classification: TCP-Scan,TCP Scan Attempted,1
config classification: Xmas-Scan,Xmas Scan Attempted,1
config classification: FIN-Scan,FIN Scan Attempted,1
At the end of the file icmp-info.rules, add the following rules:
# Nmap scan signatures. Each classtype must match a shortname declared in classification.config.
# NOTE(review): the TCP-Scan rule below carries no flags:, flow: or threshold option,
# so it alerts on every inbound TCP packet from $EXTERNAL_NET -- confirm this is intended.
# NOTE(review): sid 10000005 has one digit more than 1000006/1000008 -- confirm it is not a typo.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "NMAP TCP Scan";sid:10000005; rev:2; classtype:TCP-Scan)
# Xmas scan: FIN, PSH and URG set together.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap XMAS Scan"; flags:FPU; sid:1000006; rev:1; classtype:Xmas-Scan)
# FIN scan: only the FIN flag set.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;classtype:FIN-Scan)
REM -A is given twice (console, then full); presumably the later option wins -- confirm the intended alert mode.
snort -i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -A full
Splunk Configuration
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-click inputs.conf and add:
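# inputs.conf: monitor the IIS W3C log directory.
[monitor://C:\inetpub\logs\logfiles]
sourcetype = iis
# skip files whose modification time is older than 14 days
ignoreOlderThan = 14d
# host value stamped on every event read by this input
host = WinServer2012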
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-click outputs.conf and add:
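# Sourcetype stanza for IIS logs.
# NOTE(review): these are props.conf attributes; outputs.conf only defines
# forwarding destinations -- confirm which file this stanza belongs in.
[iis*]
# attribute names are spelled exactly as documented (pulldown_type, MAX_TIMESTAMP_LOOKAHEAD)
pulldown_type = true
# characters to scan from the start of a line when looking for a timestamp
MAX_TIMESTAMP_LOOKAHEAD = 32
# every log line is its own event
SHOULD_LINEMERGE = false
# the original line had no value; header detection needs an explicit boolean
CHECK_FOR_HEADER = true
# REPORT-<class> = <transforms.conf stanza>; no spaces or dashes other than the hyphen in the name
REPORT-iis2 = iis2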
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, search for props.conf and add:
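# props.conf: sourcetype stanza for IIS logs.
[iis*]
# attribute names are spelled exactly as documented (pulldown_type, MAX_TIMESTAMP_LOOKAHEAD)
pulldown_type = true
# characters to scan from the start of a line when looking for a timestamp
MAX_TIMESTAMP_LOOKAHEAD = 32
# every log line is its own event
SHOULD_LINEMERGE = false
# the original line had no value; header detection needs an explicit boolean
CHECK_FOR_HEADER = true
# REPORT-<class> = <transforms.conf stanza>; no space inside the attribute name
REPORT-iis2 = iis2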
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-click transforms.conf and add:
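# transforms.conf: drop IIS header lines and split the remaining lines into fields.
[default]
# NOTE(review): host is an inputs.conf-style setting; its effect inside a
# transforms.conf [default] stanza is doubtful -- confirm the intent.
host = WinServer2012

[ignore_comments]
# IIS W3C header lines read "#Software:", "#Version:", "#Date:", "#Fields:"
# with no space after '#', so the original '^# .*' did not match them.
REGEX = ^#
# route matching lines to nullQueue so they are never indexed
DEST_KEY = queue
FORMAT = nullQueue
# NOTE(review): this stanza only takes effect when props.conf references it via
# TRANSFORMS-<class> = ignore_comments; the props stanza shown earlier has only REPORT-iis2.

[iis2]
# single-space delimiter; ASCII quotes (the original used curly quotes, which are literal characters)
DELIMS = " "
# NOTE(review): FIELDS is documented as a comma-separated list -- confirm that
# space separation is accepted. With the default CLEAN_KEYS, non-alphanumeric
# characters in these names become underscores in search (cs-uri-query -> cs_uri_query).
FIELDS = date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken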
In C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local, right-click inputs.conf and add:
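# inputs.conf (app-local): monitor Snort alert output.
[monitor://C:\Snort\log\*]
disabled = false
# source override; the Exercise 04 searches filter on source=ids
source = ids
sourcetype = snort_ids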
C:\Snort
REM -A is given twice (console, then full); presumably the later option wins -- confirm the intended alert mode.
snort -i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -A full
At the end of classification.config, add the following lines:
# Snort classification.config format: shortname,description,priority (1 = highest).
# These shortnames are referenced by the classtype: keyword of the scan rules below.
config classification: TCP-Scan,TCP Scan Attempted,1
config classification: Xmas-Scan,Xmas Scan Attempted,1
config classification: FIN-Scan,FIN Scan Attempted,1
At the end of the file icmp-info.rules, add the following rules:
# Nmap scan signatures. Each classtype must match a shortname declared in classification.config.
# NOTE(review): the TCP-Scan rule below carries no flags:, flow: or threshold option,
# so it alerts on every inbound TCP packet from $EXTERNAL_NET -- confirm this is intended.
# NOTE(review): sid 10000005 has one digit more than 1000006/1000008 -- confirm it is not a typo.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "NMAP TCP Scan";sid:10000005; rev:2; classtype:TCP-Scan)
# Xmas scan: FIN, PSH and URG set together.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap XMAS Scan"; flags:FPU; sid:1000006; rev:1; classtype:Xmas-Scan)
# FIN scan: only the FIN flag set.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;classtype:FIN-Scan)
REM -A is given twice (console, then full); presumably the later option wins -- confirm the intended alert mode.
snort -i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -A full
Splunk Configuration
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-click inputs.conf and add:
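# inputs.conf: monitor the IIS W3C log directory.
[monitor://C:\inetpub\logs\logfiles]
sourcetype = iis
# skip files whose modification time is older than 14 days
ignoreOlderThan = 14d
# host value stamped on every event read by this input
host = WinServer2012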
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-click outputs.conf and add:
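# Sourcetype stanza for IIS logs.
# NOTE(review): these are props.conf attributes; outputs.conf only defines
# forwarding destinations -- confirm which file this stanza belongs in.
[iis*]
# attribute names are spelled exactly as documented (pulldown_type, MAX_TIMESTAMP_LOOKAHEAD)
pulldown_type = true
# characters to scan from the start of a line when looking for a timestamp
MAX_TIMESTAMP_LOOKAHEAD = 32
# every log line is its own event
SHOULD_LINEMERGE = false
# the original line had no value; header detection needs an explicit boolean
CHECK_FOR_HEADER = true
# REPORT-<class> = <transforms.conf stanza>; the original used an en dash with spaces
REPORT-iis2 = iis2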
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, search for props.conf and add:
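# props.conf: sourcetype stanza for IIS logs.
[iis*]
# attribute names are spelled exactly as documented (pulldown_type, MAX_TIMESTAMP_LOOKAHEAD)
pulldown_type = true
# characters to scan from the start of a line when looking for a timestamp
MAX_TIMESTAMP_LOOKAHEAD = 32
# every log line is its own event
SHOULD_LINEMERGE = false
# the original line had no value; header detection needs an explicit boolean
CHECK_FOR_HEADER = true
# REPORT-<class> = <transforms.conf stanza>; no space inside the attribute name
REPORT-iis2 = iis2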
In C:\Program Files\SplunkUniversalForwarder\etc\system\local, right-click transforms.conf and add:
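# transforms.conf: drop IIS header lines and split the remaining lines into fields.
[default]
# NOTE(review): host is an inputs.conf-style setting; its effect inside a
# transforms.conf [default] stanza is doubtful -- confirm the intent.
host = WinServer2012

[ignore_comments]
# IIS W3C header lines read "#Software:", "#Version:", "#Date:", "#Fields:"
# with no space after '#', so the original '^# .*' did not match them.
REGEX = ^#
# route matching lines to nullQueue so they are never indexed
DEST_KEY = queue
FORMAT = nullQueue
# NOTE(review): this stanza only takes effect when props.conf references it via
# TRANSFORMS-<class> = ignore_comments; the props stanza shown earlier has only REPORT-iis2.

[iis2]
# single-space delimiter; ASCII quotes (the original used curly quotes, which are literal characters)
DELIMS = " "
# NOTE(review): FIELDS is documented as a comma-separated list -- confirm that
# space separation is accepted. With the default CLEAN_KEYS, non-alphanumeric
# characters in these names become underscores in search (cs-uri-query -> cs_uri_query).
FIELDS = date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken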
In C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local, right-click inputs.conf and add:
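# inputs.conf (app-local): monitor Snort alert output.
[monitor://C:\Snort\log\*]
disabled = false
# source override; the Exercise 04 searches filter on source=ids
source = ids
sourcetype = snort_ids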
C:\Snort
REM -A is given twice (console, then full); presumably the later option wins -- confirm the intended alert mode.
snort -i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -A full
04 Incident Detection with Security Information and Event Management (SIEM)
Exercise 01
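index=* (EventCode=4624 OR EventCode=4625) | bin _time span=5m as minute | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success by minute AccountName | where Attempts>=5 AND Success>0 AND Failed>=2 | eval minute=strftime(minute,"%H:%M")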
Exercise 02
host=WinServer2012 sourcetype=iis | eval csuriquery = urldecode(csuriquery) | regex csuriquery ="/(\%27)|(\')|(--)|(\%23)|(# )/ix" | iplocation c_ip | table _time csuriquery csUserAgent c_ip
Exercise 03
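host=WinServer2012 sourcetype=iis "%3CSCRIPT" OR "Javascript" OR "Alert" OR "3C%2Fscript"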
Exercise 04
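host=WinServer2012 source=ids 10.10.1.12 "Xmas Scan Attempted"
host=WinServer2012 source=ids 10.10.1.12 "FIN Scan Attempted"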
-i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -A full
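index=* (EventCode=4624 OR EventCode=4625) | bin _time span=5m as minute | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success by minute AccountName | where Attempts>=5 AND Success>0 AND Failed>=2 | eval minute=strftime(minute,"%H:%M")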
Exercise 02
host=WinServer2012 sourcetype=iis | eval csuriquery = urldecode(csuriquery) | regex csuriquery ="/(\%27)|(\')|(--)|(\%23)|(# )/ix" | iplocation c_ip | table _time csuriquery csUserAgent c_ip
Exercise 03
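host=WinServer2012 sourcetype=iis "%3CSCRIPT" OR "Javascript" OR "Alert" OR "3C%2Fscript"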
Exercise 04
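host=WinServer2012 source=ids 10.10.1.12 "Xmas Scan Attempted"
host=WinServer2012 source=ids 10.10.1.12 "FIN Scan Attempted"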
-i1 -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -A full