
Analyzing Failed Login Attempts in a Linux System, Thesis of Programming Abstractions

A series of queries and commands to analyze and visualize failed login attempts in a linux system. It covers various types of authentication failures such as 'authentication failure', 'failed su', 'input_userauth_request: invalid user', 'invalid user', 'failed publickey', and 'failed password'. The queries are designed to extract relevant information from system logs and visualize the data in the form of graphs and charts.

Typology: Thesis

2023/2024

Uploaded on 04/14/2024

deepika-verankki
Course:COMP 4040 – 101 INTRODUCTION
TO SOC
NAME: DEEPIKA VERANKKI
STUDENT ID: 100548781
DATE: October 29, 2023


Lab 5: Sumo Logic screenshots

The -3d shown in the screenshots is the relative time range (last 3 days) selected in the search time picker; it is not part of the query text.

Code: _sourceCategory="linux/system" "Failed" | parse "Failed" as _"user:*"

Code: _sourceCategory=linux/system | where _raw contains "Failed" | fields month, date, time, service, pid, username, src_ip, port, protocol

1. Create a Table (Panel01):

Build a query to count usernames.

Code: _sourceCategory=linux/system | where _raw contains "Failed" | count by username | sort by _count desc | limit 10

Create a table visualization.

Code (parse and aggregation stages only; the search expression and the parse regex that extracts dest_hostname, which this fragment counts by, are those of the full query under Panel02):
| parse "input_userauth_request: invalid user *" as dest_user nodrop
| parse "Invalid user * from * port *" as dest_user, src_host, src_port nodrop
| parse "Failed publickey for * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| parse "Failed password for * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| parse "Failed password for invalid user * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| where dest_user != ""
| count as Attempts by src_host, dest_user, dest_hostname
| sort - Attempts
| limit 10
| compare with timeshift 3d

Add a proper Panel Name and a detailed Panel Description.

File name: search-results-2023-10-25T09_48_27.049-0700.csv

2. Find Top 5 Most Tried Usernames (Panel02):

Write a query to find the 5 most tried usernames.

Code: _sourceCategory=linux/system | where _raw contains "Failed" | count by username | sort by _count desc | limit 5

Code:
_source="Linux System" ("authentication failure" or "FAILED SU" or "input_userauth_request: invalid user" or "Invalid user" or "Failed publickey" or "Failed password")
| parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s(?<process_name>\w+)(?:\[|:)" nodrop
| parse " user = * " as dest_user nodrop
| parse "User * : Authentication failure" as dest_user nodrop
| parse " user=*" as dest_user nodrop
| parse regex "\S\s+\d+\s+\d+:\d+:\d+\s+(?<_sourceHost>\S+)\s+" nodrop
| parse regex "\S\s+\d+\s+\d+:\d+:\d+\s+(?<dest_hostname>\S+)\s+(?:[^;]+)" nodrop
| parse "ruser=* rhost=* user=*" as src_user, src_host, dest_user nodrop
| parse "ruser= rhost=* user=*" as src_host, dest_user nodrop
| parse " user=\"*\"" as dest_user nodrop
| parse "Authentication failure for * from *" as dest_user, src_host nodrop
| parse "FAILED SU (to *) * on" as dest_user, src_user nodrop
| parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?<src_tty>\S+) FOR (?<dest_user>\S+)," nodrop
| parse "input_userauth_request: invalid user *" as dest_user nodrop
| parse "Invalid user * from * port *" as dest_user, src_host, src_port nodrop
| parse "Failed publickey for * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| parse "Failed password for * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| parse "Failed password for invalid user * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| where dest_user != ""
| count as Attempts by src_host, dest_user, dest_hostname
| sort - Attempts
| dedup dest_user
| limit 5

Every parse stage carries nodrop so that a line matching none of the patterns is kept rather than discarded; later parse stages overwrite dest_user when more than one pattern matches the same line, which is why the "Failed password for invalid user" pattern comes after the plain "Failed password for" pattern. Note that the same attempt can produce several of these lines (for example a pam_unix "authentication failure" line and a "Failed password" line for one SSH password failure), so Attempts counts log lines, not distinct login attempts.

Add a proper Panel Name and a detailed Panel Description.

3. Failed attempts every 30 minutes:

Write a query to visualize failed attempts every 30 minutes.

Code:
_source="Linux System" ("authentication failure" or "FAILED SU" or "input_userauth_request: invalid user" or "Invalid user" or "Failed publickey" or "Failed password")
| parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s(?<process_name>\w+)(?:\[|:)" nodrop
| parse " user = * " as dest_user nodrop
| parse "User * : Authentication failure" as dest_user nodrop
| parse " user=*" as dest_user nodrop
| parse regex "\S\s+\d+\s+\d+:\d+:\d+\s+(?<_sourceHost>\S+)\s+" nodrop
| parse regex "\S\s+\d+\s+\d+:\d+:\d+\s+(?<dest_hostname>\S+)\s+(?:[^;]+)" nodrop
| parse "ruser=* rhost=* user=*" as src_user, src_host, dest_user nodrop
| parse "ruser= rhost=* user=*" as src_host, dest_user nodrop
| parse " user=\"*\"" as dest_user nodrop
| parse "Authentication failure for * from *" as dest_user, src_host nodrop
| parse "FAILED SU (to *) * on" as dest_user, src_user nodrop
| parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?<src_tty>\S+) FOR (?<dest_user>\S+)," nodrop
| parse "input_userauth_request: invalid user *" as dest_user nodrop
| parse "Invalid user * from * port *" as dest_user, src_host, src_port nodrop
| parse "Failed publickey for * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| parse "Failed password for * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| parse "Failed password for invalid user * from * port * *" as dest_user, src_host, src_port, protocol nodrop
| where dest_user != ""
| timeslice 30m
| count as Attempts by src_host, dest_user, dest_hostname, _timeslice
| sort - Attempts
| dedup dest_user

Create a line chart to represent this data.

Because dedup dest_user keeps only the single highest-count timeslice for each user, this chart shows one point per user rather than a trend; for a time series of failed attempts, count by _timeslice alone, or count by _timeslice and dest_user and transpose the result so that each user becomes its own line.
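The three panels above all rest on the same parse stages, so the following Python script, added here as an illustration and not part of the original lab or of Sumo Logic's own Linux app queries, re-implements that logic offline: one regex per parse statement, the Panel01 count by src_host, dest_user and dest_hostname, the Panel02 top-N usernames, and the 30-minute timeslice. The log lines, host name, usernames and addresses are constructed sample data, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth log (not taken from the lab). One bad SSH password
# yields a pam_unix "authentication failure" line plus a "Failed password"
# line, and an unknown username yields three lines; the counts below inherit
# that inflation exactly as the Sumo Logic queries do.
SAMPLE_LOG = """\
Oct 25 09:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 25 09:02:40 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 25 09:03:01 web01 sshd[2215]: Invalid user admin from 203.0.113.5 port 51240
Oct 25 09:03:01 web01 sshd[2215]: input_userauth_request: invalid user admin [preauth]
Oct 25 09:17:55 web01 sshd[2290]: Failed publickey for deploy from 198.51.100.7 port 40022 ssh2
Oct 25 09:44:10 web01 su[2301]: FAILED SU (to root) alice on /dev/pts/0
Oct 25 09:45:02 web01 sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Oct 25 09:46:30 web01 sshd[2310]: Failed password for root from 203.0.113.5 port 51300 ssh2
Oct 25 10:05:00 web01 sshd[2400]: Accepted password for alice from 198.51.100.7 port 40100 ssh2
"""

# Syslog header: timestamp, host, then the process name followed by "[" or ":"
# (the same shape as the lab's first parse regex).
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d+:\d+:\d+)\s+(?P<dest_hostname>\S+)\s+(?P<process_name>\w+)(?:\[|:)"
)

# Failure messages, one regex per parse statement in the lab query. The most
# specific pattern comes first and the first match wins, so
# "Failed password for invalid user admin from ..." yields dest_user=admin.
PATTERNS = [
    re.compile(r"Failed password for invalid user (?P<dest_user>\S+) from (?P<src_host>\S+) port (?P<src_port>\d+) (?P<protocol>\S+)"),
    re.compile(r"Failed password for (?P<dest_user>\S+) from (?P<src_host>\S+) port (?P<src_port>\d+) (?P<protocol>\S+)"),
    re.compile(r"Failed publickey for (?P<dest_user>\S+) from (?P<src_host>\S+) port (?P<src_port>\d+) (?P<protocol>\S+)"),
    re.compile(r"Invalid user (?P<dest_user>\S+) from (?P<src_host>\S+) port (?P<src_port>\d+)"),
    re.compile(r"input_userauth_request: invalid user (?P<dest_user>\S+)"),
    re.compile(r"FAILED SU \(to (?P<dest_user>\S+)\) (?P<src_user>\S+) on"),
    re.compile(r"FAILED LOGIN (?:SESSION|\d+) FROM (?P<src_tty>\S+) FOR (?P<dest_user>\S+),"),
    re.compile(r"authentication failure;.*ruser=(?P<src_user>\S*) rhost=(?P<src_host>\S*)\s+user=(?P<dest_user>\S+)"),
]


def parse_line(line, year=2023):
    """Return a dict of extracted fields for a failed-login line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    head = HEADER.match(line)
    if not head:
        return None
    for pattern in PATTERNS:
        hit = pattern.search(line)
        if hit:
            event = {"dest_hostname": head["dest_hostname"],
                     "process_name": head["process_name"],
                     "src_host": "", "src_user": ""}
            event.update({k: v for k, v in hit.groupdict().items() if v is not None})
            stamp = " ".join(head["ts"].split())  # collapse the padding in "Oct  5"
            event["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            return event
    return None


def parse_log(text, year=2023):
    """Parse every line and keep only events with a destination user
    (the query's `where dest_user != ""`)."""
    events = (parse_line(line, year) for line in text.splitlines())
    return [e for e in events if e and e["dest_user"]]


def attempts_by_source(events, limit=10):
    """Panel01: count as Attempts by src_host, dest_user, dest_hostname,
    sorted descending and limited."""
    counts = Counter((e["src_host"], e["dest_user"], e["dest_hostname"]) for e in events)
    return counts.most_common(limit)


def top_usernames(events, limit=5):
    """Panel02: the most-tried destination usernames."""
    return Counter(e["dest_user"] for e in events).most_common(limit)


def timeslice_counts(events, minutes=30):
    """Failed attempts per time bucket (timeslice 30m | count by _timeslice)."""
    buckets = Counter()
    for e in events:
        t = e["time"]
        start = t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)
        buckets[start] += 1
    return sorted(buckets.items())


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in attempts_by_source(evs):
        print("attempts", row)
    print("top users", top_usernames(evs))
    for start, n in timeslice_counts(evs):
        print(start.strftime("%H:%M"), n)
```

On the sample data root appears four times and admin three times although only three distinct password attempts were made; that is the same line-counting behaviour as the Sumo Logic queries, and whoever turns these panels into an alert threshold should either count only one message type per attempt or accept that the numbers are inflated by a factor of two or three.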