COMP4040 Lab07 SumoLogic

The document describes a lab report containing security logs and web server logs. It contains multiple sections with queries and visualizations to analyze invalid login attempts, popular usernames, IP locations, and user agents. Summary tables and graphs are created to find unusual login patterns and locations of failed login attempts.

COMP4040 Lab07 Report

Section A:
Base query: (_sourceCategory="Linux/system" and ("invalid user" or "disconnected")), time range [-7d].
Extract the fields month, date, time, host_name, service, pid, user_name, src_ip, port_n for all rows using the nodrop
option (nodrop also keeps messages that match none of the parse expressions, with those fields left blank). Every panel
below starts from this query as its initial filter:

(_sourceCategory="Linux/system" and ("invalid user" or "disconnected"))


| parse "* * * * *[*]: Invalid user * from * port *" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Failed password for invalid user * from * port * ssh2" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Disconnected from invalid user * * port * [preauth]" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Disconnected from authenticating user * * port * [preauth]" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Connection closed by invalid user * * port * [preauth]" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Disconnecting invalid user * * port *:" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: error: maximum authentication attempts exceeded for invalid user * * port * ssh2" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Failed none for invalid user * from * port * ssh2" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop
| parse "* * * * *[*]: Received disconnect from * port *:11: disconnected by * [preauth]" as month, date, time, host_name, service, pid, src_ip, port_n, user_name nodrop
| parse "* * * * *[*]: Connection reset by invalid user * * port * [preauth]" as month, date, time, host_name, service, pid, user_name, src_ip, port_n nodrop

Time range for all panels: the last 7 days.

a) Panel-1: The top 20 common tried usernames.

Query

| count user_name | order by _count desc | top 20 user_name by _count

View

Analyze
This table shows the top 20 most-tried usernames. I downloaded the file and analyzed more frames that may match the
parsing. I also verified that there were attempts to enter the system, but the user could not be registered. The date
range is the last 7 days.

b) Download a list of all tried users.

c) Panel-2: Filter and find your tried usernames.
Query

| where !isBlank(port_n)
| count port_n | order by _count desc | top 10 port_n by _count

View

Analyze
This table shows the top 10 tried port numbers. I found some frames that do not match the parse patterns, which is
why I filter out the rows where port_n is blank.

d) Panel-3: graph to show the number of failed tries per source IP.
Query

| count src_ip | order by _count desc | limit 4

View

Analyze
This panel shows a pie chart with the number of failed tries per source IP address, limited to 4 records in the
visualization.
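Added example, not part of the lab report and not Sumo Logic code: the ten parse patterns of the base query, Panel-1 (top usernames) and Panel-3 (tries per source IP) re-implemented in Python over a few constructed sshd syslog lines, so the field extraction can be checked offline. The translation of a Sumo wildcard pattern into a regular expression is my approximation of the parse operator (each `*` becomes a capture group); the sample lines, host name and addresses are constructed, not taken from the lab's log source. Two things it makes visible: a line that matches the search terms but none of the patterns is what nodrop keeps (with blank fields), and the last wildcard of the `Received disconnect ... disconnected by * [preauth]` pattern captures the disconnect reason (`user`), not an account name, so that value ends up in the username counts.

```python
import re
from collections import Counter

# Field lists: the nine fields the report extracts, in the two orders its
# parse statements use (the "Received disconnect" message lists ip/port first).
FIELDS = ["month", "date", "time", "host_name", "service", "pid",
          "user_name", "src_ip", "port_n"]
FIELDS_RECV = ["month", "date", "time", "host_name", "service", "pid",
               "src_ip", "port_n", "user_name"]

# The report's Sumo Logic parse patterns, verbatim, paired with their field order.
PARSE_PATTERNS = [
    ("* * * * *[*]: Invalid user * from * port *", FIELDS),
    ("* * * * *[*]: Failed password for invalid user * from * port * ssh2", FIELDS),
    ("* * * * *[*]: Disconnected from invalid user * * port * [preauth]", FIELDS),
    ("* * * * *[*]: Disconnected from authenticating user * * port * [preauth]", FIELDS),
    ("* * * * *[*]: Connection closed by invalid user * * port * [preauth]", FIELDS),
    ("* * * * *[*]: Disconnecting invalid user * * port *:", FIELDS),
    ("* * * * *[*]: error: maximum authentication attempts exceeded for invalid user * * port * ssh2", FIELDS),
    ("* * * * *[*]: Failed none for invalid user * from * port * ssh2", FIELDS),
    ("* * * * *[*]: Received disconnect from * port *:11: disconnected by * [preauth]", FIELDS_RECV),
    ("* * * * *[*]: Connection reset by invalid user * * port * [preauth]", FIELDS),
]


def sumo_pattern_to_regex(pattern):
    """Approximate a Sumo Logic parse pattern as a regex (assumption: each '*'
    is a non-greedy capture group, a trailing '*' runs to end of line, and the
    literal text is matched as-is from the start of the message)."""
    parts = pattern.split("*")
    n_wild = len(parts) - 1
    regex = "^"
    for i, literal in enumerate(parts):
        regex += re.escape(literal)
        if i < n_wild:
            last_and_trailing = (i == n_wild - 1 and parts[-1] == "")
            regex += "(.*)" if last_and_trailing else "(.*?)"
    return re.compile(regex)


COMPILED = [(sumo_pattern_to_regex(p), fields) for p, fields in PARSE_PATTERNS]


def parse_line(line):
    """Chained '| parse ... nodrop': return the fields of the first matching
    pattern, or an empty record when none matches (nodrop keeps the message
    with blank fields instead of discarding it)."""
    for regex, fields in COMPILED:
        match = regex.match(line)
        if match:
            return dict(zip(fields, match.groups()))
    return {}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def top_usernames(records, n=20):
    """Panel-1: the n most-tried usernames; blank (unparsed) rows are skipped."""
    counts = Counter(r["user_name"] for r in records if r.get("user_name"))
    return counts.most_common(n)


def tries_per_source_ip(records, limit=4):
    """Panel-3: failed tries per source IP, top 'limit' entries."""
    counts = Counter(r["src_ip"] for r in records if r.get("src_ip"))
    return counts.most_common(limit)


def unparsed_lines(text):
    """Lines kept only because of nodrop: they matched the search terms but
    none of the parse patterns, so they are what to review when extending
    the pattern list."""
    return [line for line in text.splitlines() if line.strip() and not parse_line(line)]


# Constructed sample lines (not from the lab's _sourceCategory); RFC 5737
# documentation addresses stand in for real attacker IPs.
SAMPLE_LOG = """\
Mar 25 10:01:02 web01 sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Mar 25 10:01:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 25 10:01:03 web01 sshd[2101]: Disconnected from invalid user admin 203.0.113.5 port 51234 [preauth]
Mar 25 10:02:10 web01 sshd[2107]: Invalid user oracle from 198.51.100.7 port 40210
Mar 25 10:02:10 web01 sshd[2107]: Connection closed by invalid user oracle 198.51.100.7 port 40210 [preauth]
Mar 25 10:03:30 web01 sshd[2110]: error: maximum authentication attempts exceeded for invalid user admin 203.0.113.5 port 51300 ssh2
Mar 25 10:04:00 web01 sshd[2115]: Received disconnect from 192.0.2.9 port 33000:11: disconnected by user [preauth]
Mar 25 10:04:01 web01 sshd[2115]: Disconnected from authenticating user root 192.0.2.9 port 33000 [preauth]
Mar 25 10:05:00 web01 sshd[2120]: Disconnected from user ubuntu 10.0.0.4 port 50000
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top usernames:", top_usernames(recs))
    print("tries per src_ip:", tries_per_source_ip(recs))
    print("unparsed (kept by nodrop):", unparsed_lines(SAMPLE_LOG))
```

Running it prints `admin` with 4 tries ahead of `oracle`, `root` and the spurious `user`, one source IP with 4 tries, and the single post-auth "Disconnected from user" line as the only row the patterns do not cover.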

e) Panel-4: List malicious confidence by source IP address


Query

| threatip src_ip
| where !(isNull(malicious_confidence))
| count by src_ip, malicious_confidence | order by _count desc | limit 100

View

Analyze
This panel shows a table of the source IP addresses classified as malicious by the threatip function, keeping only
rows whose malicious_confidence is not null.

f) Panel-5: Map with malicious confidence by source IP address

Query

| threatip src_ip
| where !(isNull(malicious_confidence))
| lookup latitude, longitude from geo://location on ip = src_ip | count by latitude, longitude

View

Analyze
This panel uses the same threatip classification and malicious_confidence filter as Panel-4, then looks up latitude
and longitude for each source IP; a map viewer displays the query result by latitude and longitude.

Dashboard: J24C40Leonardo_Torres-L07-D1

Shared URL:
https://service.ca.sumologic.com/ui/#/dashboardv2/eMDQ8caTfxeY4Wlc9coXmOZ31KhiFMxr3YLviWG7XJ4cPHpoohdQke0JSBjC?from=1710993600000&to=1711598399000

Section B: Use (_source="klj23-03-apache-access")
Test traffic was generated against the lab web server with nikto, using a custom User-Agent so the scan can be picked
out in the access log:
nikto -h http://cslab.softether.net:8989/ -useragent "leonardotorres"

a) Panel-1: List user agents


Query
((_source="klj23-03-apache-access"))
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as
ip,hyphen1,hyphen2,timestamp,method,url,version,status,bytes,referer,agent
| count agent | order by _count desc

View

Analyze
This panel lists the user agents seen over the previous 12 hours.

b) Panel-2: Graph by user agents


Query
((_source="klj23-03-apache-access"))
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as
ip,hyphen1,hyphen2,timestamp,method,url,version,status,bytes,referer,agent
| count agent | order by _count desc | where _count>10

View

Analyze
This panel shows a bar graph of the user agents over the previous 12 hours, restricted to agents with more than 10
hits to keep the report graph readable.

c) Panel-3: List My User Agents Custom


Query
((_source="klj23-03-apache-access")) and ("ivantorres" or "leonardotorres" or "k6/0.40.0 (https://k6.io/)")
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as
ip,hyphen1,hyphen2,timestamp,method,url,version,status,bytes,referer,agent
| count agent | order by _count desc | where _count>5

View

Analyze
This panel lists my own user agents: I am using a custom agent with my name, "leonardotorres" or "ivantorres", and
another test tool, k6. The date range is the previous 12 hours.

d) Panel-4: List successful accesses per user agent


Query
((_source="klj23-03-apache-access"))
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as
ip,hyphen1,hyphen2,timestamp,method,url,version,status,bytes,referer,agent | where status=200
| count agent | order by _count desc | where _count>10

View

Analyze
This panel shows a table of the user agents whose requests returned status code 200, over the previous 12 hours,
restricted to agents with more than 10 hits to keep the report graph readable.
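Added example, not from the report: the combined-log parse and the user-agent counts of Panels 1 to 4 in Python over constructed access-log lines. The regular expression is a hand-written equivalent of the parse pattern used in this section, with the User-Agent captured without its surrounding quotes; the log lines, addresses and the Mac browser User-Agent string are constructed, not taken from the lab's `_source`. It also shows what the three-token `"* * *"` request pattern cannot parse (a client that sends a malformed request line), which the plain parse silently drops unless nodrop is added.

```python
import re
from collections import Counter

# Hand-written regex equivalent of the report's parse pattern
#   "* * * [*] \"* * *\" * * \"*\" *"
# for Apache's combined log format; the User-Agent is captured without its
# surrounding quotes. Same 11 fields as the report (hyphen1/hyphen2 are the
# ident and authuser columns, normally "-").
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) (?P<hyphen1>\S+) (?P<hyphen2>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Markers Panel-3 searches for (taken from the report).
MY_AGENT_MARKERS = ("ivantorres", "leonardotorres", "k6/0.40.0 (https://k6.io/)")


def parse_access_log(text):
    """Equivalent of '| parse ...' without nodrop: lines that do not match
    the pattern are dropped."""
    rows = []
    for line in text.splitlines():
        match = COMBINED_LOG.match(line)
        if match:
            rows.append(match.groupdict())
    return rows


def unparsed_lines(text):
    """What the plain parse silently discards (and nodrop would keep)."""
    return [l for l in text.splitlines() if l.strip() and not COMBINED_LOG.match(l)]


def agents_by_count(rows, min_count=1):
    """Panel-1/Panel-2: '| count agent | order by _count desc | where _count>N'."""
    counts = Counter(r["agent"] for r in rows)
    return [(agent, n) for agent, n in counts.most_common() if n >= min_count]


def my_agents(rows, markers=MY_AGENT_MARKERS):
    """Panel-3: only requests whose User-Agent carries one of the custom markers."""
    counts = Counter(r["agent"] for r in rows if any(m in r["agent"] for m in markers))
    return counts.most_common()


def successful_by_agent(rows):
    """Panel-4: '| where status=200 | count agent | order by _count desc'."""
    counts = Counter(r["agent"] for r in rows if r["status"] == "200")
    return counts.most_common()


# Constructed sample (not the lab's _source): a nikto-style scan with the
# custom agent, two k6 requests, one browser hit, and one malformed request
# line that the three-token "method url version" pattern cannot parse.
MAC_BROWSER = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
SAMPLE_ACCESS_LOG = f"""\
203.0.113.5 - - [02/Apr/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "leonardotorres"
203.0.113.5 - - [02/Apr/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "leonardotorres"
203.0.113.5 - - [02/Apr/2024:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 199 "-" "leonardotorres"
198.51.100.7 - - [02/Apr/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 1043 "-" "k6/0.40.0 (https://k6.io/)"
198.51.100.7 - - [02/Apr/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 1043 "-" "k6/0.40.0 (https://k6.io/)"
192.0.2.9 - - [02/Apr/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "{MAC_BROWSER}"
203.0.113.5 - - [02/Apr/2024:10:00:05 +0000] "-" 408 - "-" "-"
"""

if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    print("agents:", agents_by_count(rows))
    print("my agents:", my_agents(rows))
    print("status 200 per agent:", successful_by_agent(rows))
    print("dropped by parse:", unparsed_lines(SAMPLE_ACCESS_LOG))
```

The scanner's three requests make `leonardotorres` the top agent overall, but only one of them returned 200, so in the status-200 view k6 comes first; that difference is the reason Panel-4 is worth a separate panel rather than a filter on Panel-1.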

e) Panel-5: Map source IP locations


Query
((_source="klj23-03-apache-access"))
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as
ip,hyphen1,hyphen2,timestamp,method,url,version,status,bytes,referer,agent
| lookup latitude, longitude from geo://location on ip = ip | count by latitude, longitude

View

Analyze
This panel shows a map of the client (source) IP address locations taken from the access log, over the previous 12
hours.

f) Panel-6: List My User Agent Browser


Query
((_source="klj23-03-apache-access")) and ("Macintosh; Intel Mac OS X 10_15_7")
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as
ip,hyphen1,hyphen2,timestamp,method,url,version,status,bytes,referer,agent
| count agent | order by _count desc

View

Analyze
This panel lists the user agents from my own browser; I am using macOS. The date range is the previous 12 hours.

Dashboard: J24C40Leonardo_Torres-L6D2

Shared URL:
https://service.ca.sumologic.com/ui/#/dashboardv2/YIdvm56ImKwoBaG4EY3R7sDogGiCcZgVBEuqSSKj5gHqBVZzY8R0FviEv2DD?from=1712026315508&to=1712069515508
