
The events extracted from the managed enterprise environment are collected from two main sources. For the purposes of this research, these two sources provide the test area for the misuse cases identified in the corresponding managed enterprise scenario as the prevalent attacks of that environment. These sources are: event data collected from McAfee ePolicy Orchestrator and from Windows Server 2003/2008.

6.1.1 Event Set A: Windows Server 2003/2008

This source's event data focuses on all account logon activities; its attribution is aimed at simulating the following attack misuse cases:

• MC 5.5.1 An Unauthorised Login to a computer system, network or application

• MC 5.5.2 Brute force attack for attempted login

Listing 6.1-1, extracted from the month of May, is a sample Windows event. Note the pseudonymisation of user names and identities, and the CSV format in which it was output after the normalisation procedures (for field descriptions see subsection 5.2.1).

Listing 6.1-1: An example MESI Windows event

TBS;;1124490656;1325200062;1306496120083;1306496120000;500f7b56f8805d3fd2e48e36;;Windows EventLog;Security.Failure Audit;66;failed , failed , login , user;91734d39b55cb189ffc47c27;e0559ee6821fb98336ece5a5;;70.58.17.106;;;;39.91470000000001;-105.0809;0;70.38.124.46;;;;45.5;-73.5833;0;66;66;S-6.1;U-6.1.17;680;Logon attempt by;;WIN-XP/WIN-2003;;;;;;;;;;;;;;;;MICROSOFT AUTHENTICATION PACKAGE V1 0;;;;;;;;0xC0000064;;;;

The first consideration in the analysis of the event information is to determine which elements of the event are relevant for processing and collection by the SIEM. A SIEM processes huge volumes of information, with a typical collection rate reaching around 20 000 events per second.

This mandates ensuring that only the required information is collected, to aid the processing utility of the SIEM. The fields from the Windows events deemed necessary for further analysis through MASSIF and OSSIM are listed in Table 6.1.

Field | Type | Value | Description
InternalTimeStamp | TimeStamp | 1325184445 | The time the event was received in the normalisation
SensorName | String | fb2f0416b09c5e0611ee5319 | The name of the sensor that originated the event (example shown in pseudonymised format)
EventType | String | SE AUDITID UNKNOWN USER OR PWD | Event type as defined, if possible, by the device generating the event; otherwise derived from the reported event
UserName | String | 675aa07dbab86489548c99c8 | The username associated with the event (example shown in pseudonymised format)
SourceIP | String | x.x.x.x | The IP address of the source host
SourcePort | Integer | 4958 | The port of origin of the event on the source host
DestinationIP | String | y.y.y.y | The IP address of the destination host
DestinationPort | Integer | 0 | Port on the host at which the event was directed
EventID | Integer | 529 | The unique ID of an event
SourceIPGeoLat | Integer | 529 | Latitude of <SourceIP>, or empty string if it is a private IP address
SourceIPGeoLong | Integer | 529 | Longitude of <SourceIP>, or empty string if it is a private IP address
DestinationIPGeoLat | Integer | 529 | Latitude of <DestinationIP>, or empty string if it is a private IP address
DestinationIPGeoLong | Integer | 529 | Longitude of <DestinationIP>, or empty string if it is a private IP address

Table 6.1: Windows Event required fields

In the Windows domain architecture, the logon procedure and the authentication process are treated as separate concepts. A workstation logon through a domain account requires the workstation to then authenticate with the Authentication Server (AS) on the domain controller. Two categories of security events allow both activities to be tracked: the Logon/Logoff category records logon activity, and Account Logon tracks all authentication events. These are the kinds of events that will be analysed in the SIEM environment.

Looking at the chosen fields, it should be noted that EventID, together with EventType, is the only field extracted from all of the threat information fields provided. This is because SIEM managers such as OSSIM store the event rule IDs and their associated information in a database: the log data sent through needs to carry only the ID, while the rest of the data, such as the event description, can be pulled from the database on request. This lessens the volume retrieved during the collection step of the analysis cycle.

6.1.2 Event Set B: McAfee ePolicy Orchestrator

The McAfee event data contains threat information identified by McAfee such as threat type, severity, name and action taken. This information mostly assists in detecting the following attack misuse case:

• MC 5.5.5 Worm propagation

Listing 6.1-2 is an example event from the data set; note the pseudonymisation effects and the McAfee event information regarding the identified threat and the action to be taken.

Listing 6.1-2: An example MESI McAfee event

6370207;{BCD22761-E4B7-42AF-8063-DF6CB341A55A};460bfe9ebd6978c9bb94bd44;2011-11-22 00:00:08.887000000;2011-11-21 23:55:46;{4DA35B52-AEB5-47DD-9454-3F821F75F3B8};VIRUSCAN8700;VirusScanEnterprise;8.7;c1c731a7a6cd59e353936196;x.x.x.x;1;1918;;;;;;;OAS;;;;;;;;x.x.x.x;0;ZA;3741;-33.9167;18.4167;;;ba6071f5f175251b2877fdb6;;c1c731a7a6cd59e353936196;y.y.y.y;1;1918;;;;;e0559ee6821fb98336ece5a5;;;;;;;25;;;;fw.detect;1096;5;Anti-virus Standard Protection:Prevent mass mailing worms from sending mail;access protection;would block;True;00000000028749EF;

Using the threat information from McAfee, propagations can be traced in an effort to locate the source of the malicious spread within the network. We select the relevant fields from the data that meet the required information needs:

Field | Type | Value | Description
AutoID | Long | 6370207 | The unique id of an event (primary key)
ThreatEventID | String | 460bfe9ebd6978c9bb94bd44 | Unique event ID of the logged threat
SourceIPv4 | String | x.x.x.x | The IP address of the source computer
TargetIPv4 | String | y.y.y.y | The IP address of the targeted computer
TargetUserName | String | e0559ee6821fb98336ece5a5 | Username on the computer the threat targeted (example shown in pseudonymised format)
TargetPort | Integer | 25 | The port targeted by the threat
EventID | Integer | 529 | The unique ID of an event
SourceIPV4GeoLat | Integer | 529 | Latitude of <SourceIPV4>, or empty string if it is a private IP address
SourceIPV4GeoLong | Integer | 529 | Longitude of <SourceIPV4>, or empty string if it is a private IP address
TargetIPV4GeoLat | Integer | 529 | Latitude of <TargetIPV4>, or empty string if it is a private IP address
TargetIPV4GeoLon | Integer | 529 | Longitude of <TargetIPV4>, or empty string if it is a private IP address

The same applies to the ThreatEventID field in the McAfee events: the event identifier is linked to its information, which is stored in a lookup table within OSSIM. This provision reduces the parsing and handling of event information, minimising parsing and collection effort, an optimisation that is particularly beneficial for a framework collecting data at such scale. Both event sets carry IP sources, targets, ports and all geographical information from the event sources as the critical identification information.
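The field reduction described for both event sets (Table 6.1 in 6.1.1 and the McAfee field table in 6.1.2), together with the ID-only scheme in which only EventID/ThreatEventID is collected and the description is pulled from a lookup table, as an added example that is not code from the thesis, MASSIF or OSSIM. It assumes the normaliser delivers each event as a dictionary keyed by the table's field names and attaches raw coordinates under assumed names <ip>Lat / <ip>Long; the lookup table contents are constructed.

```python
import ipaddress
from typing import Dict, Optional, Sequence

# Collection field lists from Table 6.1 (Windows) and the McAfee table; Geo fields are derived.
WINDOWS_FIELDS = ("InternalTimeStamp", "SensorName", "EventType", "UserName", "SourceIP",
                  "SourcePort", "DestinationIP", "DestinationPort", "EventID")
MCAFEE_FIELDS = ("AutoID", "ThreatEventID", "SourceIPv4", "TargetIPv4", "TargetUserName",
                 "TargetPort", "EventID")

# Constructed stand-in for the OSSIM lookup table: only the ID travels with the event.
EVENT_LOOKUP = {529: "Logon failure: unknown user name or bad password",
                680: "Account logon: authentication attempt via the NTLM package"}


def geo_or_empty(ip: str, coord: Optional[float]) -> str:
    """Coordinate as text, or '' for a private or unparsable IP (the Geo field rule)."""
    try:
        if ipaddress.ip_address(ip).is_private or coord is None:
            return ""
    except ValueError:
        return ""
    return str(coord)


def reduce_event(ev: Dict[str, object], fields: Sequence[str],
                 ip_fields: Sequence[str]) -> Dict[str, object]:
    """Keep only the required fields and derive <ip>GeoLat/<ip>GeoLong per IP field.
    Assumes the normaliser supplies raw coordinates as <ip>Lat / <ip>Long (assumed names)."""
    out = {k: ev.get(k, "") for k in fields}
    out["EventID"] = int(out["EventID"])
    for ip in ip_fields:
        out[ip + "GeoLat"] = geo_or_empty(ev[ip], ev.get(ip + "Lat"))
        out[ip + "GeoLong"] = geo_or_empty(ev[ip], ev.get(ip + "Long"))
    return out


def describe(event_id: int) -> str:
    """Lookup-table side of the ID-only scheme: re-attach the description at analysis time."""
    return EVENT_LOOKUP.get(event_id, "unknown EventID %d" % event_id)


def sample_windows_event(src: str, lat: float, lon: float) -> Dict[str, object]:
    """Constructed sample using values visible in Listing 6.1-1 and Table 6.1."""
    return {"InternalTimeStamp": 1325184445, "SensorName": "fb2f0416b09c5e0611ee5319",
            "EventType": "SE AUDITID UNKNOWN USER OR PWD", "UserName": "675aa07dbab86489548c99c8",
            "SourceIP": src, "SourcePort": 4958, "DestinationIP": "70.38.124.46",
            "DestinationPort": 0, "EventID": "529", "SourceIPLat": lat, "SourceIPLong": lon,
            "DestinationIPLat": 45.5, "DestinationIPLong": -73.5833, "Description": "not collected"}


if __name__ == "__main__":
    r = reduce_event(sample_windows_event("70.58.17.106", 39.9147, -105.0809),
                     WINDOWS_FIELDS, ("SourceIP", "DestinationIP"))
    print(r, describe(r["EventID"]))
```

For the McAfee set the same function is called with MCAFEE_FIELDS and the IP fields ("SourceIPv4", "TargetIPv4"); the free-text description is dropped from the collected record in both cases.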