Question
Question-1 Log data offer clues about activities that have unexpected and possibly harmful consequences. The following parsed and normalized firewall log entries indicate a possible malware infection and data exfiltration. The entries show a workstation making connections to Internet address 93.177.168.141 and receiving and sending data over TCP port 16115.
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:12 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 msg="Connection Opened" n=404916 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:29 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 msg="Connection Closed" n=539640 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=735 rcvd=442
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:42 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 msg="Connection Opened" n=404949 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:54:30 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 msg="Connection Closed" n=539720 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=9925 rcvd=639
a) Describe what is happening.
b) Is the log information useful? Why or why not?
c) Research the destination IP address (dst) and the protocol/port (proto) used for communication.
d) Can you find any information that substantiates a malware infection and data exfiltration?
e) What would you recommend as next steps?
Explanation / Answer
a. Describe what is happening.
The log data describe that a connection was made and transfer of data took place twice.
id- denotes the application/rule id,
sn- socket info,
time- in UTC when the request is processed/executed,
fw- Firewall WAN IP,
pri- priority of request,
c- Legacy category,
m- Message ID, (the bandwidth fields are 'rcvd=' and 'sent=')
msg- Description of m,
n- Message Count
src- source IP:port
dst- destination IP:port
proto- Protocol details, i.e. TCP/IP, FTP and so on.
b. Is the log information useful? Why or why not?
Yes, the log information is useful. It describes that the messages were received successfully at the destination. The system admin can figure out the problem and resolve it by seeing the logs. That's the reason all applications maintain logs: to backtrack and also for debugging any error and resolving it.
Example: "c=64" always coincides with "m=36" msg="TCP connection dropped." So the admin will re-establish the connection.
c=1024 m=537 msg="Connection Closed"
c. Research the destination IP address (dst) and the protocol/port (proto) used for communication.
Destination IP=93.177.168.141
Port=16115
Application=X1
d. No. From the given log entries I didn't find any entries of a malware infection and data exfiltration, though the sent and received ratio is imbalanced.
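As an added example (not part of the question or of the answer above), the following Python script parses the four entries shown, pairs each "Connection Opened" with its "Connection Closed" by source/destination address and port, totals the bytes in each direction, and flags connections whose outbound volume far exceeds the inbound volume, which is the imbalance the answer points to. The field handling follows only what the entries show, and the byte and ratio thresholds are assumed values a reviewer would tune for their own environment.

```python
import re
from collections import defaultdict

# Constructed sample: the four firewall entries from the question, one per line.
LOG_LINES = [
    'id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:12 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 '
    'msg="Connection Opened" n=404916 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115',
    'id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:29 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 '
    'msg="Connection Closed" n=539640 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=735 rcvd=442',
    'id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:42 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 '
    'msg="Connection Opened" n=404949 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115',
    'id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:54:30 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 '
    'msg="Connection Closed" n=539720 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=9925 rcvd=639',
]
# "src=10.1.1.1 (workstation) :49427:X0" -> ip, optional hostname, port, interface
ENDPOINT_RE = re.compile(r"\b(src|dst)=(\d+(?:\.\d+){3})(?: \([^)]*\))? :(\d+):(\w+)")
# Generic key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_entry(line):
    """Parse one normalized entry; src/dst become (ip, port, interface) tuples."""
    fields = {}
    for m in ENDPOINT_RE.finditer(line):
        fields[m.group(1)] = (m.group(2), int(m.group(3)), m.group(4))
    for key, val in KV_RE.findall(ENDPOINT_RE.sub("", line)):
        fields[key] = val.strip('"')
    return fields

def summarize_flows(lines):
    """Pair Opened/Closed entries per (src ip, src port, dst ip, dst port, proto)."""
    flows = defaultdict(lambda: {"opened": None, "closed": None, "sent": 0, "rcvd": 0})
    for e in map(parse_entry, lines):
        key = (e["src"][0], e["src"][1], e["dst"][0], e["dst"][1], e["proto"])
        if e.get("msg") == "Connection Opened":
            flows[key]["opened"] = e["time"]
        elif e.get("msg") == "Connection Closed":
            flows[key]["closed"] = e["time"]
            flows[key]["sent"] += int(e.get("sent", 0))  # workstation -> Internet
            flows[key]["rcvd"] += int(e.get("rcvd", 0))  # Internet -> workstation
    return dict(flows)

def flag_exfil_candidates(flows, min_sent=1024, min_ratio=3.0):
    """Return flows whose outbound bytes dwarf inbound bytes (thresholds are assumed)."""
    hits = []
    for key, f in flows.items():
        ratio = f["sent"] / max(f["rcvd"], 1)
        if f["sent"] >= min_sent and ratio >= min_ratio:
            hits.append((key, f["sent"], f["rcvd"], round(ratio, 1)))
    return hits
```

Run against the sample, only the second connection (source port 49430, 9925 bytes sent against 639 received) is flagged, which matches the imbalance noted in the answer without by itself proving exfiltration.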