Using Log Data to Identify Indicators of Compromise
Question
Log data offer clues about activities that have unexpected, and possibly harmful, consequences. The following parsed and normalized firewall log entries indicate a possible malware infection and data exfiltration. The entries show a workstation making connections to Internet address 93.177.168.141 and receiving and sending data over TCP port 16115.

id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:12 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 msg="Connection Opened" n=404916 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:29 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 msg="Connection Closed" n=539640 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=735 rcvd=442
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:42 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 msg="Connection Opened" n=404949 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:54:30 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 msg="Connection Closed" n=539720 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=9925 rcvd=639
1. Describe what is happening.
2. Is the log information useful? Why or why not?
3. Research the destination IP address (dst) and the protocol/port (proto) used for communication.
4. Can you find any information that substantiates a malware infection and data exfiltration?
5. What would you recommend as next steps?
Explanation / Answer
1. Here the affected source computer is 10.1.1.1, and the port number is 49430, which is a private port.
2. The destination IP address 93.177.168.141 belongs to Tbilisi, Georgia, and the owner of this IP is Caucasus Online LLC, one of the largest Internet service providers in Georgia.
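To substantiate questions 1 and 4 from the log itself rather than from WHOIS alone, the following script is an added example (not from the page, the answer above, or the textbook the exercise comes from). It parses the four key=value firewall entries quoted in the question, pairs each "Connection Opened" with its "Connection Closed" on the src/dst/port/proto tuple, and then scores the destination for the indicators a responder would check: an external (globally routable) destination, a port a workstation has no business using, an upload-heavy byte ratio, and repeated connections. The sample log is constructed from the entries above; the port allowlist and the 5:1 sent/received threshold are assumptions, not values from the page.

```python
"""Parse SonicWall-style key=value firewall entries, stitch Opened/Closed
pairs into sessions, and flag exfiltration indicators (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: the four entries from the question, one per line,
# with straight quotes; the page's "(workstation)" annotation is kept.
SAMPLE_LOG = """\
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:12 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 msg="Connection Opened" n=404916 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:29 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 msg="Connection Closed" n=539640 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=735 rcvd=442
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:53:42 UTC" fw=255.255.255.1 pri=6 c=262144 m=98 msg="Connection Opened" n=404949 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115
id=firewall sn=xxxxxxxxxxxx time="2013-04-02 11:54:30 UTC" fw=255.255.255.1 pri=6 c=1024 m=537 msg="Connection Closed" n=539720 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=9925 rcvd=639
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# src=IP[ (label) ]:PORT:IFACE, tolerant of the "(workstation)" annotation.
ENDPOINT_RE = re.compile(
    r'\b(?P<key>src|dst)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
    r'(?:\s*\([^)]*\))?\s*:(?P<port>\d+)(?::(?P<iface>\w+))?')

EXPECTED_PORTS = {53, 80, 123, 443, 587, 993}  # assumed workstation allowlist
OUT_IN_RATIO = 5.0  # assumed threshold: sent/rcvd above this is upload-shaped


def parse_entry(line):
    """Return a dict of fields from one key=value log line."""
    fields = {k: q or u for k, q, u in KV_RE.findall(line)}
    for m in ENDPOINT_RE.finditer(line):  # split src/dst into ip, port, iface
        k = m.group("key")
        fields[k] = m.group("ip")
        fields[k + "_port"] = int(m.group("port"))
        fields[k + "_iface"] = m.group("iface")
    for k in ("sent", "rcvd"):
        if k in fields:
            fields[k] = int(fields[k])
    fields["ts"] = datetime.strptime(fields["time"].replace(" UTC", ""),
                                     "%Y-%m-%d %H:%M:%S")
    return fields


@dataclass
class Session:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    opened: datetime = None
    closed: datetime = None
    sent: int = 0
    rcvd: int = 0

    @property
    def duration_s(self):
        if self.opened and self.closed:
            return (self.closed - self.opened).total_seconds()
        return None


def build_sessions(log_text):
    """Pair Opened/Closed entries on the 5-tuple; return sessions by open time."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_entry(line)
        key = (f["src"], f["src_port"], f["dst"], f["dst_port"], f["proto"])
        s = sessions.setdefault(key, Session(*key))
        if f["msg"] == "Connection Opened":
            s.opened = f["ts"]
        elif f["msg"] == "Connection Closed":
            s.closed = f["ts"]
            s.sent, s.rcvd = f.get("sent", 0), f.get("rcvd", 0)
    return sorted(sessions.values(), key=lambda s: s.opened or s.closed)


def assess(sessions):
    """Aggregate per (src, dst, port, proto) and attach indicator flags."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.src, s.dst, s.dst_port, s.proto)].append(s)
    findings = []
    for (src, dst, port, proto), ss in groups.items():
        sent, rcvd = sum(s.sent for s in ss), sum(s.rcvd for s in ss)
        flags = []
        if ip_address(dst).is_global:
            flags.append("external destination")
        if port not in EXPECTED_PORTS:
            flags.append(f"non-standard port {port}")
        if rcvd and sent / rcvd > OUT_IN_RATIO:
            flags.append("upload-heavy (possible exfiltration)")
        if len(ss) > 1:
            flags.append(f"{len(ss)} repeated connections")
        findings.append({"src": src, "dst": dst, "port": port, "proto": proto,
                         "connections": len(ss), "sent": sent, "rcvd": rcvd,
                         "flags": flags})
    return findings


if __name__ == "__main__":
    for f in assess(build_sessions(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['proto']}): "
              f"{f['connections']} conn, sent={f['sent']} rcvd={f['rcvd']}, "
              f"flags={f['flags']}")
```

On the four entries this yields one finding: 10,660 bytes sent against 1,081 received over two connections to 93.177.168.141 on tcp/16115, with all four flags raised. That byte asymmetry, a destination outside the organization, and an ephemeral-to-high-port pattern are what a responder would cite when escalating the host for isolation and forensic imaging; the ISP and geolocation from WHOIS add context but do not by themselves prove infection.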