
Events, Observables, and Indicators

Exercise 1 – Log File Observables


Introduction
The information that follows provides reference data for this exercise. After it come
several log file excerpts. These logs are documentation of events; for this exercise,
treat each log file record as an observable.

Background
Here is some background information to consider:
1. From a low-level network perspective, TCP and UDP packets carry 16-bit source and
destination port values (0 through 65535).
2. From an application perspective, the destination port of the initiating TCP packet
identifies the service being requested. Remember that port numbers are conventions,
not rules: a service can listen on any port, so a probe of a port tells you what the
sender expected to find there, not what is actually running. Common examples are SMTP,
which uses port 25, and DNS, which uses port 53. More common ports are listed after
this section.
3. An instance of a service request counts as an observable. One example would be a DNS
resolution request.

Reference Data
Port Numbers
1. Port numbers are registered with the Internet Assigned Numbers Authority (IANA).
• well known ports 0 - 1023
• registered ports 1024 - 49151
• dynamic ports 49152 - 65535
2. On UNIX systems, binding a listening socket to a well-known port (below 1024)
requires privileged access (root, or on Linux the CAP_NET_BIND_SERVICE capability).
3. To see what service the intruder is probing for, look up the destination port number.

Version 2 Beta Page 1 of 3



Common Port Targets


Common Name   Port   Protocol   Comments
ftp           21     TCP        File Transfer Protocol
SSH           22     TCP        Secure Shell
SMTP          25     TCP        Simple Mail Transfer Protocol
DNS           53     TCP/UDP    Domain Name System
Finger        79     TCP        List logged-in users
HTTP          80     TCP        WWW
NNTP          119    TCP        Network News Transfer Protocol
EPmap         135    TCP/UDP    DCE Endpoint Resolution (Windows RPC endpoint mapper)
Netbios       137    TCP/UDP    NetBIOS Name Service (Windows systems)
IMAP          143    TCP/UDP    Internet Message Access Protocol
SNMP          161    UDP        Simple Network Management Protocol
HTTPS         443    TCP        HTTP over TLS
SIP           5060   TCP/UDP    Session Initiation Protocol

Instructions
For each log file excerpt that follows, identify the observable: the service requested,
as named by the destination port. The first is done for you (SSH).

1. 20:28:01.198577 example.com.1023 > a.example.net.22: S 517152336:517152336(0)
20:28:02.271166 example.com.1023 > a.example.net.22: S 517351951:517351951(0)
20:28:03.344298 example.com.1023 > a.example.net.22: S 517711967:517711967(0)
20:28:04.428806 example.com.1023 > a.example.net.22: S 517935335:517935335(0)
20:28:55.371812 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:29:07.584478 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:29:31.944330 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:30:20.727871 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:31:16.960384 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:33:21.358015 example.com.1023 > s.example.net.22: S 558075754:558075754(0)
20:33:22.417999 example.com.1023 > s.example.net.22: S 558349983:558349983(0)
20:33:23.478315 example.com.1023 > s.example.net.22: S 558646050:558646050(0)
20:33:24.566630 example.com.1023 > s.example.net.22: S 558885784:558885784(0)

SSH, port 22. Note also that the five SYNs to l.example.net carry the same initial
sequence number (524499706) at growing intervals: they are retransmissions of a single
unanswered connection attempt, so that host never replied.
2. 03:03:07.118921 www.probing.example.com.2314 > 10.83.15.0.53: 46008 notify (40)
03:03:10.124541 www.probing.example.com.2314 > 10.83.15.0.53: 46012 notify (34)
03:03:10.465196 www.probing.example.com.2314 > 10.83.15.0.53: 46008 notify (40)
03:03:13.484387 www.probing.example.com.2314 > 10.83.15.0.53: 46012 notify (34)
03:03:18.444671 www.probing.example.com.2314 > 10.83.15.0.53: 46008 notify (40)
03:03:21.444537 www.probing.example.com.2314 > 10.83.15.0.53: 46012 notify (34)
03:04:04.762280 www.probing.example.com.2316 > 10.83.15.0.53: 46015 notify (34)
03:04:08.441675 www.probing.example.com.2316 > 10.83.15.0.53: 46015 notify (34)
03:04:13.772096 www.probing.example.com.2316 > 10.83.15.0.53: 46019 notify (37)
03:04:13.811907 www.probing.example.com.2316 > 10.83.15.0.53: 46022 notify (40)
03:04:16.441507 www.probing.example.com.2316 > 10.83.15.0.53: 46015 notify (34)
03:04:17.461841 www.probing.example.com.2316 > 10.83.15.0.53: 46022 notify (40)
03:04:17.491276 www.probing.example.com.2316 > 10.83.15.0.53: 46019 notify (37)
03:04:25.441088 www.probing.example.com.2316 > 10.83.15.0.53: 46019 notify (37)
03:04:25.481712 www.probing.example.com.2316 > 10.83.15.0.53: 46022 notify (40)

DNS, port 53 (DNS NOTIFY messages).




3. Aug 19 15:05:23.286232 218.104.174.228.4561 > xxx.xxx.xxx.32.143: S
(src OS: unknown) 3082067565:3082067565(0) win 60352
Aug 19 15:05:23.286301 218.104.174.228.4605 > xxx.xxx.xxx.57.143: S
(src OS: unknown) 1864450085:1864450085(0) win 60352
Aug 19 15:05:23.287354 218.104.174.228.4604 > xxx.xxx.xxx.56.143: S
(src OS: unknown) 2398490779:2398490779(0) win 60352
Aug 19 15:05:23.289349 218.104.174.228.4607 > xxx.xxx.xxx.59.143: S
(src OS: unknown) 1838665869:1838665869(0) win 60352
Aug 19 15:05:23.296608 218.104.174.228.4586 > xxx.xxx.xxx.42.143: S
(src OS: unknown) 3676298323:3676298323(0) win 60352
Aug 19 15:43:30.633208 218.104.174.228.1853 > xxx.xxx.xxx.82.143: S
(src OS: unknown) 3963384164:3963384164(0) win 60352
Aug 19 15:43:32.646103 218.104.174.228.1864 > xxx.xxx.xxx.93.143: S
(src OS: unknown) 158896055:158896055(0) win 60352
Aug 19 15:43:32.648599 218.104.174.228.1860 > xxx.xxx.xxx.89.143: S
(src OS: unknown) 1137124313:1137124313(0) win 60352
Aug 19 15:43:33.455173 218.104.174.228.1864 > xxx.xxx.xxx.93.143: S
(src OS: unknown) 158896055:158896055(0) win 60352

IMAP, port 143. One source sends SYNs to several hosts in the same /24 within a few
milliseconds: a horizontal scan for IMAP servers rather than a single connection.

4. U 2010/09/30 23:50:21.236653 67.21.82.4:45018 -> network_server:5060
INVITE sip:96626653000@network_server SIP/2.0..Via: SIP/2.0/UDP 67.21.82.4:
45018;rport;branch=z9hG4bK051C0283E05B4BF182275668E1F3BD15..From: 102 <sip:
102@network_server>;tag=129156506..To: <sip:96626653000@network_server>..Co
ntact: <sip:102@67.21.82.4:45018>..Call-ID: 3A1309F9-9FAC-4BE3-8B7E-9294496
D1E08@192.168.1.3..CSeq: 9999 INVITE..Max-Forwards: 70..Content-Type: appli
cation/sdp..User-Agent: X-PRO build 1101..Content-Length: 312....v=0..o=102
4272671 4272671 IN IP4 67.21.82.4..s=X-PRO..c=IN IP4 67.21.82.4..t=0 0..m=
audio 45020 RTP/AVP 0 8 3 18 98 97 101..a=rtpmap:0 pcmu/8000..a=rtpmap:8 pc
ma/8000..a=rtpmap:3 gsm/8000..a=rtpmap:18 G729/8000..a=rtpmap:98 iLBC/8000.
.a=rtpmap:97 speex/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-15

SIP, port 5060, suspicious: an unsolicited INVITE from an external address (67.21.82.4)
for the number 96626653000, with a Call-ID that references a private address
(192.168.1.3).
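As an added example (not part of the exercise itself), the following Python parses the tcpdump-style excerpts of logs 1 through 3, names the service from the destination port using the reference table above, and flags the two patterns visible in those excerpts: a SYN repeated with the same initial sequence number (an unanswered connection attempt being retransmitted) and one source sending SYNs to many hosts on the same port in a short window (a horizontal scan). The sample lines are copied from the exercise's log excerpts; the scan thresholds (5 hosts within 1 second) are assumptions chosen for this data, and the ngrep-style SIP record of log 4 is a different format that this parser does not handle.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Destination port -> service, from the reference table above.
PORT_SERVICES = {21: "ftp", 22: "SSH", 25: "SMTP", 53: "DNS", 79: "Finger", 80: "HTTP", 119: "NNTP",
                 135: "EPmap", 137: "Netbios", 143: "IMAP", 161: "SNMP", 443: "HTTPS", 5060: "SIP"}

# tcpdump-style record: [Mon DD ]HH:MM:SS.usec src.sport > dst.dport: <flags / payload summary>
LINE_RE = re.compile(r"^(?:(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) )?(?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
                     r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):(?P<rest>.*)$")
ISN_RE = re.compile(r"\b(\d+):\d+\(\d+\)")  # "isn:isn(len)" as tcpdump prints a SYN


def _logical_lines(text):
    """Re-join records that the log (or its extraction) wrapped onto a second line."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if LINE_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line  # continuation of the previous record
    return out


def parse_log(text):
    """One dict per record: time, src, sport, dst, dport, syn (bool), isn (int or None)."""
    records = []
    for line in _logical_lines(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, fmt = m["time"], "%H:%M:%S.%f"
        if m["mon"]:  # log 3 carries a "Mon DD" prefix; logs 1 and 2 do not
            stamp, fmt = f"{m['mon']} {m['day']} {stamp}", "%b %d %H:%M:%S.%f"
        tokens, isn = m["rest"].split(), ISN_RE.search(m["rest"])
        records.append({"time": datetime.strptime(stamp, fmt),
                        "src": m["src"], "sport": int(m["sport"]),
                        "dst": m["dst"], "dport": int(m["dport"]),
                        "syn": bool(tokens) and tokens[0] == "S",
                        "isn": int(isn.group(1)) if isn else None})
    return records


def identify_services(records):
    """The observable the exercise asks for: the service(s) named by the destination port."""
    return sorted({PORT_SERVICES.get(r["dport"], f"port {r['dport']}") for r in records})


def syn_retransmissions(records):
    """Same 4-tuple with the same ISN seen again: the client re-sent an unanswered SYN."""
    counts = Counter((r["src"], r["sport"], r["dst"], r["dport"], r["isn"])
                     for r in records if r["syn"] and r["isn"] is not None)
    return {key: n for key, n in counts.items() if n > 1}


def horizontal_scans(records, min_hosts=5, window=timedelta(seconds=1)):
    """One source sending SYNs to >= min_hosts distinct hosts on one port within `window`."""
    groups = defaultdict(list)
    for r in records:
        if r["syn"]:
            groups[(r["src"], r["dport"])].append(r)
    hits = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        best = 0
        for i, first in enumerate(recs):  # distinct targets inside each sliding window
            hosts = {r["dst"] for r in recs[i:] if r["time"] - first["time"] <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            hits[key] = best
    return hits


# Sample input: lines copied from the exercise's log excerpts 1 to 3 (abbreviated).
LOG1 = """\
20:28:01.198577 example.com.1023 > a.example.net.22: S 517152336:517152336(0)
20:28:55.371812 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:29:07.584478 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:29:31.944330 example.com.1023 > l.example.net.22: S 524499706:524499706(0)
20:33:21.358015 example.com.1023 > s.example.net.22: S 558075754:558075754(0)
"""
LOG2 = """\
03:03:07.118921 www.probing.example.com.2314 > 10.83.15.0.53: 46008 notify (40)
03:03:10.124541 www.probing.example.com.2314 > 10.83.15.0.53: 46012 notify (34)
"""
LOG3 = """\
Aug 19 15:05:23.286232 218.104.174.228.4561 > xxx.xxx.xxx.32.143: S
(src OS: unknown) 3082067565:3082067565(0) win 60352
Aug 19 15:05:23.286301 218.104.174.228.4605 > xxx.xxx.xxx.57.143: S
(src OS: unknown) 1864450085:1864450085(0) win 60352
Aug 19 15:05:23.287354 218.104.174.228.4604 > xxx.xxx.xxx.56.143: S
(src OS: unknown) 2398490779:2398490779(0) win 60352
Aug 19 15:05:23.289349 218.104.174.228.4607 > xxx.xxx.xxx.59.143: S
(src OS: unknown) 1838665869:1838665869(0) win 60352
Aug 19 15:05:23.296608 218.104.174.228.4586 > xxx.xxx.xxx.42.143: S
(src OS: unknown) 3676298323:3676298323(0) win 60352
Aug 19 15:43:32.646103 218.104.174.228.1864 > xxx.xxx.xxx.93.143: S
(src OS: unknown) 158896055:158896055(0) win 60352
Aug 19 15:43:33.455173 218.104.174.228.1864 > xxx.xxx.xxx.93.143: S
(src OS: unknown) 158896055:158896055(0) win 60352
"""
```

Running parse_log on each sample and passing the result to the three functions reproduces the answers above: SSH with the l.example.net SYN retransmitted, DNS with no SYNs at all (the records are NOTIFY messages, not connection attempts), and IMAP with one source reaching five hosts in the same second. Retransmission is detected on the ISN rather than on timing because the ISN is what a fresh connection attempt would change; the window and host count for scans are the knobs a practitioner tunes per network.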

