See the solution in Explanation.
Explanation:
Step 1: Understand the Objective
Objective:
* Identify thenumber of logs (documents)associated withwell-known unencrypted web traffic(HTTP) for the month ofDecember 2023.
* Security Onionrefers to logs asdocuments.
* Unencrypted Web Traffic:
* Typically HTTP, usingport 80.
* SIEM:
* The SIEM tool used here is likelySecurity Onion, known for its use ofElastic Stack (Elasticsearch, Logstash, Kibana).
Step 2: Access the SIEM System
2.1: Credentials and Access
* URL:
cpp
https://10.10.55.2
* Username:
css
[email protected]* Password:
pg
Security-Analyst!
* Open the SIEM interface in a browser:
firefox https://10.10.55.2
* Alternative:Access via SSH:
ssh
[email protected]* Password:
pg
Security-Analyst!
Step 3: Navigate to the Logs in Security Onion
3.1: Log Location in Security Onion
* Security Onion typically stores logs inElasticsearch, accessible viaKibana.
* AccessKibanadashboard:
cpp
https://10.10.55.2:5601
* Login with the same credentials.
Step 4: Query the Logs (Documents) in Kibana
4.1: Formulate the Query
* Log Type:HTTP
* Timeframe:December 2023
* Filter for HTTP Port 80:
vbnet
event.dataset: "http" AND destination.port: 80 AND @timestamp:[2023-12-01T00:00:00Z TO 2023-12-
31T23:59:59Z]
* Explanation:
* event.dataset: "http": Filters logs labeled as HTTP traffic.
* destination.port: 80: Ensures the traffic is unencrypted (port 80).
* @timestamp: Specifies the time range forDecember 2023.
4.2: Execute the Query
* Go toKibana > Discover.
* Set theTime RangetoDecember 1, 2023 - December 31, 2023.
* Enter the above query in thesearch bar.
* Click"Apply".
Step 5: Count the Number of Logs (Documents)
5.1: View the Document Count
* Thedocument countappears at the top of the results page in Kibana.
* Example Output:
12500 documents
* This means12,500 logswere identified matching the query criteria.
5.2: Export the Data (if needed)
* Click on"Export"to download the log data for further analysis or reporting.
* Choose"Export as CSV"if required.
Step 6: Verification and Cross-Checking
6.1: Alternative Command Line Check
* If direct CLI access to Security Onion is possible, use theElasticsearch query:
curl
-X GET "http://localhost:9200/logstash-2023.12*/_count" -H 'Content-Type: application/json' -d '
{
"query": {
"bool": {
"must": [
{ "match": { "event.dataset": "http" }},
{ "match": { "destination.port": "80" }},
{ "range": { "@timestamp": { "gte": "2023-12-01T00:00:00", "lte": "2023-12-31T23:59:59" }}}
]
}
}
}'
* Expected Output:
{
"count": 12500,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
}
}
* Confirms the count as12,500 documents.
Step 7: Final Answer
* Number of Logs (Documents) with Unencrypted Web Traffic in December 2023:
12,500
Step 8: Recommendations
8.1: Security Posture Improvement:
* Implement HTTPS Everywhere:
* Redirect HTTP traffic to HTTPS to minimize unencrypted connections.
* Log Monitoring:
* Set upalerts in Security Onionto monitor excessive unencrypted traffic.
* Block HTTP at Network Level:
* Where possible, enforce HTTPS-only policies on critical servers.
* Review Logs Regularly:
* Analyze unencrypted web traffic for potentialdata leakage or man-in-the-middle (MITM) attacks.
