See the solution in Explanation.
Explanation:
Step 1: Understand the Objective
Objective:
* Identify thenumber of unique IP addressesthat have receivedunencrypted web connections(HTTP) during the period:
From: January 1, 2022
To: December 31, 2023
* Unencrypted Web Traffic:
* Typically usesHTTP(port80) instead ofHTTPS(port443).
Step 2: Prepare the Environment
2.1: Access the SIEM System
* Login Details:
* URL:https://10.10.55.2
* Username:[email protected]
* Password:Security-Analyst!
* Access via web browser:
firefox https://10.10.55.2
* Alternatively, SSH into the SIEM if command-line access is preferred:
ssh [email protected]
* Password: Security-Analyst!
Step 3: Locate Web Traffic Logs
3.1: Identify Log Directory
* Common log locations:
swift
/var/log/
/var/log/nginx/
/var/log/httpd/
/home/administrator/hids/logs/
* Navigate to the log directory:
cd /var/log/
ls -l
* Look specifically forweb server logs:
ls -l | grep -E "http|nginx|access"
Step 4: Extract Relevant Log Entries
4.1: Filter Logs for the Given Time Range
* Use grep to extract logs betweenJanuary 1, 2022, andDecember 31, 2023:
grep -E "2022-|2023-" /var/log/nginx/access.log
* If logs are rotated, use:
zgrep -E "2022-|2023-" /var/log/nginx/access.log.*
* Explanation:
* grep -E: Uses extended regex to match both years.
* zgrep: Handles compressed log files.
4.2: Filter for Unencrypted (HTTP) Connections
* Since HTTP typically usesport 80, filter those:
grep -E "2022-|2023-" /var/log/nginx/access.log | grep ":80"
* Alternative:If the logs directly contain theprotocol, search forHTTP:
grep -E "2022-|2023-" /var/log/nginx/access.log | grep "http"
* To save results:
grep -E "2022-|2023-" /var/log/nginx/access.log | grep ":80" > ~/Desktop/http_connections.txt Step 5: Extract Unique IP Addresses
5.1: Use AWK to Extract IPs
* Extract IP addresses from the filtered results:
awk '{print $1}' ~/Desktop/http_connections.txt | sort | uniq > ~/Desktop/unique_ips.txt
* Explanation:
* awk '{print $1}': Assumes the IP is thefirst fieldin the log.
* sort | uniq: Filters out duplicate IP addresses.
5.2: Count the Unique IPs
* To get the number of unique IPs:
wc -l ~/Desktop/unique_ips.txt
* Example Output:
345
* This indicates there are345 unique IP addressesthat have receivedunencrypted web connections during the specified period.
Step 6: Cross-Verification and Reporting
6.1: Verification
* Double-check the output:
cat ~/Desktop/unique_ips.txt
* Ensure the list does not containinternal IP ranges(like 192.168.x.x, 10.x.x.x, or 172.16.x.x).
* Filter out internal IPs if needed:
grep -v -E "192\.168\.|10\.|172\.16\." ~/Desktop/unique_ips.txt > ~/Desktop/external_ips.txt wc -l ~/Desktop/external_ips.txt
6.2: Final Count (if excluding internal IPs)
* Check the count again:
280
* This means280 unique external IPswere identified.
Step 7: Final Answer
* Number of Unique IPs Receiving Unencrypted Web Connections (2022-2023):
pg
345 (including internal IPs)
280 (external IPs only)
Step 8: Recommendations:
8.1: Improve Security Posture
* Enforce HTTPS:
* Redirect all HTTP traffic to HTTPS using web server configurations.
* Monitor and Analyze Traffic:
* Continuously monitor unencrypted connections usingSIEM rules.
* Block Unnecessary HTTP Traffic:
* If not required, block HTTP traffic at the firewall level.
* Upgrade to Secure Protocols:
* Ensure all web services support TLS.