Detection & Response Labs
Log analysis, SIEM basics, incident detection, and response exercises
Chapter 8: Detection & Response Labs
Lab Overview
These labs focus on defensive techniques: detecting attacks and responding to incidents.
Lab 8.1: Log Analysis Fundamentals
Objective
Analyze common log formats for security events.
Difficulty: Beginner | Time: 30 minutes
Instructions
Part 1: Auth Log Analysis
# View authentication logs (Linux)
sudo cat /var/log/auth.log | tail -50
# Failed SSH logins
grep "Failed password" /var/log/auth.log
# Successful logins
grep "Accepted" /var/log/auth.log
# Count failed by IP
grep "Failed password" /var/log/auth.log | \
awk '{print $(NF-3)}' | sort | uniq -c | sort -rnPart 2: Web Log Analysis
# Apache/Nginx access log
cat /var/log/apache2/access.log | tail -50
# Find 404 errors (potential scanning)
grep " 404 " /var/log/apache2/access.log | wc -l
# Find large requests (potential attacks)
awk '{print $10}' /var/log/apache2/access.log | sort -rn | head
# Top IP addresses
awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | headPart 3: Key Patterns
Security Log Patterns to Monitor:
Authentication:
- Multiple failed logins (brute force)
- Login from unusual location/time
- Account lockouts
Web:
- 404 floods (scanning)
- SQL injection attempts ('UNION, SELECT)
- Path traversal (../)
System:
- sudo usage
- New user creation
- Service starts/stopsVerification
- Analyzed auth logs
- Analyzed web logs
- Identified attack patterns
Lab 8.2: Zeek (Bro) Analysis
Objective
Use Zeek for network security monitoring.
Difficulty: Intermediate | Time: 45 minutes
Instructions
Part 1: Generate Zeek Logs
# Process pcap with Zeek
zeek -r capture.pcap
# Generated logs:
ls *.log
# conn.log - Connections
# dns.log - DNS queries
# http.log - HTTP transactions
# ssl.log - TLS connectionsPart 2: Analyze Logs
# Connection summary
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto | sort | uniq -c | sort -rn | head
# DNS queries
cat dns.log | zeek-cut query | sort | uniq -c | sort -rn | head
# HTTP analysis
cat http.log | zeek-cut host uri | head
# TLS certificates
cat ssl.log | zeek-cut server_name issuer | headPart 3: Detection Queries
# Find potential beaconing (regular connections)
cat conn.log | zeek-cut id.orig_h id.resp_h | sort | uniq -c | sort -rn | head -20
# Long connections (possible C2)
cat conn.log | zeek-cut duration id.orig_h id.resp_h | sort -rn | head
# Large transfers (possible exfiltration)
cat conn.log | zeek-cut orig_bytes id.orig_h id.resp_h | sort -rn | headVerification
- Processed pcap with Zeek
- Analyzed connection logs
- Identified anomalies
Lab 8.3: SIEM Basics with ELK
Objective
Set up basic log aggregation and search.
Difficulty: Intermediate | Time: 60 minutes
Instructions
Part 1: Quick ELK Setup
# Using Docker for quick setup
docker-compose up -d
# docker-compose.yml example:
version: '3'
services:
elasticsearch:
image: elasticsearch:7.17.0
environment:
- discovery.type=single-node
ports:
- 9200:9200
kibana:
image: kibana:7.17.0
ports:
- 5601:5601Part 2: Ingest Logs
# Send logs to Elasticsearch
cat /var/log/auth.log | while read line; do
curl -X POST "localhost:9200/auth-logs/_doc" \
-H "Content-Type: application/json" \
-d "{\"message\": \"$line\", \"@timestamp\": \"$(date -Iseconds)\"}"
donePart 3: Search in Kibana
Navigate to: http://localhost:5601
1. Create index pattern: auth-logs*
2. Search queries:
- message: "Failed password"
- message: "Accepted" AND message: "root"
3. Create visualization:
- Failed logins over time
- Top source IPsVerification
- Set up ELK stack
- Ingested logs
- Created searches/visualizations
Lab 8.4: Attack Detection
Objective
Detect specific attacks in captured traffic.
Difficulty: Intermediate | Time: 45 minutes
Instructions
Part 1: Port Scan Detection
# In Zeek logs
# Many connections from single source to many ports
cat conn.log | zeek-cut id.orig_h id.resp_p | \
sort | uniq | cut -f1 | uniq -c | sort -rn | head
# Source with >20 different dest ports = likely scanPart 2: Brute Force Detection
# Many connections to same port from same source
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | \
grep ":22$\|:3389$" | sort | uniq -c | sort -rn | head
# High count = potential brute forcePart 3: C2 Detection
# Beaconing: Regular interval connections
# Use RITA for automated detection
rita import zeek_logs/ -i mydb
rita show-beacons mydb
# Manual check: connections at regular intervalsDetection Queries Summary
| Attack | Detection Method |
|---|---|
| Port Scan | Many dest ports from one source |
| Brute Force | Many connections to auth ports |
| C2 Beacon | Regular interval connections |
| Exfiltration | Large outbound transfers |
| DNS Tunnel | Long DNS queries, high volume |
Verification
- Detected port scan pattern
- Detected brute force pattern
- Analyzed for beaconing
Lab 8.5: Incident Response Simulation
Objective
Practice incident response procedures.
Difficulty: Intermediate | Time: 45 minutes
Instructions
Part 1: Scenario Setup
SCENARIO: Suspected Compromise
Alert: High volume of DNS queries to suspicious domain
System: workstation-42 (192.168.1.42)
Time: 2024-01-15 14:30 UTC
Initial indicators:
- 1000+ DNS queries to random.evil.com
- Queries contain long, encoded subdomains
- Pattern suggests DNS tunnelingPart 2: Investigation Steps
# 1. Preserve evidence
tcpdump -i eth0 host 192.168.1.42 -w evidence.pcap &
# 2. Check DNS queries
cat dns.log | grep 192.168.1.42 | zeek-cut query | head -50
# 3. Check connections
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | grep 192.168.1.42
# 4. Timeline
cat conn.log | zeek-cut ts id.orig_h id.resp_h | grep 192.168.1.42 | sortPart 3: Containment
# Block at firewall
iptables -A OUTPUT -d evil.com -j DROP
iptables -A INPUT -s 192.168.1.42 -j DROP
# Document actions
echo "$(date): Blocked evil.com, isolated 192.168.1.42" >> incident.logPart 4: Documentation
Incident Report Template:
Incident ID: INC-2024-001
Date/Time: 2024-01-15 14:30 UTC
Affected System: workstation-42
Type: DNS Tunneling / Possible C2
Timeline:
14:30 - Alert triggered
14:35 - Investigation started
14:45 - Confirmed DNS tunneling
14:50 - Host isolated
15:00 - Forensic capture initiated
Indicators:
- 1247 DNS queries to evil.com
- Average query length: 67 characters
- High entropy subdomains
Actions Taken:
1. Network isolation
2. DNS block
3. Evidence preservation
Next Steps:
1. Forensic analysis
2. Determine initial access
3. Scope assessmentVerification
- Followed investigation steps
- Documented findings
- Implemented containment
- Created incident report
Lab 8.6: Creating Detection Rules
Objective
Write custom detection rules.
Difficulty: Intermediate | Time: 30 minutes
Instructions
Part 1: Sigma Rule
# dns_tunneling.yml
title: DNS Tunneling Detection
status: experimental
description: Detects potential DNS tunneling based on query characteristics
logsource:
category: dns
detection:
selection:
query|re: '.{50,}\.' # Long subdomain
condition: selection
fields:
- query
- src_ip
falsepositives:
- CDN domains
level: medium
tags:
- attack.command_and_control
- attack.t1071.004Part 2: Snort/Suricata Rule
# DNS tunneling
alert dns any any -> any any (msg:"Possible DNS Tunneling - Long Query";
dns.query; content:"."; offset:50;
threshold:type threshold, track by_src, count 10, seconds 60;
classtype:trojan-activity; sid:1000100; rev:1;)
# Port scan
alert tcp any any -> any any (msg:"Port Scan Detected";
flags:S; threshold:type both, track by_src, count 20, seconds 10;
classtype:attempted-recon; sid:1000101; rev:1;)Part 3: Test Rules
# Test Sigma rule
sigmac -t splunk dns_tunneling.yml
# Test Suricata rule
suricata -T -c /etc/suricata/suricata.yaml -S custom.rulesVerification
- Wrote Sigma rule
- Wrote IDS rule
- Tested rule syntax
Lab Summary
Skills Acquired
- Log analysis techniques
- Zeek network analysis
- SIEM basics
- Attack detection patterns
- Incident response procedures
- Detection rule creation
Defense Toolbox
| Tool | Purpose |
|---|---|
| Zeek | Network monitoring |
| RITA | Beacon detection |
| ELK | Log aggregation |
| Sigma | Detection rules |
| Suricata | Network IDS |