Question
UNIX:
The data file is comprised of a header, followed by lines containing firewall events. You can view the head of the file with the following command:
cat firewall.log | head
OUTPUT OF COMMAND:
#Version 1.5
#Software: Microsoft Windows Firewall
#Time Format: local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2018-05-25 11:47:02 FORWARD TCP 11.100.6.64 10.202.41.103 2176 7 953880
2018-02-22 03:34:00 FORWARD UDP 11.102.7.64 10.202.40.101 2075 65 116445
2018-03-20 04:47:11 REJECT UDP 9.102.8.65 10.202.41.101 2189 97 985631
2018-11-08 14:14:47 REJECT TCP 10.101.8.64 10.202.40.103 2158 63 164259
2018-07-24 22:46:54 REJECT TCP 11.100.6.65 10.202.41.103 2089 61 991882
TIP:
If you find yourself with a massive number of lines printing to the terminal, pressing CTRL-C will stop the output of the file.
QUESTION 1: (10 points)
Write a command to count the number of firewall events in the file. Your command should exclude the header using a simple regular expression.
Notice that the firewall event fields are delineated by a single space and contain the following data points: date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size
QUESTION 2: (10 points)
Write a command to count the number of unique values in the src-ip field.
The date field follows the format YYYY-MM-DD; the month and day values are padded to 2 characters.
QUESTION 3: (20 points)
Write a command to count the number of events that match these conditions:
- The event occurred in August 2018 OR on July 4th 2018 (2018-08-xx OR 2018-07-04)
- The dst-port field is either 80 or 443
- The action field is ACCEPT
The time field follows the format HH:MM:SS.
QUESTION 4: (20 points)
Write a command to count the number of events that meet these criteria:
- The event occurred between midnight and 3 AM (00:00:00 to 03:00:00)
- The dst-port is 22
- The action is DROP
- The protocol is TCP
For the last remaining question in part 1, recall that man pages provide details on available arguments for the majority of programs on a Linux computer.
QUESTION 5: (20 points)
Write a command to display the src-ip value for events that match the following criteria:
- The size field is less than or equal to 500
- The dst-ip field starts with 10.202.40
Part 2 - 20 points
For this part, you will need to make use of the sort, tail and/or head programs. Study the man pages for these programs to assist you with answering this question.
QUESTION 6: (10 points each)
Write a command to print the date and time of the earliest event in the firewall.log file.
Create a second command to print the date and time of the latest event in the file.
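The techniques the questions above call for (excluding the header with a regex, selecting fields by position with awk, collapsing duplicates with sort/uniq, filtering on zero-padded date and time strings, and using sort with head/tail for earliest/latest), shown on a constructed six-line sample in the same #Fields layout. This is an added example, not part of the original question or its answer key; the sample log, the file path and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample in the firewall.log layout described above (not the course's real file).
LOG="${TMPDIR:-/tmp}/firewall_sample.log"
cat > "$LOG" <<'EOF'
#Version 1.5
#Software: Microsoft Windows Firewall
#Time Format: local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2018-05-25 11:47:02 FORWARD TCP 11.100.6.64 10.202.41.103 2176 7 953880
2018-08-03 02:15:09 ACCEPT TCP 10.101.8.64 10.202.40.101 2158 443 320
2018-07-04 12:00:00 ACCEPT UDP 11.102.7.64 10.202.41.101 2075 80 116445
2018-01-09 01:59:59 DROP TCP 9.102.8.65 10.202.40.103 2189 22 400
2018-11-08 03:00:00 DROP TCP 10.101.8.64 10.202.40.103 2158 22 164259
2018-03-20 04:47:11 REJECT UDP 9.102.8.65 10.202.41.101 2189 97 985631
EOF

# Header lines start with '#', event lines start with a digit: ^[0-9] excludes the header.
count_events() { grep -c '^[0-9]' "$LOG"; }

# Field 5 is src-ip; sort -u keeps one copy of each value, wc -l counts them (tr strips BSD wc padding).
count_unique_src() { awk '/^[0-9]/ { print $5 }' "$LOG" | sort -u | wc -l | tr -d ' '; }

# Date in August 2018 or exactly 2018-07-04, dst-port (field 8) 80 or 443, action (field 3) ACCEPT.
count_web_accepts() {
  awk '($1 ~ /^2018-08-/ || $1 == "2018-07-04") && ($8 == 80 || $8 == 443) && $3 == "ACCEPT"' "$LOG" \
    | wc -l | tr -d ' '
}

# Zero-padded HH:MM:SS compares correctly as a string; the 03:00:00 boundary is treated as inclusive here.
count_night_ssh_drops() {
  awk '/^[0-9]/ && $2 >= "00:00:00" && $2 <= "03:00:00" && $8 == 22 && $3 == "DROP" && $4 == "TCP"' "$LOG" \
    | wc -l | tr -d ' '
}

# size (field 9) <= 500 and dst-ip (field 6) under 10.202.40; dots are escaped because '.' matches any character.
small_to_subnet_src() { awk '/^[0-9]/ && $9 <= 500 && $6 ~ /^10\.202\.40\./ { print $5 }' "$LOG"; }

# ISO date+time sorts chronologically as plain text, so plain sort with head/tail gives earliest/latest.
earliest_event() { grep '^[0-9]' "$LOG" | sort | head -n 1 | awk '{ print $1, $2 }'; }
latest_event()   { grep '^[0-9]' "$LOG" | sort | tail -n 1 | awk '{ print $1, $2 }'; }
```

Each function prints its result, so calling e.g. `count_web_accepts` after sourcing the file runs the corresponding pipeline on the sample.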