Mongodb Incidence Response

University of Central Florida, STARS, Electronic Theses and Dissertations, 2004-2019 (2016)

MongoDB Incidence Response
Cory Morales, University of Central Florida
Part of the Forensic Science and Technology Commons

Find similar works at: https://stars.library.ucf.edu/etd
University of Central Florida Libraries: http://library.ucf.edu

This Masters Thesis (Open Access) is brought to you for free and open access by STARS. It has been accepted for inclusion in Electronic Theses and Dissertations, 2004-2019 by an authorized administrator of STARS. For more information, please contact [email protected].

STARS Citation: Morales, Cory, "MongoDB Incidence Response" (2016). Electronic Theses and Dissertations, 2004-2019. 5327. https://stars.library.ucf.edu/etd/5327

MONGODB INCIDENCE RESPONSE
by CORY MORALES
University of Central Florida, 2016

A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in the Department of Computer Science in the College of Engineering and Computer Science at the University of Central Florida, Orlando, Florida. Spring Term 2016. Major Professor: Cliff Zou

© 2016 Cory Morales

ABSTRACT

NoSQL (Not only SQL) databases have been gaining popularity over the last few years. Companies as large as Expedia, Shutterfly, MetLife, and Forbes use NoSQL databases to manage data on different projects. These databases can contain a variety of information, ranging from non-proprietary data to personally identifiable information such as social security numbers. Databases run the risk of cyber intrusion at all times. This paper gives a brief explanation of NoSQL and thoroughly explains a method of incident response for MongoDB, a NoSQL database. The method is an automated process built around a new, self-built software tool that analyzes MongoDB audit logs and generates an HTML page with indicators showing possible intrusions and activity on the MongoDB instance.
When dealing with NoSQL databases there is a lot more to consider than with traditional RDBMSs, and since there is not much out-of-the-box support, forensic tools can be very helpful.

DEDICATION

This thesis is dedicated to my wife Lilia and newborn son Maksim, whose support inspired me to pursue and complete this project.

ACKNOWLEDGMENTS

I would like to thank my thesis advisor, Dr. Sheau-Dong Lang, for pushing my project to higher levels. Without his continuous guidance this thesis would not have been possible.

TABLE OF CONTENTS

LIST OF FIGURES
CHAPTER ONE: INTRODUCTION
CHAPTER TWO: BACKGROUND AND RELATED WORKS
    MongoDB Auditing System
        Evaluating Boolean expressions
    Related Works – Articles
        Murugesan, P, Ray, I. (2014). Audit Log Management in MongoDB
        Kent, K, Souppaya, M. (Sep. 2006). Guide to Computer Security Log Management.
        Okman, L, Gal-Oz, N, Abramov, J. (2011). Security Issues in NoSql Databases
        King, J. (2013). Measuring the Forensic-Ability of Audit Logs for Nonrepudiation
    Related Works – Tools
        Edda: a log visualizer for MongoDB
        mtools
        Idp Audit Log Analysis Tool
        Splunk Light
CHAPTER THREE: METHODOLOGY
    Home page
    Latest Events
    General Stats
    Failed Attempts
    Log Analysis/Alerts
    User Activity Reports
    Export Report
    Search
    Useful Queries
    Timing and Optimization of the Search Algorithm
        Algorithm that loops through log once
        Using Selectivity to Enhance Expression Short Circuiting
CHAPTER FOUR: CASE STUDIES
    Scope
    Case Information
    Method
        Steps
    PHP injection vulnerability
CHAPTER FIVE: RESULTS AND OUTCOME
CHAPTER SIX: CONCLUSION
LIST OF REFERENCES

LIST OF FIGURES

Figure 1: Figure 2 from "Efficiently Evaluating Complex Boolean Expressions", displaying an example of a BE tree with Dewey ID labels. The special symbol * indicates the last child of an AND node.
Figure 2: Search query expressed in a tree format
Figure 3: User interface of Edda
Figure 4: Mplotqueries command line and visual representation
Figure 5: Idp Audit Log Analysis command line
Figure 6: Search page of Splunk Light
Figure 7: Shutdowns query being used in the tool. Design inspired by Angular Query Builder (Fauveau, 2014)
Figure 8: Plot chart for simple query
Figure 9: Plot chart of a two-condition query against logs of different sizes
Figure 10: Plot chart of short circuiting vs. no short circuiting on a large log
Figure 11: Zenmap checking that the MongoDB port is open
Figure 12: Zenmap trying to retrieve build information and system information
Figure 13: Zenmap retrieving service information on port 27017
Figure 14: Zenmap checking if the mongo simple HTTP interface is running
Figure 15: Attacker connecting to MongoDB server and failing to list databases
Figure 16: HTML/JavaScript malware that was written to build attacking script
Figure 17: Attacker
