自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

OSSEC日志泛化及告警規(guī)則配置

作者:blackrat
安全
OSSEC是一款開源的多平臺的入侵檢測系統(tǒng),可以運行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系統(tǒng)中。包括了日志分析,全面檢測,root-kit檢測。

OSSEC是一款開源的多平臺的入侵檢測系統(tǒng),可以運行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系統(tǒng)中。包括了日志分析,全面檢測,root-kit檢測。

OSSEC日志泛化及告警規(guī)則配置

1. 測試和驗證OSSEC泛化及告警規(guī)則

OSSEC默認具有一個ossec-logtest工具用于測試OSSEC的泛化及告警規(guī)則。該工具一般默認安裝于目錄 /var/ossec/bin 中。

使用示例:

  1. /var/ossec/bin/ossec-logtest  
  2. 2014/06/1113:15:36 ossec-testrule: INFO: Reading local decoder file.  
  3. 2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).  
  4. ossec-testrule: Type one log per line.  
  5. Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2  
  6.  
  7. **Phase 1: Completed pre-decoding.  
  8.        full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'  
  9.        hostname: '172.16.25.122/172.16.24.32'  
  10.        program_name: 'sshd'  
  11.        log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'  
  12.  
  13. **Phase 2: Completed decoding.  
  14.        decoder: 'sshd'  
  15.        dstuser: 'root'  
  16.        srcip: '172.16.24.121'  
  17.  
  18. **Phase 3: Completed filtering (rules).  
  19.        Rule id: '10100'  
  20.        Level: '4'  
  21.        Description: 'First time user logged in.'  
  22. **Alert to be generated. 

如上文所示,當輸入日志內(nèi)容:

Jun 1021:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for rootfrom 172.16.24.121 port 38720 ssh2

該條日志經(jīng)過三步處理,生成了一條4級告警,規(guī)則ID為10100,內(nèi)容為“First time user logged in.”

使用ossec-logtest–v命令,可獲取更詳細的日志分析邏輯。

  1. /var/ossec/bin/ossec-logtest  -v  
  2. 2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.  
  3. 2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).  
  4. ossec-testrule: Type one log per line.  
  5.  
  6. Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121  
  7.  
  8. **Phase 1: Completed pre-decoding.  
  9.        full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121' 
  10.        hostname: '172.16.25.122/172.16.24.32' 
  11.        program_name: 'sshd' 
  12.        log: 'Did not receive identification string from 172.16.24.121' 
  13.  
  14. **Phase 2: Completed decoding.  
  15.        decoder: 'sshd' 
  16.        srcip: '172.16.24.121' 
  17.  
  18. **Rule debugging:  
  19.     Trying rule: 1 - Generic template for all syslog rules.  
  20.        *Rule 1 matched.  
  21.        *Trying child rules.  
  22.     Trying rule: 5500 - Grouping of the pam_unix rules.  
  23.     Trying rule: 5700 - SSHD messages grouped.  
  24.        *Rule 5700 matched.  
  25.        *Trying child rules.  
  26.     Trying rule: 5709 - Useless SSHD message without an user/ip and context.  
  27.     Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.  
  28.     Trying rule: 5721 - System disconnected from sshd.  
  29.     Trying rule: 5722 - ssh connection closed.  
  30.     Trying rule: 5723 - SSHD key error.  
  31.     Trying rule: 5724 - SSHD key error.  
  32.     Trying rule: 5725 - Host ungracefully disconnected.  
  33.     Trying rule: 5727 - Attempt to start sshd when something already bound to the port.  
  34.     Trying rule: 5729 - Debug message.  
  35.     Trying rule: 5732 - Possible port forwarding failure.  
  36.     Trying rule: 5733 - User entered incorrect password.  
  37.     Trying rule: 5734 - sshd could not load one or more host keys.  
  38.     Trying rule: 5735 - Failed write due to one host disappearing.  
  39.     Trying rule: 5736 - Connection reset or aborted.  
  40.     Trying rule: 5707 - OpenSSH challenge-response exploit.  
  41.     Trying rule: 5701 - Possible attack on the ssh server (or version gathering).  
  42.     Trying rule: 5706 - SSH insecure connection attempt (scan).  
  43.        *Rule 5706 matched.  
  44.  
  45. **Phase 3: Completed filtering (rules).  
  46.        Rule id: '5706' 
  47.        Level'6' 
  48.        Description: 'SSH insecure connection attempt (scan).' 
  49. **Alert to be generated. 

2. 自定義日志泛化規(guī)則

2.1 添加日志源

添加日志源的方式很簡單,通過修改/var/ossec/etc/ossec.conf 即可實現(xiàn)。

如果日志源是本地文件,可通過添加如下配置實現(xiàn)。

  1. <localfile> 
  2.   <log_format>syslog</log_format> 
  3.   <location>/path/to/log/file</location> 
  4. </localfile> 

如果日志源是遠程syslog,可通過添加如下配置實現(xiàn)。

  1. <remote> 
  2. <connection>syslog</connection> 
  3. <protocol>udp</protocol> 
  4. <port>2514</port> 
  5. <allowed-ips>172.16.24.0/24</allowed-ips> 
  6. </remote> 

2.2 創(chuàng)建自定義的日志泛化規(guī)則

假如有兩條日志如下文:

Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat loginSUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat login PWD_ERRORfrom 172.17.153.36 to 172.17.153.38 distport 3333 .

該日志使用ossec-logtest分析之后結(jié)果如下:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
**Phase 2: Completed decoding.
       No decoder matched

由此可知OSSEC在分析日志的時候,經(jīng)過了兩個泛化過程:pre-decoding和 decoding。

pre-decoding過程是ossec內(nèi)置的,只要是標準的syslog日志,都可以解析出如下4個基本信息。

Timestamp:Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Programe_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333.

在decoding過程,用戶可以通過修改/var/ossec/etc/decoder.xml,實現(xiàn)自定義的泛化。例如在該文件中添加如下規(guī)則:

  1. <decoder name="auditServerd"> 
  2.   <program_name>/usr/bin/auditServerd</program_name> 
  3. </decoder> 

再次執(zhí)行/var/ossec/bin/ossec-logtest

  1. **Phase 1: Completed pre-decoding.  
  2.        full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  3.        hostname: '172.17.153.38/172.16.24.32'  
  4.        program_name: '/usr/bin/auditServerd'  
  5.        log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  6.  
  7. **Phase 2: Completed decoding.  
  8.        decoder: 'auditServerd' 

發(fā)現(xiàn),該條日志成功命中了名為auditServerd的規(guī)則,該條規(guī)則可以準確的將日志定位為是程序auditServerd所發(fā)出的。

除此之外,基于auditServerd這條規(guī)則,我們還可以添加更多的子規(guī)則,來識別出更多的信息。如:

  1. <decoder name="auditServerd">                                 
  2.   <program_name>/usr/bin/auditServerd</program_name>                          
  3. </decoder> 
  4. <decoder name="auditServerd-login">                                        
  5.   <parent>auditServerd</parent>                             
  6.   <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>    
  7.   <order>user,status,srcip,dstip,dstport</order>                                  
  8. </decoder> 

再次執(zhí)行/var/ossec/bin/ossec-logtest,可獲取更多的信息,如下:

  1. **Phase 1: Completed pre-decoding.  
  2.       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to172.17.153.38 distport 3333 .'  
  3.       hostname: '172.17.153.38/172.16.24.32'  
  4.       program_name: '/usr/bin/auditServerd'  
  5.       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38distport 3333 .'  
  6.    
  7. **Phase 2: Completed decoding.  
  8.       decoder: 'auditServerd'  
  9.        dstuser: 'blackrat'  
  10.       status:'SUCEESS'  
  11.       srcip: '172.17.153.36'  
  12.        dstip: '172.17.153. 

用戶通過配置上述正則表達式,獲取特定字段,用于后續(xù)的關(guān)聯(lián)分析。OSSEC一共內(nèi)置了14個用戶可解析的字段:

 - location – where the log came from (only on FTS)
   - srcuser  - extracts the source username
   - dstuser  - extracts the destination (target) username
   - user     – an alias to dstuser (only one of the two can be used)
   - srcip    - source ip
   - dstip    - dst ip
   - srcport  - source port
   - dstport  - destination port
   - protocol – protocol
   - id       – event id 
   - url      - url of the event
   - action   – event action (deny, drop, accept, etc)
   - status   – event status (success, failure, etc)
   - extra_data     – Any extra data

3. 自定義日志告警規(guī)則

3.1 規(guī)則文件路徑配置

OSSEC的規(guī)則配置文件默認路徑為/var/ossec/rules/,要加載規(guī)則文件,需要在/var/ossec/etc/ossec.conf 中配置,默認的配置如下:

  1. <ossec_config>  <!-- rules global entry --> 
  2.   <rules> 
  3.     <include>rules_config.xml</include> 
  4.     <include>pam_rules.xml</include> 
  5.     <include>sshd_rules.xml</include> 
  6.     <include>telnetd_rules.xml</include> 
  7.     <include>syslog_rules.xml</include> 
  8.     <include>arpwatch_rules.xml</include> 
  9.      ......    
  10.     <include>clam_av_rules.xml</include>   
  11.     <include>bro-ids_rules.xml</include> 
  12.     <include>dropbear_rules.xml</include> 
  13.     <include>local_rules.xml</include>   
  14. </rules>   
  15. </ossec_config>  <!-- rules global entry --> 

其實通過下列配置,可以實現(xiàn)加載/var/ossec/rules 下的所有規(guī)則文件:

  1.  <ossec_config> 
  2.     <rules> 
  3.         <rule_dir pattern=".xml$">rules</rule_dir> 
  4.     </rules> 
  5. </ossec_config> 

于泛化規(guī)則,也可以通過配置decoder_dir域來實現(xiàn),如:

  1. <ossec_config> 
  2.     <rules> 
  3.         <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir> 
  4.     </rules> 
  5. </ossec_config> 

上述配置可將/var/ossec/rules/plugins/plugins/decoders目錄下所有的xml文件都添加為OSSEC日志泛化規(guī)則。

對于更詳細的配置及語法,可參考下列文檔:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

3.2 OSSEC告警規(guī)則配置

例如,我們需要增加對程序auditServerd的告警規(guī)則,我們需要針對auditServerd程序新建一個規(guī)則文件,對于OSSEC中已經(jīng)存在的規(guī)則文件如sshd, openbsd, vsftpd等,我們只需要在對應(yīng)的文件中進行新增或修改。

首先我們新建文件

/var/ossec/rules/auditServerd_rules.xml

添加如下內(nèi)容:

  1. <group name="auditServer,"> 
  2.    <rule id="80000" level="0" noalert="1"> 
  3.     <decoded_as>auditServerd</decoded_as> 
  4.     <description>Grouping for the auditServerd rules.</description> 
  5.   </rule> 
  6.  
  7.   <rule id="80001" level="10"> 
  8.     <if_sid>80000</if_sid> 
  9.     <user>blackrat</user> 
  10.     <srcip>172.17.153.36</srcip> 
  11.     <description>User blackrat is not allowed login from 172.17.153.36!</description> 
  12.   </rule> 
  13. </group> 

上述規(guī)則中,規(guī)則id 80000 用于對日志進行分組計數(shù),假如日志中出現(xiàn)了泛化為auditServerd的日志,則對該日志分組為auditServer,且狀態(tài)機計數(shù)加1.

規(guī)則80001描述了假如user為blackrat,srcip為172.17.153.36 則命中,并發(fā)出“User blackrat is not allowed login from 172.17.153.36!”的告警。

將該文件路徑加入到文件/var/ossec/etc/ossec.conf中

  1.  …  
  2. <include>dropbear_rules.xml</include>   
  3. <include>local_rules.xml</include>   
  4. <include>auditServerd_rules.xml</include>   
  5. </ossec_config> 

執(zhí)行/var/ossec/bin/ossec-logtest,結(jié)果如下:

  1. **Phase 1: Completed pre-decoding.  
  2.        full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  3.        hostname: '172.17.153.38/172.16.24.32'  
  4.        program_name: '/usr/bin/auditServerd'  
  5.        log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  6.  
  7. **Phase 2: Completed decoding.  
  8.        decoder: 'auditServerd'  
  9.        dstuser: 'blackrat'  
  10.        status: 'SUCEESS'  
  11.        srcip: '172.17.153.36'  
  12.        dstip: '172.17.153.38'  
  13.        dstport: '3333'  
  14.  
  15. **Phase 3: Completed filtering (rules).  
  16.        Rule id: '80001'  
  17.        Level: '10'  
  18.        Description: 'User blackrat is not allowed login from 172.17.153.36!'  
  19. **Alert to be generated. 

3.3 關(guān)聯(lián)分析告警規(guī)則

OSSEC可以實現(xiàn)基于因果關(guān)系、事件頻次的關(guān)聯(lián)分析告警,具體實現(xiàn)方式如下。

假如我們想要實現(xiàn)當來自同一IP的用戶登陸auditServerd,在1分鐘內(nèi)達到5次登錄失敗時,進行告警,我們可以配置規(guī)則如下:

  1. <group name="auditServer,"> 
  2.    <rule id="80000" level="0" noalert="1"> 
  3.     <decoded_as>auditServerd</decoded_as> 
  4.     <description>Grouping for the auditServerd rules.</description> 
  5.   </rule> 
  6.  
  7.   <rule id="80001" level="10"> 
  8.     <if_sid>80000</if_sid> 
  9.     <match>SUCEESS</match> 
  10.     <user>blackrat</user> 
  11.     <srcip>172.17.153.36</srcip> 
  12.     <description>User blackrat is not allowed login from 172.17.153.36!</description> 
  13.   </rule> 
  14.  
  15.   <rule id="80002" level="1"> 
  16.     <if_sid>80000</if_sid> 
  17.     <match>PWD_ERROR</match> 
  18.     <group>authServer_login_failures,</group> 
  19.     <description>login auditServerd password error.</description> 
  20.   </rule> 
  21.  
  22.   <rule id="80003" level="15" frequency="5" timeframe="60" ignore="30">   
  23.     <if_matched_group>authServer_login_failures</if_matched_group> 
  24.     <description>auditServerd brute force trying to get access to </description>         
  25.     <description>the audit system.</description> 
  26.     <same_source_ip /> 
  27.     <group>authentication_failures,</group> 
  28.   </rule> 
  29. </group> 

執(zhí)行/var/ossec/bin/ossec-logtest,連續(xù)五次輸入日志:

結(jié)果如下:

  1. **Phase 1: Completed pre-decoding.  
  2.        full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  3.        hostname: '172.17.153.38/172.16.24.32'  
  4.        program_name: '/usr/bin/auditServerd'  
  5.        log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  6. **Phase 2: Completed decoding.  
  7.        decoder: 'auditServerd'  
  8.        dstuser: 'blackrat'  
  9.        status: 'PWD_ERROR'  
  10.        srcip: '172.17.153.36'  
  11.        dstip: '172.17.153.38'  
  12.        dstport: '3333'  
  13.  
  14. **Phase 3: Completed filtering (rules).  
  15.        Rule id: '80003'  
  16.        Level: '15'  
  17.        Description: 'auditServerd brute force trying to get access to the audit system.'  
  18. **Alert to be generated. 

對于OSSEC日志告警規(guī)則更詳細的語法,參見:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

對于OSSEC中正則表達式的語法,參加:

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

責任編輯:藍雨淚 來源: FreeBuf
入侵檢測OSSEC日志分析
相關(guān)推薦

2025-04-09 08:05:00

運維告警Prometheus

2012-11-07 15:57:34

OSSECMYSQL

2021-08-27 07:06:10

應(yīng)用

2012-11-07 16:21:14

OSSECDECODE

2013-08-20 10:12:37

入侵檢測系統(tǒng)ossec

2024-07-31 08:02:26

Prometheus服務(wù)器代碼

2023-03-26 08:41:37

2023-01-18 08:32:13

2025-03-05 07:00:00

Grafana可視化Kubernetes

2017-01-20 09:43:12

日志告警挖掘

2012-11-14 11:09:14

OSSECactive-resp

2012-11-14 11:03:14

OSSEC文件檢查SYSCHECK

2017-01-09 15:09:45

Linux初始化配置

2010-11-19 13:59:25

oracle告警日志

2018-08-21 10:05:59

MySQLbinlog數(shù)據(jù)庫

2023-10-07 09:16:55

SpringBoot啟動流程

2022-11-08 15:49:28

Dubbovivo服務(wù)器

2020-04-01 15:11:36

Shell命令Linux

2010-10-29 15:07:33

oracle日志

2019-07-23 10:40:05

云原生云計算公共云
點贊
收藏

51CTO技術(shù)棧公眾號