

OSSEC log decoding and alert rule configuration

Date: 2014-06-27 16:34   Source: TuZhiJiaMi enterprise information security experts

  OSSEC is an open-source, multi-platform host intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD and macOS. It provides log analysis, file integrity checking and rootkit detection.


  1. Testing and validating OSSEC decoders and alert rules

  OSSEC ships with a tool, ossec-logtest, for testing its decoders and alert rules. It is installed in /var/ossec/bin by default. It reads the decoder and rule files from disk when it starts, so edits can be checked before ossec-analysisd is restarted.

  Example:

  /var/ossec/bin/ossec-logtest
  2014/06/11 13:15:36 ossec-testrule: INFO: Reading local decoder file.
  2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).
  ossec-testrule: Type one log per line.

  Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
         hostname: '172.16.25.122/172.16.24.32'
         program_name: 'sshd'
         log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'

  **Phase 2: Completed decoding.
         decoder: 'sshd'
         dstuser: 'root'
         srcip: '172.16.24.121'

  **Phase 3: Completed filtering (rules).
         Rule id: '10100'
         Level: '4'
         Description: 'First time user logged in.'
  **Alert to be generated.

  As shown above, when the following log line is entered:

  Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

  the line passes through three phases (pre-decoding, decoding, rule filtering) and produces a level 4 alert from rule ID 10100 with the description "First time user logged in."

  Running ossec-logtest -v shows the rule-matching logic in detail, including every rule that was tried on the way to the final match:

  /var/ossec/bin/ossec-logtest -v
  2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.
  2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).
  ossec-testrule: Type one log per line.

  Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121'
         hostname: '172.16.25.122/172.16.24.32'
         program_name: 'sshd'
         log: 'Did not receive identification string from 172.16.24.121'

  **Phase 2: Completed decoding.
         decoder: 'sshd'
         srcip: '172.16.24.121'

  **Rule debugging:
      Trying rule: 1 - Generic template for all syslog rules.
      *Rule 1 matched.
      *Trying child rules.
      Trying rule: 5500 - Grouping of the pam_unix rules.
      Trying rule: 5700 - SSHD messages grouped.
      *Rule 5700 matched.
      *Trying child rules.
      Trying rule: 5709 - Useless SSHD message without an user/ip and context.
      Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.
      Trying rule: 5721 - System disconnected from sshd.
      Trying rule: 5722 - ssh connection closed.
      Trying rule: 5723 - SSHD key error.
      Trying rule: 5724 - SSHD key error.
      Trying rule: 5725 - Host ungracefully disconnected.
      Trying rule: 5727 - Attempt to start sshd when something already bound to the port.
      Trying rule: 5729 - Debug message.
      Trying rule: 5732 - Possible port forwarding failure.
      Trying rule: 5733 - User entered incorrect password.
      Trying rule: 5734 - sshd could not load one or more host keys.
      Trying rule: 5735 - Failed write due to one host disappearing.
      Trying rule: 5736 - Connection reset or aborted.
      Trying rule: 5707 - OpenSSH challenge-response exploit.
      Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
      Trying rule: 5706 - SSH insecure connection attempt (scan).
      *Rule 5706 matched.

  **Phase 3: Completed filtering (rules).
         Rule id: '5706'
         Level: '6'
         Description: 'SSH insecure connection attempt (scan).'
  **Alert to be generated.

  2. Custom log decoders

  2.1 Adding a log source

  Log sources are added by editing /var/ossec/etc/ossec.conf; the blocks below go inside <ossec_config>.

  If the source is a local file, add a localfile block:

   <localfile>
     <log_format>syslog</log_format>
     <location>/path/to/log/file</location>
   </localfile>

  If the source is remote syslog, add a remote block. The example below listens on UDP port 2514 and accepts events only from 172.16.24.0/24; restrict allowed-ips to the real sender range, since anything that can reach the port can otherwise inject log lines into the analysis.

   <remote>
     <connection>syslog</connection>
     <protocol>udp</protocol>
     <port>2514</port>
     <allowed-ips>172.16.24.0/24</allowed-ips>
   </remote>

  2.2 Creating a custom decoder

  Suppose an application produces the following two log lines (the misspelling SUCEESS is what the program emits, and the decoders and rules below match it literally):

  Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
  Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .

  Fed to ossec-logtest, the first line gives:

  Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
         hostname: '172.17.153.38/172.16.24.32'
         program_name: '/usr/bin/auditServerd'
         log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

  **Phase 2: Completed decoding.
         No decoder matched.

  This shows that OSSEC normalizes a log line in two stages: pre-decoding and decoding.

  Pre-decoding is built into OSSEC: from any standard syslog line it extracts the following four fields.

  Timestamp:    Jun 11 22:06:30
  Hostname:     172.17.153.38/172.16.24.32
  Program_name: /usr/bin/auditServerd
  Log:          User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

  In the decoding stage, users add their own decoders to /var/ossec/etc/decoder.xml (OSSEC also reads /var/ossec/etc/local_decoder.xml, which is the "Reading local decoder file" line in the logtest output and survives upgrades). For example, add the following decoder, which matches on program_name alone:

   <decoder name="auditServerd">
     <program_name>/usr/bin/auditServerd</program_name>
   </decoder>

  Run /var/ossec/bin/ossec-logtest again:

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
         hostname: '172.17.153.38/172.16.24.32'
         program_name: '/usr/bin/auditServerd'
         log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

  **Phase 2: Completed decoding.
         decoder: 'auditServerd'

  The line now hits the decoder named auditServerd, which identifies the log as coming from the auditServerd program.

  On top of that, child decoders that name auditServerd as their parent can extract further fields with a regex and an order list. For example (the child decoder's name is not shown on the page and is assumed here; logtest reports the parent's name for a child match):

   <!-- name "auditServerd-login" is assumed; the original page does not show it -->
   <decoder name="auditServerd-login">
     <program_name>/usr/bin/auditServerd</program_name>
     <parent>auditServerd</parent>
     <regex>^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>
     <order>user,status,srcip,dstip,dstport</order>
   </decoder>

  Run /var/ossec/bin/ossec-logtest once more and the extra fields appear:

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
         hostname: '172.17.153.38/172.16.24.32'
         program_name: '/usr/bin/auditServerd'
         log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

  **Phase 2: Completed decoding.
         decoder: 'auditServerd'
         dstuser: 'blackrat'
         status: 'SUCEESS'
         srcip: '172.17.153.36'
         dstip: '172.17.153.

  With a regex like this the user pulls out specific fields for later correlation. Note that the order list names the field user, but the output shows dstuser: user is only an alias. OSSEC provides 14 fields that a decoder can populate:

  - location - where the log came from (only on FTS)
  - srcuser - extracts the source username
  - dstuser - extracts the destination (target) username
  - user - an alias to dstuser (only one of the two can be used)
  - srcip - source ip
  - dstip - dst ip
  - srcport - source port
  - dstport - destination port
  - protocol - protocol
  - id - event id
  - url - url of the event
  - action - event action (deny, drop, accept, etc)
  - status - event status (success, failure, etc)
  - extra_data - Any extra data
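To make the two stages concrete, here is an added Python model of pre-decoding and decoding. It is written for this article and is not OSSEC's own code: it performs the same four-field syslog split, then applies the auditServerd parent decoder (program_name match) and its child decoder (regex plus order list) from above, mapping the user field to dstuser as the logtest output shows. The syslog regex is a simplification of what ossec-analysisd accepts, and the sample lines are constructed in the shape of the ones on this page. Lines from other programs (the sshd sample) fall through with no decoder, because only the page's decoder is in the table.

```python
import re

# Constructed sample lines in the shape of the auditServerd and sshd lines on
# this page (addresses and hostnames are sample values).
SAMPLE_LOGS = [
    "Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
    "User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .",
    "Jun 11 22:06:31 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
    "User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .",
    "Jun 11 22:06:32 172.17.153.38/172.16.24.32 sshd[24668]: "
    "Accepted publickey for root from 172.16.24.121 port 38720 ssh2",
]

# Phase 1: syslog pre-decoding. Simplified form of the split OSSEC performs;
# yields the same four fields: timestamp, hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# OSSEC treats "user" in an <order> list as an alias for dstuser.
ORDER_ALIASES = {"user": "dstuser"}

# Phase 2: decoder table mirroring the decoder.xml entries on this page. The
# parent matches on program_name; the child applies <regex> and <order>.
DECODERS = [
    {
        "name": "auditServerd",
        "program_name": "/usr/bin/auditServerd",
        "children": [
            {
                "regex": re.compile(
                    r"^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$"),
                "order": ["user", "status", "srcip", "dstip", "dstport"],
            }
        ],
    },
]


def predecode(line):
    """Phase 1: return the four syslog fields, or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(event):
    """Phase 2: pick the parent decoder by program_name, then the first child
    whose regex matches the log part. Returns the fields it extracted."""
    for dec in DECODERS:
        if event["program_name"] != dec["program_name"]:
            continue
        fields = {"decoder": dec["name"]}
        for child in dec["children"]:
            m = child["regex"].match(event["log"])
            if m:
                for name, value in zip(child["order"], m.groups()):
                    fields[ORDER_ALIASES.get(name, name)] = value
                break
        return fields
    return {"decoder": None}


def run(line):
    """Full pipeline for one line: pre-decoded fields plus decoded fields."""
    pre = predecode(line)
    if pre is None:
        return None
    return {**pre, **decode(pre)}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = run(line)
        print({k: v for k, v in result.items() if k != "log"})
```

Running the module prints the decoded fields for each sample; the first two carry decoder, dstuser, status, srcip, dstip and dstport, while the sshd line carries only the pre-decoded fields and decoder None.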

  3. Custom alert rules

  3.1 Rule file paths

  Rule files live in /var/ossec/rules/ by default, but a file is only loaded if it is listed in /var/ossec/etc/ossec.conf. The default configuration is shown below. Order matters: rules_config.xml must come first, and a rule can only reference an earlier-loaded rule with if_sid, which is why local_rules.xml is listed last.

   <rules>
     <include>rules_config.xml</include>
     <include>pam_rules.xml</include>
     <include>sshd_rules.xml</include>
     <include>telnetd_rules.xml</include>
     <include>syslog_rules.xml</include>
     <include>arpwatch_rules.xml</include>
     ......
     <include>clam_av_rules.xml</include>
     <include>bro-ids_rules.xml</include>
     <include>dropbear_rules.xml</include>
     <include>local_rules.xml</include>
   </rules>

  Alternatively, the following loads every rule file under /var/ossec/rules (the path is relative to the OSSEC install directory):

   <rules>
     <rule_dir>rules</rule_dir>
   </rules>

  Decoders can likewise be loaded from a directory with decoder_dir, for example:

   <rules>
     <decoder_dir>rules/plugins/decoders</decoder_dir>
   </rules>

  This adds every xml file under /var/ossec/rules/plugins/decoders as a decoder file.

  For the full configuration syntax, see:

  http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

  3.2 Configuring OSSEC alert rules

  To add alert rules for the auditServerd program, we create a new rule file for it. For programs that already have a rule file in OSSEC (sshd, openbsd, vsftpd and so on), rules can be added to or changed in the existing file, but shipped rule files are overwritten on upgrade, so local_rules.xml is the safer place for such changes.

  First create the file

  /var/ossec/rules/auditServerd_rules.xml

  with the following content:

   <group name="auditServerd,">
     <rule id="80000" level="0">
       <decoded_as>auditServerd</decoded_as>
       <description>Grouping for the auditServerd rules.</description>
     </rule>

     <rule id="80001" level="10">
       <if_sid>80000</if_sid>
       <user>blackrat</user>
       <srcip>172.17.153.36</srcip>
       <description>User blackrat is not allowed login from 172.17.153.36!</description>
     </rule>
   </group>

  Rule 80000 is a level-0 grouping rule: every event decoded by the auditServerd decoder matches it and is placed in the auditServerd group, but level 0 never produces an alert by itself. It exists so that more specific child rules can hang off it via if_sid.

  Rule 80001 matches when the decoded user is blackrat and srcip is 172.17.153.36, and raises the level-10 alert "User blackrat is not allowed login from 172.17.153.36!".

  Add the file to /var/ossec/etc/ossec.conf after the existing includes, then restart OSSEC (/var/ossec/bin/ossec-control restart) so that ossec-analysisd loads it; ossec-logtest reads the files directly and needs no restart:

   <rules>
     …
     <include>dropbear_rules.xml</include>
     <include>local_rules.xml</include>
     <include>auditServerd_rules.xml</include>
   </rules>

  Run /var/ossec/bin/ossec-logtest; the result is:

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
         hostname: '172.17.153.38/172.16.24.32'
         program_name: '/usr/bin/auditServerd'
         log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

  **Phase 2: Completed decoding.
         decoder: 'auditServerd'
         dstuser: 'blackrat'
         status: 'SUCEESS'
         srcip: '172.17.153.36'
         dstip: '172.17.153.38'
         dstport: '3333'

  **Phase 3: Completed filtering (rules).
         Rule id: '80001'
         Level: '10'
         Description: 'User blackrat is not allowed login from 172.17.153.36!'
  **Alert to be generated.

  3.3 Correlation rules

  OSSEC can also alert on correlations: one event following another (if_matched_sid / if_matched_group) and event frequency within a time window (frequency / timeframe). The following shows how.

  Suppose we want an alert when logins to auditServerd from the same source IP fail 5 times within 1 minute. The rule file becomes (rule 80002's level is not stated on the page and is assumed below; everything else follows from the page):

   <group name="auditServerd,">
     <rule id="80000" level="0">
       <decoded_as>auditServerd</decoded_as>
       <description>Grouping for the auditServerd rules.</description>
     </rule>

     <rule id="80001" level="10">
       <if_sid>80000</if_sid>
       <status>SUCEESS</status>
       <user>blackrat</user>
       <srcip>172.17.153.36</srcip>
       <description>User blackrat is not allowed login from 172.17.153.36!</description>
     </rule>

     <!-- level 5 is assumed; the original page does not show this rule's level -->
     <rule id="80002" level="5">
       <if_sid>80000</if_sid>
       <status>PWD_ERROR</status>
       <group>authServer_login_failures,</group>
       <description>login auditServerd password error.</description>
     </rule>

     <rule id="80003" level="15" frequency="5" timeframe="60">
       <if_matched_group>authServer_login_failures</if_matched_group>
       <same_source_ip />
       <description>auditServerd brute force trying to get access to the audit system.</description>
       <group>authentication_failures,</group>
     </rule>
   </group>

  Run /var/ossec/bin/ossec-logtest and enter the PWD_ERROR log line from section 2.2 five times in a row. ossec-logtest keeps correlation state for the whole session, so the first four lines match only rule 80002; the fifth, arriving inside the 60-second window from the same source IP, fires rule 80003. The output for the fifth line is:

  **Phase 1: Completed pre-decoding.
         full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
         hostname: '172.17.153.38/172.16.24.32'
         program_name: '/usr/bin/auditServerd'
         log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'

  **Phase 2: Completed decoding.
         decoder: 'auditServerd'
         dstuser: 'blackrat'
         status: 'PWD_ERROR'
         srcip: '172.17.153.36'
         dstip: '172.17.153.38'
         dstport: '3333'

  **Phase 3: Completed filtering (rules).
         Rule id: '80003'
         Level: '15'
         Description: 'auditServerd brute force trying to get access to the audit system.'
  **Alert to be generated.
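The rule evaluation of sections 3.2 and 3.3, modelled as an added Python example written for this article (it is not OSSEC code) over already-decoded events. The rule table mirrors rules 80000 to 80003 above; rule 80002's level is set to 5 as an assumption, since the page does not state it. Event times are arrival times in seconds, which is what OSSEC's timeframe counts against (not the timestamp inside the log line), and the same_source_ip window is kept per source address. It also shows what the single output above does not: failures from another source do not count toward the first one, and failures spaced too far apart never reach five inside one 60-second window.

```python
from collections import defaultdict, deque

# Rule table mirroring auditServerd_rules.xml on this page.
# Rule 80002's level is an assumption (not stated on the page).
RULES = [
    {"id": 80000, "level": 0, "decoded_as": "auditServerd",
     "groups": {"auditServerd"},
     "description": "Grouping for the auditServerd rules."},
    {"id": 80001, "level": 10, "if_sid": 80000,
     "match": {"status": "SUCEESS", "dstuser": "blackrat", "srcip": "172.17.153.36"},
     "groups": {"auditServerd"},
     "description": "User blackrat is not allowed login from 172.17.153.36!"},
    {"id": 80002, "level": 5, "if_sid": 80000,          # level 5 assumed
     "match": {"status": "PWD_ERROR"},
     "groups": {"auditServerd", "authServer_login_failures"},
     "description": "login auditServerd password error."},
    {"id": 80003, "level": 15, "if_matched_group": "authServer_login_failures",
     "frequency": 5, "timeframe": 60, "same_source_ip": True,
     "groups": {"auditServerd", "authentication_failures"},
     "description": "auditServerd brute force trying to get access to the audit system."},
]


def make_event(t, status, srcip, user="blackrat", decoder="auditServerd"):
    """Constructed decoded event, i.e. what the decoder stage hands to the
    rule engine. `t` is the arrival time in seconds."""
    return {"t": t, "decoder": decoder, "dstuser": user, "status": status,
            "srcip": srcip, "dstip": "172.17.153.38", "dstport": "3333"}


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        # (composite rule id, source ip or None) -> arrival times of matches
        self.windows = defaultdict(deque)

    @staticmethod
    def _atomic_match(rule, ev):
        if "decoded_as" in rule and ev.get("decoder") != rule["decoded_as"]:
            return False
        return all(ev.get(k) == v for k, v in rule.get("match", {}).items())

    def _base_rule(self, ev):
        """Walk the if_sid tree: root rules first, then the children of whatever
        matched, trying higher-level siblings first. Composite rules are skipped."""
        matched, parent = None, None
        while True:
            siblings = [r for r in self.rules
                        if "if_matched_group" not in r and r.get("if_sid") == parent]
            siblings.sort(key=lambda r: -r["level"])
            hit = next((r for r in siblings if self._atomic_match(r, ev)), None)
            if hit is None:
                return matched
            matched, parent = hit, hit["id"]

    def evaluate(self, ev):
        """Return the rule whose alert this event produces, or None."""
        base = self._base_rule(ev)
        if base is None:
            return None
        # Composite (frequency) rules only fire after a base rule carrying the
        # watched group matched this event.
        for rule in self.rules:
            group = rule.get("if_matched_group")
            if group is None or group not in base["groups"]:
                continue
            key = (rule["id"], ev["srcip"] if rule.get("same_source_ip") else None)
            window = self.windows[key]
            window.append(ev["t"])
            while ev["t"] - window[0] > rule["timeframe"]:   # drop old matches
                window.popleft()
            if len(window) >= rule["frequency"]:
                window.clear()          # count the next burst afresh
                return rule
        return base if base["level"] > 0 else None     # level 0 never alerts


def replay(events, rules=RULES):
    """Feed events through a fresh engine; return the alerting rule id per event."""
    engine = RuleEngine(rules)
    return [(r["id"] if r else None) for r in map(engine.evaluate, events)]


if __name__ == "__main__":
    burst = [make_event(t, "PWD_ERROR", "172.17.153.36") for t in range(5)]
    print(replay(burst))   # the fifth failure escalates to 80003
```

The rule engine is deliberately small: real ossec-analysisd also honours if_matched_sid, ignore times, and per-rule options such as same_user, but the frequency/timeframe/same_source_ip mechanics shown here are the ones the rule above relies on.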

