OSSEC is an open-source, multi-platform host-based intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD and macOS. It provides log analysis, file integrity checking and rootkit detection.
1. Testing and validating OSSEC decoders and alert rules
OSSEC ships with a tool, ossec-logtest, for testing its decoders (log normalization) and alert rules. It is installed in /var/ossec/bin by default. It reads one log line per input line and prints the result of each processing phase without generating real alerts, so it is the fastest way to check what a decoder extracts and which rule a given line ends up matching.
Example:
```text
/var/ossec/bin/ossec-logtest
2014/06/11 13:15:36 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).
ossec-testrule: Type one log per line.

Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2


**Phase 1: Completed pre-decoding.
       full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
       hostname: '172.16.25.122/172.16.24.32'
       program_name: 'sshd'
       log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '172.16.24.121'

**Phase 3: Completed filtering (rules).
       Rule id: '10100'
       Level: '4'
       Description: 'First time user logged in.'
**Alert to be generated.
```
As shown above, for the input line
Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2
the log passes through three phases (pre-decoding, decoding, rule filtering) and produces a level 4 alert from rule 10100, described as "First time user logged in."
Running ossec-logtest with -v additionally prints the rule-matching trace, which shows which rules were tried, in what order, and where the tree of child rules was entered:
```text
/var/ossec/bin/ossec-logtest -v
2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).
ossec-testrule: Type one log per line.

Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121


**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121'
       hostname: '172.16.25.122/172.16.24.32'
       program_name: 'sshd'
       log: 'Did not receive identification string from 172.16.24.121'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '172.16.24.121'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
       *Rule 5700 matched.
       *Trying child rules.
    Trying rule: 5709 - Useless SSHD message without an user/ip and context.
    Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.
    Trying rule: 5721 - System disconnected from sshd.
    Trying rule: 5722 - ssh connection closed.
    Trying rule: 5723 - SSHD key error.
    Trying rule: 5724 - SSHD key error.
    Trying rule: 5725 - Host ungracefully disconnected.
    Trying rule: 5727 - Attempt to start sshd when something already bound to the port.
    Trying rule: 5729 - Debug message.
    Trying rule: 5732 - Possible port forwarding failure.
    Trying rule: 5733 - User entered incorrect password.
    Trying rule: 5734 - sshd could not load one or more host keys.
    Trying rule: 5735 - Failed write due to one host disappearing.
    Trying rule: 5736 - Connection reset or aborted.
    Trying rule: 5707 - OpenSSH challenge-response exploit.
    Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
    Trying rule: 5706 - SSH insecure connection attempt (scan).
       *Rule 5706 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '5706'
       Level: '6'
       Description: 'SSH insecure connection attempt (scan).'
**Alert to be generated.
```
2. Custom decoders
2.1 Adding a log source
Adding a log source only requires editing /var/ossec/etc/ossec.conf.
If the source is a local file, add a localfile block:
```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/path/to/log/file</location>
</localfile>
```
If the source is remote syslog, add a remote block on the OSSEC server. It listens on the given port and accepts messages only from the listed network:
```xml
<remote>
  <connection>syslog</connection>
  <protocol>udp</protocol>
  <port>2514</port>
  <allowed-ips>172.16.24.0/24</allowed-ips>
</remote>
```
Note that allowed-ips is an address filter, not authentication: UDP syslog carries no sender verification, so any host on (or spoofing an address in) the allowed network can inject lines that the rules below will treat as genuine.
2.2 Creating a custom decoder
Suppose an application writes the following two log lines:
```text
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
```
(The spelling SUCEESS is the application's own and is kept as-is throughout, since decoders and rules must match the text the program actually emits.)
Running the first line through ossec-logtest gives:
```text
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .


**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       No decoder matched.
```
This shows that OSSEC normalizes a log line in two stages: pre-decoding and decoding.
Pre-decoding is built in. For any line in standard syslog format it extracts four basic fields:
```text
timestamp:    Jun 11 22:06:30
hostname:     172.17.153.38/172.16.24.32
program_name: /usr/bin/auditServerd
log:          User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
```
Decoding is where user-defined decoders run. They are defined in /var/ossec/etc/decoder.xml (OSSEC 2.8 and later also read /var/ossec/etc/local_decoder.xml, which is the better place for custom decoders because it is not overwritten on upgrade). A decoder that recognizes the program by its pre-decoded program_name looks like this:
```xml
<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>
```
Running /var/ossec/bin/ossec-logtest again:
```text
**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
```
The line now matches the decoder named auditServerd, which identifies it as coming from the auditServerd program.
With auditServerd as a parent, child decoders can extract further fields from the log portion. The regex below captures five values and the order element names them, in sequence, with OSSEC's field names:
```xml
<!-- child decoder name assumed; only the parent's name appears in logtest output -->
<decoder name="auditServerd-fields">
  <parent>auditServerd</parent>
  <regex>^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>
  <order>user,status,srcip,dstip,dstport</order>
</decoder>
```
Running /var/ossec/bin/ossec-logtest again now yields the extracted fields:
```text
**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'SUCEESS'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'
```
Two details are worth noting: user in the order list is stored as dstuser (the two names are aliases), and logtest reports the parent decoder's name even though the child decoder did the extraction. Fields captured this way are what the rules and correlation logic below match on. OSSEC defines 14 field names that a decoder can populate:
- location – where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user – an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol – protocol
- id – event id
- url - url of the event
- action – event action (deny, drop, accept, etc)
- status – event status (success, failure, etc)
- extra_data – Any extra data
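To see the two stages outside OSSEC, the following Python script (an added example, not code from the page or from the OSSEC project) re-implements the pre-decoder and the auditServerd decoder above and runs them over the page's two auditServerd lines plus one sshd line. It uses Python's re module; OSSEC's regex engine is its own dialect rather than PCRE, but the page's pattern (anchors, \S+, \.) means the same in both. The syslog header pattern SYSLOG_HEADER is an assumption that covers the ip/ip hostname and prog[pid]: forms seen on the page, not OSSEC's actual pre-decoder.

```python
import re

# Stage 1 (pre-decoding): split the syslog header into timestamp, hostname,
# program_name and the remaining message. Assumed pattern: it covers the
# "ip/ip" hostname and "prog[pid]:" forms in the sample lines, nothing more.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Stage 2 (decoding): the parent decoder is selected by program_name; the
# child decoder applies the page's <regex> and names captures via <order>.
AUDITSERVERD_PROGRAM = "/usr/bin/auditServerd"
AUDITSERVERD_REGEX = re.compile(
    r"^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$"
)
AUDITSERVERD_ORDER = ["user", "status", "srcip", "dstip", "dstport"]
# "user" is an alias for dstuser, which is why ossec-logtest prints dstuser.
FIELD_ALIASES = {"user": "dstuser"}


def pre_decode(line):
    """Phase 1: return the four pre-decoded fields, or None for a non-syslog line."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def decode(event):
    """Phase 2: return {'decoder': name, field: value, ...}, or None if no decoder matched."""
    if event is None or event["program_name"] != AUDITSERVERD_PROGRAM:
        return None  # the only decoder defined here is auditServerd
    fields = {"decoder": "auditServerd"}
    m = AUDITSERVERD_REGEX.match(event["log"])
    if m:  # child decoder matched: map captures to the names in <order>, in sequence
        for name, value in zip(AUDITSERVERD_ORDER, m.groups()):
            fields[FIELD_ALIASES.get(name, name)] = value
    return fields


def logtest(line):
    """Run phases 1 and 2 on one line, like ossec-logtest without the rules phase."""
    event = pre_decode(line)
    return event, decode(event)


# Constructed sample input: the page's two auditServerd lines and one sshd line.
SAMPLE_LINES = [
    "Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
    "User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .",
    "Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
    "User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .",
    "Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: "
    "Accepted publickey for root from 172.16.24.121 port 38720 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event, decoded = logtest(line)
        print("program_name:", event["program_name"])
        print("decoded:", decoded if decoded else "No decoder matched.")
```

The sshd line pre-decodes fine but gets "No decoder matched" because this script only defines the auditServerd decoder; an auditServerd line whose message does not fit the child regex still gets the parent decoder name and nothing else, which is exactly the state the page shows before the child decoder was added.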
3. Custom alert rules
3.1 Rule file locations
OSSEC's rule files live in /var/ossec/rules/ by default. A rule file is only loaded if it is listed in /var/ossec/etc/ossec.conf. The default configuration looks like this:
```xml
<rules>
  <include>rules_config.xml</include>
  <include>pam_rules.xml</include>
  <include>sshd_rules.xml</include>
  <include>telnetd_rules.xml</include>
  <include>syslog_rules.xml</include>
  <include>arpwatch_rules.xml</include>
  ...
  <include>clam_av_rules.xml</include>
  <include>bro-ids_rules.xml</include>
  <include>dropbear_rules.xml</include>
  <include>local_rules.xml</include>
</rules>
```
Alternatively, rule_dir loads every rule file under /var/ossec/rules (the path is relative to the OSSEC install directory):
```xml
<rules>
  <rule_dir>rules</rule_dir>
</rules>
```
Decoders can be loaded the same way with decoder_dir, for example:
```xml
<rules>
  <decoder_dir>rules/plugins/decoders</decoder_dir>
</rules>
```
which adds every XML file under /var/ossec/rules/plugins/decoders as a decoder file. Loading a whole directory hands control of load order to the directory listing, and order matters in OSSEC because a rule's if_sid must refer to a rule that has already been loaded, so keep an explicit include list for anything where ordering is important.
The full configuration syntax is documented at:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir
3.2 Alert rule configuration
To add alert rules for the auditServerd program, create a new rule file for it. For programs OSSEC already covers (sshd, openbsd, vsftpd and so on), add or modify rules in the existing file instead.
First create the file
/var/ossec/rules/auditServerd_rules.xml
with the following content:
```xml
<!-- group name attribute assumed -->
<group name="auditServerd,">
  <!-- level 0: groups every auditServerd event, does not alert by itself -->
  <rule id="80000" level="0">
    <decoded_as>auditServerd</decoded_as>
    <description>Grouping for the auditServerd rules.</description>
  </rule>

  <rule id="80001" level="10">
    <if_sid>80000</if_sid>
    <user>blackrat</user>
    <srcip>172.17.153.36</srcip>
    <description>User blackrat is not allowed login from 172.17.153.36!</description>
  </rule>
</group>
```
Rule 80000 matches every event decoded as auditServerd: it is the group parent under which those events are counted, and at level 0 it produces no alert on its own. Rule 80001 is a child of 80000 (if_sid) and fires at level 10 when the decoded user is blackrat and srcip is 172.17.153.36, with the description "User blackrat is not allowed login from 172.17.153.36!".
OSSEC documents the range 100000-109999 as the one reserved for user-defined rules; 80000-series ids work, as the output below shows, but risk colliding with rules shipped in later releases.
Then add the file to /var/ossec/etc/ossec.conf after the existing includes:
```xml
<rules>
  ...
  <include>dropbear_rules.xml</include>
  <include>local_rules.xml</include>
  <include>auditServerd_rules.xml</include>
</rules>
```
ossec-logtest reads the configuration fresh on every run, but the running analysis daemon does not; restart OSSEC (/var/ossec/bin/ossec-control restart) for the new rules to take effect in production.
Running /var/ossec/bin/ossec-logtest on the SUCEESS line now gives:
```text
**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'SUCEESS'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'

**Phase 3: Completed filtering (rules).
       Rule id: '80001'
       Level: '10'
       Description: 'User blackrat is not allowed login from 172.17.153.36!'
**Alert to be generated.
```
3.3 Correlation rules
OSSEC can alert on correlations between events, both causal (one event following another) and frequency-based (N events within a time window). For example, to alert when logins to auditServerd from the same source IP fail 5 times within one minute, the rule file becomes:
```xml
<group name="auditServerd,">
  <rule id="80000" level="0">
    <decoded_as>auditServerd</decoded_as>
    <description>Grouping for the auditServerd rules.</description>
  </rule>

  <rule id="80001" level="10">
    <if_sid>80000</if_sid>
    <status>SUCEESS</status>
    <user>blackrat</user>
    <srcip>172.17.153.36</srcip>
    <description>User blackrat is not allowed login from 172.17.153.36!</description>
  </rule>

  <!-- id and level of this rule are assumed; its match fields, group and description are as given -->
  <rule id="80002" level="5">
    <if_sid>80000</if_sid>
    <status>PWD_ERROR</status>
    <group>authServer_login_failures,</group>
    <description>login auditServerd password error.</description>
  </rule>

  <rule id="80003" level="15" frequency="5" timeframe="60">
    <if_matched_group>authServer_login_failures</if_matched_group>
    <same_source_ip />
    <description>auditServerd brute force trying to get access to the audit system.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```
Rule 80001 now also requires status SUCEESS, so it alerts only on a successful login by blackrat from 172.17.153.36. Rule 80002 tags every PWD_ERROR event with the group authServer_login_failures. Rule 80003 is the composite rule: if_matched_group makes it watch events in that group, frequency and timeframe set the threshold (5 within 60 seconds), and same_source_ip restricts the count to events sharing one srcip, so failures spread across several sources do not add up. The OSSEC rule syntax documentation notes that the count which actually triggers a frequency rule is 2 more than the configured frequency, so verify the threshold with ossec-logtest rather than trusting the number.
Run /var/ossec/bin/ossec-logtest and enter the following line five times in a row:
```text
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
```
The result for the last entry is:
```text
**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'PWD_ERROR'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'

**Phase 3: Completed filtering (rules).
       Rule id: '80003'
       Level: '15'
       Description: 'auditServerd brute force trying to get access to the audit system.'
**Alert to be generated.
```
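The same correlation logic written out in Python, as an added example that is neither OSSEC code nor from the page: it takes already-decoded auditServerd events of the shape the decoder produces and applies rules 80000 to 80003, including the per-source sliding window behind frequency, timeframe and same_source_ip. Timestamps are seconds and the scenario is constructed for the example; the counter fires on the fifth PWD_ERROR from one srcip within 60 seconds and then resets, which is a deliberate simplification of OSSEC's own counting, and the level of rule 80002 is assumed.

```python
from collections import defaultdict, deque

FREQUENCY = 5   # rule 80003 frequency
TIMEFRAME = 60  # rule 80003 timeframe, in seconds

# (level, description) per rule id; level of 80002 is assumed
RULES = {
    80000: (0, "Grouping for the auditServerd rules."),
    80001: (10, "User blackrat is not allowed login from 172.17.153.36!"),
    80002: (5, "login auditServerd password error."),
    80003: (15, "auditServerd brute force trying to get access to the audit system."),
}


class AuditServerdRules:
    """Stateful matcher for the auditServerd rule group; one instance per analysis run."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        # same_source_ip: one sliding window of rule-80002 hit times per srcip
        self._failures = defaultdict(deque)

    def evaluate(self, ts, ev):
        """Return (rule_id, level, description) for one decoded event at time ts, or None."""
        if ev.get("decoder") != "auditServerd":
            return None                      # rule 80000's decoded_as does not match
        if (ev.get("status") == "SUCEESS" and ev.get("dstuser") == "blackrat"
                and ev.get("srcip") == "172.17.153.36"):
            return (80001,) + RULES[80001]
        if ev.get("status") == "PWD_ERROR":
            window = self._failures[ev.get("srcip")]
            window.append(ts)
            while window and ts - window[0] > self.timeframe:
                window.popleft()             # drop failures older than the timeframe
            if len(window) >= self.frequency:
                window.clear()               # fire once, then start counting again
                return (80003,) + RULES[80003]
            return (80002,) + RULES[80002]
        return (80000,) + RULES[80000]       # any other auditServerd event: grouped only

    def alerts(self, events):
        """Run (ts, event) pairs through the rules; return (ts, rule_id) for results with level > 0."""
        out = []
        for ts, ev in events:
            r = self.evaluate(ts, ev)
            if r and r[1] > 0:
                out.append((ts, r[0]))
        return out


def decoded(status, srcip):
    """Build a decoded auditServerd event as the decoder would emit it (constructed test data)."""
    return {"decoder": "auditServerd", "dstuser": "blackrat", "status": status,
            "srcip": srcip, "dstip": "172.17.153.38", "dstport": "3333"}


# Constructed scenario: five failures in 40 s from one source, interleaved with a
# failure from a second source, then a success and a failure long after the window.
SCENARIO = [
    (0, decoded("PWD_ERROR", "172.17.153.36")),
    (5, decoded("PWD_ERROR", "10.0.0.9")),
    (10, decoded("PWD_ERROR", "172.17.153.36")),
    (20, decoded("PWD_ERROR", "172.17.153.36")),
    (30, decoded("PWD_ERROR", "172.17.153.36")),
    (40, decoded("PWD_ERROR", "172.17.153.36")),   # 5th from .36 within 60 s: rule 80003
    (45, decoded("SUCEESS", "172.17.153.36")),     # rule 80001
    (200, decoded("PWD_ERROR", "172.17.153.36")),  # window was reset: rule 80002 again
]

if __name__ == "__main__":
    for ts, rule_id in AuditServerdRules().alerts(SCENARIO):
        level, text = RULES[rule_id]
        print(f"t={ts:>3}s  rule {rule_id} level {level}: {text}")
```

The second source (10.0.0.9) never reaches the threshold because its failures are counted in their own window, and five failures spaced more than the timeframe apart never correlate either; both cases are what same_source_ip and timeframe are for, and both are easy to get wrong when tuning the numbers without a test like this.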
The full OSSEC alert rule syntax is documented at:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
The OSSEC regular expression syntax is documented at:
http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html
Article: OSSEC log decoding and alert rule configuration
Source URL: http://www.csdahua.cn/qtweb/news8/487508.html