OSSEC Log Decoding and Alert Rule Configuration


Posted by: admin   Category: Network Security   Views: 34   Published: 2017-12-12

OSSEC is an open-source, multi-platform intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD and macOS. It provides log analysis, integrity checking and rootkit detection.

1. Testing and verifying OSSEC decoders and alert rules

OSSEC ships with a tool, ossec-logtest, for testing its decoders and alert rules. It is normally installed under /var/ossec/bin.

Usage example:

/var/ossec/bin/ossec-logtest
2014/06/11 13:15:36 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).
ossec-testrule: Type one log per line.
Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

**Phase 1: Completed pre-decoding.
       full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
       hostname: '172.16.25.122/172.16.24.32'
       program_name: 'sshd'
       log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '172.16.24.121'

**Phase 3: Completed filtering (rules).
       Rule id: '10100'
       Level: '4'
       Description: 'First time user logged in.'
**Alert to be generated.

As shown above, when the following log line is entered:

Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

the line passes through three phases and produces a level 4 alert with rule id 10100 and the description "First time user logged in."

Running ossec-logtest with -v prints the rule-matching logic in more detail:

/var/ossec/bin/ossec-logtest  -v
2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).
ossec-testrule: Type one log per line.

Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121'
       hostname: '172.16.25.122/172.16.24.32'
       program_name: 'sshd'
       log: 'Did not receive identification string from 172.16.24.121'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '172.16.24.121'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
       *Rule 5700 matched.
       *Trying child rules.
    Trying rule: 5709 - Useless SSHD message without an user/ip and context.
    Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.
    Trying rule: 5721 - System disconnected from sshd.
    Trying rule: 5722 - ssh connection closed.
    Trying rule: 5723 - SSHD key error.
    Trying rule: 5724 - SSHD key error.
    Trying rule: 5725 - Host ungracefully disconnected.
    Trying rule: 5727 - Attempt to start sshd when something already bound to the port.
    Trying rule: 5729 - Debug message.
    Trying rule: 5732 - Possible port forwarding failure.
    Trying rule: 5733 - User entered incorrect password.
    Trying rule: 5734 - sshd could not load one or more host keys.
    Trying rule: 5735 - Failed write due to one host disappearing.
    Trying rule: 5736 - Connection reset or aborted.
    Trying rule: 5707 - OpenSSH challenge-response exploit.
    Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
    Trying rule: 5706 - SSH insecure connection attempt (scan).
       *Rule 5706 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '5706'
       Level: '6'
       Description: 'SSH insecure connection attempt (scan).'
**Alert to be generated.

2. Custom decoders

2.1 Adding a log source

Adding a log source is straightforward: edit /var/ossec/etc/ossec.conf.

If the source is a local file, add a block like the following.

<localfile>
  <log_format>syslog</log_format>
  <location>/path/to/log/file</location>
</localfile>

If the source is remote syslog, add the following instead.

<remote>
  <connection>syslog</connection>
  <protocol>udp</protocol>
  <port>2514</port>
  <allowed-ips>172.16.24.0/24</allowed-ips>
</remote>

2.2 Creating a custom decoder

Suppose we have the following two log lines:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .

Analyzing the first line with ossec-logtest gives:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .


**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       No decoder matched.

This shows that OSSEC normalizes a log in two stages: pre-decoding and decoding.

Pre-decoding is built into OSSEC; for any line in standard syslog format it extracts the following four basic fields.

Timestamp: Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Program_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

In the decoding stage, users can define their own decoders by editing /var/ossec/etc/decoder.xml. For example, add the following decoder to that file:

<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>

Run /var/ossec/bin/ossec-logtest again:

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'

The line now hits the decoder named auditServerd, which identifies it precisely as output of the auditServerd program.

Building on the auditServerd decoder, we can add child decoders to extract more information, for example:

<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>

<decoder name="auditServerd-login">
  <parent>auditServerd</parent>
  <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>
  <order>user,status,srcip,dstip,dstport</order>
</decoder>

Running /var/ossec/bin/ossec-logtest again now yields more fields:

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'SUCEESS'
       srcip: '172.17.153.36'
       dstip: '172.17.153.

By configuring regular expressions like this, users extract specific fields for later correlation analysis. OSSEC has 14 built-in fields that a decoder can populate:

   - location - where the log came from (only on FTS)
   - srcuser - extracts the source username
   - dstuser - extracts the destination (target) username
   - user - an alias to dstuser (only one of the two can be used)
   - srcip - source ip
   - dstip - dst ip
   - srcport - source port
   - dstport - destination port
   - protocol - protocol
   - id - event id
   - url - url of the event
   - action - event action (deny, drop, accept, etc)
   - status - event status (success, failure, etc)
   - extra_data - Any extra data
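To make the two stages concrete, here is an added example (written for this page; it is not from the article and not OSSEC code) in Python that runs pre-decoding and decoding on the two auditServerd lines above plus one sshd line. The syslog header pattern, the dict form of the decoder.xml entries and the SAMPLE_LOGS list are this example's own assumptions; the decoder regex and the `<order>` list are the ones from the auditServerd-login decoder above, and `user` is stored as `dstuser` because the field list marks it as an alias, which is why ossec-logtest prints dstuser.

```python
import re

# Constructed sample lines (the two auditServerd messages from the article plus one
# sshd line in the same syslog layout), used as input for this example.
SAMPLE_LOGS = [
    "Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
    "User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .",
    "Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: "
    "User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .",
    "Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: "
    "Accepted publickey for root from 172.16.24.121 port 38720 ssh2",
]

# Phase 1 (pre-decoding): split the syslog header into the four basic fields that
# ossec-logtest prints (timestamp, hostname, program_name, log). This pattern is the
# example's own approximation of the built-in syslog pre-decoder.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

# Phase 2 (decoding): the decoder.xml entries from the article, transcribed into dicts.
# A decoder without "parent" is selected by program_name; a child decoder applies its
# regex to the log part and assigns the captured groups in <order> sequence.
DECODERS = [
    {"name": "auditServerd", "program_name": "/usr/bin/auditServerd"},
    {
        "name": "auditServerd-login",
        "parent": "auditServerd",
        "regex": r"^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$",
        "order": ["user", "status", "srcip", "dstip", "dstport"],
    },
]


def pre_decode(line):
    """Return the Phase 1 fields, or None if the line is not in syslog layout."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def decode(event):
    """Return the Phase 2 fields: the matching decoder name plus any extracted fields."""
    fields = {"decoder": None}
    for d in DECODERS:
        if "parent" not in d and d.get("program_name") == event["program_name"]:
            fields["decoder"] = d["name"]
            break
    if fields["decoder"] is None:
        return fields  # ossec-logtest would print "No decoder matched."
    for d in DECODERS:
        if d.get("parent") != fields["decoder"]:
            continue
        m = re.match(d["regex"], event["log"])
        if m:
            for name, value in zip(d["order"], m.groups()):
                # "user" is an alias for dstuser, which is why logtest shows dstuser
                fields["dstuser" if name == "user" else name] = value
            break
    return fields


def analyze(line):
    """Run both phases on one line and merge the results, as ossec-logtest does."""
    event = pre_decode(line)
    if event is None:
        return None
    event.update(decode(event))
    return event


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyze(line))
```

Running the script prints one dict per line. The sshd line comes back with decoder None, which corresponds to the "No decoder matched." output seen earlier, because the auditServerd decoder selects on program_name alone; the auditServerd lines carry dstuser, status, srcip, dstip and dstport exactly as in the Phase 2 output above.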

3. Custom alert rules

3.1 Configuring the rule file path

OSSEC's rule files live under /var/ossec/rules/ by default. A rule file is only loaded if it is listed in /var/ossec/etc/ossec.conf; the default configuration looks like this:

<ossec_config>  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    ......
    <include>clam_av_rules.xml</include>
    <include>bro-ids_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>  <!-- rules global entry -->

Alternatively, the following configuration loads every rule file under /var/ossec/rules:

<ossec_config>
  <rules>
    <rule_dir pattern=".xml$">rules</rule_dir>
  </rules>
</ossec_config>

Decoders can be loaded the same way with a decoder_dir element, for example:

<ossec_config>
  <rules>
    <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir>
  </rules>
</ossec_config>

This adds every xml file under /var/ossec/rules/plugins/decoders as an OSSEC decoder.

For the full configuration syntax, see:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir 


3.2 Configuring OSSEC alert rules

Suppose, for example, we want alert rules for the auditServerd program. Since no rule file exists for it yet, we create a new one; for programs that already have rule files in OSSEC (sshd, openbsd, vsftpd and so on) we would simply add to or modify the corresponding file.

First, create the file

/var/ossec/rules/auditServerd_rules.xml

with the following content:

<group name="auditServer,">
  <rule id="80000" level="0" noalert="1">
    <decoded_as>auditServerd</decoded_as>
    <description>Grouping for the auditServerd rules.</description>
  </rule>

  <rule id="80001" level="10">
    <if_sid>80000</if_sid>
    <user>blackrat</user>
    <srcip>172.17.153.36</srcip>
    <description>User blackrat is not allowed login from 172.17.153.36!</description>
  </rule>
</group>

In this file, rule 80000 groups the events and counts them: whenever a log decoded as auditServerd arrives, it is placed in the auditServer group and the state-machine counter is incremented by 1.

Rule 80001 matches when user is blackrat and srcip is 172.17.153.36, and raises the alert "User blackrat is not allowed login from 172.17.153.36!".

Then add the file to /var/ossec/etc/ossec.conf:

    ...
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
    <include>auditServerd_rules.xml</include>
  </rules>
</ossec_config>

Run /var/ossec/bin/ossec-logtest; the result is:

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'SUCEESS'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'

**Phase 3: Completed filtering (rules).
       Rule id: '80001'
       Level: '10'
       Description: 'User blackrat is not allowed login from 172.17.153.36!'
**Alert to be generated.

3.3 Correlation alert rules

OSSEC can raise correlation alerts based on causally related events and their frequency; this is configured as follows.

Suppose we want an alert when logins to auditServerd from the same IP fail 5 times within 1 minute. The rules can be written as:

<group name="auditServer,">
  <rule id="80000" level="0" noalert="1">
    <decoded_as>auditServerd</decoded_as>
    <description>Grouping for the auditServerd rules.</description>
  </rule>

  <rule id="80001" level="10">
    <if_sid>80000</if_sid>
    <match>SUCEESS</match>
    <user>blackrat</user>
    <srcip>172.17.153.36</srcip>
    <description>User blackrat is not allowed login from 172.17.153.36!</description>
  </rule>

  <rule id="80002" level="1">
    <if_sid>80000</if_sid>
    <match>PWD_ERROR</match>
    <group>authServer_login_failures,</group>
    <description>login auditServerd password error.</description>
  </rule>

  <rule id="80003" level="15" frequency="5" timeframe="60" ignore="30">
    <if_matched_group>authServer_login_failures</if_matched_group>
    <description>auditServerd brute force trying to get access to </description>
    <description>the audit system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>
</group>

Run /var/ossec/bin/ossec-logtest and enter the following line five times in a row:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .

The result is:

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'PWD_ERROR'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'

**Phase 3: Completed filtering (rules).
       Rule id: '80003'
       Level: '15'
       Description: 'auditServerd brute force trying to get access to the audit system.'
**Alert to be generated.
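As an added illustration of how rules 80001 to 80003 interact (example code written for this page, not the article's or OSSEC's implementation), the following Python models Phase 3 for sections 3.2 and 3.3: <if_sid> chaining under the 80000 grouping rule, the atomic <match>/<user>/<srcip> conditions of 80001, and the <frequency>, <timeframe>, <same_source_ip/> and <ignore> correlation of 80003. The events are constructed, already-decoded Phase 2 records with an added `time` field in seconds (an assumption of this example), and the counting treats the current event as one of the five, which simplifies the daemon's own bookkeeping.

```python
# Rules 80000-80003 from the article, transcribed into dicts (this example's own
# representation, not OSSEC's internal one). The two <description> elements of
# rule 80003 are joined, as ossec-logtest shows in Phase 3.
RULES = [
    {"id": 80000, "level": 0, "noalert": True, "decoded_as": "auditServerd",
     "description": "Grouping for the auditServerd rules."},
    {"id": 80001, "level": 10, "if_sid": 80000, "match": "SUCEESS",
     "user": "blackrat", "srcip": "172.17.153.36",
     "description": "User blackrat is not allowed login from 172.17.153.36!"},
    {"id": 80002, "level": 1, "if_sid": 80000, "match": "PWD_ERROR",
     "group": "authServer_login_failures",
     "description": "login auditServerd password error."},
    {"id": 80003, "level": 15, "frequency": 5, "timeframe": 60, "ignore": 30,
     "if_matched_group": "authServer_login_failures", "same_source_ip": True,
     "description": "auditServerd brute force trying to get access to the audit system."},
]


def login_event(status, srcip, t):
    """Constructed, already-decoded auditServerd event (Phase 2 fields) at time t seconds."""
    return {
        "decoder": "auditServerd", "dstuser": "blackrat", "status": status,
        "srcip": srcip, "dstip": "172.17.153.38", "dstport": "3333", "time": t,
        "log": f"User blackrat login {status} from {srcip} to 172.17.153.38 distport 3333 .",
    }


class RuleEngine:
    """Simplified model of Phase 3: atomic rules, if_sid chaining and frequency correlation."""

    def __init__(self, rules):
        self.rules = rules
        self.history = []       # (time, srcip, groups) for each event that matched any rule
        self.ignore_until = {}  # rule id -> time until which <ignore> suppresses re-alerting

    @staticmethod
    def _atomic_match(rule, ev):
        # <decoded_as>, <match>, <user> (dstuser) and <srcip> must all hold
        if "decoded_as" in rule and ev.get("decoder") != rule["decoded_as"]:
            return False
        if "match" in rule and rule["match"] not in ev["log"]:
            return False
        if "user" in rule and ev.get("dstuser") != rule["user"]:
            return False
        if "srcip" in rule and ev.get("srcip") != rule["srcip"]:
            return False
        return True

    def _correlated_match(self, rule, ev, groups_now):
        # <if_matched_group>: the current event must be in the group, and together with
        # earlier group events inside <timeframe> seconds (from the same source IP when
        # <same_source_ip/> is set) reach <frequency>. The current event is counted here;
        # the daemon's exact off-by counting is not reproduced.
        grp = rule["if_matched_group"]
        if grp not in groups_now:
            return False
        since = ev["time"] - rule["timeframe"]
        prior = sum(
            1 for t, ip, groups in self.history
            if t >= since and grp in groups
            and (not rule.get("same_source_ip") or ip == ev["srcip"])
        )
        return prior + 1 >= rule["frequency"]

    def evaluate(self, ev):
        """Return the id of the alerting rule for this event (None if nothing alerts)."""
        matched, groups = [], set()
        for rule in self.rules:
            if "if_sid" in rule and rule["if_sid"] not in {r["id"] for r in matched}:
                continue
            if "if_matched_group" in rule:
                if not self._correlated_match(rule, ev, groups):
                    continue
                if self.ignore_until.get(rule["id"], -1) > ev["time"]:
                    continue  # still inside the <ignore> window after the last alert
                self.ignore_until[rule["id"]] = ev["time"] + rule.get("ignore", 0)
            elif not self._atomic_match(rule, ev):
                continue
            matched.append(rule)
            if "group" in rule:
                groups.add(rule["group"])
        if matched:
            self.history.append((ev["time"], ev["srcip"], groups))
        alerting = [r for r in matched if not r.get("noalert") and r["level"] > 0]
        return alerting[-1]["id"] if alerting else None


def run_scenario(events):
    """Feed a sequence of events through a fresh engine; return the alerting rule id per event."""
    engine = RuleEngine(RULES)
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    five_failures = [login_event("PWD_ERROR", "172.17.153.36", t) for t in range(0, 50, 10)]
    print(run_scenario(five_failures))  # rule 80003 alerts on the fifth line
```

run_scenario returns the alerting rule id for each event: five PWD_ERROR lines from 172.17.153.36 within 60 seconds produce four level 1 matches of 80002 and then 80003 on the fifth; a sixth line inside the 30-second ignore window falls back to 80002; and the same five failures from five different IPs, or spread over more than a minute, never reach 80003. A SUCEESS line from 172.17.153.36 alerts on 80001, while one from another IP only hits the silent grouping rule.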

For the full syntax of OSSEC alert rules, see:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

For the syntax of OSSEC regular expressions, see:

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

