OSSEC日志泛化及告警规则配置

安全
OSSEC是一款开源的多平台的入侵检测系统,可以运行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系统中。包括了日志分析,全面检测,root-kit检测。

OSSEC是一款开源的多平台的入侵检测系统,可以运行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系统中。包括了日志分析,全面检测,root-kit检测。

OSSEC日志泛化及告警规则配置

1. 测试和验证OSSEC泛化及告警规则

OSSEC默认具有一个ossec-logtest工具用于测试OSSEC的泛化及告警规则。该工具一般默认安装于目录 /var/ossec/bin 中。

使用示例:

  1. /var/ossec/bin/ossec-logtest  
  2. 2014/06/1113:15:36 ossec-testrule: INFO: Reading local decoder file.  
  3. 2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).  
  4. ossec-testrule: Type one log per line.  
  5. Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2  
  6.  
  7. **Phase 1: Completed pre-decoding.  
  8.        full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'  
  9.        hostname: '172.16.25.122/172.16.24.32'  
  10.        program_name: 'sshd'  
  11.        log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'  
  12.  
  13. **Phase 2: Completed decoding.  
  14.        decoder: 'sshd'  
  15.        dstuser: 'root'  
  16.        srcip: '172.16.24.121'  
  17.  
  18. **Phase 3: Completed filtering (rules).  
  19.        Rule id: '10100'  
  20.        Level: '4'  
  21.        Description: 'First time user logged in.'  
  22. **Alert to be generated. 

如上文所示,当输入日志内容:

Jun 1021:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for rootfrom 172.16.24.121 port 38720 ssh2

该条日志经过三步处理,生成了一条4级告警,规则ID为10100,内容为“First time user logged in.”

使用ossec-logtest–v命令,可获取更详细的日志分析逻辑。

  1. /var/ossec/bin/ossec-logtest  -v  
  2. 2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.  
  3. 2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).  
  4. ossec-testrule: Type one log per line.  
  5.  
  6. Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121  
  7.  
  8. **Phase 1: Completed pre-decoding.  
  9.        full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121' 
  10.        hostname: '172.16.25.122/172.16.24.32' 
  11.        program_name: 'sshd' 
  12.        log: 'Did not receive identification string from 172.16.24.121' 
  13.  
  14. **Phase 2: Completed decoding.  
  15.        decoder: 'sshd' 
  16.        srcip: '172.16.24.121' 
  17.  
  18. **Rule debugging:  
  19.     Trying rule: 1 - Generic template for all syslog rules.  
  20.        *Rule 1 matched.  
  21.        *Trying child rules.  
  22.     Trying rule: 5500 - Grouping of the pam_unix rules.  
  23.     Trying rule: 5700 - SSHD messages grouped.  
  24.        *Rule 5700 matched.  
  25.        *Trying child rules.  
  26.     Trying rule: 5709 - Useless SSHD message without an user/ip and context.  
  27.     Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.  
  28.     Trying rule: 5721 - System disconnected from sshd.  
  29.     Trying rule: 5722 - ssh connection closed.  
  30.     Trying rule: 5723 - SSHD key error.  
  31.     Trying rule: 5724 - SSHD key error.  
  32.     Trying rule: 5725 - Host ungracefully disconnected.  
  33.     Trying rule: 5727 - Attempt to start sshd when something already bound to the port.  
  34.     Trying rule: 5729 - Debug message.  
  35.     Trying rule: 5732 - Possible port forwarding failure.  
  36.     Trying rule: 5733 - User entered incorrect password.  
  37.     Trying rule: 5734 - sshd could not load one or more host keys.  
  38.     Trying rule: 5735 - Failed write due to one host disappearing.  
  39.     Trying rule: 5736 - Connection reset or aborted.  
  40.     Trying rule: 5707 - OpenSSH challenge-response exploit.  
  41.     Trying rule: 5701 - Possible attack on the ssh server (or version gathering).  
  42.     Trying rule: 5706 - SSH insecure connection attempt (scan).  
  43.        *Rule 5706 matched.  
  44.  
  45. **Phase 3: Completed filtering (rules).  
  46.        Rule id: '5706' 
  47.        Level'6' 
  48.        Description: 'SSH insecure connection attempt (scan).' 
  49. **Alert to be generated. 

2. 自定义日志泛化规则

2.1 添加日志源

添加日志源的方式很简单,通过修改/var/ossec/etc/ossec.conf 即可实现。

如果日志源是本地文件,可通过添加如下配置实现。

  1. <localfile> 
  2.   <log_format>syslog</log_format> 
  3.   <location>/path/to/log/file</location> 
  4. </localfile> 

如果日志源是远程syslog,可通过添加如下配置实现。

  1. <remote> 
  2. <connection>syslog</connection> 
  3. <protocol>udp</protocol> 
  4. <port>2514</port> 
  5. <allowed-ips>172.16.24.0/24</allowed-ips> 
  6. </remote> 

2.2 创建自定义的日志泛化规则

假如有两条日志如下文:

Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat loginSUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]:
User blackrat login PWD_ERRORfrom 172.17.153.36 to 172.17.153.38 distport 3333 .

该日志使用ossec-logtest分析之后结果如下:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       No decoder matched

由此可知OSSEC在分析日志的时候,经过了两个泛化过程:pre-decoding和 decoding。

pre-decoding过程是ossec内置的,只要是标准的syslog日志,都可以解析出如下4个基本信息。

Timestamp:Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Programe_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333.

在decoding过程,用户可以通过修改/var/ossec/etc/decoder.xml,实现自定义的泛化。例如在该文件中添加如下规则:

  1. <decoder name="auditServerd"> 
  2.   <program_name>/usr/bin/auditServerd</program_name> 
  3. </decoder> 

再次执行/var/ossec/bin/ossec-logtest

  1. **Phase 1: Completed pre-decoding.  
  2.        full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  3.        hostname: '172.17.153.38/172.16.24.32'  
  4.        program_name: '/usr/bin/auditServerd'  
  5.        log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  6.  
  7. **Phase 2: Completed decoding.  
  8.        decoder: 'auditServerd' 

发现,该条日志成功命中了名为auditServerd的规则,该条规则可以准确的将日志定位为是程序auditServerd所发出的。

除此之外,基于auditServerd这条规则,我们还可以添加更多的子规则,来识别出更多的信息。如:

  1. <decoder name="auditServerd">                                 
  2.   <program_name>/usr/bin/auditServerd</program_name>                          
  3. </decoder> 
  4. <decoder name="auditServerd-login">                                        
  5.   <parent>auditServerd</parent>                             
  6.   <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>    
  7.   <order>user,status,srcip,dstip,dstport</order>                                  
  8. </decoder> 

再次执行/var/ossec/bin/ossec-logtest,可获取更多的信息,如下:

  1. **Phase 1: Completed pre-decoding.  
  2.       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to172.17.153.38 distport 3333 .'  
  3.       hostname: '172.17.153.38/172.16.24.32'  
  4.       program_name: '/usr/bin/auditServerd'  
  5.       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38distport 3333 .'  
  6.    
  7. **Phase 2: Completed decoding.  
  8.       decoder: 'auditServerd'  
  9.        dstuser: 'blackrat'  
  10.       status:'SUCEESS'  
  11.       srcip: '172.17.153.36'  
  12.        dstip: '172.17.153. 

用户通过配置上述正则表达式,获取特定字段,用于后续的关联分析。OSSEC一共内置了14个用户可解析的字段:

 - location – where the log came from (only on FTS)
   - srcuser  - extracts the source username
   - dstuser  - extracts the destination (target) username
   - user     – an alias to dstuser (only one of the two can be used)
   - srcip    - source ip
   - dstip    - dst ip
   - srcport  - source port
   - dstport  - destination port
   - protocol – protocol
   - id       – event id
   - url      - url of the event
   - action   – event action (deny, drop, accept, etc)
   - status   – event status (success, failure, etc)
   - extra_data     – Any extra data

3. 自定义日志告警规则

3.1 规则文件路径配置

OSSEC的规则配置文件默认路径为/var/ossec/rules/,要加载规则文件,需要在/var/ossec/etc/ossec.conf 中配置,默认的配置如下:

  1. <ossec_config>  <!-- rules global entry --> 
  2.   <rules> 
  3.     <include>rules_config.xml</include> 
  4.     <include>pam_rules.xml</include> 
  5.     <include>sshd_rules.xml</include> 
  6.     <include>telnetd_rules.xml</include> 
  7.     <include>syslog_rules.xml</include> 
  8.     <include>arpwatch_rules.xml</include> 
  9.      ......    
  10.     <include>clam_av_rules.xml</include>   
  11.     <include>bro-ids_rules.xml</include> 
  12.     <include>dropbear_rules.xml</include> 
  13.     <include>local_rules.xml</include>   
  14. </rules>   
  15. </ossec_config>  <!-- rules global entry --> 

其实通过下列配置,可以实现加载/var/ossec/rules 下的所有规则文件:

  1.  <ossec_config> 
  2.     <rules> 
  3.         <rule_dir pattern=".xml$">rules</rule_dir> 
  4.     </rules> 
  5. </ossec_config> 

于泛化规则,也可以通过配置decoder_dir域来实现,如:

  1. <ossec_config> 
  2.     <rules> 
  3.         <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir> 
  4.     </rules> 
  5. </ossec_config> 

上述配置可将/var/ossec/rules/plugins/plugins/decoders目录下所有的xml文件都添加为OSSEC日志泛化规则。

对于更详细的配置及语法,可参考下列文档:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

3.2 OSSEC告警规则配置

例如,我们需要增加对程序auditServerd的告警规则,我们需要针对auditServerd程序新建一个规则文件,对于OSSEC中已经存在的规则文件如sshd, openbsd, vsftpd等,我们只需要在对应的文件中进行新增或修改。

首先我们新建文件

/var/ossec/rules/auditServerd_rules.xml

添加如下内容:

  1. <group name="auditServer,"> 
  2.    <rule id="80000" level="0" noalert="1"> 
  3.     <decoded_as>auditServerd</decoded_as> 
  4.     <description>Grouping for the auditServerd rules.</description> 
  5.   </rule> 
  6.  
  7.   <rule id="80001" level="10"> 
  8.     <if_sid>80000</if_sid> 
  9.     <user>blackrat</user> 
  10.     <srcip>172.17.153.36</srcip> 
  11.     <description>User blackrat is not allowed login from 172.17.153.36!</description> 
  12.   </rule> 
  13. </group> 

上述规则中,规则id 80000 用于对日志进行分组计数,假如日志中出现了泛化为auditServerd的日志,则对该日志分组为auditServer,且状态机计数加1.

规则80001描述了假如user为blackrat,srcip为172.17.153.36 则命中,并发出“User blackrat is not allowed login from 172.17.153.36!”的告警。

将该文件路径加入到文件/var/ossec/etc/ossec.conf中

  1.  …  
  2. <include>dropbear_rules.xml</include>   
  3. <include>local_rules.xml</include>   
  4. <include>auditServerd_rules.xml</include>   
  5. </ossec_config> 

执行/var/ossec/bin/ossec-logtest,结果如下:

  1. **Phase 1: Completed pre-decoding.  
  2.        full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  3.        hostname: '172.17.153.38/172.16.24.32'  
  4.        program_name: '/usr/bin/auditServerd'  
  5.        log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  6.  
  7. **Phase 2: Completed decoding.  
  8.        decoder: 'auditServerd'  
  9.        dstuser: 'blackrat'  
  10.        status: 'SUCEESS'  
  11.        srcip: '172.17.153.36'  
  12.        dstip: '172.17.153.38'  
  13.        dstport: '3333'  
  14.  
  15. **Phase 3: Completed filtering (rules).  
  16.        Rule id: '80001'  
  17.        Level: '10'  
  18.        Description: 'User blackrat is not allowed login from 172.17.153.36!'  
  19. **Alert to be generated. 

3.3 关联分析告警规则

OSSEC可以实现基于因果关系、事件频次的关联分析告警,具体实现方式如下。

假如我们想要实现当来自同一IP的用户登陆auditServerd,在1分钟内达到5次登录失败时,进行告警,我们可以配置规则如下:

  1. <group name="auditServer,"> 
  2.    <rule id="80000" level="0" noalert="1"> 
  3.     <decoded_as>auditServerd</decoded_as> 
  4.     <description>Grouping for the auditServerd rules.</description> 
  5.   </rule> 
  6.  
  7.   <rule id="80001" level="10"> 
  8.     <if_sid>80000</if_sid> 
  9.     <match>SUCEESS</match> 
  10.     <user>blackrat</user> 
  11.     <srcip>172.17.153.36</srcip> 
  12.     <description>User blackrat is not allowed login from 172.17.153.36!</description> 
  13.   </rule> 
  14.  
  15.   <rule id="80002" level="1"> 
  16.     <if_sid>80000</if_sid> 
  17.     <match>PWD_ERROR</match> 
  18.     <group>authServer_login_failures,</group> 
  19.     <description>login auditServerd password error.</description> 
  20.   </rule> 
  21.  
  22.   <rule id="80003" level="15" frequency="5" timeframe="60" ignore="30">   
  23.     <if_matched_group>authServer_login_failures</if_matched_group> 
  24.     <description>auditServerd brute force trying to get access to </description>         
  25.     <description>the audit system.</description> 
  26.     <same_source_ip /> 
  27.     <group>authentication_failures,</group> 
  28.   </rule> 
  29. </group> 

执行/var/ossec/bin/ossec-logtest,连续五次输入日志:

结果如下:

  1. **Phase 1: Completed pre-decoding.  
  2.        full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  3.        hostname: '172.17.153.38/172.16.24.32'  
  4.        program_name: '/usr/bin/auditServerd'  
  5.        log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
  6. **Phase 2: Completed decoding.  
  7.        decoder: 'auditServerd'  
  8.        dstuser: 'blackrat'  
  9.        status: 'PWD_ERROR'  
  10.        srcip: '172.17.153.36'  
  11.        dstip: '172.17.153.38'  
  12.        dstport: '3333'  
  13.  
  14. **Phase 3: Completed filtering (rules).  
  15.        Rule id: '80003'  
  16.        Level: '15'  
  17.        Description: 'auditServerd brute force trying to get access to the audit system.'  
  18. **Alert to be generated. 

对于OSSEC日志告警规则更详细的语法,参见:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

对于OSSEC中正则表达式的语法,参加:

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

责任编辑:蓝雨泪 来源: FreeBuf
相关推荐

2012-11-07 15:57:34

OSSECMYSQL

2021-08-27 07:06:10

应用

2012-11-07 16:21:14

OSSECDECODE

2013-08-20 10:12:37

入侵检测系统ossec

2023-03-26 08:41:37

2023-01-18 08:32:13

2017-01-20 09:43:12

日志告警挖掘

2010-11-19 13:59:25

oracle告警日志

2017-01-09 15:09:45

Linux初始化配置

2012-11-14 11:03:14

OSSEC文件检查SYSCHECK

2012-11-14 11:09:14

OSSECactive-resp

2022-11-08 15:49:28

Dubbovivo服务器

2018-08-21 10:05:59

MySQLbinlog数据库

2020-04-01 15:11:36

Shell命令Linux

2023-10-07 09:16:55

SpringBoot启动流程

2017-03-06 16:51:52

Java泛型实现

2010-10-29 15:07:33

oracle日志

2019-07-23 10:40:05

云原生云计算公共云

2011-04-26 10:00:17

2023-11-17 08:23:10

Android开发
点赞
收藏

51CTO技术栈公众号