king

OSSEC日志泛化及告警规则配置

king 安全防护 2022-12-25 459浏览 0

OSSEC是一款开源的多平台的入侵检测系统,可以运行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系统中。包括了日志分析,全面检测,root-kit检测。

OSSEC日志泛化及告警规则配置

1. 测试和验证OSSEC泛化及告警规则

OSSEC默认具有一个ossec-logtest工具用于测试OSSEC的泛化及告警规则。该工具一般默认安装于目录 /var/ossec/bin 中。

使用示例:

/var/ossec/bin/ossec-logtest 
2014/06/1113:15:36ossec-testrule:INFO:Readinglocaldecoderfile. 
2014/06/1113:15:36ossec-testrule:INFO:Started(pid:26740). 
ossec-testrule:Typeonelogperline. 
Jun1021:29:33172.16.25.122/172.16.24.32sshd[24668]:Acceptedpublickeyforrootfrom172.16.24.121port38720ssh2 

**Phase1:Completedpre-decoding. 
fullevent:'Jun1021:29:33172.16.25.122/172.16.24.32sshd[24668]:Acceptedpublickeyforrootfrom172.16.24.121port38720ssh2' 
hostname:'172.16.25.122/172.16.24.32' 
program_name:'sshd' 
log:'Acceptedpublickeyforrootfrom172.16.24.121port38720ssh2' 

**Phase2:Completeddecoding. 
decoder:'sshd' 
dstuser:'root' 
srcip:'172.16.24.121' 

**Phase3:Completedfiltering(rules). 
Ruleid:'10100' 
Level:'4' 
Description:'Firsttimeuserloggedin.' 
**Alerttobegenerated.

如上文所示,当输入日志内容:

Jun 1021:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for rootfrom 172.16.24.121 port 38720 ssh2

该条日志经过三步处理,生成了一条4级告警,规则ID为10100,内容为“First time user logged in.”

使用ossec-logtest–v命令,可获取更详细的日志分析逻辑。

/var/ossec/bin/ossec-logtest-v 
2014/06/1113:44:52ossec-testrule:INFO:Readinglocaldecoderfile. 
2014/06/1113:44:52ossec-testrule:INFO:Started(pid:27091). 
ossec-testrule:Typeonelogperline. 

Jun1121:44:41172.16.25.122/172.16.24.32sshd[27743]:Didnotreceiveidentificationstringfrom172.16.24.121 

**Phase1:Completedpre-decoding. 
fullevent:'Jun1121:44:41172.16.25.122/172.16.24.32sshd[27743]:Didnotreceiveidentificationstringfrom172.16.24.121'
hostname:'172.16.25.122/172.16.24.32'
program_name:'sshd'
log:'Didnotreceiveidentificationstringfrom172.16.24.121'

**Phase2:Completeddecoding. 
decoder:'sshd'
srcip:'172.16.24.121'

**Ruledebugging: 
Tryingrule:1-Generictemplateforallsyslogrules. 
*Rule1matched. 
*Tryingchildrules. 
Tryingrule:5500-Groupingofthepam_unixrules. 
Tryingrule:5700-SSHDmessagesgrouped. 
*Rule5700matched. 
*Tryingchildrules. 
Tryingrule:5709-UselessSSHDmessagewithoutanuser/ipandcontext. 
Tryingrule:5711-Useless/DuplicatedSSHDmessagewithoutauser/ip. 
Tryingrule:5721-Systemdisconnectedfromsshd. 
Tryingrule:5722-sshconnectionclosed. 
Tryingrule:5723-SSHDkeyerror. 
Tryingrule:5724-SSHDkeyerror. 
Tryingrule:5725-Hostungracefullydisconnected. 
Tryingrule:5727-Attempttostartsshdwhensomethingalreadyboundtotheport. 
Tryingrule:5729-Debugmessage. 
Tryingrule:5732-Possibleportforwardingfailure. 
Tryingrule:5733-Userenteredincorrectpassword. 
Tryingrule:5734-sshdcouldnotloadoneormorehostkeys. 
Tryingrule:5735-Failedwriteduetoonehostdisappearing. 
Tryingrule:5736-Connectionresetoraborted. 
Tryingrule:5707-OpenSSHchallenge-responseexploit. 
Tryingrule:5701-Possibleattackonthesshserver(orversiongathering). 
Tryingrule:5706-SSHinsecureconnectionattempt(scan). 
*Rule5706matched. 

**Phase3:Completedfiltering(rules). 
Ruleid:'5706'
Level:'6'
Description:'SSHinsecureconnectionattempt(scan).'
**Alerttobegenerated.

2. 自定义日志泛化规则

2.1 添加日志源

添加日志源的方式很简单,通过修改/var/ossec/etc/ossec.conf 即可实现。

如果日志源是本地文件,可通过添加如下配置实现。

<localfile>
<log_format>syslog</log_format>
<location>/path/to/log/file</location>
</localfile>

如果日志源是远程syslog,可通过添加如下配置实现。

<remote>
<connection>syslog</connection>
<protocol>udp</protocol>
<port>2514</port>
<allowed-ips>172.16.24.0/24</allowed-ips>
</remote>

2.2 创建自定义的日志泛化规则

假如有两条日志如下文:

Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat loginSUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat login PWD_ERRORfrom 172.17.153.36 to 172.17.153.38 distport 3333 .

该日志使用ossec-logtest分析之后结果如下:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

**Phase 1: Completed pre-decoding.
 full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
 hostname: '172.17.153.38/172.16.24.32'
 program_name: '/usr/bin/auditServerd'
 log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
 No decoder matched

由此可知OSSEC在分析日志的时候,经过了两个泛化过程:pre-decoding和 decoding。

pre-decoding过程是ossec内置的,只要是标准的syslog日志,都可以解析出如下4个基本信息。

Timestamp:Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Programe_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333.

在decoding过程,用户可以通过修改/var/ossec/etc/decoder.xml,实现自定义的泛化。例如在该文件中添加如下规则:

<decodername="auditServerd">
<program_name>/usr/bin/auditServerd</program_name>
</decoder>

再次执行/var/ossec/bin/ossec-logtest

**Phase1:Completedpre-decoding. 
fullevent:'Jun1122:06:30172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]:UserblackratloginSUCEESSfrom172.17.153.36to172.17.153.38distport3333.' 
hostname:'172.17.153.38/172.16.24.32' 
program_name:'/usr/bin/auditServerd' 
log:'UserblackratloginSUCEESSfrom172.17.153.36to172.17.153.38distport3333.' 

**Phase2:Completeddecoding. 
decoder:'auditServerd'

发现,该条日志成功命中了名为auditServerd的规则,该条规则可以准确的将日志定位为是程序auditServerd所发出的。

除此之外,基于auditServerd这条规则,我们还可以添加更多的子规则,来识别出更多的信息。如:

<decodername="auditServerd"> 
<program_name>/usr/bin/auditServerd</program_name> 
</decoder>
<decodername="auditServerd-login"> 
<parent>auditServerd</parent> 
<regexoffset="after_parent">^User(\S+)login(\S+)from(\S+)to(\S+)distport(\S+)\.$</regex> 
<order>user,status,srcip,dstip,dstport</order> 
</decoder>

再次执行/var/ossec/bin/ossec-logtest,可获取更多的信息,如下:

**Phase1:Completedpre-decoding. 
fullevent:'Jun1122:06:30172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]:UserblackratloginSUCEESSfrom172.17.153.36to172.17.153.38distport3333.' 
hostname:'172.17.153.38/172.16.24.32' 
program_name:'/usr/bin/auditServerd' 
log:'UserblackratloginSUCEESSfrom172.17.153.36to172.17.153.38distport3333.' 
 
**Phase2:Completeddecoding. 
decoder:'auditServerd' 
dstuser:'blackrat' 
status:'SUCEESS' 
srcip:'172.17.153.36' 
dstip:'172.17.153.

用户通过配置上述正则表达式,获取特定字段,用于后续的关联分析。OSSEC一共内置了14个用户可解析的字段:

- location – where the log came from (only on FTS)
 - srcuser - extracts the source username
 - dstuser - extracts the destination (target) username
 - user – an alias to dstuser (only one of the two can be used)
 - srcip - source ip
 - dstip - dst ip
 - srcport - source port
 - dstport - destination port
 - protocol – protocol
 - id – event id 
 - url - url of the event
 - action – event action (deny, drop, accept, etc)
 - status – event status (success, failure, etc)
 - extra_data – Any extra data

3. 自定义日志告警规则

3.1 规则文件路径配置

OSSEC的规则配置文件默认路径为/var/ossec/rules/,要加载规则文件,需要在/var/ossec/etc/ossec.conf 中配置,默认的配置如下:

<ossec_config><!--rulesglobalentry-->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
...... 
<include>clam_av_rules.xml</include> 
<include>bro-ids_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>local_rules.xml</include> 
</rules> 
</ossec_config><!--rulesglobalentry-->

其实通过下列配置,可以实现加载/var/ossec/rules 下的所有规则文件:

<ossec_config>
<rules>
<rule_dirpattern=".xml$">rules</rule_dir>
</rules>
</ossec_config>

于泛化规则,也可以通过配置decoder_dir域来实现,如:

<ossec_config>
<rules>
<decoder_dirpattern=".xml$">rules/plugins/decoders</decoder_dir>
</rules>
</ossec_config>

上述配置可将/var/ossec/rules/plugins/plugins/decoders目录下所有的xml文件都添加为OSSEC日志泛化规则。

对于更详细的配置及语法,可参考下列文档:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

3.2 OSSEC告警规则配置

例如,我们需要增加对程序auditServerd的告警规则,我们需要针对auditServerd程序新建一个规则文件,对于OSSEC中已经存在的规则文件如sshd, openbsd, vsftpd等,我们只需要在对应的文件中进行新增或修改。

首先我们新建文件

/var/ossec/rules/auditServerd_rules.xml

添加如下内容:

<groupname="auditServer,">
<ruleid="80000"level="0"noalert="1">
<decoded_as>auditServerd</decoded_as>
<description>GroupingfortheauditServerdrules.</description>
</rule>

<ruleid="80001"level="10">
<if_sid>80000</if_sid>
<user>blackrat</user>
<srcip>172.17.153.36</srcip>
<description>Userblackratisnotallowedloginfrom172.17.153.36!</description>
</rule>
</group>

上述规则中,规则id 80000 用于对日志进行分组计数,假如日志中出现了泛化为auditServerd的日志,则对该日志分组为auditServer,且状态机计数加1.

规则80001描述了假如user为blackrat,srcip为172.17.153.36 则命中,并发出“User blackrat is not allowed login from 172.17.153.36!”的告警。

将该文件路径加入到文件/var/ossec/etc/ossec.conf中

… 
<include>dropbear_rules.xml</include> 
<include>local_rules.xml</include> 
<include>auditServerd_rules.xml</include> 
</ossec_config>

执行/var/ossec/bin/ossec-logtest,结果如下:

**Phase1:Completedpre-decoding. 
fullevent:'Jun1122:06:30172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]:UserblackratloginSUCEESSfrom172.17.153.36to172.17.153.38distport3333.' 
hostname:'172.17.153.38/172.16.24.32' 
program_name:'/usr/bin/auditServerd' 
log:'UserblackratloginSUCEESSfrom172.17.153.36to172.17.153.38distport3333.' 

**Phase2:Completeddecoding. 
decoder:'auditServerd' 
dstuser:'blackrat' 
status:'SUCEESS' 
srcip:'172.17.153.36' 
dstip:'172.17.153.38' 
dstport:'3333' 

**Phase3:Completedfiltering(rules). 
Ruleid:'80001' 
Level:'10' 
Description:'Userblackratisnotallowedloginfrom172.17.153.36!' 
**Alerttobegenerated.

3.3 关联分析告警规则

OSSEC可以实现基于因果关系、事件频次的关联分析告警,具体实现方式如下。

假如我们想要实现当来自同一IP的用户登陆auditServerd,在1分钟内达到5次登录失败时,进行告警,我们可以配置规则如下:

<groupname="auditServer,">
<ruleid="80000"level="0"noalert="1">
<decoded_as>auditServerd</decoded_as>
<description>GroupingfortheauditServerdrules.</description>
</rule>

<ruleid="80001"level="10">
<if_sid>80000</if_sid>
<match>SUCEESS</match>
<user>blackrat</user>
<srcip>172.17.153.36</srcip>
<description>Userblackratisnotallowedloginfrom172.17.153.36!</description>
</rule>

<ruleid="80002"level="1">
<if_sid>80000</if_sid>
<match>PWD_ERROR</match>
<group>authServer_login_failures,</group>
<description>loginauditServerdpassworderror.</description>
</rule>

<ruleid="80003"level="15"frequency="5"timeframe="60"ignore="30"> 
<if_matched_group>authServer_login_failures</if_matched_group>
<description>auditServerdbruteforcetryingtogetaccessto</description> 
<description>theauditsystem.</description>
<same_source_ip/>
<group>authentication_failures,</group>
</rule>
</group>

执行/var/ossec/bin/ossec-logtest,连续五次输入日志:

结果如下:

**Phase1:Completedpre-decoding. 
fullevent:'Jun1122:06:30172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]:UserblackratloginPWD_ERRORfrom172.17.153.36to172.17.153.38distport3333.' 
hostname:'172.17.153.38/172.16.24.32' 
program_name:'/usr/bin/auditServerd' 
log:'UserblackratloginPWD_ERRORfrom172.17.153.36to172.17.153.38distport3333.' 
**Phase2:Completeddecoding. 
decoder:'auditServerd' 
dstuser:'blackrat' 
status:'PWD_ERROR' 
srcip:'172.17.153.36' 
dstip:'172.17.153.38' 
dstport:'3333' 

**Phase3:Completedfiltering(rules). 
Ruleid:'80003' 
Level:'15' 
Description:'auditServerdbruteforcetryingtogetaccesstotheauditsystem.' 
**Alerttobegenerated.

对于OSSEC日志告警规则更详细的语法,参见:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

对于OSSEC中正则表达式的语法,参加:

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

转载请注明:IT运维空间 » 安全防护 » OSSEC日志泛化及告警规则配置

你可能喜欢:
继续浏览有关 安全 的文章
发表评论
最新文章
热门文章
热评文章
Powered By Z-BlogPHP Theme By B5编程