Log Analysis

I. IDPS

IDS

Intrusion Detection System: detects malicious behaviour and raises an alert.

Type 1: based on switch or server traffic (NIDS, network-based IDS)

Focuses on communication traffic. Encrypted traffic is hard to inspect (but there are still features/fingerprints, so identify as much as possible).

Generally written in C, for reasons anyone in the field will understand;

Rule-base algorithm design: for a given flow, first classify it, e.g. SSH traffic, Oracle traffic, MySQL traffic, DNS traffic; once it is classified, e.g. as MySQL, look up the rule in that category's rule set.

Type 2: based on operating-system files or logs (HIDS, host-based IDS)

Only cares about host behaviour and log information.

Watches file characteristics, e.g. whether a file has been modified.

IPS

Intrusion Prevention System: not only detects attacks, but also blocks them.

Type 1: network-traffic-based IPS

Cannot be attached out of band; it must sit inline, so that illegal traffic is blocked directly when detected.

Type 2: based on the web server or on various application servers

e.g. WAFs for Apache, Nginx, or for the PHP language.

Suppose a deployment path looks like this:

router/switch -> firewall -> operating system -> application server ->

The further forward a device or system sits, the higher its performance and generality requirements.

Conversely, the further back it sits, the more targeted and focused it is, and the more efficient.

Open-source products

HIDS: OSSEC (unmaintained for a long time), **Wazuh (Unix systems)**

NIDS: Snort (cannot support the application layer), **Suricata**, Zeek

The hard part: building and writing the rule base, i.e. a blacklist.

Rules have three key aspects:

Classification (the specific protocol and its particular behaviour)

Specific behavioural characteristics

Continuity of events: if there are hundreds of 404s or hundreds of "Failed" entries, there is reason to suspect a scan.

Elastic Stack visualisation needs at least 6 GB of RAM to start; my machine can't handle it anyway.

Extension: AI-based IDPS

Let the AI learn a large amount of legitimate access data (a whitelist); once scanned traffic or logs fail to match the learned feature base, they are treated as anomalous.

EDR

Endpoint detection and response. An endpoint is any device attached to the network (mobile devices, desktops, servers).

Log analysis vs. traffic analysis

  • Two modes: online real-time analysis, and offline analysis (after the fact, e.g. for forensics or tracing the source)
  • Rules are the core: identifying and writing rules based on the features of logs or traffic is the focus of online real-time analysis
  • Security and performance fundamentally cannot both be maximised

II. Product installation and use

Installing a CentOS virtual machine

Domestic (China) mirror sources, shared for faster downloads

CentOS installation

Bridged network with a fixed IP; if you connect with Xshell or a similar tool, the subnet must match.

```shell
vi /etc/sysconfig/network-scripts/ifcfg-ens33
```

```ini
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="dhcp"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="f2612a57-835d-4f4d-8f18-9beeb7901113"
DEVICE="ens33"
ONBOOT="yes"
```

Change it as follows:

```ini
TYPE="Ethernet" # network type: Ethernet
BOOTPROTO="static" # assign the IP manually
NAME="ens33" # NIC device name; must match the file name
DEVICE="ens33" # NIC device name; must match the file name
ONBOOT="yes" # whether this NIC comes up with the network service
IPADDR="192.168.220.101" # the fixed IP you want for this NIC; if you connect with Xshell or similar, the 220 subnet should match your own PC's subnet, otherwise the Xshell connection may fail
GATEWAY="192.168.220.2" # gateway
NETMASK="255.255.255.0" # subnet mask
DNS1="8.8.8.8" # DNS; 8.8.8.8 is Google's free public DNS server
```

The static IP is configured so that the VM can ping Baidu.

root-root123

xg-test123

1. Installing Wazuh

Wazuh installation reference

1.1 Install the required packages

```shell
yum install curl unzip wget libcap net-tools
```

1.2 Import the RPM signing key

```shell
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
```

1.3 Add the repo file

```shell
# The delimiter is left unquoted so that \$releasever is written to the file as $releasever, which yum expands
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
```

1.4 Install the server

```shell
yum install wazuh-manager
```

1.5 Start it

```shell
systemctl start wazuh-manager
```

2. Wazuh architecture

Wazuh agent (collects information) -> Wazuh server (analyses information) <- Elastic Stack (visualisation)

3. Basic use

1. Directory structure

Default path: /var/ossec

The main items to look at: etc (configuration files), logs (log directory), ruleset

```shell
[root@xinguang ossec]# cd active-response
[root@xinguang active-response]# ls
bin
[root@xinguang active-response]# cd bin
[root@xinguang bin]# ls
default-firewall-drop firewall-drop ipfw npf restart-wazuh
disable-account host-deny kaspersky pf route-null
firewalld-drop ip-customblock kaspersky.py restart.sh wazuh-slack
```

```shell
[root@xinguang ossec]# cd etc
[root@xinguang etc]# ls
client.keys lists ossec.conf shared
decoders local_internal_options.conf rootcheck sslmanager.cert
internal_options.conf localtime rules sslmanager.key
```

The decoders (identification/classification) and rules shown under ossec/etc are the user-defined ones.

```shell
[root@xinguang ossec]# ls
active-response api bin framework lib queue stats var
agentless backup etc integrations logs ruleset tmp wodles
[root@xinguang ossec]# cd ruleset
[root@xinguang ruleset]# ls
decoders rules sca
[root@xinguang ruleset]# cd rules
[root@xinguang rules]# ls
0010-rules_config.xml 0410-imperva_rules.xml
0015-ossec_rules.xml 0415-sophos_rules.xml
0016-wazuh_rules.xml 0420-freeipa_rules.xml
...
```

It ships with many different rules.

2. Viewing the logs

```shell
/var/ossec/logs/alerts/alerts.json # not suited to reading directly; meant for analysis and display
/var/ossec/logs/alerts/alerts.log  # suited to reading directly
```

3. Connecting VS Code to Linux

Editing file contents in vi is inconvenient, so connect VS Code to the Linux box and work from Windows, which is much more comfortable.

Install the Remote - SSH extension in VS Code, then click the two opposing arrows in the bottom-left corner to connect to the host.

```
Host <any name you like>
Hostname <VM IP>
#Port 443
User root
```

It's best to set up passwordless login as well, i.e. generate a key pair.

http://t.csdn.cn/ihDDP

4. Examples

SSH login

Look at the contents of sshd_rules.xml:

```xml
<rule id="5716" level="5">
  <if_sid>5700</if_sid>
  <match>^Failed|^error: PAM: Authentication</match>
  <description>sshd: authentication failed.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
```

Start the manager:

```shell
systemctl start wazuh-manager
```

1. SSH login failure

Using an SSH client (I use MobaXterm), connect to the CentOS box running the service, then enter:

```shell
tail -f /var/ossec/logs/alerts/alerts.log

[root@xinguang ~]# tail -f /var/ossec/logs/alerts/alerts.log
User: root
Sep 20 16:49:07 xinguang sshd[55273]: Accepted password for root from xxxxxxx (the IP that initiated the SSH session) port 64868 ssh2

** Alert 1695199758.565483: - pam,syslog,authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Sep 20 16:49:18 xinguang->/var/log/secure
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: root
Sep 20 16:49:18 xinguang sshd[55273]: pam_unix(sshd:session): session opened for user root by (uid=0)
uid: 0
```

Open a new SSH window:

```shell
tail /var/log/secure

Sep 20 16:54:28 xinguang sshd[55388]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 20 16:54:33 xinguang sshd[55400]: Accepted password for root from xxxxx port 65005 ssh2
Sep 20 16:54:44 xinguang sshd[55400]: pam_unix(sshd:session): session opened for user root by (uid=0)
```

From the host's cmd window I tried to SSH into the CentOS box and deliberately typed the wrong password; this appeared in the log:

```
** Alert 1695200473.573148: - syslog,sshd,authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Sep 20 17:01:13 xinguang->/var/log/secure
Rule: 5760 (level 5) -> 'sshd: authentication failed.'
Src IP: <my host IP>
Src Port: 65145
User: root
Sep 20 17:01:13 xinguang sshd[55559]: Failed password for root from <my host IP> port 65145 ssh2
```

Then in the other window run `tail /var/log/secure`:

```
...
Sep 20 19:09:29 xinguang sshd[55784]: Failed password for root from <my host IP> port 60205 ssh2
```

What about an ordinary user deliberately typing the wrong password?

```
** Alert 1695208536.583519: - syslog,sshd,authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Sep 20 19:15:36 xinguang->/var/log/secure
Rule: 5760 (level 5) -> 'sshd: authentication failed.'
Src IP: <my IP>
Src Port: 60313
User: xg
Sep 20 19:15:35 xinguang sshd[55856]: Failed password for xg from <my IP> port 60313 ssh2
```

Rule 5716 was triggered.
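The alert blocks above all share one layout: a `** Alert` header carrying the group tags, a location line, a `Rule:` line, optional `Src IP`/`Src Port`/`User` fields, and the raw syslog line that matched. The parser below is an added example (not code from this post or from Wazuh) that splits an alerts.log excerpt into records and counts authentication failures per source IP, the "hundreds of Failed" signal from section I; the sample log and the 192.0.2.10 address are constructed to mirror the excerpts.

```python
import re
from collections import Counter

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: - (.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")        # Src IP / Src Port / User / uid
LOC_RE = re.compile(r"^\d{4} \w{3} +\d+ [\d:]+ \S+->(\S+)$")   # 2023 Sep 20 ... host->file

def parse_alerts_log(text):
    """Split alerts.log text into one dict per '** Alert' block."""
    alerts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if h := HEADER_RE.match(line):
            cur = {"epoch": int(h.group(1)), "groups": h.group(2).strip(",").split(","),
                   "rule_id": 0, "level": 0, "description": "", "location": "",
                   "fields": {}, "event": ""}
            alerts.append(cur)
        elif cur is None or not line:
            continue                                  # preamble or block separator
        elif r := RULE_RE.match(line):
            cur["rule_id"], cur["level"], cur["description"] = int(r.group(1)), int(r.group(2)), r.group(3)
        elif f := FIELD_RE.match(line):
            cur["fields"][f.group(1)] = f.group(2)
        elif loc := LOC_RE.match(line):
            cur["location"] = loc.group(1)
        else:
            cur["event"] = line                       # the raw syslog line that matched
    return alerts

def failures_by_source(alerts, min_level=5):
    """Count authentication_failed alerts per Src IP: the 'hundreds of Failed' signal."""
    return Counter(a["fields"].get("Src IP", "unknown") for a in alerts
                   if "authentication_failed" in a["groups"] and a["level"] >= min_level)

# Constructed sample in the page's format; 192.0.2.10 stands in for the real source host.
SAMPLE_LOG = """\
** Alert 1695200473.573148: - syslog,sshd,authentication_failed,pci_dss_10.2.4,
2023 Sep 20 17:01:13 xinguang->/var/log/secure
Rule: 5760 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.0.2.10
User: root
Sep 20 17:01:13 xinguang sshd[55559]: Failed password for root from 192.0.2.10 port 65145 ssh2

** Alert 1695199758.565483: - pam,syslog,authentication_success,pci_dss_10.2.5,
2023 Sep 20 16:49:18 xinguang->/var/log/secure
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: root
Sep 20 16:49:18 xinguang sshd[55273]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""
```

Feed it `open("/var/ossec/logs/alerts/alerts.log").read()` instead of `SAMPLE_LOG` to get per-source failure counts from a real manager.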

2. Consecutive SSH login failures

Look at the rule.

In /var/ossec/ruleset/rules, run

```shell
cat 0095*
```

```xml
<rule id="5720" level="10" frequency="8">
  <if_matched_sid>5716</if_matched_sid>
  <same_source_ip />
  <description>sshd: Multiple authentication failures.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
```

frequency 8: the trigger frequency

Triggering IP

Attempts from the same IP that have failed 8 times.

So from the host's cmd I kept deliberately failing the connection.

Hmm, it triggered the brute-force rule instead:

Rule: 5763 (level 10) -> 'sshd: brute force trying to get access to the system. Authentication failed.'

5. Core configuration file

Let's look at part of /var/ossec/etc/ossec.conf.

What it monitors: files, trojans, ports, etc.

Also system checks, vulnerability checks, sensitive-directory checks, active response, enabling commands, etc.

You can also ignore directories, file types, etc.

For the specific settings, consult the user manual: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format

The operating system's own audit log: audit

Running a command

```xml
<localfile>
  <log_format>command</log_format>
  <command>df -P</command>
  <frequency>360</frequency>
</localfile>
```

Monitoring a file

```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>
</localfile>
```

Whitelist

```xml
<global>
  <white_list>127.0.0.1</white_list>
  <white_list>^localhost.localdomain$</white_list>
  <white_list>192.168.1.1</white_list>
</global>
```

Active response

```xml
<command>
  <name>host-deny</name>
  <executable>host-deny</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
```

6. Active response

How it works

Linux

Scripts live in the /var/ossec/active-response/bin directory.

| Name of script | Description |
| --- | --- |
| disable-account | Disables a user account |
| firewall-drop | Adds an IP address to the iptables deny list. |
| firewalld-drop | Adds an IP address to the firewalld drop list. Requires firewalld installed on the endpoint. |
| host-deny | Adds an IP address to the /etc/hosts.deny file. |
| ip-customblock | Custom Wazuh block, easily modifiable for a custom response. |
| ipfw | Firewall-drop response script created for IPFW. Requires IPFW installed on the endpoint. |
| npf | Firewall-drop response script created for NPF. Requires NPF installed on the endpoint. |
| wazuh-slack | Posts notifications on Slack. Requires a slack hook URL passed as an extra_args. |
| pf | Firewall-drop response script created for PF. Requires PF installed on the endpoint. |
| restart.sh | Restarts the Wazuh agent or manager. |
| restart-wazuh | Restarts the Wazuh agent or manager. |
| route-null | Adds an IP address to a null route. |
| kaspersky | Integration of Wazuh agents with Kaspersky endpoint security. This uses Kaspersky Endpoint Security for Linux CLI to execute relevant commands based on a trigger. |

Windows

Scripts live in the C:\Program Files (x86)\ossec-agent\active-response\bin directory.

| Name of script | Description |
| --- | --- |
| netsh.exe | Blocks an IP address using netsh. |
| restart-wazuh.exe | Restarts the Wazuh agent. |
| route-null.exe | Adds an IP address to null route. |

Active response manual: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html

Example

Add the following:

```xml
<!--
<active-response>
active-response options here
</active-response>
-->

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>
```

Look at the built-in rules:

```xml
<rule id="5710" level="5">
  <if_sid>5700</if_sid>
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user</description>
  <mitre>
    <id>T1110.001</id>
    <id>T1021.004</id>
    <id>T1078</id>
  </mitre>
  <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

...

<rule id="5712" level="10" frequency="8" timeframe="120" ignore="60">
  <if_matched_sid>5710</if_matched_sid>
  <same_source_ip />
  <description>sshd: brute force trying to get access to the system. Non existent user.</description>
  <mitre>
    <id>T1110</id>
  </mitre>
  <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
```
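Both composite rules shown on this page (5720 built on 5716 in section 4.2, and 5712 built on 5710 here) use the same mechanism: `<frequency>` matches of the child rule from the same source IP within `<timeframe>`, after which the rule stays quiet for `<ignore>` seconds. The following simulation of that mechanism over constructed /var/log/secure lines is an added example, not Wazuh's own code; it assumes a 120 s timeframe and no ignore period for 5720, which the XML above leaves unspecified, and 192.0.2.x addresses stand in for real hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Child rules in ruleset order: (id, level, regex on the sshd message). Wazuh takes
# the first sibling that matches, so "invalid user" lines fire 5710, not 5716.
CHILD_RULES = [
    ("5710", 5, re.compile(r"illegal user|invalid user")),
    ("5716", 5, re.compile(r"^Failed|^error: PAM: Authentication")),
]
# Composite rules: child id -> (id, level, frequency, timeframe s, ignore s); 5720's timeframe/ignore are assumed.
COMPOSITE = {"5716": ("5720", 10, 8, 120, 0), "5710": ("5712", 10, 8, 120, 60)}
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
SRC_RE = re.compile(r" from (\S+) port ")

def analyze(lines, year=2023):
    """Return (rule_id, level, src_ip) alerts, in firing order, for /var/log/secure lines."""
    alerts, windows, fired_at = [], defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an sshd line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        src = SRC_RE.search(msg)
        src_ip = src.group(1) if src else None
        child = next(((rid, lvl) for rid, lvl, rx in CHILD_RULES if rx.search(msg)), None)
        if child is None:
            continue
        alerts.append((child[0], child[1], src_ip))
        if child[0] not in COMPOSITE or src_ip is None:
            continue
        cid, clvl, freq, timeframe, ignore = COMPOSITE[child[0]]
        key = (cid, src_ip)                            # <same_source_ip />
        if key in fired_at and (ts - fired_at[key]).total_seconds() < ignore:
            continue                                   # still inside <ignore>
        win = windows[key]
        win.append(ts)
        while (ts - win[0]).total_seconds() > timeframe:
            win.popleft()                              # older than <timeframe>
        if len(win) >= freq:                           # <frequency> reached
            alerts.append((cid, clvl, src_ip))
            win.clear()
            fired_at[key] = ts
    return alerts

def sshd_line(hhmmss, msg, host="xinguang", pid=55559):
    """Build a constructed /var/log/secure style line (sample data, not a real capture)."""
    return f"Sep 20 {hhmmss} {host} sshd[{pid}]: {msg}"
```

Eight failures from one address within a few seconds yield eight level-5 alerts followed by one level-10 composite alert; the same eight failures spread 30 s apart never fill the window and stay at level 5.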

From the host's cmd, SSH in with the non-existent user name rtrt and a wrong password.

Result:

Rule 5710 fired:

```
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: xxxxx
Sep 20 22:01:29 xinguang sshd[60200]: Failed password for invalid user rtrt fro
```

Rule 5712 fired:

```
Rule: 5712 (level 10) -> 'sshd: brute force trying to get access to the system. Non existent user.'
...
```

The active response fired:

```
Rule: 651 (level 3) -> 'Host Blocked by firewall-drop Active Response'
```

Rule 2502 fired as well:

```
** Alert 1695218499.673513: - syslog,access_control,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Sep 20 22:01:39 xinguang->/var/log/secure
Rule: 2502 (level 10) -> 'syslog: User missed the password more than one time'
Sep 20 22:01:39 xinguang sshd[60200]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=laptop-0kttc8k5
```

This is what I later found in /var/log/secure:

```
Sep 20 22:01:39 xinguang sshd[60200]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=laptop-0kttc8k5
```

After that the alerts.log tail was even cut off and the SSH connection dropped.

Reconnecting didn't work either.

On the VM:

```shell
[root@xinguang rules]# systemctl status iptables
Unit iptables.service could not be found.
[root@xinguang rules]# iptables -nL
```

I found that my host IP had been DROPped.
`iptables -F` flushes the rules.

To learn about the extra rule, run `ls | xargs grep 2502` while in the rules directory to find where it is defined:

```shell
[root@xinguang ossec]# cd ruleset
[root@xinguang ruleset]# ls
decoders rules sca
[root@xinguang ruleset]# cd rules
[root@xinguang rules]# ls | xargs grep 2502
0020-syslog_rules.xml: <rule id="2502" level="10">
```

  • Copyright notice: unless otherwise stated, all articles on this blog are the author's copyright. Please credit the source when reposting!
  • Copyrights © 2023-2025 是羽泪云诶