Wazuh alerting on MySQL


Install XAMPP (an integrated PHP environment) on CentOS.

XAMPP download page: https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/5.6.38/ (if wget does not work, download the offline package instead)

Installing XAMPP: https://www.xjx100.cn/news/418926.html?action=onClick

XAMPP not starting after installation: https://www.51c51.com/danpianji/xinxi/84/887073.html

Why is it that every single time wget times out, I download the offline package, the offline package fails to install, and then wget works again on the next try? Are you kidding me?

Refer to the third link above to fix the XAMPP startup and remote access problems.

XAMPP commands:

- Start XAMPP: `/opt/lampp/lampp start`
- Stop XAMPP: `/opt/lampp/lampp stop`
- Restart XAMPP: `/opt/lampp/lampp restart`
- Security settings: `/opt/lampp/lampp security`
- Use PHP 4: `/opt/lampp/lampp php4`
- Use PHP 5: `/opt/lampp/lampp php5`
- Show the PHP version: `/opt/lampp/lampp phpstatus`
- Start only Apache: `/opt/lampp/lampp startapache`
- Stop Apache: `/opt/lampp/lampp stopapache`
- Start Apache SSL support: `/opt/lampp/lampp startssl`
- Stop Apache SSL support: `/opt/lampp/lampp stopssl`
- Start only the MySQL database: `/opt/lampp/lampp startmysql`
- Stop the MySQL database: `/opt/lampp/lampp stopmysql`
- Start the ProFTPD server: `/opt/lampp/lampp startftp`
- Stop the ProFTPD server: `/opt/lampp/lampp stopftp`
- Start automatically with the system:

```shell
ln -s /opt/lampp/lampp /etc/rc.d/rc3.d/S99lampp
ln -s /opt/lampp/lampp /etc/rc.d/rc4.d/S99lampp
ln -s /opt/lampp/lampp /etc/rc.d/rc5.d/S99lampp
```

- Disable automatic start: `ln -s /opt/lampp/lampp K01lampp`
- Uninstall XAMPP: `rm -rf /opt/lampp`

Important XAMPP files and directories

- `/opt/lampp/bin/`: XAMPP command library; for example `/opt/lampp/bin/mysql` runs the MySQL monitor
- `/opt/lampp/htdocs/`: Apache document root
- `/opt/lampp/etc/httpd.conf`: Apache configuration file
- `/opt/lampp/etc/my.cnf`: MySQL configuration file
- `/opt/lampp/etc/php.ini`: PHP configuration file
- `/opt/lampp/etc/proftpd.conf`: ProFTPD configuration file (since version 0.9.5)
- `/opt/lampp/phpmyadmin/config.inc.php`: phpMyAdmin configuration file

Accessing the VM's address from the host

XAMPP welcome page

Configure MySQL; by default root has no password. (The grant below hands a remote account every privilege, with GRANT OPTION, from any host. That is the author's lab setup and far more than log monitoring needs.)

```
/opt/lampp/bin/mysqladmin -u root password "1234"
```

```
/opt/lampp/bin/mysql -u root -p1234   # enter the mysql shell
CREATE USER 'yuleiyun'@'%' IDENTIFIED BY 'password';   # create the user
GRANT ALL PRIVILEGES ON *.* TO 'yuleiyun'@'%' WITH GRANT OPTION;   # grant the new user remote access

FLUSH PRIVILEGES;   # reload the privilege tables, then exit
EXIT;
```

1. MySQL configuration

1. MySQL log configuration

Edit /opt/lampp/etc/my.cnf and add the following three lines under the [mysqld] section:

```ini
# Replication Master Server (default)
# binary logging is required for replication
# log-bin deactivated by default since XAMPP 1.4.11
#log-bin=mysql-bin

# add the following three lines of log-file configuration
general_log=ON
general_log_file=/opt/lampp/logs/mysql.log
log_output=file

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
```

Make sure the logs directory is writable:

```shell
chmod o+w /opt/lampp/logs
```

Restart lampp, then `cd /opt/lampp/logs/`: the mysql.log file now exists.

Note that `o+w` makes the directory world-writable, so any local account can tamper with or flood the very log the SIEM will ingest; giving write access only to the account mysqld runs as is the tighter choice.

Next,

2. Configure remote access permissions for the VM's MySQL

```
MariaDB [(none)]> CREATE USER 'yuleiyun'@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'yuleiyun'@'%' BY 'password' WITH GRANT OPTION;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'BY 'password' WITH GRANT OPTION' at line 1
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'yuleiyun'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> EXIT
Bye
```

Connect to the VM with Xterm and enter:

```shell
cd /opt/lampp/logs
tail -f mysql.log
```

From the host's cmd, change into the mysql folder and connect to MySQL remotely:

```
mysql -uyuleiyun -ppassword -h192.168.1.89
```

On the Xterm side this appears:

```
230921 11:50:05     3 Connect   yuleiyun@LAPTOP-0KTTC8K5 as anonymous on
3 Query select @@version_comment limit 1
```

On the host cmd side, enter:

```sql
select Host,Password,User from mysql.user;
```

The `%` host value is what allows remote access.

The Xterm log captured the query, statement included:

```
21 11:53:50 3 Query select Host,Password,User from mysql.user
```

Now exit cmd and deliberately reconnect with a wrong password.

Xterm catches the access denial (user name, IP, and whether a password was used):

```
… 4 Connect Access denied for user …
```

3. Add mysql.log to OSSEC

The above shows that mysql.log is being written as expected; now configure it in OSSEC so it is monitored.

Append the following to ossec.conf (it must sit inside the `<ossec_config>` element):

```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/opt/lampp/logs/mysql.log</location>
</localfile>
```

Restart.

A decoder file mostly does one thing: it picks out the key fields, using a regex to capture each value:

```xml
<decoder name="mysql_log">
  <prematch>^MySQL log:</prematch>
</decoder>
```

And in 0295-mysql-rules.xml:

```xml
<group name="mysql_log,">
  <rule id="50100" level="0">
    <decoded_as>mysql_log</decoded_as>
    <description>MySQL messages grouped.</description>
  </rule>

  <rule id="50105" level="3">
    <if_sid>50100</if_sid>
    <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
    <description>MySQL: authentication success.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SC.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_PI1.4,tsc_PI1.5,</group>
  </rule>
  ...
```

All of these depend on the group whose decoder is mysql_log: only once that decoder has matched do the subsequent rules, such as id 50105, go on to match further.

Look at a later rule:

```xml
  <rule id="50106" level="9">
    <if_sid>50100</if_sid>
    <match>Access denied for user</match>
    <description>MySQL: authentication failure.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SC.2,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_PI1.4,tsc_PI1.5,</group>
  </rule>
```

The match part corresponds exactly to the text that appears when a remote database connection fails. So if a connection fails, does OSSEC's alerts.log catch it? Actually, no.

Look at the regex part:

```xml
<regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
```

The `^MySQL log:` prefix: in the failed remote access we captured earlier in mysql.log, no "MySQL log" keyword appeared at all; the line began with a long run of spaces instead, so the decoder never matches and nothing is captured.

Example 1

Open a new Xterm window and restart OSSEC:

```shell
systemctl restart wazuh-manager
tail -f /var/ossec/logs/alerts/alerts.log
```

From the host cmd, connect to the VM's MySQL remotely with a deliberately wrong password.

mysql.log does capture the Access denied entry, but alerts.log shows no reaction.

Add a new decoder

Add the MySQL decoder to /etc/decoders/local_decoder.xml (under /var/ossec):

```xml
<decoder name="mysql_log">
  <prematch>\d+ Connect</prematch>
</decoder>
```

This matches one or more digits, a space, and `Connect`,

because the lines in mysql.log look as follows.

Then comment out the MySQL decoder in the shipped decoder file:

```xml
<!-- <decoder name="mysql_log">
<prematch>^MySQL log:</prematch>
</decoder> -->
```

Of course, the added decoder could also go right here. **(Fine, add it here then, otherwise restarting Wazuh reports an error.)**

Change the contents of mysql_rules.xml to the following:

```xml
<group name="mysql_log,">
  <rule id="50100" level="0">
    <decoded_as>mysql_log</decoded_as>
    <description>MySQL messages grouped.</description>
  </rule>

  <rule id="50105" level="3">
    <if_sid>50100</if_sid>
    <!-- <regex>^MySQL log: \d+ \S+ \d+ Connect</regex> -->
    <regex>\d+ Connect</regex>
    <description>MySQL: authentication success.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SC.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_PI1.4,tsc_PI1.5,</group>
  </rule>

  <rule id="50106" level="9">
    <!-- <if_sid>50100</if_sid> -->
    <if_sid>50105</if_sid>
    <match>Access denied for user</match>
    <description>MySQL: authentication failure.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SC.2,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_PI1.4,tsc_PI1.5,</group>
  </rule>
</group>
```

Restart OSSEC.

Example 2

Make one successful MySQL connection.

alerts.log captured it.

Now a wrong one; captured as well.

MySQL login failure alert

Rule 651 also fired, but the IP is not dropped,

because ssh_decoder.xml extracts the srcip field while the MySQL decoder extracts nothing. That also means a frequency rule built on these events cannot be narrowed with same_source_ip; it counts failures from every client together.

Example: adding a brute-force rule

Add to local_rules.xml:

```xml
<group name="mysql,">
  <!-- detect brute-force attempts -->
  <rule id="561001" level="12" frequency="5" timeframe="30">
    <if_matched_sid>50106</if_matched_sid>
    <description>Too many fails,Maybe Force attack</description>
    <group>attack,</group>
  </rule>
</group>
```

OK: restart, tail, then from cmd get the MySQL password wrong repeatedly, five times, to trigger it.

Brute-force alert
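To see why the shipped prematch never fires on a raw general-log line, how the replacement decoder and the 50105/50106 chain classify lines, and how the frequency/timeframe rule 561001 above turns repeated failures into one alert, here is an added Python simulation. It is not code from this post or from Wazuh: the OSSEC patterns are rewritten as equivalent Python regexes, the frequency window is a simplified model of the real engine, and the log lines, host names and addresses are constructed, modelled on the lines quoted earlier.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the MariaDB general-log lines quoted in the post:
# "<yymmdd hh:mm:ss> <thread id> <command> <argument>". Further lines for the same
# thread carry no timestamp, only leading spaces. Hosts and addresses are made up.
SAMPLE_LOG = """\
230921 11:50:05     3 Connect   yuleiyun@LAPTOP-0KTTC8K5 as anonymous on
                    3 Query     select @@version_comment limit 1
230921 11:53:50     3 Query     select Host,Password,User from mysql.user
230921 11:55:01     4 Connect   Access denied for user 'yuleiyun'@'192.168.1.2' (using password: YES)
230921 11:55:04     5 Connect   Access denied for user 'yuleiyun'@'192.168.1.2' (using password: YES)
230921 11:55:09     6 Connect   Access denied for user 'yuleiyun'@'192.168.1.2' (using password: YES)
230921 11:55:12     7 Connect   Access denied for user 'yuleiyun'@'192.168.1.2' (using password: YES)
230921 11:55:20     8 Connect   Access denied for user 'yuleiyun'@'192.168.1.2' (using password: YES)
230921 12:10:00     9 Connect   Access denied for user 'root'@'192.168.1.2' (using password: NO)
"""

# Decoder prematch patterns as Python regexes equivalent to the OSSEC ones on the page.
STOCK_PREMATCH = re.compile(r"^MySQL log:")   # shipped decoder: expects a prefix the raw log never has
LOCAL_PREMATCH = re.compile(r"\d+ Connect")   # local_decoder.xml replacement

# Rule chain from the modified 0295-mysql-rules.xml: 50105 needs the decoder,
# 50106 needs 50105 plus the "Access denied for user" match.
RULE_CONNECT = re.compile(r"\d+ Connect")
RULE_DENIED = "Access denied for user"

LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2})?\s+(?P<thread>\d+) (?P<cmd>\w+)\s*(?P<arg>.*)$"
)


def decoder_matches(line, prematch=LOCAL_PREMATCH):
    """True if the decoder's prematch accepts the line (rule 50100 would fire)."""
    return prematch.search(line) is not None


def classify(line, prematch=LOCAL_PREMATCH):
    """Return the most specific rule id the line triggers, or None if not decoded."""
    if not decoder_matches(line, prematch):
        return None
    if not RULE_CONNECT.search(line):
        return 50100          # decoded, but only the level-0 grouping rule
    if RULE_DENIED in line:
        return 50106          # authentication failure
    return 50105              # authentication success


def parse_events(text):
    """Parse general-log lines into (timestamp, line) pairs.

    Continuation lines (no timestamp, only leading spaces) inherit the timestamp
    of the previous line, which is how the server writes them.
    """
    events, last_ts = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        if m.group("ts"):
            last_ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
        if last_ts is not None:
            events.append((last_ts, raw))
    return events


def rule_counts(text, prematch=LOCAL_PREMATCH):
    """How many lines each rule id would fire on (None = not decoded at all)."""
    counts = {}
    for _, line in parse_events(text):
        rid = classify(line, prematch)
        counts[rid] = counts.get(rid, 0) + 1
    return counts


def brute_force_alerts(events, frequency=5, timeframe=30, prematch=LOCAL_PREMATCH):
    """Simplified model of local rule 561001: fire once `frequency` rule-50106
    events fall within `timeframe` seconds, then start counting afresh.
    Returns the timestamps at which 561001 would fire."""
    window, alerts = [], []
    for ts, line in events:
        if classify(line, prematch) != 50106:
            continue
        window.append(ts)
        window = [t for t in window if ts - t <= timedelta(seconds=timeframe)]
        if len(window) >= frequency:
            alerts.append(ts)
            window = []
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for name, pm in (("stock ^MySQL log:", STOCK_PREMATCH), ("local \\d+ Connect", LOCAL_PREMATCH)):
        print(name, rule_counts(SAMPLE_LOG, pm), "561001 fires at:", brute_force_alerts(events, prematch=pm))
```

With the stock prematch every line stays undecoded, which is exactly the silent alerts.log seen in Example 1; with the local prematch the five failures between 11:55:01 and 11:55:20 land inside one 30-second window and produce a single 561001, while the lone failure at 12:10:00 does not. Because no srcip is extracted, the window counts all clients together, as noted above.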

Supplementary regex notes

Supported expressions

| Expression | Valid characters |
|---|---|
| `\w` | A-Z, a-z, 0-9, '-', '@', '_' characters |
| `\d` | 0-9 character |
| `\s` | Spaces " " |
| `\t` | Tabs |
| `\p` | ()*+,-.:;<=>?[]!"'#$%&\|{} |
| `\W` | Anything not \w |
| `\D` | Anything not \d |
| `\S` | Anything not \s |
| `.` | Anything |

Modifiers

| Expression | Action |
|---|---|
| `+` | To match one or more times |
| `*` | To match zero or more times |

Special characters

| Expression | Action |
|---|---|
| `^` | To specify the beginning of the text |
| `$` | To specify the end of the text |
| `\|` | To create a logical or between multiple patterns |
Copyright notice: unless otherwise stated, all articles on this blog are the author's copyright. Please cite the source when reposting!

Copyright © 2023-2025 是羽泪云诶