OSSEC日志泛化及告警規則配置
OSSEC是一款開源的多平臺的入侵檢測系統,可以運行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系統中。包括了日志分析,全面檢測,root-kit檢測。
1. 測試和驗證OSSEC泛化及告警規則
OSSEC默認具有一個ossec-logtest工具用于測試OSSEC的泛化及告警規則。該工具一般默認安裝于目錄 /var/ossec/bin 中。
使用示例:
- /var/ossec/bin/ossec-logtest
- 2014/06/1113:15:36 ossec-testrule: INFO: Reading local decoder file.
- 2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).
- ossec-testrule: Type one log per line.
- Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2
- **Phase 1: Completed pre-decoding.
- full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
- hostname: '172.16.25.122/172.16.24.32'
- program_name: 'sshd'
- log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
- **Phase 2: Completed decoding.
- decoder: 'sshd'
- dstuser: 'root'
- srcip: '172.16.24.121'
- **Phase 3: Completed filtering (rules).
- Rule id: '10100'
- Level: '4'
- Description: 'First time user logged in.'
- **Alert to be generated.
如上文所示,當輸入日志內容:
Jun 1021:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for rootfrom 172.16.24.121 port 38720 ssh2
該條日志經過三步處理,生成了一條4級告警,規則ID為10100,內容為“First time user logged in.”
使用ossec-logtest–v命令,可獲取更詳細的日志分析邏輯。
- /var/ossec/bin/ossec-logtest -v
- 2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.
- 2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).
- ossec-testrule: Type one log per line.
- Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121
- **Phase 1: Completed pre-decoding.
- full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121'
- hostname: '172.16.25.122/172.16.24.32'
- program_name: 'sshd'
- log: 'Did not receive identification string from 172.16.24.121'
- **Phase 2: Completed decoding.
- decoder: 'sshd'
- srcip: '172.16.24.121'
- **Rule debugging:
- Trying rule: 1 - Generic template for all syslog rules.
- *Rule 1 matched.
- *Trying child rules.
- Trying rule: 5500 - Grouping of the pam_unix rules.
- Trying rule: 5700 - SSHD messages grouped.
- *Rule 5700 matched.
- *Trying child rules.
- Trying rule: 5709 - Useless SSHD message without an user/ip and context.
- Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.
- Trying rule: 5721 - System disconnected from sshd.
- Trying rule: 5722 - ssh connection closed.
- Trying rule: 5723 - SSHD key error.
- Trying rule: 5724 - SSHD key error.
- Trying rule: 5725 - Host ungracefully disconnected.
- Trying rule: 5727 - Attempt to start sshd when something already bound to the port.
- Trying rule: 5729 - Debug message.
- Trying rule: 5732 - Possible port forwarding failure.
- Trying rule: 5733 - User entered incorrect password.
- Trying rule: 5734 - sshd could not load one or more host keys.
- Trying rule: 5735 - Failed write due to one host disappearing.
- Trying rule: 5736 - Connection reset or aborted.
- Trying rule: 5707 - OpenSSH challenge-response exploit.
- Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
- Trying rule: 5706 - SSH insecure connection attempt (scan).
- *Rule 5706 matched.
- **Phase 3: Completed filtering (rules).
- Rule id: '5706'
- Level: '6'
- Description: 'SSH insecure connection attempt (scan).'
- **Alert to be generated.
2. 自定義日志泛化規則
2.1 添加日志源
添加日志源的方式很簡單,通過修改/var/ossec/etc/ossec.conf 即可實現。
如果日志源是本地文件,可通過添加如下配置實現。
- <localfile>
- <log_format>syslog</log_format>
- <location>/path/to/log/file</location>
- </localfile>
如果日志源是遠程syslog,可通過添加如下配置實現。
- <remote>
- <connection>syslog</connection>
- <protocol>udp</protocol>
- <port>2514</port>
- <allowed-ips>172.16.24.0/24</allowed-ips>
- </remote>
2.2 創建自定義的日志泛化規則
假如有兩條日志如下文:
Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]:
User blackrat loginSUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]:
User blackrat login PWD_ERRORfrom 172.17.153.36 to 172.17.153.38 distport 3333 .
該日志使用ossec-logtest分析之后結果如下:
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'**Phase 2: Completed decoding.
No decoder matched
由此可知OSSEC在分析日志的時候,經過了兩個泛化過程:pre-decoding和 decoding。
pre-decoding過程是ossec內置的,只要是標準的syslog日志,都可以解析出如下4個基本信息。
Timestamp:Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Programe_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333.
在decoding過程,用戶可以通過修改/var/ossec/etc/decoder.xml,實現自定義的泛化。例如在該文件中添加如下規則:
- <decoder name="auditServerd">
- <program_name>/usr/bin/auditServerd</program_name>
- </decoder>
再次執行/var/ossec/bin/ossec-logtest
- **Phase 1: Completed pre-decoding.
- full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
- hostname: '172.17.153.38/172.16.24.32'
- program_name: '/usr/bin/auditServerd'
- log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
- **Phase 2: Completed decoding.
- decoder: 'auditServerd'
發現,該條日志成功命中了名為auditServerd的規則,該條規則可以準確的將日志定位為是程序auditServerd所發出的。
除此之外,基于auditServerd這條規則,我們還可以添加更多的子規則,來識別出更多的信息。如:
- <decoder name="auditServerd">
- <program_name>/usr/bin/auditServerd</program_name>
- </decoder>
- <decoder name="auditServerd-login">
- <parent>auditServerd</parent>
- <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>
- <order>user,status,srcip,dstip,dstport</order>
- </decoder>
再次執行/var/ossec/bin/ossec-logtest,可獲取更多的信息,如下:
- **Phase 1: Completed pre-decoding.
- full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to172.17.153.38 distport 3333 .'
- hostname: '172.17.153.38/172.16.24.32'
- program_name: '/usr/bin/auditServerd'
- log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38distport 3333 .'
- **Phase 2: Completed decoding.
- decoder: 'auditServerd'
- dstuser: 'blackrat'
- status:'SUCEESS'
- srcip: '172.17.153.36'
- dstip: '172.17.153.
用戶通過配置上述正則表達式,獲取特定字段,用于后續的關聯分析。OSSEC一共內置了14個用戶可解析的字段:
- location – where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user – an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol – protocol
- id – event id
- url - url of the event
- action – event action (deny, drop, accept, etc)
- status – event status (success, failure, etc)
- extra_data – Any extra data
3. 自定義日志告警規則
3.1 規則文件路徑配置
OSSEC的規則配置文件默認路徑為/var/ossec/rules/,要加載規則文件,需要在/var/ossec/etc/ossec.conf 中配置,默認的配置如下:
- <ossec_config> <!-- rules global entry -->
- <rules>
- <include>rules_config.xml</include>
- <include>pam_rules.xml</include>
- <include>sshd_rules.xml</include>
- <include>telnetd_rules.xml</include>
- <include>syslog_rules.xml</include>
- <include>arpwatch_rules.xml</include>
- ......
- <include>clam_av_rules.xml</include>
- <include>bro-ids_rules.xml</include>
- <include>dropbear_rules.xml</include>
- <include>local_rules.xml</include>
- </rules>
- </ossec_config> <!-- rules global entry -->
其實通過下列配置,可以實現加載/var/ossec/rules 下的所有規則文件:
- <ossec_config>
- <rules>
- <rule_dir pattern=".xml$">rules</rule_dir>
- </rules>
- </ossec_config>
于泛化規則,也可以通過配置decoder_dir域來實現,如:
- <ossec_config>
- <rules>
- <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir>
- </rules>
- </ossec_config>
上述配置可將/var/ossec/rules/plugins/plugins/decoders目錄下所有的xml文件都添加為OSSEC日志泛化規則。
對于更詳細的配置及語法,可參考下列文檔:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir
3.2 OSSEC告警規則配置
例如,我們需要增加對程序auditServerd的告警規則,我們需要針對auditServerd程序新建一個規則文件,對于OSSEC中已經存在的規則文件如sshd, openbsd, vsftpd等,我們只需要在對應的文件中進行新增或修改。
首先我們新建文件
/var/ossec/rules/auditServerd_rules.xml
添加如下內容:
- <group name="auditServer,">
- <rule id="80000" level="0" noalert="1">
- <decoded_as>auditServerd</decoded_as>
- <description>Grouping for the auditServerd rules.</description>
- </rule>
- <rule id="80001" level="10">
- <if_sid>80000</if_sid>
- <user>blackrat</user>
- <srcip>172.17.153.36</srcip>
- <description>User blackrat is not allowed login from 172.17.153.36!</description>
- </rule>
- </group>
上述規則中,規則id 80000 用于對日志進行分組計數,假如日志中出現了泛化為auditServerd的日志,則對該日志分組為auditServer,且狀態機計數加1.
規則80001描述了假如user為blackrat,srcip為172.17.153.36 則命中,并發出“User blackrat is not allowed login from 172.17.153.36!”的告警。
將該文件路徑加入到文件/var/ossec/etc/ossec.conf中
- …
- <include>dropbear_rules.xml</include>
- <include>local_rules.xml</include>
- <include>auditServerd_rules.xml</include>
- </ossec_config>
執行/var/ossec/bin/ossec-logtest,結果如下:
- **Phase 1: Completed pre-decoding.
- full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
- hostname: '172.17.153.38/172.16.24.32'
- program_name: '/usr/bin/auditServerd'
- log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
- **Phase 2: Completed decoding.
- decoder: 'auditServerd'
- dstuser: 'blackrat'
- status: 'SUCEESS'
- srcip: '172.17.153.36'
- dstip: '172.17.153.38'
- dstport: '3333'
- **Phase 3: Completed filtering (rules).
- Rule id: '80001'
- Level: '10'
- Description: 'User blackrat is not allowed login from 172.17.153.36!'
- **Alert to be generated.
3.3 關聯分析告警規則
OSSEC可以實現基于因果關系、事件頻次的關聯分析告警,具體實現方式如下。
假如我們想要實現當來自同一IP的用戶登陸auditServerd,在1分鐘內達到5次登錄失敗時,進行告警,我們可以配置規則如下:
- <group name="auditServer,">
- <rule id="80000" level="0" noalert="1">
- <decoded_as>auditServerd</decoded_as>
- <description>Grouping for the auditServerd rules.</description>
- </rule>
- <rule id="80001" level="10">
- <if_sid>80000</if_sid>
- <match>SUCEESS</match>
- <user>blackrat</user>
- <srcip>172.17.153.36</srcip>
- <description>User blackrat is not allowed login from 172.17.153.36!</description>
- </rule>
- <rule id="80002" level="1">
- <if_sid>80000</if_sid>
- <match>PWD_ERROR</match>
- <group>authServer_login_failures,</group>
- <description>login auditServerd password error.</description>
- </rule>
- <rule id="80003" level="15" frequency="5" timeframe="60" ignore="30">
- <if_matched_group>authServer_login_failures</if_matched_group>
- <description>auditServerd brute force trying to get access to </description>
- <description>the audit system.</description>
- <same_source_ip />
- <group>authentication_failures,</group>
- </rule>
- </group>
執行/var/ossec/bin/ossec-logtest,連續五次輸入日志:
結果如下:
- **Phase 1: Completed pre-decoding.
- full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
- hostname: '172.17.153.38/172.16.24.32'
- program_name: '/usr/bin/auditServerd'
- log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
- **Phase 2: Completed decoding.
- decoder: 'auditServerd'
- dstuser: 'blackrat'
- status: 'PWD_ERROR'
- srcip: '172.17.153.36'
- dstip: '172.17.153.38'
- dstport: '3333'
- **Phase 3: Completed filtering (rules).
- Rule id: '80003'
- Level: '15'
- Description: 'auditServerd brute force trying to get access to the audit system.'
- **Alert to be generated.
對于OSSEC日志告警規則更詳細的語法,參見:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
對于OSSEC中正則表達式的語法,參加:
http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html
