Basic concepts

Wazuh is a free, open-source HIDS (host-based intrusion detection system) used for vulnerability scanning, integrity checking, capturing anomalous traffic, and detecting Shellshock, rootkits and more.

Components

Wazuh server: processes the data sent by agents using decoders and rules, and manages agent configuration
Wazuh agent: the agent installed on each node, responsible for detection and data collection
Elastic Stack: indexes the data and presents it

The cluster architecture diagram:

[image: wazuh-overview (cluster architecture)]

The agent architecture diagram: [image: wazuh-overview (agent architecture)]

Notes on the architecture diagram:

1: The Wazuh agent has a modular architecture in which different components handle their own tasks: monitoring the file system, reading log messages, collecting inventory data, scanning the system configuration, looking for malware, and so on. Users can enable or disable agent modules through configuration.

2: The agent and server encrypt and exchange their data using a key

Log collector: collects system and application logs, Windows events and other logs
Command execution: the agent runs commands periodically and sends their output to the server for analysis (for example to monitor disk usage and similar metrics)
File integrity monitoring (FIM): monitors file information and, when a file is modified, sends the relevant details to the server for analysis (who did what and when, including the file's own attributes)
Security configuration assessment (SCA): checks the existing security policy against CIS benchmarks; custom SCA policies are also possible
System inventory: periodically scans system information (OS version, network interfaces, running processes, installed packages, open ports, and so on)
Malware detection: malware scanning based on non-signature detection of anomalous programs or the presence of rootkits; by monitoring system calls it looks for hidden processes, hidden files and hidden ports
Active response: when a threat is detected this module automatically takes action, such as blocking a network connection, stopping a running process or deleting a malicious file; users can also create custom responses when needed
Containers security monitoring: this agent module integrates with the Docker Engine API to monitor changes in containerized environments, for example detecting changes to container images, network configuration or data volumes; it also warns about containers running in privileged mode and about users executing commands inside running containers
Cloud security monitoring: security detection for cloud providers; it detects changes to the cloud infrastructure (for example new users being created, security groups being modified, cloud instances being stopped) and collects cloud service log data (AWS CloudTrail, AWS Macie, AWS GuardDuty, Azure Active Directory, and so on)

The server architecture diagram:

The Wazuh server components analyze the data received from agents and raise alerts when threats or anomalies are detected; the server is also used to manage agent configuration remotely and to monitor agent status

[image: wazuh-overview (server architecture)]

Component notes:

Agents registration service: registers new agents by assigning each one a unique pre-shared authentication key; supports authentication through TLS/SSL certificates or a fixed password
Agents connection service: receives the data sent by agents, uses the pre-shared key to verify agent identity and to encrypt communication between the agent and the Wazuh server, and pushes configuration to remote agents over the same channel
Analysis engine: analyzes the data sent by agents; decoders identify the type of information being processed, and rules identify specific patterns in the decoded events, which can trigger alerts and even automatic countermeasures (for example blocking an IP in the firewall)
Wazuh RESTful API: manages agent and server configuration settings, monitors infrastructure status and overall health, and manages and edits Wazuh decoders and rules
Wazuh cluster daemon: this service scales Wazuh servers horizontally by deploying them as a cluster; combined with a network load balancer this provides high availability and load balancing (it is the mechanism the Wazuh servers use to communicate with each other and stay in sync)
Filebeat: ships events and alerts to Elasticsearch; it reads the output of the Wazuh analysis engine and sends events in real time, and also provides load balancing when connected to a multi-node Elasticsearch cluster

Deployment

Hosts

192.168.19.104  server,es,kibana,filebeat
192.168.19.105  agent

Install the JDK and other tools

export JAVA_HOME=/usr/ && yum install curl unzip wget libcap -y && yum install java-11-openjdk-devel -y

Install Wazuh

Import the GPG key on the server:

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

Add the repository:

cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Install wazuh-manager

yum install wazuh-manager -y
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
systemctl status wazuh-manager

Install and configure Elasticsearch

yum install opendistroforelasticsearch
curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Create certificates

Remove the demo certificates

rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

Generate and deploy the certificates

mkdir /etc/elasticsearch/certs
cd /etc/elasticsearch/certs
curl -so ~/search-guard-tlstool-1.8.zip https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip
unzip ~/search-guard-tlstool-1.8.zip -d ~/searchguard
curl -so ~/searchguard/search-guard.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/searchguard/search-guard-aio.yml
~/searchguard/tools/sgtlstool.sh -c ~/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/
rm /etc/elasticsearch/certs/client-certificates.readme /etc/elasticsearch/certs/elasticsearch_elasticsearch_config_snippet.yml ~/search-guard-tlstool-1.8.zip ~/searchguard -rf

Start Elasticsearch

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key
curl -XGET https://localhost:9200 -u admin:admin -k
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "KQWcwl9SS0m-_h85tM5Liw",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

You should see text such as "Done with success" in the securityadmin.sh output

By default the Open Distro for Elasticsearch performance analyzer plugin is installed; to remove it, run /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro_performance_analyzer

Install Filebeat

Installed on the server; it sends the processed information to Elasticsearch

Install and configure

yum install filebeat -y
curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module
mkdir /etc/filebeat/certs
cp /etc/elasticsearch/certs/root-ca.pem /etc/filebeat/certs/
mv /etc/elasticsearch/certs/filebeat* /etc/filebeat/certs/

Start and test the service

systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
filebeat test output

If the test prints the following output, the setup is working

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.0

Install Kibana

Install and configure

yum install opendistroforelasticsearch-kibana -y
curl -so /etc/kibana/kibana.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/kibana/7.x/kibana_all_in_one.yml
mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data
cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.1.0_7.10.0-1.zip
mkdir /etc/kibana/certs
cp /etc/elasticsearch/certs/root-ca.pem /etc/kibana/certs/
mv /etc/elasticsearch/certs/kibana_http.key /etc/kibana/certs/kibana.key
mv /etc/elasticsearch/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Start the service

systemctl daemon-reload
systemctl enable kibana
systemctl start kibana

Open a browser at 192.168.10.104 to reach Kibana and log in with admin:admin

[image: wazuh-overview (Kibana login)] [image: wazuh-overview (Wazuh app)]

Agents can be added through "Add agents" in the figure; then follow the installation steps it shows

[image: wazuh-overview (add agents)]

Deploy the agent

Add the yum repository and install

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
yum install wazuh-agent -y
WAZUH_MANAGER="192.168.19.104" yum install wazuh-agent

Edit /var/ossec/etc/ossec.conf

      <address>192.168.19.104</address>
      <port>1514</port>
      <protocol>tcp</protocol>

Replace MANAGER_IP with the server's address

Start the service

systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Disable automatic Wazuh updates: sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo

The web interface now shows one agent

[image: wazuh-overview (agent registered)]

Hands-on

Detecting SSH brute force

Watch the alert log on the server

tail -f /var/ossec/logs/alerts/alerts.log

Attempt a login from the agent

ssh 192.168.10.105

The server now prints login-failure alerts:

** Alert 1614579705.3583: - pam,syslog,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 01 14:21:45 (iZwz9d8jytkbtflyjb8ochZ) any->/var/log/secure
Rule: 5503 (level 5) -> 'PAM: User login failed.'
Src IP: 192.168.19.105
User: root
Mar  1 14:21:44 iZwz9d8jytkbtflyjb8ochZ sshd[3140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.19.105  user=root
uid: 0
euid: 0
tty: ssh

** Alert 1614579707.4147: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 01 14:21:47 (iZwz9d8jytkbtflyjb8ochZ) any->/var/log/secure
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.19.105
Src Port: 52300
User: root
Mar  1 14:21:47 iZwz9d8jytkbtflyjb8ochZ sshd[3140]: Failed password for root from 192.168.19.105 port 52300 ssh2

The alert file Wazuh writes is /var/ossec/logs/alerts/alerts.json, which is somewhat more detailed than /var/ossec/logs/alerts/alerts.log; Filebeat ships this JSON to Elasticsearch, where Kibana indexes and displays it

The events just generated can also be viewed in the Kibana interface

[image: wazuh-overview (SSH events in Kibana)]

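The failed-login alerts above are single events; spotting a brute-force attempt means counting them per source address over a time window, which is what Wazuh's frequency-based rules do on the server. The following is an added example (not part of the original post and not Wazuh code) that parses entries in the alerts.log text format shown above and flags any source IP that accumulates several authentication_failed alerts within a window. The sample alerts, the hostname agent1 and the window/threshold values are constructed for the demo.

```python
"""Parse Wazuh alerts.log entries and aggregate sshd authentication failures per source IP.

Added example; not part of the original post and not Wazuh code. The input is a constructed
sample in the alerts.log format shown above (hostnames and the extra entries are made up).
"""
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
** Alert 1614579705.3583: - pam,syslog,authentication_failed,pci_dss_10.2.4,
2021 Mar 01 14:21:45 (agent1) any->/var/log/secure
Rule: 5503 (level 5) -> 'PAM: User login failed.'
Src IP: 192.168.19.105
User: root

** Alert 1614579707.4147: - syslog,sshd,authentication_failed,pci_dss_10.2.4,
2021 Mar 01 14:21:47 (agent1) any->/var/log/secure
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.19.105
Src Port: 52300
User: root

** Alert 1614579709.5001: - syslog,sshd,authentication_failed,
2021 Mar 01 14:21:49 (agent1) any->/var/log/secure
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 192.168.19.105
User: admin

** Alert 1614579900.6001: - syslog,sshd,authentication_failed,
2021 Mar 01 14:25:00 (agent1) any->/var/log/secure
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 10.0.0.7
User: root

** Alert 1614582713.36596: mail  - web,accesslog,attack,pci_dss_11.4,
2021 Mar 01 15:11:53 (agent1) any->/var/log/nginx/access.log
Rule: 31168 (level 15) -> 'Shellshock attack detected'
Src IP: 10.0.0.7
"""

# Header: "** Alert <epoch>.<seq>: [mail] - group1,group2,..."
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+:(?:\s+\S+)?\s+- (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log text into entries and extract timestamp, groups, rule, level, IP, user."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue                      # not an alert header; skip stray text
        alert = {
            "ts": int(head.group("ts")),
            "groups": [g for g in head.group("groups").split(",") if g],
            "rule": None, "level": None, "description": None,
            "src_ip": None, "user": None,
        }
        for line in lines[1:]:
            rule = RULE_RE.match(line)
            if rule:
                alert["rule"] = int(rule.group("id"))
                alert["level"] = int(rule.group("level"))
                alert["description"] = rule.group("desc")
            elif line.startswith("Src IP: "):
                alert["src_ip"] = line[len("Src IP: "):].strip()
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):].strip()
        alerts.append(alert)
    return alerts


def failed_logins_by_source(alerts, window=120, threshold=3):
    """IPs with at least `threshold` authentication_failed alerts inside any `window` seconds.

    Same idea as a frequency/timeframe rule in the Wazuh ruleset; the numbers here are
    assumptions for the demo, not Wazuh's defaults.
    """
    per_ip = defaultdict(list)
    for a in alerts:
        if "authentication_failed" in a["groups"] and a["src_ip"]:
            per_ip[a["src_ip"]].append(a["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for ip, count in failed_logins_by_source(parsed).items():
        print("possible brute force from %s: %d failures" % (ip, count))
```

Running it flags 192.168.19.105 (three failures within a few seconds) and not 10.0.0.7, whose single failure stays below the threshold; the Shellshock entry is parsed but ignored because it is not in the authentication_failed group.
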
Detecting RDP brute force

Edit the server configuration file

vim /var/ossec/etc/ossec.conf

<syscheck>
    <disabled>no</disabled>
    <scan_on_start>yes</scan_on_start>
    <frequency>300</frequency>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/test1</directories>
</syscheck>

Notes

directories: the directory to monitor
frequency: scan interval (every 300 seconds)
realtime: whether to monitor in real time (without this option only the periodic scan runs, reporting files that changed since the previous one)
report_changes: report the detailed change (for example what data was added or modified)

Save and restart the server with systemctl restart wazuh-manager, then write to the monitored file twice (the file must be under the /etc/test1 directory configured above):

echo 88888888 >/etc/test1/test1
echo 999999999 >/etc/test1/test1

The server log shows the following

** Alert 1614581292.18501: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 01 14:48:12 iZwz97ve1io47sjggb3obsZ->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/test1/test1' added
Mode: realtime

Attributes:
 - Size: 11
 - Permissions: rw-r--r--
 - Date: Mon Mar  1 14:48:12 2021
 - Inode: 1320935
 - User: root (0)
 - Group: root (0)
 - MD5: 104aca4ee09e69946ecc0d683bb9c1ba
 - SHA1: 62b76475944800a46a3857011ca53ff510f0a6ff
 - SHA256: 5ca31ce46771f7fd1a3c81632dfc3795bd5992370ce9ef8450aa0cf629fc9188

** Alert 1614581310.19191: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 01 14:48:30 iZwz97ve1io47sjggb3obsZ->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/test1/test1' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256
Size changed from '11' to '8'
Old modification time was: '1614581292', now it is '1614581310'
Old md5sum was: '104aca4ee09e69946ecc0d683bb9c1ba'
New md5sum is : 'ebc0fbec637adff84a560dd005abf2ae'
Old sha1sum was: '62b76475944800a46a3857011ca53ff510f0a6ff'
New sha1sum is : '781571ac5eb6d2def713bf457b73c6fac4470127'
Old sha256sum was: '5ca31ce46771f7fd1a3c81632dfc3795bd5992370ce9ef8450aa0cf629fc9188'
New sha256sum is : 'dd150abe8be382e446fc333e19dcc2e82c05b85a49c9f00d933720c9fe4cfb6e'

Attributes:
 - Size: 8
 - Permissions: rw-r--r--
 - Date: Mon Mar  1 14:48:30 2021
 - Inode: 1320935
 - User: root (0)
 - Group: root (0)
 - MD5: ebc0fbec637adff84a560dd005abf2ae
 - SHA1: 781571ac5eb6d2def713bf457b73c6fac4470127
 - SHA256: dd150abe8be382e446fc333e19dcc2e82c05b85a49c9f00d933720c9fe4cfb6e

What changed:
1c1
< 8888888888
---
> 9999999

The alert above reports the file's MD5 before and after, its size, permissions, the acting user, the changed content and so on; the corresponding Security events can also be queried in Kibana

Detecting and responding to a Shellshock attack

Install nginx and modify the agent configuration

yum install nginx -y
vim /var/ossec/etc/ossec.conf

    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/nginx/access.log</location>
    </localfile>
</ossec_config>

systemctl restart nginx
systemctl restart wazuh-agent

Simulate a Shellshock attack

ShellshockTarget="192.168.19.105"
curl --insecure $ShellshockTarget -H "User-Agent: () { :; }; /bin/cat /etc/passwd"

Check the server log

** Alert 1614582713.36596: mail  - web,accesslog,attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 01 15:11:53 (iZwz9d8jytkbtflyjb8ochZ) any->/var/log/nginx/access.log
Rule: 31168 (level 15) -> 'Shellshock attack detected'
Src IP: 192.168.19.105
192.168.19.105 - - [01/Mar/2021:15:11:53 +0800] "GET / HTTP/1.1" 200 4833 "-" "() { :; }; /bin/cat /etc/passwd" "-"

Use AR (Active Response) to take preventive action: run a script when the specific conditions of a matched Wazuh rule are met

Edit the server configuration: /var/ossec/etc/ossec.conf

<active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>31168</rules_id>
    <timeout>300</timeout>
</active-response>

<active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>31168</rules_id>
    <timeout>300</timeout>
</active-response>

If location is local, blocking happens only on the agent that raised the alert; all sends the block to every agent; to block on the manager as well, use server

Pay attention to one point: the server-side rule is 31168, so the AR block must be configured with that same id

systemctl restart wazuh-manager

Run the attack command again, curl --insecure $ShellshockTarget -H "User-Agent: () { :; }; /bin/cat /etc/passwd", and the server shows the following

** Alert 1614590073.61452: mail  - web,accesslog,attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 01 17:14:33 (iZwz9d8jytkbtflyjb8ochZ) any->/var/log/nginx/access.log
Rule: 31168 (level 15) -> 'Shellshock attack detected'
Src IP: 1.1.1.1
1.1.1.1 - - [01/Mar/2021:17:14:31 +0800] "GET / HTTP/1.1" 200 4833 "-" "() { :; }; /bin/cat /etc/passwd" "-"

** Alert 1614590073.61867: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,
2021 Mar 01 17:14:33 (iZwz9d8jytkbtflyjb8ochZ) any->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 1.1.1.1
Mon Mar  1 17:14:33 CST 2021 /var/ossec/active-response/bin/firewall-drop.sh add - 1.1.1.1 1614590073.61191 31168
script: firewall-drop.sh
type: add

The log shows that 1.1.1.1 performed an attack and was blocked by iptables and added to the blocklist (you can also use other scripts to handle this)

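The active-responses.log line above shows the argument convention an active-response script receives in this setup: action, user, source IP, alert id, rule id. The following is an added example of a custom handler in that convention; it is not Wazuh's firewall-drop script and not part of the original post. Instead of touching iptables it maintains a plain-text blocklist, and it refuses to act on loopback or on a protected set of addresses (the manager's own IP from the hosts table above is the obvious candidate, since a firewall-drop against it would cut the agent off from the server). The blocklist path and the protected addresses are assumptions.

```python
"""Custom active-response handler for the argv convention visible in the
active-responses.log line above: <action> <user> <srcip> <alert_id> <rule_id>.

Added example, not Wazuh's firewall-drop script. It keeps a plain-text blocklist instead
of touching iptables, and refuses to block loopback or a protected set of addresses.
Paths and addresses are assumptions.
"""
import ipaddress
import sys
import time

BLOCKLIST_PATH = "/tmp/wazuh-custom-blocklist.txt"          # assumption
# Assumed protected addresses: the manager from the hosts table above, plus loopback.
NEVER_BLOCK = frozenset({"192.168.19.104", "127.0.0.1", "::1"})


def decide(action, srcip, rule_id, never_block=NEVER_BLOCK):
    """Pure policy decision: ('add' | 'delete' | 'skip', reason)."""
    if action not in ("add", "delete"):
        return "skip", "unknown action %r" % action
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return "skip", "invalid address %r" % srcip
    if ip.is_loopback or str(ip) in never_block:
        return "skip", "address %s is protected" % ip
    return action, "rule %s" % rule_id


def apply_decision(decision, srcip, blocklist):
    """Update the in-memory blocklist (a set of address strings) and return it."""
    if decision == "add":
        blocklist.add(srcip)
    elif decision == "delete":
        blocklist.discard(srcip)
    return blocklist


def load_blocklist(path):
    """One address per line; a missing file is an empty blocklist."""
    try:
        with open(path) as f:
            return {line.strip() for line in f if line.strip()}
    except FileNotFoundError:
        return set()


def save_blocklist(path, blocklist):
    with open(path, "w") as f:
        for addr in sorted(blocklist):
            f.write(addr + "\n")


def handle(argv, path=BLOCKLIST_PATH, never_block=NEVER_BLOCK):
    """argv = [action, user, srcip, alert_id, rule_id], as in the log line above."""
    if len(argv) < 5:
        return "skip", "expected 5 arguments, got %d" % len(argv)
    action, _user, srcip, _alert_id, rule_id = argv[:5]
    decision, reason = decide(action, srcip, rule_id, never_block)
    if decision != "skip":
        save_blocklist(path, apply_decision(decision, srcip, load_blocklist(path)))
    return decision, reason


if __name__ == "__main__":
    decision, reason = handle(sys.argv[1:])
    # Logged in the same shape as the active-responses.log line above.
    print(time.strftime("%c"), sys.argv[0], " ".join(sys.argv[1:]), "->", decision, reason)
```

The policy lives in decide(), which has no side effects, so it can be tested and reviewed separately from the file handling; the timeout in the AR block above is what causes Wazuh to call the script again with the delete action.
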
Vulnerability scanning

The vulnerability-detector module performs the scan by integrating the vulnerability feeds indexed by Canonical, Debian, Red Hat and the National Vulnerability Database

Add the following to the agents' shared configuration file (configuration for every agent can go in this file: /var/ossec/etc/shared/default/agent.conf)

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
</wodle>

Enable the manager module that detects vulnerabilities (on the server; this can also be configured from the web interface: /var/ossec/etc/ossec.conf)

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>30s</interval>
    <ignore_time>120s</ignore_time>
    <run_on_start>yes</run_on_start>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os path="/var/ossec/feeds/redhat/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <update_interval>1h</update_interval>
    </provider>
    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
</vulnerability-detector>

Detection can be offline or online; for offline updates download the file from https://www.redhat.com/security/data/oval/v2/RHEL7/rhel-7-including-unpatched.oval.xml.bz2, while online mode works with the default configuration

Restart the server with systemctl restart wazuh-manager; the server log then shows the following:

2021/03/05 16:56:35 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2021/03/05 16:56:35 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2021/03/05 16:56:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/03/05 16:56:42 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2021/03/05 16:56:42 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2021/03/05 16:56:42 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/03/05 16:56:50 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Red Hat Enterprise Linux 7' feed finished successfully.
2021/03/05 16:56:50 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2021/03/05 16:57:06 rootcheck: INFO: Ending rootcheck scan.
2021/03/05 16:58:43 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully.
2021/03/05 16:58:43 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2021/03/05 17:04:57 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2021/03/05 17:04:57 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2021/03/05 17:05:03 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2021/03/05 17:05:03 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2021/03/05 17:05:03 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2021/03/05 17:08:06 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '000'
2021/03/05 17:08:06 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '001' vulnerabilities.
2021/03/05 17:11:05 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '001'
2021/03/05 17:11:05 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.

The scan starts only after the vulnerability feeds have finished updating; when it completes, the results are visible in the web interface (the whole process takes roughly half an hour)

[image: wazuh-overview (vulnerability scan results)]

Monitoring system calls

Use auditd on Linux for auditing; edit ossec.conf on the agent

<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>

Audit uses a set of rules to define what is captured in the log file; three kinds of audit rules can be specified

Control rules: modify the behaviour of the Audit system and some of its configuration
File system rules: audit access to specific files or directories
System call rules: log the system calls made by specified programs

All Audit commands must be run as root

auditctl -b: set the maximum number of outstanding audit buffers in the kernel
auditctl -e: enable/disable the audit system or lock its configuration
auditctl -s: report the status of the audit system
auditctl -l: list all currently loaded audit rules
auditctl -D: delete all currently loaded audit rules

Defining file system rules

To define a file system rule, use the following syntax:

-w <path> -p <permissions> -k <key_name>

Notes:

-w: the path to audit
-p: the permissions to audit, rwxa (r: read of the file or directory, w: write to the file or directory, x: execute of the file or directory, a: change of the file's or directory's attributes)
-k: optional field that tags the log lines this rule generates; Wazuh requires this option so that the logs can be analyzed more easily

Define a rule that watches the /etc/test directory

auditctl -w /etc/test -p w -k audit-wazuh-w
auditctl -w /etc/test -p a -k audit-wazuh-a
auditctl -w /etc/test -p r -k audit-wazuh-r
auditctl -w /etc/test -p x -k audit-wazuh-x

Create a file under /etc/test (touch 1); the server then prints the following alert:

** Alert 1614846537.1198080: - audit,audit_watch_write,audit_watch_create,gdpr_II_5.1.f,gdpr_IV_30.1.g,
2021 Mar 04 16:28:57 (wauzh-agent1) any->/var/log/audit/audit.log
Rule: 80790 (level 3) -> 'Audit: Created: 1'
type=SYSCALL msg=audit(1614846535.945:222): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc7247386a a1=941 a2=1b6 a3=7ffc72471da0 items=2 ppid=1406 pid=21932 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="touch" exe="/usr/bin/touch" key="audit-wazuh-w" type=CWD msg=audit(1614846535.945:222):  cwd="/etc/test" type=PATH msg=audit(1614846535.945:222): item=0 name="/etc/test" inode=1313507 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1614846535.945:222): item=1 name="1" inode=1313455 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1614846535.945:222): proctitle=746F7563680031
audit.type: SYSCALL
audit.id: 222
audit.arch: c000003e
audit.syscall: 2
audit.success: yes
audit.exit: 3
audit.ppid: 1406
audit.pid: 21932
audit.auid: 0
audit.uid: 0
audit.gid: 0
audit.euid: 0
audit.suid: 0
audit.fsuid: 0
audit.egid: 0
audit.sgid: 0
audit.fsgid: 0
audit.tty: pts0
audit.session: 2
audit.command: touch
audit.exe: /usr/bin/touch
audit.key: audit-wazuh-w
audit.cwd: /etc/test
audit.directory.name: /etc/test
audit.directory.inode: 1313507
audit.directory.mode: 040755
audit.file.name: 1
audit.file.inode: 1313455
audit.file.mode: 0100644

Any change to file attributes under that directory raises an alert (creating a file, changing the owner, writing data, and so on)

auditctl -w /etc/test/audit -p wa -k audit_file_change
echo "audit_test" >/etc/test/audit 

The server now shows the following:

** Alert 1614650733.37739: - audit,audit_configuration,gpg13_10.1,gdpr_IV_30.1.g,
2021 Mar 02 10:05:33 (iZwz9d8jytkbtflyjb8ochZ) any->/var/log/audit/audit.log
Rule: 80705 (level 3) -> 'Auditd: Configuration changed'
type=CONFIG_CHANGE msg=audit(1614650732.419:7437): auid=0 ses=867 op=add_rule key="audit_file_change" list=4 res=1
audit.type: CONFIG_CHANGE
audit.id: 7437
audit.key: audit_file_change
audit.list: 4
audit.res: 1

Defining system call rules

To define a system call rule, use the following syntax:

-a action,filter -S system_call -F field=value -k key_name

Option descriptions:

-a <action> <filter>: tells the kernel's rule-matching engine to append a rule to the end of a rule list; you must specify which rule list to append to and which action to take when the rule is triggered
    <action>: always (read permission on the file or directory), never (write permission on the file or directory)
    <filter>: specifies which kernel rule-matching filter is applied to the event: task (only audits events of the fork or clone system calls), exit (evaluated for all system calls or file system rules),
              user (used to drop some events originating in user space; by default any event originating in user space is allowed), exclude (used to exclude certain events from being recorded;
              msgtype tells the kernel which message to filter out; for finer control over which events are audited, use the user and exit filters)
-S <system_call>: the system_call to audit; several system calls can be given in a single rule; ausyscall --dump lists all system calls
-F <field=value>: field=value adds further conditions that narrow down the events to audit: system architecture, group id, process id, and so on; a single rule may use several -F options
-k <key_name>: optional string that tags the log lines this rule generates; Wazuh requires this parameter so that the logs can be analyzed more precisely

Define a rule that audits the system user with ID 1000 on the 64-bit architecture

auditctl -a exit,always -F euid=1000 -F arch=b64 -S execve -k audit-wazuh-c
su - test&&mkdir 1

The server log now shows the following

** Alert 1614846844.1229705: - audit,audit_command,gdpr_IV_30.1.g,
2021 Mar 04 16:34:04 (wauzh-agent1) any->/var/log/audit/audit.log
Rule: 80792 (level 3) -> 'Audit: Command: /usr/bin/mkdir'
type=SYSCALL msg=audit(1614846843.067:255): arch=c000003e syscall=59 success=yes exit=0 a0=2334b30 a1=233de40 a2=2339b10 a3=7ffea1af48e0 items=2 ppid=22237 pid=22278 auid=0 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="mkdir" exe="/usr/bin/mkdir" key="audit-wazuh-c" type=EXECVE msg=audit(1614846843.067:255): argc=2 a0="mkdir" a1="2" type=CWD msg=audit(1614846843.067:255):  cwd="/home/test" type=PATH msg=audit(1614846843.067:255): item=0 name="/bin/mkdir" inode=658864 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1614846843.067:255): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=657069 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1614846843.067:255): proctitle=6D6B6469720032
audit.type: SYSCALL
audit.id: 255
audit.arch: c000003e
audit.syscall: 59
audit.success: yes
audit.exit: 0
audit.ppid: 22237
audit.pid: 22278
audit.auid: 0
audit.uid: 1000
audit.gid: 1000
audit.euid: 1000
audit.suid: 1000
audit.fsuid: 1000
audit.egid: 1000
audit.sgid: 1000
audit.fsgid: 1000
audit.tty: pts0
audit.session: 2
audit.command: mkdir
audit.exe: /usr/bin/mkdir
audit.key: audit-wazuh-c
audit.execve.a0: mkdir
audit.execve.a1: 2
audit.cwd: /home/test
audit.file.name: /bin/mkdir
audit.file.inode: 658864
audit.file.mode: 0100755

audit-wazuh-c is in the default CDB list; see cat /var/ossec/etc/lists/audit-keys

Monitoring execution of malicious commands

Enable program execution auditing on the Linux agent

echo "-a exit,always -F auid=1000  -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/rules.d/audit.rules

Reload the rules

auditctl -R /etc/audit/rules.d/audit.rules

When a user with uid 1000 logs in, the server's alert log (/var/ossec/logs/alerts/alerts.log) shows the following:

** Alert 1615263057.141233451: - syslog,sshd,authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 09 12:10:57 (wauzh-agent1) any->/var/log/secure
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 192.168.19.85
User: test1
Mar  9 12:10:56 wauzh-agent1 sshd[31457]: Accepted password for test1 from 192.168.19.85 port 58544 ssh2

** Alert 1615263059.141233902: - audit,audit_command,gdpr_IV_30.1.g,
2021 Mar 09 12:10:59 (wauzh-agent1) any->/var/log/audit/audit.log
Rule: 80792 (level 3) -> 'Audit: Command: /usr/bin/ls'
type=SYSCALL msg=audit(1615263059.593:29742): arch=c000003e syscall=59 success=yes exit=0 a0=1ca0640 a1=1c9db60 a2=1ca6fa0 a3=7ffdc82451a0 items=2 ppid=31460 pid=31483 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=656 comm="ls" exe="/usr/bin/ls" key="audit-wazuh-c" type=EXECVE msg=audit(1615263059.593:29742): argc=2 a0="ls" a1="--color=auto" type=CWD msg=audit(1615263059.593:29742):  cwd="/home/test1" type=PATH msg=audit(1615263059.593:29742): item=0 name="/usr/bin/ls" inode=658862 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1615263059.593:29742): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=657069 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1615263059.593:29742): proctitle=6C73002D2D636F6C6F723D6175746F
audit.type: SYSCALL
audit.id: 29742
audit.arch: c000003e
audit.syscall: 59
audit.success: yes
audit.exit: 0
audit.ppid: 31460
audit.pid: 31483
audit.auid: 1000
audit.uid: 1000
audit.gid: 1000
audit.euid: 1000
audit.suid: 1000
audit.fsuid: 1000
audit.egid: 1000
audit.sgid: 1000
audit.fsgid: 1000
audit.tty: pts2
audit.session: 656
audit.command: ls
audit.exe: /usr/bin/ls
audit.key: audit-wazuh-c
audit.execve.a0: ls
audit.execve.a1: --color=auto
audit.cwd: /home/test1
audit.file.name: /usr/bin/ls
audit.file.inode: 658862
audit.file.mode: 0100755

Define a list and rules to monitor specific commands

On the manager, create a file with the following content: /var/ossec/etc/lists/suspicious-programs

rm:red
ping:yellow

On the manager, add the list to ossec.conf:

<ruleset>
  <list>etc/lists/suspicious-programs</list>
  ....

Create a normal rule and a red rule so that executing a command tagged red triggers an alert: /var/ossec/etc/rules/local_rules.xml

<group name="audit">
  <rule id="100200" level="8">
      <if_sid>80792</if_sid>
      <list field="audit.command" lookup="match_key">etc/lists/suspicious-programs</list>
      <description>Audit: Suspicious Command: $(audit.exe)</description>
      <group>audit_command,</group>
  </rule>
  <rule id="100210" level="12">
    <if_sid>80792</if_sid>
    <list field="audit.command" lookup="match_key_value" check_value="red">etc/lists/suspicious-programs</list>
    <description>Audit: Highly Suspicious Command executed: $(audit.exe)</description>
    <group>audit_command,</group>
  </rule>
</group>

Restart the manager, log in on the agent as the user with id 1000 and run mkdir 1 && rm -rf 1 && ls; the related alerts are now visible in Kibana

[image: wazuh-overview (suspicious command alerts)]

To ignore certain operations, create a new rule:

<rule id="100220" level="0">
    <if_sid>80792</if_sid>
    <description>Ignore rm -rf tmp</description>
    <field name="audit.command">^ping$</field>
    <match>="tmp"</match>
    <group>audit_command,</group>
</rule>

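The audit alerts above show two things worth being able to reproduce by hand: how the raw SYSCALL/EXECVE/CWD/PATH/PROCTITLE record is split into the audit.* fields, and how the suspicious-programs list turns audit.command into the two rule levels defined above. The following is an added example (not Wazuh's audit decoder or rule engine, and not part of the original post) that parses such a record, decodes the hex-encoded proctitle into the argv shown as audit.execve.a0/a1, and classifies the command against the list. The sample record is a trimmed copy of the mkdir alert above; the rule ids and levels follow the two rules above; everything else is an assumption.

```python
"""Parse a Linux audit record as it appears in the alerts above, decode the hex proctitle
into argv, and classify the command against a suspicious-programs list the way rules
100200/100210 above do.

Added example; not Wazuh's audit decoder or rule engine. The sample record is a trimmed
copy of the mkdir alert above, the list content is the one from the post, and the mapping
to rule ids and levels follows the two rules above; everything else is an assumption.
"""
import re

# Constructed: trimmed SYSCALL/EXECVE/CWD/PATH/PROCTITLE record from the mkdir alert above.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1614846843.067:255): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=22237 pid=22278 auid=0 uid=1000 euid=1000 tty=pts0 ses=2 comm="mkdir" '
    'exe="/usr/bin/mkdir" key="audit-wazuh-c" '
    'type=EXECVE msg=audit(1614846843.067:255): argc=2 a0="mkdir" a1="2" '
    'type=CWD msg=audit(1614846843.067:255):  cwd="/home/test" '
    'type=PATH msg=audit(1614846843.067:255): item=0 name="/bin/mkdir" inode=658864 '
    'type=PROCTITLE msg=audit(1614846843.067:255): proctitle=6D6B6469720032'
)

SUSPICIOUS_LIST = "rm:red\nping:yellow\n"   # contents of etc/lists/suspicious-programs above

# key=value tokens; values are either double-quoted strings or runs of non-space characters
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a list of {type: ..., field: value} dicts, one per type=."""
    records = []
    for key, value in TOKEN_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        if key == "type":
            records.append({"type": value})
        elif records:
            records[-1][key] = value
    return records


def decode_proctitle(value):
    """proctitle is the NUL-separated argv, hex-encoded when it contains special characters.

    auditd emits a plain printable title unencoded, so anything that is not valid hex is
    returned as a single element (a printable title made only of hex digits is ambiguous).
    """
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [part.decode("utf-8", "replace") for part in raw.split(b"\x00") if part]


def summarize(line):
    """The subset of audit.* fields shown in the alerts above, plus the decoded argv."""
    recs = {}
    for rec in parse_record(line):
        recs.setdefault(rec["type"], rec)      # first record of each type is enough here
    sysc = recs.get("SYSCALL", {})
    return {
        "audit.command": sysc.get("comm"),
        "audit.exe": sysc.get("exe"),
        "audit.auid": sysc.get("auid"),
        "audit.euid": sysc.get("euid"),
        "audit.key": sysc.get("key"),
        "audit.cwd": recs.get("CWD", {}).get("cwd"),
        "audit.file.name": recs.get("PATH", {}).get("name"),
        "argv": decode_proctitle(recs["PROCTITLE"]["proctitle"]) if "PROCTITLE" in recs else [],
    }


def load_list(text):
    """CDB-style key:value list, as in suspicious-programs."""
    entries = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entries[key.strip()] = value.strip()
    return entries


def classify(summary, entries):
    """(rule_id, level): 100210/12 for a 'red' command, 100200/8 for any other listed command."""
    command = summary.get("audit.command")
    if command not in entries:
        return None, 0
    if entries[command] == "red":
        return 100210, 12
    return 100200, 8


if __name__ == "__main__":
    info = summarize(SAMPLE_RECORD)
    print(info)
    print(classify(info, load_list(SUSPICIOUS_LIST)))
```

The proctitle decoding is the part people usually miss: 746F7563680031 in the touch alert above is "touch", a NUL, "1", which is exactly the argv the EXECVE record reports, so it gives you the full command line even when the EXECVE record is absent.
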
Monitoring command output

Configure the agent to accept remote commands from the server

Edit the agent configuration file: /var/ossec/etc/local_internal_options.conf

logcollector.remote_commands=1

On the server, configure the command to monitor: /var/ossec/etc/shared/default/agent.conf

<localfile>
     <log_format>full_command</log_format>
     <command>df -h</command>
</localfile>

Define a rule: /var/ossec/etc/rules/local_rules.xml

<rule id="531" level="7" ignore="7200">
  <if_sid>530</if_sid>
  <match>ossec: output: 'df -h': /data</match>
  <regex>80%</regex>
  <description>Partition usage reached 80% (disk space monitor).</description>
  <group>low_diskspace,pci_dss_10.6.1,</group>
</rule>

Restart the manager and the agent; when the alert condition is met, the alert defined above appears

File integrity monitoring

Monitor specified files and raise an alert when they are modified; the component responsible for this is called syscheck

Configure agent.conf on the server (/var/ossec/etc/shared/default/agent.conf); this can also be configured in the agent's own ossec.conf

<syscheck>
  <frequency>10</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
</syscheck>

Use the realtime attribute of the directories option for real-time monitoring; this attribute applies only to directories, not to individual files

<syscheck>
  <directories check_all="yes" whodata="yes">/etc</directories>
</syscheck>

Excluding certain files from monitoring

<syscheck>
  <ignore>/etc/random-seed</ignore>
  <ignore>/root/dir</ignore>
  <ignore type="sregex">.log$|.tmp</ignore>
</syscheck>

Test on the agent with touch filecheck && echo filecheck-test >filecheck; the server prints the following

** Alert 1614672979.120998: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 02 16:16:19 (iZwz9d8jytkbtflyjb8ochZ) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/test/filecheck' added
Mode: whodata

Attributes:
 - Size: 0
 - Permissions: rw-r--r--
 - Date: Tue Mar  2 16:16:19 2021
 - Inode: 1314490
 - User: root (0)
 - Group: root (0)
 - MD5: d41d8cd98f00b204e9800998ecf8427e
 - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 - (Audit) User name: root
 - (Audit) Audit name: root
 - (Audit) Effective name: root
 - (Audit) Group name: root
 - (Audit) Process id: 21646
 - (Audit) Process name: /usr/bin/touch
 - (Audit) Process cwd: /etc/test
 - (Audit) Parent process name: /usr/bin/bash
 - (Audit) Parent process id: 3117
 - (Audit) Parent process cwd: /etc/test

** Alert 1614672991.122036: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Mar 02 16:16:31 (iZwz9d8jytkbtflyjb8ochZ) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/etc/test/filecheck' modified
Mode: whodata
Changed attributes: size,mtime,inode,md5,sha1,sha256
Size changed from '0' to '15'
Old modification time was: '1614672979', now it is '1614672991'
Old inode was: '1314490', now it is '1314492'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '2a62a755a6eda98c4acc5ff6a02207bf'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '9ec072b864b19f84e1c9ec202606ec58f3e1a4ea'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : '15cd4a9a9ba1e3a0e4ab7144ee4cff2f61178688fb967e3f45796a09df3edb85'

Attributes:
 - Size: 15
 - Permissions: rw-r--r--
 - Date: Tue Mar  2 16:16:31 2021
 - Inode: 1314492
 - User: root (0)
 - Group: root (0)
 - MD5: 2a62a755a6eda98c4acc5ff6a02207bf
 - SHA1: 9ec072b864b19f84e1c9ec202606ec58f3e1a4ea
 - SHA256: 15cd4a9a9ba1e3a0e4ab7144ee4cff2f61178688fb967e3f45796a09df3edb85
 - (Audit) User name: root
 - (Audit) Audit name: root
 - (Audit) Effective name: root
 - (Audit) Group name: root
 - (Audit) Process id: 21649
 - (Audit) Process name: /usr/bin/vim
 - (Audit) Process cwd: /etc/test
 - (Audit) Parent process name: /usr/bin/bash
 - (Audit) Parent process id: 3117
 - (Audit) Parent process cwd: /etc/test

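The two FIM alerts above (the /etc/test1/test1 change earlier and the /etc/test/filecheck change here) list the attributes syscheck tracks and the "Changed attributes" line it derives from them. The following is an added example (not Wazuh's syscheck and not part of the original post) that reproduces the periodic-scan half of that: it baselines a directory, rescans it and reports added, deleted and modified files with the attributes that changed. It does not implement realtime or whodata. The scratch directory, file names and contents in demo() are constructed; the empty file is there because its MD5/SHA1/SHA256 are the well-known empty-input digests that appear in the first filecheck alert above.

```python
"""A syscheck-style integrity check: baseline a directory (size, permissions, mtime, inode,
owner, MD5/SHA1/SHA256), rescan it, and report what changed, mirroring the
'Changed attributes:' lines of the FIM alerts above.

Added example; not Wazuh's syscheck. It only does the periodic-scan part (no realtime or
whodata), and the scratch directory, file names and contents in demo() are constructed.
"""
import hashlib
import os
import stat
import tempfile
import time

ATTRS = ("size", "perm", "mtime", "inode", "uid", "gid", "md5", "sha1", "sha256")


def file_attributes(path):
    """The attributes Wazuh prints in an FIM alert, for one regular file."""
    st = os.lstat(path)
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    attrs = {
        "size": st.st_size,
        "perm": stat.filemode(st.st_mode)[1:],   # "rw-r--r--", as in the alerts
        "mtime": int(st.st_mtime),
        "inode": st.st_ino,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }
    attrs.update({name: h.hexdigest() for name, h in hashes.items()})
    return attrs


def scan(directory, ignore=()):
    """Baseline of every regular file below `directory`, keyed by path.

    `ignore` holds path prefixes, like the plain <ignore> entries above (no sregex here).
    """
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if any(path.startswith(prefix) for prefix in ignore):
                continue
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[path] = file_attributes(path)
    return baseline


def compare(old, new):
    """(path, 'added'|'deleted'|'modified', changed_attrs) for each difference, sorted by path."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append((path, "added", []))
        elif path not in new:
            events.append((path, "deleted", []))
        else:
            changed = [a for a in ATTRS if old[path][a] != new[path][a]]
            if changed:
                events.append((path, "modified", changed))
    return events


def demo():
    """Create a scratch directory, baseline it, change it, and return (before, after, events)."""
    base = tempfile.mkdtemp(prefix="fim-demo-")
    target = os.path.join(base, "test1")
    with open(target, "w") as f:
        f.write("8888888888\n")               # 11 bytes, like the first alert above
    with open(os.path.join(base, "empty"), "w"):
        pass                                   # empty file: well-known empty-input hashes
    before = scan(base)
    time.sleep(1.1)                            # guarantee a different whole-second mtime
    with open(target, "w") as f:
        f.write("9999999\n")                  # 8 bytes, like the second alert above
    os.remove(os.path.join(base, "empty"))
    with open(os.path.join(base, "new.txt"), "w") as f:
        f.write("x")
    after = scan(base)
    return before, after, compare(before, after)


if __name__ == "__main__":
    _, _, events = demo()
    for path, event, changed in events:
        print("%-9s %s %s" % (event, path, ",".join(changed)))
```

Overwriting test1 in place changes size, mtime and the three digests but keeps the inode, whereas the vim write in the second filecheck alert above produced a new inode; comparing the attribute list, not just the checksum, is what lets the alert tell those two kinds of edit apart.
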
Monitoring Docker

Install the docker library with pip

pip install docker

On Python 2.x install it with pip; on Python 3.x it must be installed with pip3

Add the docker listener module (in the shared directory): /var/ossec/etc/shared/default/agent.conf

<wodle name="docker-listener">
    <disabled>no</disabled>
</wodle>

Restart the manager: systemctl restart wazuh-manager

Run a test

docker run -itd --name nginx nginx

The server's alert log (/var/ossec/logs/alerts/alerts.log) now shows:

** Alert 1615275553.25305: - docker,
2021 Mar 09 15:39:13 (wauzh-agent1) any->Wazuh-Docker
Rule: 87928 (level 3) -> 'Docker: Network bridge connected'
{"docker": {"timeNano": 1615275553933927290, "Actor": {"Attributes": {"type": "bridge", "container": "33dcc4b89f7f71f89f43de5eb799df26ec342454e18e83c1d43d9fc235f389e4", "name": "bridge"}, "ID": "6eef637bcdda1fda751ad21ce615d0e7e416273e7549bab63b8b3c833156773c"}, "time": 1615275553, "Action": "connect", "scope": "local", "Type": "network"}, "integration": "docker"}
docker.timeNano: 1615275553933927168.000000
docker.Actor.Attributes.type: bridge
docker.Actor.Attributes.container: 33dcc4b89f7f71f89f43de5eb799df26ec342454e18e83c1d43d9fc235f389e4
docker.Actor.Attributes.name: bridge
docker.Actor.ID: 6eef637bcdda1fda751ad21ce615d0e7e416273e7549bab63b8b3c833156773c
docker.time: 1615275553
docker.Action: connect
docker.scope: local
docker.Type: network
integration: docker

** Alert 1615275554.26232: - docker,
2021 Mar 09 15:39:14 (wauzh-agent1) any->Wazuh-Docker
Rule: 87903 (level 3) -> 'Docker: Container brave_bhabha started'
{"docker": {"status": "start", "timeNano": 1615275554282022982, "from": "nginx", "Actor": {"Attributes": {"image": "nginx", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "name": "brave_bhabha"}, "ID": "33dcc4b89f7f71f89f43de5eb799df26ec342454e18e83c1d43d9fc235f389e4"}, "time": 1615275554, "Action": "start", "scope": "local", "Type": "container", "id": "33dcc4b89f7f71f89f43de5eb799df26ec342454e18e83c1d43d9fc235f389e4"}, "integration": "docker"}
docker.status: start
docker.timeNano: 1615275554282022912.000000
docker.from: nginx
docker.Actor.Attributes.image: nginx
docker.Actor.Attributes.maintainer: NGINX Docker Maintainers <docker-maint@nginx.com>
docker.Actor.Attributes.name: brave_bhabha
docker.Actor.ID: 33dcc4b89f7f71f89f43de5eb799df26ec342454e18e83c1d43d9fc235f389e4
docker.time: 1615275554
docker.Action: start
docker.scope: local
docker.Type: container
docker.id: 33dcc4b89f7f71f89f43de5eb799df26ec342454e18e83c1d43d9fc235f389e4
integration: docker

Remove the container: docker stop nginx && docker rm nginx. The corresponding events can now be seen in Kibana.
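As an added example (not part of the original post and not Wazuh's own code), the following Python parses records in the alerts.log format shown above and pulls out the container-start events that rule 87903 reports on; the sample text is constructed from the output above with shortened container IDs.

```python
import json, re

# Constructed sample in the alerts.log format shown above (IDs shortened).
SAMPLE_ALERTS_LOG = """\
** Alert 1615275553.25305: - docker,
2021 Mar 09 15:39:13 (wauzh-agent1) any->Wazuh-Docker
Rule: 87928 (level 3) -> 'Docker: Network bridge connected'
{"docker": {"Actor": {"Attributes": {"type": "bridge", "name": "bridge"}, "ID": "6eef637b"}, "time": 1615275553, "Action": "connect", "Type": "network"}, "integration": "docker"}

** Alert 1615275554.26232: - docker,
2021 Mar 09 15:39:14 (wauzh-agent1) any->Wazuh-Docker
Rule: 87903 (level 3) -> 'Docker: Container brave_bhabha started'
{"docker": {"status": "start", "from": "nginx", "Actor": {"Attributes": {"image": "nginx", "name": "brave_bhabha"}, "ID": "33dcc4b8"}, "time": 1615275554, "Action": "start", "Type": "container"}, "integration": "docker"}
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): - (?P<groups>.*?),?$")
ORIGIN_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) (?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts_log(text):
    """Split alerts.log into records separated by blank lines. Each record keeps
    the header fields plus the decoded event (the first line starting with '{')."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        rec = {"id": head["id"], "groups": [g for g in head["groups"].split(",") if g]}
        for line in lines[1:]:
            om, rm = ORIGIN_RE.match(line), RULE_RE.match(line)
            if om:
                rec.update(date=om["date"], agent=om["agent"], location=om["location"])
            elif rm:
                rec.update(rule_id=int(rm["rule"]), level=int(rm["level"]), description=rm["desc"])
            elif line.startswith("{") and "event" not in rec:
                rec["event"] = json.loads(line)  # raw Docker event forwarded by docker-listener
        records.append(rec)
    return records

def container_starts(records):
    """(container name, image) for each container-start event, i.e. what rule 87903 fires on."""
    out = []
    for r in records:
        d = r.get("event", {}).get("docker", {})
        if d.get("Type") == "container" and d.get("Action") == "start":
            attrs = d.get("Actor", {}).get("Attributes", {})
            out.append((attrs.get("name"), attrs.get("image")))
    return out
```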

auzuh-overview

auzuh-overview

Using Wazuh together with a NIDS (network intrusion detection system)

Suricata is a free, open-source NIDS (network intrusion detection system) capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects network traffic with a powerful and extensive rule and signature language and has strong Lua scripting support for detecting complex threats. With standard input and output formats such as YAML and JSON, it integrates with existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases and tools.

Install and configure Suricata on the agent

cd /root
yum -y install epel-release wget jq
curl -so /etc/yum.repos.d/jasonish-suricata-6.0-epel-7.repo https://copr.fedorainfracloud.org/coprs/jasonish/suricata-6.0/repo/epel-7/jasonish-suricata-6.0-epel-7.repo
yum -y install suricata
wget https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
rm /etc/suricata/rules/* -f
mv rules/*.rules /etc/suricata/rules/
rm -f /etc/suricata/suricata.yaml
wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
systemctl daemon-reload
systemctl enable suricata
systemctl start suricata

Suricata 6.0 also uses the 5.0 ruleset. Run the following command to test:

ShellshockTarget="192.168.19.105"
curl --insecure $ShellshockTarget -H "User-Agent: () { :; }; /bin/cat /etc/passwd"

Now view the Suricata alert log and the JSON alert log on the agent:

tail -n1 /var/log/suricata/fast.log
tail -n1 /var/log/suricata/eve.json | jq .

The fast.log entry is very terse:

03/09/2021-16:27:30.449786  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.19.105:46848 -> 192.168.19.105:80

The JSON log is much more detailed:

{
  "timestamp": "2021-03-09T16:27:30.449786+0800",
  "flow_id": 198804128319180,
  "in_iface": "eth0",
  "event_type": "alert",
  "src_ip": "192.168.19.105",
  "src_port": 46848,
  "dest_ip": "192.168.19.105",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2022028,
    "rev": 2,
    "signature": "ET WEB_SERVER Possible CVE-2014-6271 Attempt",
    "category": "Attempted Administrator Privilege Gain",
    "severity": 1,
    "metadata": {
      "created_at": [
        "2015_11_03"
      ],
      "updated_at": [
        "2019_10_07"
      ]
    }
  },
  "http": {
    "hostname": "192.168.19.105",
    "url": "/",
    "http_user_agent": "() { :; }; /bin/cat /etc/passwd",
    "http_content_type": "text/html",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 1208
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 6,
    "bytes_toserver": 370,
    "bytes_toclient": 5477,
    "start": "2021-03-09T16:27:30.444108+0800"
  }
}

The actual NIDS rules live in /etc/suricata/rules/emerging-attack_response.rules.

Feeding the JSON log into Wazuh

There are two ways: add it to agent.conf, or use the manager's centralized agent configuration tool.

1: Configuration file method: add the following to the shared directory on the server (/var/ossec/etc/shared/default/agent.conf)
<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

Restart the manager and the agent: systemctl restart wazuh-manager; systemctl restart wazuh-agent

2: Using the centralized agent configuration tool

Add an agent group on the manager and list the agents:

/var/ossec/bin/agent_groups -a -g nids -q
/var/ossec/bin/manage_agents -l

Add the agent to the group by its agent ID:

/var/ossec/bin/agent_groups -a -i 001 -g nids -q

Place the agent configuration in the group's shared configuration directory: /var/ossec/etc/shared/nids/agent.conf

<agent_config>
    <localfile>
        <log_format>json</log_format>
        <location>/var/log/suricata/eve.json</location>
    </localfile>
</agent_config>

Verify that the configuration files are valid; if they are, the following output is printed:

/var/ossec/bin/verify-agent-conf
verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK

verify-agent-conf: Verifying [/var/ossec/etc/shared/nids/agent.conf]
verify-agent-conf: OK

Run the command above again (curl --insecure $ShellshockTarget -H "User-Agent: () { :; }; /bin/cat /etc/passwd"), then search for rule.id:86601 in Kibana:

auzuh-overview

The figure above shows the attacker address, agent address, server address, attack type and so on, but the Suricata event has no Geolocation field: by default geolocation is only derived from the data.srcip field.

In /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json, add a geoip processor for the new IP field (with the other Geolocation fields) to processors:
  {
    "geoip": {
      "field": "data.src_ip",
      "target_field": "GeoLocation",
      "properties": ["city_name", "country_name", "region_name", "location"],
      "ignore_missing": true,
      "ignore_failure": true
    }
  },
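As an added example (not the post's or Wazuh's own code), the following Python mimics what happens to one Suricata eve.json line once the json localfile above hands it to Wazuh: the JSON decoder flattens it into data.* fields, an event_type of alert maps to rule 86601 (the id searched for in Kibana above), and a geoip lookup only finds an address once data.src_ip is added beside the default data.srcip. The rule description format is an assumption, and the sample line is constructed from the eve.json output above.

```python
import json

# Constructed eve.json alert line, trimmed from the Suricata output above.
EVE_LINE = json.dumps({
    "timestamp": "2021-03-09T16:27:30.449786+0800", "event_type": "alert",
    "src_ip": "192.168.19.105", "src_port": 46848,
    "dest_ip": "192.168.19.105", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 2022028, "severity": 1,
              "signature": "ET WEB_SERVER Possible CVE-2014-6271 Attempt",
              "category": "Attempted Administrator Privilege Gain"},
    "http": {"url": "/", "http_user_agent": "() { :; }; /bin/cat /etc/passwd"},
})

def flatten(obj, prefix="data"):
    """Flatten nested JSON into dotted keys under 'data.', the form in which the
    Wazuh JSON decoder exposes the event to rules and to the Filebeat pipeline."""
    out = {}
    for k, v in obj.items():
        key = f"{prefix}.{k}"
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out

def decode_eve(line):
    """One eve.json line -> flat data.* fields."""
    return flatten(json.loads(line))

def match_rule(fields):
    """Minimal stand-in for the Suricata ruleset: event_type 'alert' fires
    rule 86601. The description format here is an assumption for this example."""
    if fields.get("data.event_type") != "alert":
        return None
    return {"rule.id": 86601,
            "rule.description": "Suricata: Alert - " + str(fields.get("data.alert.signature"))}

# The default pipeline only looks at data.srcip; Suricata events carry data.src_ip,
# which is why the extra geoip processor above names that field.
DEFAULT_GEOIP_SOURCES = ["data.srcip"]
EXTENDED_GEOIP_SOURCES = ["data.srcip", "data.src_ip"]

def geoip_source(fields, sources):
    """First configured field present in the event, i.e. the address a geoip
    processor with ignore_missing=true would actually look up (None = no GeoLocation)."""
    for name in sources:
        if name in fields:
            return fields[name]
    return None
```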

Delete the ingest pipeline from Kibana: DELETE _ingest/pipeline/filebeat-7.10.0-wazuh-alerts-pipeline (if there is no such pipeline, simply restart filebeat: systemctl restart filebeat). Run the test command again and the following appears:

auzuh-overview

This concludes host intrusion detection for now. Wazuh can also do log collection, security configuration assessment, system inventory collection, rootkit detection, flood protection configuration and more; detailed use of the NIDS will be covered in a later update when time permits. (If the images are hard to read, open them in a new tab.)