当前位置: 首页 > 工具软件 > OSSEC > 使用案例 >

开源入侵检测系统OSSEC的搭建及使用

淳于健
2023-12-01

环境centos7

官网

http://www.ossec.net/

Linux下载地址

https://github.com/ossec/ossechids/archive/2.9.4.tar.gz

wget https://github.com/ossec/ossec-hids/archive/2.9.4.tar.gz

tar -xzvf 2.9.4.tar.gz

cd ossec-hids-2.9.4

./install.sh

选择语言 cn

确认安装好了gcc编译器按enter
选择单机模式,local

root@vultr:~/ossec-hids-2.9.4# ./install.sh

** Para instalação em português, escolha [br].

** 要使用中文进行安装, 请选择 [cn].

** Fur eine deutsche Installation wohlen Sie [de].

** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].

** For installation in English, choose [en].

** Para instalar en Español , eliga [es].

** Pour une installation en français, choisissez [fr]

** A Magyar nyelvű telepítéshez válassza [hu].

** Per l’installazione in Italiano, scegli [it].

** 日本語でインストールします.選択して下さい.[jp].

** Voor installatie in het Nederlands, kies [nl].

** Aby instalować w języku Polskim, wybierz [pl].

** Для инструкций по установке на русском ,введите [ru].

** Za instalaciju na srpskom, izaberi [sr].

** Türkçe kurulum için seçin [tr].

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn

OSSEC HIDS v2.9.4 安装脚本 - http://www.ossec.net

您将开始 OSSEC HIDS 的安装.

请确认在您的机器上已经正确安装了 C 编译器.

  • 系统类型: Linux vultr.guest 3.13.0-149-generic

  • 用户: root

  • 主机: vultr.guest

    – 按 ENTER 继续或 Ctrl-C 退出. –

1- 您希望哪一种安装 (server, agent, local or help)? local

  • 选择了 Local 类型的安装.

2- 正在初始化安装环境.

  • 请选择 OSSEC HIDS 的安装路径 [/var/ossec]:

    • OSSEC HIDS 将安装在 /var/ossec .

3- 正在配置 OSSEC HIDS.

3.1- 您希望收到e-mail告警吗? (y/n) [y]: n

— Email告警没有启用 .

3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]: y

  • 系统完整性检测模块将被部署.

    3.3- 您希望运行 rootkit检测吗? (y/n) [y]: y

  • rootkit检测将被部署.

strings: ‘/usr/bin/mail’: No such file

3.4- 关联响应允许您在分析已接收事件的基础上执行一个

   已定义的命令. 

   例如,你可以阻止某个IP地址的访问或禁止某个用户的访问权限. 

   更多的信息,您可以访问: 

   http://www.ossec.net/en/manual.html#active-response 
  • 您希望开启联动(active response)功能吗? (y/n) [y]:

接下来,全部选择默认

系统完整性检测模块将被部署.

3.3- 您希望运行 rootkit检测吗? (y/n) [y]: y

  • rootkit检测将被部署.

strings: ‘/usr/bin/mail’: No such file

3.4- 关联响应允许您在分析已接收事件的基础上执行一个

   已定义的命令. 

   例如,你可以阻止某个IP地址的访问或禁止某个用户的访问权限. 

   更多的信息,您可以访问: 

   http://www.ossec.net/en/manual.html#active-response 
  • 您希望开启联动(active response)功能吗? (y/n) [y]: y

    • 关联响应已开启
  • 默认情况下, 我们开启了主机拒绝和防火墙拒绝两种响应.

    第一种情况将添加一个主机到 /etc/hosts.deny.

    第二种情况将在iptables(linux)或ipfilter(Solaris,

    FreeBSD 或 NetBSD)中拒绝该主机的访问.

  • 该功能可以用以阻止 SSHD 暴力攻击, 端口扫描和其他

    一些形式的攻击. 同样你也可以将他们添加到其他地方,

    例如将他们添加为 snort 的事件.

  • 您希望开启防火墙联动(firewall-drop)功能吗? (y/n) [y]: y

    • 防火墙联动(firewall-drop)当事件级别 >= 6 时被启动
  • 联动功能默认的白名单是:

    • 108.61.10.10
  • 您希望添加更多的IP到白名单吗? (y/n)? [n]: n

    3.6- 设置配置文件以分析一下日志:

    – /var/log/auth.log

    – /var/log/syslog

    – /var/log/dpkg.log

    – /var/log/snort/alert (snort-full file)

    – /var/log/nginx/access.log (apache log)

    – /var/log/nginx/error.log (apache log)

-如果你希望监控其他文件, 只需要在配置文件ossec.conf中

添加新的一项.

任何关于配置的疑问您都可以在 http://www.ossec.net 找到答案.

— 按 ENTER 以继续 —

然后安装成功

Ossec常用文件

报警日志

/var/ossec/logs/alerts

里面的alerts.log

就是检测到的入侵行为的告警日志

动态响应报警日志

/var/ossec/logs/active-responses.log

核心配置文件为:

/root/ossec-hids-2.9.4/etc/ossec.conf

文件结构为:

[root@vultr logs]# cat /root/ossec-hids-2.9.4/etc/ossec.conf

<email_notification>yes</email_notification> 

<email_to>daniel.cid@example.com</email_to> 

<smtp_server>smtp.example.com.</smtp_server> 

<email_from>ossecm@ossec.example.com.</email_from> 

<!-- <email_reply_to>replyto@ossec.example.com.</email_reply_to> --> 

<picviz_output>no</picviz_output> 

#这些就是各类规则

<include>rules_config.xml</include> 

<include>sshd_rules.xml</include> 

<include>syslog_rules.xml</include> 

<include>pix_rules.xml</include> 

<include>named_rules.xml</include> 

<include>pure-ftpd_rules.xml</include> 

<include>proftpd_rules.xml</include> 

<include>web_rules.xml</include> 

<include>web_appsec_rules.xml</include> 

<include>apache_rules.xml</include> 

<include>ids_rules.xml</include> 

<include>squid_rules.xml</include> 

<include>firewall_rules.xml</include> 

<include>postfix_rules.xml</include> 

<include>sendmail_rules.xml</include> 

<include>spamd_rules.xml</include> 
<include>msauth_rules.xml</include> 

<include>attack_rules.xml</include> 

<include>dropbear_rules.xml</include> 

<include>sysmon_rules.xml</include> 

<include>opensmtpd_rules.xml</include> 

<!-- Frequency that syscheck is executed -- default every 2 hours --> 

<frequency>7200</frequency> 



<!-- Directories to check  (perform all possible verifications) --> 

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 

<directories check_all="yes">/bin,/sbin,/boot</directories> 



<!-- Files/directories to ignore --> 

<ignore>/etc/mtab</ignore> 

<ignore>/etc/hosts.deny</ignore> 

<ignore>/etc/mail/statistics</ignore> 

<ignore>/etc/random-seed</ignore> 

<ignore>/etc/adjtime</ignore> 

<ignore>/etc/httpd/logs</ignore> 
<nodiff>/etc/ssl/private.key</nodiff> 

#Rookit检测

<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> 

<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> 

<white_list>127.0.0.1</white_list> 

<white_list>::1</white_list> 

<white_list>192.168.2.1</white_list>  #这些是白名单 

<white_list>192.168.2.190</white_list> 

<white_list>192.168.2.32</white_list> 

<white_list>192.168.2.10</white_list> 

<connection>secure</connection> 
 <!-- Active Response Config -->#动态响应配置 

<!-- This response is going to execute the host-deny 

   - command for every event that fires a rule with 

   - level (severity) >= 6. 

   - The IP is going to be blocked for  600 seconds. 

  --> 

<command>host-deny</command> 

<location>local</location> 

<level>6</level> 

<timeout>600</timeout> 


规则文件夹在

/var/ossec/rules

一共有这么多的规则,我们随便看几个

apache_rules.xml ms_ftpd_rules.xml sendmail_rules.xml

apparmor_rules.xml ms-se_rules.xml smbd_rules.xml

arpwatch_rules.xml mysql_rules.xml solaris_bsm_rules.xml

asterisk_rules.xml named_rules.xml sonicwall_rules.xml

attack_rules.xml netscreenfw_rules.xml spamd_rules.xml

cimserver_rules.xml nginx_rules.xml squid_rules.xml

cisco-ios_rules.xml nsd_rules.xml sshd_rules.xml

clam_av_rules.xml openbsd_rules.xml symantec-av_rules.xml

courier_rules.xml opensmtpd_rules.xml symantec-ws_rules.xml

dovecot_rules.xml ossec_rules.xml syslog_rules.xml

dropbear_rules.xml owncloud_rules.xml sysmon_rules.xml

exim_rules.xml pam_rules.xml systemd_rules.xml

firewalld_rules.xml php_rules.xml telnetd_rules.xml

firewall_rules.xml pix_rules.xml trend-osce_rules.xml

ftpd_rules.xml policy_rules.xml unbound_rules.xml

hordeimp_rules.xml postfix_rules.xml vmpop3d_rules.xml

ids_rules.xml postgresql_rules.xml vmware_rules.xml

imapd_rules.xml proftpd_rules.xml vpn_concentrator_rules.xml

local_rules.xml proxmox-ve_rules.xml vpopmail_rules.xml

mailscanner_rules.xml psad_rules.xml vsftpd_rules.xml

mcafee_av_rules.xml pure-ftpd_rules.xml web_appsec_rules.xml

msauth_rules.xml racoon_rules.xml web_rules.xml

ms_dhcp_rules.xml roundcube_rules.xml wordpress_rules.xml

ms-exchange_rules.xml rules_config.xml zeus_rules.xml

[root@vultr rules]# cat apache_rules.xml

<decoded_as>apache-errorlog</decoded_as> 

<description>Apache messages grouped.</description> 

<if_sid>30100</if_sid> 

<match>^[error] </match> 

<description>Apache error messages grouped.</description> 

<if_sid>30100</if_sid> 

<match>^[warn] </match> 

<description>Apache warn messages grouped.</description> 

<if_sid>30100</if_sid> 

<match>^[notice] </match> 

<description>Apache notice messages grouped.</description> 

<if_sid>30103</if_sid> 

<match>exit signal Segmentation Fault</match> 

<description>Apache segmentation fault.</description> 

<info type="link">http://www.securityfocus.com/infocus/1633</info> 

<group>service_availability,</group> 

<if_sid>30101</if_sid> 

<match>denied by server configuration</match> 

<description>Attempt to access forbidden file or directory.</description> 

<group>access_denied,</group> 

<if_sid>30101</if_sid> 

<match>Directory index forbidden by rule</match> 

<description>Attempt to access forbidden directory index.</description> 

<group>access_denied,</group> 

<if_sid>30101</if_sid> 

<match>Client sent malformed Host header</match> 

<description>Code Red attack.</description> 

<info type="link">http://www.cert.org/advisories/CA-2001-19.html</info> 

<info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info> 

<group>automatic_attack,</group> 

<if_sid>30102</if_sid> 

<match>authentication failed</match> 

<description>User authentication failed.</description> 

<group>authentication_failed,</group> 

<if_sid>30101</if_sid> 

<regex>user \S+ not found|user \S+ in realm \.* not found</regex> 

<description>Attempt to login using a non-existent user.</description> 

<group>invalid_login,</group> 

<if_sid>30101</if_sid> 

<match>authentication failure</match> 

<description>User authentication failed.</description> 

<group>authentication_failed,</group> 

<if_sid>30101</if_sid> 

<match>File does not exist: |</match> 

<match>failed to open stream: No such file or directory|</match> 

<match>Failed opening </match> 

<description>Attempt to access an non-existent file (those are reported on the access.log).</description> 

<group>unknown_resource,</group> 

<if_sid>30101</if_sid> 

<match>Invalid URI in request</match> 

<description>Invalid URI (bad client request).</description> 

<group>invalid_request,</group> 

<if_matched_sid>30115</if_matched_sid> 

<same_source_ip /> 

<description>Multiple Invalid URI requests from </description> 

<description>same source.</description> 

<group>invalid_request,</group> 

<if_sid>30101</if_sid> 

<match>File name too long|request failed: URI too long</match> 

<description>Invalid URI, file name too long.</description> 

<group>invalid_request,</group> 

<if_sid>30101</if_sid> 

<match>mod_security: Access denied|ModSecurity: Access denied</match> 

<description>Access attempt blocked by Mod Security.</description> 

<group>access_denied,</group> 

<if_matched_sid>30118</if_matched_sid> 

<same_source_ip /> 

<description>Multiple attempts blocked by Mod Security.</description> 

<group>access_denied,</group> 

<if_sid>30101</if_sid> 

<match>Resource temporarily unavailable:</match> 

<description>Apache without resources to run.</description> 

<group>service_availability,</group> 

<match>^mod_security-message: </match> 

<description>Modsecurity alert.</description> 

<if_sid>30200</if_sid> 

<match>^mod_security-message: Access denied </match> 

<description>Modsecurity access denied.</description> 

<group>access_denied,</group> 

<if_matched_sid>30201</if_matched_sid> 

<description>Multiple attempts blocked by Mod Security.</description> 

<group>access_denied,</group> 

<if_sid>30100</if_sid> 

<regex> [\S*:error] </regex> 

<description>Apache error messages grouped.</description> 

<if_sid>30100</if_sid> 

<regex> [\S+:warn] </regex> 

<description>Apache warn messages grouped.</description> 

<if_sid>30100</if_sid> 

<regex> [\S+:notice] </regex> 

<description>Apache notice messages grouped.</description> 

<if_sid>30303</if_sid> 

<match>exit signal Segmentation Fault</match> 

<description>Apache segmentation fault.</description> 

<info type="link">http://www.securityfocus.com/infocus/1633</info> 

<group>service_availability,</group> 

<if_sid>30301</if_sid> 

<id>AH01630</id> 

<description>Attempt to access forbidden file or directory.</description> 

<group>access_denied,</group> 

<if_sid>30301</if_sid> 

<id>AH01276</id> 

<description>Attempt to access forbidden directory index.</description> 

<group>access_denied,</group> 

<if_sid>30301</if_sid> 

<id>AH00550</id> 

<description>Client sent malformed Host header. Possible Code Red attack.</description> 

<info type="link">http://www.cert.org/advisories/CA-2001-19.html</info> 

<info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</info> 

<group>automatic_attack,</group> 

<if_sid>30301</if_sid> 

<id>AH01617|AH01807|AH01694|AH01695|AH02009|AH02010</id> 

<description>User authentication failed.</description> 

<group>authentication_failed,</group> 

<if_sid>30301</if_sid> 

<id>AH01618|AH01808|AH01790</id> 

<description>Attempt to login using a non-existent user.</description> 

<group>invalid_login,</group> 

<if_matched_sid>30309</if_matched_sid> 

<same_source_ip/> 

<description>Multiple authentication failures with invalid user.</description> 

<group>authentication_failures,</group> 

<if_sid>30301</if_sid> 

<match>File does not exist: |</match> 

<match>failed to open stream: No such file or directory|</match> 

<match>Failed opening </match> 

<description>Attempt to access an non-existent file (those are reported on the access.log).</description> 

<group>unknown_resource,</group> 

<if_sid>30301</if_sid> 

<id>AH00126</id> 

<description>Invalid URI (bad client request).</description> 

<group>invalid_request,</group> 

<if_matched_sid>30315</if_matched_sid> 

<same_source_ip /> 

<description>Multiple Invalid URI requests from </description> 

<description>same source.</description> 

<group>invalid_request,</group> 

<if_sid>30301</if_sid> 

<id>AH00565</id> 

<description>Invalid URI, file name too long.</description> 

<group>invalid_request,</group> 

<if_sid>30301</if_sid> 

<match>PHP Notice:</match> 

<description>PHP Notice in Apache log</description> 

<if_sid>30301</if_sid> 

<id>AH00036</id> 

<match>File name too long: </match> 

<description>File name too long.</description> 

<if_sid>30301</if_sid> 

<match>Permission denied: | client denied by server configuration: </match> 

<description>Permission denied.</description> 

<if_sid>30301</if_sid> 

<id>AH02811</id> 

<match>script not found </match> 

<description>A script cannot be accessed.</description> 

<if_sid>30301</if_sid> 

<match>ModSecurity: Warning</match> 

<description>ModSecurity Warning messages grouped</description> 

<if_sid>30301</if_sid> 

<match>ModSecurity: Access denied</match> 

<description>ModSecurity Access denied messages grouped</description> 

<if_sid>30301</if_sid> 

<match>ModSecurity: Audit log:</match> 

<description>ModSecurity Audit log messages grouped</description> 

<if_sid>30402</if_sid> 

<match>with code 403</match> 

<description>ModSecurity rejected a query</description> 

规则通过match匹配访问apache出现的关键字来定义规则的效果如:

<if_sid>30301</if_sid> 

<id>AH01630</id> 

<description>Attempt to access forbidden file or directory.</description> 

<group>access_denied,</group> 

rule id为30305,意为当用户试图访问一个不存在的文件或目录时,该规则生效,那么可能该用户就是一个攻击者

常用命令

启动

/var/ossec/bin/ossec-control start

/var/ossec/bin/ossec-control stop

客户端管理

/var/ossec/bin/manage_agents

测试规则

/var/ossec/bin/ossec-logtest

这里,演示添加一个检测ssh暴力破解的规则

Ssh登录日志的特征为:程序名称以sshd开头

vim syslog_rules.xml

找到这一部分

<match>FAILED LOGIN |authentication failure|</match> 

<match>Authentication failed for|invalid password for|</match> 

<match>LOGIN FAILURE|auth failure: |authentication error|</match> 

<match>authinternal failed|Failed to authorize|</match> 

<match>Wrong password given for|login failed|Auth: Login incorrect|</match> 

<match>Failed to authenticate user</match> 

<group>authentication_failed,</group> 

<description>User authentication failure.</description> 

<match>more authentication failures;|REPEATED login failures</match> 

<description>User missed the password more than one time</description> 

<group>authentication_failed,</group><ossec_config> 

<email_notification>no</email_notification> 

vim /var/ossec/etc/ossec.conf

<include>rules_config.xml</include> 

<include>pam_rules.xml</include> 

<include>sshd_rules.xml</include> 

<include>telnetd_rules.xml</include> 

<include>syslog_rules.xml</include> 

我们看下这个告警日志,就知道规则生效了

[root@vultr alerts]# cat alerts.log

** Alert 1531039434.0: mail - ossec,

2018 Jul 08 08:43:54 vultr->ossec-monitord

Rule: 502 (level 3) -> ‘Ossec server started.’

ossec: Ossec started.

** Alert 1531039489.151: - syslog,sshd,

2018 Jul 08 08:44:49 guest->/var/log/secure

Rule: 5702 (level 5) -> ‘Reverse lookup error (bad ISP or attack).’

Src IP: 118.212.136.13

Jul 8 08:44:49 guest sshd[8279]: reverse mapping checking getaddrinfo for 13.136.212.118.adsl-pool.jx.chinaunicom.com [118.212.136.13] failed - POSSIBLE BREAK-IN ATTEMPT!

** Alert 1531039491.499: - pam,syslog,authentication_failed,

2018 Jul 08 08:44:51 guest->/var/log/secure

Rule: 5503 (level 5) -> ‘User login failed.’

Src IP: 118.212.136.13

User: root

Jul 8 08:44:51 guest sshd[8279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.212.136.13 user=root

** Alert 1531039495.832: - syslog,sshd,authentication_failed,

2018 Jul 08 08:44:55 guest->/var/log/secure

Rule: 5716 (level 5) -> ‘SSHD authentication failed.’

Src IP: 118.212.136.13

User: root

Jul 8 08:44:53 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2

** Alert 1531039501.1121: - syslog,sshd,authentication_failed,

2018 Jul 08 08:45:01 guest->/var/log/secure

Rule: 5716 (level 5) -> ‘SSHD authentication failed.’

Src IP: 118.212.136.13

User: root

Jul 8 08:45:00 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2

** Alert 1531039503.1411: - syslog,sshd,authentication_failed,

2018 Jul 08 08:45:03 guest->/var/log/secure

Rule: 5716 (level 5) -> ‘SSHD authentication failed.’

Src IP: 118.212.136.13

User: root

Jul 8 08:45:03 guest sshd[8279]: Failed password for root from 118.212.136.13 port 8073 ssh2

** Alert 1531039505.1701: mail - syslog,access_control,authentication_failed,

2018 Jul 08 08:45:05 guest->/var/log/secure

Rule: 2502 (level 10) -> ‘User missed the password more than one time’

Src IP: 118.212.136.13

User: root

Jul 8 08:45:04 guest sshd[8279]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.212.136.13 user=root

** Alert 1531039674.2069: - syslog,sshd,

2018 Jul 08 08:47:54 guest->/var/log/secure

Rule: 5702 (level 5) -> ‘Reverse lookup error (bad ISP or attack).’

Src IP: 118.212.136.15

Jul 8 08:47:53 guest sshd[8452]: reverse mapping checking getaddrinfo for 15.136.212.118.adsl-pool.jx.chinaunicom.com [118.212.136.15] failed - POSSIBLE BREAK-IN ATTEMPT!

** Alert 1531039678.2418: mail - syslog,fts,authentication_success

2018 Jul 08 08:47:58 guest->/var/log/secure

Rule: 10100 (level 4) -> ‘First time user logged in.’

Src IP: 118.212.136.15

User: root

Jul 8 08:47:57 guest sshd[8452]: Accepted password for root from 118.212.136.15 port 48713 ssh2

** Alert 1531039678.2716: - pam,syslog,authentication_success,

2018 Jul 08 08:47:58 guest->/var/log/secure

Rule: 5501 (level 3) -> ‘Login session opened.’

Jul 8 08:47:57 guest sshd[8452]: pam_unix(sshd:session): session opened for user root by (uid=0)

 类似资料: