5.2 Cybersecurity study, stage 5 week 2 review (personal study notes)

Focus of the week

① NIDS basics (Suricata; the original heading said HIDS, but Suricata is a network IDS)

② Suricata basics

③ Suricata traffic detection

④ Suricata and HTTPS traffic

⑤ Integrating Suricata logs with Elastic

⑥ Active response to Suricata alerts with Wazuh

Main content of the week

① NIDS basics (Suricata)

1. NIDS

1. Definition: network intrusion detection system

2. How it works: network traffic is inspected by the NIDS against its detection rules, and traffic that raises no alert passes on to the servers behind it. In plain IDS mode Suricata only watches a copy of the traffic (a mirror port, or the host's own interface) and alerts; it becomes the filter sitting in front of the servers only when it runs inline as an IPS, which is the NFQueue setup covered in section ④.

2. Installing Suricata

1. Install: follow the official documentation and use the commands it provides for an online install

yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-6.0
yum install suricata

# Paths after installation:
Suricata main binary: /usr/sbin/suricata
Suricata core configuration directory: /etc/suricata/
Suricata log directory: /var/log/suricata/
Suricata helper tools (suricata-update, suricatasc): /usr/bin

# The four files in the log directory
eve.json: alerts and supporting events (http, dns, tls, flow, ...) as one JSON object per line; this is the file to ship to Elastic or Wazuh
fast.log: one unstructured line per alert; handy for tailing, useless for parsing
stats.log: Suricata's own counters
suricata.log: the engine's runtime log, where startup errors and rules that failed to load are reported

# Build dependencies when compiling from source instead of using the copr package
# (library names as recorded in the notes; exact package names differ per distribution):
# libjansson libpcap libpcre2 libmagic zlib libyaml gcc pkg-config libgeoip liblua5.1 libhiredis libevent

2. Edit the basic configuration

Edit /etc/suricata/suricata.yaml directly:

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    HOME_NET: "[192.168.112.0/24]"     # 192.168.112.0/24 is the local network
    #EXTERNAL_NET: "!$HOME_NET"           # everything not in HOME_NET is external
    EXTERNAL_NET: "any"                   # any address counts as external, HOME_NET hosts included

With EXTERNAL_NET set to "any", a rule written as $EXTERNAL_NET -> $HOME_NET also fires on traffic between two internal hosts; "!$HOME_NET" is the stricter setting once the lab works.

3. Create a rules file by hand (Suricata refuses to start without one)

touch /etc/suricata/rules/suricata.rules
Then set default-rule-path to /etc/suricata/rules or to /var/lib/suricata/rules (where suricata-update writes); either works as long as rule-files points at the file.

# Add one rule
alert http $EXTERNAL_NET any <> $HOME_NET 80 (msg:"404 error seen"; content:"404"; http_stat_code; sid:561001;)

4. Start

cd /etc/suricata && suricata -c suricata.yaml -i ens33

-c <path>  path to the configuration file
-i ens33   the network interface; every tool that captures traffic has to be told which NIC to listen on
-D         daemon mode: Suricata detaches and keeps running in the background
-r <path>  read an offline capture instead of a live interface, e.g. a pcap saved from Wireshark: -r ../../xxx.pcap

Check that the rule actually loaded before relying on it: suricata -T -c suricata.yaml validates the configuration and rules without capturing, and suricata.log names every rule that failed to parse.

3. Rule syntax basics

  1. Alert rules

The part inside ( ) is a list of key:value options separated by ";". A character that is special in the rule syntax (a quote or semicolon inside a value, for example) is escaped with a backslash.

alert http $EXTERNAL_NET any <> $HOME_NET 80 (msg:"description";content:"404";target:dest_ip;sid:1232;rev:123;)

(The note originally wrote the variable as $External_net and a bare target; variable names are case-sensitive and target needs a value of src_ip or dest_ip, so that rule would not have loaded.)

action: alert, drop, reject (or pass)

protocol: http, tcp, ssh, ...

src_ip: $EXTERNAL_NET

src_port: any means any port; the source port is normally unpredictable, so it is usually any

direction: -> matches request traffic only; <> matches both the request and the response direction. These are the only two forms.

dest_ip: $HOME_NET

dest_port: 80, the destination port

  1. IP address notation

    CIDR range: 192.168.211.0/24
    !IP negates: !192.168.211.10 means every address except 192.168.211.10
    [...,...] groups addresses: [172.12.2.2,192.168.211.0/24]
    a bare IP matches that one address only

  2. Port notation

    [80,81,82]   a group; matches when the port is one of the listed values, like SQL's IN
    [80:100]     the range 80 to 100
    [80:]        from 80 up to the highest port, 65535
    !80          negation; every port except 80
    [80:100,!99] combined: 80 to 100 excluding 99

  3. Meta keywords

msg: the alert description

sid: rule ID; it must be unique across all loaded rules, or Suricata rejects the duplicate

rev: rule revision, 0 when omitted; bump it whenever the rule changes

classtype: the rule's class, defined in classification.config

reference: external reference, usually a CVE ID

priority: when set it overrides the priority that comes with the classtype; valid range 1 to 255, 1 being the highest; 1 to 4 is the usual working range

metadata: free-form key/value pairs that do not affect matching

target: declares which side of the flow is the attack target, target:src_ip or target:dest_ip; with it set, eve.json alerts gain source/target objects, which matters later for active response

② Suricata basics

1. Recognising HTTP attacks

1. Define the attack classes

Edit the class definition file classification.config:

# custom define web classtype
config classification: web_status_error,WEB server status error,4
config classification: web_scan_attack,WEB page scanning attack,2
config classification: web_sql_injection,SQL injection attack,1
config classification: web_shell_attack,webshell implant attack,1

Format: config classification: shortname,description,priority. The priority (1 is highest) is what fast.log prints as [Priority: n] unless a rule overrides it with the priority keyword.

2. Where the rules live

The rules go in /var/lib/suricata/rules/suricata.rules, which suricata.yaml references as:

## Configure Suricata to load Suricata-Update managed rules.
##
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

3. Write the rules

alert http any any <> $HOME_NET 80 (msg:"WEB server 404 error";content:"404";http_stat_code;classtype:web_status_error;sid:5610001;rev:1;)
alert http any any <> $HOME_NET 80 (msg:"SQL injection attack - union";content:"union";http_uri;classtype:web_sql_injection;sid:5610002;rev:1;)

4. Restart Suricata and verify that the rules fire

Request from a browser: http://192.168.230.138/dashboard/phpinfo.php?id=1 union select 1,2,3,4 #

Watch the log: /var/log/suricata/fast.log

05/20/2024-11:39:51.470394  [**] [1:5610002:1] SQL injection attack - union [**] [Classification: SQL injection attack] [Priority: 1] {TCP} 192.168.230.1:59589 -> 192.168.230.138:80

5. Exercises:

  1. SQL injection detection: database(), version(), char()
  2. web 403 errors, web 500 errors

2. Rules for rate-based attacks

404 errors: many 404s from one source inside a short window suggest a path (directory) scan.

Rule:

alert http any any <> $HOME_NET 80 (msg:"Frequent 404s, possible path scan";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)

threshold: counting and rate limiting for a single rule

  • type: threshold fires once every count matches inside the window (on the 5th, 10th, ... match); limit fires on the first count matches inside the window and then stays quiet until the window expires; both fires once per window, when the count is reached, and ignores the rest
  • tracking: track by_src or track by_dst, i.e. whether the counter is kept per source IP or per destination IP
  • count: the number of matches required
  • seconds: the length of the time window in seconds

Caveat on track by_src: this rule matches on the HTTP status code, which is in the server's response, so the "source" of the matching packet is the web server, not the scanner. In a one-server lab that still counts correctly, but on a real network track by_dst (the client receiving the 404s) is the per-attacker counter. The alert lines in section ④ show the issue: they read 192.168.230.138:80 -> 192.168.230.1.
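The three threshold types are easiest to tell apart by replaying the same matches through each of them. The following is an added example, not code from the notes or from Suricata: it models the threshold keyword's per-key window logic in Python and runs the page's rule (count 5, seconds 20) over a constructed list of 404 matches, where the tracked key stands for whatever track by_src or track by_dst selects.

```python
def apply_threshold(events, kind, count, seconds):
    """Replay (timestamp, tracked_key) matches through the semantics of
    Suricata's threshold keyword and return the matches that raise alerts.

    kind    -- "threshold", "limit" or "both"
    count   -- the count value of the rule
    seconds -- the window length; a key's window starts at its first match
               and is reset once it has expired
    tracked_key is whatever track by_src / track by_dst selects (an IP).
    """
    windows = {}   # key -> [window_start, matches_seen_in_window]
    alerts = []
    for ts, key in sorted(events):
        win = windows.get(key)
        if win is None or ts - win[0] >= seconds:
            win = windows[key] = [ts, 0]
        win[1] += 1
        n = win[1]
        if kind == "threshold":
            fire = n % count == 0        # every count-th match in the window
        elif kind == "limit":
            fire = n <= count            # the first count matches, then silence
        elif kind == "both":
            fire = n == count            # exactly once, when the count is reached
        else:
            raise ValueError("unknown threshold type: %r" % kind)
        if fire:
            alerts.append((ts, key))
    return alerts


# Constructed sample (not lab traffic): one client producing ten 404s in ten
# seconds, another producing two 404s 27 seconds apart, so never five in a window.
SAMPLE_404S = [(t, "192.168.230.1") for t in range(10)] + [(3, "10.0.0.9"), (30, "10.0.0.9")]


def alerts_per_key(kind, count=5, seconds=20, events=SAMPLE_404S):
    """Number of alerts each tracked key raises under the given threshold type."""
    totals = {key: 0 for _, key in events}
    for _, key in apply_threshold(events, kind, count, seconds):
        totals[key] += 1
    return totals


if __name__ == "__main__":
    for kind in ("threshold", "limit", "both"):
        print(kind, alerts_per_key(kind))
```

For the scanner the three types give 2, 5 and 1 alerts respectively, and the slow client never reaches the count, which is the behaviour to expect from the page's rule; swap the tracked key for the client address (by_dst) when the match is on a response, as noted above.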

Exercise:

1. Detect a login brute-force attack

Rule:

alert http any any <> $HOME_NET 8080 (msg:"Suspected login brute force";http.response_body;content:"login-fail";classtype:web_brute_attack;threshold:type threshold,track by_src,count 5,seconds 20;sid:561004;rev:1;)

Add the class to classification.config:

config classification: web_brute_attack,brute-force attack,1

Restart and verify; the target web application used here is woniusales. As with the 404 rule, "login-fail" is in the response body, so by_src counts per server; track by_dst counts failures per client.

3. The content keyword

1. Byte notation in content

"     |22|
;     |3B|
:     |3A|
|     |7C|

Characters that are special in the rule syntax (the quote, the semicolon, the pipe) are written as hex between pipes; any byte can be written that way.

Examples (all three are the same four bytes):

content:"a|0D|bc";
content:"|61 0D 62 63|";
content:"a|0D|b|63|";

content matches case-sensitively.

To match case-insensitively, add the nocase keyword, which tells Suricata to ignore case for that content:

content:"abc"; nocase;

Note: nocase, like the other modifiers below, must come after the content it modifies.

2. depth: only the first n bytes of the payload (or buffer) are searched

Example: with payload "abcdefghijk", content:"def"; depth:3; does not match, because only "abc" is inspected.

3. Start and end of the buffer

startswith: the content must sit at the very start of the buffer; content:"GET"; startswith; means the inspected buffer has to begin with GET.

endswith: the content must sit at the very end of the buffer; content:".png"; endswith; means the inspected buffer has to end in .png.

4. offset

Skip offset bytes from the start of the payload before looking for the content; combined with depth, the search window is the depth bytes that follow the offset.
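The following is an added example, not code from the notes: a small Python model of how a content option and its modifiers are applied to an inspected buffer. It converts the |hex| notation to bytes, then applies nocase, depth, offset, startswith and endswith, and demo() runs the cases discussed above (including the "abcdefghijk" / depth:3 case) on constructed buffers.

```python
def parse_content(spec):
    """Convert the text of a Suricata content:"..." option to raw bytes.
    Text outside |...| is literal; inside the pipes are space-separated hex
    bytes, so "a|0D|bc", "|61 0D 62 63|" and "a|0D|b|63|" are all b"a\\rbc"."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(buf, spec, nocase=False, depth=None, offset=0,
                  startswith=False, endswith=False):
    """Apply one content option plus its modifiers to an inspected buffer
    (a raw payload or a sticky buffer such as http.uri) and report a match.
    depth counts from the start of the buffer, or from offset when both are
    given; startswith/endswith pin the content to the buffer's ends."""
    needle = parse_content(spec)
    hay = buf
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    if startswith:
        return hay.startswith(needle)
    if endswith:
        return hay.endswith(needle)
    end = None if depth is None else offset + depth
    return needle in hay[offset:end]


# Constructed sample buffers (not traffic captured on the page's lab).
PAYLOAD = b"abcdefghijk"
REQUEST_LINE = b"GET /images/logo.png HTTP/1.1"


def demo():
    """The checks a rule writer wants to confirm before loading a content rule."""
    return {
        "hex_forms_equal": parse_content("a|0D|bc") == parse_content("|61 0D 62 63|")
                           == parse_content("a|0D|b|63|") == b"a\rbc",
        "quote_via_hex": parse_content("|22|ok|22|") == b'"ok"',
        "def_depth3": content_match(PAYLOAD, "def", depth=3),          # only "abc" is searched
        "def_depth6": content_match(PAYLOAD, "def", depth=6),
        "def_offset3_depth3": content_match(PAYLOAD, "def", offset=3, depth=3),
        "case_sensitive": content_match(b"ABC", "abc"),
        "nocase": content_match(b"ABC", "abc", nocase=True),
        "get_startswith": content_match(REQUEST_LINE, "GET", startswith=True),
        "png_endswith": content_match(b"/images/logo.png", ".png", endswith=True),
        "png_endswith_line": content_match(REQUEST_LINE, ".png", endswith=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The last two entries show why the buffer matters: ".png"; endswith; matches the http.uri buffer but not the whole request line, which ends in the HTTP version.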


4. Detecting XSS attack traffic

Rule:

alert http any any <> $HOME_NET 8080 (msg:"Suspected XSS attack";http.uri;content:"<script";nocase;classtype:web_sql_injection;sid:561005;rev:1;)

The classtype here is borrowed from the SQL-injection class; for clean reporting define a separate class in classification.config and use that.

5. pcre for complex matching

pcre is the Perl-compatible regular expression library, so the pattern is written in Perl regex syntax.

Syntax: pcre:"/regex/flags"

Flags: i ignores case; A anchors the match at the start of the buffer; G makes quantifiers ungreedy (the Suricata-specific flags are listed in the pcre section of the rule documentation).

Exercise:

Detect a one-line webshell in the traffic

PHP one-liner:

<?php eval($_GET[0]);?>

JSP one-liner:

<% Process process = Runtime.getRuntime().exec(request.getParameter("cmd")); %>

Rule:

alert http any any <> $HOME_NET 80 (msg:"One-line webshell in traffic";http.uri;content:"<?";pcre:"/eval|assert|system\(|exec|\$_GET|\$_POST/i";classtype:web_shell_attack;sid:561006;rev:1;)

Note the \$: in a regex an unescaped $ is the end-of-string anchor, so the original /...|$_GET|$_POST/ could never match those two alternatives. The http.uri buffer is the normalised URI, so a URL-encoded %3C? is inspected as <?.

If the one-liner is in the body of a POST, how is it detected?

Switch the inspected buffer from http.uri to the request body; the keyword is http.request_body (sticky buffer) or the older http_client_body modifier:

alert http any any <> $HOME_NET 8080 (msg:"One-line webshell in traffic";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)

4. Matching several fields in one rule

Rule description

Match the request method first; if it is POST, then check whether the body contains a one-liner

alert http any any <> $HOME_NET 8080 (msg:"One-line webshell in traffic";http.method;content:"POST";startswith;http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561009;rev:1;)

5. Detecting file-upload traffic

1. Characteristics of a file upload

  • the method is POST
  • the Content-Type is multipart/form-data
  • the body contains Content-Disposition

2. Rule

alert http any any <> $HOME_NET 8080 (msg:"File upload";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";classtype:web_file_upload;sid:561010;rev:1;)

3. File upload that carries a one-liner

alert http any any <> $HOME_NET 8080 (msg:"File upload carrying a one-line webshell";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";http.request_body;pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i";classtype:web_file_upload;sid:561007;rev:1;)

Corrections to the two upload rules as originally written: sid is written sid:, not sid=; two rules cannot share sid 561010 (the second now uses 561007); the pcre had system\(exec fused into one alternative plus the unescaped $ anchors; and classtype web_file_upload has to be added to classification.config (for example config classification: web_file_upload,file upload,2) or neither rule loads.

3. Exercise:

Write a rule that detects a one-line webshell inside an uploaded file
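Most of the rule mistakes in this section (a case-mismatched variable, target without a value, sid= instead of sid:, an undefined classtype, an unescaped $ in a pcre, a reused sid, a missing final semicolon) are found only when Suricata refuses the rule at startup. The following is an added example, not code from the notes or from Suricata: a small Python linter that parses the rule header and option list described in the syntax section above and reports those mistakes before the rules are loaded. KNOWN_VARS and KNOWN_CLASSTYPES are assumptions limited to the variables and classes this page defines; the sample rules are the page's own, reproduced with their original mistakes, plus one clean control.

```python
import re

# Suricata rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|reject|rejectsrc|rejectdst|rejectboth|pass)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Assumptions: the address variables from suricata.yaml and the classtypes
# this page adds to classification.config; extend both for a real ruleset.
KNOWN_VARS = {"HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "SQL_SERVERS", "HTTP_PORTS", "SSH_PORTS"}
KNOWN_CLASSTYPES = {"web_status_error", "web_scan_attack", "web_sql_injection",
                    "web_shell_attack", "web_brute_attack"}


def split_options(opts):
    """Split the option string on ';' outside quotes, honouring backslash
    escapes. Returns (items, unterminated): unterminated is True when the
    last option had no closing ';', which Suricata rejects."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); quoted = not quoted
        elif ch == ";" and not quoted:
            if "".join(buf).strip():
                items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items, bool(tail)


def parse_rule(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("cannot parse rule header: %s" % rule[:60])
    fields = m.groupdict()
    items, unterminated = split_options(fields.pop("opts"))
    fields["options"] = [(k.strip(), v.strip() if sep else None)
                         for k, sep, v in (it.partition(":") for it in items)]
    fields["unterminated"] = unterminated
    return fields


def lint_rule(rule):
    """Return (sid, findings) covering the mistakes this page ran into."""
    r = parse_rule(rule)
    findings = []
    for field in ("src", "dst"):
        for var in re.findall(r"\$(\w+)", r[field]):
            if var not in KNOWN_VARS:
                findings.append("unknown variable $%s (variable names are case-sensitive)" % var)
    keys = [k for k, _ in r["options"]]
    sids = [v for k, v in r["options"] if k == "sid"]
    if any(k.startswith("sid=") for k in keys):
        findings.append("sid written as 'sid=' instead of 'sid:'")
    elif not sids:
        findings.append("missing sid")
    if "msg" not in keys:
        findings.append("missing msg")
    for key, value in r["options"]:
        if key == "target" and value not in ("src_ip", "dest_ip"):
            findings.append("target needs a value of src_ip or dest_ip")
        elif key == "classtype" and value not in KNOWN_CLASSTYPES:
            findings.append("classtype %s is not defined in classification.config" % value)
        elif key == "pcre" and value:
            body = value.strip('"')
            body = body[1:body.rfind("/")]          # drop the /.../flags wrapper
            if re.search(r"(?<!\\)\$(?!$)", body):
                findings.append("pcre has an unescaped '$' (end anchor); write \\$ for a literal $")
    if r["unterminated"]:
        findings.append("last option lacks its terminating ';'")
    return (sids[0] if sids else None), findings


def lint_rules(rules):
    """Lint every rule and flag sids reused across the set."""
    report, first_seen = [], {}
    for idx, rule in enumerate(rules):
        sid, findings = lint_rule(rule)
        if sid is not None:
            if sid in first_seen:
                findings.append("duplicate sid %s (also used by rule #%d)" % (sid, first_seen[sid]))
            else:
                first_seen[sid] = idx
        report.append(findings)
    return report


# Rules from this page as originally written (mistakes included), plus a clean control.
PAGE_RULES = [
    r'alert http any any <> $HOME_NET 80 (msg:"WEB server 404 error";content:"404";http_stat_code;classtype:web_status_error;sid:5610001;rev:1;)',
    r'alert http any any <> $HOME_NET 80 (msg:"One-line webshell in traffic";http.uri;content:"<?";pcre:"/eval|assert|system\(|exec|$_GET|$_POST/i";classtype:web_shell_attack;sid:561006;rev:1;)',
    r'alert http any any <> $HOME_NET 8080 (msg:"File upload";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";classtype:web_file_upload;sid=561010;rev:1;)',
    r'alert  http  $External_net  any  <> $HOME_NET 80 (msg:"hint";content:"404";target;sid:1232;rev:123)',
    r'alert tcp any any -> $HOME_NET any (msg:"TCP flood";flow:established,to_server;threshold:type threshold,track by_src,count 20,seconds 1;sid:561012;rev:1;)',
    r'alert tcp any any -> $HOME_NET any (msg:"SYN flood";flags:S;flow:stateless,to_server;sid:561012;rev:1;)',
]

if __name__ == "__main__":
    for idx, findings in enumerate(lint_rules(PAGE_RULES)):
        print("rule #%d:" % idx, findings or "ok")
```

Run it over the rule file before restarting Suricata; suricata -T remains the authoritative check, this only shortens the loop for the errors that keep recurring.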

③ Suricata traffic detection

1. ICMP traffic

Rule:

alert icmp any any -> $HOME_NET any (msg:"Oversized ICMP echo flood";dsize:>30;itype:8;threshold: type both,track by_src,count 20,seconds 5;sid:561011;rev:1;)

Explanation:

Protocol icmp, destination port any (ICMP has no ports). dsize tests the payload length in bytes: >n, <n, !n or n. itype is the ICMP type; 8 is echo request. The note called this a "ping of death" rule, but a ping of death is a fragmented packet that reassembles to more than 65535 bytes; what this rule detects is a burst of echo requests with larger-than-default payloads, a flood heuristic.

2. TCP flood

Rule

alert tcp any any -> $HOME_NET any (msg:"TCP flood";flow:established,to_server;threshold:type threshold,track by_src,count 20,seconds 1;sid:561012;rev:1;)

Explanation:

Protocol tcp.

The flow keyword:

flow matches the direction of a flow, to/from the client or to/from the server, and whether the flow is established. It can also require that the rule match only on reassembled stream data (only_stream) or only on individual packets (no_stream).
With flow a rule can match on:
to_client
  packets going from the server to the client
to_server
  packets going from the client to the server
from_client
  packets going from the client to the server (same as to_server)
from_server
  packets going from the server to the client (same as to_client)
established
  packets that belong to an established connection
not_established
  packets that do not belong to an established connection
stateless
  packets whether or not they belong to an established connection

3. SYN flood

Rule

alert tcp any any -> $HOME_NET any (msg:"SYN flood";flags:S;flow:stateless,to_server;threshold:type threshold,track by_src,count 20,seconds 1;sid:561017;rev:1;)

Two corrections to the rule as originally written: it carried dsize:>100, but a SYN normally has no payload at all, so that condition would have kept it from ever matching; and it reused sid 561012 from the TCP-flood rule above (now 561017). The closing rev:1 also needs its terminating semicolon.

flags:

F: FIN, finish

S: SYN, synchronise, start of a session

R: RST, reset

A: ACK, acknowledgement

U: URG, urgent

4. Detecting CC (HTTP flood) attack traffic

Rule

alert http any any -> $HOME_NET 8080 (msg:"CC attack";flow:established,to_server;threshold:type both,track by_src,count 20,seconds 1;http.method;content:"POST";http.request_body;content:"barcode";sid:561013;rev:1;)

flow:established,to_server requires the request to ride on an already established TCP connection in the client-to-server direction. (The note had http:method with a colon; the sticky buffer is http.method.)

5. MySQL brute-force traffic

Rule

alert tcp any any <> $HOME_NET 3306 (msg:"MySQL brute-force attack";content:"Access denied for user";threshold: type threshold,track by_src,count 10,seconds 10;sid:561014;rev:1;)

"Access denied for user" is the server's reply, so the matching packet's source is the MySQL server; track by_dst counts per client.

6. Webshell written through MySQL

select "<?php eval($_POST[1]);?>" into outfile "/opt/shell.php"

Rule

alert tcp any any <> $HOME_NET 3306 (msg:"Webshell written via MySQL";content:"into outfile";nocase;pcre:"/eval|assert|system|_POST|_GET/i";classtype:web_shell_attack;sid:561015;rev:1;)

(The note had the typo classtype web_shell_attackl, which Suricata rejects as an unknown class.)

7. SSH traffic

Characteristics:

Rule:

alert ssh any any <> $HOME_NET 22 (msg:"SSH brute force";content:"|15 00 00 00 00 00 00 00 00 00 00|";threshold: type threshold,track by_src,count 3,seconds 10;sid:561016;rev:1;)

Caveat: after the key exchange SSH is encrypted, so a fixed byte pattern like this is a heuristic tied to one client/server combination, not a reliable brute-force signature; failed logins counted on the host (auth logs through Wazuh, section ⑥) are the dependable signal.

④ Suricata and HTTPS traffic

1. Suricata cannot decrypt TLS. It can log TLS metadata (SNI, certificate, JA3 hash) but not inspect the encrypted payload, so something else has to decrypt the traffic first and Suricata inspects the plaintext leg.

2. Lab setup

  • a client machine that sends HTTPS requests to nginx
  • a Linux host running nginx with a TLS certificate, reverse-proxying to a remote Tomcat
  • a Tomcat server
  • Suricata can run on the nginx host or on the Tomcat host; either way it has to sit on the plaintext nginx-to-Tomcat leg

I. Detecting HTTPS traffic through a proxy

Principle: a NIDS cannot inspect encrypted traffic, so a proxy terminates TLS first and detection runs on the decrypted traffic. nginx is the proxy here, and Suricata inspects the traffic between nginx and the backend.

1. Prepare the lab

  • tomcat: 192.168.230.138 (the note wrote .13; the nginx upstream below and the alert lines both point at .138:8080)
  • nginx: 192.168.230.139
  • suricata: 192.168.230.138

2. Generate a certificate for nginx

The private key behind this certificate is what lets nginx terminate, i.e. decrypt, the browser's HTTPS session.

# confirm openssl is installed
openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
# generate a private key (passphrase-protected)
openssl genrsa -des3 -out server.pass.key 2048
# strip the passphrase so nginx can start unattended
openssl rsa -in server.pass.key -out server.key
# create a certificate signing request
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dev/OU=dev/CN=localhost"
# self-sign the certificate (the option is -days; -day fails)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# copy server.key and server.crt to /usr/local/nginx/conf (nginx does not need the .csr); keep the key readable by root only
cp -p server.crt server.key /usr/local/nginx/conf/
chmod 600 /usr/local/nginx/conf/server.key

3. Edit nginx.conf to reverse-proxy Tomcat

user nginx;
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

error_log /var/log/nginx/error.log;
#pid        logs/nginx.pid;
pid /run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    #include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    upstream mytomcat{
        server 192.168.230.138:8080 weight=1;
        }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /usr/local/nginx/conf/server.crt;
        ssl_certificate_key  /usr/local/nginx/conf/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
        location /woniusales/{
                proxy_pass http://mytomcat/woniusales/;
                proxy_redirect default;
        }
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location =/50x.html{
                root html;
        }
    }

}

4. Start nginx and Tomcat, then confirm the setup works (open the /woniusales/ path on nginx over HTTPS and accept the self-signed certificate)

5. Prepare the Suricata rule

alert http any any <> $HOME_NET 8080 (msg:"One-line webshell in traffic";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)

6. Restart Suricata, send a request containing the sensitive keyword from the browser over HTTPS, and check that Suricata alerts on it

05/21/2024-06:25:02.489259  [**] [1:561008:1] One-line webshell in traffic [**] [Classification: webshell implant attack] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080
05/21/2024-06:25:02.489259  [**] [1:561009:1] One-line webshell in traffic [**] [Classification: webshell implant attack] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080

Both alerts name the proxy, 192.168.230.139, as the source, because Suricata only sees the nginx-to-Tomcat hop. The real client address survives only if nginx adds it (proxy_set_header X-Forwarded-For $remote_addr in the proxied location) and the eve-log xff setting in suricata.yaml is enabled so alerts record it.

Exercise:

Following the same steps, write a rule that detects MySQL injection in the traffic

II. IPS functionality in Suricata

In its default IDS mode Suricata only observes a copy of the traffic and can alert but not drop. To enforce it has to run inline; on Linux the usual way is NFQueue: iptables hands packets to a queue, Suricata reads them from the queue, and its verdict (accept or drop) decides whether the kernel lets each packet through.

How NFQueue works: iptables diverts matching packets into a queue and waits for a userspace program to inspect each one and return a verdict; the kernel then accepts or drops the packet according to that verdict.

Steps

1. Install iptables

yum -y install iptables iptables-services
systemctl stop firewalld
systemctl start iptables.service

2. Send traffic to a queue

iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 8080 -j NFQUEUE

Caveat: with these rules in place, every queued packet is dropped by the kernel whenever nothing is reading the queue, so if Suricata is stopped or crashes the web ports go dark (fail closed). Add --queue-bypass to the NFQUEUE rules if the service must stay reachable without inspection (fail open); which of the two you want is a policy decision, so make it deliberately.

3. Start Suricata on the queue

suricata -c suricata.yaml -q 0

4. The rule

drop http any any <> $HOME_NET 80 (msg:"Frequent 404s, possible path scan";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)

Once 404s become frequent, the packet that trips the threshold is dropped. Because the match is on the response status code, what gets dropped is the server's 404 response, not the scanner's request; stopping the scan itself needs a drop keyed on the request (http.uri patterns, for instance) or a host-level block of the source, which is what section ⑥ does with Wazuh.

5. Result: the second line now carries the [Drop] marker

05/21/2024-08:40:53.583490  [**] [1:5610001:1] WEB server 404 error [**] [Classification: WEB server status error] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941
05/21/2024-08:40:53.771510  [Drop] [**] [1:561003:1] Frequent 404s, possible path scan [**] [Classification: WEB server status error] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941

⑤ Integrating Suricata logs with Elastic

I. Configure Filebeat
1. Check which modules are currently enabled

[root@centqiang filebeat-7.14]# ./filebeat modules list
Error in modules manager: modules management requires 'filebeat.config.modules.path' setting
[root@centqiang filebeat-7.14]# vi filebeat.yml
filebeat.config.modules:
  path: /opt/filebeat-7.14/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
2. Enable the suricata module

[root@centqiang filebeat-7.14]# ./filebeat modules enable suricata
Enabled suricata
3. Initialise the Suricata module

This creates the index template and the Kibana dashboards in one step; Elasticsearch and Kibana must already be running.

(1) Edit modules.d/suricata.yml

- module: suricata
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]

(2) Edit filebeat.yml so Filebeat can reach Elasticsearch and Kibana

setup.kibana:
  host: "192.168.112.198:5601"
  protocol: "http"
setup.dashboards.enabled: true

(3) Run ./filebeat setup -e to initialise; it connects to and configures Elasticsearch and Kibana.

[root@centqiang filebeat-7.14]# ./filebeat setup -e
2021-12-27T14:54:50.670+0800    INFO    instance/beat.go:665    Home path: [/opt/filebeat-7.14] Config path: [/opt/filebeat-7.14] Data path: [/opt/filebeat-7.14/data] Logs path: [/opt/filebeat-7.14/logs]
2021-12-27T14:54:50.670+0800    INFO    instance/beat.go:673    Beat ID: 5ff8de48-96bf-4699-8777-818b8f6e16c0
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1014    Beat info    {"system_info": {"beat": {"path": {"config": "/opt/filebeat-7.14", "data": "/opt/filebeat-7.14/data", "home": "/opt/filebeat-7.14", "logs": "/opt/filebeat-7.14/logs"}, "type": "filebeat", "uuid": "5ff8de48-96bf-4699-8777-818b8f6e16c0"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1023    Build info    {"system_info": {"build": {"commit": "574c21d25ddb65a63665ac26b54799f81a7e9706", "libbeat": "7.14.2", "time": "2021-09-15T10:26:32.000Z", "version": "7.14.2"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1026    Go runtime info    {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.16.6"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1030    Host info    {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-12-27T09:38:40+08:00","containerized":false,"name":"centqiang","ip":["127.0.0.1/8","::1/128","192.168.112.195/24","fe80::c135:a71d:3611:b840/64","fe80::3726:145f:911a:51b2/64","fe80::2b1d:468a:d07a:34bc/64"],"kernel_version":"3.10.0-1160.el7.x86_64","mac":["00:0c:29:30:a6:c8"],"os":{"type":"linux","family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"CST","timezone_offset_sec":28800,"id":"4014b10d46364734aa0c022a21147156"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1059    Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/opt/filebeat-7.14", "exe": "/opt/filebeat-7.14/filebeat", "name": "filebeat", "pid": 10688, "ppid": 7839, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2021-12-27T14:54:50.090+0800"}}}
2021-12-27T14:54:50.671+0800    INFO    instance/beat.go:309    Setup Beat: filebeat; Version: 7.14.2
2021-12-27T14:54:50.672+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:54:50.672+0800    INFO    [publisher]    pipeline/module.go:113    Beat name: centqiang
2021-12-27T14:54:50.673+0800    INFO    beater/filebeat.go:117    Enabled modules/filesets: wazuh (alerts),  ()
2021-12-27T14:54:50.674+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:54:50.677+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
ILM policy and write alias loading not enabled.
2021-12-27T14:54:50.679+0800    INFO    template/load.go:229    Existing template will be overwritten, as overwrite is enabled.
2021-12-27T14:54:50.680+0800    INFO    template/load.go:132    Try loading template wazuh to Elasticsearch
2021-12-27T14:54:50.747+0800    INFO    template/load.go:124    Template with name "wazuh" loaded.
2021-12-27T14:54:50.747+0800    INFO    [index-management]    idxmgmt/std.go:297    Loaded index template.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
2021-12-27T14:54:50.747+0800    INFO    kibana/client.go:122    Kibana url: http://192.168.112.198:5601
2021-12-27T14:54:52.039+0800    INFO    kibana/client.go:122    Kibana url: http://192.168.112.198:5601
2021-12-27T14:56:10.013+0800    INFO    instance/beat.go:848    Kibana dashboards successfully loaded.
Loaded dashboards
2021-12-27T14:56:10.013+0800    WARN    [cfgwarn]    instance/beat.go:574    DEPRECATED: Setting up ML using Filebeat is going to be removed. Please use the ML app to setup jobs. Will be removed in version: 8.0.0
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
2021-12-27T14:56:10.014+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.018+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.018+0800    INFO    kibana/client.go:122    Kibana url: http://192.168.112.198:5601
2021-12-27T14:56:10.046+0800    WARN    fileset/modules.go:425    X-Pack Machine Learning is not enabled
2021-12-27T14:56:10.067+0800    WARN    fileset/modules.go:425    X-Pack Machine Learning is not enabled
Loaded machine learning job configurations
2021-12-27T14:56:10.067+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.070+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.072+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.075+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.203+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-pipeline"}
2021-12-27T14:56:10.263+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-dns"}
2021-12-27T14:56:10.320+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-dns-answer-v1"}
2021-12-27T14:56:10.367+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-dns-answer-v2"}
2021-12-27T14:56:10.427+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-tls"}
2021-12-27T14:56:10.482+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-http"}
2021-12-27T14:56:10.482+0800    INFO    cfgfile/reload.go:262    Loading of config files completed.
2021-12-27T14:56:10.482+0800    INFO    [load]    cfgfile/list.go:129    Stopping 1 runners ...
2021-12-27T14:56:10.546+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-wazuh-alerts-pipeline"}
Loaded Ingest pipelines

If the command runs through without errors, the initialisation succeeded.

II. Configure the dashboard in Kibana
1. Confirm the index exists
2. Search for the dashboard
3. Open [Filebeat Suricata] Alert Overview

The Suricata alerts are listed correctly in the table at the bottom, but the charts at the top show errors.

4. Fix the chart errors

Hovering over the Error message shows that the failing charts reference a field that no longer exists.

Click the gear icon at the top right of the chart and, under "Edit Visualization", point it at the correct field name.

5. Search and inspect in Discover
III. Integrating Suricata with Wazuh
1. Make Wazuh monitor eve.json
<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
2. Check the built-in rules

ruleset/rules/0475-suricata_rules.xml

<group name="ids,suricata,">
    <rule id="86600" level="0">
        <decoded_as>json</decoded_as>
        <field name="timestamp">\.+</field>
        <field name="event_type">\.+</field>
        <description>Suricata messages.</description>
        <options>no_full_log</options>
    </rule>
    <rule id="86601" level="3">
        <if_sid>86600</if_sid>
        <field name="event_type">^alert$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
</group>
3. Custom rules mapping Suricata alerts to Wazuh levels
<group name="ids,suricata,">
    <rule id="86601" level="5" overwrite="yes">
      <if_sid>86600</if_sid>
      <field name="event_type">^alert$</field>
      <description>Suricata普通预警:$(alert.signature)</description>
      <options>no_full_log</options>
    </rule>
    <rule id="86605" level="12">
      <if_sid>86601</if_sid>
      <field name="alert.severity">^1$</field>
      <description>Suricata严重预警:$(alert.signature)</description>
      <options>no_full_log</options>
    </rule>
</group>
4. Start Wazuh and watch alerts.log in real time
5. View in Kibana

⑥ Active response to Suricata alerts with Wazuh

I. Configure the decoder and rules
1. Basic idea

src_ip can be read from eve.json, and the JSON decoder does expose it as a normal field, but firewall-drop needs the field srcip (one of Wazuh's built-in static fields), not src_ip. So src_ip has to be extracted and stored as Wazuh's srcip field before the active response can trigger.

How to extract src_ip from eve.json into srcip? The same way Wazuh extracts any field: a custom decoder with a regex and an order list.

2. Decoder
<!-- Suricata active-response decoder -->
<decoder name="suricata_eve">
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"src_ip":"(\S+)"\S+"signature":"(\S+)"\S+"severity":(\d)</regex>
  <order>event_type,srcip,signature,severity</order>
</decoder>

Monitoring fast.log instead is possible, but much of the information cannot be extrac­ted reliably from it, so monitoring eve.json is recommended. Note the (\S+) captures in the regex: a signature text that contains a space will not decode, because \S+ stops at whitespace; keep rule msg strings space-free, or verify any change with wazuh-logtest.

3. Rules
<group name="ids,suricata,">
  <rule id="562600" level="0">
      <decoded_as>suricata_eve</decoded_as>
      <description>Suricata alert root rule.</description>
      <options>no_full_log</options>
  </rule>
  <rule id="562601" level="3">
      <if_sid>562600</if_sid>
      <field name="event_type">^alert$</field>
      <description>Suricata-Wazuh alert: $(srcip)</description>
      <options>no_full_log</options>
  </rule>
  <rule id="562602" level="12">
      <if_sid>562601</if_sid>
      <field name="severity">^1$</field>
      <description>Suricata critical alert: $(srcip) - $(signature)</description>
      <options>no_full_log</options>
  </rule>
</group>
4. Disable the json decoder
<decoder name="json">
  <prematch>^NoUse{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

Because the built-in json decoder runs before the custom suricata_eve decoder, breaking its prematch like this is a convenient trick while debugging the rules, but it cannot stay: every other JSON log source would then fail to decode. A proper fix is in part III below.

5. Test the rules
/var/ossec/bin/wazuh-logtest
{"timestamp":"2021-12-28T12:24:18.861779+0800","flow_id":801237179200730,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":1110,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=%3C?eval($_POST[a]);","http_user_agent":"Mozilla/5.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":793,"bytes_toclient":1074,"start":"2021-12-28T12:24:18.816346+0800"}}
II. Design the active response
1. Active response
<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>9</level>
    <timeout>600</timeout>
</active-response>

With level 9 and no rules_id, this block runs firewall-drop for every alert of level 9 or higher that carries a srcip, from any rule, not just the Suricata ones; restrict it with <rules_id>562602</rules_id> (or <rules_group>) so that a Suricata severity-1 alert is the only trigger. timeout 600 lifts the block after ten minutes.

2. Test
** Alert 1640685105.129291: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,
2021 Dec 28 17:51:45 centqiang->/var/ossec/logs/active-responses.log
Rule: 651 (level 3) -> 'Host Blocked by firewall-drop Active Response'
2021/12/28 17:51:45 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-12-28T17:51:45.954+0800","rule":{"level":12,"description":"Suricata致命预警:URL地址木马","id":"566002","firedtimes":1,"mail":true,"groups":["ids"," suricata_eve"]},"agent":{"id":"000","name":"centqiang"},"manager":{"name":"centqiang"},"id":"1640685105.128130","full_log":"{\"timestamp\":\"2021-12-28T17:51:44.154165+0800\",\"flow_id\":1619038894591458,\"in_iface\":\"ens33\",\"event_type\":\"alert\",\"src_ip\":\"192.168.112.1\",\"src_port\":16996,\"dest_ip\":\"192.168.112.195\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":5613007,\"rev\":1,\"signature\":\"URL地址木马\",\"category\":\"站点木马植入\",\"severity\":1},\"http\":{\"hostname\":\"192.168.112.195\",\"url\":\"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":374},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":820,\"bytes_toclient\":1074,\"start\":\"2021-12-28T17:51:44.101858+0800\"}}","decoder":{"name":"suricata_eve"},"data":{"srcip":"192.168.112.1","event_type":"alert","signature":"URL地址木马","severity":"1"},"location":"/var/log/suricata/eve.json"},"program":"active-response/bin/firewall-drop"}}
version: 1
origin.name: node01
origin.module: wazuh-execd
command: add
parameters.extra_args: []
parameters.alert.timestamp: 2021-12-28T17:51:45.954+0800
parameters.alert.rule.level: 12
parameters.alert.rule.description: Suricata致命预警:URL地址木马
parameters.alert.rule.id: 566002
parameters.alert.rule.firedtimes: 1
parameters.alert.rule.mail: true
parameters.alert.rule.groups: ["ids", " suricata_eve"]
parameters.alert.agent.id: 000
parameters.alert.agent.name: centqiang
parameters.alert.manager.name: centqiang
parameters.alert.id: 1640685105.128130
parameters.alert.full_log: {"timestamp":"2021-12-28T17:51:44.154165+0800","flow_id":1619038894591458,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":16996,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":820,"bytes_toclient":1074,"start":"2021-12-28T17:51:44.101858+0800"}}
parameters.alert.decoder.name: suricata_eve
parameters.alert.data.srcip: 192.168.112.1
parameters.alert.data.event_type: alert
parameters.alert.data.signature: URL地址木马
parameters.alert.data.severity: 1
parameters.alert.location: /var/log/suricata/eve.json
parameters.program: active-response/bin/firewall-drop
III. Remaining problems
1. srcip on bidirectional traffic

Suricata alerts on both directions. For a from_server (to_client) match, src_ip is the server's address; if Wazuh extracts that IP and blocks it, the server gets blocked, when the attacker is actually dest_ip. Solutions:

(1) Use metadata: key value; in the Suricata rule to mark the direction and let Wazuh tell the cases apart (needs two decoders)

(2) Use Suricata's target keyword, set to target:dest_ip for rules that match on responses rather than the default assumption that src_ip is the attacker; eve.json then carries alert.source and alert.target, which name the attacker regardless of packet direction

(3) Parse the Suricata log in Python in real time and respond to severity 1 directly, bypassing Wazuh's rule constraints

How to do it with target:

Step 1: define the decoder

<decoder name="suricata_eve">
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
  <order>event_type,signature,severity,srcip</order>
</decoder>

Step 2: test

[root@centqiang alerts]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line
{"timestamp":"2022-07-28T11:28:26.648845+0800","flow_id":1784851008772983,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.195","src_port":80,"dest_ip":"192.168.112.1","dest_port":56009,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":561001,"rev":0,"signature":"出现404错误","category":"","severity":3,"source":{"ip":"192.168.112.1","port":56009},"target":{"ip":"192.168.112.195","port":80}},"http":{"hostname":"192.168.112.195","url":"/dashboard/phpinfo.phpx","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":692},"files":[{"filename":"/dashboard/phpinfo.phpx","sid":[],"gaps":false,"state":"UNKNOWN","stored":false,"size":645,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":6,"bytes_toserver":692,"bytes_toclient":1837,"start":"2022-07-28T11:28:26.646007+0800"}}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
    name: 'suricata_eve'
    event_type: 'alert'
    severity: '3'
    signature: '出现404错误'
    srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
    id: '562601'
    level: '3'
    description: 'Suricata-Wazuh预警:192.168.112.1)'
    groups: '['ids', 'suricata']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.
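Option (3) above, and the direction problem it addresses, as an added example that is not code from the notes or from Wazuh: a Python reader for eve.json that picks the address to block. It prefers alert.source.ip, which Suricata fills in only when the rule carries target, and otherwise infers the direction from the port (SERVER_PORTS is an assumption about the lab's services); it filters on severity and refuses to block protected addresses, and it also runs the decoder regex from step 1 (transcribed to Python's re with lazy quantifiers, an approximation of Wazuh's engine) to show where \S+ captures break. The sample lines are constructed, modelled on the eve.json records shown above.

```python
import json
import re

# Assumption: the lab's service ports; a packet whose source port is one of
# these is a server response, so the attacker is on the destination side.
SERVER_PORTS = {22, 80, 443, 3306, 8080}

# Constructed eve.json lines (not copied from the lab): a target-aware 404
# alert, a request-side webshell alert, a response-side alert without target,
# a target-aware alert whose signature contains spaces, a flow record, junk.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-07-28T11:28:26.648845+0800","event_type":"alert","src_ip":"192.168.112.195","src_port":80,"dest_ip":"192.168.112.1","dest_port":56009,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":561001,"rev":0,"signature":"404-error","category":"","severity":3,"source":{"ip":"192.168.112.1","port":56009},"target":{"ip":"192.168.112.195","port":80}}}',
    '{"timestamp":"2022-07-28T11:30:00.000000+0800","event_type":"alert","src_ip":"192.168.112.1","src_port":16996,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL-webshell","category":"webshell","severity":1}}',
    '{"timestamp":"2022-07-28T11:31:00.000000+0800","event_type":"alert","src_ip":"192.168.112.195","src_port":80,"dest_ip":"192.168.112.9","dest_port":56010,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":561003,"rev":1,"signature":"path-scan","category":"","severity":1}}',
    '{"timestamp":"2022-07-28T11:32:00.000000+0800","event_type":"alert","src_ip":"192.168.112.195","src_port":8080,"dest_ip":"192.168.112.7","dest_port":40210,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":561004,"rev":1,"signature":"login brute force suspected","category":"","severity":1,"source":{"ip":"192.168.112.7","port":40210},"target":{"ip":"192.168.112.195","port":8080}}}',
    '{"timestamp":"2022-07-28T11:33:00.000000+0800","event_type":"flow","src_ip":"192.168.112.1","src_port":50000,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP"}',
    'this line is not JSON',
]
SAMPLE_EVE = "\n".join(SAMPLE_EVE_LINES)


def parse_alerts(text):
    """Return the alert events from eve.json text, skipping other event types
    and lines that are not valid JSON (a partially written line, for example)."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts


def attacker_ip(ev):
    """Return (ip, how) for the address an active response should act on.
    alert.source.ip is authoritative when present (the rule has target);
    otherwise fall back to the packet direction inferred from SERVER_PORTS."""
    source_ip = ev.get("alert", {}).get("source", {}).get("ip")
    if source_ip:
        return source_ip, "alert.source"
    if ev.get("src_port") in SERVER_PORTS and ev.get("dest_port") not in SERVER_PORTS:
        return ev["dest_ip"], "heuristic:response"
    return ev["src_ip"], "heuristic:request"


def block_list(text, max_severity=1, protected=()):
    """Addresses to hand to firewall-drop: alerts with severity <= max_severity
    (1 is the most severe), never an address listed in protected."""
    blocks = {}
    for ev in parse_alerts(text):
        if ev["alert"].get("severity", 3) > max_severity:
            continue
        ip, how = attacker_ip(ev)
        if ip in protected:
            continue
        blocks.setdefault(ip, []).append((ev["alert"]["signature"], how))
    return blocks


# The suricata_eve decoder regex from step 1, transcribed into Python's re
# with lazy quantifiers (an approximation of Wazuh's regex engine).
WAZUH_DECODER = re.compile(
    r'"event_type":"(\w+)"\S+?"signature":"(\S+?)"\S+?"severity":(\d+)\S+?"source":\{"ip":"(\S+?)"'
)


def wazuh_style_decode(line):
    """What the regex decoder would extract, or None when it fails to match."""
    m = WAZUH_DECODER.search(line)
    return dict(zip(("event_type", "signature", "severity", "srcip"), m.groups())) if m else None


if __name__ == "__main__":
    for ip, hits in block_list(SAMPLE_EVE).items():
        print(ip, hits)
    print(wazuh_style_decode(SAMPLE_EVE_LINES[0]))
    print(wazuh_style_decode(SAMPLE_EVE_LINES[3]))   # None: the signature contains spaces
```

The response-side alert resolves to 192.168.112.9 rather than the server, the target-aware alerts resolve through alert.source, and the fourth line shows that a msg with spaces is invisible to the regex decoder even though json.loads reads it fine; in production the protected set should hold the monitored servers so a misfiring rule can never block them.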
2. The disabled json decoder

To avoid disabling the json decoder, make suricata_eve a child of the json decoder:

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
<decoder name="suricata_eve">
  <parent>json</parent>
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
  <order>event_type,signature,severity,srcip</order>
</decoder>

The rule then simply names json as its decoder:

<rule id="562600" level="0">
      <decoded_as>json</decoded_as>
      <description>Suricata预警信息根规则.</description>
      <options>no_full_log</options>
</rule>

Re-running the log test now gives:

**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
    name: 'json'
    parent: 'json'
    event_type: 'alert'
    severity: '3'
    signature: '出现404错误'
    srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
    id: '562601'
    level: '3'
    description: 'Suricata-Wazuh预警:192.168.112.1'
    groups: '['ids', 'suricata']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.


In fact, unless active response is the goal, Wazuh already ships Suricata rules and they can be used as they are.
