本周重点
①HIDS的基本应用(suricata)
②Suricata的基本应用
③Suricata的流量检测
④Suricata的https流量检测
⑤利用Elastic整合Suricata日志
⑥利用Wazuh对Suricata主动响应
本周主要内容
①HIDS的基本应用(suricata)
1、NIDS
1、定义:网络入侵检测系统
2、工作机制:网络流量需要经过NIDS系统,如果通过NIDS的检测规则,没有发现问题,则可以进入后续的设备。类似于在服务器的前面加入一层过滤器。
2、suricata的安装
1、安装:按照官方文档的提示,使用提供的命令进行在线安装
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-6.0
yum install suricata
# 安装完成后,对应的路径如下:
Suricata主程序路径:/usr/sbin/suricata
Suricata核心配置目录:/etc/suricata/
Suricata日志目录:/var/log/suricata/
Suricata附属程序目录:/usr/bin
# 日志目录下的4个文件的功能
eve.json:以JSON格式存储预警信息或附加信息
fast.log:预警核心文件,只用于存储警告信息,非结构化数据
stats.log:Suricata的统计信息
suricata.log:Suricata程序的运行日志
#Linux安装
# yum install libjansson, libpcap, libpcre2, libmagic, zlib, libyaml, gcc, pkg-config,libgeoip, liblua5.1, libhiredis, libevent
2、修改基础配置信息
直接编辑/etc/suricata/suricata.yaml
vars:
# more specific is better for alert accuracy and performance
address-groups:
#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
#HOME_NET: "[192.168.0.0/16]"
#HOME_NET: "[10.0.0.0/8]"
#HOME_NET: "[172.16.0.0/12]"
#HOME_NET: "any"
HOME_NET: "[192.168.112.0/24]" # 指定192.168.112.0/24网段属于本地网络
#EXTERNAL_NET: "!$HOME_NET" # 指定非HOME_NET的IP为外部网络
EXTERNAL_NET: "any" # 指定任意IP地址,只要是源IP,均视为外部网络
3、手工创建一个规则文件(没有规则文件启动会报错)
touch /etc/suricata/rules/suricata.rules
再指定 default-rule-path: /etc/suricata/rules 或 /var/lib/suricata/rules 均可
#加入一条规则
alert http $EXTERNAL_NET any <> $HOME_NET 80 (msg:"出现404错误"; content: "404"; http_stat_code; sid:561001;)
4、启动
cd /etc/suricata && suricata -c suricata.yaml -i ens33
-c <path> 指定配置文件的路径
-i ens33 指定网络接口,凡是拦截网络流量的工具,都需要设定网卡
-D daemon 守护线程,所以这里的-D就是将suricata切到守护模式(后台启动)
-r <path> 作用就是导入离线的流量包,比如用wireshake抓包,然后保存成一个pcap文件, 可以用 -r ../../xxx.pcap
3、规则语法基础
- 预警规则
()中的内容,使用key:value的方式来设置元素,元素之间使用“;”隔开。如果规则中存在特色字符,使用转移字符\来解决
alert http $External_net any <> $HOME_NET 80 (msg:"提示信息";content:"404";target;sid:1232;rev:123)
action: 比如alert,drop,reject
协议字符:http,tcp,ssh
src_ip: $External_net
src_port: any 代表任意,一般来说源端口是任意的
方向:请求流量使用-> , 既有请求流量又需要响应流量,使用 <> ; 只有这么两种
dest_ip:$HOME_NET
dest_port: 80 目标端口
- IP地址的规则
../.. IP范围 , 192.168.211.1/24
!IP 代表取反,比如 !192.168.211.10 表示除掉192.168.211.10的地址
[...,...,....] 分组IP地址,[172.12.2.2,192.168.211.0/24]
IP 指定IP地址,就是写死IP地址
- 端口规则
[80,81,82] 分组写法,表示在[]中存在IP即可,类似SQL中的 in
[80:100] 表示从80到100的范围
[80:] 从80端口开始到最高的端口65535
!80 取反,排除80端口
[80:100,!99] 复合写法,表示80到100的端口,去掉99号端口
- meta keyword 元关键字
msg:预警描述信息
sid:规则编号:唯一
rev:规则的版本,默认为0,可以自由设定
classtype:规则的归类,在文件classification.config中定义
reference:引用参考,一般用于引用CVE编号
priority:优先级,如果设定了优先级,则可能会覆盖classtype中定义的优先级,这个关键字的取值范围1~255,建议设定为 1-4,1级最高
metadata:元素据,用于添加非功能性的数据
target:允许指定警报的是那一侧的攻击目标,target:[src_ip | dest_ip]
②Suricata的基本应用
1、识别HTTP攻击
1、定义攻击类型
修改类型定义文件classification.config
# custom define web classtype
config classification: web_status_error,WEB服务器状态异常,4
config classification: web_scan_attack,WEB页面扫描攻击,2
config classification: web_sql_injection,SQL注入攻击,1
config classification: web_shell_attack,木马植入攻击,1
2、编写检查的规则
检查规则在文件/var/lib/suricata/rules目录下面,文件名suricata.rules;/var/log/suricata
## Configure Suricata to load Suricata-Update managed rules.
##
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
3、编写规则
alert http any any <> $HOME_NET 80 (msg:"WEB服务器404异常";content:"404";http_stat_code;classtype:web_status_error;sid:5610001;rev:1;)
alert http any any <> $HOME_NET 80 (msg:"SQL注入攻击-union";content:"union";http_uri;classtype:web_sql_injection;sid:5610002;rev:1;)
4、重启suricata,验证规则是否生效
在浏览器中输入:[http://192.168.230.138/dashboard/phpinfo.php?id=1%20union%20select%201,2,3,4%20#](http://192.168.230.138/dashboard/phpinfo.php?id=1 union select 1,2,3,4 #)
监控日志:/var/log/suricata/fast.log
05/20/2024-11:39:51.470394 [**] [1:5610002:1] SQL注入攻击-union [**] [Classification: SQL注入攻击] [Priority: 1] {TCP} 192.168.230.1:59589 -> 192.168.230.138:80
5、练习:
- SQL注入检测:database(),version(),char()
- web403异常,web 500异常
2、识别频率类的攻击的规则
404错误,当在一个时间范围内,连续多次的出现404,判定可能存在路径扫描
规则编写:
alert http any any <> $HOME_NET 80 (msg:"频繁出现404,疑似路径扫描";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)
threshold: 阈值
- 类型:type threshold 达到阈值则生成报警,limit 达到阈值后,最多生成多少次报警,这里的多少次由count决定,both照顾前面两种情况
- 追踪方向:track \
- 阈值:count \ 设定匹配规则的次数
- 时间窗口: seconds \ 设定n秒
练习:
1、识别登录的暴力破解密码的攻击
规则编写
alert http any any <> $HOME_NET 8080 (msg:"疑似登录爆破攻击";http.response_body;content:"login-fail";classtype:web_brute_attack;threshold:type threshold,track by_src,count 5,seconds 20;sid:561004;rev:1;)
增加检测的类型
config classification: web_brute_attack,暴力破解攻击,1
重启之后,进行验证;这里使用的目标web系统是woniusales
3、content规则字段解析
1、content字节表达方式
" |22| ; |3B| : |3A| | |7C|
例子:
content:"a|0D|bc"; content:"|61 0D 62 63|"; content:"a|0D|b|63|";
content在匹配的时候,区分大小写
如果不区分大小写,就需要是nocase关键字,告诉suricata在做匹配的时候不需要区分大小写
content: "abc"; nocase;
注意:nocase必须放在content的后面
2、深度:depth,表示从payload的有效载荷开始取指定的数目的字符
比如:payload=”abcdefghijk”,如果content=”def”;depth:3 这样就匹配不到
3、开始和结束字符
startswith: 检查content的值作为前缀;比如: content:” G E T ” ; s t a r t s w i t h ; 表示被检测的内容必须以 GET”;startswith; 表示被检测的内容必须以 GET”;startswith;表示被检测的内容必须以GET作为开始。
endswith:检查content的值作为后缀;比如:content:”.png”;endswith; 表示被检测的内容必须以.png结束
4、偏移量offset
从有效载荷的开始数offset个字节然后才开始匹配content的内容
\
4、检测XSS攻击流量
规则:
alert http any any <> $HOME_NET 8080 (msg:"疑似XSS攻击";http.uri;content:"<script";nocase;classtype:web_sql_injection;sid:561005;rev:1;)
5、使用pcre进行复杂内容验证
pcre是兼容perl的正则表达式的一个标准,可以使用perl的规则来编写正则表达式
语法:pcre:”/regex/正则匹配的类型”
正则匹配的类型: i 表示忽略大小写,A,G
练习:
检测流量中包含一句话木马
php的一句话木马:
<php eval($_GET[0]);?>
jsp的一句话木马:
<% Process process = Runtime.getRuntime().exec(request.getParameter("cmd")); %>
规则
alert http any any <> $HOME_NET 80 (msg:"流量中存在一句话木马";http.uri;content:"<?";pcre:"/eval|assert|system\(|exec|$_GET|$_POST/i";classtype:web_shell_attack;sid:561006;rev:1;)
如果是在post的正文里面使用了一句话木马,如何检测?
检测的目标从http.uri变成请求正文内容,请求的正文关键字是: http.request_body 或 http_client_body
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)
4、一个规则中进行多个字段的匹配
规则描述
先匹配请求方法,如果是post,再匹配正文中是否存在一句话木马
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561009;rev:1;)
5、检测文件上传流量
1、文件上传的流量特征
- 方法是POST
- content_type必须是multipart/form-data
- 正文中必须要有: Content-Disposition
2、规则
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";classtype:web_file_upload;sid=561010;rev:1;)
3、文件上传的时候,包含一句话木马
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";http.request_body;pcre:"/eval|assert|system\(exec|$_POST|$_GET\(/i";classtype:web_file_upload;sid=561010;rev:1;)
3、练习:
编写一个上传文件的一句话木马检测规则
③Suricata的流量检测
1、icmp流量监测
规则:
alert icmp any any -> $HOME_NET any (msg:"检测到死亡ping攻击";dsize:>30;itype:8;threshold: type both,track by_src,count 20,seconds 5;sid:561011;rev:1;)
解释:
协议使用icmp, 目标端口设置为any,dsize关键字的作用判断有效载荷的字节数,>n,<n,!n; itype是icmp协议的类型type,这里的取8.
2、tcp flood
规则
alert tcp any any -> $HOME_NET any (msg:"TCP泛洪";flow: established,to_server;threshold: type threshold,track by_src,count 20 , seconds 1; sid:561012;rev:1;)
解释:
协议使用tcp,
关键字flow:
关键字可用于匹配流的方向,例如到/从客户端或到/从服务器。它还可以匹配是否建立了流。流关键字还可以用来表示签名必须只在流上匹配(只在流上匹配)或只在包上匹配(不在流上匹配)。
因此,使用Flow关键字可以匹配:
to_client
在从服务器到客户端的数据包上匹配。
to_server
在从客户端到服务器的数据包上匹配。
from_client
在从客户机到服务器的数据包上匹配(与到服务器相同)。
from_server
在从服务器到客户机的数据包上进行匹配(与“客户机”相同)。
已建立
匹配已建立的连接。
not_established
匹配不属于已建立连接的数据包。
无状态 stateless
匹配属于或不属于已建立连接的数据包。
3、SYN Flood
规则
alert tcp any any -> $HOME_NET any (msg:"SYN flood";flags:S;flow:stateless,to_server;dsize:>100;threshold: type threshold,track by_src,count 20 , seconds 1; sid:561012;rev:1)
flags:
F:finished 结束
S:syn 同步,会话开始
R:rst,reset 复位
A:ack 应答
U:urg 紧急
4、检测CC攻击流量
规则
alert http any any -> $HOME_NET 8080 (msg:"CC攻击";flow:established,to_server;threshold:type both,track by_src,count 20,seconds 1;http:method;content:"POST";http.request_body;content:"barcode";sid:561013;rev:1;)
这里使用了关键字flow,表示请求的发送是基于先建立的tcp的连接
5、MySQL爆破流量检测
规则
alert tcp any any <> $HOME_NET 3306 (msg:"MySQL爆破攻击";content:"Access denied for user";threshold: type threshold,track by_src,count 10,seconds 10;sid:561014;rev:1;)
6、MySQL木马写入流量检测
select "<?php eval($_POST[1]);?>" into outfile "/opt/shell.php"
规则
alert tcp any any <> $HOME_NET 3306 (msg:"MySQL木马写入攻击";content:"into outfile";nocase;pcre:"/eval|assert|system|_POST|_GET/i";classtype:web_shell_attackl;sid:561015;rev:1;)
7、SSH流量检测
特征
规则:
alert ssh any any <> $HOME_NET 22 (msg:"SSH爆破";content:"|15 00 00 00 00 00 00 00 00 00 00|";threshold: type threshold,track by_src,count 3,seconds 10;sid:561016;rev:1;)
④Suricata的https流量检测
1、suricata是没有办法分析加密流量,所以只能通过其他的软件先将流量进行解密,然后传递给suricata
2、构造实验环境
- 一台客户机,模拟客户发送https请求,发给nginx
- 一台Linux,安装nginx服务,该设备上必须要安装https的证书,并且反向代理远程的tomcat
- 一台tomcat服务器,
- suricata可以安装在nginx或tomcat的服务器上
一、代理检测HTTPS的流量
原理:因为NIDS没有办法去检测加密的流量,所以需要通过代理的方式,先将加密的流量解密再进行检测。使用nginx来代理,然后suricata去检测nginx的流量。
1、准备好实验环境
- tomcat:192.168.230.13
- nginx:192.168.230.139
- suricata:192.168.230.138
2、给nginx生成证书
这里的证书的作用是用于解密浏览器传递过来的https加密流量
# 确认openssl是否安装好 openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 # 生成私钥 openssl genrsa -des3 -out server.pass.key 2048 # 去除私钥中的密码 rsa -in server.pass.key -out server.key # 生成CSR证书 req -new -key server.key -out server.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dev/OU=dev/CN=localhost" # 生成SSL的证书 openssl x509 -req -day 365 -in server.csr -signkey server.key -out server.crt # 将 server.key ,server.csr ,server.crt 复制到/usr/local/nginx/conf下面去 cp -p server.crt server.csr server.key /usr/local/nginx/conf/
3、修改nginx.conf文件,对tomcat进行反向代理
user nginx; #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; error_log /var/log/nginx/error.log; #pid logs/nginx.pid; pid /run/nginx.pid; events { worker_connections 1024; } http { #include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; upstream mytomcat{ server 192.168.230.138:8080 weight=1; } # HTTPS server # server { listen 443 ssl; server_name localhost; ssl_certificate /usr/local/nginx/conf/server.crt; ssl_certificate_key /usr/local/nginx/conf/server.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; } location /woniusales/{ proxy_pass http://mytomcat/woniusales/; proxy_redirect default; } error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location =/50x.html{ root html; } } }
4、启动nginx和tomcat,然后验证环境是否配置成果
5、准备suricata的规则
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)
6、重启suricata,在浏览器这边去输入含有敏感的关键字的请求,检测suricata是否能够正确的拦截流量
05/21/2024-06:25:02.489259 [**] [1:561008:1] 流量中存在一句话木马 [**] [Classification: 木马植入攻击] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080 05/21/2024-06:25:02.489259 [**] [1:561009:1] 流量中存在一句话木马 [**] [Classification: 木马植入攻击] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080
练习:
按照上述过程,编写一个检测流量中含有MySQL注入的规则
二、在suricata中实现ips的功能
suricata自己是没有办法去实现丢弃或者封禁的功能,suricata提供NFQueue的功能,这个功能和iptables的NFQueue结合起来就用实现对流量的管制
NFQueue的用途:iptables将流量放到这个队列中,然后等待用户程序对流量进行分析做出处置的决策,然后iptables会根据决策来执行处置行为。
实现步骤
1、安装iptables
yum -y install iptables iptables-services systemctl stop firewalld systemctl start iptables.service
2、开启iptables的队列功能
iptables -I INPUT -p tcp --dport 80 -j NFQUEUE iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -I INPUT -p tcp --dport 8080 -j NFQUEUE iptables -I OUTPUT -p tcp --sport 8080 -j NFQUEUE
3、suricata启动队列监听
suricata -c suricata.yaml -q 0
4、指定规则
drop http any any <> $HOME_NET 80 (msg:"频繁出现404,疑似路径扫描";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)
如果频繁的出现404则丢弃该IP过来的数据包
5、结果,可以看出多了drop标记
05/21/2024-08:40:53.583490 [**] [1:5610001:1] WEB服务器404异常 [**] [Classification: WEB服务器状态异常] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941 05/21/2024-08:40:53.771510 [Drop] [**] [1:561003:1] 频繁出现404,疑似路径扫描 [**] [Classification: WEB服务器状态异常] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941
⑤利用Elastic整合Suricata日志
一、配置FileBeat
1、查看目前已经启用哪些模块
[root@centqiang filebeat-7.14]# ./filebeat modules list
Error in modules manager: modules management requires 'filebeat.config.modules.path' setting
[root@centqiang filebeat-7.14]# vi filebeat.yml
filebeat.config.modules:
path: /opt/filebeat-7.14/modules.d/*.yml
reload.enabled: true
reload.period: 10s
2、启用suricata模块
[root@centqiang filebeat-7.14]# ./filebeat modules enable suricata
Enabled suricata
3、对Suricat模块进行初始化
可以直接完成相应模板及Kibana的Dashboard的创建和处理,前提是先启动ES和Kibana。
(1)编辑: modules.d/suricata.yml
- module: suricata
eve:
enabled: true
var.paths: ["/var/log/suricata/eve.json"]
(2)编辑:filebeat.yml,配置Filebeat连接Elastic和Kibana
setup.kibana:
host: "192.168.112.198:5601"
protocol: "http"
setup.dashboards.enabled: true
(3)运行 ./filebeat setup -e进行初始化操作,用于连接和配置ElasticSearch和Kibana。
[root@centqiang filebeat-7.14]# ./filebeat setup -e
2021-12-27T14:54:50.670+0800 INFO instance/beat.go:665 Home path: [/opt/filebeat-7.14] Config path: [/opt/filebeat-7.14] Data path: [/opt/filebeat-7.14/data] Logs path: [/opt/filebeat-7.14/logs]
2021-12-27T14:54:50.670+0800 INFO instance/beat.go:673 Beat ID: 5ff8de48-96bf-4699-8777-818b8f6e16c0
2021-12-27T14:54:50.671+0800 INFO [beat] instance/beat.go:1014 Beat info {"system_info": {"beat": {"path": {"config": "/opt/filebeat-7.14", "data": "/opt/filebeat-7.14/data", "home": "/opt/filebeat-7.14", "logs": "/opt/filebeat-7.14/logs"}, "type": "filebeat", "uuid": "5ff8de48-96bf-4699-8777-818b8f6e16c0"}}}
2021-12-27T14:54:50.671+0800 INFO [beat] instance/beat.go:1023 Build info {"system_info": {"build": {"commit": "574c21d25ddb65a63665ac26b54799f81a7e9706", "libbeat": "7.14.2", "time": "2021-09-15T10:26:32.000Z", "version": "7.14.2"}}}
2021-12-27T14:54:50.671+0800 INFO [beat] instance/beat.go:1026 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.16.6"}}}
2021-12-27T14:54:50.671+0800 INFO [beat] instance/beat.go:1030 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-12-27T09:38:40+08:00","containerized":false,"name":"centqiang","ip":["127.0.0.1/8","::1/128","192.168.112.195/24","fe80::c135:a71d:3611:b840/64","fe80::3726:145f:911a:51b2/64","fe80::2b1d:468a:d07a:34bc/64"],"kernel_version":"3.10.0-1160.el7.x86_64","mac":["00:0c:29:30:a6:c8"],"os":{"type":"linux","family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"CST","timezone_offset_sec":28800,"id":"4014b10d46364734aa0c022a21147156"}}}
2021-12-27T14:54:50.671+0800 INFO [beat] instance/beat.go:1059 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/opt/filebeat-7.14", "exe": "/opt/filebeat-7.14/filebeat", "name": "filebeat", "pid": 10688, "ppid": 7839, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2021-12-27T14:54:50.090+0800"}}}
2021-12-27T14:54:50.671+0800 INFO instance/beat.go:309 Setup Beat: filebeat; Version: 7.14.2
2021-12-27T14:54:50.672+0800 INFO [esclientleg] eslegclient/connection.go:100 elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:54:50.672+0800 INFO [publisher] pipeline/module.go:113 Beat name: centqiang
2021-12-27T14:54:50.673+0800 INFO beater/filebeat.go:117 Enabled modules/filesets: wazuh (alerts), ()
2021-12-27T14:54:50.674+0800 INFO [esclientleg] eslegclient/connection.go:100 elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:54:50.677+0800 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.2
ILM policy and write alias loading not enabled.
2021-12-27T14:54:50.679+0800 INFO template/load.go:229 Existing template will be overwritten, as overwrite is enabled.
2021-12-27T14:54:50.680+0800 INFO template/load.go:132 Try loading template wazuh to Elasticsearch
2021-12-27T14:54:50.747+0800 INFO template/load.go:124 Template with name "wazuh" loaded.
2021-12-27T14:54:50.747+0800 INFO [index-management] idxmgmt/std.go:297 Loaded index template.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
2021-12-27T14:54:50.747+0800 INFO kibana/client.go:122 Kibana url: http://192.168.112.198:5601
2021-12-27T14:54:52.039+0800 INFO kibana/client.go:122 Kibana url: http://192.168.112.198:5601
2021-12-27T14:56:10.013+0800 INFO instance/beat.go:848 Kibana dashboards successfully loaded.
Loaded dashboards
2021-12-27T14:56:10.013+0800 WARN [cfgwarn] instance/beat.go:574 DEPRECATED: Setting up ML using Filebeat is going to be removed. Please use the ML app to setup jobs. Will be removed in version: 8.0.0
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
2021-12-27T14:56:10.014+0800 INFO [esclientleg] eslegclient/connection.go:100 elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.018+0800 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.018+0800 INFO kibana/client.go:122 Kibana url: http://192.168.112.198:5601
2021-12-27T14:56:10.046+0800 WARN fileset/modules.go:425 X-Pack Machine Learning is not enabled
2021-12-27T14:56:10.067+0800 WARN fileset/modules.go:425 X-Pack Machine Learning is not enabled
Loaded machine learning job configurations
2021-12-27T14:56:10.067+0800 INFO [esclientleg] eslegclient/connection.go:100 elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.070+0800 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.072+0800 INFO [esclientleg] eslegclient/connection.go:100 elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.075+0800 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.203+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-suricata-eve-pipeline"}
2021-12-27T14:56:10.263+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-suricata-eve-dns"}
2021-12-27T14:56:10.320+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-suricata-eve-dns-answer-v1"}
2021-12-27T14:56:10.367+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-suricata-eve-dns-answer-v2"}
2021-12-27T14:56:10.427+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-suricata-eve-tls"}
2021-12-27T14:56:10.482+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-suricata-eve-http"}
2021-12-27T14:56:10.482+0800 INFO cfgfile/reload.go:262 Loading of config files completed.
2021-12-27T14:56:10.482+0800 INFO [load] cfgfile/list.go:129 Stopping 1 runners ...
2021-12-27T14:56:10.546+0800 INFO [modules] fileset/pipelines.go:133 Elasticsearch pipeline loaded. {"pipeline": "filebeat-7.14.2-wazuh-alerts-pipeline"}
Loaded Ingest pipelines
如果上述命令执行过程没有出现错误,说明初始化成功。
二、在Kibana中配置Dashboard
1、确认索引正常
2、搜索Dashboard
2、进入[Filebeat Suricata] Alert Overview
可以看到,Suricata预警在下方以表格的形式正常列出,但是上方的图表却出现了错误。
3、为图表修正错误
将鼠标放在 Error 提示信息上,可以看到,出错的图表的错误主要出现在关联的某个字段已经不存在的情况。
此时,只需要点击图表右上方的齿轮按钮,并在“Edit Visualization”菜单中,为其指定正确的列名即可。
4、Discover搜索并查看
三、利用Wazuh整合Suricata
1、配置Wazuh监控eve.json
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
2、确认内置规则
ruleset/rules/0475-suricata_rules.xml
<group name="ids,suricata,">
<rule id="86600" level="0">
<decoded_as>json</decoded_as>
<field name="timestamp">\.+</field>
<field name="event_type">\.+</field>
<description>Suricata messages.</description>
<options>no_full_log</options>
</rule>
<rule id="86601" level="3">
<if_sid>86600</if_sid>
<field name="event_type">^alert$</field>
<description>Suricata: Alert - $(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
3、自定义规则对应Wazuh级别
<group name="ids,suricata,">
<rule id="86601" level="5" overwrite="yes">
<if_sid>86600</if_sid>
<field name="event_type">^alert$</field>
<description>Suricata普通预警:$(alert.signature)</description>
<options>no_full_log</options>
</rule>
<rule id="86605" level="12">
<if_sid>86601</if_sid>
<field name="alert.severity">^1$</field>
<description>Suricata严重预警:$(alert.signature)</description>
<options>no_full_log</options>
</rule>
</group>
4、启动Wazuh并实时查看alerts.log
5、在Kibana中进行查看
⑥利用Wazuh对Suricata主动响应
一、配置解码器和规则
1、基本思路
从eve.json中可以读取到src_ip,并且通过JSON解码器也能够识别为正常的字段值,但是firewall-drop需要的字段是srcip(Wauzh内置的静态字段),而不是src_ip,所以必须要想办法将src_ip识别和提取出来,变成Wazuh的srcip的字段,才可以正常触发主动响应。
那么如何从eve.json中提取出src_ip,并且赋值给srcip呢?就按照原始Wazuh提取数据字段的方式进行处理即可。
2、解码器
<!-- Suricata主动响应解码器 -->
<decoder name="suricata_eve">
<prematch>^{"timestamp</prematch>
<regex offset="after_prematch">"event_type":"(\w+)"\S+"src_ip":"(\S+)"\S+"signature":"(\S+)"\S+"severity":(\d)</regex>
<order>event_type,srcip,signature,severity</order>
</decoder>
直接监控fast.log也不是不可以,但是有很多信息无法准确提取,所以建议监控eve.json日志
3、规则
<group name="ids,suricata,">
<rule id="562600" level="0">
<decoded_as>suricata_eve</decoded_as>
<description>Suricata预警信息根规则.</description>
<options>no_full_log</options>
</rule>
<rule id="562601" level="3">
<if_sid>562600</if_sid>
<field name="event_type">^alert$</field>
<description>Suricata-Wazuh预警:$(srcip))</description>
<options>no_full_log</options>
</rule>
<rule id="562602" level="12">
<if_sid>562601</if_sid>
<field name="severity">^1$</field>
<description>Suricata致命预警:$(srcip) - $(signature)</description>
<options>no_full_log</options>
</rule>
</group>
4、禁用json解码器
<decoder name="json">
<prematch>^NoUse{\s*"</prematch>
<plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
由于内置解码器json会先于suricata_eve自定义解码器执行,所以前期可以先通过禁用json解码器的方式进行规则调试,但是后期肯定不能这样做,否则对其他JSON数据的解码就会存在问题,仍然需要寻找解决方案。
5、测试规则
/var/ossec/bin/wazuh-logtest
{"timestamp":"2021-12-28T12:24:18.861779+0800","flow_id":801237179200730,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":1110,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=%3C?eval($_POST[a]);","http_user_agent":"Mozilla/5.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":793,"bytes_toclient":1074,"start":"2021-12-28T12:24:18.816346+0800"}}
二、设计主动响应
1、主动响应
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>9</level>
<timeout>600</timeout>
</active-response>
2、进行测试
** Alert 1640685105.129291: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,
2021 Dec 28 17:51:45 centqiang->/var/ossec/logs/active-responses.log
Rule: 651 (level 3) -> 'Host Blocked by firewall-drop Active Response'
2021/12/28 17:51:45 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-12-28T17:51:45.954+0800","rule":{"level":12,"description":"Suricata致命预警:URL地址木马","id":"566002","firedtimes":1,"mail":true,"groups":["ids"," suricata_eve"]},"agent":{"id":"000","name":"centqiang"},"manager":{"name":"centqiang"},"id":"1640685105.128130","full_log":"{\"timestamp\":\"2021-12-28T17:51:44.154165+0800\",\"flow_id\":1619038894591458,\"in_iface\":\"ens33\",\"event_type\":\"alert\",\"src_ip\":\"192.168.112.1\",\"src_port\":16996,\"dest_ip\":\"192.168.112.195\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":5613007,\"rev\":1,\"signature\":\"URL地址木马\",\"category\":\"站点木马植入\",\"severity\":1},\"http\":{\"hostname\":\"192.168.112.195\",\"url\":\"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":374},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":820,\"bytes_toclient\":1074,\"start\":\"2021-12-28T17:51:44.101858+0800\"}}","decoder":{"name":"suricata_eve"},"data":{"srcip":"192.168.112.1","event_type":"alert","signature":"URL地址木马","severity":"1"},"location":"/var/log/suricata/eve.json"},"program":"active-response/bin/firewall-drop"}}
version: 1
origin.name: node01
origin.module: wazuh-execd
command: add
parameters.extra_args: []
parameters.alert.timestamp: 2021-12-28T17:51:45.954+0800
parameters.alert.rule.level: 12
parameters.alert.rule.description: Suricata致命预警:URL地址木马
parameters.alert.rule.id: 566002
parameters.alert.rule.firedtimes: 1
parameters.alert.rule.mail: true
parameters.alert.rule.groups: ["ids", " suricata_eve"]
parameters.alert.agent.id: 000
parameters.alert.agent.name: centqiang
parameters.alert.manager.name: centqiang
parameters.alert.id: 1640685105.128130
parameters.alert.full_log: {"timestamp":"2021-12-28T17:51:44.154165+0800","flow_id":1619038894591458,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":16996,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":820,"bytes_toclient":1074,"start":"2021-12-28T17:51:44.101858+0800"}}
parameters.alert.decoder.name: suricata_eve
parameters.alert.data.srcip: 192.168.112.1
parameters.alert.data.event_type: alert
parameters.alert.data.signature: URL地址木马
parameters.alert.data.severity: 1
parameters.alert.location: /var/log/suricata/eve.json
parameters.program: active-response/bin/firewall-drop
三、存在的问题
1、双向流量的srcip问题
Suricata存在双向流量,如果是from_server=>to_client方向的流量,src_ip是服务器IP地址,此时使用Wazuh去提取该IP并且进行主动响应,则IP地址提取错误,应该提取的是dest_ip才是攻击源IP地址。解决方案:
(1)在Suricata规则中使用metadata: key value;来标识方向,进而让Wazuh进行识别(得需要两个解码器)
(2)利用Suricata的target,并设置为target: dest_ip,而不是默认的src_ip。
(3)使用Python实时解析Suricata日志并对Severity=1级别进行主动响应,抛弃Wazuh的规则约束。
以下是通过使用target来定义规则的用法:
第一步:定义解码器
<decoder name="suricata_eve">
<prematch>^{"timestamp</prematch>
<regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
<order>event_type,signature,severity,srcip</order>
</decoder>
第二步:进行测试
[root@centqiang alerts]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line
{"timestamp":"2022-07-28T11:28:26.648845+0800","flow_id":1784851008772983,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.195","src_port":80,"dest_ip":"192.168.112.1","dest_port":56009,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":561001,"rev":0,"signature":"出现404错误","category":"","severity":3,"source":{"ip":"192.168.112.1","port":56009},"target":{"ip":"192.168.112.195","port":80}},"http":{"hostname":"192.168.112.195","url":"/dashboard/phpinfo.phpx","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":692},"files":[{"filename":"/dashboard/phpinfo.phpx","sid":[],"gaps":false,"state":"UNKNOWN","stored":false,"size":645,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":6,"bytes_toserver":692,"bytes_toclient":1837,"start":"2022-07-28T11:28:26.646007+0800"}}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'suricata_eve'
event_type: 'alert'
severity: '3'
signature: '出现404错误'
srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
id: '562601'
level: '3'
description: 'Suricata-Wazuh预警:192.168.112.1)'
groups: '['ids', 'suricata']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
2、json解码器被禁用问题
为了不禁用json解码器,可以将suricata_eve解码器直接定义成json解码器的子解码器
<decoder name="json">
<prematch>^{\s*"</prematch>
<plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
<decoder name="suricata_eve">
<parent>json</parent>
<prematch>^{"timestamp</prematch>
<regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
<order>event_type,signature,severity,srcip</order>
</decoder>
在定义规则时将解码器直接指定为json即可
<rule id="562600" level="0">
<decoded_as>json</decoded_as>
<description>Suricata预警信息根规则.</description>
<options>no_full_log</options>
</rule>
此时再进行日志测试,结果如下:
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
parent: 'json'
event_type: 'alert'
severity: '3'
signature: '出现404错误'
srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
id: '562601'
level: '3'
description: 'Suricata-Wazuh预警:192.168.112.1'
groups: '['ids', 'suricata']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
prematch>^{\s*“
<plugin_decoder>JSON_Decoder</plugin_decoder>
json
^{“timestamp
“event_type”:”(\w+)”\S+“signature”:“(\S+)”\S+“severity”😦\d+)\S+“source”:{“ip”:“(\S+)”
event_type,signature,severity,srcip
在定义规则时将解码器直接指定为json即可
```xml
<rule id="562600" level="0">
<decoded_as>json</decoded_as>
<description>Suricata预警信息根规则.</description>
<options>no_full_log</options>
</rule>
此时再进行日志测试,结果如下:
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
parent: 'json'
event_type: 'alert'
severity: '3'
signature: '出现404错误'
srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
id: '562601'
level: '3'
description: 'Suricata-Wazuh预警:192.168.112.1'
groups: '['ids', 'suricata']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
事实上,如果不是为了实现主动响应,Wazuh本身就自带Suricata规则,直接使用即可。