OSSEC是一款開源的多平臺的入侵檢測系統(tǒng)，可以運行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系統(tǒng)中。包括了日志分析，全面檢測，root-kit檢測。

1. 測試和驗證OSSEC泛化及告警規(guī)則

OSSEC默認(rèn)具有一個ossec-logtest工具用于測試OSSEC的泛化及告警規(guī)則。該工具一般默認(rèn)安裝于目錄 /var/ossec/bin 中。

使用示例：

/var/ossec/bin/ossec-logtest  
2014/06/1113:15:36 ossec-testrule: INFO: Reading local decoder file.  
2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).  
ossec-testrule: Type one log per line.  
Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2  
 
**Phase 1: Completed pre-decoding.  
       full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'  
       hostname: '172.16.25.122/172.16.24.32'  
       program_name: 'sshd'  
       log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'  
 
**Phase 2: Completed decoding.  
       decoder: 'sshd'  
       dstuser: 'root'  
       srcip: '172.16.24.121'  
 
**Phase 3: Completed filtering (rules).  
       Rule id: '10100'  
       Level: '4'  
       Description: 'First time user logged in.'  
**Alert to be generated. 

如上文所示，當(dāng)輸入日志內(nèi)容：

Jun 1021:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for rootfrom 172.16.24.121 port 38720 ssh2

該條日志經(jīng)過三步處理，生成了一條4級告警，規(guī)則ID為10100，內(nèi)容為“First time user logged in.”

使用ossec-logtest–v命令，可獲取更詳細的日志分析邏輯。

/var/ossec/bin/ossec-logtest  -v  
2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.  
2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).  
ossec-testrule: Type one log per line.  
 
Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121  
 
**Phase 1: Completed pre-decoding.  
       full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121' 
       hostname: '172.16.25.122/172.16.24.32' 
       program_name: 'sshd' 
       log: 'Did not receive identification string from 172.16.24.121' 
 
**Phase 2: Completed decoding.  
       decoder: 'sshd' 
       srcip: '172.16.24.121' 
 
**Rule debugging:  
    Trying rule: 1 - Generic template for all syslog rules.  
       *Rule 1 matched.  
       *Trying child rules.  
    Trying rule: 5500 - Grouping of the pam_unix rules.  
    Trying rule: 5700 - SSHD messages grouped.  
       *Rule 5700 matched.  
       *Trying child rules.  
    Trying rule: 5709 - Useless SSHD message without an user/ip and context.  
    Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.  
    Trying rule: 5721 - System disconnected from sshd.  
    Trying rule: 5722 - ssh connection closed.  
    Trying rule: 5723 - SSHD key error.  
    Trying rule: 5724 - SSHD key error.  
    Trying rule: 5725 - Host ungracefully disconnected.  
    Trying rule: 5727 - Attempt to start sshd when something already bound to the port.  
    Trying rule: 5729 - Debug message.  
    Trying rule: 5732 - Possible port forwarding failure.  
    Trying rule: 5733 - User entered incorrect password.  
    Trying rule: 5734 - sshd could not load one or more host keys.  
    Trying rule: 5735 - Failed write due to one host disappearing.  
    Trying rule: 5736 - Connection reset or aborted.  
    Trying rule: 5707 - OpenSSH challenge-response exploit.  
    Trying rule: 5701 - Possible attack on the ssh server (or version gathering).  
    Trying rule: 5706 - SSH insecure connection attempt (scan).  
       *Rule 5706 matched.  
 
**Phase 3: Completed filtering (rules).  
       Rule id: '5706' 
       Level: '6' 
       Description: 'SSH insecure connection attempt (scan).' 
**Alert to be generated. 

2. 自定義日志泛化規(guī)則

2.1 添加日志源

添加日志源的方式很簡單，通過修改/var/ossec/etc/ossec.conf 即可實現(xiàn)。

如果日志源是本地文件，可通過添加如下配置實現(xiàn)。

<localfile> 
  <log_format>syslog</log_format> 
  <location>/path/to/log/file</location> 
</localfile> 

如果日志源是遠程syslog，可通過添加如下配置實現(xiàn)。

<remote> 
<connection>syslog</connection> 
<protocol>udp</protocol> 
<port>2514</port> 
<allowed-ips>172.16.24.0/24</allowed-ips> 
</remote> 

2.2 創(chuàng)建自定義的日志泛化規(guī)則

假如有兩條日志如下文：

Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat loginSUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: 
User blackrat login PWD_ERRORfrom 172.17.153.36 to 172.17.153.38 distport 3333 .

該日志使用ossec-logtest分析之后結(jié)果如下：

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
**Phase 2: Completed decoding.
       No decoder matched

由此可知OSSEC在分析日志的時候，經(jīng)過了兩個泛化過程：pre-decoding和 decoding。

pre-decoding過程是ossec內(nèi)置的，只要是標(biāo)準(zhǔn)的syslog日志，都可以解析出如下4個基本信息。

Timestamp:Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Programe_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333.

在decoding過程，用戶可以通過修改/var/ossec/etc/decoder.xml，實現(xiàn)自定義的泛化。例如在該文件中添加如下規(guī)則：

<decoder name="auditServerd"> 
  <program_name>/usr/bin/auditServerd</program_name> 
</decoder> 

再次執(zhí)行/var/ossec/bin/ossec-logtest

**Phase 1: Completed pre-decoding.  
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
       hostname: '172.17.153.38/172.16.24.32'  
       program_name: '/usr/bin/auditServerd'  
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
 
**Phase 2: Completed decoding.  
       decoder: 'auditServerd' 

發(fā)現(xiàn)，該條日志成功命中了名為auditServerd的規(guī)則，該條規(guī)則可以準(zhǔn)確的將日志定位為是程序auditServerd所發(fā)出的。

除此之外，基于auditServerd這條規(guī)則，我們還可以添加更多的子規(guī)則，來識別出更多的信息。如:

<decoder name="auditServerd">                                 
  <program_name>/usr/bin/auditServerd</program_name>                          
</decoder> 
<decoder name="auditServerd-login">                                        
  <parent>auditServerd</parent>                             
  <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>    
  <order>user,status,srcip,dstip,dstport</order>                                  
</decoder> 

再次執(zhí)行/var/ossec/bin/ossec-logtest，可獲取更多的信息，如下：

**Phase 1: Completed pre-decoding.  
      full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to172.17.153.38 distport 3333 .'  
      hostname: '172.17.153.38/172.16.24.32'  
      program_name: '/usr/bin/auditServerd'  
      log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38distport 3333 .'  
   
**Phase 2: Completed decoding.  
      decoder: 'auditServerd'  
       dstuser: 'blackrat'  
      status:'SUCEESS'  
      srcip: '172.17.153.36'  
       dstip: '172.17.153. 

用戶通過配置上述正則表達式，獲取特定字段，用于后續(xù)的關(guān)聯(lián)分析。OSSEC一共內(nèi)置了14個用戶可解析的字段：

 - location – where the log came from (only on FTS)
   - srcuser  - extracts the source username
   - dstuser  - extracts the destination (target) username
   - user     – an alias to dstuser (only one of the two can be used)
   - srcip    - source ip
   - dstip    - dst ip
   - srcport  - source port
   - dstport  - destination port
   - protocol – protocol
   - id       – event id 
   - url      - url of the event
   - action   – event action (deny, drop, accept, etc)
   - status   – event status (success, failure, etc)
   - extra_data     – Any extra data

3. 自定義日志告警規(guī)則

3.1 規(guī)則文件路徑配置

OSSEC的規(guī)則配置文件默認(rèn)路徑為/var/ossec/rules/，要加載規(guī)則文件，需要在/var/ossec/etc/ossec.conf 中配置，默認(rèn)的配置如下：

<ossec_config>  <!-- rules global entry --> 
  <rules> 
    <include>rules_config.xml</include> 
    <include>pam_rules.xml</include> 
    <include>sshd_rules.xml</include> 
    <include>telnetd_rules.xml</include> 
    <include>syslog_rules.xml</include> 
    <include>arpwatch_rules.xml</include> 
     ......    
    <include>clam_av_rules.xml</include>   
    <include>bro-ids_rules.xml</include> 
    <include>dropbear_rules.xml</include> 
    <include>local_rules.xml</include>   
</rules>   
</ossec_config>  <!-- rules global entry --> 

其實通過下列配置，可以實現(xiàn)加載/var/ossec/rules 下的所有規(guī)則文件：

 <ossec_config> 
    <rules> 
        <rule_dir pattern=".xml$">rules</rule_dir> 
    </rules> 
</ossec_config> 

于泛化規(guī)則，也可以通過配置decoder_dir域來實現(xiàn)，如：

<ossec_config> 
    <rules> 
        <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir> 
    </rules> 
</ossec_config> 

上述配置可將/var/ossec/rules/plugins/plugins/decoders目錄下所有的xml文件都添加為OSSEC日志泛化規(guī)則。

對于更詳細的配置及語法，可參考下列文檔：

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

3.2 OSSEC告警規(guī)則配置

例如，我們需要增加對程序auditServerd的告警規(guī)則，我們需要針對auditServerd程序新建一個規(guī)則文件，對于OSSEC中已經(jīng)存在的規(guī)則文件如sshd, openbsd, vsftpd等，我們只需要在對應(yīng)的文件中進行新增或修改。

首先我們新建文件

/var/ossec/rules/auditServerd_rules.xml

添加如下內(nèi)容：

<group name="auditServer,"> 
   <rule id="80000" level="0" noalert="1"> 
    <decoded_as>auditServerd</decoded_as> 
    <description>Grouping for the auditServerd rules.</description> 
  </rule> 
 
  <rule id="80001" level="10"> 
    <if_sid>80000</if_sid> 
    <user>blackrat</user> 
    <srcip>172.17.153.36</srcip> 
    <description>User blackrat is not allowed login from 172.17.153.36!</description> 
  </rule> 
</group> 

上述規(guī)則中，規(guī)則id 80000 用于對日志進行分組計數(shù)，假如日志中出現(xiàn)了泛化為auditServerd的日志，則對該日志分組為auditServer，且狀態(tài)機計數(shù)加1.

規(guī)則80001描述了假如user為blackrat，srcip為172.17.153.36 則命中，并發(fā)出“User blackrat is not allowed login from 172.17.153.36!”的告警。

將該文件路徑加入到文件/var/ossec/etc/ossec.conf中

 …  
<include>dropbear_rules.xml</include>   
<include>local_rules.xml</include>   
<include>auditServerd_rules.xml</include>   
</ossec_config> 

執(zhí)行/var/ossec/bin/ossec-logtest，結(jié)果如下：

**Phase 1: Completed pre-decoding.  
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
       hostname: '172.17.153.38/172.16.24.32'  
       program_name: '/usr/bin/auditServerd'  
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
 
**Phase 2: Completed decoding.  
       decoder: 'auditServerd'  
       dstuser: 'blackrat'  
       status: 'SUCEESS'  
       srcip: '172.17.153.36'  
       dstip: '172.17.153.38'  
       dstport: '3333'  
 
**Phase 3: Completed filtering (rules).  
       Rule id: '80001'  
       Level: '10'  
       Description: 'User blackrat is not allowed login from 172.17.153.36!'  
**Alert to be generated. 

3.3 關(guān)聯(lián)分析告警規(guī)則

OSSEC可以實現(xiàn)基于因果關(guān)系、事件頻次的關(guān)聯(lián)分析告警，具體實現(xiàn)方式如下。

假如我們想要實現(xiàn)當(dāng)來自同一IP的用戶登陸auditServerd，在1分鐘內(nèi)達到5次登錄失敗時，進行告警，我們可以配置規(guī)則如下：

<group name="auditServer,"> 
   <rule id="80000" level="0" noalert="1"> 
    <decoded_as>auditServerd</decoded_as> 
    <description>Grouping for the auditServerd rules.</description> 
  </rule> 
 
  <rule id="80001" level="10"> 
    <if_sid>80000</if_sid> 
    <match>SUCEESS</match> 
    <user>blackrat</user> 
    <srcip>172.17.153.36</srcip> 
    <description>User blackrat is not allowed login from 172.17.153.36!</description> 
  </rule> 
 
  <rule id="80002" level="1"> 
    <if_sid>80000</if_sid> 
    <match>PWD_ERROR</match> 
    <group>authServer_login_failures,</group> 
    <description>login auditServerd password error.</description> 
  </rule> 
 
  <rule id="80003" level="15" frequency="5" timeframe="60" ignore="30">   
    <if_matched_group>authServer_login_failures</if_matched_group> 
    <description>auditServerd brute force trying to get access to </description>         
    <description>the audit system.</description> 
    <same_source_ip /> 
    <group>authentication_failures,</group> 
  </rule> 
</group> 

執(zhí)行/var/ossec/bin/ossec-logtest，連續(xù)五次輸入日志：

結(jié)果如下：

**Phase 1: Completed pre-decoding.  
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
       hostname: '172.17.153.38/172.16.24.32'  
       program_name: '/usr/bin/auditServerd'  
       log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'  
**Phase 2: Completed decoding.  
       decoder: 'auditServerd'  
       dstuser: 'blackrat'  
       status: 'PWD_ERROR'  
       srcip: '172.17.153.36'  
       dstip: '172.17.153.38'  
       dstport: '3333'  
 
**Phase 3: Completed filtering (rules).  
       Rule id: '80003'  
       Level: '15'  
       Description: 'auditServerd brute force trying to get access to the audit system.'  
**Alert to be generated. 

對于OSSEC日志告警規(guī)則更詳細的語法，參見：

http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

對于OSSEC中正則表達式的語法，參加：

http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html