Monitoring files/directories

Edit the ossec.conf configuration file and add the following:


<syscheck>
  <directories check_all="yes">/opt/web</directories>   <!-- directory to monitor -->
  <ignore>/var/web/upload</ignore>                      <!-- skip the upload directory -->
  <ignore>/var/web/config.conf</ignore>                 <!-- skip the config.conf file -->
</syscheck>

Monitoring web logs

Edit the ossec.conf configuration file and add the following:

<localfile>
  <log_format>apache</log_format>                   <!-- log format -->
  <location>/var/log/nginx/error.log</location>     <!-- web log path -->
</localfile>

Intrusion detection

Edit the rule files referenced by the <rootcheck> section of the ossec.conf configuration file to detect known intrusion artifacts.

For example, if a particular backdoor drops a file named mcrootkit in the /tmp directory, add the following line to /var/ossec/etc/shared/rootkit_files.txt:

tmp/mcrootkit   ! Bash door ::/rootkits/bashdoor.php


Email notification

OSSEC HIDS Notification.
2015 Jul 07 18:19:14
Received From: (web-10-10-51-51) 10.10.51.51->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Rootkit 'Bash' detected by the presence of file '/tmp/secrootkit'.
--END OF NOTIFICATION


Active response

Include the ddos_rules.xml file in the ossec.conf configuration file:


<rules>
  <include>ddos_rules.xml</include>
</rules>

Create an anti-CC-attack (HTTP flood) rule

# cat /var/ossec/rules/ddos_rules.xml

<group name="web,ddos,">
  <rule id="31177" level="3">                   <!-- define the rule id -->
    <if_sid>31108</if_sid>                      <!-- depends on rule id 31108 -->
    <url>^/*.php</url>                          <!-- match any php file in the URL -->
    <description>CC ATTACKS URL</description>   <!-- description -->
  </rule>
  <rule id="31178" level="10" frequency="10" timeframe="60">
    <if_matched_sid>31177</if_matched_sid>
    <same_source_ip />
    <description>CC ATTACKS</description>
    <group>DDOS</group>
  </rule>
</group>


Notes:

If the same IP accesses php files more than 10 times within 60 seconds, the response script is triggered.

Rule 31177 matches logs that already matched rule id 31108 and whose URL contains any php file.

For the full definition of rule id 31108, see the web_rules.xml file.


<rule id="31108" level="0">
  <if_sid>31100</if_sid>
  <id>^2|^3</id>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored URLs (simple queries).</description>
</rule>


Note: rule id 31108 matches web log entries with 2xx and 3xx status codes, which effectively filters out error pages such as 404 and 403.


Configuring active response

Add the following to the ossec.conf configuration file:

<command>
  <name>firewall-drop</name>                  <!-- command name -->
  <executable>firewall-drop.sh</executable>   <!-- script to run -->
  <expect>srcip</expect>                      <!-- script argument: the client IP -->
  <timeout_allowed>yes</timeout_allowed>      <!-- the block is allowed to expire -->
</command>
<active-response>
  <command>firewall-drop</command>            <!-- name of the command defined above -->
  <location>local</location>                  <!-- where to run; local means on the agent -->
  <rules_id>31178</rules_id>                  <!-- triggering rule id -->
  <timeout>600</timeout>                      <!-- timeout in seconds -->
</active-response>
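
The rule chain above (31108 -> 31177 -> 31178) and the firewall-drop response, replayed in Python as an added example that is not part of the original post and not OSSEC's own code. It assumes constructed access-log lines in combined format, implements the post's intent of "URL contains any php file" with a plain `.php` match (the post's `^/*.php` is written in OSSEC's own regex syntax), and its `evaluate` function returns the response decisions the configuration above would produce for that traffic.

```python
import re
from collections import deque
from datetime import datetime, timedelta

FREQUENCY, TIMEFRAME, TIMEOUT = 10, 60, 600   # rule 31178 frequency/timeframe and the <timeout> from above

def make_line(ip, sec, url, status):   # constructed combined-format line (sample data, not real traffic)
    return (f'{ip} - - [07/Jul/2015:18:{19 + sec // 60:02d}:{sec % 60:02d} +0800] '
            f'"GET {url} HTTP/1.1" {status} 512 "-" "curl/7.40"')

SAMPLE_LOG = (   # constructed traffic: one client bursts php requests, another stays under the threshold
    [make_line('10.10.51.51', s, '/login.php', 200) for s in range(0, 36, 4)]  # 9 php hits in 32 s
    + [make_line('10.10.51.51', 40, '/admin.php', 404),      # 404: fails 31108, so not counted
       make_line('10.10.51.51', 44, '/logo.png', 200),       # static file: no php in the URL
       make_line('10.10.51.51', 48, '/login.php?x=1', 302)]  # 10th php hit inside 60 s -> 31178 fires
    + [make_line('10.10.51.52', s, '/index.php', 200) for s in range(0, 30, 10)]  # only 3 hits
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):   # pre-decode a combined-format line into the fields the rules need; None if it does not parse
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.strptime(ev['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return ev

def rule_31108(ev):   # web_rules.xml 31108: request answered with a 2xx or 3xx status (^2|^3)
    return ev['status'][0] in '23'

def rule_31177(ev):   # ddos_rules.xml 31177: if_sid 31108 plus a php file in the URL
    return rule_31108(ev) and re.search(r'\.php(\?|$)', ev['url']) is not None

def evaluate(lines):   # replay lines through the chain; return the active-response decisions (rule 31178)
    window = {}    # srcip -> timestamps of recent 31177 matches (the same_source_ip grouping)
    actions = []
    for line in lines:
        ev = parse(line)
        if ev is None or not rule_31177(ev):
            continue
        q = window.setdefault(ev['ip'], deque())
        q.append(ev['ts'])
        while ev['ts'] - q[0] > timedelta(seconds=TIMEFRAME):   # keep only the last <timeframe> seconds
            q.popleft()
        if len(q) >= FREQUENCY:                                  # frequency reached: level-10 alert fires
            actions.append({'rule': 31178, 'command': 'firewall-drop', 'srcip': ev['ip'], 'timeout': TIMEOUT})
            q.clear()   # simplification: one response per burst; OSSEC's own re-fire handling differs
    return actions
```

Running `evaluate(SAMPLE_LOG)` yields a single firewall-drop decision for 10.10.51.51 with a 600 s timeout; the 404 and the static file never enter the count, and 10.10.51.52 stays below the frequency.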

 

Custom rules

Filter for a string in the logs: for example, raise an alert whenever admin_backdoor appears in a log line.

Include the test_rules.xml file in the ossec.conf configuration file:


<rules>
  <include>test_rules.xml</include>
</rules>

Create the filter rule

# vi /var/ossec/rules/test_rules.xml

<group name="localtest,">
  <rule id="7777" level="7">
    <decoded_as>admin_backdoor</decoded_as>            <!-- decoder name -->
    <description>admin_backdoor access</description>
  </rule>
</group>


Configure the decoder.xml file

# cat /var/ossec/etc/decoder.xml

<decoder name="admin_backdoor">              <!-- decoder name; must match the name used in test_rules.xml -->
  <prematch>^admin_backdoor</prematch>       <!-- match the string admin_backdoor -->
</decoder>


Alert output:

[root@ossec-server-10-10-51-50 /var/ossec]# ./bin/ossec-logtest

2015/07/07 19:48:20 ossec-testrule: INFO: Reading local decoder file.
2015/07/07 19:48:20 ossec-testrule: INFO: Started (pid: 16189).
ossec-testrule: Type one log per line.

admin_backdoor                         # input string

**Phase 1: Completed pre-decoding.
       full event: 'admin_backdoor'
       hostname: 'ossec-server-10-10-51-50'
       program_name: '(null)'
       log: 'admin_backdoor'

**Phase 2: Completed decoding.
       decoder: 'admin_backdoor'

**Phase 3: Completed filtering (rules).
       Rule id: '7777'                   # matched rule id 7777
       Level: '7'
       Description: 'admin_backdoor access'  # the description defined above
**Alert to be generated.