Testing OSSEC rules/decoders
The first question most people have when debugging OSSEC, or when trying to write new rules and decoders, is how to test them. In the past this meant restarting OSSEC by hand or building a separate test installation. Since version 1.6 there is a tool that simplifies the task: ossec-logtest.
Testing with ossec-logtest
The ossec-logtest tool is installed in /var/ossec/bin. It reads the current rules and decoders (from /var/ossec) and accepts log input on stdin:
# /var/ossec/bin/ossec-logtest
2008/07/04 09:57:28 ossec-testrule: INFO: Started (pid: 12683).
ossec-testrule: Type one log per line.

Jul  4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2

**Phase 1: Completed pre-decoding.
       full event: 'Jul  4 09:42:16 enigma sshd[11990]: Accepted password for dcid from 192.168.2.10 port 35259 ssh2'
       hostname: 'enigma'
       program_name: 'sshd'
       log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'dcid'
       srcip: '192.168.2.10'

**Phase 3: Completed filtering (rules).
       Rule id: '10100'
       Level: '4'
       Description: 'First time user logged in.'
**Alert to be generated.
In the example above we supplied a successful-authentication log, and ossec-logtest showed how it is decoded, which fields are extracted and which rule fires. In the next example we can see how it extracts a user-logoff message from Windows:
# /var/ossec/bin/ossec-logtest
2008/07/04 09:57:28 ossec-testrule: INFO: Started (pid: 12683).
ossec-testrule: Type one log per line.

WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0xF784D5) Logon Type: 2

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0xF784D5) Logon Type: 2'
       hostname: 'enigma'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0xF784D5) Logon Type: 2'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '538'
       extra_data: 'Security'
       dstuser: 'lac'
       system_name: 'OSSEC-HM'

**Phase 3: Completed filtering (rules).
       Rule id: '18149'
       Level: '3'
       Description: 'Windows User Logoff.'
**Alert to be generated.
In addition to the information above, ossec-logtest -f can be used to trace the path a log takes through the rules:
# /var/ossec/bin/ossec-logtest -f
2008/07/04 10:05:43 ossec-testrule: INFO: Started (pid: 23007).
ossec-testrule: Type one log per line.

Jul  4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2

**Phase 1: Completed pre-decoding.
       full event: 'Jul  4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'
       hostname: 'enigma'
       program_name: 'sshd'
       log: 'Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '127.0.0.1'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
       *Rule 5700 matched.
       *Trying child rules.
    Trying rule: 5709 - Useless SSHD message without an user/ip.
    Trying rule: 5711 - Useless SSHD message without a user/ip.
    Trying rule: 5707 - OpenSSH challenge-response exploit.
    Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
    Trying rule: 5706 - SSH insecure connection attempt (scan).
    Trying rule: 5713 - Corrupted bytes on SSHD.
    Trying rule: 5702 - Reverse lookup error (bad ISP or attack).
    Trying rule: 5710 - Attempt to login using a non-existent user
       *Rule 5710 matched.
       *Trying child rules.
    Trying rule: 5712 - SSHD brute force trying to get access to the system.

**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
**Alert to be generated.
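Because ossec-logtest reads stdin and prints the three phases in a fixed layout, it can be driven from a script to regression-test custom rules: feed each sample log in, parse the decoder fields and the firing rule, and compare them with what the rule author intended. The harness below is an added example (not OSSEC's own code); it parses the plain output and the -f rule-debugging trace shown above, and assumes the binary lives at /var/ossec/bin/ossec-logtest as stated on the page. The embedded SAMPLE_TRACE is a shortened, constructed copy of the -f output above so the parser can be tried without an OSSEC installation; run_logtest only does real work where the binary exists.

```python
"""Regression harness around ossec-logtest (added example, not OSSEC's own code).

Parses the three-phase output, including the "-f" rule-debugging trace, and
compares the rule that fired with what a test case expects, so custom rules
and decoders can be checked without restarting OSSEC.
"""
from __future__ import annotations

import os
import re
import subprocess
from dataclasses import dataclass, field

LOGTEST_BIN = "/var/ossec/bin/ossec-logtest"   # path given on the page

# Constructed copy of the page's "ossec-logtest -f" output (trace shortened to
# four rules) so the parser can be exercised offline; not a captured run.
SAMPLE_TRACE = """\
**Phase 1: Completed pre-decoding.
       full event: 'Jul  4 10:05:30 enigma sshd[27588]: Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'
       hostname: 'enigma'
       program_name: 'sshd'
       log: 'Failed password for invalid user test2 from 127.0.0.1 port 19130 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '127.0.0.1'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5700 - SSHD messages grouped.
       *Rule 5700 matched.
       *Trying child rules.
    Trying rule: 5710 - Attempt to login using a non-existent user
       *Rule 5710 matched.
       *Trying child rules.
    Trying rule: 5712 - SSHD brute force trying to get access to the system.

**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
**Alert to be generated.
"""


@dataclass
class LogtestResult:
    pre_decoded: dict = field(default_factory=dict)   # phase 1: hostname, program_name, log
    decoded: dict = field(default_factory=dict)       # phase 2: decoder plus extracted fields
    rule_id: str | None = None                        # phase 3; None when no rule matched
    level: int | None = None
    description: str | None = None
    alert: bool = False
    rules_tried: list[int] = field(default_factory=list)    # from the -f trace, in order
    rules_matched: list[int] = field(default_factory=list)


_FIELD = re.compile(r"^([A-Za-z_ ]+?):\s*'(.*)'$")      # e.g. srcip: '127.0.0.1'
_TRYING = re.compile(r"^Trying rule:\s*(\d+)\s*-")
_MATCHED = re.compile(r"^\*Rule\s+(\d+)\s+matched\.")
_PHASES = (("**Phase 1", 1), ("**Phase 2", 2), ("**Phase 3", 3), ("**Rule debugging", 4))


def parse_logtest_output(text: str) -> LogtestResult:
    """Turn ossec-logtest output into a LogtestResult; a missing phase 3 leaves rule_id None."""
    r, phase = LogtestResult(), 0
    for raw in text.splitlines():
        s = raw.strip()
        for marker, p in _PHASES:           # phase markers decide which dict a field goes to
            if s.startswith(marker):
                phase = p
        if s.startswith("**Alert to be generated"):
            r.alert = True
        elif (m := _TRYING.match(s)):
            r.rules_tried.append(int(m.group(1)))
        elif (m := _MATCHED.match(s)):
            r.rules_matched.append(int(m.group(1)))
        elif (m := _FIELD.match(s)):
            key, val = m.group(1).strip().lower(), m.group(2)
            if phase == 1:
                r.pre_decoded[key] = val
            elif phase == 2:
                r.decoded[key] = val
            elif phase == 3 and key == "rule id":
                r.rule_id = val
            elif phase == 3 and key == "level":
                r.level = int(val)
            elif phase == 3 and key == "description":
                r.description = val
    return r


def run_logtest(log_line: str, trace: bool = False, binary: str = LOGTEST_BIN) -> LogtestResult:
    """Feed one log line to ossec-logtest (-f adds the rule trace) and parse the result."""
    cmd = [binary, "-f"] if trace else [binary]
    proc = subprocess.run(cmd, input=log_line + "\n", capture_output=True, text=True, check=False)
    # Assumption: phase lines may land on stdout or stderr depending on the build, so parse both.
    return parse_logtest_output(proc.stdout + proc.stderr)


def check_cases(cases, runner=run_logtest) -> list[str]:
    """cases: (log_line, expected_rule_id, expected_level). Returns one message per failing
    case; an empty list means every sample log fired the rule it was written for."""
    failures = []
    for log_line, want_rule, want_level in cases:
        got = runner(log_line)
        if got.rule_id != want_rule or got.level != want_level:
            failures.append(f"{log_line!r}: expected rule {want_rule} level {want_level}, "
                            f"got rule {got.rule_id} level {got.level}")
    return failures


if __name__ == "__main__":
    print(parse_logtest_output(SAMPLE_TRACE))          # offline demonstration
    if os.path.exists(LOGTEST_BIN):                    # real run where OSSEC is installed
        print(check_cases([("Jul  4 10:05:30 enigma sshd[27588]: Failed password for invalid "
                            "user test2 from 127.0.0.1 port 19130 ssh2", "5710", 5)]))
```

A case list of one line per custom rule, kept next to the rules, turns check_cases into a pre-deployment check: a decoder regression shows up as rule_id None (phase 3 never printed), and a rule ordering mistake shows up as the wrong id with the trace in rules_tried explaining which sibling matched first.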