从上层检测逻辑看ossec hips规则引擎——支持单事件正则,统计类规则,支持前后关联,例如暴力破解,爆破成功检测
2023-09-14 09:11:46 时间
检测规则: https://github.com/ossec/ossec-hids/blob/master/etc/rules/
针对web安全里的,https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_appsec_rules.xml
<!-- Collection of rules for common web attacks that we are seeing in the wild.
- The real goal is to stop bots and automated attacks from doing further damage
- on sites that are not updated.
-->
<group name="web,appsec,attack">
<!-- Checking POST / requests - WP comment spam coming from fake search engines.
-->
<rule id="31501" level="6">
<if_sid>31100</if_sid>
<pcre2>POST /.*(?:Googlebot|MSNBot|BingBot)</pcre2>
<url_pcre2>/wp-comments-post\.php</url_pcre2>
<description>WordPress Comment Spam (coming from a fake search engine UA).</description>
</rule>
<!-- Timthumb scans.
-->
<rule id="31502" level="6">
<if_sid>31100</if_sid>
<url_pcre2>thumb\.php|timthumb\.php</url_pcre2>
<pcre2> "GET \S+thumb\.php\?src=\S+\.php</pcre2>
<description>TimThumb vulnerability exploit attempt.</description>
</rule>
<!-- osCommerce login.php bypass
-->
<rule id="31503" level="6">
<if_sid>31100</if_sid>
<url_pcre2>login\.php</url_pcre2>
<pcre2> "POST /\S+\.php/login\.php\?cPath=</pcre2>
<description>osCommerce login.php bypass attempt.</description>
</rule>
<!-- osCommerce file manager login.php bypass
-->
<rule id="31504" level="6">
<if_sid>31100</if_sid>
<url_pcre2>login\.php</url_pcre2>
<pcre2>/admin/[A-Za-z0-9@_-]+\.php/login\.php</pcre2>
<description>osCommerce file manager login.php bypass attempt.</description>
</rule>
<!-- Timthumb backdoor access.
-->
<rule id="31505" level="6">
<if_sid>31100</if_sid>
<url_pcre2>/cache/external</url_pcre2>
<pcre2> "GET /\S+/cache/external\S+\.php</pcre2>
<description>TimThumb backdoor access attempt.</description>
</rule>
<!-- Timthumb backdoor access.
-->
<rule id="31506" level="6">
<if_sid>31100</if_sid>
<url_pcre2>cart\.php</url_pcre2>
<pcre2> "GET /\S+cart\.php\?\S+templatefile=\.\./</pcre2>
<description>Cart.php directory transversal attempt.</description>
</rule>
<!-- MSSQL IIS inject rules -->
<rule id="31507" level="6">
<if_sid>31100</if_sid>
<url_pcre2>DECLARE%20@S%20CHAR|%20AS%20CHAR</url_pcre2>
<description>MSSQL Injection attempt (ur.php, urchin.js).</description>
</rule>
<!-- BAD/Annoying user agents -->
<rule id="31508" level="6">
<if_sid>31100</if_sid>
<pcre2> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af\.sourceforge\.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</pcre2>
<description>Blacklisted user agent (known malicious user agent).</description>
</rule>
<!-- WordPress wp-login.php brute force -->
<rule id="31509" level="3">
<if_sid>31108</if_sid>
<url_pcre2>wp-login\.php|/administrator</url_pcre2>
<pcre2>\] "POST \S+wp-login\.php| "POST /administrator</pcre2>
<description>CMS (WordPress or Joomla) login attempt.</description>
</rule>
<!-- If we see frequent wp-login POST's, it is likely a bot. -->
<rule id="31510" level="8" frequency="6" timeframe="30">
<if_matched_sid>31509</if_matched_sid>
<same_source_ip />
<description>CMS (WordPress or Joomla) brute force attempt.</description>
</rule>
<!-- Nothing wrong with wget per se, but it misses a lot of links
- that generates many 404s. Blocking it to avoid the noise.
-->
<rule id="31511" level="0">
<if_sid>31100</if_sid>
<pcre2>" "Wget/</pcre2>
<description>Blacklisted user agent (wget).</description>
</rule>
<!-- Uploadify scans.
-->
<rule id="31512" level="6">
<if_sid>31100</if_sid>
<url_pcre2>uploadify\.php</url_pcre2>
<pcre2> "GET /\S+/uploadify\.php\?src=http://\S+\.php</pcre2>
<description>Uploadify vulnerability exploit attempt.</description>
</rule>
<!-- BBS delete.php skin_path.
-->
<rule id="31513" level="6">
<if_sid>31100</if_sid>
<url_pcre2>delete\.php</url_pcre2>
<pcre2> "GET \S+/delete\.php\?board_skin_path=http://\S+\.php</pcre2>
<description>BBS delete.php exploit attempt.</description>
</rule>
<!-- Simple shell.php command execution
-->
<rule id="31514" level="6">
<if_sid>31100</if_sid>
<url_pcre2>shell\.php</url_pcre2>
<pcre2> "GET \S+/shell\.php\?cmd=</pcre2>
<description>Simple shell.php command execution.</description>
</rule>
<!-- PHPMyAdmin scans
-->
<rule id="31515" level="6">
<if_sid>31100</if_sid>
<url_pcre2>phpMyAdmin/scripts/setup\.php</url_pcre2>
<description>PHPMyAdmin scans (looking for setup.php).</description>
</rule>
<!-- Suspicious URL's access
-->
<rule id="31516" level="6">
<if_sid>31100</if_sid>
<url_pcre2>\.swp$|\.bak$|/\.htaccess|/server-status|/\.ssh|/\.history|/wallet\.dat</url_pcre2>
<description>Suspicious URL access.</description>
</rule>
<!-- Checking POST requests - Too many in a small type = likely a bot -->
<rule id="31530" level="3">
<if_sid>31100</if_sid>
<pcre2>\] "POST </pcre2>
<options>no_log</options>
<description>POST request received.</description>
</rule>
<rule id="31531" level="0">
<if_sid>31530</if_sid>
<url_pcre2>/wp-admin/|/administrator/|/admin/</url_pcre2>
<description>Ignoring often post requests inside /wp-admin and /admin.</description>
</rule>
<rule id="31533" level="10" timeframe="20" frequency="6">
<if_matched_sid>31530</if_matched_sid>
<same_source_ip />
<description>High amount of POST requests in a small period of time (likely bot).</description>
</rule>
<!-- Anomaly rules - Used on common web attacks -->
<rule id="31550" level="6">
<if_sid>31100</if_sid>
<url_pcre2>%00</url_pcre2>
<pcre2> "GET /\S+\.php\?\S+%00</pcre2>
<description>Anomaly URL query (attempting to pass null termination).</description>
</rule>
</group>
可以看到,都是一些单事件的正则匹配。每个规则里都有一个if sid 31100,表示含义如下,表示数据采集是access log:
https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml
<group name="web,accesslog,">
<rule id="31100" level="0">
<category>web-log</category>
<description>Access log messages grouped.</description>
</rule>
<rule id="31108" level="0">
<if_sid>31100</if_sid>
<id_pcre2>^2|^3</id_pcre2>
<compiled_rule>is_simple_http_request</compiled_rule>
<description>Ignored URLs (simple queries).</description>
</rule>
<rule id="31101" level="5">
<if_sid>31100</if_sid>
<id_pcre2>^4</id_pcre2>
<description>Web server 400 error code.</description>
</rule>
<rule id="31102" level="0">
<if_sid>31101</if_sid>
<url_pcre2>\.jpg$|\.gif$|favicon\.ico$|\.png$|robots\.txt$|\.css$|\.js$|\.jpeg$</url_pcre2>
<compiled_rule>is_simple_http_request</compiled_rule>
<description>Ignored extensions on 400 error codes.</description>
</rule>
<rule id="31103" level="6">
<if_sid>31100,31108</if_sid>
<url_pcre2>=select%20|select\+|insert%20|%20from%20|%20where%20|union%20|</url_pcre2>
<url_pcre2>union\+|where\+|null,null|xp_cmdshell</url_pcre2>
<description>SQL injection attempt.</description>
<group>attack,sql_injection,</group>
</rule>
<rule id="31104" level="6">
<if_sid>31100</if_sid>
<!-- Attempt to do directory transversal, simple sql injections,
- or access to the etc or bin directory (unix). -->
<url_pcre2>%027|%00|%01|%7f|%2E%2E|%0A|%0D|\.\./\.\.|\.\.\\\.\.|echo;|</url_pcre2>
<url_pcre2>cmd\.exe|root\.exe|_mem_bin|msadc|/winnt/|/boot\.ini|</url_pcre2>
<url_pcre2>/x90/|default\.ida|/sumthin|nsiislog\.dll|chmod%|wget%|cd%20|</url_pcre2>
<url_pcre2>exec%20|\.\./\.\.//|%5C\.\./%5C|\./\./\./\./|2e%2e%5c%2e|\\x5C\\x5C</url_pcre2>
<description>Common web attack.</description>
<group>attack,</group>
</rule>
<rule id="31105" level="6">
<if_sid>31100</if_sid>
<url_pcre2>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url_pcre2>
<url_pcre2>%20ONLOAD=|INPUT%20|iframe%20</url_pcre2>
<description>XSS (Cross Site Scripting) attempt.</description>
<group>attack,</group>
</rule>
<rule id="31106" level="6">
<if_sid>31103, 31104, 31105</if_sid>
<id_pcre2>^200</id_pcre2>
<description>A web attack returned code 200 (success).</description>
<group>attack,</group>
</rule>
<rule id="31110" level="6">
<if_sid>31100</if_sid>
<url_pcre2>\?-d|\?-s|\?-a|\?-b|\?-w</url_pcre2>
<description>PHP CGI-bin vulnerability attempt.</description>
<group>attack,</group>
</rule>
<rule id="31109" level="6">
<if_sid>31100</if_sid>
<url_pcre2>\+as\+varchar</url_pcre2>
<pcre2>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</pcre2>
<description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
<group>attack,</group>
</rule>
<!-- If your site have a search engine, you may need to ignore
- it in here.
-->
<rule id="31107" level="0">
<if_sid>31103, 31104, 31105</if_sid>
<url_pcre2>^/search\.php\?search=|^/index\.php\?searchword=</url_pcre2>
<description>Ignored URLs for the web attacks</description>
</rule>
<rule id="31115" level="13" maxsize="7900">
<if_sid>31100</if_sid>
<description>URL too long. Higher than allowed on most </description>
<description>browsers. Possible attack.</description>
<group>invalid_access,</group>
</rule>
<!-- 500 error codes, server error
- http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
-->
<rule id="31120" level="5">
<if_sid>31100</if_sid>
<id_pcre2>^50</id_pcre2>
<description>Web server 500 error code (server error).</description>
</rule>
<rule id="31121" level="4">
<if_sid>31120</if_sid>
<id_pcre2>^501</id_pcre2>
<description>Web server 501 error code (Not Implemented).</description>
</rule>
<rule id="31122" level="5">
<if_sid>31120</if_sid>
<id_pcre2>^500</id_pcre2>
<options>alert_by_email</options>
<description>Web server 500 error code (Internal Error).</description>
<group>system_error,</group>
</rule>
<rule id="31123" level="4">
<if_sid>31120</if_sid>
<id_pcre2>^503</id_pcre2>
<options>alert_by_email</options>
<description>Web server 503 error code (Service unavailable).</description>
</rule>
<!-- Rules to ignore crawlers -->
<rule id="31140" level="0">
<if_sid>31101</if_sid>
<compiled_rule>is_valid_crawler</compiled_rule>
<description>Ignoring google/msn/yahoo bots.</description>
</rule>
<!-- Ignoring nginx 499's -->
<rule id="31141" level="0">
<if_sid>31101</if_sid>
<id_pcre2>^499</id_pcre2>
<description>Ignored 499's on nginx.</description>
</rule>
<rule id="31151" level="10" frequency="12" timeframe="90">
<if_matched_sid>31101</if_matched_sid>
<same_source_ip />
<description>Multiple web server 400 error codes </description>
<description>from same source ip.</description>
<group>web_scan,recon,</group>
</rule>
<rule id="31152" level="10" frequency="6" timeframe="120">
<if_matched_sid>31103</if_matched_sid>
<same_source_ip />
<description>Multiple SQL injection attempts from same </description>
<description>source ip.</description>
<group>attack,sql_injection,</group>
</rule>
<rule id="31153" level="10" frequency="8" timeframe="120">
<if_matched_sid>31104</if_matched_sid>
<same_source_ip />
<description>Multiple common web attacks from same source ip.</description>
<group>attack,</group>
</rule>
<rule id="31154" level="10" frequency="8" timeframe="120">
<if_matched_sid>31105</if_matched_sid>
<same_source_ip />
<description>Multiple XSS (Cross Site Scripting) attempts </description>
<description>from same source ip.</description>
<group>attack,</group>
</rule>
<rule id="31161" level="10" frequency="12" timeframe="120">
<if_matched_sid>31121</if_matched_sid>
<same_source_ip />
<description>Multiple web server 501 error code (Not Implemented).</description>
<group>web_scan,recon,</group>
</rule>
<rule id="31162" level="10" frequency="12" timeframe="120">
<if_matched_sid>31122</if_matched_sid>
<same_source_ip />
<description>Multiple web server 500 error code (Internal Error).</description>
<group>system_error,</group>
</rule>
<rule id="31163" level="10" frequency="12" timeframe="120">
<if_matched_sid>31123</if_matched_sid>
<same_source_ip />
<description>Multiple web server 503 error code (Service unavailable).</description>
<group>web_scan,recon,</group>
</rule>
<rule id="31164" level="6">
<if_sid>31100</if_sid>
<url_pcre2>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url_pcre2>
<description>SQL injection attempt.</description>
<group>attack,sqlinjection,</group>
</rule>
<rule id="31165" level="6">
<if_sid>31100</if_sid>
<url_pcre2>%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045</url_pcre2>
<description>SQL injection attempt.</description>
<group>attack,sqlinjection,</group>
</rule>
</group> <!-- Web access log -->
整个引擎的数据采集:
<ossec_config>
<!-- One entry for each file/Event log to monitor. -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Windows PowerShell</location>
<log_format>eventlog</log_format>
</localfile>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
<directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
<active-response>
<disabled>yes</disabled>
</active-response>
</ossec_config>
<!-- END of Default Configuration. -->
我们再看看powershell相关的检测如何做的:
<group name="windows,powershell,">
<rule id="20500" level="8">
<if_sid>18101</if_sid>
<id_pcre2>^400$</id_pcre2>
<pcre2>PowerShell</pcre2>
<description>Windows PowerShell was started.</description>
</rule>
<rule id="20501" level="8">
<if_sid>18101</if_sid>
<id_pcre2>^800$</id_pcre2>
<pcre2>PowerShell</pcre2>
<description>Windows PowerShell command executed.</description>
</rule>
<rule id="20502" level="8">
<if_sid>18101</if_sid>
<id_pcre2>^403$</id_pcre2>
<pcre2>PowerShell</pcre2>
<description>Windows PowerShell was stopped.</description>
</rule>
<rule id="20503" level="2">
<if_sid>20501</if_sid>
<pcre2>Set-StrictMode -Version 1; .+[A-Za-z0-9@_-]+</pcre2>
<description>A wrong/misspelled command was tried</description>
</rule>
<rule id="20504" level="2">
<if_sid>20501</if_sid>
<pcre2>CommandLine= CommandInvocation</pcre2>
<description>Powershell background activity</description>
</rule>
<rule id="20505" level="12">
<if_sid>20501</if_sid>
<pcre2>Set-ExecutionPolicy|Mimikatz|EncodedCommand|Payload|Find-AVSignature|DllInjection|ReflectivePEInjection|Invoke-Shellcode|Invoke--Shellcode|Invoke-ShellcodeMSIL|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|Set-MasterBootRecord|New-ElevatedPersistenceOption|Invoke-CallbackIEX|Invoke-PSInject|Invoke-DllEncode|Get-ServiceUnquoted|Get-ServiceEXEPerms|Get-ServicePerms|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-UserAddMSI|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Invoke-FindDLLHijack|Invoke-FindPathHijack|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-UnattendedInstallFiles|Get-Webconfig|Get-Webconfig|Get-ApplicationHost|Invoke-AllChecks|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|HTTP-Backdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Execute-OnTime|DNS_TXT_Pwnage|Out-Word|Out-Excel|Out-Java|Out-Shortcut|Out-CHM|Out-HTA|Enable-DuplicateToken|Remove-Update|Execute-DNSTXT-Code|Download-Execute-PS|Execute-Command-MSSQL|Download_Execute|Get-PassHashes|Invoke-CredentialsPhish|Get-LsaSecret|Get-Information|Invoke-MimikatzWDigestDowngrade|Copy-VSS|Check-VM|Invoke-NetworkRelay|Create-MultipleSessions|Run-EXEonRemote|Invoke-BruteForce|Port-Scan|Invoke-PowerShellIcmp|Invoke-PowerShellUdp|Invoke-PsGcatAgent|Invoke-PoshRatHttps|Invoke-PowerShellTcp|Invoke-PoshRatHttp|Invoke-PowerShellWmi|Invoke-PSGcat|Remove-PoshRat|TexttoEXE|Invoke-Encode|Invoke-Decode|Base64ToString|StringtoBase64|Do-Exfiltration|Parse_Keys|Add-Exfiltration|Add-Persistence|Remove-Persistence|Invoke-CreateCertificate|powercat|Find-PSServiceAccounts|Get-PSADForestKRBTGTInfo|Discover-PSMSSQLServers|Discover-PSMSExchangeServers|Get-PSADForestInfo|Get-KerberosPolicy|Discover-PSInterestingServices</pcre2>
<description>Possibly Dangerous Command Detected (https://gist.github.com/gfoss/2b39d680badd2cad9d82#file-powershell-command-line-logging)</description>
</rule>
</group>
数据采集是windows日志,
<group name="windows,"> <rule id="18100" level="0"> <category>windows</category> <description>Group of windows rules.</description> </rule> <rule id="18101" level="0"> <if_sid>18100</if_sid> <status_pcre2>^INFORMATION</status_pcre2> <description>Windows informational event.</description> </rule> <rule id="18102" level="0"> <if_sid>18100</if_sid> <status_pcre2>^WARNING</status_pcre2> <description>Windows warning event.</description> </rule> <rule id="18103" level="5"> <if_sid>18100</if_sid> <status_pcre2>^ERROR</status_pcre2> <description>Windows error event.</description> <group>system_error,</group> </rule> <rule id="18104" level="0"> <if_sid>18100</if_sid> <status_pcre2>^AUDIT_SUCCESS|^success</status_pcre2> <description>Windows audit success event.</description> </rule>
再看看针对macfee的av上报事件写的过滤规则:
<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var> <var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var> <var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var> <var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var> <var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var> <var name="MCAFEE_FREQ">10</var> <group name="mcafee,"> <rule id="7500" level="0"> <if_sid>18101,18102,18103</if_sid> <category>windows</category> <extra_data_pcre2>^McLogEvent</extra_data_pcre2> <description>Grouping of McAfee Windows AV rules.</description> </rule> <rule id="7501" level="2"> <if_sid>7500</if_sid> <id_pcre2>$MCAFEE_INFO</id_pcre2> <description>McAfee Windows AV informational event.</description> </rule> <rule id="7502" level="3"> <if_sid>7500</if_sid> <id_pcre2>$MCAFEE_WARN</id_pcre2> <description>McAfee Windows AV warning event.</description> </rule> <rule id="7503" level="4"> <if_sid>7500</if_sid> <id_pcre2>$MCAFEE_ERROR</id_pcre2> <description>McAfee Windows AV error event.</description> </rule> <rule id="7504" level="12"> <if_sid>7500</if_sid> <pcre2>$MCAFEE_VIRUS</pcre2> <group>virus</group> <description>McAfee Windows AV - Virus detected and not removed.</description> </rule> <rule id="7505" level="7"> <if_sid>7504</if_sid> <pcre2>$MCAFEE_VIRUS_OK</pcre2> <group>virus</group> <description>McAfee Windows AV - Virus detected and properly removed.</description> </rule> <rule id="7506" level="7"> <if_sid>7504</if_sid> <pcre2>Will be deleted</pcre2> <group>virus</group> <description>McAfee Windows AV - Virus detected and file will be deleted.</description> </rule> <rule id="7507" level="3"> <if_sid>7500</if_sid> <pcre2>scan started|scan stopped</pcre2> <description>McAfee Windows AV - Scan started or stopped.</description> </rule> <rule id="7508" level="3"> <if_sid>7501</if_sid> <id_pcre2>^257</id_pcre2> <pcre2>completed\. No detections</pcre2> <description>McAfee Windows AV - Scan completed with no viruses found.</description> </rule> <rule id="7509" level="5"> <if_sid>7500</if_sid> <pcre2>scan was cancelled |has taken too long</pcre2> <description>McAfee Windows AV - Virus scan cancelled.</description> </rule> <rule id="7510" level="5"> <if_sid>7500</if_sid> <pcre2>scan was canceled because</pcre2> <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description> </rule> <rule id="7511" level="3"> <if_sid>7500</if_sid> <pcre2>update was successful</pcre2> <description>McAfee Windows AV - Virus program or DAT update succeeded.</description> </rule> <rule id="07512" level="7"> <if_sid>7500</if_sid> <pcre2>update failed</pcre2> <description>McAfee Windows AV - Virus program or DAT update failed.</description> </rule> <rule id="7513" level="7"> <if_sid>7500</if_sid> <pcre2>update was cancelled</pcre2> <description>McAfee Windows AV - Virus program or DAT update cancelled.</description> </rule> <rule id="7514" level="5"> <if_sid>7505</if_sid> <pcre2>contains the EICAR test file</pcre2> <options>alert_by_email</options> <description>McAfee Windows AV - EICAR test file detected.</description> </rule> <!-- Composite rules --> <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240"> <if_matched_sid>7502</if_matched_sid> <description>Multiple McAfee AV warning events.</description> </rule> </group>
统计类规则写法,https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
<var name="SYS_USERS">^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$</var>
<!-- Attack signatures -->
<group name="syslog,attacks,">
<rule id="40101" level="12">
<if_group>authentication_success</if_group>
<user_pcre2>$SYS_USERS</user_pcre2>
<description>System user successfully logged to the system.</description>
<group>invalid_login,</group>
</rule>
<rule id="40102" level="14">
<pcre2>^rpc\.statd\[\d+\]: gethostbyname error for [^A-Za-z0-9@_-]+</pcre2>
<description>Buffer overflow attack on rpc.statd</description>
<group>exploit_attempt,</group>
</rule>
<rule id="40103" level="14">
<pcre2>ftpd\[\d+\]: \S+ FTP LOGIN FROM .+ 0bin0sh</pcre2>
<description>Buffer overflow on WU-FTPD versions prior to 2.6</description>
<group>exploit_attempt,</group>
</rule>
<rule id="40104" level="13">
<pcre2>\?{21}</pcre2>
<description>Possible buffer overflow attempt.</description>
<group>exploit_attempt,</group>
</rule>
<rule id="40105" level="12">
<pcre2>changed by \(\(null\)</pcre2>
<description>"Null" user changed some information.</description>
<group>exploit_attempt,</group>
</rule>
<rule id="40106" level="12">
<pcre2>@{25}</pcre2>
<description>Buffer overflow attempt (probably on yppasswd).</description>
<group>exploit_attempt,</group>
</rule>
<rule id="40107" level="14">
<pcre2>cachefsd: Segmentation Fault - core dumped</pcre2>
<description>Heap overflow in the Solaris cachefsd service.</description>
<info type='cve'>2002-0033</info>
<group>exploit_attempt,</group>
</rule>
<rule id="40109" level="12">
<pcre2>attempt to execute code on stack by</pcre2>
<description>Stack overflow attempt or program exiting </description>
<description>with SEGV (Solaris).</description>
<info type="link">http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html</info>
<group>exploit_attempt,</group>
</rule>
<rule id="40111" level="10" frequency="10" timeframe="160">
<if_matched_group>authentication_failed</if_matched_group>
<description>Multiple authentication failures.</description>
<group>authentication_failures,</group>
</rule>
<rule id="40112" level="12" timeframe="240">
<if_group>authentication_success</if_group>
<if_matched_group>authentication_failures</if_matched_group>
<same_source_ip />
<description>Multiple authentication failures followed </description>
<description>by a success.</description>
</rule>
<rule id="40113" level="12" frequency="6" timeframe="360">
<if_matched_group>virus</if_matched_group>
<description>Multiple viruses detected - Possible outbreak.</description>
<group>virus,</group>
</rule>
</group> <!-- SYSLOG, ATTACKS, -->
<!-- Privilege escalation messages -->
<group name="syslog,elevation_of_privilege,">
<rule id="40501" level="15" timeframe="300" frequency="2">
<if_group>adduser</if_group>
<if_matched_group>attacks</if_matched_group>
<description>Attacks followed by the addition </description>
<description>of an user.</description>
</rule>
</group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->
<!-- Scan signatures -->
<group name="syslog,recon,">
<rule id="40601" level="10" frequency="10" timeframe="90" ignore="90">
<if_matched_group>connection_attempt</if_matched_group>
<description>Network scan from same source ip.</description>
<same_source_ip />
<info type="link">http://project.honeynet.org/papers/enemy2/</info>
</rule>
</group> <!-- SYSLOG,SCANS -->
看看 ossec的 规则规范:https://ossec-documentation.readthedocs.io/en/latest/manual/lids/rules.html
Rules
Rules compare log messsages to a set of pre-defined conditions. The comparisons can happen on the entire log message, or on fields defined in decoders.
rule
Each rule begins by defining certain settings
- level
This defines the severity of the rule. Valid levels are 0-16.
- id
A unique identification number for the rule.
- maxsize
Specifies the maximum size of the event. The valid range is 1-99999
- frequency
Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.
Note
More information about how frequency is counted can be found in this thread.
- timeframe
The timeframe in seconds. This option is intended to be used with the frequency option.
- ignore
The time (in seconds) to ignore this rule after firing it (to avoid floods).
- overwrite
Used to supercede an OSSEC rule with local changes. This is useful to change the level or other options of rules included with OSSEC.
- noalert
Prevent the rule from triggering an alert. Further rule checks will not happen, except for rules specifically using this rule in an <if_sid> configuraiton.
match
A simple string comparison.
regex
This option uses the OSSEC regex syntax for comparisons.
pcre2
The pcre2 option utlizes OSSEC’s pcre2 support. Refer to the pcre2 page for information on the syntax. ==》PCRE - Perl Compatible Regular Expressions
decoded_as
Define a decoder that must be matched for the rule comparison to continue. 从后面示例可以看到主要是自定义一些“解码”“检查”函数,提取数据等!!!==》示例:<rule id="509" level="0"> <category>ossec</category> <decoded_as>rootcheck</decoded_as> <description>Rootcheck event.</description> <group>pci_dss_10.6.1,rootcheck,</group> </rule>
<decoder name="sshd"> <program_name_pcre2>^sshd</program_name_pcre2> </decoder> <decoder name="sshd-success"> <parent>sshd</parent> <prematch_pcre2>^Accepted</prematch_pcre2> <pcre2 offset="after_prematch">^ \S+ for (\S+) from (\S+) port </pcre2> <order>user, srcip</order> <fts>name, user, location</fts> </decoder> <decoder name="ssh-denied"> <parent>sshd</parent> <prematch_pcre2>^User \S+ from </prematch_pcre2> <pcre2 offset="after_parent">^User (\S+) from (\S+) </pcre2> <order>user, srcip</order> </decoder> <decoder name="sshd-success-solaris"> <parent>sshd</parent> <prematch_pcre2>^User </prematch_pcre2> <pcre2 offset="after_prematch">^(\S+), coming from (\S+), </pcre2> <order>user, srcip</order> <fts>name, user, location</fts> </decoder> <decoder name="ssh-kbd"> <parent>sshd</parent> <prematch_pcre2 offset="after_parent">^Postponed keyboard-interactive|^Failed keyboard-interactive</prematch_pcre2> <pcre2 offset="after_prematch"> user (\S+) from (\S+) port (\d+) </pcre2> <order>user, srcip, srcport</order> </decoder> <decoder name="ssh-invfailed"> <parent>sshd</parent> <prematch_pcre2>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch_pcre2> <pcre2 offset="after_prematch">from (\S+) port \d+ \w+$</pcre2> <order>srcip</order> </decoder> <decoder name="ssh-failed"> <parent>sshd</parent> <prematch_pcre2>^Failed \S+ </prematch_pcre2> <pcre2 offset="after_prematch">^for (\S+) from (\S+) port \d+</pcre2> <order>user, srcip</order> </decoder> <decoder name="ssh-error"> <parent>sshd</parent> <prematch_pcre2>^error: PAM: Authentication \w+ </prematch_pcre2> <pcre2 offset="after_prematch">^for (\S+) from (\S+)$</pcre2> <order>user, srcip</order> </decoder> <decoder name="ssh-pam-error"> <parent>sshd</parent> <prematch_pcre2>^error: PAM: </prematch_pcre2> <pcre2 offset="after_prematch">user (\S+) from (\S+)</pcre2> <order>user, srcip</order> </decoder> <decoder name="ssh-reverse-mapping"> <parent>sshd</parent> <prematch_pcre2>^reverse mapping checking </prematch_pcre2> <pcre2 offset="after_prematch">^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+) </pcre2> <order>srcip</order> </decoder> <decoder name="ssh-invalid-user"> <parent>sshd</parent> <prematch_pcre2>^Invalid user|^Illegal user</prematch_pcre2> <pcre2 offset="after_prematch"> from (\S+)</pcre2> <order>srcip</order> </decoder> <decoder name="ssh-scan"> <parent>sshd</parent> <prematch_pcre2>^scanned from</prematch_pcre2> <pcre2 offset="after_prematch"> (\S+) </pcre2> <order>srcip</order> </decoder> <decoder name="ssh-received"> <parent>sshd</parent> <prematch_pcre2>^Received disconnect </prematch_pcre2> <pcre2 offset="after_prematch">^from (\S+): |^from (\S+) </pcre2> <order>srcip</order> </decoder> <decoder name="ssh-disconnected"> <parent>sshd</parent> <prematch_pcre2>^Disconnected from invalid user</prematch_pcre2> <pcre2 offset="after_prematch">\S+ (\S+) </pcre2> <order>srcip</order> </decoder>
<rule id="550" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed</decoded_as> <description>Integrity checksum changed.</description> <group>syscheck,</group> </rule> <rule id="551" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed_2nd</decoded_as> <description>Integrity checksum changed again (2nd time).</description> <group>syscheck,</group> </rule> <rule id="552" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed_3rd</decoded_as> <description>Integrity checksum changed again (3rd time).</description> <group>syscheck,</group> </rule> <rule id="553" level="7"> <category>ossec</category> <decoded_as>syscheck_deleted</decoded_as> <description>File deleted. Unable to retrieve checksum.</description> <group>syscheck,</group> </rule> <rule id="554" level="5"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule> <rule id="555" level="7"> <if_sid>500</if_sid> <pcre2>^ossec: agentless: </pcre2> <description>Integrity checksum for agentless device changed.</description> <group>syscheck,agentless</group> </rule> <!-- Hostinfo rules --> <rule id="580" level="8"> <category>ossec</category> <decoded_as>hostinfo_modified</decoded_as> <description>Host information changed.</description> <group>hostinfo,</group> </rule>
category
The decoded category to match (ids, syslog, firewall, web-log, squid or windows).
srcip
Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.
dstip
Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.
extra_data
Any string that is decoded into theextra_datafield.
user
Any username (decoded as the username).
program_name
Program name is decoded from syslog process name.
hostname
Any hostname (decoded as the syslog hostname) or log file.
time
Time that the event was generated. Any time range can be defined, in the format of hh:mm-hh:mm. AM/PM can also be used: <time>6 am - 6 pm</time>
weekday
Specify a week day that the event was generated. Multiple entries can be separated by commas.
id
Any ID (decoded as the ID).
url
Any string decoded into the url field.
if_sid
Matches if the rule ID has matched. This is used to create children to other rules. ==》数据过滤用
if_group
Matches if the group has matched before. This can be used to create children of other rules.
if_level
Matches if the level has matched before.
if_matched_sid
Matches if an alert of the defined ID has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.
Note
Rules at level 0 are discarded immediately and will not be used with the
if_matched_rules. The level must be at least1, but the<no_log>option can be added to the rule to make sure it does not get logged.
if_matched_group
same_id
same_source_ip
same_source_port
same_dst_port
same_location
same_user
Specifies that the decoded user must be the same. This option is used in conjunction with frequency an timeframe.举例:登录尝试最后攻击成功!!!==》这样看,ossec做得还是不错的!!!674 <rule id="40112" level="12" timeframe="240"> 675 <if_group>authentication_success</if_group> 676 <if_matched_group>authentication_failures</if_matched_group> 677 <same_source_ip /> 678 <description>Multiple authentication failures followed </description> 679 <description>by a success.</description> 680 </rule>其中有一个group是认证成功的,我们看看其定义,可知道是表示是各个场景下认证成功的数据采集:
830 <rule id="4722" level="3"> 831 <if_sid>4715</if_sid> 832 <id_pcre2>^%SEC_LOGIN-5-LOGIN_SUCCESS</id_pcre2> 833 <description>Successful login to the router.</description> 834 <group>authentication_success,</group> 835 </rule> 836
960 <rule id="3904" level="3"> 961 <if_sid>3900</if_sid> 962 <pcre2>^LOGIN,</pcre2> 963 <description>Courier (imap/pop3) authentication success.</description> 964 <group>authentication_success,</group> 965 </rule>
1169 <rule id="51009" level="0"> 1170 <if_sid>51000</if_sid> 1171 <pcre2>password auth succeeded for</pcre2> 1172 <description>User successfully logged in using a password.</description> 1173 <group>authentication_success,</group> 1174 </rule>还有类似的更多。。。
我们再看看authentication_failures定义,可知道是表示是各个场景下认证失败的数据采集:
1389 <rule id="11109" level="10"> 1390 <if_sid>11100</if_sid> 1391 <pcre2>repeated login failures</pcre2> 1392 <description>Multiple FTP failed login attempts.</description> 1393 <group>authentication_failures,</group> 1394 </rule> 1395 1487 <rule id="9351" level="10" frequency="6" timeframe="120"> 1488 <if_matched_sid>9306</if_matched_sid> 1489 <same_source_ip /> 1490 <description>Horde brute force (multiple failed logins).</description> 1491 <group>authentication_failures,</group> 1492 </rule> 1652 <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120"> 1653 <if_matched_sid>3601</if_matched_sid> 1654 <same_source_ip /> 1655 <description>Multiple failed logins from same source ip.</description> 1656 <group>authentication_failures,</group> 1657 </rule> ...
再补充下检测暴力破解的case:
1066 <rule id="9751" level="10" frequency="6" timeframe="240"> 1067 <if_matched_sid>9705</if_matched_sid> 1068 <same_source_ip /> 1069 <description>Dovecot brute force attack (multiple auth failures).</description> 1070 <group>authentication_failures,</group> 1071 </rule>
description
The rule description.
list
Preform a CDB lookup using an ossec list. This is a fast on disk database which will always find keys within two seeks of the file.
field
Field that is used as the key to look up in the CDB file:
- Value: srcip
- Value: srcport
- Value: dstip
- Value: dstport
- Value: extra_data
- Value: user
- Value: url
- Value: id
- Value: hostname
- Value: program_name
- Value: status
- Value: action
lookup
This is the type of lookup that is preformed:
Value: match_key
- Positive key match: field is the key to search within the cdb and will match if they key is present.
- This is the default if no lookup is specified.
Value: not_match_key
- Negative key match: field is the key to search and will match if it IS NOT present in the database.
Value: match_key_value
- Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
Value: address_match_key
- Positive key match: field is an IP address and the key to search within the cdb and will match if they key is present.
Value: not_address_match_key
- Negative key match: field is an IP address the key to search and will match if it IS NOT present in the database.
Value: address_match_key_value
- Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.
Note
This feature is not yet complete.
check_value
- regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value
Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.
Example:
<rule id="100000" level="7"> <list lookup="match_key" field="srcip">path/to/list/file</list> <description>Checking srcip against cdb list file</description> </rule>
info
Extra information may be added to an alert using info. The type must be specified using one of the following options:
type
Value: text
This is the default when no type is selected. Just used for additional information about the alert/event.
Value: link
Link to more information about the alert/event.
Value: cve
The CVE Number related to this alert/event.
Value: ovsdb
The osvdb id related to this alert/event.
Example:
<rule id="502" level="3"> <if_sid>500</if_sid> <options>alert_by_email</options> <match>Ossec started</match> <description>Ossec server started.</description> <info type="link">http://ossec.net/wiki/Rule:205</info> <info type="cve">2009-1002</info> <info type="osvdb"> 61509</info> <info type="text">Internal Why we are running this run in our company</info> <info>Type text is the default</info> </rule>
options
Additional rule options
alert_by_email
Always alert by email.
- Example: <options>alert_by_email</options>
no_email_alert
Never alert by email.
- Example: <options>no_email_alert</options>
no_log
Do not log this alert.
- Example: <options>no_log</options>
check_diff
Used to determine when the output of a command changes.
group
Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by usingif_grouporif_matched_group, or by alert parsing tools to categorize alerts.
我们再看看wazuh,因为是继承自OSSEC,所以规则:https://github.com/wazuh/wazuh-ruleset/tree/master/rules
但是加了mitre!!!
<rule id="2833" level="8">
<if_sid>2832</if_sid>
<match>REPLACE (root)</match>
<description>Root's crontab entry changed.</description>
<mitre>
<id>T1053.003</id>
</mitre>
<group>pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_10.2.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
其他差异见下一个博客。
相关文章
- 10.24VR行业大事件:App Lab应用数量飙升至1457款,是Quest主商店的三倍多
- Android触摸屏事件派发机制详解与源码分析三(Activity篇)
- 8.31VR行业大事件:卡马克:今年的即兴演讲在VR中进行;《堡垒之夜》或将推出VR版
- 关于onChange事件和omComposition事件的先后顺序解决,采用onKeyDown
- libudev+V4L2 linux usb摄像头列表发现以及热拔插事件
- OO ALV中的data_changed、data_changed_finished事件介绍详解编程语言
- 事件查看器MySQL:追踪数据库活动变化(事件查看器mysql)
- 天翼,有毒?“校园客户端挂马事件”雷锋网独家解析
- js事件小结表格区别
- js判断enter事件
- Javascript阻止javascript事件冒泡,获取控件ID值
- 当文本框的值发生改变时,触发事件,在IE中有效
- 一个事半功倍的c#方法动态注册按钮事件
- 最佳的addEvent事件绑定是怎样诞生的
- JQuery文本改变触发事件如聚焦事件、失焦事件
- ZendFramework2.0事件管理器(TheEventManager)入门教程
- JS实现OCX控件的事件响应示例