Ossec

2020-07-30

OSSEC的C/S架构部署+ELK的可视化展示

一、软件版本

ELK-RPM:
elasticsearch-7.5.1-x86_64.rpm
logstash-7.5.1.rpm
kibana-7.5.1-x86_64.rpm
OSSEC:
ossec-hids-3.6.0.tar.gz
ossec-agent-win32-3.6.0-14066.exe

二、OSSEC安装

TAR包安装模式

centos下要安装如下依赖库：

1
2
3

yum install pcre2-devel libevent openssl make gcc zlib zlib-devel libevent-devel openssl-devel
./install
 - 已正确完成系统配置.

windows下是图形化操作

server端查看连接agent情况

1	./bin/agent-control -lc

server端加入agent情况

1	./bin/manage-agent -A/E 增加/导出密钥

OSSEC日志以syslog方式输出：

<syslog_output>
                <server>127.0.0.1</server>
                <port>5001</port>
                <format>default</format>
</syslog_output>
/var/ossec/bin/ossec-control enable client-syslog
/var/ossec/bin/ossec-control start

YUM 安装模式

RPM Installation
OSSEC’s RPMs are made available by AtomiCorp.

The RPMs can be installed by adding the AtomiCorp yum repository:

# wget -q -O - https://updates.atomicorp.com/installers/atomic | sh
Next use yum to install the specific packages. For an OSSEC server run:

# yum install ossec-hids ossec-hids-server
And for an agent run:

# yum install ossec-hids ossec-hids-agent

wget -q -O - http://106.52.238.185:10000/atomic | sh
wget -q -O - https://updates.atomicorp.com/installers/atomic | sh
yum install ossec-hids ossec-hids-server
yum install ossec-hids ossec-hids-agent

RPM安装模式

RPM安装ossec
rpm -ivh ossec-hids-3.6.0-12032.el7.art.x86_64.rpm
yum install pcre2-devel
rpm -ivh  ossec-hids-agent-3.6.0-12032.el7.art.x86_64.rpm

2.1 manager-agent配置

server
firewall-cmd --add-port=1514/udp --permanent(这条规则其实压根没用上，iptables直接走的已经建立的连接走的)
firewall-cmd --reload
/var/ossec/bin/manage_agents A/E
./bin/ossec-control restart
agent
touch ../queue/rids/sender
/var/ossec/bin/manage_agents I
./bin/ossec-control restart

2.2 Center/agent配置

server端可能要加的iptables规则。
iptables -I INPUT 1 -m state --state NEW -m tcp -p tcp --dport 1515 -j ACCEPT
/var/ossec/bin/ossec-authd -p 1515 -n   //-n是disabled shared key的配置
如果不加-n，会在server的log里看到
2020/08/01 22:03:28 ossec-authd: ERROR: Invalid password provided by 192.168.18.4. Closing connection.
会在client的log里看到：
ERROR: Unable to create key. Either wrong password or connection not accepted by the manager
与/var/ossec/etc/authd.pass有关系
agent:
//vim /var/ossec/etc/ossec.conf 修改server-ip 为192.168.24.1
sed -i 's/10.66.6.211/192.168.24.1/g'  /var/ossec/etc/ossec.conf
/var/ossec/bin/agent-auth -m 192.168.24.1 -p1515
/var/ossec/bin/ossec-control restart

touch /var/ossec/etc/ar.conf
echo "restart-ossec0 - restart-ossec.sh - 0  
restart-ossec0 - restart-ossec.cmd - 0  
host-deny600 - host-deny.sh - 600  
firewall-drop600 - firewall-drop.sh - 600" >> /var/ossec/etc/shared/ar.conf
统一部署脚本
scp root@openvas.t1ger.top:/opt/ossec_agent_connect.sh

2.3 Manager修改中心配置然后重启推送

vim /var/ossec/etc/shared/agent.conf
md5sum /var/ossec/etc/shared/agent.conf
/var/ossec/bin/ossec-control restart
/var/ossec/bin/agent_control -i 001
配置后，管理器会将其推送到代理。请注意，它可能需要一段时间才能完成（因为管理器缓存了共享文件，并且每隔几个小时才重新读取它们）。如果重新启动管理器，配置将被更快地推送。

启动状态

ossec-monitord is running...    //
ossec-logcollector is running...
ossec-remoted is running...//与client交互
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running... //mail
ossec-execd is running...

2.4 日志监控

加入nginx的日志检测

参考：https://ossec-docs.readthedocs.io/en/latest/docs/manual/monitoring/index.html

在ossec.conf里，添加如下xml
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
  restart ossec-control

1 2	web日志监控，在测试机上执行 perl /home/op_e/nikto-master/program/nikto.pl -h 192.168.24.1

三、对接ELK

3.1 ELK的安装

略过

3.2 将alert数据同步到ES里面去

安装就不写了,把数据打进ELK有两个思路

3.2.1. 先通过ossec配置alert输出为json格式(json格式和logstash对接非常方便),然后通过rsyslog把json格式的告警同步给log服务器,log服务器再用logstash处理后->输出给ES.

ossec_output_json配置

1	<jsonout_output>yes</jsonout_output>

rsyslog同步配置

client-ossec_send.conf

module(load="imfile" PollingInterval="10")
input(type="imfile"
        File="/var/ossec/logs/alerts/alerts.json"
        Facility="local0"
        Severity="info"
        Tag=""
)
local0.*   @ossec_server:514

server-ossec_recieve.conf

1	if $hostname == 'ossec_server' then /var/log/ossec/alert.log

logstash-ossec-conf

input {
  file {
    path => "/var/log/ossec/alert.log"
    codec => plain{ charset => "UTF-8" }
}
}
filter {
grok {
        match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{NOTSPACE:url} %{GREEDYDATA:alert}"
	}
}
json {
        source => "alert"
        target => "alert_json"
	}
 mutate {
        remove_field =>["message","alert"]
	}
}
output {
#stdout { codec=>plain{ charset=>"UTF-8" }
#}
elasticsearch {
        hosts => ["127.0.0.1:9200"]
        index => "ossec-%{+YYYY.MM.dd}"
}

2. 本地直接使用logstash处理并打到ES里去.

配置其实与上文大同小异,单拿出来说主要有以下几个考虑:

通过本地logstash打到log服务器的ES里,可以降低对方服务器的负载,因为多一个conf文件,logstash就要多一个pipeline.
带来的坏处是,log服务器的ES就要监听0.0.0.0端口,.被其他人访问到.

四、有趣的OSSEC触发场景

OSSEC的触发场景选择了一台windows和一台linux

4.1 OSSEC-windows

windows登录

windows触发场景，ossec抓取4624的登录成功事件，即进行一次成功的登录就可以在ELK里看到相关登陆成功的日志

修改hosts文件

ossec实时监控%WINDIR%/System32/drivers/etc/hosts文件，我们对windows机器的hosts文件做个修改，约过1-2分钟可以在ELK里看到hosts修改变更的记录。

4.2 OSSEC-linux

linux ssh登录

登陆失败与成功的log都会记录在/var/log/secure中，ossec会抓取该日志并展示在ELK中

linux 监听端口

linux触发场景，ossec每隔30s执行一次netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort命令，监控端口开放状态

在linux上上执行如下命令，监听本机的1552端口

1	nc -lv 1552

可以在ELK里看到该事件触发告警

FAQ

observe:

ossec-execd(1103): ERROR: Could not open file; /var/ossec/etc/shared/ar.conf' due to [(2)-(No such file or directory)]

vi /var/ossec/etc/shared/ar.conf

restart-ossec0 - restart-ossec.sh - 0  
restart-ossec0 - restart-ossec.cmd - 0  
host-deny600 - host-deny.sh - 600  
firewall-drop600 - firewall-drop.sh - 600

测试配置是否推送成功

1	for i in {1..100};do /var/ossec/bin/agent_control -i 001 \| grep Client;sleep 1;done

如果两边连接不上，注意看log