OSSEC是一款开源的多平台的入侵检测系统，可以运行于Windows, Linux, OpenBSD/FreeBSD, 以及 MacOS等操作系统中。包括了日志分析，全面检测，root-kit检测。

　　1. 测试和验证OSSEC泛化及告警规则

　　OSSEC默认具有一个ossec-logtest工具用于测试OSSEC的泛化及告警规则。该工具一般默认安装于目录 /var/ossec/bin 中。

　　使用示例：

　　/var/ossec/bin/ossec-logtest 2014/06/1113:15:36 ossec-testrule: INFO: Reading local decoder file. 2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740). ossec-testrule: Type one log per line. Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2 **Phase 1: Completed pre-decoding. full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2' hostname: '172.16.25.122/172.16.24.32' program_name: 'sshd' log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2' **Phase 2: Completed decoding. decoder: 'sshd' dstuser: 'root' srcip: '172.16.24.121' **Phase 3: Completed filtering (rules). Rule id: '10100' Level: '4' Description: 'First time user logged in.' **Alert to be generated.

　　如上文所示，当输入日志内容：

　　Jun 1021:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for rootfrom 172.16.24.121 port 38720 ssh2

　　该条日志经过三步处理，生成了一条4级告警，规则ID为10100，内容为“First time user logged in.”

　　使用ossec-logtest–v命令，可获取更详细的日志分析逻辑。

　　/var/ossec/bin/ossec-logtest -v 2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file. 2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091). ossec-testrule: Type one log per line. Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121 **Phase 1: Completed pre-decoding. full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121' hostname: '172.16.25.122/172.16.24.32' program_name: 'sshd' log: 'Did not receive identification string from 172.16.24.121' **Phase 2: Completed decoding. decoder: 'sshd' srcip: '172.16.24.121' **Rule debugging: Trying rule: 1 - Generic template for all syslog rules. *Rule 1 matched. *Trying child rules. Trying rule: 5500 - Grouping of the pam_unix rules. Trying rule: 5700 - SSHD messages grouped. *Rule 5700 matched. *Trying child rules. Trying rule: 5709 - Useless SSHD message without an user/ip and context. Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip. Trying rule: 5721 - System disconnected from sshd. Trying rule: 5722 - ssh connection closed. Trying rule: 5723 - SSHD key error. Trying rule: 5724 - SSHD key error. Trying rule: 5725 - Host ungracefully disconnected. Trying rule: 5727 - Attempt to start sshd when something already bound to the port. Trying rule: 5729 - Debug message. Trying rule: 5732 - Possible port forwarding failure. Trying rule: 5733 - User entered incorrect password. Trying rule: 5734 - sshd could not load one or more host keys. Trying rule: 5735 - Failed write due to one host disappearing. Trying rule: 5736 - Connection reset or aborted. Trying rule: 5707 - OpenSSH challenge-response exploit. Trying rule: 5701 - Possible attack on the ssh server (or version gathering). Trying rule: 5706 - SSH insecure connection attempt (scan). *Rule 5706 matched. **Phase 3: Completed filtering (rules). Rule id: '5706' Level: '6' Description: 'SSH insecure connection attempt (scan).' **Alert to be generated.

　　2. 自定义日志泛化规则

　　2.1 添加日志源

　　添加日志源的方式很简单，通过修改/var/ossec/etc/ossec.conf 即可实现。

　　如果日志源是本地文件，可通过添加如下配置实现。

　　 syslog /path/to/log/file

　　如果日志源是远程syslog，可通过添加如下配置实现。

　　 syslog udp 2514 172.16.24.0/24

　　2.2 创建自定义的日志泛化规则

　　假如有两条日志如下文：

　　Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat loginSUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .Jun 11 22:06:30172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERRORfrom 172.17.153.36 to 172.17.153.38 distport 3333 .

　　该日志使用ossec-logtest分析之后结果如下：

　　Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .**Phase 1: Completed pre-decoding. full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .' hostname: '172.17.153.38/172.16.24.32' program_name: '/usr/bin/auditServerd' log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'**Phase 2: Completed decoding. No decoder matched

　　由此可知OSSEC在分析日志的时候，经过了两个泛化过程：pre-decoding和 decoding。

　　pre-decoding过程是ossec内置的，只要是标准的syslog日志，都可以解析出如下4个基本信息。

　　Timestamp:Jun 11 22:06:30Hostname: 172.17.153.38/172.16.24.32Programe_name: /usr/bin/auditServerdLog: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333.

　　在decoding过程，用户可以通过修改/var/ossec/etc/decoder.xml，实现自定义的泛化。例如在该文件中添加如下规则：

　　 /usr/bin/auditServerd

　　再次执行/var/ossec/bin/ossec-logtest

　　**Phase 1: Completed pre-decoding. full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .' hostname: '172.17.153.38/172.16.24.32' program_name: '/usr/bin/auditServerd' log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .' **Phase 2: Completed decoding. decoder: 'auditServerd'

　　发现，该条日志成功命中了名为auditServerd的规则，该条规则可以准确的将日志定位为是程序auditServerd所发出的。

　　除此之外，基于auditServerd这条规则，我们还可以添加更多的子规则，来识别出更多的信息。如:

　　 /usr/bin/auditServerd auditServerd ^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$ user,status,srcip,dstip,dstport

　　再次执行/var/ossec/bin/ossec-logtest，可获取更多的信息，如下：

　　**Phase 1: Completed pre-decoding. full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32/usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to172.17.153.38 distport 3333 .' hostname: '172.17.153.38/172.16.24.32' program_name: '/usr/bin/auditServerd' log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38distport 3333 .' **Phase 2: Completed decoding. decoder: 'auditServerd' dstuser: 'blackrat' status:'SUCEESS' srcip: '172.17.153.36' dstip: '172.17.153.

　　用户通过配置上述正则表达式，获取特定字段，用于后续的关联分析。OSSEC一共内置了14个用户可解析的字段：

　　- location – where the log came from (only on FTS) - srcuser - extracts the source username - dstuser - extracts the destination (target) username - user – an alias to dstuser (only one of the two can be used) - srcip - source ip - dstip - dst ip - srcport - source port - dstport - destination port - protocol – protocol - id – event id - url - url of the event - action – event action (deny, drop, accept, etc) - status – event status (success, failure, etc) - extra_data – Any extra data

　　3. 自定义日志告警规则

　　3.1 规则文件路径配置

　　OSSEC的规则配置文件默认路径为/var/ossec/rules/，要加载规则文件，需要在/var/ossec/etc/ossec.conf 中配置，默认的配置如下：

　　 rules_config.xml pam_rules.xml sshd_rules.xml telnetd_rules.xml syslog_rules.xml arpwatch_rules.xml ...... clam_av_rules.xml bro-ids_rules.xml dropbear_rules.xml local_rules.xml

　　其实通过下列配置，可以实现加载/var/ossec/rules 下的所有规则文件：

　　 rules

　　于泛化规则，也可以通过配置decoder_dir域来实现，如：

　　 rules/plugins/decoders

　　上述配置可将/var/ossec/rules/plugins/plugins/decoders目录下所有的xml文件都添加为OSSEC日志泛化规则。

　　对于更详细的配置及语法，可参考下列文档：

　　http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

　　3.2 OSSEC告警规则配置

　　例如，我们需要增加对程序auditServerd的告警规则，我们需要针对auditServerd程序新建一个规则文件，对于OSSEC中已经存在的规则文件如sshd, openbsd, vsftpd等，我们只需要在对应的文件中进行新增或修改。

　　首先我们新建文件

　　/var/ossec/rules/auditServerd_rules.xml

　　添加如下内容：

　　 auditServerd Grouping for the auditServerd rules. 80000 blackrat 172.17.153.36 User blackrat is not allowed login from 172.17.153.36!

　　上述规则中，规则id 80000 用于对日志进行分组计数，假如日志中出现了泛化为auditServerd的日志，则对该日志分组为auditServer，且状态机计数加1.

　　规则80001描述了假如user为blackrat，srcip为172.17.153.36 则命中，并发出“User blackrat is not allowed login from 172.17.153.36!”的告警。

　　将该文件路径加入到文件/var/ossec/etc/ossec.conf中

　　… dropbear_rules.xml local_rules.xml auditServerd_rules.xml

　　执行/var/ossec/bin/ossec-logtest，结果如下：

　　**Phase 1: Completed pre-decoding. full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .' hostname: '172.17.153.38/172.16.24.32' program_name: '/usr/bin/auditServerd' log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .' **Phase 2: Completed decoding. decoder: 'auditServerd' dstuser: 'blackrat' status: 'SUCEESS' srcip: '172.17.153.36' dstip: '172.17.153.38' dstport: '3333' **Phase 3: Completed filtering (rules). Rule id: '80001' Level: '10' Description: 'User blackrat is not allowed login from 172.17.153.36!' **Alert to be generated.

　　3.3 关联分析告警规则

　　OSSEC可以实现基于因果关系、事件频次的关联分析告警，具体实现方式如下。

　　假如我们想要实现当来自同一IP的用户登陆auditServerd，在1分钟内达到5次登录失败时，进行告警，我们可以配置规则如下：

　　 auditServerd Grouping for the auditServerd rules. 80000 SUCEESS blackrat 172.17.153.36 User blackrat is not allowed login from 172.17.153.36! 80000 PWD_ERROR authServer_login_failures, login auditServerd password error. authServer_login_failures auditServerd brute force trying to get access to the audit system. authentication_failures,

　　执行/var/ossec/bin/ossec-logtest，连续五次输入日志：

　　结果如下：

　　**Phase 1: Completed pre-decoding. full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .' hostname: '172.17.153.38/172.16.24.32' program_name: '/usr/bin/auditServerd' log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .' **Phase 2: Completed decoding. decoder: 'auditServerd' dstuser: 'blackrat' status: 'PWD_ERROR' srcip: '172.17.153.36' dstip: '172.17.153.38' dstport: '3333' **Phase 3: Completed filtering (rules). Rule id: '80003' Level: '15' Description: 'auditServerd brute force trying to get access to the audit system.' **Alert to be generated.