1、Syscheck
Integrity checking is an essential part of intrusion detection.
執行週期 periodically: scans the system every few hours(by default 22h for ubuntu and 20h for windows).
數據存放位置 database stored: on the maneger in /var/ossec/queue/syscheck.
三次改變則以後忽略 By default when a file has changed 3 times futher changes are automaticallyignored.
配置選項:祥見原文http://www.ossec.net/doc/manual/syscheck/index.html#configuration-options
2、Rootcheck
執行週期:by default every 2 hours.
檢測內容:
a. Read the rootkit_files.txt which contains a database of rootkits and files commonly used by them.
b. Reat the rootkit_trojans.txt which contains a database of signatures of files trojaned by rootkits.
c. Scan the /dev directory looking for anomalies.
d. Scan the whole filesystem looking for unusual files and permission problems.
e. Look for the presence of hidden processes.
f. Look for the presence of hidden ports.
g. Scan all interfaces on the system and look for the ones with "promisc" mode enabled.
配置選項:見原文http://www.ossec.net/doc/manual/rootcheck/index.html#configuration-options
3、Agent
Agent可以在終端配置,也可以在服務器端集中配置。http://www.ossec.net/doc/manual/agent/agent-configuration.html
Agentless:在沒有裝agent的設備或系統上,也可以進行integrity checking:http://www.ossec.net/doc/manual/agent/agentless-monitoring.html#agentless-monitoring
4、Log monitoring/analysis
It is done in real time.
It is done inside OSSEC by the logcollector and analysisd processes.
配置選項:詳見原文:http://www.ossec.net/doc/manual/monitoring/index.html#configuration-options。
OSSEC不僅能監測文件名固定的log文件,也可以監測文件名隨時間變化的log文件。比如/var/log/apache2/access.log.2010-09-25, 可以設置爲
<location>/var/log/apache2/access.log.%Y-%m-%d.
Ossec不僅能處理log文件,也檢測進程和命令的輸出,並對他們像log一樣進行處理。
比如通過監聽命令"df -f"的輸出,並設置相應的rule(已設置),一旦有磁盤利用率達到100%就報警;
比如通過監聽命令"netstat -tan | grep LISTEN | grep -v 127.0.01"的輸出,並設置相應的rule,一旦有新的端口開放(即此命令的輸出有改變)就報警。
甚至可以檢測是否有U盤插入等等。
此方法很靈活啊!
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
5、Rules and Decoders
測試new rules and decoders的方法:使用工具/var/ossec/bin/ossec-logtest。http://www.ossec.net/doc/manual/rules-decoders/testing.html
CDB(Contet-based Data Base) list lookups from within Rules. http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
編寫自己的decoder和rules:
ossec的decoder文件保存在/var/ossec/etc/decoder.xml中。自己要編寫最好新建一個local_decoder.xml。(測試未通過,不知是在何處設置decoder文件)
ossec有自己的一套正則表達式regex解析法,所以regex越簡單越好越不容易出錯。
先編寫好decoder,再在/var/ossec/bin/local_rules.xml中添加對應的rules。http://www.ossec.net/doc/manual/rules-decoders/create-custom.html
如果在ossec.conf中沒有指定<decoders>,那麼將默認加載etc/decoder.xml and etc/local_decoder.xml。
ossec.conf中不僅可以單文件的指定rules文件和decoder文件,也可以直接指定目錄,例如:
<ossec_config>
<rules>
<decoder>etc/decoder.xml</decoder>
<decoder_dir>rules/plugins</decoder_dir>
<rule>rules/rules/00_rules_config.xml</rule>
<rule_dir pattern=".xml$">rules/</rule_dir>
<rule_dir>rules/plugins</rule_dir>
</rules>
</ossec_config>
可以通過syslog將alart發送給一個或多個syslog servers。http://www.ossec.net/doc/manual/output/syslog-output.html
<syslog_output>
<server>192.168.4.1</server>
</syslog_output>
<syslog_output>
<level>10</level>
<server>10.1.1.1</server>
</syslog_output>
也可以將alert發個一個或多個E-Mail郵箱。
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>mx.example.com..</smtp_server>
<email_from>[email protected]</email_from>
</global>
<alerts>
<email_alert_level>10</email_alert_level>
</alerts>
也可以輸出到數據庫和prelude。
可以設置一些腳本命令來主動響應一些alert。http://www.ossec.net/doc/manual/ar/index.html