从上层检测逻辑看 OSSEC HIDS 规则引擎：支持单事件正则匹配、统计类（频次）规则，也支持前后事件关联，例如暴力破解检测、爆破后登录成功检测

检测规则: https://github.com/ossec/ossec-hids/blob/master/etc/rules/

 

针对 web 安全的规则，见 https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_appsec_rules.xml

<!-- Collection of rules for common web attacks that we are seeing in the wild.
  -  The real goal is to stop bots and automated attacks from doing further damage
  -  on sites that are not updated.
  -  Every rule in this group chains from 31100 (web access-log events, defined in
  -  web_rules.xml), so each one inspects a single access-log line; only 31510 and
  -  31533 aggregate events over time. pcre2 is tested against the whole log line;
  -  url_pcre2 presumably against the extracted URL field only (TODO confirm).
  -->
<group name="web,appsec,attack">

  <!-- Checking POST / requests - WP comment spam coming from fake search engines.
    -  The UA string is client-supplied, so this is a spam heuristic, not proof of origin.
    -->
  <rule id="31501" level="6">
    <if_sid>31100</if_sid>
    <pcre2>POST /.*(?:Googlebot|MSNBot|BingBot)</pcre2>
    <url_pcre2>/wp-comments-post\.php</url_pcre2>
    <description>WordPress Comment Spam (coming from a fake search engine UA).</description>
   </rule>

  <!-- Timthumb scans.
    -  src= pointing at a remote .php file is the remote-include probe.
    -->
  <rule id="31502" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>thumb\.php|timthumb\.php</url_pcre2>
    <pcre2> "GET \S+thumb\.php\?src=\S+\.php</pcre2>
    <description>TimThumb vulnerability exploit attempt.</description>
   </rule>

  <!-- osCommerce login.php bypass
    -->
  <rule id="31503" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>login\.php</url_pcre2>
    <pcre2> "POST /\S+\.php/login\.php\?cPath=</pcre2>
    <description>osCommerce login.php bypass attempt.</description>
   </rule>

  <!-- osCommerce file manager login.php bypass
    -->
  <rule id="31504" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>login\.php</url_pcre2>
    <pcre2>/admin/[A-Za-z0-9@_-]+\.php/login\.php</pcre2>
    <description>osCommerce file manager login.php bypass attempt.</description>
   </rule>

  <!-- Timthumb backdoor access.
    -  A .php file being fetched from the /cache/external directory.
    -->
  <rule id="31505" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>/cache/external</url_pcre2>
    <pcre2> "GET /\S+/cache/external\S+\.php</pcre2>
    <description>TimThumb backdoor access attempt.</description>
   </rule>

  <!-- Cart.php directory traversal via templatefile=../
    -  (the description below is the authoritative label for this rule).
    -->
  <rule id="31506" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>cart\.php</url_pcre2>
    <pcre2> "GET /\S+cart\.php\?\S+templatefile=\.\./</pcre2>
    <description>Cart.php directory transversal attempt.</description>
   </rule>

  <!-- MSSQL IIS inject rules: url-encoded "DECLARE @S CHAR" / " AS CHAR" fragments. -->
  <rule id="31507" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>DECLARE%20@S%20CHAR|%20AS%20CHAR</url_pcre2>
    <description>MSSQL Injection attempt (ur.php, urchin.js).</description>
  </rule>

  <!-- BAD/Annoying user agents.
    -  Low-confidence signal: the User-Agent is chosen by the client and this
    -  static list needs periodic maintenance.
    -->
  <rule id="31508" level="6">
    <if_sid>31100</if_sid>
    <pcre2> "ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af\.sourceforge\.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s</pcre2>
    <description>Blacklisted user agent (known malicious user agent).</description>
  </rule>

  <!-- WordPress wp-login.php brute force.
    -  Parent is 31108 (simple requests with 2xx/3xx status), not 31100, so only
    -  login POSTs that were otherwise filtered as noise are counted here.
    -->
  <rule id="31509" level="3">
    <if_sid>31108</if_sid>
    <url_pcre2>wp-login\.php|/administrator</url_pcre2>
    <pcre2>\] "POST \S+wp-login\.php| "POST /administrator</pcre2>
    <description>CMS (WordPress or Joomla) login attempt.</description>
  </rule>

  <!-- If we see frequent wp-login POST's, it is likely a bot.
    -  Frequency rule: 6 matches of 31509 from one source IP within 30 seconds.
    -->
  <rule id="31510" level="8" frequency="6" timeframe="30">
    <if_matched_sid>31509</if_matched_sid>
    <same_source_ip />
    <description>CMS (WordPress or Joomla) brute force attempt.</description>
  </rule>

  <!-- Nothing wrong with wget per se, but it misses a lot of links
     - that generates many 404s. Blocking it to avoid the noise.
     - level 0 means the event is dropped, so wget traffic presumably also
     - disappears from the 31100-based frequency counters (TODO confirm).
    -->
  <rule id="31511" level="0">
    <if_sid>31100</if_sid>
    <pcre2>" "Wget/</pcre2>
    <description>Blacklisted user agent (wget).</description>
  </rule>

  <!-- Uploadify scans.
    -->
  <rule id="31512" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>uploadify\.php</url_pcre2>
    <pcre2> "GET /\S+/uploadify\.php\?src=http://\S+\.php</pcre2>
    <description>Uploadify vulnerability exploit attempt.</description>
   </rule>

  <!-- BBS delete.php skin_path.
    -->
  <rule id="31513" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>delete\.php</url_pcre2>
    <pcre2> "GET \S+/delete\.php\?board_skin_path=http://\S+\.php</pcre2>
    <description>BBS delete.php exploit attempt.</description>
   </rule>

  <!-- Simple shell.php command execution
    -  Very narrow: only the literal file name shell.php with a cmd= parameter.
    -->
  <rule id="31514" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>shell\.php</url_pcre2>
    <pcre2> "GET \S+/shell\.php\?cmd=</pcre2>
    <description>Simple shell.php command execution.</description>
   </rule>

  <!-- PHPMyAdmin scans
    -->
  <rule id="31515" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>phpMyAdmin/scripts/setup\.php</url_pcre2>
    <description>PHPMyAdmin scans (looking for setup.php).</description>
   </rule>

  <!-- Suspicious URL's access
    -  Editor/backup copies (.swp, .bak), .htaccess, mod_status, .ssh, shell
    -  history files and wallet.dat being requested over HTTP.
    -->
  <rule id="31516" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\.swp$|\.bak$|/\.htaccess|/server-status|/\.ssh|/\.history|/wallet\.dat</url_pcre2>
    <description>Suspicious URL access.</description>
   </rule>

  <!-- Checking POST requests - Too many in a small type = likely a bot
    -  no_log: this match is not written out; it exists only to feed 31533.
    -->
  <rule id="31530" level="3">
    <if_sid>31100</if_sid>
    <pcre2>\] "POST </pcre2>
    <options>no_log</options>
    <description>POST request received.</description>
   </rule>

   <!-- Level-0 child of 31530: POSTs under these admin paths are ignored and
     -  therefore presumably not counted by 31533 (TODO confirm). Note that this
     -  also hides POST floods against /admin/ and /administrator/; wp-login.php
     -  is still covered separately by 31509/31510.
     -->
   <rule id="31531" level="0">
    <if_sid>31530</if_sid>
    <url_pcre2>/wp-admin/|/administrator/|/admin/</url_pcre2>
    <description>Ignoring often post requests inside /wp-admin and /admin.</description>
   </rule>

   <!-- 6 POSTs from one source IP within 20 seconds (31510 uses 30 seconds). -->
   <rule id="31533" level="10" timeframe="20" frequency="6">
    <if_matched_sid>31530</if_matched_sid>
    <same_source_ip />
    <description>High amount of POST requests in a small period of time (likely bot).</description>
   </rule>

  <!-- Anomaly rules - Used on common web attacks
    -  %00 (url-encoded NUL) inside the query string of a .php request.
    -->
  <rule id="31550" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%00</url_pcre2>
    <pcre2> "GET /\S+\.php\?\S+%00</pcre2>
    <description>Anomaly URL query (attempting to pass null termination).</description>
   </rule>


</group>

可以看到，这些都是单事件的正则匹配。每个规则里都有一个 if_sid 31100，其含义如下：表示数据来源是 web access log：

https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml

<group name="web,accesslog,">
  <!-- Root of the web chain: every access-log event (category web-log) lands
    -  here at level 0 (no alert) and is refined by the child rules below and
    -  by web_appsec_rules.xml, which reference 31100 via if_sid.
    -->
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <!-- Level-0 noise filter for 2xx/3xx responses judged "simple" by the
    -  compiled helper. 31103 (SQLi) and 31509 (CMS login) also list it as a
    -  parent, so events swallowed here are still inspected by those rules.
    -  id_pcre2 is tested against the HTTP status code field.
    -->
  <rule id="31108" level="0">
    <if_sid>31100</if_sid>
    <id_pcre2>^2|^3</id_pcre2>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored URLs (simple queries).</description>
   </rule>

  <!-- Any 4xx status. Counted by 31151 and filtered by 31102/31140/31141. -->
  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id_pcre2>^4</id_pcre2>
    <description>Web server 400 error code.</description>
  </rule>

  <!-- 4xx on static assets is dropped (level 0) so the 31151 scan counter is
    -  not inflated by missing images/css.
    -->
  <rule id="31102" level="0">
    <if_sid>31101</if_sid>
    <url_pcre2>\.jpg$|\.gif$|favicon\.ico$|\.png$|robots\.txt$|\.css$|\.js$|\.jpeg$</url_pcre2>
    <compiled_rule>is_simple_http_request</compiled_rule>
    <description>Ignored extensions on 400 error codes.</description>
  </rule>

  <!-- SQL keywords in the URL, url-encoded (%20) or plus-encoded (\+) spacing.
    -  Consecutive url_pcre2 elements are presumably concatenated into one
    -  pattern, which is why the first line ends in "|" (TODO confirm).
    -  Counted by 31152; success correlated by 31106.
    -->
  <rule id="31103" level="6">
    <if_sid>31100,31108</if_sid>
    <url_pcre2>=select%20|select\+|insert%20|%20from%20|%20where%20|union%20|</url_pcre2>
    <url_pcre2>union\+|where\+|null,null|xp_cmdshell</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sql_injection,</group>
  </rule>

  <rule id="31104" level="6">
    <if_sid>31100</if_sid>

    <!-- Attempt to do directory traversal, simple sql injections,
      -  or access to the etc or bin directory (unix). Also covers NUL/CRLF
      -  bytes and a set of IIS/Windows-era probes. Counted by 31153. -->
    <url_pcre2>%027|%00|%01|%7f|%2E%2E|%0A|%0D|\.\./\.\.|\.\.\\\.\.|echo;|</url_pcre2>
    <url_pcre2>cmd\.exe|root\.exe|_mem_bin|msadc|/winnt/|/boot\.ini|</url_pcre2>
    <url_pcre2>/x90/|default\.ida|/sumthin|nsiislog\.dll|chmod%|wget%|cd%20|</url_pcre2>
    <url_pcre2>exec%20|\.\./\.\.//|%5C\.\./%5C|\./\./\./\./|2e%2e%5c%2e|\\x5C\\x5C</url_pcre2>
    <description>Common web attack.</description>
    <group>attack,</group>
  </rule>

  <!-- Script tags and event handlers in the URL, raw or url-encoded.
    -  Counted by 31154. -->
  <rule id="31105" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url_pcre2>
    <url_pcre2>%20ONLOAD=|INPUT%20|iframe%20</url_pcre2>
    <description>XSS (Cross Site Scripting) attempt.</description>
    <group>attack,</group>
  </rule>

  <!-- Attack pattern plus HTTP 200: the request was served rather than
    -  rejected, which is the case worth triaging first. -->
  <rule id="31106" level="6">
    <if_sid>31103, 31104, 31105</if_sid>
    <id_pcre2>^200</id_pcre2>
    <description>A web attack returned code 200 (success).</description>
    <group>attack,</group>
  </rule>

  <!-- Query string that looks like a php-cgi command-line switch (?-d, ?-s, ...). -->
  <rule id="31110" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\?-d|\?-s|\?-a|\?-b|\?-w</url_pcre2>
    <description>PHP CGI-bin vulnerability attempt.</description>
    <group>attack,</group>
  </rule>

  <!-- "+as+varchar" in the URL and a chain of six %2Bchar(NN) fragments
    -  (%2B is an encoded "+"). -->
  <rule id="31109" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>\+as\+varchar</url_pcre2>
    <pcre2>%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)</pcre2>
    <description>MSSQL Injection attempt (/ur.php, urchin.js)</description>
    <group>attack,</group>
  </rule>


  <!-- If your site have a search engine, you may need to ignore
    - it in here.
    - Caution: this level-0 exclusion applies to all three attack rules, so an
    - injection attempt sent through the search parameter is silenced too.
    - Keep the anchored prefixes as narrow as possible.
    -->
  <rule id="31107" level="0">
    <if_sid>31103, 31104, 31105</if_sid>
    <url_pcre2>^/search\.php\?search=|^/index\.php\?searchword=</url_pcre2>
    <description>Ignored URLs for the web attacks</description>
  </rule>

  <!-- maxsize: fires when the log line exceeds 7900 bytes. -->
  <rule id="31115" level="13" maxsize="7900">
    <if_sid>31100</if_sid>
    <description>URL too long. Higher than allowed on most </description>
    <description>browsers. Possible attack.</description>
    <group>invalid_access,</group>
  </rule>


  <!-- 500 error codes, server error
    - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
    - ^50 covers 500-509; 31121/31122/31123 refine individual codes.
    -->
  <rule id="31120" level="5">
    <if_sid>31100</if_sid>
    <id_pcre2>^50</id_pcre2>
    <description>Web server 500 error code (server error).</description>
  </rule>

  <rule id="31121" level="4">
    <if_sid>31120</if_sid>
    <id_pcre2>^501</id_pcre2>
    <description>Web server 501 error code (Not Implemented).</description>
  </rule>

  <!-- alert_by_email: a single 500 is mailed out, not only the 31162 burst. -->
  <rule id="31122" level="5">
    <if_sid>31120</if_sid>
    <id_pcre2>^500</id_pcre2>
    <options>alert_by_email</options>
    <description>Web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>

  <rule id="31123" level="4">
    <if_sid>31120</if_sid>
    <id_pcre2>^503</id_pcre2>
    <options>alert_by_email</options>
    <description>Web server 503 error code (Service unavailable).</description>
  </rule>


  <!-- Rules to ignore crawlers
    -  is_valid_crawler is a compiled helper; it is the only place a 4xx from
    -  a crawler is dropped before reaching the 31151 counter. -->
  <rule id="31140" level="0">
    <if_sid>31101</if_sid>
    <compiled_rule>is_valid_crawler</compiled_rule>
    <description>Ignoring google/msn/yahoo bots.</description>
  </rule>

  <!-- Ignoring nginx 499's -->
  <rule id="31141" level="0">
    <if_sid>31101</if_sid>
    <id_pcre2>^499</id_pcre2>
    <description>Ignored 499's on nginx.</description>
  </rule>


  <!-- Frequency rules below: N matches of the referenced rule from the same
    -  source IP inside the timeframe (seconds). None of them reference
    -  31164/31165, so those two SQLi variants are never aggregated here.
    -->
  <rule id="31151" level="10" frequency="12" timeframe="90">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 400 error codes </description>
    <description>from same source ip.</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>31103</if_matched_sid>
    <same_source_ip />
    <description>Multiple SQL injection attempts from same </description>
    <description>source ip.</description>
    <group>attack,sql_injection,</group>
  </rule>

  <rule id="31153" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31104</if_matched_sid>
    <same_source_ip />
    <description>Multiple common web attacks from same source ip.</description>
    <group>attack,</group>
  </rule>

  <rule id="31154" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31105</if_matched_sid>
    <same_source_ip />
    <description>Multiple XSS (Cross Site Scripting) attempts </description>
    <description>from same source ip.</description>
    <group>attack,</group>
  </rule>

  <rule id="31161" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31121</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 501 error code (Not Implemented).</description>
    <group>web_scan,recon,</group>
  </rule>

  <rule id="31162" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31122</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 500 error code (Internal Error).</description>
    <group>system_error,</group>
  </rule>

  <rule id="31163" level="10" frequency="12" timeframe="120">
    <if_matched_sid>31123</if_matched_sid>
    <same_source_ip />
    <description>Multiple web server 503 error code (Service unavailable).</description>
    <group>web_scan,recon,</group>
  </rule>

  <!-- %2B-encoded ("+") variant of 31103. Note the group tag is spelled
    -  "sqlinjection" here but "sql_injection" on 31103/31152, so group-based
    -  correlation treats them as different groups. -->
  <rule id="31164" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sqlinjection,</group>
  </rule>

  <!-- Encoded quote variants: %EF%BC%87 looks like the UTF-8 fullwidth
    -  apostrophe (listed three times, redundant but harmless), %2531 is a
    -  double-encoded "1", %u0053%u0045 is %u-encoded "SE". -->
  <rule id="31165" level="6">
    <if_sid>31100</if_sid>
    <url_pcre2>%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045</url_pcre2>
    <description>SQL injection attempt.</description>
    <group>attack,sqlinjection,</group>
  </rule>

</group> <!-- Web access log -->

整个引擎的数据采集配置（Windows agent 部分）：

<ossec_config>
  <!-- One entry for each file/Event log to monitor.
    -  Four Windows event log channels. The "Windows PowerShell" channel is
    -  presumably what feeds the 20500-series rules (event IDs 400/800/403);
    -  TODO confirm against the agent's eventlog reader.
    -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  
  <localfile>
    <location>Windows PowerShell</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Rootcheck - Policy monitor config
    -  Paths are relative to the agent install directory. -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

   <!-- Syscheck - Integrity Checking config. -->
  <syscheck>

    <!-- Default frequency, every 20 hours (72000 s). It doesn't need to be
      -  higher on most systems and once a day should be enough. Everything
      -  without realtime="yes" below is only compared at this interval, so a
      -  change made and reverted between two scans is not seen.
      -->
    <frequency>72000</frequency>

    <!-- "no" means syscheck is enabled here. The installer normally decides
      -  this value; the upstream default is disabled.
      -->
    <disabled>no</disabled>

    <!-- Default files to be monitored - system32 only.
      -  In practice the list also covers legacy boot/config files and the
      -  SysNative alias (presumably because the agent runs as a 32-bit
      -  process and needs it to reach the 64-bit System32; TODO confirm).
      -  check_all: hash, size, owner and permissions are all tracked. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>

    <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>

    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>

    <!-- The only realtime entry: the all-users Startup folder, a common
      -  autostart location, is reported as soon as it changes. -->
    <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>

    <!-- NOTE(review): the dots are unescaped; if "." is a wildcard in sregex
      -  syntax these also match names such as "xlog". TODO confirm. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor.
      -  File-type handlers (batfile, cmdfile, exefile, ...) and shell
      -  extension roots: changes here alter what runs when a file is opened. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <!-- Service definitions, the KnownDLLs list (DLL search order) and the
      -  remote-registry access key. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <!-- Autostart keys commonly used for persistence (Run, RunOnce, Winlogon). -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore.
      -  Subtrees under HKLM\Security that are excluded from the HKLM\Security
      -  entry above; note this also means changes to those credential-related
      -  keys are not tracked. "\Enum$" drops the per-device Enum subkeys of
      -  the Services tree, which change on normal hardware activity. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

  <!-- Active response is off: all rules above are notify-only, nothing is
    -  blocked automatically. -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

</ossec_config>

<!-- END of Default Configuration. -->

 

 

我们再看看 PowerShell 相关的检测是如何做的：

 

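<group name="windows,powershell,">

  <!-- Lifecycle rules: parent 18101 is a Windows event with INFORMATION
    -  status; id_pcre2 pins the event ID (400 start, 800 pipeline execution,
    -  403 stop) and pcre2 requires "PowerShell" in the message. -->
  <rule id="20500" level="8">
    <if_sid>18101</if_sid>
    <id_pcre2>^400$</id_pcre2>
    <pcre2>PowerShell</pcre2>
    <description>Windows PowerShell was started.</description>
  </rule>

  <!-- 800 is the event that carries the executed command text, so every
    -  content rule below (20503-20505) chains from this one. -->
  <rule id="20501" level="8">
    <if_sid>18101</if_sid>
    <id_pcre2>^800$</id_pcre2>
    <pcre2>PowerShell</pcre2>
    <description>Windows PowerShell command executed.</description>
  </rule>

  <rule id="20502" level="8">
    <if_sid>18101</if_sid>
    <id_pcre2>^403$</id_pcre2>
    <pcre2>PowerShell</pcre2>
    <description>Windows PowerShell was stopped.</description>
  </rule>
  
  <!-- Low-level children that downgrade 20501 (level 8) to level 2 for
    -  interpreter noise. -->
  <rule id="20503" level="2">
    <if_sid>20501</if_sid>
    <pcre2>Set-StrictMode -Version 1; .+[A-Za-z0-9@_-]+</pcre2>
    <description>A wrong/misspelled command was tried</description>
  </rule>

  <rule id="20504" level="2">
    <if_sid>20501</if_sid>
    <pcre2>CommandLine= CommandInvocation</pcre2>
    <description>Powershell background activity</description>
  </rule>

  <!-- Keyword list of offensive-tooling cmdlet names plus a few generic
    -  tokens (Set-ExecutionPolicy, EncodedCommand, Payload).
    -  Keep the whole pattern on one line: a line break inside pcre2 becomes
    -  part of the pattern and silently breaks the last alternative.
    -  NOTE(review): the match is case-sensitive unless the engine adds a
    -  caseless flag, while PowerShell names are not; consider a (?i) prefix.
    -  "Get-Webconfig" is listed twice and "Invoke--Shellcode" carries a
    -  double hyphen; both are as in upstream. -->
  <rule id="20505" level="12">
    <if_sid>20501</if_sid>
    <pcre2>Set-ExecutionPolicy|Mimikatz|EncodedCommand|Payload|Find-AVSignature|DllInjection|ReflectivePEInjection|Invoke-Shellcode|Invoke--Shellcode|Invoke-ShellcodeMSIL|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|Set-MasterBootRecord|New-ElevatedPersistenceOption|Invoke-CallbackIEX|Invoke-PSInject|Invoke-DllEncode|Get-ServiceUnquoted|Get-ServiceEXEPerms|Get-ServicePerms|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-UserAddMSI|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Invoke-FindDLLHijack|Invoke-FindPathHijack|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-UnattendedInstallFiles|Get-Webconfig|Get-Webconfig|Get-ApplicationHost|Invoke-AllChecks|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|HTTP-Backdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Execute-OnTime|DNS_TXT_Pwnage|Out-Word|Out-Excel|Out-Java|Out-Shortcut|Out-CHM|Out-HTA|Enable-DuplicateToken|Remove-Update|Execute-DNSTXT-Code|Download-Execute-PS|Execute-Command-MSSQL|Download_Execute|Get-PassHashes|Invoke-CredentialsPhish|Get-LsaSecret|Get-Information|Invoke-MimikatzWDigestDowngrade|Copy-VSS|Check-VM|Invoke-NetworkRelay|Create-MultipleSessions|Run-EXEonRemote|Invoke-BruteForce|Port-Scan|Invoke-PowerShellIcmp|Invoke-PowerShellUdp|Invoke-PsGcatAgent|Invoke-PoshRatHttps|Invoke-PowerShellTcp|Invoke-PoshRatHttp|Invoke-PowerShellWmi|Invoke-PSGcat|Remove-PoshRat|TexttoEXE|Invoke-Encode|Invoke-Decode|Base64ToString|StringtoBase64|Do-Exfiltration|Parse_Keys|Add-Exfiltration|Add-Persistence|Remove-Persistence|Invoke-CreateCertificate|powercat|Find-PSServiceAccounts|Get-PSADForestKRBTGTInfo|Discover-PSMSSQLServers|Discover-PSMSExchangeServers|Get-PSADForestInfo|Get-KerberosPolicy|Discover-PSInterestingServices</pcre2>
    <description>Possibly Dangerous Command Detected (https://gist.github.com/gfoss/2b39d680badd2cad9d82#file-powershell-command-line-logging)</description>
  </rule>

</group>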

数据采集是 Windows 事件日志：

<group name="windows,">
  <!-- Root of all Windows event-log rules (category windows), level 0. -->
  <rule id="18100" level="0">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>

  <!-- status_pcre2 is tested against the event's status/level field. 18101
    -  (INFORMATION) is the parent used by the PowerShell rules (20500-20502)
    -  and, together with 18102/18103, by the McAfee rules (7500). -->
  <rule id="18101" level="0">
    <if_sid>18100</if_sid>
    <status_pcre2>^INFORMATION</status_pcre2>
    <description>Windows informational event.</description>
  </rule>
  
  <rule id="18102" level="0">
    <if_sid>18100</if_sid>
    <status_pcre2>^WARNING</status_pcre2>
    <description>Windows warning event.</description>
  </rule>
  
  <!-- The only one of the four that alerts on its own (level 5). -->
  <rule id="18103" level="5">
    <if_sid>18100</if_sid>
    <status_pcre2>^ERROR</status_pcre2>
    <description>Windows error event.</description>
    <group>system_error,</group>
  </rule>

  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status_pcre2>^AUDIT_SUCCESS|^success</status_pcre2>
    <description>Windows audit success event.</description>
  </rule>
  <!-- Excerpt ends here; the remaining rules and the closing group tag are
    -  in the upstream file and are not shown on this page. -->

 

再看看针对 McAfee AV 上报事件写的过滤规则：

<!-- Event-ID lists referenced as $MCAFEE_* from the id_pcre2 elements below;
  -  each alternative is anchored so 5003 does not also match 50031.
  -  ^5063$ appears twice at the end of MCAFEE_ERROR (redundant, harmless). -->
<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var>
<var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var>
<var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var>
<!-- Message fragments: MCAFEE_VIRUS is the "something was detected" set,
  -  MCAFEE_VIRUS_OK the "and it was handled" set used to downgrade 7504. -->
<var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var> 
<var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
<!-- Threshold for the composite rule 7550. -->
<var name="MCAFEE_FREQ">10</var>

<group name="mcafee,">
  <!-- Entry point: any Windows INFORMATION/WARNING/ERROR event whose
    -  extra_data field starts with McLogEvent (the McAfee event source). -->
  <rule id="7500" level="0">
    <if_sid>18101,18102,18103</if_sid>
    <category>windows</category>
    <extra_data_pcre2>^McLogEvent</extra_data_pcre2>
    <description>Grouping of McAfee Windows AV rules.</description>
  </rule>

  <!-- Severity by event ID, via the $MCAFEE_* variables. -->
  <rule id="7501" level="2">
    <if_sid>7500</if_sid>
    <id_pcre2>$MCAFEE_INFO</id_pcre2>
    <description>McAfee Windows AV informational event.</description>
  </rule>

  <rule id="7502" level="3">
    <if_sid>7500</if_sid>
    <id_pcre2>$MCAFEE_WARN</id_pcre2>
    <description>McAfee Windows AV warning event.</description>
  </rule>

  <rule id="7503" level="4">
    <if_sid>7500</if_sid>
    <id_pcre2>$MCAFEE_ERROR</id_pcre2>
    <description>McAfee Windows AV error event.</description>
  </rule>

  <!-- Detection without a confirmed clean-up is the high-severity default
    -  (level 12); 7505/7506 lower it when the message says it was handled.
    -  The "virus" group is what 40113 (outbreak rule) counts. -->
  <rule id="7504" level="12">
    <if_sid>7500</if_sid>
    <pcre2>$MCAFEE_VIRUS</pcre2>
    <group>virus</group>
    <description>McAfee Windows AV - Virus detected and not removed.</description>
  </rule>

  <rule id="7505" level="7">
    <if_sid>7504</if_sid>
    <pcre2>$MCAFEE_VIRUS_OK</pcre2>
    <group>virus</group>
    <description>McAfee Windows AV - Virus detected and properly removed.</description>
  </rule>

  <rule id="7506" level="7">
    <if_sid>7504</if_sid>
    <pcre2>Will be deleted</pcre2>
    <group>virus</group>
    <description>McAfee Windows AV - Virus detected and file will be deleted.</description>
  </rule>

  <rule id="7507" level="3">
    <if_sid>7500</if_sid>
    <pcre2>scan started|scan stopped</pcre2>
    <description>McAfee Windows AV - Scan started or stopped.</description>
  </rule>

  <!-- Chains from 7501 (INFO) and additionally requires event ID 257. -->
  <rule id="7508" level="3">
    <if_sid>7501</if_sid>
    <id_pcre2>^257</id_pcre2>
    <pcre2>completed\.  No detections</pcre2>
    <description>McAfee Windows AV - Scan completed with no viruses found.</description>
  </rule>

  <rule id="7509" level="5">
    <if_sid>7500</if_sid>
    <pcre2>scan was cancelled |has taken too long</pcre2>
    <description>McAfee Windows AV - Virus scan cancelled.</description>
  </rule>

  <rule id="7510" level="5">
    <if_sid>7500</if_sid>
    <pcre2>scan was canceled because</pcre2>
    <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description>
  </rule>

  <rule id="7511" level="3">
    <if_sid>7500</if_sid>
    <pcre2>update was successful</pcre2>
    <description>McAfee Windows AV - Virus program or DAT update succeeded.</description>
  </rule>

  <!-- NOTE(review): id is written "07512" while every other id has no leading
    -  zero; presumably parsed as the integer 7512, but keep ids consistent. -->
  <rule id="07512" level="7">
    <if_sid>7500</if_sid>
    <pcre2>update failed</pcre2>
    <description>McAfee Windows AV - Virus program or DAT update failed.</description>
  </rule>

  <rule id="7513" level="7">
    <if_sid>7500</if_sid>
    <pcre2>update was cancelled</pcre2>
    <description>McAfee Windows AV - Virus program or DAT update cancelled.</description>
  </rule>

  <!-- EICAR is a child of 7505 (detected and removed), so a test-file hit is
    -  mailed out but never reaches the level-12 "not removed" state. -->
  <rule id="7514" level="5">
    <if_sid>7505</if_sid>
    <pcre2>contains the EICAR test file</pcre2>
    <options>alert_by_email</options>
    <description>McAfee Windows AV - EICAR test file detected.</description>
  </rule>

  <!-- Composite rules
    -  $MCAFEE_FREQ (10) warnings within 240 s. There is no same_source_ip or
    -  similar qualifier, so the count is across all reporting hosts. -->

  <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240">
    <if_matched_sid>7502</if_matched_sid>
    <description>Multiple McAfee AV warning events.</description>
  </rule>

</group>

 

统计类规则的写法，见 https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml

<!-- Service/system accounts that should never log in interactively; each
  -  alternative is anchored so "user" does not also match "users1". Used by
  -  40101 via user_pcre2. -->
<var name="SYS_USERS">^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$</var>


<!-- Attack signatures
  -  Single-event rules are keyed on group membership (if_group) or a message
  -  pattern; the rules from 40111 on are the stateful ones. -->
<group name="syslog,attacks,">
  <!-- A successful login (authentication_success group, set by the per-daemon
    -  rules) where the user name is one of $SYS_USERS. -->
  <rule id="40101" level="12">
    <if_group>authentication_success</if_group>
    <user_pcre2>$SYS_USERS</user_pcre2>
    <description>System user successfully logged to the system.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Non-printable/unusual bytes in the host name passed to rpc.statd. -->
  <rule id="40102" level="14">
    <pcre2>^rpc\.statd\[\d+\]: gethostbyname error for [^A-Za-z0-9@_-]+</pcre2>
    <description>Buffer overflow attack on rpc.statd</description>
    <group>exploit_attempt,</group>
  </rule>

  <rule id="40103" level="14">
    <pcre2>ftpd\[\d+\]: \S+ FTP LOGIN FROM .+ 0bin0sh</pcre2>
    <description>Buffer overflow on WU-FTPD versions prior to 2.6</description>
    <group>exploit_attempt,</group>
  </rule>

  <!-- 21 consecutive "?" characters: how many syslog daemons render a run of
    -  non-printable bytes. Generic, so expect some false positives. -->
  <rule id="40104" level="13">
    <pcre2>\?{21}</pcre2>
    <description>Possible buffer overflow attempt.</description>
    <group>exploit_attempt,</group>
  </rule>

  <rule id="40105" level="12">
    <pcre2>changed by \(\(null\)</pcre2>
    <description>"Null" user changed some information.</description>
    <group>exploit_attempt,</group>
  </rule>

  <!-- 25 consecutive "@" characters. -->
  <rule id="40106" level="12">
    <pcre2>@{25}</pcre2>
    <description>Buffer overflow attempt (probably on yppasswd).</description>
    <group>exploit_attempt,</group>
  </rule>

  <rule id="40107" level="14">
    <pcre2>cachefsd: Segmentation Fault - core dumped</pcre2>
    <description>Heap overflow in the Solaris cachefsd service.</description>
    <info type='cve'>2002-0033</info>
    <group>exploit_attempt,</group>
  </rule>

  <rule id="40109" level="12">
    <pcre2>attempt to execute code on stack by</pcre2>
    <description>Stack overflow attempt or program exiting </description>
    <description>with SEGV (Solaris).</description>
    <info type="link">http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html</info>
    <group>exploit_attempt,</group>
  </rule>

  <!-- 10 events from the authentication_failed group within 160 s. No
    -  same_source_ip/same_user qualifier, so failures from unrelated hosts
    -  are pooled; this rule also tags the event with authentication_failures,
    -  which 40112 depends on. -->
  <rule id="40111" level="10" frequency="10" timeframe="160">
    <if_matched_group>authentication_failed</if_matched_group>
    <description>Multiple authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Brute force that succeeded: a login success from the same source IP
    -  within 240 s of a 40111 alert (authentication_failures group). -->
  <rule id="40112" level="12" timeframe="240">
    <if_group>authentication_success</if_group>
    <if_matched_group>authentication_failures</if_matched_group>
    <same_source_ip />
    <description>Multiple authentication failures followed </description>
    <description>by a success.</description>
  </rule>

  <!-- 6 "virus" group events within 360 s, across all hosts (see the McAfee
    -  rules 7504-7506, which set that group). -->
  <rule id="40113" level="12" frequency="6" timeframe="360">
    <if_matched_group>virus</if_matched_group>
    <description>Multiple viruses detected - Possible outbreak.</description>
    <group>virus,</group>
  </rule>
  
</group> <!-- SYSLOG, ATTACKS, -->



<!-- Privilege escalation messages.
     40501 is a cross-group correlation: the current event is an adduser
     alert and at least one alert from the "attacks" group (every rule in the
     syslog,attacks wrapper above) fired within the preceding 300 s. There is
     no <same_source_ip/> or <same_user/>, so the two need not share a source. -->
<group name="syslog,elevation_of_privilege,">
  <rule id="40501" level="15" timeframe="300" frequency="2">
    <if_group>adduser</if_group>
    <if_matched_group>attacks</if_matched_group>
    <description>Attacks followed by the addition </description>
    <description>of an user.</description>
  </rule>
</group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->



<!-- Scan signatures.
     40601 counts connection_attempt alerts from one decoded srcip within 90 s.
     ignore="90" suppresses the rule for 90 s after it fires so a sustained
     scan does not flood the alert log with one alert per further burst. -->
<group name="syslog,recon,">
  <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90">
    <if_matched_group>connection_attempt</if_matched_group>
    <description>Network scan from same source ip.</description>
    <same_source_ip />
    <info type="link">http://project.honeynet.org/papers/enemy2/</info>
  </rule>
</group> <!-- SYSLOG,SCANS -->

 

看看 ossec的 规则规范:https://ossec-documentation.readthedocs.io/en/latest/manual/lids/rules.html

Rules

Rules compare log messages to a set of pre-defined conditions. The comparisons can happen on the entire log message, or on fields defined in decoders.

rule

Each rule begins by defining certain settings

  • level

This defines the severity of the rule. Valid levels are 0-16.

  • id

A unique identification number for the rule.

  • maxsize

Specifies the maximum size of the event. The valid range is 1-99999

  • frequency

Specifies how many prior matches of the referenced rule or group are required before this rule fires. Note that the event count that actually triggers the rule is 2 more than this setting (e.g. frequency="6" fires on the 8th matching event), so size thresholds accordingly.

Note

More information about how frequency is counted can be found in the linked mailing-list thread (the link was not preserved in this copy).

  • timeframe

The timeframe in seconds. This option is intended to be used with the frequency option.

  • ignore

The time (in seconds) to ignore this rule after firing it (to avoid floods).

  • overwrite

Used to supersede an OSSEC rule with local changes (in a local rules file, with the same id and overwrite="yes"). This is useful to change the level or other options of rules included with OSSEC without editing the shipped rule files.

  • noalert

Prevent the rule from triggering an alert. Further rule checks will not happen, except for rules specifically using this rule in an <if_sid> configuration.

match

A simple string comparison.

regex

This option uses the OSSEC regex syntax for comparisons.

pcre2

The pcre2 option utilizes OSSEC's pcre2 support. Refer to the pcre2 page for information on the syntax. ==》PCRE - Perl Compatible Regular Expressions(注意 pcre2 的回溯/性能问题,规则里的正则应尽量锚定,避免在高流量日志上出现灾难性回溯)

decoded_as

Define a decoder that must be matched for the rule comparison to continue. ==》从后面的示例可以看到,decoder 不是函数,而是用 prematch / pcre2 + order 声明的字段提取规则:prematch 先做快速筛选,pcre2 的捕获组按 order 依次写入 user、srcip、srcport 等字段,规则再基于这些解码出的字段做比较。
==》示例:
  <!-- Base rule for rootcheck events: matches anything the rootcheck decoder
       claimed. Level 0 means it never alerts on its own and (per the note on
       if_matched_ rules) cannot be used as a correlation source; it exists as a
       parent for more specific children that reference it with <if_sid>. -->
  <rule id="509" level="0">
    <category>ossec</category>
    <decoded_as>rootcheck</decoded_as>
    <description>Rootcheck event.</description>
    <group>pci_dss_10.6.1,rootcheck,</group>
  </rule>

 

<!-- Parent decoder: claims every syslog line whose program name starts with
     "sshd". The child decoders below reference it via <parent>, so they are
     only tried on lines this one accepted. -->
<decoder name="sshd">
  <program_name_pcre2>^sshd</program_name_pcre2>
</decoder>

<!-- "Accepted <method> for <user> from <ip> port ..." : extracts user and srcip.
     <fts> enables first-time-seen tracking on (decoder name, user, location),
     presumably to flag a user logging in from a location not seen before;
     confirm against the fts documentation. -->
<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch_pcre2>^Accepted</prematch_pcre2>
  <pcre2 offset="after_prematch">^ \S+ for (\S+) from (\S+) port </pcre2>
  <order>user, srcip</order>
  <fts>name, user, location</fts>
</decoder>

<!-- "User <user> from <ip> ..." lines (sshd policy denials); extracts user and
     srcip. The pcre2 runs from after the parent match, so it re-anchors on
     "^User". -->
<decoder name="ssh-denied">
  <parent>sshd</parent>
  <prematch_pcre2>^User \S+ from </prematch_pcre2>
  <pcre2 offset="after_parent">^User (\S+) from (\S+) </pcre2>
  <order>user, srcip</order>
</decoder>

<!-- Solaris variant of a successful login: "User <user>, coming from <ip>, ...".
     Same user/srcip fields and the same first-time-seen tracking as
     sshd-success. -->
<decoder name="sshd-success-solaris">
  <parent>sshd</parent>
  <prematch_pcre2>^User </prematch_pcre2>
  <pcre2 offset="after_prematch">^(\S+), coming from (\S+), </pcre2>
  <order>user, srcip</order>
  <fts>name, user, location</fts>
</decoder>

<!-- Keyboard-interactive authentication (postponed or failed): extracts user,
     srcip and srcport. The pcre2 is not anchored, so it finds the first
     " user X from Y port N " after the prematch. -->
<decoder name="ssh-kbd">
  <parent>sshd</parent>
  <prematch_pcre2 offset="after_parent">^Postponed keyboard-interactive|^Failed keyboard-interactive</prematch_pcre2>
  <pcre2 offset="after_prematch"> user (\S+) from (\S+) port (\d+) </pcre2>
  <order>user, srcip, srcport</order>
</decoder>

<!-- Failed authentication for a non-existent account ("invalid"/"illegal" user).
     Only srcip is extracted; the client-chosen username is intentionally not
     decoded into a field. Listed before ssh-failed, whose prematch would also
     accept these lines (assumption: first matching decoder wins). -->
<decoder name="ssh-invfailed">
  <parent>sshd</parent>
  <prematch_pcre2>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch_pcre2>
  <pcre2 offset="after_prematch">from (\S+) port \d+ \w+$</pcre2>
  <order>srcip</order>
</decoder>

<!-- Generic "Failed <method> for <user> from <ip> port N": extracts user and
     srcip. This is the decoder the sshd brute-force rules count on. -->
<decoder name="ssh-failed">
  <parent>sshd</parent>
  <prematch_pcre2>^Failed \S+ </prematch_pcre2>
  <pcre2 offset="after_prematch">^for (\S+) from (\S+) port \d+</pcre2>
  <order>user, srcip</order>
</decoder>

<!-- "error: PAM: Authentication <failure|...> for <user> from <host>" with the
     host at end of line; extracts user and srcip. Note srcip may be a host
     name rather than an address here, depending on sshd's UseDNS setting. -->
<decoder name="ssh-error">
  <parent>sshd</parent>
  <prematch_pcre2>^error: PAM: Authentication \w+ </prematch_pcre2>
  <pcre2 offset="after_prematch">^for (\S+) from (\S+)$</pcre2>
  <order>user, srcip</order>
</decoder>

<!-- Catch-all for other "error: PAM: ..." lines that mention "user X from Y";
     extracts user and srcip. Placed after ssh-error so the more specific
     form is tried first (assumption: first matching decoder wins). -->
<decoder name="ssh-pam-error">
  <parent>sshd</parent>
  <prematch_pcre2>^error: PAM: </prematch_pcre2>
  <pcre2 offset="after_prematch">user (\S+) from (\S+)</pcre2>
  <order>user, srcip</order>
</decoder>

<!-- Reverse DNS mismatch warnings. Two alternatives: the bracketed form
     "... for host [ip]" and the plain "... for ip". Only srcip is extracted. -->
<decoder name="ssh-reverse-mapping">
  <parent>sshd</parent>
  <prematch_pcre2>^reverse mapping checking </prematch_pcre2>
  <pcre2 offset="after_prematch">^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+) </pcre2>
  <order>srcip</order>
</decoder>

<!-- "Invalid user <name> from <ip>": extracts srcip only. NOTE(review): the
     capture " from (\S+)" is unanchored and the username between prematch and
     capture is client-chosen; if sshd logs it verbatim and it contains the
     text " from x", the first match wins and srcip would be wrong. Confirm
     against the sshd log format before feeding this srcip to active response. -->
<decoder name="ssh-invalid-user">
  <parent>sshd</parent>
  <prematch_pcre2>^Invalid user|^Illegal user</prematch_pcre2>
  <pcre2 offset="after_prematch"> from (\S+)</pcre2>
  <order>srcip</order>
</decoder>

<!-- "scanned from <ip> ..." : extracts srcip. -->
<decoder name="ssh-scan">
  <parent>sshd</parent>
  <prematch_pcre2>^scanned from</prematch_pcre2>
  <pcre2 offset="after_prematch"> (\S+) </pcre2>
  <order>srcip</order>
</decoder>

<!-- "Received disconnect from <ip>: ..." or "Received disconnect from <ip> ...";
     extracts srcip. -->
<decoder name="ssh-received">
  <parent>sshd</parent>
  <prematch_pcre2>^Received disconnect </prematch_pcre2>
  <pcre2 offset="after_prematch">^from (\S+): |^from (\S+) </pcre2>
  <order>srcip</order>
</decoder>

<!-- "Disconnected from invalid user <name> <ip> ..." : skips the username token
     and captures the following token as srcip. Same caveat as ssh-invalid-user:
     the skipped token is client-chosen. -->
<decoder name="ssh-disconnected">
  <parent>sshd</parent>
  <prematch_pcre2>^Disconnected from invalid user</prematch_pcre2>
  <pcre2 offset="after_prematch">\S+ (\S+) </pcre2>
  <order>srcip</order>
</decoder>

 

  <!-- Syscheck (file integrity) rules: each maps one syscheck decoder outcome
       to an alert. First checksum change on a monitored file. -->
  <rule id="550" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
    <group>syscheck,</group>
  </rule>
  
  <!-- Second change of the same file, as reported by the syscheck decoder. -->
  <rule id="551" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
    <description>Integrity checksum changed again (2nd time).</description>
    <group>syscheck,</group>
  </rule>
  
  <!-- Third change of the same file. The decoder distinguishes 1st/2nd/3rd,
       so a file that keeps changing is not re-alerted indefinitely at this
       granularity. -->
  <rule id="552" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
    <description>Integrity checksum changed again (3rd time).</description>
    <group>syscheck,</group>
  </rule>
  
  <!-- Monitored file deleted (syscheck could not read it to checksum). -->
  <rule id="553" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_deleted</decoded_as>
    <description>File deleted. Unable to retrieve checksum.</description>
    <group>syscheck,</group>
  </rule>
  
  <!-- New file in a monitored directory. Lower level (5) than the change/delete
       rules; raise it locally for directories where new files are suspicious
       (web roots, cron dirs). -->
  <rule id="554" level="5">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

  <!-- Integrity change reported through the agentless channel: child of rule
       500 (not in this excerpt) matched on the "ossec: agentless: " prefix.
       NOTE(review): unlike its siblings the group list has no trailing comma;
       confirm whether if_group matching depends on it. -->
  <rule id="555" level="7">
    <if_sid>500</if_sid>
    <pcre2>^ossec: agentless: </pcre2>
    <description>Integrity checksum for agentless device changed.</description>
    <group>syscheck,agentless</group>
  </rule>

  <!-- Hostinfo rules: alert when the host information collected by OSSEC
       changes, as signalled by the hostinfo_modified decoder. -->
  <rule id="580" level="8">
    <category>ossec</category>
    <decoded_as>hostinfo_modified</decoded_as>
    <description>Host information changed.</description>
    <group>hostinfo,</group>
  </rule>

 

category

The decoded category to match (ids, syslog, firewall, web-log, squid or windows).

srcip

Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.

dstip

Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.

extra_data

Any string that is decoded into the extra_data field.

user

Any username (decoded as the username).

program_name

Program name is decoded from syslog process name.

hostname

Any hostname (decoded as the syslog hostname) or log file.

time

Time that the event was generated. Any time range can be defined, in the format of hh:mm-hh:mm. AM/PM can also be used: <time>6 am - 6 pm</time>

weekday

Specify a week day that the event was generated. Multiple entries can be separated by commas.

id

Any ID (decoded as the ID).

url

Any string decoded into the url field.

if_sid

Matches if the rule with that ID has already matched the current event. This is used to create children of other rules. ==》用来做数据过滤:先由父规则把事件归类(如 31100 = web 日志),子规则只在父规则命中的事件上继续匹配

if_group

Matches if the group has matched before. This can be used to create children of other rules.

if_level

Matches if the level has matched before.

if_matched_sid

Matches if an alert of the defined ID has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.

Note

Rules at level 0 are discarded immediately and will never be seen by if_matched_sid / if_matched_group. A rule meant only as a correlation source must therefore be level 1 or higher; add <options>no_log</options> to it to keep it out of the alert log.

if_matched_group

Matches if an alert of the defined group has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.

same_id

Specifies that the decoded id must be the same. This option is used in conjunction with frequency and timeframe.

same_source_ip

Specifies that the decoded source ip must be the same. This option is used in conjunction with frequency and timeframe.

same_source_port

Specifies that the decoded source port must be the same. This option is used in conjunction with frequency and timeframe.

same_dst_port

Specifies that the decoded destination port must be the same. This option is used in conjunction with frequency and timeframe.

same_location

Specifies that the location must be the same. This option is used in conjunction with frequency and timeframe.

same_user

Specifies that the decoded user must be the same. This option is used in conjunction with frequency and timeframe.
举例:多次登录失败之后最终认证成功(爆破成功检测)——从这个角度看,ossec 的前后关联能力是够用的。注意它的局限:40112 只用 same_source_ip 在 240 秒窗口内关联,攻击者换 IP、或流量经过 NAT/代理时关联会失效;而且它依赖 authentication_failures 这个告警先触发(该规则 level 必须 ≥1 才会被 if_matched_group 看到),零散的失败事件本身不够。
  674   <rule id="40112" level="12" timeframe="240">
  675     <if_group>authentication_success</if_group>
  676     <if_matched_group>authentication_failures</if_matched_group>
  677     <same_source_ip />
  678     <description>Multiple authentication failures followed </description>
  679     <description>by a success.</description>
  680   </rule>

 其中有一个group是认证成功的,我们看看其定义,可知道是表示是各个场景下认证成功的数据采集:

  830   <rule id="4722" level="3">
  831     <if_sid>4715</if_sid>
  832     <id_pcre2>^%SEC_LOGIN-5-LOGIN_SUCCESS</id_pcre2>
  833     <description>Successful login to the router.</description>
  834     <group>authentication_success,</group>
  835   </rule>
  836 

 

  960   <rule id="3904" level="3">
  961     <if_sid>3900</if_sid>
  962     <pcre2>^LOGIN,</pcre2>
  963     <description>Courier (imap/pop3) authentication success.</description>
  964     <group>authentication_success,</group>
  965   </rule>

 

 1169   <rule id="51009" level="0">
 1170     <if_sid>51000</if_sid>
 1171     <pcre2>password auth succeeded for</pcre2>
 1172     <description>User successfully logged in using a password.</description>
 1173     <group>authentication_success,</group>
 1174   </rule>

 还有类似的更多。。。

我们再看看authentication_failures定义,可知道是表示是各个场景下认证失败的数据采集:

1389   <rule id="11109" level="10">
 1390     <if_sid>11100</if_sid>
 1391     <pcre2>repeated login failures</pcre2>
 1392     <description>Multiple FTP failed login attempts.</description>
 1393     <group>authentication_failures,</group>
 1394   </rule>
 1395 

 1487   <rule id="9351" level="10" frequency="6" timeframe="120">
 1488     <if_matched_sid>9306</if_matched_sid>
 1489     <same_source_ip />
 1490     <description>Horde brute force (multiple failed logins).</description>
 1491     <group>authentication_failures,</group>
 1492   </rule>

 1652   <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
 1653     <if_matched_sid>3601</if_matched_sid>
 1654     <same_source_ip />
 1655     <description>Multiple failed logins from same source ip.</description>
 1656     <group>authentication_failures,</group>
 1657   </rule>
...

 

再补充下检测暴力破解的case:

 1066 <rule id="9751" level="10" frequency="6" timeframe="240">
 1067   <if_matched_sid>9705</if_matched_sid>
 1068   <same_source_ip />
 1069   <description>Dovecot brute force attack (multiple auth failures).</description>
 1070   <group>authentication_failures,</group>
 1071 </rule>

 

 

description

The rule description.

list

Perform a CDB lookup using an OSSEC list. This is a fast on-disk database which will always find a key within two seeks of the file, so it is suitable for large IP/user allow- and block-lists.

  • field

    Field that is used as the key to look up in the CDB file:

    • Value: srcip
    • Value: srcport
    • Value: dstip
    • Value: dstport
    • Value: extra_data
    • Value: user
    • Value: url
    • Value: id
    • Value: hostname
    • Value: program_name
    • Value: status
    • Value: action
  • lookup

This is the type of lookup that is performed:

    • Value: match_key

      • Positive key match: field is the key to search within the cdb and will match if the key is present.
      • This is the default if no lookup is specified.
    • Value: not_match_key

      • Negative key match: field is the key to search and will match if it IS NOT present in the database.
    • Value: match_key_value

      • Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.

      Note

      This feature is not yet complete.

    • Value: address_match_key

      • Positive key match: field is an IP address and the key to search within the cdb and will match if the key is present.
    • Value: not_address_match_key

      • Negative key match: field is an IP address the key to search and will match if it IS NOT present in the database.
    • Value: address_match_key_value

      • Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.

      Note

      This feature is not yet complete.

  • check_value

    • regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value

    The element's text is the path to the CDB file to be used for the lookup, relative to the OSSEC directory. The same file must also be declared in ossec.conf, otherwise the lookup is not available.

Example:

<rule id="100000" level="7">
      <list lookup="match_key" field="srcip">path/to/list/file</list>
      <description>Checking srcip against cdb list file</description>
</rule>

info

Extra information may be added to an alert using info. The type must be specified using one of the following options:

  • type

    • Value: text

      This is the default when no type is selected. Just used for additional information about the alert/event.

    • Value: link

      Link to more information about the alert/event.

    • Value: cve

      The CVE Number related to this alert/event.

    • Value: ovsdb

      The OSVDB id related to this alert/event (the type name is spelled osvdb, as in the example below).

Example:

<!-- Example from the documentation showing every <info> type on one rule.
     <match> is a plain substring comparison (no regex), alert_by_email forces
     an e-mail regardless of the global level threshold, and <info> without a
     type defaults to text. The reference values here are illustrative only. -->
<rule id="502" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Ossec started</match>
    <description>Ossec server started.</description>
    <info type="link">http://ossec.net/wiki/Rule:205</info>
    <info type="cve">2009-1002</info>
    <info type="osvdb"> 61509</info>
    <info type="text">Internal Why we are running this run in our company</info>
    <info>Type text is the default</info>
</rule>

options

Additional rule options

  • alert_by_email

    Always alert by email.

    • Example: <options>alert_by_email</options>
  • no_email_alert

    Never alert by email.

    • Example: <options>no_email_alert</options>
  • no_log

    Do not log this alert.

    • Example: <options>no_log</options>

check_diff

Used to determine when the output of a command changes.

group

Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.

 

我们再看看wazuh,因为是继承自OSSEC,所以规则:https://github.com/wazuh/wazuh-ruleset/tree/master/rules

但 Wazuh 在规则里增加了 <mitre> 标签(映射 ATT&CK 技术 ID,如下面的 T1053.003),并在 <group> 里带上 PCI DSS / GDPR / HIPAA / NIST 800-53 / TSC 等合规标签,便于告警分类、检索和合规报表。

  <!-- Wazuh variant of an OSSEC-style rule: child of 2832 (not in this
       excerpt), matched with a plain substring <match> rather than a regex.
       The additions over OSSEC are the <mitre> block (ATT&CK technique id)
       and the compliance tags packed into <group>, which tools can filter on. -->
  <rule id="2833" level="8">
    <if_sid>2832</if_sid>
    <match>REPLACE (root)</match>
    <description>Root's crontab entry changed.</description>
    <mitre>
      <id>T1053.003</id>
    </mitre>
    <group>pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_10.2.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

 其他差异见下一个博客。


 
posted @ 2022-06-01 15:38  bonelee