Detection rules: https://github.com/ossec/ossec-hids/blob/master/etc/rules/


The web-security rules are in https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_appsec_rules.xml

31100

POST /.*(?:Googlebot|MSNBot|BingBot)

/wp-comments-post\.php

WordPress Comment Spam (coming from a fake search engine UA).

31100

thumb\.php|timthumb\.php

"GET \S+thumb\.php\?src=\S+\.php

TimThumb vulnerability exploit attempt.

31100

login\.php

"POST /\S+\.php/login\.php\?cPath=

osCommerce login.php bypass attempt.

31100

login\.php

/admin/[A-Za-z0-9@_-]+\.php/login\.php

osCommerce file manager login.php bypass attempt.

31100

/cache/external

"GET /\S+/cache/external\S+\.php

TimThumb backdoor access attempt.

31100

cart\.php

"GET /\S+cart\.php\?\S+templatefile=\.\./

Cart.php directory transversal attempt.

31100

DECLARE%20@S%20CHAR|%20AS%20CHAR

MSSQL Injection attempt (ur.php, urchin.js).

31100

"ZmEu"| "libwww-perl/|"the beast"|"Morfeus|"ZmEu|"Nikto|"w3af\.sourceforge\.net|MJ12bot/v| Jorgee"|"Proxy Gear Pro|"DataCha0s

Blacklisted user agent (known malicious user agent).

31108

wp-login\.php|/administrator

\] "POST \S+wp-login\.php| "POST /administrator

CMS (WordPress or Joomla) login attempt.

31509

CMS (WordPress or Joomla) brute force attempt.

31100

" "Wget/

Blacklisted user agent (wget).

31100

uploadify\.php

"GET /\S+/uploadify\.php\?src=http://\S+\.php

Uploadify vulnerability exploit attempt.

31100

delete\.php

"GET \S+/delete\.php\?board_skin_path=http://\S+\.php

BBS delete.php exploit attempt.

31100

shell\.php

"GET \S+/shell\.php\?cmd=

Simple shell.php command execution.

31100

phpMyAdmin/scripts/setup\.php

PHPMyAdmin scans (looking for setup.php).

31100

\.swp$|\.bak$|/\.htaccess|/server-status|/\.ssh|/\.history|/wallet\.dat

Suspicious URL access.

31100

\] "POST

no_log

POST request received.

31530

/wp-admin/|/administrator/|/admin/

Ignoring often post requests inside /wp-admin and /admin.

31530

High amount of POST requests in a small period of time (likely bot).

31100

%00

"GET /\S+\.php\?\S+%00

Anomaly URL query (attempting to pass null termination).

As you can see, these are all single-event regex matches. Every rule contains an if_sid 31100, whose meaning is defined below: it indicates that the data source is the access log:

https://github.com/ossec/ossec-hids/blob/master/etc/rules/web_rules.xml

web-log

Access log messages grouped.

31100

^2|^3

is_simple_http_request

Ignored URLs (simple queries).

31100

^4

Web server 400 error code.

31101

\.jpg$|\.gif$|favicon\.ico$|\.png$|robots\.txt$|\.css$|\.js$|\.jpeg$

is_simple_http_request

Ignored extensions on 400 error codes.

31100,31108

=select%20|select\+|insert%20|%20from%20|%20where%20|union%20|

union\+|where\+|null,null|xp_cmdshell

SQL injection attempt.

attack,sql_injection,

31100

%027|%00|%01|%7f|%2E%2E|%0A|%0D|\.\./\.\.|\.\.\\\.\.|echo;|

cmd\.exe|root\.exe|_mem_bin|msadc|/winnt/|/boot\.ini|

/x90/|default\.ida|/sumthin|nsiislog\.dll|chmod%|wget%|cd%20|

exec%20|\.\./\.\.//|%5C\.\./%5C|\./\./\./\./|2e%2e%5c%2e|\\x5C\\x5C

Common web attack.

attack,

31100

%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|

%20ONLOAD=|INPUT%20|iframe%20

XSS (Cross Site Scripting) attempt.

attack,

31103, 31104, 31105

^200

A web attack returned code 200 (success).

attack,

31100

\?-d|\?-s|\?-a|\?-b|\?-w

PHP CGI-bin vulnerability attempt.

attack,

31100

\+as\+varchar

%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)%2Bchar\(\d+\)

MSSQL Injection attempt (/ur.php, urchin.js)

attack,

31103, 31104, 31105

^/search\.php\?search=|^/index\.php\?searchword=

Ignored URLs for the web attacks

31100

URL too long. Higher than allowed on most

browsers. Possible attack.

invalid_access,

31100

^50

Web server 500 error code (server error).

31120

^501

Web server 501 error code (Not Implemented).

31120

^500

alert_by_email

Web server 500 error code (Internal Error).

system_error,

31120

^503

alert_by_email

Web server 503 error code (Service unavailable).

31101

is_valid_crawler

Ignoring google/msn/yahoo bots.

31101

^499

Ignored 499's on nginx.

31101

Multiple web server 400 error codes

from same source ip.

web_scan,recon,

31103

Multiple SQL injection attempts from same

source ip.

attack,sql_injection,

31104

Multiple common web attacks from same source ip.

attack,

31105

Multiple XSS (Cross Site Scripting) attempts

from same source ip.

attack,

31121

Multiple web server 501 error code (Not Implemented).

web_scan,recon,

31122

Multiple web server 500 error code (Internal Error).

system_error,

31123

Multiple web server 503 error code (Service unavailable).

web_scan,recon,

31100

=%27|select%2B|insert%2B|%2Bfrom%2B|%2Bwhere%2B|%2Bunion%2B

SQL injection attempt.

attack,sqlinjection,

31100

%EF%BC%87|%EF%BC%87|%EF%BC%87|%2531|%u0053%u0045

SQL injection attempt.

attack,sqlinjection,

Data collection for the whole engine:

Application

eventlog

Security

eventlog

System

eventlog

Windows PowerShell

eventlog

./shared/win_audit_rcl.txt

./shared/win_applications_rcl.txt

./shared/win_malware_rcl.txt

72000

no

%WINDIR%/win.ini

%WINDIR%/system.ini

C:\autoexec.bat

C:\config.sys

C:\boot.ini

%WINDIR%/SysNative/at.exe

%WINDIR%/SysNative/attrib.exe

%WINDIR%/SysNative/cacls.exe

%WINDIR%/SysNative/cmd.exe

%WINDIR%/SysNative/drivers/etc

%WINDIR%/SysNative/eventcreate.exe

%WINDIR%/SysNative/ftp.exe

%WINDIR%/SysNative/lsass.exe

%WINDIR%/SysNative/net.exe

%WINDIR%/SysNative/net1.exe

%WINDIR%/SysNative/netsh.exe

%WINDIR%/SysNative/reg.exe

%WINDIR%/SysNative/regedt32.exe

%WINDIR%/SysNative/regsvr32.exe

%WINDIR%/SysNative/runas.exe

%WINDIR%/SysNative/sc.exe

%WINDIR%/SysNative/schtasks.exe

%WINDIR%/SysNative/sethc.exe

%WINDIR%/SysNative/subst.exe

%WINDIR%/SysNative/wbem/WMIC.exe

%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe

%WINDIR%/SysNative/winrm.vbs

%WINDIR%/System32/CONFIG.NT

%WINDIR%/System32/AUTOEXEC.NT

%WINDIR%/System32/at.exe

%WINDIR%/System32/attrib.exe

%WINDIR%/System32/cacls.exe

%WINDIR%/System32/debug.exe

%WINDIR%/System32/drwatson.exe

%WINDIR%/System32/drwtsn32.exe

%WINDIR%/System32/edlin.exe

%WINDIR%/System32/eventcreate.exe

%WINDIR%/System32/eventtriggers.exe

%WINDIR%/System32/ftp.exe

%WINDIR%/System32/net.exe

%WINDIR%/System32/net1.exe

%WINDIR%/System32/netsh.exe

%WINDIR%/System32/rcp.exe

%WINDIR%/System32/reg.exe

%WINDIR%/regedit.exe

%WINDIR%/System32/regedt32.exe

%WINDIR%/System32/regsvr32.exe

%WINDIR%/System32/rexec.exe

%WINDIR%/System32/rsh.exe

%WINDIR%/System32/runas.exe

%WINDIR%/System32/sc.exe

%WINDIR%/System32/subst.exe

%WINDIR%/System32/telnet.exe

%WINDIR%/System32/tftp.exe

%WINDIR%/System32/tlntsvr.exe

%WINDIR%/System32/drivers/etc

%WINDIR%/System32/wbem/WMIC.exe

%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe

%WINDIR%/System32/winrm.vbs

%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup

.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$

HKEY_LOCAL_MACHINE\Software\Classes\batfile

HKEY_LOCAL_MACHINE\Software\Classes\cmdfile

HKEY_LOCAL_MACHINE\Software\Classes\comfile

HKEY_LOCAL_MACHINE\Software\Classes\exefile

HKEY_LOCAL_MACHINE\Software\Classes\piffile

HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects

HKEY_LOCAL_MACHINE\Software\Classes\Directory

HKEY_LOCAL_MACHINE\Software\Classes\Folder

HKEY_LOCAL_MACHINE\Software\Classes\Protocols

HKEY_LOCAL_MACHINE\Software\Policies

HKEY_LOCAL_MACHINE\Security

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\Security\Policy\Secrets

HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users

\Enum$

yes



Now let's look at how the PowerShell-related detection is done:


18101

^400$

PowerShell

Windows PowerShell was started.

18101

^800$

PowerShell

Windows PowerShell command executed.

18101

^403$

PowerShell

Windows PowerShell was stopped.

20501

Set-StrictMode -Version 1; .+[A-Za-z0-9@_-]+

A wrong/misspelled command was tried

20501

CommandLine= CommandInvocation

Powershell background activity

20501

Set-ExecutionPolicy|Mimikatz|EncodedCommand|Payload|Find-AVSignature|DllInjection|ReflectivePEInjection|Invoke-Shellcode|Invoke--Shellcode|Invoke-ShellcodeMSIL|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|Set-MasterBootRecord|New-ElevatedPersistenceOption|Invoke-CallbackIEX|Invoke-PSInject|Invoke-DllEncode|Get-ServiceUnquoted|Get-ServiceEXEPerms|Get-ServicePerms|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-UserAddMSI|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Invoke-FindDLLHijack|Invoke-FindPathHijack|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-UnattendedInstallFiles|Get-Webconfig|Get-Webconfig|Get-ApplicationHost|Invoke-AllChecks|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|HTTP-Backdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Execute-OnTime|DNS_TXT_Pwnage|Out-Word|Out-Excel|Out-Java|Out-Shortcut|Out-CHM|Out-HTA|Enable-DuplicateToken|Remove-Update|Execute-DNSTXT-Code|Download-Execute-PS|Execute-Command-MSSQL|Download_Execute|Get-PassHashes|Invoke-CredentialsPhish|Get-LsaSecret|Get-Information|Invoke-MimikatzWDigestDowngrade|Copy-VSS|Check-VM|Invoke-NetworkRelay|Create-MultipleSessions|Run-EXEonRemote|Invoke-BruteForce|Port-Scan|Invoke-PowerShellIcmp|Invoke-PowerShellUdp|Invoke-PsGcatAgent|Invoke-PoshRatHttps|Invoke-PowerShellTcp|Invoke-PoshRatHttp|Invoke-PowerShellWmi|Invoke-PSGcat|Remove-PoshRat|TexttoEXE|Invoke-Encode|Invoke-Decode|Base64ToString|StringtoBase64|Do-Exfiltration|Parse_Keys|Add-Exfiltration|Add-Persistence|Remove-Persistence|Invoke-CreateCertificate|powercat|Find-PSServiceAccounts|Get-PSADForestKRBTGTInfo|Discover-PSMSSQLServers|Discover-PSMSExchangeServers|Get-PSADForestInfo|Get-KerberosPolicy|Discover-PSInterestingServices

Possibly Dangerous Command Detected (https://gist.github.com/gfoss/2b39d680badd2cad9d82#file-powershell-command-line-logging)

The data source is the Windows event log,

windows

Group of windows rules.

18100

^INFORMATION

Windows informational event.

18100

^WARNING

Windows warning event.

18100

^ERROR

Windows error event.

system_error,

18100

^AUDIT_SUCCESS|^success

Windows audit success event.


Next, the filtering rules written for the events reported by McAfee AV:

^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$

^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$

^257$|^5000$|^5026$|^5052$|^5055$

quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted

The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean

10

18101,18102,18103

windows

^McLogEvent

Grouping of McAfee Windows AV rules.

7500

$MCAFEE_INFO

McAfee Windows AV informational event.

7500

$MCAFEE_WARN

McAfee Windows AV warning event.

7500

$MCAFEE_ERROR

McAfee Windows AV error event.

7500

$MCAFEE_VIRUS

virus

McAfee Windows AV - Virus detected and not removed.

7504

$MCAFEE_VIRUS_OK

virus

McAfee Windows AV - Virus detected and properly removed.

7504

Will be deleted

virus

McAfee Windows AV - Virus detected and file will be deleted.

7500

scan started|scan stopped

McAfee Windows AV - Scan started or stopped.

7501

^257

completed\. No detections

McAfee Windows AV - Scan completed with no viruses found.

7500

scan was cancelled |has taken too long

McAfee Windows AV - Virus scan cancelled.

7500

scan was canceled because

McAfee Windows AV - Virus scan cancelled due to shutdown.

7500

update was successful

McAfee Windows AV - Virus program or DAT update succeeded.

7500

update failed

McAfee Windows AV - Virus program or DAT update failed.

7500

update was cancelled

McAfee Windows AV - Virus program or DAT update cancelled.

7505

contains the EICAR test file

alert_by_email

McAfee Windows AV - EICAR test file detected.

7502

Multiple McAfee AV warning events.


How statistical (frequency-based) rules are written: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml

^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$

authentication_success

$SYS_USERS

System user successfully logged to the system.

invalid_login,

^rpc\.statd\[\d+\]: gethostbyname error for [^A-Za-z0-9@_-]+

Buffer overflow attack on rpc.statd

exploit_attempt,

ftpd\[\d+\]: \S+ FTP LOGIN FROM .+ 0bin0sh

Buffer overflow on WU-FTPD versions prior to 2.6

exploit_attempt,

\?{21}

Possible buffer overflow attempt.

exploit_attempt,

changed by \(\(null\)

"Null" user changed some information.

exploit_attempt,

@{25}

Buffer overflow attempt (probably on yppasswd).

exploit_attempt,

cachefsd: Segmentation Fault - core dumped

Heap overflow in the Solaris cachefsd service.

2002-0033

exploit_attempt,

attempt to execute code on stack by

Stack overflow attempt or program exiting

with SEGV (Solaris).

http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html

exploit_attempt,

authentication_failed

Multiple authentication failures.

authentication_failures,

authentication_success

authentication_failures

Multiple authentication failures followed

by a success.

virus

Multiple viruses detected - Possible outbreak.

virus,

adduser

attacks

Attacks followed by the addition

of an user.

connection_attempt

Network scan from same source ip.

http://project.honeynet.org/papers/enemy2/


Let's look at the OSSEC rule specification: https://ossec-documentation.readthedocs.io/en/latest/manual/lids/rules.html

Rules

Rules compare log messages to a set of pre-defined conditions. The comparisons can happen on the entire log message, or on fields defined in decoders.

rule

Each rule begins by defining certain settings

level

This defines the severity of the rule. Valid levels are 0-16.

id

A unique identification number for the rule.

maxsize

Specifies the maximum size of the event. The valid range is 1-99999

frequency

Specifies the number of times the rule must have matched before firing. The number that triggers the rule is actually 2 more than this setting.

Note

More information about how frequency is counted can be found in this thread.

timeframe

The timeframe in seconds. This option is intended to be used with the frequency option.

ignore

The time (in seconds) to ignore this rule after firing it (to avoid floods).

overwrite

Used to supersede an OSSEC rule with local changes. This is useful to change the level or other options of rules included with OSSEC.

noalert

Prevent the rule from triggering an alert. Further rule checks will not happen, except for rules specifically using this rule in a configuration.

match

A simple string comparison.

regex

This option uses the OSSEC regex syntax for comparisons.

pcre2

The pcre2 option utilizes OSSEC's pcre2 support. Refer to the pcre2 page for information on the syntax. ==》PCRE: Perl Compatible Regular Expressions

decoded_as

Define a decoder that must be matched for the rule comparison to continue. From the examples that follow, you can see this is mostly about defining custom "decode" and "check" functions that extract data, etc.!!!

==》Example:

ossec

rootcheck

Rootcheck event.

pci_dss_10.6.1,rootcheck,


^sshd

sshd

^Accepted

^ \S+ for (\S+) from (\S+) port

user, srcip

name, user, location

sshd

^User \S+ from

^User (\S+) from (\S+)

user, srcip

sshd

^User

^(\S+), coming from (\S+),

user, srcip

name, user, location

sshd

^Postponed keyboard-interactive|^Failed keyboard-interactive

user (\S+) from (\S+) port (\d+)

user, srcip, srcport

sshd

^Failed \S+ for invalid user|^Failed \S+ for illegal user

from (\S+) port \d+ \w+$

srcip

sshd

^Failed \S+

^for (\S+) from (\S+) port \d+

user, srcip

sshd

^error: PAM: Authentication \w+

^for (\S+) from (\S+)$

user, srcip

sshd

^error: PAM:

user (\S+) from (\S+)

user, srcip

sshd

^reverse mapping checking

^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+)

srcip

sshd

^Invalid user|^Illegal user

from (\S+)

srcip

sshd

^scanned from

(\S+)

srcip

sshd

^Received disconnect

^from (\S+): |^from (\S+)

srcip

sshd

^Disconnected from invalid user

\S+ (\S+)

srcip
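To make the decoder listing above concrete, here is an added example (not OSSEC's code) that models the sshd decoder tree as Python dicts: a parent decoder selected by program_name, and children whose prematch picks the line and whose regex captures are mapped to fields by order. The regexes are Python re syntax adapted from the decoder shown above (a trailing space is added to the generic "Failed" prematch so the child regex starts right at "for ..."), and the log lines are constructed.

```python
import re

# Syslog header "Mon DD hh:mm:ss host program[pid]: message" (constructed for this example).
SYSLOG_HEADER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")

# Decoder tree adapted from the sshd decoder shown above (added example, written as dicts
# instead of OSSEC XML). Children are tried in the order listed, so the "invalid user"
# decoder must precede the generic "Failed" one, exactly as in the original file.
DECODERS = [
    {"name": "sshd", "program_name": r"^sshd$"},
    {"parent": "sshd", "name": "sshd-accepted", "prematch": r"^Accepted",
     "regex": r"^ \S+ for (\S+) from (\S+) port", "order": ["user", "srcip"]},
    {"parent": "sshd", "name": "sshd-kbdint",
     "prematch": r"^Postponed keyboard-interactive|^Failed keyboard-interactive",
     "regex": r"user (\S+) from (\S+) port (\d+)", "order": ["user", "srcip", "srcport"]},
    {"parent": "sshd", "name": "sshd-invalid-user",
     "prematch": r"^Failed \S+ for invalid user|^Failed \S+ for illegal user",
     "regex": r"from (\S+) port \d+ \w+$", "order": ["srcip"]},
    {"parent": "sshd", "name": "sshd-failed", "prematch": r"^Failed \S+ ",
     "regex": r"^for (\S+) from (\S+) port \d+", "order": ["user", "srcip"]},
]


def decode(line):
    """Return the decoded fields of a syslog line, or None if no decoder applies."""
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None
    hostname, program_name, msg = header.groups()
    parents = [d for d in DECODERS
               if "program_name" in d and re.search(d["program_name"], program_name)]
    if not parents:
        return None
    parent = parents[0]
    event = {"decoder": parent["name"], "hostname": hostname, "program_name": program_name}
    for child in DECODERS:
        if child.get("parent") != parent["name"]:
            continue
        pre = re.search(child["prematch"], msg)
        if not pre:
            continue
        # Like offset="after_prematch": the child regex runs on the text after the prematch.
        m = re.search(child["regex"], msg[pre.end():])
        if m:
            event["decoder"] = child["name"]
            event.update(zip(child["order"], m.groups()))  # order maps captures to fields
            break
    return event
```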


ossec

syscheck_integrity_changed

Integrity checksum changed.

syscheck,

ossec

syscheck_integrity_changed_2nd

Integrity checksum changed again (2nd time).

syscheck,

ossec

syscheck_integrity_changed_3rd

Integrity checksum changed again (3rd time).

syscheck,

ossec

syscheck_deleted

File deleted. Unable to retrieve checksum.

syscheck,

ossec

syscheck_new_entry

File added to the system.

syscheck,

500

^ossec: agentless:

Integrity checksum for agentless device changed.

syscheck,agentless

ossec

hostinfo_modified

Host information changed.

hostinfo,


category

The decoded category to match (ids, syslog, firewall, web-log, squid or windows).

srcip

Any IP address or CIDR block to be compared to an IP decoded as srcip. Use “!” to negate it.

dstip

Any IP address or CIDR block to be compared to an IP decoded as dstip. Use “!” to negate it.

extra_data

Any string that is decoded into the extra_data field.

user

Any username (decoded as the username).

program_name

Program name is decoded from syslog process name.

hostname

Any hostname (decoded as the syslog hostname) or log file.

time

Time that the event was generated. Any time range can be defined, in the format of hh:mm-hh:mm. AM/PM can also be used:

weekday

Specify a week day that the event was generated. Multiple entries can be separated by commas.

id

Any ID (decoded as the ID).

url

Any string decoded into the url field.

if_sid

Matches if the rule ID has matched. This is used to create children to other rules. ==》used for data filtering

if_group

Matches if the group has matched before. This can be used to create children of other rules.

if_level

Matches if the level has matched before.

if_matched_sid

Matches if an alert of the defined ID has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.

Note

Rules at level 0 are discarded immediately and will not be used with the if_matched_ rules. The level must be at least 1, but the option can be added to the rule to make sure it does not get logged.

if_matched_group

Matches if an alert of the defined group has been triggered in a set number of seconds. This option is used in conjunction with frequency and timeframe.

same_id

Specifies that the decoded id must be the same. This option is used in conjunction with frequency and timeframe.

same_source_ip

Specifies that the decoded source ip must be the same. This option is used in conjunction with frequency and timeframe.

same_source_port

Specifies that the decoded source port must be the same. This option is used in conjunction with frequency and timeframe.

same_dst_port

Specifies that the decoded destination port must be the same. This option is used in conjunction with frequency and timeframe.

same_location

Specifies that the location must be the same. This option is used in conjunction with frequency and timeframe.

same_user

Specifies that the decoded user must be the same. This option is used in conjunction with frequency an timeframe.

Example: login attempts that finally succeed!!! ==》Seen this way, OSSEC actually does a pretty good job!!!

authentication_success

authentication_failures

Multiple authentication failures followed by a success.
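To show how frequency, timeframe, if_matched_sid, if_matched_group and same_source_ip combine into the "failures followed by a success" rule above, here is an added toy correlator (example code, not OSSEC's engine). It parses a constructed rule group written in OSSEC XML syntax (rule ids in the local-rule range, Python re syntax instead of OSSEC regex) and applies it to constructed sshd lines; the trigger count follows the documentation's "frequency + 2" statement.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule group in OSSEC XML syntax (added example, not from the OSSEC ruleset).
# Ids 100001-100004 sit in the local-rule range; <regex> bodies use Python re syntax and
# their first capture group stands in for the decoded srcip.
RULES_XML = r"""
<group name="local,syslog,sshd,">
  <rule id="100001" level="5">
    <regex>Failed password for \S+ from (\S+) port</regex>
    <description>sshd authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100002" level="3">
    <regex>Accepted password for \S+ from (\S+) port</regex>
    <description>sshd authentication success.</description>
    <group>authentication_success,</group>
  </rule>
  <rule id="100003" level="10" frequency="2" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Multiple sshd failed logins from same source ip.</description>
    <group>authentication_failures,</group>
  </rule>
  <rule id="100004" level="12" frequency="1" timeframe="300">
    <if_group>authentication_success</if_group>
    <if_matched_group>authentication_failures</if_matched_group>
    <same_source_ip />
    <description>Multiple authentication failures followed by a success.</description>
  </rule>
</group>
"""


class Correlator:
    def __init__(self, xml_text):
        self.rules = list(ET.fromstring(xml_text).iter("rule"))
        self.history = []  # (ts, rule id, groups, srcip) for every alert fired so far

    def _matches_in_window(self, ts, rule, srcip):
        """Count alerts inside the rule's timeframe that satisfy if_matched_sid or
        if_matched_group; with <same_source_ip /> only alerts from srcip count."""
        sid = rule.findtext("if_matched_sid")
        grp = rule.findtext("if_matched_group")
        same_ip = rule.find("same_source_ip") is not None
        n = 0
        for t, rid, groups, ip in self.history:
            if ts - t > int(rule.get("timeframe")) or (same_ip and ip != srcip):
                continue
            if (sid is not None and rid == int(sid)) or grp in groups:
                n += 1
        return n

    def process(self, ts, line):
        """Evaluate one log line at time ts (seconds); return the rule ids that fire."""
        fired, groups, srcip = [], set(), None
        for rule in self.rules:
            regex = rule.findtext("regex")
            if regex is not None:  # atomic rule: matched against the line itself
                m = re.search(regex, line)
                if not m:
                    continue
                srcip = m.group(1)
            else:  # composite rule: only evaluated under its parent sid/group (rule tree)
                parent_sid = rule.findtext("if_sid") or rule.findtext("if_matched_sid")
                parent_grp = rule.findtext("if_group") or rule.findtext("if_matched_group")
                if (parent_sid and int(parent_sid) not in fired) or (parent_grp and parent_grp not in groups):
                    continue
                needed = int(rule.get("frequency")) + 2  # docs: fires at frequency + 2 matches
                if self._matches_in_window(ts, rule, srcip) < needed:
                    continue
            rid = int(rule.get("id"))
            groups |= {g for g in (rule.findtext("group") or "").split(",") if g}
            self.history.append((ts, rid, frozenset(groups), srcip))
            fired.append(rid)
        return fired
```

Six failures from one address raise 100003 from the fourth one on, a later success from the same address then raises 100004, while a success from another address or a failure outside the timeframe does not.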

One of these groups is authentication success; looking at its definition, we can see it collects successful-authentication events from various scenarios:

4715

^%SEC_LOGIN-5-LOGIN_SUCCESS

Successful login to the router.

authentication_success,


3900

^LOGIN,

Courier (imap/pop3) authentication success.

authentication_success,


51000

password auth succeeded for

User successfully logged in using a password.

authentication_success,

And many more like these...

Let's also look at the authentication_failures definition; it collects failed-authentication events from various scenarios:

11100

repeated login failures

Multiple FTP failed login attempts.

authentication_failures,

9306

Horde brute force (multiple failed logins).

authentication_failures,

3601

Multiple failed logins from same source ip.

authentication_failures,

...


One more case, brute-force detection:

9705

Dovecot brute force attack (multiple auth failures).

authentication_failures,



description

The rule description.

list

Perform a CDB lookup using an ossec list. This is a fast on-disk database which will always find keys within two seeks of the file.

field

Field that is used as the key to look up in the CDB file:

Value: srcip

Value: srcport

Value: dstip

Value: dstport

Value: extra_data

Value: user

Value: url

Value: id

Value: hostname

Value: program_name

Value: status

Value: action

lookup

This is the type of lookup that is performed:

Value: match_key

Positive key match: field is the key to search within the cdb and will match if the key is present.

This is the default if no lookup is specified.

Value: not_match_key

Negative key match: field is the key to search and will match if it IS NOT present in the database.

Value: match_key_value

Key and Value Match: field is searched for in the cdb and if found the value will be compared with regex from attribute check_value.

Note

This feature is not yet complete.

Value: address_match_key

Positive key match: field is an IP address and the key to search within the cdb and will match if the key is present.

Value: not_address_match_key

Negative key match: field is an IP address and the key to search and will match if it IS NOT present in the database.

Value: address_match_key_value

Key and Value Match: field is an IP address searched for in the cdb and if found the value will be compared with regex from attribute check_value.

Note

This feature is not yet complete.

check_value

regex pattern for matching on the value pulled out of the cdb when using lookup types: address_match_key_value, match_key_value

Path to the CDB file to be used for lookup from the OSSEC directory. This file must also be included in the ossec.conf file.

Example:

path/to/list/file

Checking srcip against cdb list file

info

Extra information may be added to an alert using info. The type must be specified using one of the following options:

type

Value: text

This is the default when no type is selected. Just used for additional information about the alert/event.

Value: link

Link to more information about the alert/event.

Value: cve

The CVE Number related to this alert/event.

Value: osvdb

The osvdb id related to this alert/event.

Example:

500

alert_by_email

Ossec started

Ossec server started.

http://ossec.net/wiki/Rule:205

2009-1002

61509

Internal Why we are running this run in our company

Type text is the default

options

Additional rule options

alert_by_email

Always alert by email.

Example: alert_by_email

no_email_alert

Never alert by email.

Example: no_email_alert

no_log

Do not log this alert.

Example: no_log

check_diff

Used to determine when the output of a command changes.

group

Add additional groups to the alert. Groups are optional tags added to alerts. They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.


Now let's look at Wazuh. Since it is derived from OSSEC, its rules are at https://github.com/wazuh/wazuh-ruleset/tree/master/rules

but with MITRE added!!!

2832

REPLACE (root)

Root's crontab entry changed.

T1053.003

pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_10.2.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AU.6,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,

Other differences are covered in the next blog post.

