OSSEC configuration example: monitoring files and directories
Modify the ossec.conf configuration file and add the following content:
<syscheck>
  <directories>/opt/web</directories>            <!-- directory to check -->
  <ignore>/var/web/upload</ignore>               <!-- skip the upload directory -->
  <ignore>/var/web/config.conf</ignore>          <!-- skip the config.conf file -->
</syscheck>
Monitor web logs
Modify the ossec.conf configuration file and add the following content:
<localfile>
  <log_format>apache</log_format>                <!-- log format -->
  <location>/var/log/nginx/error.log</location>  <!-- web log path -->
</localfile>
Intrusion Detection
The signature files that rootcheck uses for intrusion detection are referenced from the ossec.conf configuration file.
For example, a backdoor that creates the mcrootkit file in the /tmp directory can be detected by adding the following line to the /var/ossec/etc/shared/rootkit_files.txt file:
tmp/mcrootkit ! Bash door ::/rootkits/bashdoor.php
Email notification:
OSSEC HIDS Notification.
2015 Jul 07 18:19:14

Received From: (web-10-10-51-51) 10.10.51.51->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Bash' detected by the presence of file '/tmp/secrootkit'.

 --END OF NOTIFICATION
Automatic response
Add the ddos_rules.xml file to the rule list in the ossec.conf configuration file:
<rules>
  <include>ddos_rules.xml</include>
</rules>
Create the anti-CC attack rules
# cat /var/ossec/rules/ddos_rules.xml
<rule id="31177" level="LEVEL">                  <!-- LEVEL: placeholder, the alert level is not shown on this page -->
  <if_sid>31108</if_sid>                         <!-- parent rule id 31108 -->
  <url>^/*.php</url>                             <!-- the matched URL contains a php file -->
  <description>CC attacks url</description>      <!-- description -->
</rule>
<rule id="31178" level="LEVEL" frequency="10" timeframe="60">  <!-- 10 matches within 60 seconds, as described in the note below -->
  <if_matched_sid>31177</if_matched_sid>         <!-- count matches of rule 31177 -->
  <description>CC attacks</description>
  <group>DDOS</group>
</rule>
Note:
- Rule 31178 fires when the same IP address requests a php file more than 10 times within 60 seconds.
- Rule 31177 matches log entries that already matched rule id 31108 and whose URL contains a php file.
- For the full definition of rule id 31108, see the web_rules.xml file:
<rule id="31108" level="0">
  <if_sid>31100</if_sid>
  <id>^2|^3</id>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored URLs (simple queries).</description>
</rule>
Note: rule id 31108 matches web log entries whose status code is 2xx or 3xx, which effectively filters out error pages such as 404 and 403 before the CC rules are evaluated.
Configure automatic response
In the ossec.conf configuration file, add the following content:
<command>
  <name>firewall-drop</name>                     <!-- command name -->
  <executable>firewall-drop.sh</executable>      <!-- script to execute -->
  <expect>srcip</expect>                         <!-- script parameter: the client IP address -->
  <timeout_allowed>yes</timeout_allowed>         <!-- allow the block to time out -->
</command>
<active-response>
  <command>firewall-drop</command>               <!-- name of the automatic response command defined above -->
  <location>local</location>                     <!-- where the script runs; local means the agent that produced the log -->
  <rules_id>31178</rules_id>                     <!-- rule id that triggers the response -->
  <timeout>600</timeout>                         <!-- seconds after which the block is removed -->
</active-response>
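To see how the three rules chain together before the active response fires, here is an added Python example; it is not OSSEC code and not part of the original page. It parses constructed Apache/nginx combined-format access log lines, applies rule 31108 (only 2xx/3xx responses pass), rule 31177 (the URL refers to a php file) and a per-source-IP sliding-window count standing in for rule 31178 with frequency 10 and timeframe 60, and returns the srcip that active-response would hand to firewall-drop.sh. Two assumptions are built in: the php check is a plain search for ".php" rather than a translation of OSSEC's own regex dialect, and the page's note ("more than 10 times in 60 seconds" from the same IP) is taken literally, so the alert is raised on the 11th match.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout of a combined-format access log line; srcip, url and the
# status code (id) are the fields the OSSEC web rules evaluate.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) '
)


def parse_line(line):
    """Return the decoded fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def rule_31108(ev):
    """web_rules.xml 31108: 2xx/3xx responses are 'simple' requests; errors never reach the CC rules."""
    return ev["id"][0] in "23"


def rule_31177(ev):
    """ddos_rules.xml 31177: child of 31108 whose URL refers to a php file.
    Assumption: written as a Python search for '.php', not OSSEC's regex dialect."""
    return rule_31108(ev) and re.search(r"\.php", ev["url"]) is not None


class CcDetector:
    """ddos_rules.xml 31178: more than `frequency` 31177 matches from one source IP
    inside a sliding window of `timeframe` seconds (per-IP counting follows the page's note)."""

    def __init__(self, frequency=10, timeframe=60):
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.hits = defaultdict(deque)   # srcip -> timestamps of recent 31177 matches
        self.blocked = set()             # srcips already handed to firewall-drop

    def feed(self, line):
        """Process one log line; return an alert dict when rule 31178 fires, else None."""
        ev = parse_line(line)
        if ev is None or not rule_31177(ev):
            return None
        q = self.hits[ev["srcip"]]
        q.append(ev["ts"])
        # forget matches that have fallen out of the sliding window
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) > self.frequency and ev["srcip"] not in self.blocked:
            self.blocked.add(ev["srcip"])
            # this srcip is what active-response passes to firewall-drop.sh
            return {"rule": 31178, "srcip": ev["srcip"], "count": len(q), "ts": ev["ts"]}
        return None


def build_sample_log():
    """Constructed access-log lines (not real traffic) exercising each branch of the chain."""
    fmt = ('{ip} - - [07/Jul/2015:18:20:{sec:02d} +0800] "GET {url} HTTP/1.1" '
           '{code} 512 "-" "curl/7.40"')
    lines = []
    for i in range(12):   # 12 php hits from one client within 22 seconds: trips 31178
        lines.append(fmt.format(ip="10.10.51.60", sec=2 * i, url="/index.php?id=1", code=200))
    for i in range(12):   # 404 responses are dropped by 31108, so no alert
        lines.append(fmt.format(ip="10.10.51.61", sec=2 * i, url="/missing.php", code=404))
    for i in range(12):   # 2xx but not a php file, so 31177 never matches
        lines.append(fmt.format(ip="10.10.51.62", sec=2 * i, url="/static/app.css", code=200))
    return lines


def run(lines, frequency=10, timeframe=60):
    """Feed every line through the detector; return the list of 31178 alerts raised."""
    det = CcDetector(frequency, timeframe)
    return [a for a in map(det.feed, lines) if a is not None]


if __name__ == "__main__":
    for alert in run(build_sample_log()):
        print(f"rule {alert['rule']} fired: {alert['srcip']} made {alert['count']} php requests "
              f"in 60s; firewall-drop would block it for 600s")
```

With the constructed input only 10.10.51.60 is reported, on its 11th php request; the 404 client and the static-file client never reach rule 31177, which is the point of chaining the CC rules under 31108.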
Custom rules
Filter strings in the log: for example, if admin_backdoor appears in the log, an alert is triggered.
Add the test_rules.xml file to the rule list in the ossec.conf configuration file:
<rules>
  <include>test_rules.xml</include>
</rules>
Create the filter rule
# vi /var/ossec/rules/test_rules.xml
<group name="GROUP_NAME">                        <!-- GROUP_NAME: placeholder, not shown on this page -->
  <rule id="RULE_ID" level="7">                  <!-- RULE_ID: placeholder, not shown on this page -->
    <decoded_as>admin_backdoor</decoded_as>      <!-- decoder name -->
    <description>admin_backdoor access</description>
  </rule>
</group>
Configure the decoder.xml file
# cat /var/ossec/etc/decoder.xml
<decoder name="admin_backdoor">                  <!-- decoder name, matches the decoded_as value in test_rules.xml -->
  <prematch>^admin_backdoor</prematch>           <!-- match the string admin_backdoor at the start of the log -->
</decoder>
Alert information:
[root@ossec-server-10-10-51-50 /var/ossec]# ./bin/ossec-logtest
2015/07/07 19:48:20 ossec-testrule: INFO: Reading local decoder file.
2015/07/07 19:48:20 ossec-testrule: INFO: Started (pid: 16189).
ossec-testrule: Type one log per line.

admin_backdoor                                  # input string

**Phase 1: Completed pre-decoding.
       full event: 'admin_backdoor'
       hostname: 'ossec-server-10-10-51-50'
       program_name: '(null)'
       log: 'admin_backdoor'

**Phase 2: Completed decoding.
       decoder: 'admin_backdoor'

**Phase 3: Completed filtering (rules).
       Rule id: '200'                           # matched to rule id 7777
       Level: '7'
       Description: 'admin_backdoor access'     # description, as defined above
**Alert to be generated.