A detailed walkthrough of the OSSIM-OSSEC Windows 4771 case

Introduction

The HIDS in OSSIM is implemented with OSSEC. OSSEC uses a server/agent model and actively monitors all aspects of Unix system activity, mainly through file integrity monitoring, log monitoring, rootcheck and process monitoring. The server side is already installed in OSSIM; you only need to install the agent on the hosts you want to monitor:

ossec http://ossec.github.io/

Today we'll walk through, step by step, how to configure an alarm for 4771 brute-force attacks.

Background knowledge


Receiving all logs

By default not every log is received, so the first step is to enable receiving all logs sent by ossec:


After performing the steps in the figure, remember to restart the HIDS service: Environment > Detection > HIDS > HIDS Control -> Restart.

Now all logs received from the ossec agents are visible:

# tail -10f /var/ossec/logs/archives/archives.log

Matching rules and alerts

By default OSSEC ships with more than 900 rules, which cover essentially every kind of anomalous operating system event. Rule path: /var/ossec/alienvault/rules


If a received log is matched by a rule, an alert is generated:

# tail -10f /var/ossec/logs/alerts/alerts.log

Plugin ID and SID

OSSIM has a great many plugins, divided into collection plugins and monitoring plugins; each plugin has an ID and SIDs. Plugin location: /etc/ossim/agent/plugins

alienvault:/etc/ossim/agent/plugins# ll
-rw-r--r-- 1 root alienvault 5033 Jun 27 2016 actiontec.cfg
-rw-r--r-- 1 root alienvault 20029 Nov 29 00:34 aerohive-wap.cfg
-rw-r--r-- 1 root alienvault 5736 Jun 16 2015 airlock.cfg
-rw-r--r-- 1 root alienvault 1720 Nov 15 00:37 airport-extreme.cfg
-rw-r--r-- 1 root alienvault 12580 Sep 20 16:59 aix-audit.cfg
-rw-r--r-- 1 root alienvault 744 Jun 16 2015 aladdin.cfg
-rw-r--r-- 1 root alienvault 6869 Jul 25 2016 alcatel.cfg
-rw-r--r-- 1 root alienvault 12886 Jan 10 23:30 alienvault_plugins.list
-rw-r--r-- 1 root alienvault 8812 Jun 16 2015 allot.cfg
-rw-r--r-- 1 root alienvault 1064 Jun 16 2015 alteonos.cfg
......

For example, rule id 18105 corresponds to the plugin ossec-single-line.cfg:

[1388 - Windows Audit Failure: Attempt to reset password]
event_type=event
#precheck="18105"
regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>18105)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^"]*)\";\sUSER:\s+\"[^"]+\";\sSRCIP:\s\"(?P<srcip>[^"]*)\"\;\sHOSTNAME:\s+\"\((?P<hostname>[^)]+)\)\s(?P<winip>\S+)->[^"]*\";\sLOCATION\:\s\"(?P<location>[^"]*)\"\;\s+EVENT\:\s+\"\[INIT\](?P<log>.*?An\sattempt\swas\smade\sto\sreset\san\saccount's\spassword.*?Account\sName:\s+(?P<username>.*?)\s+Account\sDomain[^[]*)\[END\]\"\;"
date={normalize_date($date)}
# note: there is a translation mapping here (rule id -> plugin id)
plugin_id={translate($rule_id)}
plugin_sid=102000
device={resolv($winip)}
src_ip={resolv($winip)}
dst_ip={resolv($winip)}
username={$username}

Keep looking in the same file for the translation mapping:

18105=7006

So here plugin_id=7006, and 18105 is the event type id.


As the figure shows, let's look at which event type ids the plugin with plugin_id=7085 has:


Correlation directives

The free edition of OSSIM only ships with 80-odd correlation directives by default.

Directive location: /etc/ossim/server

Directives we create ourselves live in:

# pwd
/etc/ossim/server/abb1c771-e2ce-11e6-9443-1b37c2298626
# ls
directives.xml disabled_directives.data user.xml

Let's look at one directive in detail, for example the one for plugin 7085:

<directive id="500001" name="AV-FREE-FEED Bruteforce attack, Windows authentication attack against DST_IP" priority="4">
  <rule type="detector" name="Windows authentication failure attempts" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="7085" plugin_sid="18106,18130,18135,18136">
    <rules>
      <rule type="detector" name="Windows Authentication failure" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY" reliability="10" occurrence="3" time_out="15" plugin_id="7085" plugin_sid="18106,18130,18135,18136">
        <rules>
          <rule type="detector" name="Windows Authentication failure" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY" reliability="10" occurrence="10" time_out="30" plugin_id="7085" plugin_sid="18106,18130,18135,18136">
            <rules>
              <rule type="detector" name="Windows Authentication failure" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY" reliability="10" occurrence="50" time_out="300" plugin_id="7085" plugin_sid="18106,18130,18135,18136">
                <rules>
                  <rule type="detector" name="Windows Authentication failure" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY" reliability="10" occurrence="200" time_out="1000" plugin_id="7085" plugin_sid="18106,18130,18135,18136">
                    <rules>
                      <rule type="detector" name="Windows Authentication failure" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY" reliability="10" occurrence="2000" time_out="3600" plugin_id="7085" plugin_sid="18106,18130,18135,18136"/>
                    </rules>
                  </rule>
                </rules>
              </rule>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>


The 4771 alarm in detail

With the background above in hand, we can get to today's main topic. First, what does Windows event 4771 mean?

Event 4771: the logon-failure log produced when a domain account logs on from any domain-joined computer other than the domain controller (a bit convoluted; read it a few times)


Receiving and finding the relevant logs

To find the raw 4771 logs sent by ossec, we first need to enable receiving all logs, and then filter the 4771-related entries out of the log stream:

Enabling receipt of all logs was covered in the background section above and is not repeated here; follow those steps.

Deploy ossec on the domain controller; for the detailed steps refer to OSSIM-HIDS.

From a client machine in the domain, log on with any domain account, then search for the 4771 alert logs:

alienvault:/# tail -10f /var/ossec/logs/archives/archives.log |grep "4771"
2017 Mar 02 10:01:32 (Host-192-168-69-109) 192.168.69.109->WinEvtLog 2017 Mar 02 10:01:27 WinEvtLog: Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-A
uditing: (no user): no domain: WIN-P84RKPA31HU.zymtest08.com: Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-2947644658-998118976
-1121298578-1117 Account Name: cc Service Information: Service Name: krbtgt/ZYMTEST08 Network Information: Client Address: ::ffff:192.168.69.147 Client Port:
1172 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name:
Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication
types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields
in this event might not be present.

As the output shows, we have successfully received the 4771 alert logs.


Finding the matching rule and alert

As mentioned above, ossec provides more than 900 rules and most events can be matched. Let's now check whether a default rule matches the 4771 event:

alienvault:/# tail -10f  /var/ossec/logs/alerts/alerts.log |grep "4771"
AV - Alert - "1488420926" --> RID: "18105"; RL: "4"; RG: "windows,"; RC: "Windows audit failure event."; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
"(Host-192-168-69-109) 192.168.69.109->WinEvtLog"; LOCATION: "(Host-192-168-69-109) 192.168.69.109->WinEvtLog"; EVENT: "[INIT]2017 Mar 02 10:15:19
WinEvtLog: Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-P84RKPA31HU.zymtest08.com: Kerberos
pre-authentication failed. Account Information: Security ID: S-1-5-21-2947644658-998118976-1121298578-1117 Account Name: cc Service Information:
Service Name: krbtgt/ZYMTEST08 Network Information: Client Address: ::ffff:192.168.69.147 Client Port: 1185 Additional Information:
Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate
Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication
types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.[END]";

Search the rule file directory for "Windows audit failure event."

Looking at the alert log, we see that 4771 has indeed been matched by a rule. However, the 4771 event here was not matched by the keyword 4771 in the ossec rules. Let's look closely at the rule that matched this 4771 event, in the file /var/ossec/alienvault/rules/msauth_rules.xml:

<group name="windows,">
<rule id="18100" level="0">
<category>windows</category>
<description>Group of windows rules.</description>
</rule>

<!-- intervening rules omitted ...... -->

<rule id="18105" level="4">
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>

Looking at the rule details, we find that the actual match is <status>^AUDIT_FAILURE|^failure</status>

Going back to the raw received log, we find this fragment:

WinEvtLog: Security: AUDIT_FAILURE(4771):

It is this keyword that let us match the 4771 event. Because the rule does not match 4771 directly, there will be some false positives, since there are many other logon-failure codes. So here I modify another rule to match 4771 events specifically.

I change rule 18120 to:

<rule id="18120" level="4">
<if_sid>18105</if_sid>
<id>^4771$</id>
<description>4771-Windows login fail.</description>
</rule>

This matches 4771 events precisely. Check the received log file:

alienvault:~#  tail -10f  /var/ossec/logs/alerts/alerts.log |grep "18120"
AV - Alert - "1488867475" --> RID: "18120"; RL: "4"; RG: "windows,"; RC: "4771-Windows login fail."; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
"(Host-192-168-0-201) 192.168.0.201->WinEvtLog"; LOCATION: "(Host-192-168-0-201) 192.168.0.201->WinEvtLog"; EVENT: "[INIT]2017 Mar 07 14:17:55
WinEvtLog: Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no user): no domain: GLODON-DC01.grandsoft.com.cn: Kerberos
pre-authentication failed. Account Information: Security ID: S-1-5-21-436374069-1957994488-1801674531-53787 Account Name: AUTOTEST128004$
Service Information: Service Name: krbtgt/grandsoft.com.cn Network Information: Client Address: ::ffff:192.168.128.4 Client Port: 58977
Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate
Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for
pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged
during transit and could not be decrypted, then many fields in this event might not be present.[END]";
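The decode-and-match chain discussed above, as an added example (a model written for this walkthrough, not OSSEC's own decoder or rule engine): it splits a WinEvtLog line into the status and id fields that msauth_rules.xml tests, then walks 18100 -> 18105 -> 18120 via <if_sid>, so that 18105 fires on any AUDIT_FAILURE while 18120 fires only for id 4771. The 4771 sample line is the one from the post (body shortened); the 4625 line is constructed.

```python
import re

# Added example (a model, not OSSEC's own decoder): how a WinEvtLog line is split
# into the `status` and `id` fields that msauth_rules.xml tests, and how the two
# rules above chain via <if_sid>: 18105 fires on any AUDIT_FAILURE, 18120 only
# when the event id is exactly 4771.
WINEVT = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>\S+): (?P<body>.*)")
BODY = {  # Kerberos fields of interest in the 4771 body
    "account": re.compile(r"Account Name: (\S+)"),
    "client": re.compile(r"Client Address: (?:::ffff:)?(\S+)"),
    "failure_code": re.compile(r"Failure Code: (0x[0-9A-Fa-f]+)"),
}
RULES = [  # (rule id, parent sid required by <if_sid>, decoded field, pattern)
    (18105, 18100, "status", re.compile(r"^AUDIT_FAILURE|^failure")),
    (18120, 18105, "id", re.compile(r"^4771$")),
]

def decode(line):
    """Return the decoded fields of one WinEvtLog line, or None if it is not one."""
    m = WINEVT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for name, rx in BODY.items():
        hit = rx.search(fields["body"])
        fields[name] = hit.group(1) if hit else None
    return fields

def match(fields):
    """Walk the rule chain in order; return the most specific rule id that fires."""
    fired = 18100                       # group rule: level 0, every windows event
    for rule_id, parent, field, rx in RULES:
        if fired == parent and fields.get(field) and rx.search(fields[field]):
            fired = rule_id
    return fired

# Sample lines: the first is the 4771 event from the post (body shortened),
# the second is a constructed AUDIT_FAILURE with a different event id.
LINE_4771 = ("2017 Mar 02 10:01:27 WinEvtLog: Security: AUDIT_FAILURE(4771): "
             "Microsoft-Windows-Security-Auditing: (no user): no domain: "
             "WIN-P84RKPA31HU.zymtest08.com: Kerberos pre-authentication failed. "
             "Account Information: Account Name: cc Service Information: "
             "Service Name: krbtgt/ZYMTEST08 Network Information: Client Address: "
             "::ffff:192.168.69.147 Client Port: 1172 Additional Information: "
             "Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2")
LINE_4625 = ("2017 Mar 02 10:02:00 WinEvtLog: Security: AUDIT_FAILURE(4625): "
             "Microsoft-Windows-Security-Auditing: (no user): no domain: "
             "WIN-P84RKPA31HU.zymtest08.com: An account failed to log on.")
```

Calling match(decode(LINE_4771)) yields 18120 while match(decode(LINE_4625)) stops at 18105, which is exactly the false-positive gap the modified rule closes.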

Finding the relevant plugin ID

We have changed the ossec alert sid to 18120; next we use 18120 to find which plugin ID it belongs to, so that we can write the correlation directive:

In the plugin directory, searching for 18120 shows that it lives in ossec-single-line.cfg, where we find the specific mapping:

18120=7006

So here plugin_id=7006, and 18120 is the event type id.

Now we have all the information needed to write the correlation directive. Let's write it:


Writing the correlation directive

For the background, review 2.4 Correlation directives. We create a new directive:

Fill in NAME, INTENT, STRATEGY and METHOD, as in the figure:

A special note on the meaning of PRIORITY:
PRIORITY: the priority, in the range 0-5, expresses how much impact on the system a successful attack would have; the higher the value, the greater the harm. For this example 4 is not really necessary and the value should be chosen according to your actual situation; I use 4 here to make the effect of the experiment stand out.


After clicking SAVE, fill in the rule name; anything you can recognise later is fine:


Next comes the plugin ID mentioned above. We established earlier that we need 7006, so just search for it and select it:


Then select the event type ID, the 18120 mentioned above; search for it and fill it in.


Next, select the source. Since this is the top level of the directive, it accepts any IP, i.e. any; just click next:


A few more concepts to learn here:
Risk: in the range 1-10, this is the risk value of the event; the higher it is, the more attention it deserves. The calculation is given in the figure below: Risk = (priority * reliability * asset_value) / 25.

We have now finished the top level of the directive; repeat the steps above to build the lower levels:
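How the nested levels escalate once the lower levels are in place, as an added example (a simplified model written for this walkthrough, not OSSIM's correlation engine): it reuses the occurrence/time_out/reliability values of the 7085 directive shown in 2.4, the post's own plugin 7006 / event type 18120 and PRIORITY 4, and the Risk formula quoted above. ASSET_VALUE = 5 and the burst of events are assumptions.

```python
# Added example (a model, not OSSIM's correlation engine): how a nested directive
# like the one in 2.4 escalates as repeated events from one SRC_IP to one DST_IP
# arrive, plus the Risk formula quoted above. Plugin 7006 / sid 18120 and
# PRIORITY 4 come from the post; ASSET_VALUE 5 is an assumption.
PLUGIN_ID, PLUGIN_SID, PRIORITY, ASSET_VALUE = 7006, 18120, 4, 5

# Nested levels, top to bottom: (occurrence, time_out in seconds, reliability).
# The top level has no time_out and fires on the first matching event.
LEVELS = [(1, None, 1), (3, 15, 10), (10, 30, 10), (50, 300, 10),
          (200, 1000, 10), (2000, 3600, 10)]

def risk(priority, reliability, asset_value):
    """Risk = (priority * reliability * asset_value) / 25, as quoted in the post."""
    return priority * reliability * asset_value / 25

class DirectiveTracker:
    def __init__(self):
        self.state = {}      # (src, dst) -> [level index, count, level start ts]

    def feed(self, ts, src, dst, plugin_id, plugin_sid):
        """Feed one normalized event; return the level index that fired, or None."""
        if (plugin_id, plugin_sid) != (PLUGIN_ID, PLUGIN_SID):
            return None      # not a 4771 event: the directive ignores it
        level, count, started = self.state.get((src, dst), [0, 0, ts])
        occurrence, time_out, _ = LEVELS[level]
        if time_out is not None and ts - started > time_out:
            # window expired before `occurrence` was reached: instance closes,
            level, count, started = 0, 0, ts      # this event opens a new one
            occurrence = LEVELS[0][0]
        count += 1
        fired = None
        if count >= occurrence:
            fired = level                         # 1:SRC_IP / 1:DST_IP matched
            level, count, started = min(level + 1, len(LEVELS) - 1), 0, ts
        self.state[(src, dst)] = [level, count, started]
        return fired

def simulate(events):
    """Run (ts, src, dst) 4771 events; return [(level, reliability, risk), ...]."""
    tracker, alarms = DirectiveTracker(), []
    for ts, src, dst in events:
        fired = tracker.feed(ts, src, dst, PLUGIN_ID, PLUGIN_SID)
        if fired is not None:
            rel = LEVELS[fired][2]
            alarms.append((fired, rel, risk(PRIORITY, rel, ASSET_VALUE)))
    return alarms

# Constructed sample: four pre-auth failures from one client within 10 seconds
BURST = [(t, "192.168.69.147", "192.168.69.109") for t in (0, 3, 6, 9)]
```

simulate(BURST) fires the top level on the first event (reliability 1, risk 0.8) and the second level on the fourth event (reliability 10, risk 8.0); the same four events spread 20 seconds apart never leave the top level, which is what the time_out values are for.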
