开源SOC实现(三)-OpenSource EDR
2022-12-10 11:37:25 Author: Kali渗透测试教程(查看原文) 阅读量:20 收藏

前言:由于之前部署环境损坏实验环境地址由原来192.168.116.200迁移至192.168.116.201


在之前的章节中介绍了如何部署Wazuh indexer以及Garylog,实现了数据的规范化处理,存储安全日志,接下来需要部署EDR采集所有终端上的活动以及行为,提供了对终端上正在发生事件的持续、全面的可见性。EDR通常有两部分组成,部署在终端上的agent以及用于接收终端上报的日志以及威胁分析的manager。

EDR跟传统的杀软存在本质上的区别,杀软用于检测终端上是否存在恶意软件,但现在网络攻击趋于复杂,技战术趋于隐蔽,高级威胁趋于活跃,单纯依靠杀软已经无法满足运营需求,也无法发现隐蔽攻击,EDR相对于杀软可以采集终端行为日志,比如网络连接、命令行执行、用户登录、进程迁移等行为

开源的EDR种类繁多,此次选择Wazuh server,提供开箱即用功能,例如提供日志分析功能、文件完整性监控、漏洞检测,并且可持续集成,比如允许自定义检测规则、第三方应用调用、RESTful API以及主动响应等功能。

https://documentation.wazuh.com/current/getting-started/components/wazuh-server.html

接下来安装Wazuh server

https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html

第一步:添加Wazuh repository

rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUHecho -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo

第二步:安装Wazuh server

yum -y install wazuh-manager

第三步:配置wazuh manager相关服务

systemctl daemon-reloadsystemctl enable wazuh-managersystemctl start wazuh-manager

第四步:查看服务状态

systemctl status wazuh-manager

也可以看到很多wazuh子进程信息

ps auxf | grep wazuh

完成Wazuh server安装之后,需要把对应的安全日志转发到Garylog中,以便可以正常进行格式处理以及使用Wazuh indexer进行存储以及搜索使用。

使用浏览器登录Garylog的Web控制台

http://192.168.116.201:9000/gettingstarted

点击System->Inputs进入对应页面配置输入源信息,接收Wazuh server的安全日志

在下拉框中选择Raw/Plaintext TCP

点击右边绿色Launch new input按钮,配置详细输入源信息,其中Title命名为Wazuh server,Bind address值默认为0.0.0.0,Port值默认为5555,保持默认即可,如果是生产环境建议开启TLS传输加密,保障数据的传输安全。

点击Save保存配置如下图所示

查看端口监听,可以看到5555监听端口

netstat -npltd

完成上述步骤以后,agent会把终端上收集到的日志发送给Wazuh server,Wazuh server收到之后根据规则匹配,满足规则的写进/var/ossec/logs/alerts/alerts.json文件中,接下来需要利用Fluent Bit读取alerts.json这个文件并且将其发送到Garylog中。

接下来使用脚本自动安装Fluent Bit

curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh

脚本具体为如下所示

//install.sh
#!/usr/bin/env bashset -e
# Provided primarily to simplify testing for staging, etc.RELEASE_URL=${FLUENT_BIT_PACKAGES_URL:-https://packages.fluentbit.io}RELEASE_KEY=${FLUENT_BIT_PACKAGES_KEY:-https://packages.fluentbit.io/fluentbit.key}
echo "================================"echo " Fluent Bit Installation Script "echo "================================"echo "This script requires superuser access to install packages."echo "You will be prompted for your password by sudo."
# Determine package type to install: https://unix.stackexchange.com/a/6348# OS used by all - for Debs it must be Ubuntu or Debian# CODENAME only used for Debsif [ -f /etc/os-release ]; then # Debian uses Dash which does not support source # shellcheck source=/dev/null . /etc/os-release OS=$( echo "${ID}" | tr '[:upper:]' '[:lower:]') CODENAME=$( echo "${VERSION_CODENAME}" | tr '[:upper:]' '[:lower:]')elif lsb_release &>/dev/null; then OS=$(lsb_release -is | tr '[:upper:]' '[:lower:]') CODENAME=$(lsb_release -cs)else OS=$(uname -s)fi
# Clear any previous sudo permissionsudo -k
# Now set up repos and install dependent on OS, version, etc.# Will require sudocase ${OS} in amzn|amazonlinux) # We need variable expansion and non-expansion on the URL line to pick up the base URL. # Therefore we combine things with sed to handle it. sudo sh <<SCRIPTrpm --import $RELEASE_KEYcat << EOF > /etc/yum.repos.d/fluent-bit.repo[fluent-bit]name = Fluent Bitbaseurl = $RELEASE_URL/amazonlinux/VERSION_ARCH_SUBSTRgpgcheck=1repo_gpgcheck=1gpgkey=$RELEASE_KEYenabled=1EOFsed -i 's|VERSION_ARCH_SUBSTR|\$releasever/\$basearch/|g' /etc/yum.repos.d/fluent-bit.repocat /etc/yum.repos.d/fluent-bit.repoyum -y install fluent-bitSCRIPT ;; centos|centoslinux|rhel|redhatenterpriselinuxserver|fedora|rocky|almalinux) sudo sh <<SCRIPTrpm --import $RELEASE_KEYcat << EOF > /etc/yum.repos.d/fluent-bit.repo[fluent-bit]name = Fluent Bitbaseurl = $RELEASE_URL/centos/VERSION_ARCH_SUBSTRgpgcheck=1repo_gpgcheck=1gpgkey=$RELEASE_KEYenabled=1EOFsed -i 's|VERSION_ARCH_SUBSTR|\$releasever/\$basearch/|g' /etc/yum.repos.d/fluent-bit.repocat /etc/yum.repos.d/fluent-bit.repoyum -y install fluent-bitSCRIPT ;; ubuntu|debian) # Remember apt-key add is deprecated # https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_Key_distribution sudo sh <<SCRIPTexport DEBIAN_FRONTEND=noninteractivemkdir -p /usr/share/keyrings/curl $RELEASE_KEY | gpg --dearmor > /usr/share/keyrings/fluentbit-keyring.gpgcat > /etc/apt/sources.list.d/fluent-bit.list <<EOFdeb [signed-by=/usr/share/keyrings/fluentbit-keyring.gpg] $RELEASE_URL/${OS}/${CODENAME} ${CODENAME} mainEOFcat /etc/apt/sources.list.d/fluent-bit.listapt-get -y updateapt-get -y install fluent-bitSCRIPT ;; *) echo "${OS} not supported." exit 1 ;;esac
echo ""echo "Installation completed. Happy Logging!"echo ""

编辑Fluent Bit配置文件

vi /etc/fluent-bit/fluent-bit.conf

将默认的配置文件修改成下图所示,IP地址根据实际情况替换

[SERVICE]    flush        5    daemon       Off    log_level    info    parsers_file parsers.conf    plugins_file plugins.conf    http_server  Off    http_listen  0.0.0.0    http_port    2020    storage.metrics on    storage.path /var/log/flb-storage/    storage.sync normal    storage.checksum off    storage.backlog.mem_limit 5M    Log_File /var/log/td-agent-bit.log[INPUT]    name  tail    path  /var/ossec/logs/alerts/alerts.json    tag wazuh    parser  json    Buffer_Max_Size 5MB    Buffer_Chunk_Size 400k    storage.type      filesystem    Mem_Buf_Limit     512MB[OUTPUT]    Name  tcp    Host  192.168.116.201    Port  5555    net.keepalive off    Match wazuh    Format  json_lines    json_date_key true

接下来启动Fluent Bit服务并设置开机自启动

systemctl start fluent-bitsystemctl enable fluent-bit

查看日志

tailf /var/log/td-agent-bit.log

接下来使用ssh重新登录并同时查看Garylog数据源网络连接

点击蓝色Show received messages按钮,查看接收到的日志

这样就完成了OpenSource EDR安装以及数据转发,欢迎订阅收看开源SOC实现(四)-OpenSource EDR配置以及agent安装


文章来源: http://mp.weixin.qq.com/s?__biz=MzI3NDYwMzI4Mg==&mid=2247485794&idx=1&sn=d13813f68e495d47fabe531a92b18786&chksm=eb10c51fdc674c09e78c95ae1d3ecce2fc1b4814c1f57927d3f13ff9b149b7c3c1214356e3c4#rd
如有侵权请联系:admin#unsafe.sh