OSSIM Agent的主要職責(zé)是收集網(wǎng)絡(luò)上存在的各種設(shè)備發(fā)送的所有數(shù)據(jù)，然后按照一種標(biāo)準(zhǔn)方式有序發(fā)給OSSIM Server，Agent收集到數(shù)據(jù)后在發(fā)送給Server之前要對(duì)這些數(shù)據(jù)進(jìn)行歸一化處理，本文主要就如何有序發(fā)送數(shù)據(jù)與如何完成歸一化進(jìn)行討論。
OSSIM傳感器在通過(guò)GET框架實(shí)現(xiàn)OSSIM代理和OSSIM服務(wù)器之間通信協(xié)議和數(shù)據(jù)格式的之間轉(zhuǎn)換。下面我們先簡(jiǎn)要看一下ossim-agent腳本：

成都創(chuàng)新互聯(lián)公司服務(wù)項(xiàng)目包括虹口網(wǎng)站建設(shè)、虹口網(wǎng)站制作、虹口網(wǎng)頁(yè)制作以及虹口網(wǎng)絡(luò)營(yíng)銷(xiāo)策劃等。多年來(lái)，我們專(zhuān)注于互聯(lián)網(wǎng)行業(yè)，利用自身積累的技術(shù)優(yōu)勢(shì)、行業(yè)經(jīng)驗(yàn)、深度合作伙伴關(guān)系等，向廣大中小型企業(yè)、政府機(jī)構(gòu)等提供互聯(lián)網(wǎng)行業(yè)的解決方案，虹口網(wǎng)站推廣取得了明顯的社會(huì)效益與經(jīng)濟(jì)效益。目前，我們服務(wù)的客戶以成都為中心已經(jīng)輻射到虹口省份的部分城市，未來(lái)相信會(huì)繼續(xù)擴(kuò)大服務(wù)區(qū)域并繼續(xù)獲得客戶的支持與信任！

#!/usr/bin/python -OOt
import sys
sys.path.append('/usr/share/ossim-agent/')
sys.path.append('/usr/local/share/ossim-agent/')
from ossim_agent.Agent import Agent
agent = Agent()
agent.main()

這里需要GET作為OSSIM代理向OSSIM服務(wù)器輸送數(shù)據(jù)。實(shí)現(xiàn)緊密整合所需的兩個(gè)主要操作是“生成”（或）OSSIM兼容事件的“映射Mapping”）和此類(lèi)數(shù)據(jù)向OSSIM的“傳輸”服務(wù)器。它負(fù)責(zé)此類(lèi)操作的GET框架的兩個(gè)組件是EventHandler和Sender Agent，如圖1所示。

圖1 將Get框架內(nèi)容集成到OSSIM

Event Handler的主要任務(wù)是映射數(shù)據(jù)源插件采集的事件到SIEM實(shí)例警報(bào)的OSSIM標(biāo)準(zhǔn)化事件格式。為了執(zhí)行這樣的過(guò)程，原始消息經(jīng)歷由RAW LOG轉(zhuǎn)換為現(xiàn)有歸一化數(shù)據(jù)字段格式的一個(gè)轉(zhuǎn)變；在上圖中我們將這些機(jī)制表示為“歸一化Normalization”和“OSSIM消息”。部分日志歸一化代碼：

from Logger import Logger
from time import mktime, strptime
logger = Logger.logger
class Event:
    EVENT_TYPE = 'event'
    EVENT_ATTRS = [
        "type",
        "date",
        "sensor",
        "interface",
        "plugin_id",
        "plugin_sid",
        "priority",
        "protocol",
        "src_ip",
        "src_port",
        "dst_ip",
        "dst_port",
        "username",
        "password",
        "filename",
        "userdata1",
        "userdata2",
        "userdata3",
        "userdata4",
        "userdata5",
        "userdata6",
        "userdata7",
        "userdata8",
        "userdata9",
        "occurrences",
        "log",
        "data",
        "snort_sid",    # snort specific
        "snort_cid",    # snort specific
        "fdate",
        "tzone"
    ]

    def __init__(self):
        self.event = {}
        self.event["event_type"] = self.EVENT_TYPE

    def __setitem__(self, key, value):

        if key in self.EVENT_ATTRS:
            self.event[key] = self.sanitize_value(value)
            if key == "date":
                # 以秒為單位
                self.event["fdate"]=self.event[key]
                try:
                    self.event["date"]=int(mktime(strptime(self.event[key],"%Y-%m-%d %H:%M:%S")))
                except:
                    logger.warning("There was an error parsing date (%s)" %\
                        (self.event[key]))
        elif key != 'event_type':
            logger.warning("Bad event attribute: %s" % (key))

    def __getitem__(self, key):
        return self.event.get(key, None)
    # 事件表示
    def __repr__(self):
        event = self.EVENT_TYPE
        for attr in self.EVENT_ATTRS:
            if self[attr]:
                event += ' %s="%s"' % (attr, self[attr])
        return event + "\n"
    # 返回內(nèi)部哈希值
    def dict(self):
        return self.event

    def sanitize_value(self, string):
        return str(string).strip().replace("\"", "\\\"").replace("'", "")

class EventOS(Event):
    EVENT_TYPE = 'host-os-event'
    EVENT_ATTRS = [
        "host",
        "os",
        "sensor",
        "interface",
        "date",
        "plugin_id",
        "plugin_sid",
        "occurrences",
        "log",
        "fdate",
    ]

class EventMac(Event):
    EVENT_TYPE = 'host-mac-event'
    EVENT_ATTRS = [
        "host",
        "mac",
        "vendor",
        "sensor",
        "interface",
        "date",
        "plugin_id",
        "plugin_sid",
        "occurrences",
        "log",
        "fdate",
    ]

class EventService(Event):
    EVENT_TYPE = 'host-service-event'
    EVENT_ATTRS = [
        "host",
        "sensor",
        "interface",
        "port",
        "protocol",
        "service",
        "application",
        "date",
        "plugin_id",
        "plugin_sid",
        "occurrences",
        "log",
        "fdate",
    ]

class EventHids(Event):
    EVENT_TYPE = 'host-ids-event'
    EVENT_ATTRS = [
        "host",
        "hostname",
        "hids_event_type",
        "target",
        "what",
        "extra_data",
        "sensor",
        "date",
        "plugin_id",
        "plugin_sid",
        "username",
        "password",
        "filename",
        "userdata1",
        "userdata2",
        "userdata3",
        "userdata4",
        "userdata5",
        "userdata6",
        "userdata7",
        "userdata8",
        "userdata9",
        "occurrences",
        "log",
        "fdate",
    ]

class WatchRule(Event):

    EVENT_TYPE = 'event'
    EVENT_ATTRS = [
        "type",
    "date",
    "fdate",
    "sensor",
    "interface",
    "src_ip",
    "dst_ip",
    "protocol",
        "plugin_id",
        "plugin_sid",
        "condition",
        "value",
        "port_from",
        "src_port",
        "port_to",
        "dst_port",
        "interval",
        "from",
        "to",
        "absolute",
    "log",
        "userdata1",
        "userdata2",
        "userdata3",
        "userdata4",
        "userdata5",
        "userdata6",
        "userdata7",
        "userdata8",
        "userdata9",
        "filename",
        "username",
    ]
class Snort(Event):
    EVENT_TYPE = 'snort-event'
    EVENT_ATTRS = [
        "sensor",
        "interface",
        "gzipdata",
        "unziplen",
        "event_type",
        "plugin_id",
        "type",
        "occurrences"
    ]

日志編碼代碼：

import threading, time
from Logger import Logger
logger = Logger.logger
from Output import Output
import Config
import Event
from Threshold import EventConsolidation
from Stats import Stats
from ConnPro import ServerConnPro
class Detector(threading.Thread):
    def __init__(self, conf, plugin, conn):

        self._conf = conf
        self._plugin = plugin
        self.os_hash = {}
        self.conn = conn
        self.consolidation = EventConsolidation(self._conf)
        logger.info("Starting detector %s (%s).." % \
                    (self._plugin.get("config", "name"),
                     self._plugin.get("config", "plugin_id")))
        threading.Thread.__init__(self)
    def _event_os_cached(self, event):
        if isinstance(event, Event.EventOS):
            import string
            current_os = string.join(string.split(event["os"]), ' ')
            previous_os = self.os_hash.get(event["host"], '')
            if current_os == previous_os:
                return True
            else:
                # 失敗并添加到緩存
                self.os_hash[event["host"]] = \
                    string.join(string.split(event["os"]), ' ')
        return False
    def _exclude_event(self, event):

        if self._plugin.has_option("config", "exclude_sids"):
            exclude_sids = self._plugin.get("config", "exclude_sids")
            if event["plugin_sid"] in Config.split_sids(exclude_sids):
                logger.debug("Excluding event with " +\
                    "plugin_id=%s and plugin_sid=%s" %\
                    (event["plugin_id"], event["plugin_sid"]))
                return True
        return False

    def _thresholding(self):
        self.consolidation.process()
    def _plugin_defaults(self, event):
        # 從配置文件中獲取默認(rèn)參數(shù)
        if self._conf.has_section("plugin-defaults"):

        # 1) 日期
            default_date_format = self._conf.get("plugin-defaults",
                                                 "date_format")
            if event["date"] is None and default_date_format and \
               'date' in event.EVENT_ATTRS:
                event["date"] = time.strftime(default_date_format, 
                                              time.localtime(time.time()))
        # 2) 傳感器
            default_sensor = self._conf.get("plugin-defaults", "sensor")
            if event["sensor"] is None and default_sensor and \
               'sensor' in event.EVENT_ATTRS:
                event["sensor"] = default_sensor
        # 3) 網(wǎng)絡(luò)接口
            default_iface = self._conf.get("plugin-defaults", "interface")
            if event["interface"] is None and default_iface and \
               'interface' in event.EVENT_ATTRS:
                event["interface"] = default_iface
        # 4) 源IP
            if event["src_ip"] is None and 'src_ip' in event.EVENT_ATTRS:
                event["src_ip"] = event["sensor"]
        # 5) 時(shí)區(qū)
            default_tzone = self._conf.get("plugin-defaults", "tzone")
            if event["tzone"] is None and 'tzone' in event.EVENT_ATTRS:
                event["tzone"] = default_tzone

        # 6) sensor,source ip and dest != localhost
            if event["sensor"] in ('127.0.0.1', '127.0.1.1'):
                event["sensor"] = default_sensor

            if event["dst_ip"] in ('127.0.0.1', '127.0.1.1'):
                event["dst_ip"] = default_sensor

            if event["src_ip"] in ('127.0.0.1', '127.0.1.1'):
                event["src_ip"] = default_sensor
        # 檢測(cè)日志的類(lèi)型
        if event["type"] is None and 'type' in event.EVENT_ATTRS:
            event["type"] = 'detector'
        return event
    def send_message(self, event):
        if self._event_os_cached(event):
            return

        if self._exclude_event(event):
            return
        #對(duì)于一些空屬性使用默認(rèn)值。
        event = self._plugin_defaults(event)

        # 合并之前檢查
        if self.conn is not None:
            try:
                self.conn.send(str(event))
            except:
                id = self._plugin.get("config", "plugin_id")
                c = ServerConnPro(self._conf, id)
                self.conn = c.connect(0, 10)
                try:
                    self.conn.send(str(event))
                except:
                    return
            logger.info(str(event).rstrip())
        elif not self.consolidation.insert(event):
            Output.event(event)
        Stats.new_event(event)
    def stop(self):
        #self.consolidation.clear()
        pass
#在子類(lèi)中重寫(xiě)
    def process(self):
        pass
    def run(self):
        self.process()
class ParserSocket(Detector):
    def process(self):
        self.process()
class ParserDatabase(Detector):
    def process(self):
        self.process()

… …

從上可以看出，傳感器的歸一化主要負(fù)責(zé)對(duì)每個(gè)LOG內(nèi)數(shù)據(jù)字段進(jìn)行重新編碼，使其生成一個(gè)全新的可能用于發(fā)送到OSSIM服務(wù)器的完整事件。為達(dá)成這種目的GET框架中包含了一些特定的功能，以便將所有的功能轉(zhuǎn)換需要BASE64轉(zhuǎn)換的字段?！癘SSIM消息”負(fù)責(zé)填充GET生成的原始事件中不存在的字段。所以上面講的plugin_id、plugin_sid是用來(lái)表示日志消息來(lái)源類(lèi)型和子類(lèi)型，這也是生成SIEM事件的必填字段。為事件格式完整性考慮，有些時(shí)候在無(wú)法確認(rèn)源或目標(biāo)IP時(shí)，系統(tǒng)默認(rèn)會(huì)采用0.0.0.0來(lái)填充該字段。

注意：這種必填字段我們可利用phpmyadmin工具查看OSSIM的MySQL數(shù)據(jù)庫(kù)。
Sender Agent負(fù)責(zé)完成下面兩個(gè)任務(wù)：
發(fā)送由GET收集并由事件格式化的事件發(fā)送到OSSIM服務(wù)器，這項(xiàng)任務(wù)由Event Hander創(chuàng)建的消息組成消息隊(duì)列發(fā)送到消息中間件實(shí)現(xiàn)，時(shí)序圖如圖2所示。

圖2 序列圖： 從安全探測(cè)器的日志轉(zhuǎn)換到OSSIM服務(wù)器事件

2）管理GET框架和OSSIM服務(wù)器之間的通信，通信端口為T(mén)CP 40001通過(guò)雙向握手實(shí)現(xiàn)。歸一化原始日志是規(guī)范化過(guò)程的一個(gè)重要環(huán)節(jié)，OSSIM在歸一化處理日志的同時(shí)保留了原始日志，可用于日志歸檔，提供了一種從規(guī)范化事件中提取原始日志的手段。
經(jīng)過(guò)歸一化處理的EVENTS，存儲(chǔ)到MySQL數(shù)據(jù)庫(kù)中，如圖3所示。接著就由關(guān)聯(lián)引擎根據(jù)規(guī)則、優(yōu)先級(jí)、可靠性等參數(shù)進(jìn)行交叉關(guān)聯(lián)分析，得出風(fēng)險(xiǎn)值并發(fā)出各種報(bào)警提示信息。

圖3 OSSIM平臺(tái)日志存儲(chǔ)機(jī)制
接下來(lái)我們?cè)倏磦€(gè)實(shí)例，下面是一段Apache、CiscoASA以及SSH的原始日志，如圖4、圖5、圖6所示。

1. Apache插件中的正則表達(dá)式：
   [0001 - apache-access] 訪問(wèn)日志

   event_type=event
   regexp=((?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(?P\d{1,5}))? )?(?P\S+) (?P\S+) (?P\S+) \[(?P\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P[^\"]*)\" (?P\d{3}) ((?P\d+)|-)( \"(?P[^\"]*)\" \"(?P[^\"]*)\")?$
   src_ip={resolv($src)}
   dst_ip={resolv($dst)}
   dst_port={$port}
   date={normalize_date($date)}
   plugin_sid={$code}
   username={$user}
   userdata1={$request}
   userdata2={$size}
   userdata3={$referer_uri}
   userdata4={$useragent}
   filename={$id}

[0002 - apache-error] 錯(cuò)誤日志

event_type=event
regexp=\[(?P\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[(?P(emerg|alert|crit|error|warn|notice|info|debug))\] (\[client (?P\S+)\] )?(?P.*)
date={normalize_date($date)}
plugin_sid={translate($type)}
src_ip={resolv($src)}
userdata1={$data}

圖4 Apache原始日志

圖5 一條Cisco ASA 原始日志

圖6 Cisco ASA 事件分類(lèi)

通過(guò)過(guò)OSSIM歸一化處理后的實(shí)際再通過(guò)Web前端展現(xiàn)給大家方便閱讀的格式。歸一化處理后的事件和原始日志的對(duì)比方法我們?cè)凇堕_(kāi)源安全運(yùn)維平臺(tái)OSSIM疑難解析：入門(mén)篇》一書(shū)中還會(huì)講解。而在圖7所示的例子當(dāng)中，僅使用了Userdata1和Userdata2，并沒(méi)有用到Userdata3～Userdata9這些是擴(kuò)展位，主要是為了預(yù)留給其他設(shè)備或服務(wù)使用，這里目標(biāo)地址會(huì)標(biāo)記成IP地址的形式，例如：Host192.168.11.160。實(shí)際上歸一化處理這種操作發(fā)生在系統(tǒng)采集和存儲(chǔ)事件之后，關(guān)聯(lián)和數(shù)據(jù)分析之前，在SIEM工具中把采集過(guò)程中把數(shù)據(jù)轉(zhuǎn)換成易讀懂的格式，采用格式化的數(shù)據(jù)，能更容易理解。

新聞名稱(chēng)：OSSIM傳感器Agent傳送機(jī)制初探
本文URL：http://jinyejixie.com/article28/gpsscp.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供響應(yīng)式網(wǎng)站、微信小程序、ChatGPT、網(wǎng)站改版、做網(wǎng)站、標(biāo)簽優(yōu)化

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來(lái)源： 創(chuàng)新互聯(lián)