基於OSSIM平臺的漏洞掃描詳解

Ossim 中漏洞掃描詳解

 

Openvas是一套開源漏洞掃描系統，若是手動搭建須要複雜的過程，花費很多人力和時間成本，由於它是套免費的漏洞掃描系統，功能上不遜色於商業版的漏洞掃描器，受到很多用戶的青睞，下表對比了NeXpose、RSAS和啓明的漏洞掃描器的主要功能。

 

有了以上背景以後，下文主要針對OSSIM平臺下如何以圖形化方式操做漏洞掃描的過程。

 

準備工做：首先確保沒有運行的掃描進程和任務

掃描漏洞同時升級漏洞庫會致使升級失敗。

 

第一步：同步插件

#openvas-nvt-sync

[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.

[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.

[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.

[i] NVT dir: /var/lib/openvas/plugins

[i] Will use rsync

[i] Using rsync: /usr/bin/rsync

[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed

OpenVAS feed server - http://www.openvas.org/

This service is hosted by Intevation GmbH - http://intevation.de/

All transactions are logged.

Please report synchronization problems to openvas-feed@intevation.de.

If you have any other questions, please use the OpenVAS mailing lists

or the OpenVAS IRC chat. See http://www.openvas.org/ for details.

receiving incremental file list

deleting gb_openssl_38562.nasl.asc

deleting gb_openssl_38562.nasl

./

COPYING

         588 100%  574.22kB/s    0:00:00 (xfer#1, to-check=13347/13355)

COPYING.GPLv2

       18002 100%   17.17MB/s    0:00:00 (xfer#2, to-check=13346/13355)

COPYING.files

     1819904 100%    1.77MB/s    0:00:00 (xfer#3, to-check=13345/13355)

DDI_Directory_Scanner.nasl

       32957 100%   32.74kB/s    0:00:00 (xfer#4, to-check=13342/13355)

DDI_Directory_Scanner.nasl.asc

         198 100%    0.20kB/s    0:00:00 (xfer#5, to-check=13341/13355)

... ...

同步數萬個插件時間比較長，消耗資源不大，能夠去喝杯咖啡啦，或者瞭解一下插件的組成。

 

            表1 Openvas主要腳本分類及分佈狀況

 

規則名稱	數量	備註
IIS_frontpage_DOS_2.nasl	1
phpbb	8
RA_ssh_detect RA_www_css RA_www_detect	3
RHSA_2009_03**	279	Redhat Security Advisory
3com_switches	1
weblogic*	3
cisco_ids cisco_*** ciscoworks	16
awstats	4
apache	23
DDI	30
EZ_hotscripts	3
anti_nessus	1
basilix	8
bluecoat	1
bugbear	3
bugzilla	9
ca_unicenter	2
cacti	5
calendar	3
Spoll_7_5_sql_injection	2
avaya_switches	1
citrix	8
clamav	2
CUPS	12
cutenews	12
checkpoint	6
cheopsNG	4
cvstrac	24
DB2	4
deb_*.nasl	2595	Debian Linux
DNS	5
deluxeBB	3
eftp	3
ls exchange*
exchange	2
fcore	684
find_service	5
fortigate	1
freebsd	2009
ftp	30
gb_CESA	1528
gb_RHSA	871
gb_adobe	167
gb_apple	70
gb_baofeng_storm	3
gb_bpsoft	3
gb_clamav	16
gb_ccproxy	2
gb_clamav	16
gb_fedora	4679
gb_google	162
gb_hp_ux	242	HP-UNIX
gb_ibm_db2	27
gb_ibm_websphere	8
gb_ibm_tivoli	5
gb_ibm_was	16
gb_ibm_lotus	10
gb_mandriva	1684
gb_java	2
gb_kaspersky	6
gb_google_chrome	153
gb_foxmail	2
gb_fsecure	7
gb_ms	155	Windows 相關
gb_ubuntu	1261
gb_samba	12
gb_sun_java	35
gb_wireshark	87
glsa	1727
gb_vmware	41
IIS	20
lotus	5
ipswitch	5
mysql	5
gb_nmap	187
nortel	7
nagios	5
openssh	4
oscommerce	5
postgresql	5
phpgroupware	12
phpmyadmin	7
phpbb	8
smb	52
sendmail	15
suse	65
ssh	11
smtp	9
Ubuntu	179
tomcat	6
tftp	11
wu_ftpd	6

 

第二步：更新插件（作這一步操做，建議在輕負載下進行）

#perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate            /* 比較消耗CPU和磁盤I/O  */

2015-09-07 07:27:33   Framework profile has been found...

2015-09-07 07:27:33   Deleting all tasks in 192.168.11.150 ...

2015-09-07 07:27:33   updateplugins: configured to not updateplugins

2015-09-07 07:27:33   updateplugins: configured to not repair DB

2015-09-07 07:27:33   BEGIN  - DUMP PLUGINS

2015-09-07 07:29:01   FINISH - DUMP PLUGINS [ Process took 88 seconds ]

2015-09-07 07:29:01   BEGIN  - IMPORT PLUGINS

2015-09-07 07:30:00   FINISH - IMPORT PLUGINS [ 40473 plugins - Process took 59 seconds ]

2015-09-07 07:30:00   BEGIN  - UPDATE CATEGORIES

2015-09-07 07:30:00   FINISH - UPDATE CATEGORIES [ Process took 0 seconds ]

2015-09-07 07:30:00   BEGIN  - UPDATE FAMILIES

2015-09-07 07:30:00   FINISH - UPDATE FAMILIES [ Process took 0 seconds ]

2015-09-07 07:30:00   BEGIN  - UPDATE OPENVAS_PLUGINS

2015-09-07 07:30:03   FINISH - UPDATE OPENVAS_PLUGINS [ Process took 3 seconds ]

2015-09-07 07:30:03   BEGIN  - UPDATE NESSUS_PREFERENCES

2015-09-07 07:30:03   show tables like "vuln_nessus_preferences_defaults"

2015-09-07 07:30:03   updateprefs: Getting plugin preferences

2015-09-07 07:30:05   FINISH - UPDATE NESSUS_PREFERENCES [ Process took 2 seconds ]

 

2015-09-07 07:30:06   Creating Deep profile...

2015-09-07 07:30:06   Filling categories...............

2015-09-07 07:30:06   Done

2015-09-07 07:30:06   Filling families.............................................................

2015-09-07 07:30:06   Done

2015-09-07 07:30:06   Filling plugins...

2015-09-07 07:30:13   Filling preferences in Alienvault DB...

2015-09-07 07:30:14   Done

2015-09-07 07:30:14   Deep profile inserted

 

2015-09-07 07:30:15   Creating Default profile...

2015-09-07 07:30:15   Filling categories...............

2015-09-07 07:30:15   Done

2015-09-07 07:30:15   Filling families.............................................................

2015-09-07 07:30:15   Done

2015-09-07 07:30:15   Filling plugins...

2015-09-07 07:30:23   Filling preferences in Alienvault DB...

2015-09-07 07:30:24   Done

2015-09-07 07:30:24   Default profile inserted

 

2015-09-07 07:30:24   Creating Ultimate profile...

2015-09-07 07:30:24   Filling categories...............

2015-09-07 07:30:24   Done

2015-09-07 07:30:24   Filling families.............................................................

2015-09-07 07:30:24   Done

2015-09-07 07:30:24   Filling plugins...

2015-09-07 07:30:32   Filling preferences in Alienvault DB...

2015-09-07 07:30:33   Done

2015-09-07 07:30:33   Ultimate profile inserted

 

2015-09-07 07:30:33   BEGIN  - UPDATE PORT SCANNER

2015-09-07 07:30:35   FINISH - UPDATE PORT SCANNER [ Process took 2 seconds ]

 

Updating plugin_sid vulnerabilities scanner ids

plugins fetched

Updating...

Script id:94151, Name:IT-Grundschutz M4.288: Sichere Administration von VoIP-Endger?ten, Priority:0

Script id:703073, Name:Debian Security Advisory DSA 3073-1 (libgcrypt11 - security update), Priority:1

Script id:804624, Name:Adobe Reader Plugin Signature Bypass Vulnerability (Windows), Priority:2

Script id:868149, Name:Fedora Update for kernel FEDORA-2014-9959, Priority:5

Script id:95048, Name:IT-Grundschutz M5.145: Sicherer Einsatz von CUPS, Priority:0

Script id:842216, Name:Ubuntu Update for linux USN-2616-1, Priority:4

Script id:105036, Name:Open××× Detection, Priority:0

Script id:868005, Name:Fedora Update for audacious-plugins FEDORA-2014-8183, Priority:1

Script id:869350, Name:Fedora Update for springframework FEDORA-2015-6862, Priority:5

 

… …

 

Script id:105084, Name:Multiple ManageEngine Products  Arbitrary File Upload Vulnerability, Priority:3

Script id:867751, Name:Fedora Update for python-keystoneclient FEDORA-2014-5555, Priority:3

Script id:882209, Name:CentOS Update for nss CESA-2015:1185 centos6, Priority:2

Script id:842209, Name:Ubuntu Update for libmodule-signature-perl USN-2607-1, Priority:5

 

通過一刻鐘等待終於更新完成。注意，該過程須要一鼓作氣，中途不能強制退出。

 

下面用時間軸表示每一個步驟的演進順序和所花費的時間，以下圖所示。從某日的00:34:34開始到00:38:50結束的過程。

若是有些用戶不習慣在CLI下操做升級命令，這一工做一樣能夠在WebUI中完成。

第三步：驗證更新

咱們看到最後一行顯示總數爲40473，這個數值和下載的插件數量一直，表明升級完成。

注意：漏洞升級視頻你們可訪問：http://www.tudou.com/programs/view/kyTmc42Ky14/

第四步：開始漏洞掃描-定製策略

首先掃描資產，創建資源池，這裏就不詳細介紹。在OSSIM系統裏默認定義了三種策略，默認爲Default,該策略最爲經常使用。

若是須要更改策略，請點擊CREATE NEW PROFILE按鈕。

接着開始掃描，填寫任務名稱，選擇Sensor,選擇策略，選擇資源池內的主機，最後點擊新建任務按鈕。

 

掃描準備

 

漏洞掃描時那些進程最繁忙？

Htop是Linux系統中的一個互動的進程查看工具，該命令能夠幫助管理員瞭解掃描發生的變化。#htop  -d 50

一次掃描多少機器合適？

若是所監控網段服務器數量超過25臺，這裏假設是100臺，那麼至少分4次掃描，例如直接輸入「192.168.11.0/24」，這樣表示一個網段，那麼OSSIM系統負載將會明顯增大，掃描等待時間明顯延長，可能會長達數天，直到超過一個計劃任務的週期，這樣可能形成一個惡性循環，直到拖垮整個系統。

進過300多分鐘都沒有結束的任務最後逃脫不了失敗的命運。

掃描結果分析

 不過在分析時，談到「過期」的漏洞問題，在一些古老些操做系統Windows NT/2000、Solaris7/8、Linux（2.2 、2.4內核）曾經存在的那些系統漏洞、網絡服務器漏洞，在現代系統中已經絕跡，受影響系統已經被修復，這種漏洞變得沒有任何價值。對這些系統進行漏洞掃描變得沒有意義。