https://wiki.itcollege.ee/index.php?action=history&feed=atom&title=IDS_Systeemid_-_Labor_2 IDS Systeemid - Labor 2 - Revision history 2026-05-08T11:14:58Z Revision history for this page on the wiki MediaWiki 1.45.1 https://wiki.itcollege.ee/index.php?title=IDS_Systeemid_-_Labor_2&diff=76489&oldid=prev Aelliku: /* Labor 2 */ 2014-07-01T15:33:43Z <p><span class="autocomment">Labor 2</span></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="en"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 18:33, 1 July 2014</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l3">Line 3:</td> <td colspan="2" class="diff-lineno">Line 3:</td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Käesolevas laboris uurime ühte konkreetset rünnakut ning kirjutame selle tuvastamiseks reegli. Lisaks sellele paigaldame Logstashi ja Kibana nimelised tarkvarad, et graafiliselt vaaadelda rünnakuid. Logstash ja Kibana sobivad väga hästi logide kogumiseks ja keskkonsoolina kasutamiseks.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Käesolevas laboris uurime ühte konkreetset rünnakut ning kirjutame selle tuvastamiseks reegli. Lisaks sellele paigaldame Logstashi ja Kibana nimelised tarkvarad, et graafiliselt vaaadelda rünnakuid. Logstash ja Kibana sobivad väga hästi logide kogumiseks ja keskkonsoolina kasutamiseks.</div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Eelduslik labor 1 on leitav: [[IDS Systeemid - Labor 1]]</ins></div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Laboris on kasutusel Ubuntu Linux 14.04 LTS. Täpsem info laborite kohta on leitav: [[IDS systeemid - Labori paigaldusjuhend]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Laboris on kasutusel Ubuntu Linux 14.04 LTS. Täpsem info laborite kohta on leitav: [[IDS systeemid - Labori paigaldusjuhend]]</div></td></tr> <!-- diff cache key ico_mediawiki-ITK_:diff:1.41:old-76488:rev-76489:php=table --> </table> Aelliku https://wiki.itcollege.ee/index.php?title=IDS_Systeemid_-_Labor_2&diff=76488&oldid=prev Aelliku: /* Labor 2 */ 2014-07-01T15:33:06Z <p><span class="autocomment">Labor 2</span></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="en"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 18:33, 1 July 2014</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l3">Line 3:</td> <td colspan="2" class="diff-lineno">Line 3:</td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Käesolevas laboris uurime ühte konkreetset rünnakut ning kirjutame selle tuvastamiseks reegli. Lisaks sellele paigaldame Logstashi ja Kibana nimelised tarkvarad, et graafiliselt vaaadelda rünnakuid. Logstash ja Kibana sobivad väga hästi logide kogumiseks ja keskkonsoolina kasutamiseks.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Käesolevas laboris uurime ühte konkreetset rünnakut ning kirjutame selle tuvastamiseks reegli. Lisaks sellele paigaldame Logstashi ja Kibana nimelised tarkvarad, et graafiliselt vaaadelda rünnakuid. Logstash ja Kibana sobivad väga hästi logide kogumiseks ja keskkonsoolina kasutamiseks.</div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Laboris on kasutusel Ubuntu Linux 14.04 LTS. Täpsem info laborite kohta on leitav: [[IDS systeemid - Labori paigaldusjuhend]]</ins></div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Paigaldame Logstashi ja Kibana==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Paigaldame Logstashi ja Kibana==</div></td></tr> </table> Aelliku https://wiki.itcollege.ee/index.php?title=IDS_Systeemid_-_Labor_2&diff=76310&oldid=prev Aelliku at 21:16, 2 June 2014 2014-06-02T21:16:02Z <p></p> <p><b>New page</b></p><div>=Labor 2=<br /> ==Reegli kirjutamine ning rünnaku tuvastus ja analüüs==<br /> <br /> Käesolevas laboris uurime ühte konkreetset rünnakut ning kirjutame selle tuvastamiseks reegli. Lisaks sellele paigaldame Logstashi ja Kibana nimelised tarkvarad, et graafiliselt vaaadelda rünnakuid. Logstash ja Kibana sobivad väga hästi logide kogumiseks ja keskkonsoolina kasutamiseks.<br /> <br /> ==Paigaldame Logstashi ja Kibana==<br /> <br /> 1. Paigaldame eeldus tarkvara:<br /> <br /> &lt;source lang=&quot;bash&quot;&gt;<br /> apt-get install apache2 openjdk-7-jdk openjdk-7-jre-headless<br /> &lt;/source&gt;<br /> <br /> 2. Laeme alla ja paigaldame Logstashi ja Kibana(alla laadimine võtab natuke aega):<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.tar.gz<br /> wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.2.0.deb<br /> wget https://download.elasticsearch.org/logstash/logstash/packages/debian/logstash_1.4.1-1-bd507eb_all.deb<br /> <br /> tar -C /var/www/ -xzf kibana-3.1.0.tar.gz<br /> mv /var/www/kibana-3.1.0 /var/www/kibana<br /> dpkg -i elasticsearch-1.1.0.deb<br /> dpkg -i logstash_1.4.0-1-c82dc09_all.deb<br /> &lt;/source&gt;<br /> <br /> 3. Loome Logstashi konfiguratsiooni faili ja kopeerime sinna konfiguratsiooni:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> touch /etc/logstash/conf.d/logstash.conf<br /> vim /etc/logstash/conf.d/logstash.conf<br /> &lt;/source&gt;<br /> <br /> Kopeerime logstash.conf faili järgnevad read:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> input {<br /> file { <br /> path =&gt; [&quot;/var/log/suricata/eve.json&quot;]<br /> codec =&gt; json <br /> type =&gt; &quot;SuricataIDPS-logs&quot; <br /> }<br /> <br /> }<br /> <br /> filter {<br /> if [type] == &quot;SuricataIDPS-logs&quot; {<br /> date {<br /> match =&gt; [ &quot;timestamp&quot;, &quot;ISO8601&quot; ]<br /> }<br /> }<br /> <br /> if [src_ip] {<br /> geoip {<br /> source =&gt; &quot;src_ip&quot; <br /> target =&gt; &quot;geoip&quot; <br /> database =&gt; &quot;/opt/logstash/vendor/geoip/GeoLiteCity.dat&quot; <br /> add_field =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;%{[geoip][longitude]}&quot; ]<br /> add_field =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;%{[geoip][latitude]}&quot; ]<br /> }<br /> mutate {<br /> convert =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;float&quot; ]<br /> }<br /> }<br /> }<br /> <br /> output { <br /> elasticsearch {<br /> host =&gt; localhost<br /> }<br /> }<br /> &lt;/source&gt;<br /> <br /> 4. Seadistame käivitumise teenused:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> update-rc.d elasticsearch defaults 95 10<br /> update-rc.d logstash defaults<br /> <br /> service apache2 restart<br /> service elasticsearch start<br /> service logstash start<br /> &lt;/source&gt;<br /> <br /> 5. Seadistame Apache:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> cd /etc/apache2/sites-available/<br /> cp 000-default.conf kibana.conf<br /> &lt;/source&gt;<br /> <br /> Seadistame VirtualHosti konfi järgnevaks:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> Listen 8080<br /> &lt;VirtualHost *:8080&gt;<br /> # The ServerName directive sets the request scheme, hostname and port that<br /> # the server uses to identify itself. This is used when creating<br /> # redirection URLs. In the context of virtual hosts, the ServerName<br /> # specifies what hostname must appear in the request&#039;s Host: header to<br /> # match this virtual host. For the default virtual host (this file) this<br /> # value is not decisive as it is used as a last resort host regardless.<br /> # However, you must set it for any further virtual host explicitly.<br /> #ServerName www.example.com<br /> ServerName ids.planet.zz<br /> ServerAdmin webmaster@localhost<br /> DocumentRoot /var/www/kibana-3.1.0<br /> <br /> # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,<br /> # error, crit, alert, emerg.<br /> # It is also possible to configure the loglevel for particular<br /> # modules, e.g.<br /> #LogLevel info ssl:warn<br /> <br /> ErrorLog ${APACHE_LOG_DIR}/error.log<br /> CustomLog ${APACHE_LOG_DIR}/access.log combined<br /> <br /> # For most configuration files from conf-available/, which are<br /> # enabled or disabled at a global level, it is possible to<br /> # include a line for only one particular virtual host. For example the<br /> # following line enables the CGI configuration for this host only<br /> # after it has been globally disabled with &quot;a2disconf&quot;.<br /> #Include conf-available/serve-cgi-bin.conf<br /> &lt;/VirtualHost&gt;<br /> &lt;/source&gt;<br /> <br /> Lubame virtualhosti:<br /> <br /> &lt;source lang=&quot;bash&quot;&gt;<br /> a2ensite kibana.conf<br /> &lt;/source&gt;<br /> Kofigureerime Kibana esmaseks töölauaks Logstashi vaate:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> cd /var/www/kibana-3.1.0/app/dashboards/<br /> curl -o suricata2.json https://gist.githubusercontent.com/regit/8849943/raw/15f1626090d7bb0d75bca33807cfaa4199b767b4/Suricata%20dashboard<br /> &lt;/source&gt;<br /> <br /> Laeme apache teenuse uuesti:<br /> &lt;source lang=&quot;bash&quot;&gt;<br /> service apache2 reload<br /> &lt;/source&gt;<br /> <br /> Minnes veebilehtsejaga aadressile http://ids.planet.zz:8080/#/dashboard/file/suricata2.json, avaneb meile Kibana liides eelnevalt Suricata jaoks loodud vaatega.<br /> <br /> <br /> <br /> http://blog.oneiroi.co.uk/ids/ips/security/visualization/kibana/logstash/suricata/arm/utilite/suricata-logstash-kibana-utilite-pro-arm/<br /> <br /> https://gist.github.com/regit<br /> <br /> https://home.regit.org/category/securite/<br /> <br /> http://www.appliednsm.com/category/analysis/</div> Aelliku