IDS Systeemid - Labor 2

From ICO wiki
Revision as of 17:33, 1 July 2014 by Aelliku (talk | contribs) (→‎Labor 2)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Labor 2

Reegli kirjutamine ning rünnaku tuvastus ja analüüs

Käesolevas laboris uurime ühte konkreetset rünnakut ning kirjutame selle tuvastamiseks reegli. Lisaks sellele paigaldame Logstashi ja Kibana nimelised tarkvarad, et graafiliselt vaaadelda rünnakuid. Logstash ja Kibana sobivad väga hästi logide kogumiseks ja keskkonsoolina kasutamiseks.

Eelduslik labor 1 on leitav: IDS Systeemid - Labor 1

Laboris on kasutusel Ubuntu Linux 14.04 LTS. Täpsem info laborite kohta on leitav: IDS systeemid - Labori paigaldusjuhend

Paigaldame Logstashi ja Kibana

1. Paigaldame eeldus tarkvara:

  apt-get install apache2 openjdk-7-jdk openjdk-7-jre-headless

2. Laeme alla ja paigaldame Logstashi ja Kibana(alla laadimine võtab natuke aega):

   wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.tar.gz
   wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.2.0.deb
   wget https://download.elasticsearch.org/logstash/logstash/packages/debian/logstash_1.4.1-1-bd507eb_all.deb

   tar -C /var/www/ -xzf kibana-3.1.0.tar.gz
   mv /var/www/kibana-3.1.0 /var/www/kibana
   dpkg -i elasticsearch-1.1.0.deb
   dpkg -i logstash_1.4.0-1-c82dc09_all.deb

3. Loome Logstashi konfiguratsiooni faili ja kopeerime sinna konfiguratsiooni:

  touch /etc/logstash/conf.d/logstash.conf
  vim /etc/logstash/conf.d/logstash.conf

Kopeerime logstash.conf faili järgnevad read:

   input {
    file { 
      path => ["/var/log/suricata/eve.json"]
      codec =>   json 
      type => "SuricataIDPS-logs" 
    }

  }

  filter {
    if [type] == "SuricataIDPS-logs" {
      date {
        match => [ "timestamp", "ISO8601" ]
      }
    }

    if [src_ip]  {
      geoip {
        source => "src_ip" 
        target => "geoip" 
        database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat" 
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      }
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
      }
    }
  }

  output { 
    elasticsearch {
      host => localhost
    }
  }

4. Seadistame käivitumise teenused:

 update-rc.d elasticsearch defaults 95 10
 update-rc.d logstash defaults
 
 service apache2 restart
 service elasticsearch start
 service logstash start

5. Seadistame Apache:

  cd /etc/apache2/sites-available/
  cp 000-default.conf kibana.conf

Seadistame VirtualHosti konfi järgnevaks:

    Listen 8080
    <VirtualHost *:8080>
            # The ServerName directive sets the request scheme, hostname and port that
            # the server uses to identify itself. This is used when creating
            # redirection URLs. In the context of virtual hosts, the ServerName
            # specifies what hostname must appear in the request's Host: header to
            # match this virtual host. For the default virtual host (this file) this
            # value is not decisive as it is used as a last resort host regardless.
            # However, you must set it for any further virtual host explicitly.
            #ServerName www.example.com
            ServerName  ids.planet.zz
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/kibana-3.1.0

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf
    </VirtualHost>

Lubame virtualhosti:

  a2ensite kibana.conf

Kofigureerime Kibana esmaseks töölauaks Logstashi vaate:

  cd /var/www/kibana-3.1.0/app/dashboards/
  curl -o suricata2.json https://gist.githubusercontent.com/regit/8849943/raw/15f1626090d7bb0d75bca33807cfaa4199b767b4/Suricata%20dashboard

Laeme apache teenuse uuesti:

  service apache2 reload

Minnes veebilehtsejaga aadressile http://ids.planet.zz:8080/#/dashboard/file/suricata2.json, avaneb meile Kibana liides eelnevalt Suricata jaoks loodud vaatega.


http://blog.oneiroi.co.uk/ids/ips/security/visualization/kibana/logstash/suricata/arm/utilite/suricata-logstash-kibana-utilite-pro-arm/

https://gist.github.com/regit

https://home.regit.org/category/securite/

http://www.appliednsm.com/category/analysis/