2018/12/29

For some time I have wanted to pick abnormal network behaviour out of HTTP logs,
but doing it was awkward in practice:
either parse the log on every server and pull the results back for processing,
or configure every web server to ship its log to one log server and process it there.
Both run into the same problem:
the log formats all differ,
which makes processing quite inconvenient.
Bro IDS solves this,
because it records the HTTP transactions it sees itself, in http.log.
Since the data comes from a port mirror,
it makes no difference which web server is behind it, and there is no format problem.
(One limit to keep in mind: the HTTP analyzer only sees cleartext HTTP; HTTPS requests show up only as TLS metadata in ssl.log, not in http.log.)
Below is part of the related log as received:

"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.232953 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 78 GET 10.10.10.10 /phpmyadmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057225.584942 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 97 GET 10.10.10.10 /phpMyAdmin__/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.108940 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 83 GET 10.10.10.10 /xampp/phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057214.432996 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 47 POST 10.10.10.10 /mm.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 33 0 - - - - (empty) - - - FtjKnE4d9dGZ1eTimg - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.824968 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 87 GET 10.10.10.10 /phpmyadmin-old/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057217.248956 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 63 GET 10.10.10.10 /dbadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057210.580951 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 26 POST 10.10.10.10 /xiaohei.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 28 0 - - - - (empty) - - - F2YNwr3qgj6VkZiouf - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057215.136950 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 51 GET 10.10.10.10 /index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.020960 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 56 GET 10.10.10.10 /PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057218.484938 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 70 GET 10.10.10.10 /admin/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057218.308939 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 69 GET 10.10.10.10 /admin/phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.648956 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 86 GET 10.10.10.10 /tools/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.196985 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 57 GET 10.10.10.10 /PMA2/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.937003 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 82 GET 10.10.10.10 /myadmin2/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057213.724938 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 43 POST 10.10.10.10 /test123.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 21 0 - - - - (empty) - - - FIDl5w1kIO2VHsjo8a - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.163288 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 72 GET 10.10.10.10 /mysqladmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.704931 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 75 GET 10.10.10.10 /phpadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.528944 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 91 GET 10.10.10.10 /claroline/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057217.776981 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 66 GET 10.10.10.10 /admin/PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057211.996955 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 34 POST 10.10.10.10 /zxc2.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 27 0 - - - - (empty) - - - Ft1eC04yYKwCWhrTPi - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.884950 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 93 GET 10.10.10.10 /phpma/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.508999 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 17 GET 10.10.10.10 /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.352989 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 5 GET 10.10.10.10 /phpMyAdmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.144976 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 15 GET 10.10.10.10 /mysql/sqlmanager/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.681003 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 18 GET 10.10.10.10 /manager/html - - Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.000982 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 3 GET 10.10.10.10 /phpMyAdmion/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F3YCn01Lompw5GiAdh - text/plain"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057226.644633 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 1 GET 10.10.10.10 /shaAdmin/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F6zWHY3ZersNuWiVX2 - text/plain"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057189.296983 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 30 POST 10.10.10.10 /1hou.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - FFzi3l4NQmxiu0bsfg - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057194.068951 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 50 POST 10.10.10.10 /sha.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - FjR3jA2532rlkSNbEf - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057202.900966 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 88 POST 10.10.10.10 /2.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - F3ewddDCWbrsByyN8 - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057193.716947 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 48 POST 10.10.10.10 /core.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - FMBWxFbha0axdctTj - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057185.908958 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 11 POST 10.10.10.10 /aaaa.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - Fsbkfe4RxpY2HRVpkg - text/plain FGwnQrbAvp4Iov629 - -"


Besides disguising itself as different OS and browser combinations,
the scanner keeps trying the paths and file names of common admin tools (phpMyAdmin under its many aliases, Tomcat's /manager/html),
and POSTs small text/plain bodies to short .php names (/mm.php, /xiaohei.php, /sha.php, ...) that no normal site has.
It fires the requests without necessarily waiting for a reply,
so most records carry no status code at all (status_code is "-" when Bro saw no response), not a 404;
filtering on 404s misses them.
Searching the URI field for these keywords
is the way to find the offending IPs and deal with them.
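As an added example, not part of the original notes, here is a Python scorer that parses these syslog-wrapped bro_http lines and flags the source IP on the two signals just described: hits on admin-tool paths and POSTs that got no response. It assumes the Bro 2.6 http.log column order and that the tab separators were collapsed to spaces in transit, as in the records shown; the keyword list and the benign 192.0.2.7 record are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed input: seven of the bro_http records shown above (all from
# 103.13.222.104) plus one made-up benign request from 192.0.2.7 that the
# scorer must NOT flag.  The shape is what rsyslog/imfile delivered,
#   "syslog-ts","host","host bro_http: <http.log columns>"
# with http.log's tab separators collapsed to single spaces in transit.
SAMPLE_LINES = [
    '"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.232953 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 78 GET 10.10.10.10 /phpmyadmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"',
    '"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057214.432996 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 47 POST 10.10.10.10 /mm.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 33 0 - - - - (empty) - - - FtjKnE4d9dGZ1eTimg - text/plain - - -"',
    '"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057210.580951 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 26 POST 10.10.10.10 /xiaohei.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 28 0 - - - - (empty) - - - F2YNwr3qgj6VkZiouf - text/plain - - -"',
    '"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.020960 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 56 GET 10.10.10.10 /PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"',
    '"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.163288 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 72 GET 10.10.10.10 /mysqladmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"',
    '"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.681003 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 18 GET 10.10.10.10 /manager/html - - Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 0 0 - - - - (empty) - - - - - - - - -"',
    '"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.000982 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 3 GET 10.10.10.10 /phpMyAdmion/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F3YCn01Lompw5GiAdh - text/plain"',
    # constructed benign record, not from the page
    '"2018-12-29T04:25:00.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057500.000000 CxYz0123456789abcd 192.0.2.7 50001 10.10.10.10 80 1 GET 10.10.10.10 /index.php - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0 0 1024 200 OK - - (empty) - - - - - - FbEnign0000000000 - text/html"',
]

SYSLOG_RE = re.compile(r'^"([^"]*)","([^"]*)","(.*)"$')

# Bro 2.6 http.log column order.  user_agent and status_msg may contain
# spaces, so user_agent is matched non-greedily and anchored on the two
# numeric body-length columns that follow it; the columns after
# status_code are split off from the right so status_msg keeps its spaces.
HTTP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<uid>\S+) (?P<orig_h>\S+) (?P<orig_p>\d+) "
    r"(?P<resp_h>\S+) (?P<resp_p>\d+) (?P<trans_depth>\d+) (?P<method>\S+) "
    r"(?P<host>\S+) (?P<uri>\S+) (?P<referrer>\S+) (?P<version>\S+) "
    r"(?P<user_agent>.+?) (?P<request_body_len>\d+) (?P<response_body_len>\d+) "
    r"(?P<status_code>\d+|-) (?P<tail>.*)$"
)
TAIL_FIELDS = ("info_code", "info_msg", "tags", "username", "password", "proxied",
               "orig_fuids", "orig_filenames", "orig_mime_types",
               "resp_fuids", "resp_filenames", "resp_mime_types")


def parse_line(line):
    """Return one http.log record as a dict, or None if the line is not bro_http."""
    m = SYSLOG_RE.match(line.strip())
    if not m or " bro_http: " not in m.group(3):
        return None
    h = HTTP_RE.match(m.group(3).split(" bro_http: ", 1)[1])
    if not h:
        return None
    rec = h.groupdict()
    tail = rec.pop("tail").rsplit(" ", len(TAIL_FIELDS))
    if len(tail) != len(TAIL_FIELDS) + 1:
        return None
    rec["status_msg"] = tail[0]               # e.g. "Not Found", or "-" if no reply
    rec.update(zip(TAIL_FIELDS, tail[1:]))
    return rec


# Keyword list built from what this scan actually requested (assumption:
# extend it with whatever admin tools your own sites do not run).
ADMIN_PATH_KEYWORDS = ("phpmyadmin", "pma", "myadmin", "mysqladmin", "phpadmin",
                       "dbadmin", "sqlmanager", "manager/html")
SHORT_PHP_RE = re.compile(r"^/[A-Za-z0-9_]{1,8}\.php$")


def analyze(lines):
    """Aggregate per source IP and flag scanners.  Returns {ip: stats dict}."""
    per_src = defaultdict(lambda: {"requests": 0, "uris": set(), "uas": set(),
                                   "admin_probes": 0, "blind_php_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["orig_h"]]
        s["requests"] += 1
        s["uris"].add(rec["uri"])
        s["uas"].add(rec["user_agent"])
        if any(k in rec["uri"].lower() for k in ADMIN_PATH_KEYWORDS):
            s["admin_probes"] += 1
        # POST to a short .php name with no response seen: the scanner did not
        # wait for a reply, so status_code is "-" rather than 404.
        if (rec["method"] == "POST" and SHORT_PHP_RE.match(rec["uri"])
                and rec["status_code"] == "-"):
            s["blind_php_posts"] += 1
    report = {}
    for src, s in per_src.items():
        reasons = []
        if s["admin_probes"] >= 3:
            reasons.append("admin-tool path guessing")
        if s["blind_php_posts"] >= 2:
            reasons.append("blind POSTs to short .php names")
        if len(s["uris"]) >= 10 and len(s["uas"]) >= 2:
            reasons.append("many URIs with rotating User-Agent")
        report[src] = {"requests": s["requests"], "distinct_uris": len(s["uris"]),
                       "distinct_uas": len(s["uas"]), "admin_probes": s["admin_probes"],
                       "blind_php_posts": s["blind_php_posts"],
                       "reasons": reasons, "flagged": bool(reasons)}
    return report


if __name__ == "__main__":
    for src, st in sorted(analyze(SAMPLE_LINES).items()):
        print("FLAG" if st["flagged"] else "ok  ", src, st)
```

The thresholds are deliberately simple; in practice you would run this over a time window (the ts column) and feed the flagged IPs to whatever blocks them. Shipping http.log with its tabs intact (or as JSON) would remove the need for the regex anchoring trick entirely.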

2018/12/26

In Proxmox, if a guest's disk image is on local storage,
online live migration cannot be started from the web interface.

You get:

2018-12-26 12:52:46 starting migration of VM 701 to node 'proxmox2'
2018-12-26 12:52:47 found local disk 'local-zfs:vm-701-disk-0' (in current VM config)
2018-12-26 12:52:47 can't migrate local disk 'local-zfs:vm-701-disk-0': can't live migrate attached local disks without with-local-disks option
2018-12-26 12:52:47 ERROR: Failed to sync data - can't migrate VM - check log
2018-12-26 12:52:47 aborting phase 1 - cleanup resources
2018-12-26 12:52:47 ERROR: migration aborted (duration 00:00:01): Failed to sync data - can't migrate VM - check log
TASK ERROR: migration aborted

You have to run the command by hand:

qm migrate vmid nodename --with-local-disks --online

for example
qm migrate 701 proxmox2 --with-local-disks --online

With --with-local-disks the disk image itself is copied to the target node over the network while the VM keeps running,
so the migration takes as long as copying the disk, and the target node needs a storage with the same ID (local-zfs here) to receive it.

2018/12/08

Not long ago I wrote a post on installing Bro IDS;
on 2018/11/29 version 2.6 was released.

Today I finished a test install,
so here is a record of the process.

make takes even longer than with the previous version.

First edit

/usr/local/bro/etc/node.cfg
interface=eth1 (the mirror port to listen on)


After make install, starting with broctl start failed.

First install sendmail
yum -y install sendmail

Then there are two files to modify

/usr/local/bro/share/bro/broctl/standalone.bro

#@load standalone-layout


/usr/local/bro/share/bro/broctl/auto.bro

#@load local-networks
#@load broctl-config

After these changes it starts without problems.

(Caveat: standalone-layout, local-networks and broctl-config are scripts that broctl generates from node.cfg, networks.cfg and broctl.cfg when you run broctl install, which broctl deploy does for you; commenting the @load lines out gets past a missing-file error but also drops what they carry, notably Site::local_nets from networks.cfg, so running broctl deploy first is the supported route.)

Next, add to /etc/rc.local

/sbin/ifconfig eth1 promisc
/usr/local/bro/bin/broctl start

(On CentOS 7, /etc/rc.d/rc.local must be executable, chmod +x, or rc-local.service will not run it.)

Then note where the logs are:

/usr/local/bro/spool/bro

This is the live log directory of the running node (spool/<node name>, bro here); at rotation broctl moves finished files to /usr/local/bro/logs/<date>/, so a log shipper should follow the file under spool/.

Now the logs you want can be shipped out.

vi /etc/rsyslog.d/bro.conf

# imfile is not loaded by the stock CentOS 7 rsyslog.conf; omit this line if yours already loads it
module(load="imfile")

input(type="imfile"
      File="/usr/local/bro/spool/bro/sip.log"
      Tag="bro_sip:"
      Severity="debug"
      Facility="user"
     )

user.debug @2.3.4.5:514


Use Severity debug so the lines do not also land in /var/log/messages:
the stock rule there is "*.info;mail.none;authpriv.none;cron.none /var/log/messages", which only matches info and above.
Note that "user.debug" on the forwarding line means "user facility at debug or higher", so everything in the user facility goes to 2.3.4.5 over UDP (@@ would use TCP);
"user.=debug" restricts it to exactly these lines.

2018/12/04

The problem I reported earlier, that Proxmox LXC containers cannot mount NFS,
is fixed in version 5.3.



2018/12/02

These last two days I downloaded an ISO from the Microsoft site to install and test

https://www.microsoft.com/zh-tw/software-download/windows10ISO

During installation I chose the Education edition,
but it could not be activated against KMS.

After some googling
it turned out the key has to be changed to the GVLK (the generic KMS client setup key) first:
the ISO installs with a retail (non-volume) key, and a KMS host only activates clients that present a GVLK.

https://it.cornell.edu/software-licensing/updating-kms-mak-installation

https://it.cornell.edu/software-licensing/product-keys-updating-kms-mak-activation

The command to change the key on Windows 10 is:
slmgr.vbs /ipk NW6C2-QMPVW-D7KKK-3GKT6-VCFB2

(NW6C2-QMPVW-D7KKK-3GKT6-VCFB2 is Microsoft's published GVLK for Windows 10 Education.)
After changing the key, run KMS activation again (slmgr.vbs /ato) and it activates fine.