Showing posts with label port mirror.

2021/11/05

Until now I copied traffic by configuring a port mirror on the switch, but switch ports are limited, so I wanted to do it from Linux instead. daemonlogger turned out to be quite convenient for this:

 daemonlogger -i eth1 -o eth2 -d 

(-i is the interface it sniffs, -o the interface the copied packets are written back out to, -d runs it as a daemon.)

On Proxmox, setting this up inside the guest has no effect; it has to be configured on the host.

2018/12/29

For a long time I have wanted to pick abnormal network behaviour out of HTTP logs, but doing it was awkward:
either parse the logs on every server and pull the results back,
or have every web server ship its log to a central log server and process it there.
Both run into the same problem:
the log formats all differ,
which makes processing painful.
Bro IDS solves this,
because it writes the HTTP transactions it sees into http.log,
and since the data comes from a port mirror
it does not matter which web server is behind it; there is no format mismatch.
Here is part of the relevant log as received:

"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.232953 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 78 GET 10.10.10.10 /phpmyadmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057225.584942 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 97 GET 10.10.10.10 /phpMyAdmin__/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.108940 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 83 GET 10.10.10.10 /xampp/phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057214.432996 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 47 POST 10.10.10.10 /mm.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 33 0 - - - - (empty) - - - FtjKnE4d9dGZ1eTimg - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.824968 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 87 GET 10.10.10.10 /phpmyadmin-old/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057217.248956 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 63 GET 10.10.10.10 /dbadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057210.580951 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 26 POST 10.10.10.10 /xiaohei.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 28 0 - - - - (empty) - - - F2YNwr3qgj6VkZiouf - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057215.136950 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 51 GET 10.10.10.10 /index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.020960 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 56 GET 10.10.10.10 /PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057218.484938 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 70 GET 10.10.10.10 /admin/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057218.308939 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 69 GET 10.10.10.10 /admin/phpmyadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057223.648956 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 86 GET 10.10.10.10 /tools/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057216.196985 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 57 GET 10.10.10.10 /PMA2/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.937003 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 82 GET 10.10.10.10 /myadmin2/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057213.724938 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 43 POST 10.10.10.10 /test123.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 21 0 - - - - (empty) - - - FIDl5w1kIO2VHsjo8a - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.163288 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 72 GET 10.10.10.10 /mysqladmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057221.704931 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 75 GET 10.10.10.10 /phpadmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.528944 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 91 GET 10.10.10.10 /claroline/phpMyAdmin/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057217.776981 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 66 GET 10.10.10.10 /admin/PMA/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057211.996955 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 34 POST 10.10.10.10 /zxc2.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 27 0 - - - - (empty) - - - Ft1eC04yYKwCWhrTPi - text/plain - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057224.884950 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 93 GET 10.10.10.10 /phpma/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.508999 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 17 GET 10.10.10.10 /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.352989 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 5 GET 10.10.10.10 /phpMyAdmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.144976 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 15 GET 10.10.10.10 /mysql/sqlmanager/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.681003 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 18 GET 10.10.10.10 /manager/html - - Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057227.000982 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 3 GET 10.10.10.10 /phpMyAdmion/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F3YCn01Lompw5GiAdh - text/plain"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057226.644633 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 1 GET 10.10.10.10 /shaAdmin/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F6zWHY3ZersNuWiVX2 - text/plain"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057189.296983 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 30 POST 10.10.10.10 /1hou.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - FFzi3l4NQmxiu0bsfg - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057194.068951 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 50 POST 10.10.10.10 /sha.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - FjR3jA2532rlkSNbEf - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057202.900966 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 88 POST 10.10.10.10 /2.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 24 0 - - - - (empty) - - - F3ewddDCWbrsByyN8 - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057193.716947 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 48 POST 10.10.10.10 /core.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - FMBWxFbha0axdctTj - text/plain - - -"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057185.908958 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 11 POST 10.10.10.10 /aaaa.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - Fsbkfe4RxpY2HRVpkg - text/plain FGwnQrbAvp4Iov629 - -"


Apart from disguising itself as different OSes and browsers,
it keeps trying the paths and file names of various default admin tools.
The scanner fires off requests without necessarily waiting for a reply,
so the status_code field is often empty (-) rather than 404.
Searching the request URIs for keywords is enough
to pick out the offending IPs and deal with them.

2018/11/17

I wrote about Security Onion earlier;
the Bro IDS it bundles can be installed on its own.
It has been running for a while now
with good results,
so here are my notes.

Installation first.

I installed on CentOS 7, adding the rpms the documentation lists.
make takes a while.

After installing, edit
/usr/local/bro/etc/node.cfg
and set the listening interface (the one receiving the port mirror).

Then add
/usr/local/bro/bin/broctl start
to /etc/rc.local so it starts at boot.

All logs go to
/usr/local/bro/logs/current 
Historical data is split by date.
The logs are sorted by protocol and quite complete; parse whichever file suits your needs:

capture_loss.log  files.log        pe.log      software.log  stderr.log  weird.log
conn.log          http.log         radius.log  ssh.log       stdout.log  x509.log
dns.log           known_hosts.log  smtp.log    ssl.log       syslog.log
dpd.log           notice.log       snmp.log    stats.log     tunnel.log

I use rsyslog to ship the data I need to graylog.
Create /etc/rsyslog.d/bro.conf with one stanza like the one below per log file
(the http.log lines above came through a stanza tagged bro_http: in the same way).

Example:

# load the file-input module; the $InputFile* directives below need it
$ModLoad imfile

$InputFileName /usr/local/bro/logs/current/sip.log
$InputFileTag bro_sip:
$InputFileStateFile stat-bro_sip
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

# check for new lines every second
$InputFilePollingInterval 1
# To the ELSA test server! (a single @ sends over UDP; use @@ for TCP):
local7.info @1.2.3.4:514


The graylog marketplace currently has only one Content Pack, and it parses logs shipped from Security Onion,
so to get statistics on source IPs you have to write an extractor yourself,
and because the format of each log file differs,
you need a different extractor per log file.
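The keyword search in the 2018/12/29 post and the source-IP extractor the graylog note above says you must write both need the same thing: the http.log fields pulled back out of the shipped line. The following Python is an added example, not code from this blog, Bro or graylog. It runs over six of the lines shown above plus one constructed benign request; the PROBE_KEYWORDS list and the threshold are assumptions, and the user-agent heuristic exists only because the shipped lines have lost Bro's tab separators (if you keep the tabs, split on "\t" and drop the heuristic).

```python
import re
from collections import defaultdict

# The page shows http.log lines as graylog stored them after rsyslog shipping:
#   "<received-ts>","<host>","<host> bro_http: <bro http.log record>"
WRAPPED = re.compile(r'^"([^"]*)","([^"]*)","(.*)"$')
TAG = "bro_http: "

# URI fragments a scanner hunting for default admin consoles requests.  The list
# is an assumption drawn from the URIs in the excerpt above; extend it as needed.
PROBE_KEYWORDS = ("admin", "pma", "mysql", "sqlmanager", "manager/html", "phpma")


def parse_bro_http(line):
    """Return the http.log fields we need from one shipped line, or None.

    Bro writes http.log tab-separated, but the lines above arrived with the
    tabs collapsed to spaces, so user_agent and status_msg are no longer single
    tokens.  Heuristic: the user agent runs from token 12 up to the first pair
    of adjacent all-digit tokens (request_body_len, response_body_len);
    status_code is the token right after those two.
    """
    m = WRAPPED.match(line.strip())
    msg = m.group(3) if m else line.strip()
    if TAG not in msg:
        return None
    tok = msg.split(TAG, 1)[1].split()
    if len(tok) < 16:
        return None
    rec = {"ts": float(tok[0]), "uid": tok[1], "src": tok[2], "sport": int(tok[3]),
           "dst": tok[4], "dport": int(tok[5]), "method": tok[7],
           "host": tok[8], "uri": tok[9]}
    i = 12
    while i + 1 < len(tok) and not (tok[i].isdigit() and tok[i + 1].isdigit()):
        i += 1
    rec["user_agent"] = " ".join(tok[12:i])
    rec["status"] = tok[i + 2] if i + 2 < len(tok) else "-"
    return rec


def parse_all(lines):
    return [r for r in (parse_bro_http(ln) for ln in lines) if r]


def suspicious_sources(records, min_probe_paths=3):
    """Per source IP, count the signals the post describes: distinct admin-console
    paths tried (keyword match on the URI, independent of any 404), distinct user
    agents, and requests Bro never saw a reply to (status_code '-').  Sources that
    hit at least min_probe_paths distinct probe paths are returned."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set(), "unanswered": 0})
    for r in records:
        s = stats[r["src"]]
        s["requests"] += 1
        s["agents"].add(r["user_agent"])
        if any(k in r["uri"].lower() for k in PROBE_KEYWORDS):
            s["paths"].add(r["uri"])
        if r["status"] == "-":
            s["unanswered"] += 1
    return {src: {"requests": s["requests"], "probe_paths": len(s["paths"]),
                  "user_agents": len(s["agents"]), "unanswered": s["unanswered"],
                  "sample_paths": sorted(s["paths"])[:5]}
            for src, s in stats.items() if len(s["paths"]) >= min_probe_paths}


# Six lines from the excerpt above plus one constructed benign request (last line).
SAMPLE_LINES = r'''
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057222.232953 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 78 GET 10.10.10.10 /phpmyadmin1/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:32.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057214.432996 CMitkC4cDzyAFEKkR7 103.13.222.104 58845 10.10.10.10 80 47 POST 10.10.10.10 /mm.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 33 0 - - - - (empty) - - - FtjKnE4d9dGZ1eTimg - text/plain - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.508999 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 17 GET 10.10.10.10 /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:41.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057229.681003 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 18 GET 10.10.10.10 /manager/html - - Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 0 0 - - - - (empty) - - - - - - - - -"
"2018-12-29T04:20:28.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057226.644633 C95B7c0UxBS1gw2Yg 103.13.222.104 64912 10.10.10.10 80 1 GET 10.10.10.10 /shaAdmin/index.php - 1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 0 159 404 Not Found - - (empty) - - - - - - F6zWHY3ZersNuWiVX2 - text/plain"
"2018-12-29T04:20:11.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057185.908958 CTOH8U3JKYGtswHTJe 103.13.222.104 52431 10.10.10.10 80 11 POST 10.10.10.10 /aaaa.php - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Safari/537.36 25 0 - - - - (empty) - - - Fsbkfe4RxpY2HRVpkg - text/plain FGwnQrbAvp4Iov629 - -"
"2018-12-29T04:21:00.000Z","bro-ids-centos7-lxc","bro-ids-centos7-lxc bro_http: 1546057260.000000 CbenignAAAAAAAAAA 192.168.1.20 51000 10.10.10.10 80 1 GET www.example.test /index.html - 1.1 Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0 0 512 200 OK - - (empty) - - - - - - FbenignBBBBBBBBBB - text/html"
'''.strip().splitlines()

if __name__ == "__main__":
    for src, info in suspicious_sources(parse_all(SAMPLE_LINES)).items():
        print(src, info)
```

Feeding the real graylog export through parse_all gives the same per-source summary; the scanner above shows up with four distinct probe paths, three user agents and five unanswered requests, while the benign client never appears. The 404 on /shaAdmin/index.php is irrelevant to the verdict, which is the point of matching on the URI.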

2016/03/29

Last week the authentication box died.
Besides authentication failing,
traffic accounting also ran on that box, so the quota limits stopped working as well.
I first wanted to pull the netflow data from the LP directly,
but that includes internal-to-internal traffic, which would skew the numbers,
so I decided to convert the port mirror of the external-facing port into netflow instead.

fprobe
converts the port-mirrored traffic into netflow and exports it.

flow-tools
collects the netflow and formats it into the data needed.

On Ubuntu a plain apt-get install is enough;
on CentOS they cannot be installed with yum directly.

The relevant commands are as follows:

# export flows from the mirror interface (BPF filter "ip") to the collector on localhost:555
/usr/sbin/fprobe -ieth1 -fip localhost:555
# collect NetFlow v5 on port 555 (0/0/555 = any local ip / any remote ip / port), gzip level 6,
# 572 file rotations per day, keep 5000 files, nesting -N -1 = one YYYY-MM-DD directory per day
# (the report commands below rely on that layout), under /tmp/flow
/usr/bin/flow-capture -V 5 -z 6 -n 572 -e 5000 -N -1 -w /tmp/flow 0/0/555

The commands to rank traffic and pull out the IPs whose download or upload exceeds the quota.
(The threshold in the awk below is 5,000,000,000 bytes, about 5 GB, not the 10G mentioned in my notes; set the number to whatever your quota actually is.)

flow-cat /tmp/flow/`date +'%Y-%m-%d'`/ft*|flow-report -v TYPE=ip-destination-address|grep "192.168.\|10.10."|sort -rnk3 |awk '$3 > 5000000000 {print $1}'|grep -v -f /root/netflow_white_list > /tmp/netflow_quota_download

flow-cat /tmp/flow/`date +'%Y-%m-%d'`/ft*|flow-report -v TYPE=ip-source-address|grep "192.168.\|10.10."|sort -rnk3 |awk '$3 > 5000000000 {print $1}'|grep -v -f /root/netflow_white_list > /tmp/netflow_quota_upload

Note that grep -v -f treats each whitelist line as an unanchored pattern, so a whitelist entry 10.10.1.1 also drops 10.10.1.10 and 10.10.1.100 from the result; use grep -v -x -f (whole-line match) or anchor the entries to avoid that.
https://jal.tw/doku.php?id=netflow:fprobe
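The two pipelines above do the quota check with grep and awk. As an added example, not from this post or from flow-tools, here is the same check in Python over a constructed report in the column layout the awk pipeline reads (address in column 1, octets in column 3); the internal prefixes come from the grep, the 5,000,000,000-byte threshold from the awk, and the whitelist is assumed to be one address or CIDR per line as in /root/netflow_white_list. Unlike grep -v -f it compares addresses rather than substrings, so a whitelist entry 10.10.1.1 no longer hides 10.10.1.10.

```python
import sys
import ipaddress

# Prefixes the page's grep keeps ("192.168." and "10.10.") and the awk threshold.
INTERNAL = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.10.0.0/16")]
QUOTA_BYTES = 5_000_000_000


def parse_flow_report(text):
    """Yield (address, octets) from a flow-report table laid out the way the awk
    pipeline on the page reads it: address in column 1, octets in column 3
    (an assumption).  Comment lines ('#') and non-address rows are skipped."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0].startswith("#"):
            continue
        try:
            yield ipaddress.ip_address(cols[0]), int(cols[2])
        except ValueError:
            continue


def load_whitelist(lines):
    """One address or CIDR per line, '#' comments allowed (assumed file format)."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def over_quota(report_text, whitelist_nets, quota=QUOTA_BYTES, internal=INTERNAL):
    """Internal addresses above quota, whitelist removed, largest first."""
    hits = []
    for addr, octets in parse_flow_report(report_text):
        if not any(addr in net for net in internal):
            continue  # the external side of the flow, not one of our users
        if any(addr in net for net in whitelist_nets):
            continue  # exact address/CIDR membership, not a substring match
        if octets > quota:
            hits.append((str(addr), octets))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


# Constructed sample report (not real flow-report output); 10.10.1.1 is whitelisted
# and 10.10.1.10 must still be reported even though "10.10.1.1" is a prefix of it.
SAMPLE_REPORT = """\
# ip-destination-address  flows  octets  packets
10.10.3.7        1200   7800000000  5600000
192.168.1.10       40   6000000000  4100000
10.10.1.1          15   9000000000  6100000
10.10.1.10         90   5500000000  3900000
203.0.113.9       300  12000000000  9000000
10.10.5.2          10    120000000    90000
"""
SAMPLE_WHITELIST = ["10.10.1.1   # proxy, exempt from quota"]

if __name__ == "__main__":
    # usage: flow-cat ... | flow-report -v TYPE=ip-destination-address | python3 quota.py /root/netflow_white_list
    # (TYPE=ip-source-address gives the upload side with the same code)
    wl = load_whitelist(open(sys.argv[1])) if len(sys.argv) > 1 else []
    for addr, octets in over_quota(sys.stdin.read(), wl):
        print(addr, octets)
```

Run once per direction, exactly as the two pipelines do, and write the address column to the two quota files; if your flow-report output is comma-separated, change the split() in parse_flow_report accordingly.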

2016/01/11

Yesterday I came across a nice tool, fastnetmon
https://github.com/pavel-odintsov/fastnetmon
It can take netflow, sflow or port-mirror data and compute pps, mbps and flow counts;
when a configured limit is reached
it can raise an alert or run a specific action.
Installation is simple.
After installing CentOS 7:

wget https://raw.githubusercontent.com/pavel-odintsov/fastnetmon/master/src/fastnetmon_install.pl -Ofastnetmon_install.pl

perl fastnetmon_install.pl

This pulls in the packages it needs (it runs as root and installs software, so read the script before running it).
Afterwards edit /etc/fastnetmon.conf as required.
Also find notify_about_attack.sh under /tmp,
cp it to /usr/local/bin/ and edit it as required.

If you use a port mirror, the NIC must be put into promiscuous mode;
add to /etc/rc.local:
/usr/sbin/ifconfig eth1 promisc

Then enable fastnetmon at boot:

systemctl enable fastnetmon

The following program shows the live status:
/opt/fastnetmon/fastnetmon_client


2015/08/06

I originally wanted to move psad onto the snort box,
but after entering the iptables rules, the NIC receiving the port mirror never produced any log.
Checking the documentation:
iptables apparently cannot log in a port-mirror setup;
packets have to actually flow through the box to be logged,
as in the figure below.
The reason is that mirrored frames carry somebody else's destination MAC address; the kernel IP layer drops those before any netfilter hook runs, which is why the other tools in these notes read the mirror port with a packet capture library instead.


2013/05/14

Here is how to configure RSPAN.

Prerequisite: the two switches must be connected by a trunk that carries the RSPAN VLAN;
it does not work across a routed link.

Example: using RSPAN to monitor the port on switch A that connects to the server:
  switch A configuration:
  !
  vlan 925
  remote-span
  monitor session 1 source interface FastEthernet1/1 both
  monitor session 1 destination remote vlan 925
  !
  switch B configuration:
  !
  vlan 925
  remote-span
  monitor session 1 source remote vlan 925
  monitor session 1 destination interface Fastethernet 2/2

If another port on switch B also needs to be monitored,

add

monitor session 2 source interface Gi1/1
monitor session 2 destination remote vlan 925

which also dumps the traffic of Gi1/1 into VLAN 925,

and VLAN 925 is then pulled out again at the destination port.

In other words, VLAN 925 acts as a pool
that spans the switches; every switch involved must define VLAN 925 and mark it remote-span.
All traffic to be monitored is put into it
and pulled out at the end.

http://tc.wangchao.net.cn/bbs/detail_1628933.html

RSPAN cannot be used in a routed topology;
ERSPAN is needed for that.