Requirement:

There is a batch of high-risk users whose account logins need to be monitored in real time. Since an audit rule for user login accounts has already been written, we only need to use the **Wazuh CDB list** feature here (its main use case is building allow/deny lists of users, IPs or domain names) to consume the data produced by that audit rule.
- Create the list

```
$ more blacklist
admin:
root:
administrator:
```

- Add the list file to ossec.conf

```
$ more ossec.conf
<ossec_config>
  <ruleset>
    <!-- User-defined CDB list -->
    <list>etc/lists/blacklist</list>
  </ruleset>
</ossec_config>
```

- Compile the list

```
$ /var/ossec/bin/ossec-makelists
 * File etc/lists/blacklist.cdb needs to be updated
```

- Restart the service

```
$ sudo systemctl restart wazuh-manager
```

- Configure the rule

```xml
<group name="local,blacklist,">
    <rule id="100163" level="12">
        <if_sid>100303</if_sid>
        <list field="http.email" lookup="match_key">etc/lists/blacklist</list>
        <description>Wazuh Rules - High-risk user login detected. $(src_ip) -> $(http.email) -> $(http.hostname) -> $(http.url) = $(http.results).</description>
        <options>no_full_log</options>
        <group>blacklist,</group>
    </rule>
</group>
```

- Test the rule

```
$ ./ossec-logtest
2019/10/18 15:06:47 ossec-testrule: INFO: Started (pid: 2184).
ossec-testrule: Type one log per line.

**Phase 3: Completed filtering (rules).
       Rule id: '100163'
       Level: '12'
       Description: 'Wazuh Rules - High-risk user login detected. 1.1.1.1 -> admin -> canon88.github.io -> /user/login = success.'
**Alert to be generated.
```
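As an added example (not from the original post and not Wazuh's own code), the Python below models offline how rule 100163 consumes the list: it parses the `key:value` list file, applies a `match_key` lookup on the decoded `http.email` field, and expands the `$(field)` placeholders of the description into the same alert text the logtest run shows. It assumes the parent rule 100303 has already matched, that `match_key` compares the field value with the list keys exactly (case-sensitive), and uses a constructed event copied from the logtest output above.

```python
import re
from typing import Dict, Optional

# Constructed copy of the page's etc/lists/blacklist: CDB lines are key:value,
# here with empty values because only the key (the account name) matters.
BLACKLIST_TEXT = "admin:\nroot:\nadministrator:\n"

# Description template copied from rule 100163 above.
DESCRIPTION = ("Wazuh Rules - High-risk user login detected. "
               "$(src_ip) -> $(http.email) -> $(http.hostname) -> "
               "$(http.url) = $(http.results).")

def parse_cdb_list(text: str) -> Dict[str, str]:
    """Parse key:value lines into a dict. Blank lines are skipped; the key is
    everything before the first colon, the rest is the (possibly empty) value."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries

def match_key(cdb: Dict[str, str], event: Dict[str, str], field: str) -> bool:
    """Model of <list field=... lookup="match_key">: the decoded field must be
    present and its value must equal one of the list keys (assumed exact match)."""
    value = event.get(field)
    return value is not None and value in cdb

def render_description(template: str, event: Dict[str, str]) -> str:
    """Expand $(name) placeholders from decoded fields; unknown ones are left as-is."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: event.get(m.group(1), m.group(0)), template)

def evaluate_rule(event: Dict[str, str]) -> Optional[str]:
    """Return the alert description if rule 100163 fires, else None.
    The parent rule (if_sid 100303) is assumed to have matched already."""
    cdb = parse_cdb_list(BLACKLIST_TEXT)
    if not match_key(cdb, event, "http.email"):
        return None
    return render_description(DESCRIPTION, event)

if __name__ == "__main__":
    sample = {"src_ip": "1.1.1.1", "http.email": "admin", "http.hostname": "canon88.github.io",
              "http.url": "/user/login", "http.results": "success"}  # constructed event
    print(evaluate_rule(sample), evaluate_rule({**sample, "http.email": "alice"}))
```

Running it prints the alert text for `admin` and `None` for an account that is not a list key, which is the check to run before adding new entries to the list.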