【主机入侵检测】Wazuh解码器之JSON解码器
前言
Wazuh 是一个开源的安全平台,它使用解码器(decoders)来从接收到的日志消息中提取信息。解码器将日志信息分割成字段,以便进行分析。Wazuh 解码器使用 XML 语法,允许用户指定日志数据应该如何被解析和规范化。解码器的工作分为两个阶段:预解码(pre-decoding)和解码(decoding)。在预解码阶段,如果存在类似 syslog 的头部,会提取时间戳、主机名和程序名等一般信息。在随后的解码阶段,解码器解析并解释剩余的日志数据,提取更多相关信息。
Wazuh 内置了一个专门用于 JSON 格式日志的 JSON 解码器。用户还可以创建自定义解码器,以适应特定的需求并提高检测能力。
JSON 解码器
JSON解码器能够提取数字、字符串、布尔值、空值、数组和对象等数据类型。提取的字段被存储为动态字段(即不属于Wazuh内置类型字段),可以被规则引用。下面示例展示Wazuh对Suricata(开源的网络入侵检测)生成的告警日志进行解码操作,Suricata告警日志为JSON格式。
Suricata日志
{
“timestamp”: “2023-05-02T17:46:48.515262+0000”,
“flow_id”: 1234,
“in_iface”: “eth0”,
“event_type”: “alert”,
“src_ip”: “16.10.10.10”,
“src_port”: 5555,
“dest_ip”: “16.10.10.11”,
“dest_port”: 80,
“proto”: “TCP”,
“alert”: {
“action”: “allowed”,
“gid”: 1,
“signature_id”: 2019236,
“rev”: 3,
“signature”: “ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number”,
“category”: “Attempted Administrator Privilege Gain”,
“severity”: 1
},
“payload”: “21YW5kXBtgdW5zIGRlcHJY2F0QgYWI”,
“payload_printable”: “this_is_an_example”,
“stream”: 0,
“host”: “suricata.com”
}
JSON解码器无需依赖Suricata解码器即可从JSON日志中提取每个字段的内容。接下来,我们可以在Wazuh服务器上运行Wazuh自带的wazuh-logtest工具来解析这段日志,该工具会将预解码、解码阶段和规则匹配结果输出到终端,方便我们学习解码器运行过程。该工具默认在/var/ossec/bin/wazuh-logtest路径下。下面是该工具对日志解析结果:
Type one log per line
{"timestamp":"2023-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"21YW5kXBtgdW5zIGRlcHJY2F0QgYWI","payload_printable":"this_is_an_example","stream":0,"host":"suricata.com"}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
alert.action: 'allowed'
alert.category: 'Attempted Administrator Privilege Gain'
alert.gid: '1'
alert.rev: '3'
alert.severity: '1'
alert.signature: 'ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
alert.signature_id: '2019236'
dest_ip: '16.10.10.11'
dest_port: '80'
event_type: 'alert'
flow_id: '1234'
host: 'suricata.com'
in_iface: 'eth0'
payload: '21YW5kXBtgdW5zIGRlcHJY2F0QgYWI'
payload_printable: 'this_is_an_example'
proto: 'TCP'
src_ip: '16.10.10.10'
src_port: '5555'
stream: '0'
timestamp: '2023-05-02T17:46:48.515262+0000'
**Phase 3: Completed filtering (rules).
id: '86601'
level: '3'
description: 'Suricata: Alert - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number'
groups: '['ids', 'suricata']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Wazuh解码器的预解码阶段和解码阶段的解码结果分别对应着上面(Phase 1和Phase 2),规则匹配阶段为(Phase 3)。通过查看每个阶段的输出我们可以看到,Wazuh在预解码和解码阶段已经成功的将Suricata日志中关键信息提取,并且在规则匹配阶段命中了ID为86601的规则。
偏移(offset)
Wazuh解码器的offset属性允许解码器跳过日志的一部分来进行解码操作。此机制适用于所解码的日志中既包含JSON格式数据,还包含其它类型的数据。例如,我们收到一段日志如下所示,既包含JSON数据,也包含日志的元信息。
2018 Apr 04 13:11:52 nba_program: this_is_an_example: " player_information: "{ “name”: “Stephen”, “surname”: “Curry”, “team”: “Golden State Warriors”, “number”: 30, “position”: “point guard”}
分析上面的日志信息,真正的JSON格式数据是字符串"player_information"之后的信息,我们需要告诉JSON解码器从该字符串开始进行解码操作。下面是我们通过配置offset属性来完成跳过功能。
<decoder name="raw_json">
<program_name>nba_program</program_name>
<prematch>player_information: "</prematch>
<plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
重点关注<prematch>标签和<plugin_decoder offset=“after_prematch”>标签,其它的标签含义会在后面的文章中介绍。前者表示该解码器要想执行解码操作,日志中必须包含"player_information: "字符串。后者表示使用JSON_Decoder作为解码插件,解码所匹配的日志,offset属性表示跳过<prematch>所匹配的字符串,即"player_information: "。
配置好解码器后使用wazuh-logtest工具解析解析这段日志结果如下:
Type one log per line
2018 Apr 04 13:11:52 nba_program: this_is_an_example: " player_information: "{ "name": "Stephen", "surname": "Curry", "team": "Golden State Warriors", "number": 30, "position": "point guard"}
**Phase 1: Completed pre-decoding.
full event: '2018 Apr 04 13:11:52 nba_program: this_is_an_example: " player_information: "{ "name": "Stephen", "surname": "Curry", "team": "Golden State Warriors", "number": 30, "position": "point guard"}'
timestamp: '2018 Apr 04 13:11:52'
program_name: 'nba_program'
**Phase 2: Completed decoding.
name: 'raw_json'
name: 'Stephen'
number: '30'
position: 'point guard'
surname: 'Curry'
team: 'Golden State Warriors'
正是我们期望的结果,JSON解码器会忽略掉日志中非JSON格式的日志内容。