
[Web log #1] CentOS 6.3 + OSSEC + Splunk (about as simple an install as it gets)

파이s 2013. 1. 2. 17:36

Step 1: [ OSSEC install ]

root#] wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

root#] tar xvfz ossec-hids-2.7.tar.gz

root#] cd ossec-hids-2.7

root#] ./install.sh

1- What kind of installation do you want (server, agent, local or help)? local <- for server mode, see the manual

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
 - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]: n  <- e-mail alerts (I chose No)
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y <- run the integrity check daemon
     - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y <- run the rootkit detection engine
     - Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response
   - Do you want to enable active response? (y/n) [y]: y <- active response
   - Active response enabled.
   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).

   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.
   - Do you want to enable the firewall-drop response? (y/n) [y]: y <- enable the firewall-drop response (blocks the offending host in iptables)
   - firewall-drop enabled (local) for levels >= 6
   - Default white list for the active response:

   - Do you want to add more IPs to the white list? (y/n)? [n]: n -> add more IPs to the whitelist

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/xferlog
    -- /var/log/maillog
    -- /var/log/squid/access.log -> log files to analyze

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .



Step 2: [ OSSEC rule update ]

root#] cd ossec-hids-2.7

root#] ./install.sh


Step 3: [ OSSEC web ui install ]

root#] wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz

root#] tar -zxvf ossec-wui-0.3.tar.gz

root#] mv ossec-wui-0.3 /var/www/html/ossec/ (html directory)

root#] /var/www/html/ossec/setup.sh

 

root#] usermod -G ossec apache

root#] service iptables stop

root#] /var/ossec/bin/ossec-control restart

root#] service httpd restart

 

--> check at http://host/ossec/


Step 4: [ Splunk install ] - seems to be free up to 500M.

download ] http://www.splunk.com/  (sign up, then download the Linux version)

- I downloaded splunk-5.0.1-143156-Linux-i686.tgz

 

root #] tar zxvf splunk-5.0.1-143156-Linux-i686.tgz -C /opt

root #] /opt/splunk/bin/splunk start

~~~~ read the license and... it just gets installed ~~~

--> check at http://host:8000/ (default id : admin / passwd : changeme)



Step 5: result

- Example of indexing only the OSSEC alert log

(Above 500M they charge, apparently;;; it looks excellent and I would like to buy it, but... word on the forums is that since a domestic distributor appeared the price has gone well above the original cost... given the nature of my company... no matter how good it is, if it is expensive it is useless)

- After using it a little... this seems to be the advantage... it should be very convenient as a lightweight log analysis tool

- The reason is... move an urgently received log file onto the virtual machine where Splunk is installed, add an index in Splunk, and the job is done easily. Wouldn't that make it a portable log analyzer?... I think that is meaningful enough

- But here there is a critical!!! problem...... no money to buy Splunk..... I hear one copy costs in the thousands in Korean won... I will need to get a detailed quote;;;;


=======================================

 

[ other - ossec logs ]

- The log files are listed below. For details, see the manual at www.ossec.net

/var/ossec/logs/ossec.log

/var/ossec/active-response/ossec-hids-responses.log

/var/ossec/logs/alerts/alerts.log


[ other - ossec monitoring mode ]

- After installation, if you run nmap or some other port scan, after a while you will no longer be able to connect

- The reason is that when the system judges it to be an attack, it blocks that IP

- If you only want to monitor, edit the configuration as shown below

root#] vim /var/ossec/etc/ossec.conf

 <!-- Active Response Config -->
 <active-response>
   <!-- This response is going to execute the host-deny
      - command for every event that fires a rule with
      - level (severity) >= 6.
      - The IP is going to be blocked for 600 seconds.
     -->
   <disabled>yes</disabled>      <--------------- added
   <command>host-deny</command>
   <location>local</location>
   <level>6</level>
   <timeout>600</timeout>        <--------------- this is the block duration
 </active-response>

 <active-response>
   <disabled>yes</disabled>      <--------------- added
   <command>firewall-drop</command>
   <location>local</location>
   <level>6</level>
   <timeout>600</timeout>        <--------------- this is the block duration
 </active-response>
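Before restarting OSSEC it is worth confirming that every active-response block really carries <disabled>yes</disabled>, because a single block left enabled will still drop scanners. The following Python checker is an added example, not part of the original post and not OSSEC's own tooling; it assumes the standard ossec.conf layout shown above and uses a constructed sample in which only host-deny has been disabled, so the firewall-drop block is reported as still active.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment: the two <active-response> blocks from
# the post, but only the first one has <disabled>yes</disabled> added, so the
# firewall-drop response would still block hosts.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <!-- Active Response Config -->
  <active-response>
    <disabled>yes</disabled>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def parse_active_responses(conf_text):
    """Return one dict per <active-response> block (child tag -> text).

    ossec.conf may contain several top-level <ossec_config> elements, so the
    text is wrapped in a dummy root before parsing; XML comments are skipped.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = []
    for ar in root.iter("active-response"):
        entry = {child.tag: (child.text or "").strip() for child in ar}
        # A block only blocks hosts when it is not explicitly disabled.
        entry["active"] = entry.get("disabled", "no").lower() != "yes"
        blocks.append(entry)
    return blocks


def still_blocking(conf_text):
    """Commands that would still fire; an empty list means monitor-only mode."""
    return [b.get("command", "?") for b in parse_active_responses(conf_text)
            if b["active"]]


if __name__ == "__main__":
    # Pass the real config path (e.g. /var/ossec/etc/ossec.conf) to audit a live install.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OSSEC_CONF
    for b in parse_active_responses(text):
        state = "ACTIVE" if b["active"] else "disabled"
        print(f"{b.get('command', '?'):14} level>={b.get('level', '?')} "
              f"timeout={b.get('timeout', '?')}s  {state}")
    print("monitor-only" if not still_blocking(text) else "still blocking hosts")
```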


[ other - ossec daemon ]

- To start OSSEC automatically at boot, append the start command to rc.local:

[root# ossec]# vi /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
export LANG=ko_KR.eucKR
export LC_ALL=ko_KR.eucKR

#ossec start
/var/ossec/bin/ossec-control start

[root# ossec]# cat /etc/rc.d/rc.local   <- verify the result

 

 

<< Reference URLs >>

http://docs.splunk.com/Documentation/Splunk/5.0.1/Installation/InstallonLinux

http://blog.naver.com/junix?Redirect=Log&logNo=80029642579

http://blog.naver.com/junix?Redirect=Log&logNo=80170868011

http://www.ossec.net/?page_id=19

http://splunk-base.splunk.com/

http://www.dt.co.kr/contents.htm?article_no=2003052902013160686001 (web log analysis tools - news article)

http://dev.kthcorp.com/2012/05/10/data-collect-search-indexing-splunk-review/

http://intellavis.com/blog/?p=201 (SIEM)


Attachment: Splunk-5.0.1-Installation.pdf