Wazuh IDS: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 61: | Zeile 61: | ||
* Öffne im Dashboard ''Threat Hunting'' und filtere auf ''rule.groups: suricata'' | * Öffne im Dashboard ''Threat Hunting'' und filtere auf ''rule.groups: suricata'' | ||
* Der Alert "ICMP Test" muss erscheinen | * Der Alert "ICMP Test" muss erscheinen | ||
| + | ===Tests von Desktop=== | ||
| + | <pre> | ||
===Tests von Desktop=== | ===Tests von Desktop=== | ||
<pre> | <pre> | ||
| Zeile 68: | Zeile 70: | ||
# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body | # HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body | ||
| − | # Test: curl -X POST http://www. | + | # Test: curl -X POST http://www.dkbi.com/host.php --data-urlencode "fqdn=example.com;ls" -d "submit=Auflösen" |
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:9000002;) | alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:9000002;) | ||
# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body | # HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body | ||
| − | # Test: curl -X POST http://www. | + | # Test: curl -X POST http://www.dkbi.com/sql-classic.php --data-urlencode "username=' OR '1'='1' --" |
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:9000003;) | alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:9000003;) | ||
| Zeile 80: | Zeile 82: | ||
# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich) | # DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich) | ||
| − | # Test: ab -n 1000 -c 500 http://www. | + | # Test: ab -n 1000 -c 500 http://www.dkbi.com/ |
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:9000054; rev:2;) | alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:9000054; rev:2;) | ||
# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit) | # Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit) | ||
| − | # Test: nmap -sS -p1-100 | + | # Test: nmap -sS -p1-100 172.26.52.11 |
alert tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;) | alert tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;) | ||
# Scan: TCP NULL-Scan (keine Flags gesetzt) | # Scan: TCP NULL-Scan (keine Flags gesetzt) | ||
| − | # Test: nmap -sN -p1-100 | + | # Test: nmap -sN -p1-100 172.26.52.11 |
alert tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;) | alert tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;) | ||
# Scan: UDP-Sweep mit leerer Payload | # Scan: UDP-Sweep mit leerer Payload | ||
| − | # Test: nmap -sU --min-rate=1000 | + | # Test: nmap -sU --min-rate=1000 172.26.52.11 |
alert udp any any -> any any (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:9000064; rev:1;) | alert udp any any -> any any (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:9000064; rev:1;) | ||
# Scan: ICMP Ping-Sweep (viele Echo-Requests) | # Scan: ICMP Ping-Sweep (viele Echo-Requests) | ||
| − | # Test: nmap -sn | + | # Test: nmap -sn 172.26.52.0/24 |
alert icmp any any -> any any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:9000065; rev:1;) | alert icmp any any -> any any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:9000065; rev:1;) | ||
# Brute Force SSH | # Brute Force SSH | ||
| − | # Test: hydra -l kit -P bad-passwords ssh:// | + | #g wget https://xinux.de/downloads/bad-passwords |
| + | # Test: hydra -l kit -P bad-passwords ssh://172.26.52.11 | ||
alert tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;) | alert tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;) | ||
# HTTP: sqlmap User-Agent erkennen | # HTTP: sqlmap User-Agent erkennen | ||
| − | # Test: sqlmap -u "http://www. | + | # Test: sqlmap -u "http://www.dkbi.com/sql-classic.php" --data "username=test" |
alert http any any -> any any (msg:"SQLmap Scanner detected"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:9000070; rev:1;) | alert http any any -> any any (msg:"SQLmap Scanner detected"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:9000070; rev:1;) | ||
# HTTP: curl User-Agent erkennen | # HTTP: curl User-Agent erkennen | ||
| − | # Test: curl http://www. | + | # Test: curl http://www.dkbi.com/host.php |
alert http any any -> any any (msg:"curl User-Agent detected"; http.user_agent; content:"curl"; nocase; classtype:policy-violation; sid:9000071; rev:1;) | alert http any any -> any any (msg:"curl User-Agent detected"; http.user_agent; content:"curl"; nocase; classtype:policy-violation; sid:9000071; rev:1;) | ||
# ICMP Tunnel - großes Payload | # ICMP Tunnel - großes Payload | ||
| − | # Test: ping -c 5 -s 500 | + | # Test: ping -c 5 -s 500 172.26.52.11 |
alert icmp any any -> any any (msg:"OWN ICMP Large Payload - possible tunnel"; itype:8; dsize:>200; classtype:misc-attack; sid:9000072; rev:1;) | alert icmp any any -> any any (msg:"OWN ICMP Large Payload - possible tunnel"; itype:8; dsize:>200; classtype:misc-attack; sid:9000072; rev:1;) | ||
# TCP SYN Flood | # TCP SYN Flood | ||
| − | # Test: hping3 -S --flood -V -p 80 | + | # Test: hping3 -S --flood -V -p 80 172.26.52.11 |
alert tcp any any -> any any (msg:"TCP SYN Flood Potential Detected"; flags:S; threshold: type both, track by_dst, count 150, seconds 10; classtype:misc-attack; sid:9000073; rev:1;) | alert tcp any any -> any any (msg:"TCP SYN Flood Potential Detected"; flags:S; threshold: type both, track by_dst, count 150, seconds 10; classtype:misc-attack; sid:9000073; rev:1;) | ||
# SSH Connection Attempt | # SSH Connection Attempt | ||
| − | # Test: ssh root@ | + | # Test: ssh root@172.26.52.11 |
alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; content:"SSH"; nocase; classtype:misc-activity; sid:9000074; rev:1;) | alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; content:"SSH"; nocase; classtype:misc-activity; sid:9000074; rev:1;) | ||
| + | |||
| + | </pre> | ||
| + | [[Kategorie:WAZUH]] | ||
| + | [[Kategorie:Suricata]] | ||
</pre> | </pre> | ||
[[Kategorie:WAZUH]] | [[Kategorie:WAZUH]] | ||
[[Kategorie:Suricata]] | [[Kategorie:Suricata]] | ||
Version vom 2. Juli 2026, 07:15 Uhr
Wazuh-Agent auf dem IDS (Suricata)
Der IDS ids.dkbi.com läuft als reiner Sensor am OVS-Mirror-Port und liefert die East-West-Telemetrie an das SIEM. Er sammelt und überträgt, führt aber keine Active Response aus:
- IDS — Suricata-eve-Feed (/var/log/suricata/eve.json, Alerts aus der local.rules)
Suricata-Decoder und -Regeln (Rule-IDs ab 86600) bringt Wazuh bereits mit. Der Agent ist hier ausschließlich Transport für eve.json an den Manager wazuh.dkbi.com.
Repository einrichten
- GPG-Schlüssel importieren
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
- Repository hinzufügen
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
apt update
Agent installieren
- Agent mit Manager-Adresse und Namen installieren
WAZUH_MANAGER="wazuh.dkbi.com" WAZUH_AGENT_NAME="ids" apt install -y wazuh-agent
- Dienst aktivieren und starten
systemctl daemon-reload
systemctl enable --now wazuh-agent
- Repository deaktivieren (verhindert ungewollte Updates)
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt update
- Öffne das Wazuh-Dashboard, gehe zu Agent Management → Summary und prüfe, ob der Agent ids mit Status Active erscheint
eve.json anbinden
Der Suricata-Feed wird als statische localfile-Sektion eingebunden.
- Ergänze in /var/ossec/etc/ossec.conf folgenden Block:
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
Leserechte für den Agent
Suricata schreibt eve.json standardmäßig mit 0640 root:root — der wazuh-User kommt nicht heran und es werden keine Ereignisse übertragen.
- Zugriff testen
- sudo -u wazuh cat /var/log/suricata/eve.json > /dev/null
- Bei Permission denied in /etc/suricata/suricata.yaml unter outputs: eve-log: den Dateimodus setzen:
filetype: regular filename: eve.json filemode: 0644
- Suricata und Agent neu starten
systemctl restart suricata
systemctl restart wazuh-agent
Kontrolle
- Löse den Funktionstest aus (ICMP-Regel sid:9000041):
ping -c1 1.1.1.1
- Öffne im Dashboard Threat Hunting und filtere auf rule.groups: suricata
- Der Alert "ICMP Test" muss erscheinen
Tests von Desktop
===Tests von Desktop=== <pre> # ICMP: einfacher Ping/Traceroute (schneller Funktionstest) # Test: ping -c 1 1.1.1.1 alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:9000041;) # HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body # Test: curl -X POST http://www.dkbi.com/host.php --data-urlencode "fqdn=example.com;ls" -d "submit=Auflösen" alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:9000002;) # HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body # Test: curl -X POST http://www.dkbi.com/sql-classic.php --data-urlencode "username=' OR '1'='1' --" alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:9000003;) # DNS: Policy - verbietet "google" in DNS-Queries # Test: host google.de alert dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:9000043;) # DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich) # Test: ab -n 1000 -c 500 http://www.dkbi.com/ alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:9000054; rev:2;) # Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit) # Test: nmap -sS -p1-100 172.26.52.11 alert tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;) # Scan: TCP NULL-Scan (keine Flags gesetzt) # Test: nmap -sN -p1-100 172.26.52.11 alert tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;) # Scan: UDP-Sweep mit leerer Payload # Test: nmap -sU --min-rate=1000 172.26.52.11 alert udp any any -> any any (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:9000064; rev:1;) # Scan: ICMP Ping-Sweep (viele Echo-Requests) # Test: nmap -sn 172.26.52.0/24 alert icmp any any -> any any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:9000065; rev:1;) # Brute Force SSH #g wget https://xinux.de/downloads/bad-passwords # Test: hydra -l kit -P bad-passwords ssh://172.26.52.11 alert tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;) # HTTP: sqlmap User-Agent erkennen # Test: sqlmap -u "http://www.dkbi.com/sql-classic.php" --data "username=test" alert http any any -> any any (msg:"SQLmap Scanner detected"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:9000070; rev:1;) # HTTP: curl User-Agent erkennen # Test: curl http://www.dkbi.com/host.php alert http any any -> any any (msg:"curl User-Agent detected"; http.user_agent; content:"curl"; nocase; classtype:policy-violation; sid:9000071; rev:1;) # ICMP Tunnel - großes Payload # Test: ping -c 5 -s 500 172.26.52.11 alert icmp any any -> any any (msg:"OWN ICMP Large Payload - possible tunnel"; itype:8; dsize:>200; classtype:misc-attack; sid:9000072; rev:1;) # TCP SYN Flood # Test: hping3 -S --flood -V -p 80 172.26.52.11 alert tcp any any -> any any (msg:"TCP SYN Flood Potential Detected"; flags:S; threshold: type both, track by_dst, count 150, seconds 10; classtype:misc-attack; sid:9000073; rev:1;) # SSH Connection Attempt # Test: ssh root@172.26.52.11 alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; content:"SSH"; nocase; classtype:misc-activity; sid:9000074; rev:1;)