Wazuh IDS: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 61: Zeile 61:
 
* Öffne im Dashboard ''Threat Hunting'' und filtere auf ''rule.groups: suricata''
 
* Öffne im Dashboard ''Threat Hunting'' und filtere auf ''rule.groups: suricata''
 
* Der Alert "ICMP Test" muss erscheinen
 
* Der Alert "ICMP Test" muss erscheinen
 +
===Tests von Desktop===
 +
<pre>
 
===Tests von Desktop===
 
===Tests von Desktop===
 
<pre>
 
<pre>
Zeile 68: Zeile 70:
  
 
# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
 
# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
# Test: curl -X POST http://www.it213.int/host.php --data-urlencode "fqdn=example.com;ls" -d "submit=Auflösen"
+
# Test: curl -X POST http://www.dkbi.com/host.php --data-urlencode "fqdn=example.com;ls" -d "submit=Auflösen"
 
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:9000002;)
 
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:9000002;)
  
 
# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
 
# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
# Test: curl -X POST http://www.it213.int/sql-classic.php --data-urlencode "username=' OR '1'='1' --"
+
# Test: curl -X POST http://www.dkbi.com/sql-classic.php --data-urlencode "username=' OR '1'='1' --"
 
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:9000003;)
 
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:9000003;)
  
Zeile 80: Zeile 82:
  
 
# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
 
# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
# Test: ab -n 1000 -c 500 http://www.it213.int/
+
# Test: ab -n 1000 -c 500 http://www.dkbi.com/
 
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:9000054; rev:2;)
 
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:9000054; rev:2;)
  
 
# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
 
# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
# Test: nmap -sS -p1-100 10.88.213.21
+
# Test: nmap -sS -p1-100 172.26.52.11
 
alert tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;)
 
alert tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;)
  
 
# Scan: TCP NULL-Scan (keine Flags gesetzt)
 
# Scan: TCP NULL-Scan (keine Flags gesetzt)
# Test: nmap -sN -p1-100 10.88.213.21
+
# Test: nmap -sN -p1-100 172.26.52.11
 
alert tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;)
 
alert tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;)
  
 
# Scan: UDP-Sweep mit leerer Payload
 
# Scan: UDP-Sweep mit leerer Payload
# Test: nmap -sU --min-rate=1000 10.88.213.21
+
# Test: nmap -sU --min-rate=1000 172.26.52.11
 
alert udp any any -> any any (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:9000064; rev:1;)
 
alert udp any any -> any any (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:9000064; rev:1;)
  
 
# Scan: ICMP Ping-Sweep (viele Echo-Requests)
 
# Scan: ICMP Ping-Sweep (viele Echo-Requests)
# Test: nmap -sn 10.88.213.0/24
+
# Test: nmap -sn 172.26.52.0/24
 
alert icmp any any -> any any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:9000065; rev:1;)
 
alert icmp any any -> any any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:9000065; rev:1;)
  
 
# Brute Force SSH
 
# Brute Force SSH
# Test: hydra -l kit -P bad-passwords ssh://10.88.213.21
+
#g wget https://xinux.de/downloads/bad-passwords
 +
# Test: hydra -l kit -P bad-passwords ssh://172.26.52.11
 
alert tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;)
 
alert tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;)
  
 
# HTTP: sqlmap User-Agent erkennen
 
# HTTP: sqlmap User-Agent erkennen
# Test: sqlmap -u "http://www.it213.int/sql-classic.php" --data "username=test"
+
# Test: sqlmap -u "http://www.dkbi.com/sql-classic.php" --data "username=test"
 
alert http any any -> any any (msg:"SQLmap Scanner detected"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:9000070; rev:1;)
 
alert http any any -> any any (msg:"SQLmap Scanner detected"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:9000070; rev:1;)
  
 
# HTTP: curl User-Agent erkennen
 
# HTTP: curl User-Agent erkennen
# Test: curl http://www.it213.int/host.php
+
# Test: curl http://www.dkbi.com/host.php
 
alert http any any -> any any (msg:"curl User-Agent detected"; http.user_agent; content:"curl"; nocase; classtype:policy-violation; sid:9000071; rev:1;)
 
alert http any any -> any any (msg:"curl User-Agent detected"; http.user_agent; content:"curl"; nocase; classtype:policy-violation; sid:9000071; rev:1;)
  
 
# ICMP Tunnel - großes Payload
 
# ICMP Tunnel - großes Payload
# Test: ping -c 5 -s 500 10.88.213.21
+
# Test: ping -c 5 -s 500 172.26.52.11
 
alert icmp any any -> any any (msg:"OWN ICMP Large Payload - possible tunnel"; itype:8; dsize:>200; classtype:misc-attack; sid:9000072; rev:1;)
 
alert icmp any any -> any any (msg:"OWN ICMP Large Payload - possible tunnel"; itype:8; dsize:>200; classtype:misc-attack; sid:9000072; rev:1;)
  
 
# TCP SYN Flood
 
# TCP SYN Flood
# Test: hping3 -S --flood -V -p 80 10.88.213.21
+
# Test: hping3 -S --flood -V -p 80 172.26.52.11
 
alert tcp any any -> any any (msg:"TCP SYN Flood Potential Detected"; flags:S; threshold: type both, track by_dst, count 150, seconds 10; classtype:misc-attack; sid:9000073; rev:1;)
 
alert tcp any any -> any any (msg:"TCP SYN Flood Potential Detected"; flags:S; threshold: type both, track by_dst, count 150, seconds 10; classtype:misc-attack; sid:9000073; rev:1;)
  
 
# SSH Connection Attempt
 
# SSH Connection Attempt
# Test: ssh root@10.88.213.21
+
# Test: ssh root@172.26.52.11
 
alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; content:"SSH"; nocase; classtype:misc-activity; sid:9000074; rev:1;)
 
alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; content:"SSH"; nocase; classtype:misc-activity; sid:9000074; rev:1;)
  
 +
 +
</pre>
 +
[[Kategorie:WAZUH]]
 +
[[Kategorie:Suricata]]
  
 
</pre>
 
</pre>
 
[[Kategorie:WAZUH]]
 
[[Kategorie:WAZUH]]
 
[[Kategorie:Suricata]]
 
[[Kategorie:Suricata]]

Version vom 2. Juli 2026, 07:15 Uhr

Wazuh-Agent auf dem IDS (Suricata)

Der IDS ids.dkbi.com läuft als reiner Sensor am OVS-Mirror-Port und liefert die East-West-Telemetrie an das SIEM. Er sammelt und überträgt, führt aber keine Active Response aus:

  • IDS — Suricata-eve-Feed (/var/log/suricata/eve.json, Alerts aus der local.rules)

Suricata-Decoder und -Regeln (Rule-IDs ab 86600) bringt Wazuh bereits mit. Der Agent ist hier ausschließlich Transport für eve.json an den Manager wazuh.dkbi.com.

Repository einrichten

GPG-Schlüssel importieren
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
Repository hinzufügen
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
apt update

Agent installieren

Agent mit Manager-Adresse und Namen installieren
WAZUH_MANAGER="wazuh.dkbi.com" WAZUH_AGENT_NAME="ids" apt install -y wazuh-agent
Dienst aktivieren und starten
systemctl daemon-reload
systemctl enable --now wazuh-agent
Repository deaktivieren (verhindert ungewollte Updates)
sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list
apt update
  • Öffne das Wazuh-Dashboard, gehe zu Agent Management → Summary und prüfe, ob der Agent ids mit Status Active erscheint

eve.json anbinden

Der Suricata-Feed wird als statische localfile-Sektion eingebunden.

  • Ergänze in /var/ossec/etc/ossec.conf folgenden Block:
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
  

Leserechte für den Agent

Suricata schreibt eve.json standardmäßig mit 0640 root:root — der wazuh-User kommt nicht heran und es werden keine Ereignisse übertragen.

Zugriff testen
  • sudo -u wazuh cat /var/log/suricata/eve.json > /dev/null
  • Bei Permission denied in /etc/suricata/suricata.yaml unter outputs: eve-log: den Dateimodus setzen:
  filetype: regular
  filename: eve.json
  filemode: 0644
  
Suricata und Agent neu starten
systemctl restart suricata
systemctl restart wazuh-agent

Kontrolle

  • Löse den Funktionstest aus (ICMP-Regel sid:9000041):
  ping -c1 1.1.1.1
  
  • Öffne im Dashboard Threat Hunting und filtere auf rule.groups: suricata
  • Der Alert "ICMP Test" muss erscheinen

Tests von Desktop

===Tests von Desktop===
<pre>
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest)
# Test: ping -c 1 1.1.1.1
alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:9000041;)

# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
# Test: curl -X POST http://www.dkbi.com/host.php --data-urlencode "fqdn=example.com;ls" -d "submit=Auflösen"
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:9000002;)

# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
# Test: curl -X POST http://www.dkbi.com/sql-classic.php --data-urlencode "username=' OR '1'='1' --"
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:9000003;)

# DNS: Policy - verbietet "google" in DNS-Queries
# Test: host google.de
alert dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:9000043;)

# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
# Test: ab -n 1000 -c 500 http://www.dkbi.com/
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:9000054; rev:2;)

# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
# Test: nmap -sS -p1-100 172.26.52.11
alert tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;)

# Scan: TCP NULL-Scan (keine Flags gesetzt)
# Test: nmap -sN -p1-100 172.26.52.11
alert tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;)

# Scan: UDP-Sweep mit leerer Payload
# Test: nmap -sU --min-rate=1000 172.26.52.11
alert udp any any -> any any (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:9000064; rev:1;)

# Scan: ICMP Ping-Sweep (viele Echo-Requests)
# Test: nmap -sn 172.26.52.0/24
alert icmp any any -> any any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:9000065; rev:1;)

# Brute Force SSH
#g wget https://xinux.de/downloads/bad-passwords
# Test: hydra -l kit -P bad-passwords ssh://172.26.52.11
alert tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;)

# HTTP: sqlmap User-Agent erkennen
# Test: sqlmap -u "http://www.dkbi.com/sql-classic.php" --data "username=test"
alert http any any -> any any (msg:"SQLmap Scanner detected"; http.user_agent; content:"sqlmap"; nocase; classtype:web-application-attack; sid:9000070; rev:1;)

# HTTP: curl User-Agent erkennen
# Test: curl http://www.dkbi.com/host.php
alert http any any -> any any (msg:"curl User-Agent detected"; http.user_agent; content:"curl"; nocase; classtype:policy-violation; sid:9000071; rev:1;)

# ICMP Tunnel - großes Payload
# Test: ping -c 5 -s 500 172.26.52.11
alert icmp any any -> any any (msg:"OWN ICMP Large Payload - possible tunnel"; itype:8; dsize:>200; classtype:misc-attack; sid:9000072; rev:1;)

# TCP SYN Flood
# Test: hping3 -S --flood -V -p 80 172.26.52.11
alert tcp any any -> any any (msg:"TCP SYN Flood Potential Detected"; flags:S; threshold: type both, track by_dst, count 150, seconds 10; classtype:misc-attack; sid:9000073; rev:1;)

# SSH Connection Attempt
# Test: ssh root@172.26.52.11
alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; content:"SSH"; nocase; classtype:misc-activity; sid:9000074; rev:1;)