Sensitive directory/file Integrity Monitoring and Checking
catalogue
. OSSEC
. HashSentry: Host-Based IDS in Python
. Afick
. Detection flow
1. OSSEC
OSSEC is an Open Source Host-based Intrusion Detection System. It performs
. log analysis
. integrity checking
. Windows registry monitoring
. rootkit detection
. real-time alerting and active response
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
0x1: Improving File Integrity Monitoring with OSSEC
FIM, or "File Integrity Monitoring", can be defined as the process of validating the integrity of operating system and application files by computing a hash of each file with an algorithm like MD5 or SHA1 and comparing the current file state with a baseline. A hash allows detection of changes to a file's content, but other attributes can be checked too:
. owner
. permissions
. modification time
Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc.) but also application files (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:
. The baseline that the current file state is compared against must of course be trusted. To achieve this, it must be stored in a safe place where an attacker cannot find it and cannot alter it!
. The process must be fine-tuned to react only to important changes; otherwise there are two risks:
) Real suspicious changes will be hidden in the massive flow of false positives.
) People in charge of the review could miss interesting changes.
0x2: False positives
A side effect of file integrity monitoring is the number of false-positive alerts generated when patching your systems. Keeping up with the latest patch level is important, but a single new package can replace hundreds of files!
Relevant Link:
http://ossec.github.io/docs/
https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
2. HashSentry: Host-Based IDS in Python
HashSentry's modus operandi goes like this:
. The remote file system is mounted using sshfs
. A hashing algorithm is applied to the files and the result is compared with their known original hashes (hashes are learnt on the first run)
. Alerts are sent to the sysadmin if a file is modified or a new file appears

Relevant Link:
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
3. Afick
Afick is a fast and portable intrusion detection and integrity monitoring system, designed to work on all platforms (it only needs Perl and standard modules), including Windows, Linux and Unix.
The configuration syntax is very close to that of tripwire/aide.
0x1: Functionalities
. portable without any change to all common operating systems (Windows, UNIX ...)
. easy install: no need to compile or to install many other tools
. fast
. display new/deleted/modified files
. display dangling links
. may be used by any user
. any number of bases and configs
. config file with exceptions and jokers
. configuration file syntax close to aide's
. the command line is perfect on UNIX, but Windows users prefer graphical interfaces, so I added a Tk interface
Relevant Link:
https://sourceforge.net/projects/afick/
http://afick.sourceforge.net/
4. Detection flow
. Walk every file under the target directory
. Collect the file's metadata
) filepath
) hashsum
) gmt_create
) gmt_modified
. Compute the hash of filepath and look up the hash(filepath) record in SQLite; if no record is found, the file is new
) Additionally check whether this is the first run on this host (baseline establishment); if so, ignore the file
) If it is not the first run, report a new-file anomaly event
. If the hash(filepath) record is found in SQLite, fetch its gmt_create and gmt_modified and compare them with the current file's gmt_create and gmt_modified; if they are the same, the file has not been modified and is skipped
. If gmt_create/gmt_modified differ, the file may have been modified (merely opening it once in vim can also change gmt_create/gmt_modified), so compute the hash of the file's content and compare it with the hash stored in the hash(filepath) record; if they differ, the file was modified: report the record and update the SQLite cache entry
File integrity monitoring of sensitive directories is a general abstraction of malicious-software behaviour: whatever the particular malware is, to persist on Linux it will very likely write a new file under /etc/init.d/ or modify an existing one there.
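Putting the detection flow above into code, together with the owner/permission/mtime attributes that section 1 says a FIM should compare. This is an added example written for this page, not code from OSSEC, HashSentry or Afick. It assumes SHA-256 for both hash(filepath) and the content hash, takes st_ctime as the stand-in for gmt_create and st_mtime for gmt_modified, keeps the baseline in an SQLite table, and goes one step beyond the listed flow by also reporting deleted files, as Afick and HashSentry do. The demo() function builds a scratch directory of constructed sample files (not a real /etc/init.d), establishes the baseline, then applies a content change, a timestamp-only touch, a new file and a deletion before the second scan.

```python
# Added example, not code from OSSEC, HashSentry or Afick. Assumptions: SHA-256
# for both hashes; st_ctime stands in for "gmt_create", st_mtime for "gmt_modified".
import hashlib
import os
import shutil
import sqlite3
import stat
import tempfile

SCHEMA = """CREATE TABLE IF NOT EXISTS baseline (
    path_hash TEXT PRIMARY KEY, path TEXT NOT NULL, hashsum TEXT NOT NULL,
    gmt_create INTEGER NOT NULL, gmt_modified INTEGER NOT NULL,
    mode INTEGER NOT NULL, uid INTEGER NOT NULL)"""

def hash_path(path):
    """Record key: hash(filepath), as in the flow above."""
    return hashlib.sha256(path.encode("utf-8")).hexdigest()

def hash_file(path, chunk=1 << 16):
    """Content hash, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def file_meta(path):
    """(gmt_create, gmt_modified, mode, uid); lstat so symlinks are not followed."""
    st = os.lstat(path)
    return st.st_ctime_ns, st.st_mtime_ns, stat.S_IMODE(st.st_mode), st.st_uid

def scan(root, db):
    """Compare the tree under root with the baseline in db; return [(event, path)].
    An empty baseline means the first run on this host: learn, report nothing."""
    db.execute(SCHEMA)
    first_run = db.execute("SELECT COUNT(*) FROM baseline").fetchone()[0] == 0
    events, seen = [], set()
    for dirpath, _dirs, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            key = hash_path(path)
            seen.add(key)
            created, modified, mode, uid = file_meta(path)
            row = db.execute("SELECT hashsum, gmt_create, gmt_modified, mode, uid "
                             "FROM baseline WHERE path_hash = ?", (key,)).fetchone()
            if row is None:  # no hash(filepath) record: a new file
                if not first_run:
                    events.append(("new", path))
                db.execute("INSERT INTO baseline VALUES (?, ?, ?, ?, ?, ?, ?)",
                           (key, path, hash_file(path), created, modified, mode, uid))
                continue
            old_hash, old_created, old_modified, old_mode, old_uid = row
            if (old_created, old_modified) == (created, modified):
                continue  # timestamps unchanged: treat as untouched, skip hashing
            new_hash = hash_file(path)  # timestamps moved: edit or mere touch? hash decides
            if new_hash != old_hash:
                events.append(("modified", path))
            if (old_mode, old_uid) != (mode, uid):
                events.append(("attr_changed", path))  # owner/permission change
            db.execute("UPDATE baseline SET hashsum=?, gmt_create=?, gmt_modified=?, "
                       "mode=?, uid=? WHERE path_hash=?",
                       (new_hash, created, modified, mode, uid, key))  # refresh cache
    # Beyond the flow above (Afick/HashSentry report it): baseline entries that vanished.
    for key, path in db.execute("SELECT path_hash, path FROM baseline").fetchall():
        if key not in seen:
            events.append(("deleted", path))
            db.execute("DELETE FROM baseline WHERE path_hash = ?", (key,))
    db.commit()
    return events

def demo():
    """Constructed scenario in a scratch directory (sample files, not a real /etc/init.d).
    Returns (events of the first run, sorted events of the second run)."""
    root, db = tempfile.mkdtemp(prefix="fim_demo_"), sqlite3.connect(":memory:")
    try:
        paths = {n: os.path.join(root, n) for n in ("rc.local", "sshd", "cron")}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        first = scan(root, db)  # baseline build: nothing reported
        def bump_mtime(p):  # force a clearly different mtime (+1 s)
            t = os.stat(p).st_mtime_ns + 10**9
            os.utime(p, ns=(t, t))
        with open(paths["rc.local"], "a") as f:  # genuine content change
            f.write("echo changed\n")
        bump_mtime(paths["rc.local"])
        bump_mtime(paths["sshd"])  # timestamp only: must not be reported
        with open(os.path.join(root, "extra.sh"), "w") as f:  # new file
            f.write("#!/bin/sh\n")
        os.remove(paths["cron"])  # deleted file
        return first, sorted(scan(root, db))
    finally:
        db.close()
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

The timestamp-only touch on sshd is the case the last step of the flow is about: its hash is recomputed, found unchanged, nothing is reported, and only the cached timestamps are refreshed so the file is not re-hashed on the next run. The two caveats from section 1 still apply to this design: the SQLite baseline must live where whoever compromises the monitored host cannot rewrite it, and a tree that is patched often will legitimately produce many "modified" events.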
Relevant Link:
http://securityxploded.com/pymal.php
https://sourceforge.net/directory/os:windows/?q=file%20integrity%20check
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri
http://liw.iki.fi/liw/download/md5sum.py
https://github.com/clouserw/scripts/blob/master/md5verify.py
https://bbs.archlinux.org/viewtopic.php?id=83839
https://pypi.python.org/pypi/hsh/
Copyright (c) 2016 LittleHann All rights reserved