catalogue

. OSSEC

. HashSentry: Host-Based IDS in Python

. Afick

. 检测流程

1. OSSEC

OSSEC is an Open Source Host-based Intrusion Detection System. It performs

. log analysis

. integrity checking

. Windows registry monitoring

. rootkit detection

. real-time alerting and active response

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.

0x1: Improving File Integrity Monitoring with OSSEC

FIM or "File Integrity Monitoring" can be defined as the process of validating the integrity of operating system and applications files with a verification method using a hashing algorythm like MD5 or SHA1 and then comparing the current file state with a baseline. A hash will allow the detection of files content modification but other information can be checked too

. owner

. permissions

. modification time.

Implemeting file integrity monitoring is a very good way to detect compromized servers. Not only operating system files can be monitored (/etc on UNIX, registry on Windows, share libraries, etc) but also applications (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:

. The baseline used to be compared with the current file status must of course be trusted. To achieve this, it must be stored on a safe place where attacker cannot detect it and cannot alter it!

. The process must be fine tuned to react only on important changes otherwise they are two risks:

    ) The real suspicious changes will be hidden in the massive flow of false-positives.

    ) People in charge of the control could miss interesting changes.

0x2: false positive

A side effect of file integrity monitoring is the number of false positive alerts generated when patching your systems. Keeping the latest patch level is important but hundreds of files can be replaced only by one new package!

Relevant Link:

http://ossec.github.io/docs/

https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/

2. HashSentry: Host-Based IDS in Python

HashSentry modus operandi goes like this:

. The remote File System is mounted using sshfs

. A hashing algorithm is applied to files and compared with their known original hash. (Hashes are learnt on first run)

. Alerts are sent to the sysadmin in case a file is modified or a new file appears

Relevant Link:

http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor

3. Afick

Afick is a fast and portable intrusion detection and integrity monitoring system, designed to work on all platform (it only needs perl and standard modules), including windows, linux, unix.
The configuration syntax is very close from tripwire/aide

0x1: functionnalities

. portable without any change to all common operating systems (windows, UNIX ...)

. easy install : no need to compile or to install many others tools

. fast

. display new/deleted/modified files

. display dangling links

. may be used by any user

. any number of base and config

. config file with exceptions and jokers

. configuration file syntax close from aide's one

. command line is perfect on UNIX, but windows users prefer graphical interfaces, so I add a Tk interface

Relevant Link:

https://sourceforge.net/projects/afick/

http://afick.sourceforge.net/

4. 检测流程

. 遍历目标目录所有文件

. 获取meta信息

    ) filepath

    ) hashsum

    ) gmt_create

    ) gmt_modified

. 计算filepath的hash值,定位到sqlite里的hash(filepath)记录,如果未找到对应记录,则说明该文件是新增的

    ) 需要额外判断一下当前是否是本机第一次运行(基线建立),第一次运行则忽略

    ) 如果不是第一次运行,则上报异常文件新增事件

. 如果成功定位到定位到sqlite里的hash(filepath)记录,获取gmt_create、gmt_modified,比对和当前文件的gmt_create、gmt_modified是否相同,如果相同,则说明当前文件没有修改,则直接跳过

. 如果gmt_create、gmt_modified不一致,则说明有可能被修改了(因为可能vim打开一次也会导致gmt_create、gmt_modified的改变),计算对应文件内容的HASH值,并和hash(filepath)记录对应记录里的hash进行比对,如果不一致说明文件被修改了,上报该条记录,并更新sqlite缓存记录

敏感目录的文件完整性监控,是对恶意软件犯罪行为的一个普适抽象,即不管这是个什么马,在linux要实现持久存活,都有极大可能会往/etc/init.d/下面写入新文件,或者修改已有文件

Relevant Link:

http://securityxploded.com/pymal.php

https://sourceforge.net/directory/os:windows/?q=file%20integrity%20check

http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor

http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri

http://liw.iki.fi/liw/download/md5sum.py

https://github.com/clouserw/scripts/blob/master/md5verify.py

https://bbs.archlinux.org/viewtopic.php?id=83839

https://pypi.python.org/pypi/hsh/

Copyright (c) 2016 LittleHann All rights reserved

Sensitive directory/file Integrity Monitoring and Checking的更多相关文章

  1. mkdir: Cannot create directory /file. Name node is in safe mode.

    刚刚在hadoop想创建一个目录的时候,发现报错了 具体信息如下: [hadoop@mini1 hadoop-2.6.4]$ hadoop fs -mkdir /file mkdir: Cannot ...

  2. node.js delete directory & file system

    node.js delete directory & file system delete a not empty directory https://nodejs.org/api/fs.ht ...

  3. 文件操作总结 (Path,Directory,File)

    Path类就是对字符串的操作,与实际的文件没有任何关系 属性: Path.GetFileName("路径"), //获取文件名带后缀: Path.GetFileNameWithou ...

  4. 文件操作:Directory,File,FielStream、StreamRead和StreamWriter的使用

    Directory文件类,File,FielStream.StreamRead和StreamWriter的使用 (转载) 创建一个新文件 Directory.CreateDirectory(@&quo ...

  5. 文件夹文件遍历并插入数据库的操作,IO Directory File的递归操作

    在我们管理内容管理系统时,数据量大时,对机器的依赖性就比较强了,比如,我要将一个文件夹中的很多图片上传到网站,一个个上传会很花时间,就想到了通过遍历文件夹得到文件名,并将路径与文件保存到数据库中对应的 ...

  6. Magic Quadrant for Security Information and Event Management

    https://www.gartner.com/doc/reprints?id=1-4LC8PAW&ct=171130&st=sb Summary Security and risk ...

  7. wazhu之agent功能详解

      一.日志数据收集 日志数据收集是从服务器或设备生成的记录中收集的实时过程.此组件可以通过文本文件或Windows事件日志接收日志.它还可以通过远程syslog直接接收日志,这对防火墙和其他此类设备 ...

  8. Linux File System Change Monitoring Technology、Notifier Technology

    catalog . 为什么要监控文件系统 : hotplug . udev . fanotify(fscking all notification system) . inotify . code e ...

  9. Monitoring and Tuning the Linux Networking Stack: Receiving Data

    http://blog.packagecloud.io/eng/2016/06/22/monitoring-tuning-linux-networking-stack-receiving-data/ ...

随机推荐

  1. C#中日期和时间相加的方法

    可能对于初入此行业人来说有些困惑,实现起来有一丝复杂. 比如说时间是:2016-08-05 14:46:30,中间过了56秒钟.要求得出56秒之后的时间格式是:年月日时分秒 下面介绍最简单的办法, m ...

  2. swift 如何在IOS应用图标上添加消息数

    在应用图标右上角添加消息数提醒,可以很方便的告知用户该应用中有无新消息需要处理.下面用xcode 7.3.1来简要说明一下如何用swift语言进行此功能的实现. 1.修改 AppDelegate.sw ...

  3. safari cookie设置中文失败

    最近用H5进行手机端开发,由于是window操作系统,为了方便开发和调试,直接在chrome浏览器上进行测试,然后在android机上进行手机端测试,当功能基本完工后,原来在android上运行正常的 ...

  4. IIS初始化(预加载),解决第一次访问慢,程序池被回收问题

    你以为你可以慢,那是不可能的!你以为你可以不动,那也是不可能的! 河南是守株待兔故事情节的发源地,讲的是懒惰的农夫坐在树桩旁等待可爱的小毛兔撞树的故事,那么这种事情怎么可能天天出现呢!你以为的事并一定 ...

  5. java——HashMap的实现原理,自己实现简单的HashMap

    数据结构中有数组和链表来实现对数据的存储,但是数组存储区间是连续的,寻址容易,插入和删除困难:而链表的空间是离散的,因此寻址困难,插入和删除容易. 因此,综合了二者的优势,我们可以设计一种数据结构-- ...

  6. Arduino 1602液晶屏实验和程序

    在Arduino IDE中, 项目->加载库->管理库中搜索LiquidCrystal,然后安装即可 1.接线图 2.引脚图 3.最简单程序 #include <LiquidCrys ...

  7. STM32 按键输入

    #include "stm32f10x.h"#include "key.h" //按键初始化函数void KEY_Init(void) { GPIO_InitT ...

  8. Chrome 扩展机制

    据说,今年9月份开始,谷歌将在Chrome浏览器中全面禁用NPAPI插件,Chrome 45以后将无法再加载NPAPI插件,并推出了一种新的机制:扩展. 其实,如果把浏览器看作一块画布的话,NPAPI ...

  9. POJ 2356. Find a multiple 抽屉原理 / 鸽巢原理

    Find a multiple Time Limit: 1000MS   Memory Limit: 65536K Total Submissions: 7192   Accepted: 3138   ...

  10. HDOJ 2111. Saving HDU 贪心 结构体排序

    Saving HDU Time Limit: 3000/1000 MS (Java/Others)    Memory Limit: 32768/32768 K (Java/Others) Total ...