catalogue

. OSSEC
. HashSentry: Host-Based IDS in Python
. Afick
. Detection workflow

1. OSSEC

OSSEC is an Open Source Host-based Intrusion Detection System. It performs

. log analysis
. integrity checking
. Windows registry monitoring
. rootkit detection
. real-time alerting and active response

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.

0x1: Improving File Integrity Monitoring with OSSEC

FIM, or "File Integrity Monitoring", can be defined as the process of validating the integrity of operating system and application files with a verification method that uses a hashing algorithm such as MD5 or SHA1 and then compares the current file state with a baseline. A hash allows the detection of changes to a file's contents, but other information can be checked too:

. owner
. permissions
. modification time.

Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc.) but also application files (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:

. The baseline that the current file state is compared against must of course be trusted. To achieve this, it must be stored in a safe place where an attacker cannot detect it and cannot alter it!
. The process must be fine-tuned to react only to important changes, otherwise there are two risks:
) The real suspicious changes will be hidden in the massive flow of false positives.
) The people in charge of the control could miss interesting changes.

0x2: false positives

A side effect of file integrity monitoring is the number of false-positive alerts generated when patching your systems. Keeping up with the latest patch level is important, but a single new package can replace hundreds of files!

Relevant Link:

http://ossec.github.io/docs/
https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/

2. HashSentry: Host-Based IDS in Python

HashSentry's modus operandi goes like this:

. The remote file system is mounted using sshfs
. A hashing algorithm is applied to the files and the result is compared with their known original hash (hashes are learnt on the first run)
. Alerts are sent to the sysadmin if a file is modified or a new file appears

Relevant Link:

http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor

3. Afick

Afick is a fast and portable intrusion detection and integrity monitoring system, designed to work on all platforms (it only needs perl and standard modules), including windows, linux, unix.
The configuration syntax is very close to tripwire/aide's.

0x1: functionalities

. portable without any change to all common operating systems (windows, UNIX ...)
. easy install: no need to compile or to install many other tools
. fast
. displays new/deleted/modified files
. displays dangling links
. may be used by any user
. any number of databases and configs
. config file with exceptions and wildcards
. configuration file syntax close to aide's
. the command line is perfect on UNIX, but windows users prefer graphical interfaces, so I added a Tk interface

Relevant Link:

https://sourceforge.net/projects/afick/
http://afick.sourceforge.net/

4. Detection workflow

. Walk every file under the target directory
. Collect its meta information
) filepath
) hashsum
) gmt_create
) gmt_modified
. Compute the hash of filepath and look up the hash(filepath) record in sqlite; if no record is found, the file is new
) An extra check is needed for whether this is the first run on this host (baseline creation); on the first run, ignore it
) If it is not the first run, report a suspicious-new-file event
. If the hash(filepath) record is found in sqlite, read its gmt_create and gmt_modified and compare them with the current file's gmt_create and gmt_modified; if they match, the file has not been modified, so skip it
. If gmt_create or gmt_modified differ, the file may have been modified (merely opening it once in vim can also change gmt_create/gmt_modified), so compute the hash of the file's contents and compare it with the hash stored in the hash(filepath) record; if they differ, the file was modified: report the record and update the sqlite cache entry
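The workflow above, together with the baseline comparison described in section 1, as an added Python example (this is not code from the page, from OSSEC, HashSentry or Afick). It assumes a constructed sqlite schema (tables files and meta), uses SHA-256 for content hashes instead of the MD5/SHA1 the page mentions, and uses st_ctime_ns as a stand-in for gmt_create (on Linux that is the inode change time, not a creation time). demo() builds a scratch directory that stands in for /etc/init.d, runs the baseline pass, then adds, touches and modifies files so each branch of the workflow is exercised; all sample files are constructed here.

```python
import hashlib
import os
import sqlite3
import tempfile
import time

HASH_ALGO = "sha256"  # this example's choice; the page mentions MD5/SHA1


def file_hash(path):
    """Content hash of one file, read in chunks so large files do not fill memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_key(filepath):
    """hash(filepath): the lookup key the workflow uses for the sqlite record."""
    return hashlib.sha256(filepath.encode("utf-8")).hexdigest()


def open_db(db_path):
    """Open or create the baseline database (schema constructed for this example)."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS files (path_key TEXT PRIMARY KEY, filepath TEXT,"
                 " hashsum TEXT, gmt_create INTEGER, gmt_modified INTEGER)")
    conn.execute("CREATE TABLE IF NOT EXISTS meta (key TEXT PRIMARY KEY, value TEXT)")
    return conn


def is_first_run(conn):
    """True until the first (baseline-building) scan has completed."""
    return conn.execute("SELECT 1 FROM meta WHERE key = 'baseline_done'").fetchone() is None


def walk_files(dirs):
    """Yield regular files under the watched directories; symlinks are skipped."""
    for d in dirs:
        for root, _subdirs, names in os.walk(d):
            for name in names:
                p = os.path.join(root, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    yield p


def scan(conn, dirs):
    """One pass of the workflow. Returns a list of (event, filepath) tuples."""
    first = is_first_run(conn)
    events = []
    for fp in walk_files(dirs):
        st = os.stat(fp)
        # st_ctime_ns stands in for gmt_create (inode change time on Linux, an assumption here)
        create_ns, modified_ns = st.st_ctime_ns, st.st_mtime_ns
        key = path_key(fp)
        row = conn.execute("SELECT hashsum, gmt_create, gmt_modified FROM files WHERE path_key = ?",
                           (key,)).fetchone()
        if row is None:
            # No record: the file is new. Learn it silently on the first run, else report it.
            conn.execute("INSERT INTO files VALUES (?, ?, ?, ?, ?)",
                         (key, fp, file_hash(fp), create_ns, modified_ns))
            if not first:
                events.append(("new", fp))
            continue
        hashsum, old_create, old_modified = row
        if old_create == create_ns and old_modified == modified_ns:
            continue  # timestamps unchanged: skip without re-hashing
        # Timestamps moved (an editor can do that without changing content), so the
        # content hash decides whether this is a real modification.
        digest = file_hash(fp)
        if digest != hashsum:
            events.append(("modified", fp))
        conn.execute("UPDATE files SET hashsum = ?, gmt_create = ?, gmt_modified = ? WHERE path_key = ?",
                     (digest, create_ns, modified_ns, key))
    if first:
        conn.execute("INSERT INTO meta VALUES ('baseline_done', '1')")
    conn.commit()
    return events


def demo():
    """Constructed scenario: baseline a scratch directory, then add, touch and modify files."""
    tmp = tempfile.mkdtemp()
    watch = os.path.join(tmp, "init.d")  # stand-in for /etc/init.d
    os.makedirs(watch)
    sshd, cron = os.path.join(watch, "sshd"), os.path.join(watch, "cron")
    with open(sshd, "w") as f:
        f.write("#!/bin/sh\nexec /usr/sbin/sshd\n")
    with open(cron, "w") as f:
        f.write("#!/bin/sh\nexec /usr/sbin/crond\n")
    conn = open_db(os.path.join(tmp, "fim.db"))  # a real baseline belongs off the monitored host
    first_run = scan(conn, [watch])              # builds the baseline, reports nothing

    later = time.time() + 60
    with open(os.path.join(watch, "new-service"), "w") as f:
        f.write("#!/bin/sh\n")                   # a file that did not exist at baseline time
    with open(sshd, "a") as f:
        f.write("echo changed\n")                # content modification
    # Timestamps are set explicitly so the demo does not depend on filesystem timestamp
    # granularity; cron is only touched, its content is unchanged.
    os.utime(sshd, (later, later))
    os.utime(cron, (later, later))
    second_run = scan(conn, [watch])
    conn.close()
    return first_run, second_run
```

The timestamp shortcut is what keeps a scan cheap, but it also means a change that leaves both stored timestamps identical is never re-hashed; a periodic full pass that ignores the timestamps closes that gap. As section 1 notes, the sqlite baseline itself must be trusted, so in practice it is kept off the monitored host (or at least read-only to the monitored services) rather than beside the files it describes.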

Integrity monitoring of files in sensitive directories is a general abstraction over how malware operates: whatever kind of trojan it is, to persist on Linux it will very likely write a new file under /etc/init.d/ or modify an existing one.

Relevant Link:

http://securityxploded.com/pymal.php
https://sourceforge.net/directory/os:windows/?q=file%20integrity%20check
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri
http://liw.iki.fi/liw/download/md5sum.py
https://github.com/clouserw/scripts/blob/master/md5verify.py
https://bbs.archlinux.org/viewtopic.php?id=83839
https://pypi.python.org/pypi/hsh/

Copyright (c) 2016 LittleHann All rights reserved
