Sensitive directory/file Integrity Monitoring and Checking
catalogue
. OSSEC
. HashSentry: Host-Based IDS in Python
. Afick
. Detection workflow
1. OSSEC
OSSEC is an Open Source Host-based Intrusion Detection System. It performs
. log analysis
. integrity checking
. Windows registry monitoring
. rootkit detection
. real-time alerting and active response
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
0x1: Improving File Integrity Monitoring with OSSEC
FIM or "File Integrity Monitoring" can be defined as the process of validating the integrity of operating system and application files with a verification method that uses a hashing algorithm like MD5 or SHA1 and then compares the current file state with a baseline. A hash allows detection of changes to file contents, but other attributes can be checked too:
. owner
. permissions
. modification time.
Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc.) but also applications (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:
. The baseline that the current file status is compared against must of course be trusted. To achieve this, it must be stored in a safe place where an attacker can neither detect it nor alter it!
. The process must be fine-tuned to react only to important changes, otherwise there are two risks:
) The real suspicious changes will be hidden in the massive flow of false positives.
) The people in charge of the control could miss interesting changes.
0x2: false positive
A side effect of file integrity monitoring is the number of false-positive alerts generated when patching your systems. Keeping up with the latest patch level is important, but a single new package can replace hundreds of files!
Relevant Link:
http://ossec.github.io/docs/
https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
2. HashSentry: Host-Based IDS in Python
HashSentry's modus operandi goes like this:
. The remote File System is mounted using sshfs
. A hashing algorithm is applied to files and compared with their known original hash. (Hashes are learnt on first run)
. Alerts are sent to the sysadmin in case a file is modified or a new file appears

Relevant Link:
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
3. Afick
Afick is a fast and portable intrusion detection and integrity monitoring system, designed to work on all platforms (it only needs perl and standard modules), including windows, linux, unix.
The configuration syntax is very close to tripwire/aide.
0x1: functionalities
. portable without any change to all common operating systems (windows, UNIX ...)
. easy install : no need to compile or to install many other tools
. fast
. display new/deleted/modified files
. display dangling links
. may be used by any user
. any number of base and config
. config file with exceptions and jokers
. configuration file syntax close to aide's
. command line is perfect on UNIX, but windows users prefer graphical interfaces, so I added a Tk interface
Relevant Link:
https://sourceforge.net/projects/afick/
http://afick.sourceforge.net/
4. Detection workflow
. Walk every file in the target directory
. Collect its metadata
) filepath
) hashsum
) gmt_create
) gmt_modified
. Compute the hash of filepath and look up the hash(filepath) record in sqlite; if no matching record is found, the file is new
) An extra check is needed for whether this is the first run on this host (baseline creation); on the first run the new file is ignored
) If it is not the first run, report an anomalous new-file event
. If the hash(filepath) record is found in sqlite, fetch its gmt_create and gmt_modified and compare them with the current file's gmt_create and gmt_modified; if they are identical, the file has not been modified and is skipped
. If gmt_create or gmt_modified differ, the file may have been modified (merely opening it once in vim can change gmt_create/gmt_modified), so compute the hash of the file contents and compare it with the hash stored in the hash(filepath) record; if they differ, the file has been modified: report the record and update the sqlite cache entry
File integrity monitoring of sensitive directories is a general abstraction over malicious-software behaviour: whatever the malware is, to persist on Linux it will very likely write a new file under /etc/init.d/ or modify an existing one
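The workflow above (and the baseline comparison that the OSSEC and HashSentry sections describe) as an added Python example, not code from this post or from any of the tools it lists: a sqlite baseline keyed on hash(filepath), timestamps compared first, the content hash computed only when they moved. Assumed names are file_hash, open_baseline, scan and demo; st_ctime/st_mtime stand in for gmt_create/gmt_modified and SHA-256 for the hash.

```python
import hashlib, os, sqlite3, tempfile
from pathlib import Path
# Assumption: st_ctime/st_mtime stand in for the post's gmt_create/gmt_modified; SHA-256 as the hash.
def file_hash(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()
def open_baseline(db_path=":memory:"):           # a real deployment keeps the baseline off-host
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS files (path_hash TEXT PRIMARY KEY, path TEXT,"
                 " content_hash TEXT, gmt_create REAL, gmt_modified REAL)")
    return conn

def scan(root, conn):
    """One pass over root; returns [(event, path)] with event 'new' or 'modified'.
    An empty baseline table marks the first run, which only records the baseline."""
    first_run = conn.execute("SELECT COUNT(*) FROM files").fetchone()[0] == 0
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            key = hashlib.sha256(path.encode()).hexdigest()      # hash(filepath) lookup key
            row = conn.execute("SELECT content_hash, gmt_create, gmt_modified FROM files"
                               " WHERE path_hash = ?", (key,)).fetchone()
            if row is None:                                       # no record: new file
                if not first_run:
                    events.append(("new", path))
                conn.execute("INSERT INTO files VALUES (?, ?, ?, ?, ?)",
                             (key, path, file_hash(path), st.st_ctime, st.st_mtime))
            elif (row[1], row[2]) != (st.st_ctime, st.st_mtime):  # timestamps moved: hash it
                digest = file_hash(path)
                if digest != row[0]:                              # content really changed
                    events.append(("modified", path))
                conn.execute("UPDATE files SET content_hash=?, gmt_create=?, gmt_modified=?"
                             " WHERE path_hash=?", (digest, st.st_ctime, st.st_mtime, key))
    conn.commit()
    return events
def demo():
    """Constructed sample tree: baseline run, touch only, content change, then a new file."""
    root, conn, runs = tempfile.mkdtemp(), open_baseline(), []
    rc = Path(root, "rc.local")
    rc.write_text("exit 0\n")
    runs.append(scan(root, conn))            # run 1: builds the baseline, no alerts
    os.utime(rc, (1000000001, 1000000001))   # timestamps change, content does not
    runs.append(scan(root, conn))            # run 2: no alert, hash still matches
    rc.write_text("exit 0\nchanged\n")
    os.utime(rc, (1000000002, 1000000002))
    runs.append(scan(root, conn))            # run 3: [('modified', '.../rc.local')]
    Path(root, "S99new").write_text("#!/bin/sh\n")
    runs.append(scan(root, conn))            # run 4: [('new', '.../S99new')]
    return runs
```

Run 2 is the vim case from the workflow: the timestamps move but the stored hash still matches, so nothing is reported and only the cached timestamps are refreshed.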
Relevant Link:
http://securityxploded.com/pymal.php
https://sourceforge.net/directory/os:windows/?q=file%20integrity%20check
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri
http://liw.iki.fi/liw/download/md5sum.py
https://github.com/clouserw/scripts/blob/master/md5verify.py
https://bbs.archlinux.org/viewtopic.php?id=83839
https://pypi.python.org/pypi/hsh/
Copyright (c) 2016 LittleHann All rights reserved