catalogue

. OSSEC
. HashSentry: Host-Based IDS in Python
. Afick
. Detection workflow

1. OSSEC

OSSEC is an Open Source Host-based Intrusion Detection System. It performs

. log analysis
. integrity checking
. Windows registry monitoring
. rootkit detection
. real-time alerting and active response

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.

0x1: Improving File Integrity Monitoring with OSSEC

FIM, or "File Integrity Monitoring", can be defined as the process of validating the integrity of operating system and application files by computing a hash with an algorithm such as MD5 or SHA1 and comparing the current file state against a baseline. A hash detects modification of a file's content, but other attributes can be checked too:

. owner
. permissions
. modification time.

Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc) but also applications (monitoring your index.php or index.html can reveal a defaced website).
During its implementation, a file integrity monitoring project may face two common issues:

. The baseline against which the current file state is compared must of course be trusted. To achieve this, it must be stored in a safe place where an attacker can neither find it nor alter it!
. The process must be fine-tuned to react only to important changes, otherwise there are two risks:
) The real suspicious changes will be hidden in the massive flow of false-positives.
) People in charge of the control could miss interesting changes.

0x2: false positives

A side effect of file integrity monitoring is the number of false positive alerts generated when patching your systems. Keeping up with the latest patch level is important, but a single new package can replace hundreds of files!

Relevant Link:

http://ossec.github.io/docs/
https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/

2. HashSentry: Host-Based IDS in Python

HashSentry's modus operandi goes like this:

. The remote File System is mounted using sshfs
. A hashing algorithm is applied to files and compared with their known original hash. (Hashes are learnt on first run)
. Alerts are sent to the sysadmin in case a file is modified or a new file appears

Relevant Link:

http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor

3. Afick

Afick is a fast and portable intrusion detection and integrity monitoring system, designed to work on all platforms (it only needs Perl and standard modules), including Windows, Linux and UNIX.
The configuration syntax is very close to that of tripwire/aide.

0x1: functionalities

. portable without any change to all common operating systems (Windows, UNIX ...)
. easy install: no need to compile or install many other tools
. fast
. displays new/deleted/modified files
. displays dangling links
. may be used by any user
. any number of databases and config files
. config file with exceptions and wildcards (jokers)
. configuration file syntax close to aide's
. the command line is perfect on UNIX, but Windows users prefer graphical interfaces, so I added a Tk interface

Relevant Link:

https://sourceforge.net/projects/afick/
http://afick.sourceforge.net/

4. Detection workflow

. Walk every file under the target directory
. Collect its metadata
) filepath
) hashsum
) gmt_create
) gmt_modified
. Compute the hash of filepath and look up the hash(filepath) record in sqlite; if no record is found, the file is new
) An extra check is needed for whether this is the first run on this host (baseline build); on the first run, ignore it
) If it is not the first run, report a new-file anomaly event
. If the hash(filepath) record is found in sqlite, fetch its gmt_create and gmt_modified and compare them with the current file's gmt_create and gmt_modified; if they are identical, the file has not been modified and is skipped
. If gmt_create or gmt_modified differ, the file may have been modified (merely opening it once in vim can change gmt_create and gmt_modified), so compute the hash of the file content and compare it with the hash stored in the hash(filepath) record; if they differ, the file has been modified: report the record and update the sqlite cache entry

File integrity monitoring of sensitive directories is a general abstraction over malware behaviour: whatever kind of trojan it is, to persist on Linux it is very likely to write a new file under /etc/init.d/ or modify an existing one.
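The workflow above (and the baseline comparison described in the OSSEC section) as an added Python example; this is not code from the original post or from any of the listed tools. It keeps the hash(filepath) baseline in an in-memory sqlite table, skips hashing when ctime/mtime are unchanged, and the demo uses a constructed temporary directory; names such as scan, content_hash and demo are my own.

```python
import hashlib, os, sqlite3, tempfile
from pathlib import Path

def content_hash(path):
    """SHA-256 of the file body, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, conn):
    """One pass over root; returns [(event, path), ...] for new and modified files."""
    cur = conn.cursor()
    cur.execute("CREATE TABLE IF NOT EXISTS baseline (pk TEXT PRIMARY KEY, path TEXT, hash TEXT, ctime REAL, mtime REAL)")
    first_run = cur.execute("SELECT COUNT(*) FROM baseline").fetchone()[0] == 0
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            pk = hashlib.sha256(path.encode()).hexdigest()  # hash(filepath) lookup key
            row = cur.execute("SELECT hash, ctime, mtime FROM baseline WHERE pk=?", (pk,)).fetchone()
            if row is None:  # unknown path: silent during baseline build, otherwise a new file
                if not first_run:
                    events.append(("new", path))
                cur.execute("INSERT INTO baseline VALUES (?,?,?,?,?)", (pk, path, content_hash(path), st.st_ctime, st.st_mtime))
                continue
            old_hash, ctime, mtime = row
            if (ctime, mtime) == (st.st_ctime, st.st_mtime):
                continue  # timestamps unchanged: skip the costly content hash
            new_hash = content_hash(path)  # timestamps moved: verify the content itself
            if new_hash != old_hash:
                events.append(("modified", path))
            cur.execute("UPDATE baseline SET hash=?, ctime=?, mtime=? WHERE pk=?", (new_hash, st.st_ctime, st.st_mtime, pk))
    conn.commit()
    return events

def demo():
    """Constructed scenario: baseline run, then a touched-only file, an edited file and a new file."""
    root, conn = tempfile.mkdtemp(), sqlite3.connect(":memory:")
    a, b, c = (os.path.join(root, n) for n in ("rc.local", "sshd", "evil.sh"))
    for p in (a, b):
        Path(p).write_text("original")
        os.utime(p, (1e9, 1e9))           # pin timestamps so later changes are visible
    first = scan(root, conn)              # baseline build: must report nothing
    os.utime(a, (2e9, 2e9))               # touched only, content unchanged (like a vim save)
    Path(b).write_text("tampered")        # real modification
    Path(c).write_text("x")               # file that did not exist at baseline time
    return first, sorted(scan(root, conn))
```

A touched-but-unchanged file only refreshes the cached timestamps, so the timestamp shortcut does not turn editor saves into false positives.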

Relevant Link:

http://securityxploded.com/pymal.php
https://sourceforge.net/directory/os:windows/?q=file%20integrity%20check
http://blog.makensi.es/post/5759911160/hashsentry-host-based-ids-in-python-for-the-poor
http://www.ethanjoachimeldridge.info/tech-blog/implementing-subresource-integrity-sri
http://liw.iki.fi/liw/download/md5sum.py
https://github.com/clouserw/scripts/blob/master/md5verify.py
https://bbs.archlinux.org/viewtopic.php?id=83839
https://pypi.python.org/pypi/hsh/

Copyright (c) 2016 LittleHann All rights reserved
