RSS[Graylog] 修改Graylog (OVA版本 ) JAVA_OPTS
8 月 03
REF: https://github.com/Graylog2/graylog2-images/issues/84
graylog server 要修改
/opt/graylog/service/graylog-server/run 這個檔案
elasticsearch 服務, 則要修改
/opt/graylog/service/elasticsearch/run 這個檔案
[Graylog] PA Network rule reference
7 月 21
REF: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/syslog-field-descriptions.html
潛在威脅條件:14天內(實際只有10天索引)
action:alert, block-url, deny,
action: reset-server, reset-client, reset-both (利用TCP發送 reset 封包給主機或用戶)
PA-Network FW 偵測的類型
Type:TRAFFIC, THREAT, SYSTEM, CONFIG
在 THREAT的 Subtype:應注意 spyware,virus, flood, packet, vulnerability, wildfire-virus, scan
ThreatID: (建議查手冊, 看看有沒有區段可以設定)
Suspicious DNS Query (generic:apk.hz5l.hz155.com)(4010379)
Suspicious DNS Query (generic:rlhqw.cn)(4077880)
Suspicious DNS Query (generic:sslbaidu.jomodns.com)(4083430)
Trojan-Spy/Win32.zbot.aahsy(2556727)
Trojan-Downloader/MSWord.cryptoload.im(1210808)
Trojan-Downloader/MSWord.agent.dpfgv(1210131)
Trojan-Downloader/MSWord.cryptoload.ec(1210235)
Virus/Win32.Adwind.af(1251891)
Virus/Win32.WGeneric.jhukl(1210208)
Virus/Win32.WGeneric.jhvwt(1210379)
Virus/Win32.WGeneric.jhvsx(1210326)
Virus/Win32.WGeneric.jhvxq(1210542)
Nsanti User-Agent Traffic(10028)
FTP: login Brute-force attempt(40001)
一些關鍵字:Brute-force, Virus, User-Agent, Trojan, Suspicious, Vulnerability
Description: 可能是critical
一些關鍵字: failed
RepeatCount: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
也許是…..網路擁塞
Application: 可以看用戶的軟體行為
一些關鍵字: unknown-tcp
[Graylog] 幾個查詢條件
6 月 29
HOST: log.udn.twbbs.org
Query:
查詢間諜及惡意軟體
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND (Subtype:(virus OR spyware OR malware OR vulnerability) OR ThreatID:(Detection OR Vulnerability OR Attempt OR Traffic OR Executable))
查詢C&C, 再選來源sourceIP 或被控client IP
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND “Command and Control Traffic”
一段時間內, 重覆次數偏高
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND RepeatCount:(120~)
ex: 非郵件服務, 重覆次數大於1
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND NOT Application:(smtp OR pop3 OR imap OR incomplete) AND RepeatCount:(2~)
查詢成人網站
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND Category:adult
[GrayLog] 提供NAT下的 graylog 服務
6 月 07
Graylog 2.1.1 之後, 已不使用12900(要用也可以, 要自己改, 只改 graylog.conf 是沒用的, 一做了 graylog-ctl reconfigure 後, 就又變回來了)
官方的提供的設定如下
http://docs.graylog.org/en/2.1/pages/configuration/web_interface.html#configuring-webif-nginx
Apache httpd 2.x
REST API and Web Interface on one port (using HTTP):
<VirtualHost *:80>
ServerName graylog.example.org
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
RequestHeader set X-Graylog-Server-URL "http://graylog.example.org/api/"
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
</Location>
</VirtualHost>
Issus: 在NAT底下的 graylog 主機, 要提供對外的服務
一開始僅設定 apache-httpd 的 proxy_mod 設定
但會出現要連線到 “私有IP:12900” 時, 會出現問題
經由下面的參考網頁, 已能正常連入
REF: https://github.com/Graylog2/graylog2-server/issues/2252
ProxyPass http://127.0.0.1:12900/
ProxyPassReverse http://127.0.0.1:12900/
RequestHeader set X-Graylog-Server-URL “https://graylog.example.org/api/”
ProxyPass http://127.0.0.1:9000/
ProxyPassReverse http://127.0.0.1:9000/
主要概念為, 利用自己路徑 /api 做為 12900 的重導向位置
因為 proxy pass 的 location 無法直接設定為 port 轉 port
透過 /api 做為中介, 並重寫 header(最關鍵部分)後, 已能把私有IP與公有IP做起對應
設定後, 重啟 httpd 服務即可正確轉送的IP對象。
[GrayLog] 設定gmail代發信
5 月 06
利用指令完成設定
sudo graylog-ctl set-email-config smtp.gmail.com --port=587 --user=checkingalerts --password=udng3609 --from-email=joe.chc@udngroup.com.tw --no-ssl
做完要
sudo graylog-ctl reconfigure
[GrayLog] 透過rsyslog把apache的log傳到 graylog2裡
5 月 05
http://www.jaimegago.com/ship-apache-httpd-logs-to-graylog2-via-rsyslog/