[Graylog] Changing JAVA_OPTS on Graylog (OVA version)

REF: https://github.com/Graylog2/graylog2-images/issues/84

For the graylog server, edit this file:
/opt/graylog/service/graylog-server/run

For the elasticsearch service, edit this file:
/opt/graylog/service/elasticsearch/run

[Graylog] PA Network rule reference

REF: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/syslog-field-descriptions.html

Potential-threat criteria: within 14 days (in practice only 10 days of indices exist)

action: alert, block-url, deny,
action: reset-server, reset-client, reset-both (a TCP reset packet is sent to the server and/or the client)

Log types detected by the PA-Network firewall
Type: TRAFFIC, THREAT, SYSTEM, CONFIG
Within THREAT, Subtypes to watch: spyware, virus, flood, packet, vulnerability, wildfire-virus, scan

ThreatID: (check the manual for ID ranges that can be configured)
Suspicious DNS Query (generic:apk.hz5l.hz155.com)(4010379)
Suspicious DNS Query (generic:rlhqw.cn)(4077880)
Suspicious DNS Query (generic:sslbaidu.jomodns.com)(4083430)
Trojan-Spy/Win32.zbot.aahsy(2556727)
Trojan-Downloader/MSWord.cryptoload.im(1210808)
Trojan-Downloader/MSWord.agent.dpfgv(1210131)
Trojan-Downloader/MSWord.cryptoload.ec(1210235)
Virus/Win32.Adwind.af(1251891)
Virus/Win32.WGeneric.jhukl(1210208)
Virus/Win32.WGeneric.jhvwt(1210379)
Virus/Win32.WGeneric.jhvsx(1210326)
Virus/Win32.WGeneric.jhvxq(1210542)
Nsanti User-Agent Traffic(10028)
FTP: login Brute-force attempt(40001)
Some keywords: Brute-force, Virus, User-Agent, Trojan, Suspicious, Vulnerability

Description: may be critical
Some keywords: failed

RepeatCount: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Possibly network congestion

Application: shows the software behaviour of the user
Some keywords: unknown-tcp

[Graylog] A few query conditions

HOST: log.udn.twbbs.org

Query:
Search for spyware and malware
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND (Subtype:(virus OR spyware OR malware OR vulnerability) OR ThreatID:(Detection OR Vulnerability OR Attempt OR Traffic OR Executable))

Search for C&C, then pick the source IP or the controlled client IP
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND "Command and Control Traffic"

High repeat count within a period
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND RepeatCount:(120~)
ex: non-mail services with a repeat count greater than 1
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND NOT Application:(smtp OR pop3 OR imap OR incomplete) AND RepeatCount:(2~)

Search for adult sites
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND Category:adult
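The field notes in the PA Network rule reference above and the Graylog queries in this post express the same triage rules (only our two firewalls, deny actions excluded, suspect THREAT subtypes, ThreatID keywords, the C&C phrase, repeat-count thresholds, adult category). The following is an added example, not code from the blog, that applies those rules in Python to events already split into the Graylog field names used on this page (HOSTNAME, Type, Subtype, Action, ThreatID, RepeatCount, Application, Category). The sample events are constructed; the ThreatID strings reuse names listed in the reference post, not real observed traffic.

```python
# Added example (not from the original blog post): apply the post's Graylog
# query logic to PAN-OS events that Graylog has already split into fields.
# Field names are the ones used on the page; sample events are constructed.
import re

FIREWALLS = {"NGFW-5050-1", "NGFW-5050-2"}
# THREAT subtypes the reference post says to watch
SUSPECT_SUBTYPES = {"spyware", "virus", "malware", "vulnerability",
                    "flood", "packet", "wildfire-virus", "scan"}
# Keywords from the ThreatID notes plus the ThreatID terms in the first query
THREATID_KEYWORDS = re.compile(
    r"brute-force|virus|user-agent|trojan|suspicious|vulnerability"
    r"|detection|attempt|traffic|executable", re.IGNORECASE)
# Applications excluded from the "repeat count > 1" query
MAIL_APPS = {"smtp", "pop3", "imap", "incomplete"}


def triage(event):
    """Return the reasons this event deserves a look, or [] if none.

    Like the queries, only the two firewalls count, and Action:deny is
    skipped because the firewall already blocked that session."""
    if event.get("HOSTNAME") not in FIREWALLS:
        return []
    if event.get("Action") == "deny":
        return []
    reasons = []
    subtype = event.get("Subtype", "").lower()
    threat_id = event.get("ThreatID", "")
    if event.get("Type") == "THREAT" and subtype in SUSPECT_SUBTYPES:
        reasons.append(f"threat subtype {subtype}")
    if THREATID_KEYWORDS.search(threat_id):
        reasons.append(f"threat keyword in {threat_id!r}")
    if "Command and Control Traffic" in threat_id:
        reasons.append("C&C traffic")
    repeat = int(event.get("RepeatCount", 0))
    if repeat >= 120:
        reasons.append(f"repeat count {repeat} >= 120")
    elif repeat >= 2 and event.get("Application", "").lower() not in MAIL_APPS:
        reasons.append(f"repeat count {repeat} on non-mail app")
    if event.get("Category") == "adult":
        reasons.append("adult category")
    return reasons


# Constructed sample events (not captured logs)
SAMPLE_EVENTS = [
    {"id": "e1", "HOSTNAME": "NGFW-5050-1", "Type": "THREAT",
     "Subtype": "vulnerability", "Action": "alert",
     "ThreatID": "FTP: login Brute-force attempt(40001)",
     "RepeatCount": "1", "Application": "ftp"},
    {"id": "e2", "HOSTNAME": "NGFW-5050-2", "Type": "THREAT",
     "Subtype": "virus", "Action": "deny",
     "ThreatID": "Virus/Win32.WGeneric.jhukl(1210208)",
     "RepeatCount": "1", "Application": "web-browsing"},
    {"id": "e3", "HOSTNAME": "NGFW-5050-1", "Type": "THREAT",
     "Subtype": "spyware", "Action": "reset-both",
     "ThreatID": "Command and Control Traffic (constructed sample)",
     "RepeatCount": "1", "Application": "unknown-tcp"},
    {"id": "e4", "HOSTNAME": "NGFW-5050-2", "Type": "TRAFFIC",
     "Subtype": "end", "Action": "allow", "ThreatID": "",
     "RepeatCount": "3", "Application": "web-browsing"},
    {"id": "e5", "HOSTNAME": "NGFW-5050-2", "Type": "TRAFFIC",
     "Subtype": "end", "Action": "allow", "ThreatID": "",
     "RepeatCount": "5", "Application": "smtp"},
    {"id": "e6", "HOSTNAME": "other-fw", "Type": "THREAT",
     "Subtype": "virus", "Action": "alert", "ThreatID": "Virus",
     "RepeatCount": "1", "Application": "web-browsing"},
    {"id": "e7", "HOSTNAME": "NGFW-5050-1", "Type": "TRAFFIC",
     "Subtype": "end", "Action": "allow", "ThreatID": "",
     "RepeatCount": "1", "Application": "web-browsing",
     "Category": "adult"},
]


def run(events=SAMPLE_EVENTS):
    """Triage every event; returns {event id: [reasons]}."""
    return {e["id"]: triage(e) for e in events}


if __name__ == "__main__":
    for ident, reasons in run().items():
        print(ident, reasons or "ok")
```

The repeat-count rule follows the queries literally; the field description says RepeatCount is only meaningful for ICMP, so expect the "non-mail app" branch to fire on ordinary sessions and tune the threshold before alerting on it.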

[Graylog] content-pack of PA Network

The Traffic part could not be applied because of the extra SessionEndReason column.
After modifying the content pack, it works normally.

[GrayLog] Serving Graylog from behind NAT

Since Graylog 2.1.1, port 12900 is no longer used (you can still use it, but you have to change it yourself; editing only graylog.conf does nothing, because the next graylog-ctl reconfigure reverts it).

The official configuration is as follows
http://docs.graylog.org/en/2.1/pages/configuration/web_interface.html#configuring-webif-nginx

Apache httpd 2.x

REST API and Web Interface on one port (using HTTP):

<VirtualHost *:80>
    ServerName graylog.example.org
    # Reverse proxy only; never enable forward proxying here
    ProxyRequests Off
    <Proxy *>
        # Apache 2.2 access syntax; on Apache 2.4 use "Require all granted"
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        # Tells the web UI where its REST API is reachable from the browser
        RequestHeader set X-Graylog-Server-URL "http://graylog.example.org/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

</VirtualHost>

Issue: a Graylog host behind NAT needs to serve external clients.
At first only the apache-httpd mod_proxy configuration was set up,
but the browser then tried to connect to "private IP:12900" and failed.

Following the reference page below, it now connects correctly
REF: https://github.com/Graylog2/graylog2-server/issues/2252

# Public path /api/ fronts the REST API that still listens on 12900
<Location /api/>
    ProxyPass http://127.0.0.1:12900/
    ProxyPassReverse http://127.0.0.1:12900/
</Location>

<Location />
    # The header must carry the public URL (and https if the public side is https),
    # otherwise the web UI sends browsers to the private IP on 12900
    RequestHeader set X-Graylog-Server-URL "https://graylog.example.org/api/"
    ProxyPass http://127.0.0.1:9000/
    ProxyPassReverse http://127.0.0.1:9000/
</Location>

The main idea: use our own path /api as the redirect location for port 12900,
because a ProxyPass Location cannot map one port to another directly.
With /api as the intermediary, and the header rewritten (the key part), the private IP is now mapped to the public IP.
After configuring, restart the httpd service and requests are forwarded to the correct IP.

[GrayLog] Configure sending mail via Gmail

Configure it with this command

sudo graylog-ctl set-email-config smtp.gmail.com --port=587 --user=checkingalerts --password=udng3609 --from-email=joe.chc@udngroup.com.tw --no-ssl

Afterwards run

sudo graylog-ctl reconfigure

[GrayLog] Shipping Apache logs to graylog2 via rsyslog

http://www.jaimegago.com/ship-apache-httpd-logs-to-graylog2-via-rsyslog/