[Graylog2][timezone]
Mar 01
Set the timezone for the Graylog service (affects the search view; the default is UTC).
After changing the setting, you must run reconfigure.
$ sudo graylog-ctl set-timezone Asia/Taipei
$ sudo graylog-ctl reconfigure
$ sudo reboot
Quick notes
Feb 28
REF: https://github.com/Graylog2/graylog2-images/issues/59
Graylog2 kept failing to start; the system log later showed connections to port 4001 being refused.
mariussturm commented on 27 May 2015
Looks like the Etcd database got corrupted for some reason. Maybe the machine ran out of disk space or was hard reset. If this is a single node installation you could try to delete /var/opt/graylog/data/etcd and afterwards run sudo graylog-ctl reconfigure.
Oct 12
REF: http://docs.graylog.org/en/2.1/pages/configuration/graylog_ctl.html
Warning
The Graylog omnibus package does not support unattended upgrading from Graylog 1.x to Graylog 2.1.x!
Always perform a full backup or snapshot of the appliance before proceeding. Only upgrade if the release notes say the next version is a drop-in replacement. Choose the Graylog version you want to install from the list of Omnibus packages. graylog_latest.deb always links to the newest version:
$ wget https://packages.graylog2.org/releases/graylog-omnibus/ubuntu/graylog_latest.deb
$ sudo graylog-ctl stop
$ sudo dpkg -G -i graylog_latest.deb
$ sudo graylog-ctl reconfigure
$ sudo reboot
If reconfigure fails or does not complete, see
https://github.com/Graylog2/graylog2-images/issues/59
delete /var/opt/graylog/data/etcd
run sudo graylog-ctl reconfigure
Aug 03
REF: https://github.com/Graylog2/graylog2-images/issues/84
For the Graylog server, the file to edit is
/opt/graylog/service/graylog-server/run
For the Elasticsearch service, the file to edit is
/opt/graylog/service/elasticsearch/run
Jul 21
REF: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/syslog-field-descriptions.html
Potential-threat criteria: within 14 days (in practice only 10 days are indexed)
action: alert, block-url, deny
action: reset-server, reset-client, reset-both (a TCP reset packet is sent to the server and/or the client)
Log types detected by the PA-Network firewall
Type: TRAFFIC, THREAT, SYSTEM, CONFIG
Under THREAT, the Subtypes to watch: spyware, virus, flood, packet, vulnerability, wildfire-virus, scan
ThreatID: (check the manual to see whether there are ID ranges that can be configured)
Suspicious DNS Query (generic:apk.hz5l.hz155.com)(4010379)
Suspicious DNS Query (generic:rlhqw.cn)(4077880)
Suspicious DNS Query (generic:sslbaidu.jomodns.com)(4083430)
Trojan-Spy/Win32.zbot.aahsy(2556727)
Trojan-Downloader/MSWord.cryptoload.im(1210808)
Trojan-Downloader/MSWord.agent.dpfgv(1210131)
Trojan-Downloader/MSWord.cryptoload.ec(1210235)
Virus/Win32.Adwind.af(1251891)
Virus/Win32.WGeneric.jhukl(1210208)
Virus/Win32.WGeneric.jhvwt(1210379)
Virus/Win32.WGeneric.jhvsx(1210326)
Virus/Win32.WGeneric.jhvxq(1210542)
Nsanti User-Agent Traffic(10028)
FTP: login Brute-force attempt(40001)
Some keywords: Brute-force, Virus, User-Agent, Trojan, Suspicious, Vulnerability
Description: may be critical
Some keywords: failed
RepeatCount: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Perhaps... network congestion
Application: shows what software the users are running
Some keywords: unknown-tcp
Jun 29
HOST: log.udn.twbbs.org
Query:
Query for spyware and malware
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND (Subtype:(virus OR spyware OR malware OR vulnerability) OR ThreatID:(Detection OR Vulnerability OR Attempt OR Traffic OR Executable))
Query for C&C traffic, then drill down by the source IP or the controlled client IP
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND "Command and Control Traffic"
Unusually high repeat count within a short period
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND RepeatCount:(120~)
e.g. non-mail services with a repeat count greater than 1
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND NOT Application:(smtp OR pop3 OR imap OR incomplete) AND RepeatCount:(2~)
Query for adult websites
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND Category:adult
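The five queries above, expressed as Python predicates so they can be tested offline against extracted log fields. This is an added example, not part of the original notes or of Graylog; the field names (HOSTNAME, Action, Subtype, ThreatID, RepeatCount, Application, Category, message) follow the queries, and the sample records are constructed, not real firewall logs.

```python
# Firewall hostnames from the page's queries; hyphens must be escaped in Lucene syntax.
FIREWALLS = ["NGFW-5050-1", "NGFW-5050-2"]
WATCH_SUBTYPES = {"virus", "spyware", "malware", "vulnerability"}
THREAT_KEYWORDS = ("Detection", "Vulnerability", "Attempt", "Traffic", "Executable")
MAIL_APPS = {"smtp", "pop3", "imap", "incomplete"}

def lucene_hosts():
    """Render the HOSTNAME clause shared by every query, escaping '-' for Lucene."""
    return "HOSTNAME:(" + " OR ".join(h.replace("-", r"\-") for h in FIREWALLS) + ")"

def _in_scope(rec):
    # Common prefix of all queries: one of our firewalls, and the action was not 'deny'.
    return rec.get("HOSTNAME") in FIREWALLS and rec.get("Action") != "deny"

def is_malware(rec):
    # Query 1: watched Subtype, or a ThreatID name containing one of the keywords.
    return _in_scope(rec) and (rec.get("Subtype") in WATCH_SUBTYPES or
                               any(k in rec.get("ThreatID", "") for k in THREAT_KEYWORDS))

def is_c2(rec):  # Query 2: phrase search over the full message text.
    return _in_scope(rec) and "Command and Control Traffic" in rec.get("message", "")

def is_high_repeat(rec, threshold=120):
    # Query 3: RepeatCount:(120~), i.e. at least 120 sessions within 5 seconds.
    return _in_scope(rec) and int(rec.get("RepeatCount", 0)) >= threshold

def is_nonmail_repeat(rec):
    # Query 4: a non-mail application with RepeatCount:(2~).
    return (_in_scope(rec) and rec.get("Application") not in MAIL_APPS
            and int(rec.get("RepeatCount", 0)) >= 2)

def is_adult(rec):  # Query 5: URL-filtering category 'adult'.
    return _in_scope(rec) and rec.get("Category") == "adult"

def triage(records):
    """Return (index, [names of matching queries]) for each record that hits any query."""
    checks = [("malware", is_malware), ("c2", is_c2), ("high-repeat", is_high_repeat),
              ("nonmail-repeat", is_nonmail_repeat), ("adult", is_adult)]
    return [(i, hit) for i, r in enumerate(records) if (hit := [n for n, f in checks if f(r)])]

# Constructed sample records shaped like Graylog-extracted PAN-OS fields (not real logs).
SAMPLE = [
    {"HOSTNAME": "NGFW-5050-1", "Action": "alert", "Subtype": "spyware",
     "ThreatID": "Suspicious DNS Query", "RepeatCount": "1", "Application": "dns"},
    {"HOSTNAME": "NGFW-5050-2", "Action": "deny", "Subtype": "virus", "RepeatCount": "1"},
    {"HOSTNAME": "NGFW-5050-2", "Action": "allow", "Subtype": "url", "RepeatCount": "130",
     "Application": "unknown-tcp", "Category": "adult"},
    {"HOSTNAME": "NGFW-5050-1", "Action": "allow", "RepeatCount": "3", "Application": "smtp"},
    {"HOSTNAME": "NGFW-5050-1", "Action": "allow", "message": "Command and Control Traffic"},
]
```

Running `triage(SAMPLE)` shows that the denied virus hit and the repeated smtp sessions are filtered out exactly as the `NOT Action:deny` and mail-application exclusions intend.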