- 浏览: 85134 次
- 性别:
- 来自: 长沙
文章分类
最新评论
-
abc670454997:
大哥你不更新了啊!!!!!!!
网页游戏外挂的设计与编写:QQ摩天大楼【三】(登陆准备-信息发送方式) -
zhou2008gang:
貌似技术还没说到要点。。。
网页游戏外挂的设计与编写:QQ摩天大楼【三】(登陆准备-信息发送方式) -
mymelon:
怎么不继续写了?
网页游戏外挂的设计与编写:QQ摩天大楼【三】(登陆准备-信息发送方式) -
chinaxhb:
我以前也做过一个C#写的网页游戏外挂,不过现在游戏关掉了。现在 ...
网页游戏外挂的设计与编写:QQ摩天大楼【三】(登陆准备-信息发送方式) -
sumee:
哈哈....终于出新了!!!!顶起
网页游戏外挂的设计与编写:QQ摩天大楼【三】(登陆准备-信息发送方式)
这些天仔细分析了OSSEC日志收集(LogCollector)部分的细节。
OSSEC-LogCollector是创建一个无限循环,类似一个监听日志的守护进程,只要监听到日志有变动,就用SOCEKT发送消息给日志分析(analysisd)的守护进程,然后进行解码、匹配等操作。
下面先讲OSSEC是如何读取日志的。以读取WINDOWS XP下的事件日志为例。
读取事件日志主要是用到了Windows.h中的几个API:
OpenEventLog,CloseEventLog,ReadEventLog,GetLastError,等。
代码在最下面,我先说明一下每个函数的作用。
int StartEL(char *app, HIDSEL *el)
打开日志,返回该日志的数目。
char *GetELCategory(int categoryID)
根据类型ID获取日志类型。
char *GetEventDLL(char *evt_name, char *source, char *evt)
从注册表获取日志的名称。
char *GetELMsg(EVENTLOGRECORD *er, char *name, char * source, LPTSTR *elSStr)
获取该条日志的描述信息。
void ReadEL(HIDSEL *el, int printit)
读取事件日志。注,若只需要读取一次日志,printit设为1即可。OSSEC设置此参数的做法,我想是要忽略已有的日志,只对新产生的日志做处理。
#include "stdio.h" #include "windows.h" #define BUFFER_SIZE 2048*256 #define HIDS_MAXSTR 6144 #define HIDS_FLSIZE 256 #define HIDS_LOG_HEADER 256 /*Event logging local structure*/ typedef struct _HIDSEL { int timeOfLast; char *name; EVENTLOGRECORD *er; HANDLE h; DWORD record; }HIDSEL; /* *Starts the event logging for each el */ int StartEL(char *app, HIDSEL *el) { DWORD recordNum = 0; /*Opening the event log*/ el->h = OpenEventLog(NULL,app); if(!el->h) { printf("HIDS-LogCollecotor ERROR: Uable to open the event log : %s.", app); return (-1); } el->name = app; if(GetOldestEventLogRecord(el->h, &el->record) == 0) { /*Unable to read oldest event log record*/ printf("HIDS-LogCollecotor ERROR: Uable to query last event log from: %s.", app); CloseEventLog(el->h); el->h = NULL; return(-1); } if(GetNumberOfEventLogRecords(el->h, &recordNum) == 0) { printf("HIDS-LogCollecotor ERROR: Uable to get the number of event logs from: %s.", app); CloseEventLog(el->h); el->h = NULL; return(-1); } if(recordNum <= 0) { return 0; } return (int)recordNum; } /* * Returns a string related to the category id of the log. */ char *GetELCategory(int categoryID) { char *cat; switch(categoryID) { case EVENTLOG_ERROR_TYPE: cat = "ERROR"; break; case EVENTLOG_WARNING_TYPE: cat = "WARNING"; break; case EVENTLOG_INFORMATION_TYPE: cat = "INFORMATION"; break; case EVENTLOG_AUDIT_SUCCESS: cat = "AUDIT_SUCCESS"; break; case EVENTLOG_AUDIT_FAILURE: cat = "AUDIT_FAILURE"; break; default: cat = "Unknown"; break; } return cat; } /** * Returns the event. */ char *GetEventDLL(char *evt_name, char *source, char *evt) { //char *retStr; HKEY key; DWORD ret; char keyName[512]; keyName[511] = '\0'; _snprintf(keyName, 510, "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s", evt_name, source); /* Checking if we have it in memory. */ //retStr = OSHash_Get(dll_hash, keyName + 42); //if(retStr) //{ // return(retStr); //} /* Opening registry */ if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyName, 0, KEY_ALL_ACCESS, &key) != ERROR_SUCCESS) { return(NULL); } ret = MAX_PATH -1; if (RegQueryValueEx(key, "EventMessageFile", NULL, NULL, (LPBYTE)evt, &ret) != ERROR_SUCCESS) { evt[0] = '\0'; RegCloseKey(key); return(NULL); } else { /* Adding to memory. */ char *skey; char *sval; skey = strdup(keyName + 42); sval = strdup(evt); if(skey && sval) { //OSHash_Add(dll_hash, skey, sval); } else { printf("Log Collector: ERROR: Not enough Memory. Exiting."); } } RegCloseKey(key); return(evt); } /** * Returns a descriptive message of the event. */ char *GetELMsg(EVENTLOGRECORD *er, char *name, char * source, LPTSTR *elSStr) { DWORD fmFlags = 0; char strTmp[257]; char event[MAX_PATH +1]; char *curr_str; char *next_str; LPSTR message = NULL; HMODULE hevt; /* Initializing variables */ event[MAX_PATH] = '\0'; strTmp[256] = '\0'; /* Flags for format event */ fmFlags |= FORMAT_MESSAGE_FROM_HMODULE; fmFlags |= FORMAT_MESSAGE_ALLOCATE_BUFFER; fmFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY; /* Get the file name from the registry (stored on event) */ if(!(curr_str = GetEventDLL(name, source, event))) { return(NULL); } /* If our event has multiple libraries, try each one of them */ while((next_str = strchr(curr_str, ';'))) { *next_str = '\0'; ExpandEnvironmentStrings(curr_str, strTmp, 255); /* Reverting back old value. */ *next_str = ';'; /* Loading library. */ hevt = LoadLibraryEx(strTmp, NULL, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE); if(hevt) { if(!FormatMessage(fmFlags, hevt, er->EventID, 0, (LPTSTR) &message, 0, elSStr)) { message = NULL; } FreeLibrary(hevt); /* If we have a message, we can return it */ if(message) return(message); } curr_str = next_str +1; } /* Getting last value. */ ExpandEnvironmentStrings(curr_str, strTmp, 255); hevt = LoadLibraryEx(strTmp, NULL, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE); if(hevt) { int hr; if(!(hr = FormatMessage(fmFlags, hevt, er->EventID, 0, (LPTSTR) &message, 0, elSStr))) { message = NULL; } FreeLibrary(hevt); /* If we have a message, we can return it */ if(message) return(message); } return(NULL); } /* *Reads the event log. */ void ReadEL(HIDSEL *el, int printit) { DWORD _evtid = 65535; DWORD nstr; DWORD usrSize; DWORD domainSize; DWORD read, needed; int sizeLeft; int strSize; int id; char mbuffer[BUFFER_SIZE +1]; LPSTR sstr = NULL; char *strTmp = NULL; char *category; char *source; char *computerName; char *descriptiveMsg; char elUsr[HIDS_FLSIZE +1]; char elDomain[HIDS_FLSIZE +1]; char elStr[HIDS_MAXSTR +1]; char finalMsg[HIDS_MAXSTR +1]; LPSTR elSStr[HIDS_FLSIZE +1]; /* Er must point to the mbuffer */ el->er = (EVENTLOGRECORD *) &mbuffer; /* Zeroing the values */ elStr[HIDS_MAXSTR] = '\0'; elUsr[HIDS_FLSIZE] = '\0'; elDomain[HIDS_FLSIZE] = '\0'; finalMsg[HIDS_MAXSTR] = '\0'; elSStr[0] = NULL; elSStr[HIDS_FLSIZE] = NULL; /* Event log is not open */ if(!el->h) { return; } /* Reading the event log */ while(ReadEventLog(el->h, EVENTLOG_FORWARDS_READ|EVENTLOG_SEQUENTIAL_READ, 0, el->er, BUFFER_SIZE - 1, &read, &needed)) { if(!printit) { /* Setting er to the beginning of the buffer */ el->er = (EVENTLOGRECORD *)&mbuffer; continue; } while(read > 0) { /* We need to initialize every variable before the loop */ category = GetELCategory(el->er->EventType); source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD)); computerName = source + strlen(source) + 1; descriptiveMsg = NULL; /* Getting event id. */ id = (int)el->er->EventID & _evtid; /* Initialing domain/user size */ usrSize = 255; domainSize = 255; elDomain[0] = '\0'; elUsr[0] = '\0'; /* We must have some description */ if(el->er->NumStrings) { sizeLeft = HIDS_MAXSTR - 1024; sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset); elStr[0] = '\0'; for (nstr = 0;nstr < el->er->NumStrings;nstr++) { strSize = strlen(sstr); if(sizeLeft > 1) { strncat(elStr, sstr, sizeLeft); } strTmp = strchr(elStr, '\0'); if(strTmp) { *strTmp = ' '; strTmp++; *strTmp = '\0'; } else { printf("Log Collector: Invalid application string (size+)"); } sizeLeft-=strSize + 2; if(nstr <= 92) { elSStr[nstr] = (LPSTR)sstr; elSStr[nstr +1] = NULL; } sstr = strchr((LPSTR)sstr, '\0'); if(sstr) sstr++; else break; } /* Get a more descriptive message (if available) */ descriptiveMsg = GetELMsg(el->er, el->name, source, elSStr); if(descriptiveMsg != NULL) { /* Remove any \n or \r */ /* Replace tabs from the argument field to spaces. * So whenever we have option:\tvalue\t, it will * become option: value\t */ strTmp = descriptiveMsg; while(*strTmp != '\0') { if(*strTmp == '\n') *strTmp = ' '; else if(*strTmp == '\r') *strTmp = ' '; else if((*strTmp == ':') && (strTmp[1] == '\t')) { strTmp[1] = ' '; strTmp++; } strTmp++; } } } else { strncpy(elStr, "(no message)", 128); } /* Getting username */ if(el->er->UserSidLength) { SID_NAME_USE account_type; if(!LookupAccountSid(NULL, (SID *)((LPSTR)el->er + el->er->UserSidOffset), elUsr, &usrSize, elDomain, &domainSize, &account_type)) { strncpy(elUsr, "(no user)", 255); strncpy(elDomain, "no domain", 255); } } else { strncpy(elUsr, "(no user)", 255); strncpy(elDomain, "no domain", 255); } if(printit) { DWORD _evtid = 65535; int id = (int)el->er->EventID & _evtid; finalMsg[HIDS_MAXSTR - HIDS_LOG_HEADER] = '\0'; finalMsg[HIDS_MAXSTR - HIDS_LOG_HEADER -1] = '\0'; printf("WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s\n", el->name, category, id, source, elUsr, elDomain, computerName, descriptiveMsg != NULL?descriptiveMsg:elStr); /*send msg to server ................... ................... */ } if(descriptiveMsg != NULL) { LocalFree(descriptiveMsg); } /* Changing the point to the er */ read -= el->er->Length; el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length); } /* Setting er to the beginning of the buffer */ el->er = (EVENTLOGRECORD *)&mbuffer; } id = GetLastError(); if(id == ERROR_HANDLE_EOF) { return; } /* Event log was cleared. */ else if(id == ERROR_EVENTLOG_FILE_CHANGED) { printf("Log Collector: WARN: Event log cleared: '%s'", el->name); /* Closing the event log and reopenning. */ CloseEventLog(el->h); el->h = NULL; /* Reopening. */ if(StartEL(el->name, el) < 0) { printf("Log Collector: ERROR: Unable to reopen event log '%s'", el->name); } } else { printf("Log Collector: WARN: Error reading event log: %d", id); } } int main() { HIDSEL hidsEL[3]; int a,b,c; a = StartEL("System",&hidsEL[0]); //b = StartEL("Security",&hidsEL[1]); //c = StartEL("Application",&hidsEL[2]); ReadEL(&hidsEL[0],1); //ReadEL(&hidsEL[1],1); //ReadEL(&hidsEL[2],1); system("pause"); return 0; }
发表评论
-
OSSEC an open source HIDS --- Decode
2009-03-31 23:21 0To be continue... -
OSSEC an open source HIDS --- Log Analysised ( 2 )
2009-03-26 17:13 4315承接自上文 OSSEC an open source HIDS ... -
OSSEC an open source HIDS --- Log Analysised ( 1 )
2009-03-26 17:10 2741OSSEC最基本的功能就是日志分析。 ... -
OSSEC an open source HIDS --- OverView
2009-03-26 14:34 2247OSSEC 是一个开源的基于主机的入侵检测系统。 ...
相关推荐
ossec-hids-1.6 HIDS ossec
带有PCRE2的OSSEC 3.3.0,解压之后可以直接运行install.sh安装
OSSEC是一款开源的基于主机的入侵检测系统,可以简称为HIDS。它具备日志分析,文件完整性检查,策略监控,rootkit检测,实时报警以及联动响应等功能。它支持多种操作系统:Linux、Windows、MacOS、Solaris、HP-UX、...
ossec官方源码,3.6.0最新版本,编译后用于安装linux下的server和agent,方便部署,可本地自行编译成多平台的可执行程序
ossec用于安装在linux主机,可以安装服务器版本和代理版本。用于检测攻击行为,文件系统变化,收集系统日志等。
ossec入侵检测搭建部署,第三方web管理ossec-wui0.9版本
更改目录cd OSSEC-ELK-Application-Servers-Setup 生成ssh密钥。 您可以将其保存在首选文件中。 ssh-keygen 使用上面生成的ssh密钥的正确路径更新Vagrantfile。 在第19行(私钥)和第20行(公钥)。 我将文件另存...
ossec 开源主机威胁检测工具,可以用于在windows系统上收集日志信息,检测攻击行为及文件系统变化等。
这些是用于创建OSSEC-HIDS 2.8版debian软件包的文件,这些文件包含在ossec.net网站和WAZUH存储库中。 您可以在以下位置找到这些软件包: 或直接在以下: : 这些文件可以构建两个不同的程序包: ossec-hids:...
WINDOWS下配合OSSEC SERVER的agent,安装方便,与Server段联合使用,可以实现多平台的SEIM功能
WAZUH-OSSEC:WAZUH-开源安全平台安装
OSSEC is a full platform to monitor and... It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution.
OSSEC & OSSIM Unified Open Source Security开源安全框架精要PPT 内容:Why OSSIM ,OSSIM Architecture,OSSIM Embedded Tools,OSSIM Collectors ,OSSIM Collector Anatomy,OSSIM Threat assessment ,OSSIM ...
作为一款HIDS,OSSEC应该被安装在一台实施监控的系统中。另外有时候不需要安装完全版本得OSSEC,如果有多台电脑都安装了OSSEC,那么就可以采用客户端/服务器模式来运行。客户机通过客户端程序将数据发回到服务器端...
OSSEC HIDS的主要功能有日志分析、完整性检查、rootkit检测、基于时间的警报和主动响应。除了具有入侵检测系统功能外,它还一般被用在SEM/SIM(安全事件管理(SEM: Security Event Management)/安全信息管理(SIM...
它在一个简单,功能强大且开源的解决方案中将HIDS(基于主机的入侵检测),日志监视和SIM / SIEM的所有方面结合在一起。 访问我们的网站以获取最新信息。 最新发行 ossec网站上提供了当前的稳定版本。 可以从...
当网站源文件更新后,对于该存储库发出拉取请求时,它们将由Travis从ossec / ossec-docs存储库自动构建。 请勿更改此REPO中的文件。 如果要更新网站,请编辑ossec / ossec-docs中的文件,然后让Travis进行其余操作...
Logstash, OSSEC + Logstash + Elasticsearch + Kibana OSSEC使用 LOGSTASH - ELASTICSEARCH - KIBANA 管理 OSSEC警报管理现在是Magento安装脚本的一部分。 https://github.com/magenx/Magento-Automat
ansible-ossec-agent Ansible角色,用于安装和配置OSSEC HIDS代理。 要求 Ansible 2.9.9或更高
dj-wasabi.ossec-agent 该角色将在服务器上安装并配置ossec-agent。 当配置了参数ossec_server_name ,它将使操作延迟以自动验证代理。 生成状态: 要求 该角色将在以下方面工作: 红色的帽子 的Ubuntu 德比安 ...