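How to Monitor and Defend Against Malicious Web Attacks with the ELK Stack

Background

The previous article, "Analyzing and Visualizing Nginx Logs with the ELK Stack", briefly covered how to display and analyze Nginx logs in ELK. But how do we monitor those logs? If someone attacks us, how do we find out right away? This article describes how to monitor web attacks with the ELK stack. Straight to the tutorial: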

Installing ElastAlert

1. Download and install ElastAlert
Install the EPEL repository
yum -y install epel-release wget
Install git
yum -y install gcc git
Install Python 3.6
yum -y install python36 python36-devel
Set up a Python 3 virtual environment
python3.6 -m venv /opt/py3
source /opt/py3/bin/activate
cd /opt/
Download ElastAlert
git clone https://github.com/Yelp/elastalert.git
cd elastalert
python setup.py install
pip install -r requirements.txt
cp config.yaml.example config.yaml
2. Configure config.yaml
rules_folder: rules
run_every:  ## how often to send a query to Elasticsearch
  minutes: 1
buffer_time: ## range of the time field covered by each query; the default is 15 minutes
  minutes: 15
es_host: 192.168.21.158 ## Elasticsearch host address
es_port: 9200 ## Elasticsearch port
writeback_index: elastalert_status  ## index that ElastAlert creates in Elasticsearch for its own logs
writeback_alias: elastalert_alerts
alert_time_limit:  ## time limit for retrying failed alerts
  days: 2

Once the configuration is done, run

elastalert-create-index

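3. Configure the alert rule

Create a rules directory and, inside it, a new YAML rule file, webattack.yaml (the file name that the start command uses).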

name: web attack
realert:
  minutes: 5
type: frequency
num_events: 19
index: logstash-nginx*  # matches the index prefix of the elasticsearch output in the Logstash configuration
timeframe:
  minutes: 1

filter:
- query_string:   ## alert rule: matched by querying Elasticsearch
# SQL injection and XSS detection
        query: "request: select.+(from|limit) OR request: union(.*?)select OR request: into.+(dump|out)file OR
        request: (base64_decode|sleep|benchmark|and.+1=1|and.+1=2|or%20|exec|information_schema|where%20|union%20|%2ctable_name%20|cmdshell|table_schema) OR
        request: (iframe|script|body|img|layer|div|meta|style|base|object|input|onmouseover|onerror|onload) OR
        request: .+etc.+passwd OR http_user_agent:(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench) OR
        status: (400|404|500|501)
        NOT (request:_health.html OR remote_addr:222.222.222.222  )
        "
# Alert configuration
smtp_host: smtp.qiye.163.com
smtp_port: 25
user: xxx@163.com
password: password
# Reply-to address
email_reply_to: xxx@163.com
# Address the mail is sent from
from_addr: xxx@163.com
alert:
- "email"
email:
- "xx@163.com"
alert_text: |
  你好,服务器({})可能正在受到web攻击,请采取手段阻止!!!!
  ### 截止发邮件前匹配到的请求数:{}
  > 发生时间: {}
  > timestamp:{}
  > attacker's ip: {}
  > request: {}
  > status:{}
  > UA头:{}
  >>> 参考来源:{}
alert_text_args:
  - host
  - num_hits
  - time
  - "@timestamp"
  - client_ip
  - url
  - status
  - http_user_agent
  - source
Start ElastAlert
nohup python -m elastalert.elastalert --verbose --rule rules/webattack.yaml >/dev/null 2>&1 &
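
The frequency logic of the rule above, modelled offline as an added example (not code from the original article or from ElastAlert): it flags log lines with a subset of the rule's patterns and alerts once num_events matches fall within timeframe, suppressing repeats for the realert period. The nginx "combined" log format, the patterns rewritten as Python regexes, and the names suspicious, frequency_alerts and sample_lines are assumptions; the sample lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed log format: nginx "combined" access log.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Subset of the rule's request and User-Agent patterns, as Python regexes.
BAD_REQUEST = re.compile(r"select.+(from|limit)|union.*?select|into.+(dump|out)file"
                         r"|information_schema|and.+1=1|etc.+passwd", re.I)
BAD_UA = re.compile(r"sqlmap|nikto|zmeu|dirbuster|nmap|hydra|w3af|havij", re.I)

def suspicious(line):
    """Return (timestamp, client ip) when a line matches a pattern, else None."""
    m = LINE.match(line)
    if not m:
        return None  # malformed line: skip it instead of crashing
    if BAD_REQUEST.search(m["request"]) or BAD_UA.search(m["ua"]):
        return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]
    return None

def frequency_alerts(lines, num_events=19, timeframe=timedelta(minutes=1),
                     realert=timedelta(minutes=5)):
    """Return (time, hits) for each alert: num_events matches inside timeframe,
    with repeats suppressed for the realert period."""
    window, last_alert, alerts = deque(), None, []
    for line in lines:
        hit = suspicious(line)
        if hit is None:
            continue
        ts = hit[0]
        window.append(ts)
        while ts - window[0] > timeframe:  # drop hits older than the window
            window.popleft()
        if len(window) >= num_events and (last_alert is None or ts - last_alert >= realert):
            alerts.append((ts, len(window)))
            last_alert = ts
    return alerts

def sample_lines(count, ua="ZmEu", path="/dbadmin/scripts/setup.php?id=1'and 1=1"):
    """Constructed test data: one request per second from a documentation IP."""
    return [f'203.0.113.7 - - [01/Jan/2020:16:06:{i:02d} +0800] '
            f'"GET {path} HTTP/1.0" 200 512 "-" "{ua}"' for i in range(count)]

if __name__ == "__main__":
    for when, hits in frequency_alerts(sample_lines(30)):
        print(f"ALERT {when.isoformat()} hits={hits}")
```

With the rule's values, 18 matching requests in a minute stay silent and the 19th raises the single alert for that burst.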
Result

When the custom attack rule matches, ElastAlert sends the alert by email:

web attack may be by 104.38.xx.xx at @[xx/xx/2020:16:06:58 +0800]
xxx 发给 xx   
你好,服务器(xx.xx.xx.xx)可能正在受到web攻击,请采取手段阻止!!!!
### 截止发邮件前匹配到的请求数:20
> 发生时间: [xx/xx/2020:16:06:58 +0800]
> timestamp:2018-01-13T08:07:04.930Z
> attacker's ip: 184.233.9.121
> request: GET /dbadmin/scripts/setup.php?id=1'and 1=1 HTTP/1.0
> status:200
> UA头:ZmEu
>>> 参考来源:/var/log/nginx/access.log

 

Original link: https://vuesite.cn/10860.html. Please credit the source when reposting.