Background
The previous article briefly covered using ELK to display and analyse Nginx logs, but how do we monitor those logs? If someone attacks us, how do we find out immediately? This article shows how to monitor web attacks with the ELK stack. Straight to the tutorial:
Installing ElastAlert
1. Download and install ElastAlert

```shell
# Install the EPEL repository
yum -y install epel-release wget
# Install git (and gcc, needed to build dependencies)
yum -y install gcc git
# Install Python 3.6
yum -y install python36 python36-devel
# Set up a Python 3 virtual environment
python3.6 -m venv /opt/py3
source /opt/py3/bin/activate
cd /opt/
# Download ElastAlert
git clone https://github.com/Yelp/elastalert.git
cd elastalert
python setup.py install
pip install -r requirements.txt
cp config.yaml.example config.yaml
```
2. Configure config.yaml

```yaml
rules_folder: rules
# How often ElastAlert queries Elasticsearch
run_every:
  minutes: 1
# Size of the time window queried on each run; defaults to 15 minutes
buffer_time:
  minutes: 15
es_host: 192.168.21.158   # Elasticsearch host address
es_port: 9200             # Elasticsearch port
writeback_index: elastalert_status   # index in Elasticsearch where ElastAlert writes its own status records
writeback_alias: elastalert_alerts
# How long to keep retrying a failed alert
alert_time_limit:
  days: 2
```

After configuring, run:

```shell
elastalert-create-index
```
3. Configure alert rules
Create a rules directory and, inside it, create the YAML rule file webattack.yaml:

```yaml
name: web attack
realert:
  minutes: 5
type: frequency
num_events: 19
index: logstash-nginx*   # index prefix set in the logstash elasticsearch output
timeframe:
  minutes: 1
# Alert rule: events are matched by querying ES with this query_string
filter:
- query:
    query_string:
      # sql insert xss detect
      query: "request: select.+(from|limit) OR request: union(.*?)select OR request: into.+(dump|out)file OR request: (base64_decode|sleep|benchmark|and.+1=1|and.+1=2|or%20|exec|information_schema|where%20|union%20|%2ctable_name%20|cmdshell|table_schema) OR request: (iframe|script|body|img|layer|div|meta|style|base|object|input|onmouseover|onerror|onload) OR request: .+etc.+passwd OR http_user_agent:(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench) OR status: (400|404|500|501) NOT (request:_health.html OR remote_addr:222.222.222.222)"
# Alert configuration (e-mail). ElastAlert does not read SMTP credentials from the rule
# itself; they go in a separate YAML file with "user" and "password" keys that smtp_auth_file points to.
smtp_host: smtp.qiye.163.com
smtp_port: 25
smtp_auth_file: smtp_auth.yaml   # example path; the file holds "user: xxx@163.com" and "password: password"
# Reply-to address
email_reply_to: xxx@163.com
# Sender address
from_addr: xxx@163.com
alert:
- "email"
email:
- "xx@163.com"
# Alert body (kept in the original Chinese). In English: "Hello, server ({}) may be under web
# attack, please take measures to block it!!!! ### Requests matched before this e-mail was sent: {}
# > time of occurrence: {} > timestamp: {} > attacker's ip: {} > request: {} > status: {}
# > UA header: {} >>> source: {}"
alert_text: "你好,服务器({})可能正在受到web攻击,请采取手段阻止!!!! ### 截止发邮件前匹配到的请求数:{} > 发生时间: {} > timestamp:{} > attacker's ip: {} > request: {} > status:{} > UA头:{} >>> 参考来源:{}"
# Fields substituted into the {} placeholders above, in order
alert_text_args:
- host
- num_hits
- time
- "@timestamp"
- client_ip
- url
- status
- http_user_agent
- source
```
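Before pointing a rule like this at production logs it is worth seeing what its query matches. The following script is an added example (not from the original post or from ElastAlert): it transcribes the rule's request, user-agent and status patterns, its whitelist and its frequency threshold into Python and runs them over constructed Nginx access-log lines; the log lines, IP addresses and category labels are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed Nginx access-log sample (combined format), not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2018:08:07:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Jan/2018:08:07:05 +0000] "GET /_health.html HTTP/1.1" 404 0 "-" "curl/7.64"
203.0.113.9 - - [13/Jan/2018:08:07:06 +0000] "GET /dbadmin/scripts/setup.php?id=1'and 1=1 HTTP/1.0" 200 33 "-" "ZmEu"
203.0.113.9 - - [13/Jan/2018:08:07:07 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 33 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2018:08:07:08 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
222.222.222.222 - - [13/Jan/2018:08:07:09 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
10.0.0.7 - - [13/Jan/2018:08:07:10 +0000] "GET /css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'(?P<remote_addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<http_user_agent>[^"]*)"')
# (label, log field, regex) transcribed from the rule's query_string; the first match wins.
PATTERNS = [
    ("sqli", "request", r"select.+(from|limit)|union(.*?)select|into.+(dump|out)file"),
    ("sqli", "request", r"base64_decode|sleep|benchmark|and.+1=1|and.+1=2|or%20|exec|information_schema|where%20|union%20|%2ctable_name%20|cmdshell|table_schema"),
    ("xss", "request", r"iframe|script|body|img|layer|div|meta|style|base|object|input|onmouseover|onerror|onload"),
    ("lfi", "request", r".+etc.+passwd"),
    ("scanner-ua", "http_user_agent", r"HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench"),
]
SUSPICIOUS_STATUS = {"400", "404", "500", "501"}
WHITELIST_IPS, WHITELIST_PATH = {"222.222.222.222"}, "_health.html"  # the rule's NOT (...) clause

def classify(line):  # -> (timestamp, label) if the line matches the rule after the whitelist, else None
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if f["remote_addr"] in WHITELIST_IPS or WHITELIST_PATH in f["request"]:
        return None
    ts = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    for label, field, pat in PATTERNS:
        if re.search(pat, f[field], re.I):  # query_string on an analysed text field is case-insensitive
            return ts, label
    return (ts, "status") if f["status"] in SUSPICIOUS_STATUS else None

def matches(log_text):  # all (timestamp, label) pairs, in log order
    return [r for r in map(classify, log_text.splitlines()) if r]

def frequency_alert(log_text, num_events=19, timeframe_seconds=60):
    # ElastAlert frequency semantics: fire once at least num_events matches fall inside one timeframe
    times, start = sorted(ts for ts, _ in matches(log_text)), 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > timeframe_seconds:
            start += 1
        if end - start + 1 >= num_events:
            return True
    return False
```

Note that the sample's ordinary request for /css/style.css is flagged as "xss", because the rule's keyword list (style, img, base, input, ...) matches common path segments; with num_events set to 19 in one minute, such false positives inflate the count toward the threshold on busy sites, so tune the keyword list against a day of known-good traffic before relying on the alert.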
Start ElastAlert

```shell
nohup python -m elastalert.elastalert --verbose --rule rules/webattack.yaml >/dev/null 2>&1 &
```
Result
When requests match the custom attack rule, ElastAlert sends the alert by e-mail:

```text
web attack may be by 104.38.xx.xx at @[xx/xx/2020:16:06:58 +0800]
From xxx to xx
你好,服务器(xx.xx.xx.xx)可能正在受到web攻击,请采取手段阻止!!!!
### 截止发邮件前匹配到的请求数:20
> 发生时间: [xx/xx/2020:16:06:58 +0800]
> timestamp:2018-01-13T08:07:04.930Z
> attacker's ip: 184.233.9.121
> request: GET /dbadmin/scripts/setup.php?id=1'and 1=1 HTTP/1.0
> status:200
> UA头:ZmEu
>>> 参考来源:/var/log/nginx/access.log
```