需求:
针对GrayLog的安全告警日志中的一些攻击IP,经常需要手工去微步在线情报社区去查恶意IP,为了提高效率,探索是否可以对IP进行自动化关联查询
思路:
1、GrayLog的LookupTable有HTTP JSONPATH这种方式,可以研究一下怎么使用
2、翻阅微步在线API接口文档以及一些常用的IP地址库接口API
3、结合GrayLog强大的可定制化的功能,探索是否可以实现想要的效果
解决过程与步骤:
1、微步在线API接口文档
2、curl命令测试
# Query ThreatBook's IP reputation endpoint for one IPv4 address (API_KEY is a placeholder).
# The apikey travels in the URL query string, so it ends up in shell history and in any
# proxy/web-server access logs along the way; treat the key like a credential when sharing output.
curl --verbose --request GET 'https://api.threatbook.cn/v3/scene/ip_reputation?apikey=API_KEY&resource=37.59.54.205'
# jq is only used to pretty-print the JSON response below.
yum install jq -y
curl --request GET 'https://api.threatbook.cn/v3/scene/ip_reputation?apikey=API_KEY&resource=37.59.54.205' | jq
3、GrayLog配置Lookup Tables
https://api.threatbook.cn/v3/scene/ip_reputation?apikey=API_KEY&resource=${key}
{
"data": {
"37.59.54.205": {
"severity": "low",
"judgments": [
"Scanner",
"IDC"
],
"tags_classes": [],
"basic": {
"carrier": "OVH SAS",
"location": {
"country": "France",
"province": "Ile-de-France",
"city": "Paris",
"lng": "2.345101",
"lat": "48.848483",
"country_code": "FR"
}
},
"asn": {
"rank": 2,
"info": "OVH, FR",
"number": 16276
},
"scene": "",
"confidence_level": "low",
"is_malicious": true,
"update_time": "2020-11-25 09:11:44"
}
},
"response_code": 0,
"verbose_msg": "OK"
}
IPv4 归属地,经纬度查询可以使用如下API接口
接口地址:https://api.ipplus360.com/ip/geo/v1/city/
请求方式:HTTPS GET/POST
请求示例:https://api.ipplus360.com/ip/geo/v1/city/?key=您申请的key&ip=您需要查询的ip&coordsys=WGS84
最后针对以上API接口配置的LookupTable如下
4、可以针对有公网IP字段调用以上接口并将查询结果保存为日志
以Linux服务器暴力破解攻击IP为例:将Linux服务器接入GrayLog后,使用正则表达式提取器提取出暴力破解来源IP,保存为ssh_login_failed_ip字段
Failed password for .* from(.+?)\s.?
然后使用LookupTable提取器,将IP经纬度结果转成字段
ip_geo_latitude Lookup Table
Trying to extract data from ssh_login_failed_ip into ssh_login_failed_ip_geo_latitude
ip_geo_longitude Lookup Table
Trying to extract data from ssh_login_failed_ip into ssh_login_failed_ip_geo_longitude
当然也可以调用IP威胁情报的LookupTable
ip_threatcheck Lookup Table
Trying to extract data from ssh_login_failed_ip into ssh_login_failed_ip_threatcheck
5、Pipeline配置
使用Pipeline拼接出经纬度地址位置字段
// Build a "lat,lng" string from the two coordinate fields that the ipplus360 lookup-table
// extractors wrote into ssh_login_failed_ip_geo_latitude / ssh_login_failed_ip_geo_longitude.
rule "GeoIP lookup: ssh_login_failed_ip"
when
  has_field("ssh_login_failed_ip_geo_latitude") and has_field("ssh_login_failed_ip_geo_longitude")
then
  // Both coordinates are coerced to strings and joined with a comma. Nothing is validated here,
  // so the combined value is only as trustworthy as the upstream lookup results.
  let latitude = to_string($message.ssh_login_failed_ip_geo_latitude);
  let longitude = to_string($message.ssh_login_failed_ip_geo_longitude);
  set_field("ssh_login_failed_ip_location", concat(concat(latitude, ","), longitude));
end
使用Pipeline配置生成IP威胁情报查询结果字段ssh_login_failed_ip_threatcheck_result
ip_threatcheck_result
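// Enrich each SSH failed-login event with the ThreatBook verdict for the source IP.
// "ipthreatcheck" is the HTTP/JSONPath lookup table configured above, so a key that is not
// already cached causes an outbound API call; the adapter's cache settings (not shown here)
// are what bound that request volume and API-key quota usage.
rule "IPThreatChecklookup: ssh_login_failed_ip"
when
  has_field("ssh_login_failed_ip")
then
  // lookup() returns the adapter's result for this key. The json_extractor configured later
  // parses ssh_login_failed_ip_threatcheck_result into fields prefixed ip_threatcheck_result_.
  let ip_threatcheck_result = lookup("ipthreatcheck", to_string($message.ssh_login_failed_ip));
  // The original debug(ip_threatcheck_result) call was removed: it wrote the full third-party
  // response into the Graylog server log for every matched message.
  set_field("ssh_login_failed_ip_threatcheck_result", ip_threatcheck_result);
end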
6、配置DashBoard显示攻击IP的经纬度
最终的效果
如上图所示:Zombie关键字搜索可以判定该攻击IP为僵尸傀儡机
地理位置为荷兰
Tips:
附上提取器的相关语法配置文件
{
"extractors": [
{
"title": "ip_geo_latitude",
"extractor_type": "lookup_table",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "ssh_login_failed_ip",
"target_field": "ssh_login_failed_ip_geo_latitude",
"extractor_config": {
"lookup_table_name": "ipplus360_lat"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "ip_geo_longitude",
"extractor_type": "lookup_table",
"converters": [],
"order": 2,
"cursor_strategy": "copy",
"source_field": "ssh_login_failed_ip",
"target_field": "ssh_login_failed_ip_geo_longitude",
"extractor_config": {
"lookup_table_name": "ipplus360_lng"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "ip_threatcheck",
"extractor_type": "lookup_table",
"converters": [],
"order": 3,
"cursor_strategy": "copy",
"source_field": "ssh_login_failed_ip",
"target_field": "ssh_login_failed_ip_threatcheck",
"extractor_config": {
"lookup_table_name": "ipthreatcheck"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "json_extractor",
"extractor_type": "json",
"converters": [],
"order": 4,
"cursor_strategy": "copy",
"source_field": "ssh_login_failed_ip_threatcheck_result",
"target_field": "",
"extractor_config": {
"flatten": false,
"list_separator": ", ",
"kv_separator": "=",
"key_prefix": "ip_threatcheck_result_",
"key_separator": "_",
"replace_key_whitespace": false,
"key_whitespace_replacement": "_"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "ssh_login_failed_ip_extractor",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "ssh_login_failed_ip",
"extractor_config": {
"regex_value": "Failed password for .* from(.+?)\\s.?"
},
"condition_type": "string",
"condition_value": "Failed password "
}
],
"version": "4.2.10"
}