威脅獵殺實戰（一）：平臺

Linux命令 ApacheKafka Logstash · 發表 2018-09-10 11:27:44

摘要：在國內Threat Hunting常被翻譯成威脅追蹤或威脅狩獵，我們認為：“未知攻焉知防，未知防焉知攻”。藍方並不一定要處於被動防守的狀態，完全可以主動獵殺對手！本文是威脅獵殺實戰系列的第一篇，按照本文的操作步驟，只需幾次Copy&Paste即可搭建一套基於Elastic Sta...

在國內Threat Hunting常被翻譯成威脅追蹤或威脅狩獵，我們認為：“未知攻焉知防，未知防焉知攻”。藍方並不一定要處於被動防守的狀態，完全可以主動獵殺對手！

本文是威脅獵殺實戰系列的第一篇，按照本文的操作步驟，只需幾次Copy&Paste即可搭建一套基於Elastic Stack的威脅獵殺平臺。在後面的文章我們會進一步完善我們的平臺。

NSM架構

1.部署Elastic Stack（容器化）

$ echo "nameserver 9.9.9.9" > /etc/resolv.conf
$ git clone https://github.com/Zer0d0y/docker-elk.git
$ docker-compose build && docker-compose up -d
訪問Kibana web UI：http://localhost:5601
完整指南參考
https://github.com/Zer0d0y/docker-elk

2.部署Bro

2.1 安裝

方式一：使用官方提供的Binary軟體包

Ubuntu 16.04：
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Install_Bro_from_binary.sh$ chmod +x Install_Bro_from_binary.sh
&& ./Install_Bro_from_binary.sh

Bro repository提供5個Binary軟體包：

Bro，包含meta-package
bro-core，包含Bro core和scripts
broctl，包含Bro control
libbroccoli和libbroccoli-dev，包含libbroccoli及其開發標頭檔案

Ubuntu 16.04：
$ wget -nv http://download.opensuse.org/repositories/network:bro/xUbuntu_16.04/Release.key -O Release.key
$ sudo apt-key add - < Release.key
$ sudo apt-get update
$ sudo sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list"
$ sudo apt-get update
$ sudo apt-get install bro
# 注意：官方同時提供nightly binary builds：https://www.bro.org/download/nightly-packages.html

方式二：原始碼安裝

依賴軟體包：

$ cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

其他依賴軟體包（可選）：

參考：https://www.bro.org/sphinx/install/install.html#id6

Ubuntu 16.04：
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Install_Bro_from_source.sh
$ chmod +x Install_Bro_from_source.sh && ./Install_Bro_from_source.sh# 
注意：也可以安裝Bro開發版：https://www.bro.org/sphinx/install/install.html#id9

方式三：容器化方式（Docker）

參考：https://github.com/bro/bro-docker

2.2 配置

2.2.1 Bro配置檔案

$PREFIX == 預設值：/opt/bro或/usr/local/bro
配置監聽網路介面：$PREFIX/etc/node.cfg
配置本地網路地址：$PREFIX/etc/networks.cfg
主配置檔案：$PREFIX/etc/broctl.cfg
# 完整配置參考：https://www.zer0d0y.info/post/Bro-plus-ELK/

2.2.2 使用systemd管理Bro

# 修改Bro介面名稱
$ INAME=$(ip -o link show | sed -rn '/^[0-9]+: en/{s/.: ([^:]*):.*/\1/p}')
$ sed -i "s/eth0/$INAME/g" /usr/local/bro/etc/node.cfg
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Bro_systemd.service -O /etc/systemd/system/bro.service
$ systemctl daemon-reload
$ systemctl enable bro
$ systemctl start bro

3.整合Elastic Stack，[Kafka]和Bro

3.1 Bro日誌101

conn.log -- IP, TCP, UDP, ICMP
dhcp.log -- DHCPdns.log -- DNS查詢/響應
ftp.log -- FTP請求/響應
http.log -- HTTP請求/響應
files.log -- 檔案還原
mysql.log -- MySQL
irc.log -- IRC
radius.log -- RADIUS認證
kerberos.log -- Kerberos認證
sip.log -- SIP協議
smtp.log -- SMTP事務
ssl.log -- SSL握手
ssh.log -- SSH握手
syslog.log -- Syslog訊息
tunnel.log -- 封裝隧道的細節
Microsoft相關的日誌
dce_rpc.log -- DCE/RPC訊息
ntlm.log -- NTLMrdp.log -- 遠端桌面 (RDP)
smb_files.log -- SMB檔案傳輸
smb_mapping.log -- SMB管道

# 詳細解釋：https://github.com/corelight/bro-cheatsheets

3.2 使用Elastic Stack直接處理Bro的csv格式日誌

# 注意事項
1.埠開放（--> 防火牆）：
elasticsearch:9200
Logstash:5044
Kibana:5061

2."index => "bro_logs-%{+YYYY.MM.dd}"",其中index名稱必須小寫
3.建立Index Patterns前必須有對應Bro的日誌，否則會導致Field不全
# 注意事項

# 軟體環境
Elastic Stack 6.4
bro version 2.5.4


# 方式一：使用Filebeat處理Bro日誌，
資料流：
Bro --> Filebeat --> ELK(Logstash)


1.安裝Filebeat

Ubuntu 16.04：
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Install_Filebeat.sh
$ chmod +x Install_Filebeat.sh && ./Install_Filebeat.sh

2.配置ELK(Logstash)接收來自FileBeat收集的Bro日誌
# 注意：此命令在ELK主機上執行
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Deploy_Bro_Filebeat_Logstash.sh
$ chmod +x Deploy_Bro_Filebeat_Logstash.sh && ./Deploy_Bro_Filebeat_Logstash.sh
$ sed -i 's/8.8.8.8/ELK IP/g' Bro_Filebeat_Logstash.conf
$ systemctl start logstash.service


3.配置Filebeat處理Bro日誌
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Deploy_Filebeat.sh
$ chmod +x Deploy_Filebeat.sh && ./Deploy_Filebeat.sh
$ sed -i 's/8.8.8.8/ELK logstash IP/g' /etc/filebeat/filebeat.yml
$ service filebeat start

4.訪問Kibana web UI：http://localhost:5601，新增"Index Patterns"
正常情況下，欄位(Fields) >= 218


# 方式二：使用Logstash處理Bro日誌，
資料流：
Bro --> Logstash --> ELK(Elasticsearch)

1.安裝Logstash
Ubuntu 16.04：
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Install_Logstash.sh
$ chmod +x Install_Logstash.sh && ./Install_Logstash.sh

2.配置Logstash處理Bro日誌
# 注意：如ELK和Bro不在同一臺伺服器上，需要修改配置檔案中elasticsearch的值，如： hosts => ["ELK IP:9200"]
# sed -i 's/localhost/ELK IP/g' bro*.conf

$ cd /etc/logstash/conf.d
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Deploy_Logstash.sh
$ chmod +x Deploy_Logstash.sh && ./Deploy_Logstash.sh
$ rm -f Deploy_Logstash.sh

3.訪問Kibana web UI：http://localhost:5601，新增“Index Patterns”

# 除錯&排錯
## Logstash
$ mkdir -p /root/xxx/logs && cd /root/xxx
$ /usr/share/logstash/bin/logstash -f xxx.conf --path.logs /root/xxx/logs --log.level=debug --config.debug --config.test_and_exit

$ /usr/share/logstash/bin/logstash -f nmap-logstash.conf --path.logs /root/xxx/logs/ --log.level=debug --config.debug 2>&1 | tee /root/xxx/logs/101
## FileBeat
$ filebeat -e -d "*" -c /etc/filebeat/filebeat.yml

# 容器化ELK專案對應配置（https://github.com/Zer0d0y/docker-elk）
1.docker-elk/docker-compose.yml
logstash:
ports:
- "5044:5044"

2.docker-elk/logstash/pipeline/bro_logs.conf
3.docker-compose build

3.3 使用Elastic Stack + Kafka處理Bro的json格式日誌

資料流：Bro --> Kafka --> Logstash --> ELK(Elasticsearch)

3.3.1 安裝Kafka

# 軟體環境：
# Ubuntu 16.04
# Elastic Stack 6.4
# Bro 2.5.5
# Kafka 2.12
# librdkafka-0.9.4

# 1.安裝Kafka
# 建立臨時目錄
mkdir /src && cd /src

# 下載&驗證kafka
wget https://archive.apache.org/dist/kafka/1.0.0/kafka_2.12-1.0.0.tgz
wget https://archive.apache.org/dist/kafka/1.0.0/kafka_2.12-1.0.0.tgz.asc
gpg --recv-keys3B417B9B 
gpg -v kafka_2.12-1.0.0.tgz.asc

# 安裝&啟動kafka服務
tar -xf kafka_2.12-1.0.0.tgz
sudo mv kafka_2.12-1.0.0 /opt/kafka
sudo sed -i '/^log.dirs/{s/=.*//;}' /opt/kafka/config/server.properties
sudo sed -i 's/^log.dirs/log.dirs=\/var\/lib\/kafka/' /opt/kafka/config/server.properties
sudo sed -i '$alisteners=bro://BRO所在機器的IP地址:9092' /opt/kafka/config/server.properties 

cat > /etc/systemd/system/kafka.service << EOF
[Unit]
Description=Kafka Service
Wants=network.target
After=zookeeper.target

[Service]
ExecStart=/opt/kafka/bin/kafka-server-start.sh /opt/kafka/config/server.pr
ExecReload=on-failure
Restart=always
User=root
Group=root
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target
EOF

# 
sudo apt-get -y install zookeeperd
sudo systemctl enable zookeeper 
sudo systemctl start zookeeper
sudo systemctl daemon-reload
sudo systemctl enable kafka 
sudo systemctl start kafka

3.3.2 安裝kafka外掛（metron-bro-plugin-kafka）

## 安裝librdkafka
curl -L https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz | tar
cd librdkafka-0.9.4/ 
./configure --enable-sasl 
make 
sudo make install 
## 構建外掛
### 先安裝Bro 2.5.5
cd /src
wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Install_Bro_from_source.sh
chmod +x Install_Bro_from_source.sh && ./Install_Bro_from_source.sh


git clone https://github.com/apache/metron-bro-plugin-kafka.git
cd metron-bro-plugin-kafka
./configure --bro-dist=/src/bro-2.5.5/
make 
sudo make install
## 驗證
/usr/local/bro/bin/bro -N Apache::Kafka

3.3.3 配置Bro把日誌傳送到Kafka

$ vi /usr/local/bro/share/bro/site/local.bro
@load /usr/local/bro/lib/bro/plugins/APACHE_KAFKA/scripts/Apache/Kafka/logs-to-kafka.bro
redef Kafka::topic_name = "";
redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG, SMTP::LOG, SSL::LOG, Software::LOG, DHCP::LOG, FTP::LOG, IRC::LOG, Notice::LOG, X509::LOG, SSH::LOG,
redef Kafka::kafka_conf = table(["metadata.broker.list"] = "BRO所在機器的IP地址:9092");
redef Kafka::tag_json = T;

3.3.4 配置Logstash接收Kafka日誌

## 先安裝Logstash
$ wget https://github.com/tianyulab/Threat_Hunting_with_ELK/raw/master/Bro/Install_Logstash.sh
$ chmod +x Install_Logstash.sh && ./Install_Logstash.sh
$ echo config.reload.automatic: true |sudo tee -a /etc/logstash/logstash.yml
$ echo config.reload.interval: 3s |sudo tee -a /etc/logstash/logstash.yml
# 以Bro conn日誌為例：
$ cat > /etc/logstash/conf.d/bro-conn.conf << EOF
input {
kafka {
topics => ["conn"]
group_id => "bro_logstash"
bootstrap_servers => "10.42.94.92:9092"
codec => json
type => "conn"
auto_offset_reset => "earliest"
}
}

output {
if [type] == "conn" {
elasticsearch {
hosts => ["192.168.8.112:9200"]
index => "bro-conn-%{+YYYY.MM.dd}"
}
}
}
EOF

3.3.5 一鍵部署指令碼

$ wget 
# 修改10.42.94.92 --> 為Kafka監聽IP
$ sed -i 's/10.42.94.92/Kafka監聽IP/g' Deploy_Kafka_for_Bro.sh
# 修改192.168.8.112 --> 為Elasticsearch監聽IP
$ sed -i 's/192.168.8.112/Elasticsearch監聽IP/g' Deploy_Kafka_for_Bro.sh
# 修改"BRO所在機器的IP地址"為BRO所在機器的IP地址
$ sed -i 's/BRO所在機器的IP地址/BRO所在機器的IP地址/g' Deploy_Kafka_for_Bro.sh
$ sh -x Deploy_Kafka_for_Bro.sh

# 驗證
$ sudo systemctl status zookeeper
$ sudo systemctl status kafka
$ systemctl status logstash
$ /usr/local/bro/bin/bro -N Apache::Kafka
$ /usr/local/bro/bin/broctl status
$ netstat -tunlp| grep -E '2181|9092|9600'

# 安裝過程排錯
$ watch tail log.out
$ cat log.out | grep error
$ cat log.out | grep -B 10 "Configuring incomplete, errors occurred"
$ cat log.out | grep -i "cd librdkafka-0.9.4" -A 50 | more

# Kafka 排錯
$ apt-get install kafkacat
$ kafkacat -b 192.168.8.115:9092 -t http -o end # "http"為Bro的kafka外掛定義的"topics"
或
$ /opt/kafka/bin/kafka-console-consumer.sh --bootstrap-server 192.168.8.115:9092 --topic http

致謝：

@HardenedLinux 團隊

@Rock NSM團隊

@Security Onion團隊