Configuring Wazuh to analyse MySQL logs
1. First exclude the stock 0295-mysql_rules.xml
<!-- under the ruleset tag in ossec.conf -->
<rule_exclude>0295-mysql_rules.xml</rule_exclude>
2. Decoder configuration
<decoder name="mysql_log">
  <prematch>\d+ Connect|\d+ Query</prematch>
  <regex offset="after_prematch">Access denied for user '(\S+)'@'(\S+)'</regex>
  <order>user, srcip</order>
</decoder>
3. Configure the corresponding MySQL detection rules
In local_rules.xml:
<group name="mysql_log,">
  <rule id="50100" level="0">
    <decoded_as>mysql_log</decoded_as>
    <description>MySQL messages grouped.</description>
  </rule>
  <rule id="50105" level="3">
    <if_sid>50100</if_sid>
    <regex>\d+ Connect</regex>
    <description>MySQL: 用户$(dstuser)正在登陆.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>
  <rule id="50106" level="9">
    <if_sid>50105</if_sid>
    <match>Access denied for user</match>
    <description>MySQL: 用户$(dstuser)登陆失败.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="50107" level="10">
    <if_sid>50106</if_sid>
    <match>Access denied for user</match>
    <description>MySQL: 用户ling登陆失败.</description>
    <user>ling</user>
    <group>authentication_failed,</group>
  </rule>
  <rule id="50108" level="3">
    <if_sid>50100</if_sid>
    <match>select @@version_comment limit 1</match>
    <description>MySQL: 用户$(dstuser)登陆成功.</description>
    <group>authentication_success,mysql_query</group>
  </rule>
  <rule id="50109" level="7" frequency="3" timeframe="60" ignore="30">
    <if_matched_sid>50106</if_matched_sid>
    <different_user/>
    <description>MySQL: 相同IP: $(srcip), 不同User: $(dstuser)正在登陆.</description>
    <group>authentication_success,mysql_query,</group>
  </rule>
  <!-- Added: brute-force detection -->
  <rule id="561002" level="12" frequency="5" timeframe="30">
    <if_matched_sid>50106</if_matched_sid>
    <description>多次登录失败,疑似暴力破解,用户名:$(dstuser).</description>
    <group>attack,</group>
  </rule>
</group>
4. Restart Wazuh and test in logtest.
The result is:
13 Connect Access denied for user 'ling'@'192.168.84.1' (using password: YES)
**Phase 1: Completed pre-decoding.
full event: '13 Connect Access denied for user 'ling'@'192.168.84.1' (using password: YES)'
**Phase 2: Completed decoding.
name: 'mysql_log'
dstuser: 'ling'
srcip: '192.168.84.1'
**Phase 3: Completed filtering (rules).
id: '50107'
level: '10'
description: 'MySQL: 用户ling登陆失败.'
groups: '['mysql_log', 'authentication_failed']'
firedtimes: '8'
mail: 'False'
**Alert to be generated.
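The decoder from step 2 and the two composite rules from step 3 (50109 and 561002) can be sanity-checked offline before restarting Wazuh. The script below is an added example, not part of the original post or of Wazuh itself: it re-implements the prematch/regex extraction with Python's re module and a simplified sliding-window version of frequency/timeframe with <different_user/> (Wazuh's exact counting and the ignore="30" option are not reproduced), then replays a constructed sequence of general-log events that includes the line tested in logtest above.

```python
import re
from collections import defaultdict, deque
PREMATCH = re.compile(r"\d+ Connect|\d+ Query")                  # <prematch>
DENIED = re.compile(r"Access denied for user '(\S+)'@'(\S+)'")  # <regex offset="after_prematch">

def decode(line):
    """Model of decoder mysql_log: (dstuser, srcip) for an 'Access denied' event, else None."""
    m = PREMATCH.search(line)                               # the prematch must hit first
    d = DENIED.search(line[m.end():]) if m else None        # regex is applied after the prematch
    return (d.group(1), d.group(2)) if d else None          # <order>user, srcip</order>
class FrequencyRule:
    """Simplified frequency/timeframe window per srcip (ignore="30" is not modelled)."""
    def __init__(self, frequency, timeframe, different_user=False):
        self.frequency, self.timeframe, self.different_user = frequency, timeframe, different_user
        self.window = defaultdict(deque)
    def feed(self, ts, user, srcip):
        q = self.window[srcip]
        q.append((ts, user))
        while ts - q[0][0] > self.timeframe:                # drop events older than the timeframe
            q.popleft()
        # <different_user/> counts distinct users; otherwise every matched event counts
        count = len({u for _, u in q}) if self.different_user else len(q)
        if count < self.frequency:
            return False
        q.clear()                                           # counter restarts once the rule fires
        return True
def run(events, rules):
    """events: iterable of (epoch_seconds, raw_line); returns [(rule_id, ts, dstuser)]."""
    fired = []
    for ts, line in events:
        ev = decode(line)
        if ev:                            # only 'Access denied' events (rule 50106) feed the chain
            fired += [(rid, ts, ev[0]) for rid, r in rules.items() if r.feed(ts, *ev)]
    return fired

# Constructed sample: five failed logins from one source within 20 s, plus one benign query.
SAMPLE = [
    (0, "13 Connect Access denied for user 'root'@'192.168.84.1' (using password: YES)"),
    (5, "14 Connect Access denied for user 'admin'@'192.168.84.1' (using password: YES)"),
    (9, "15 Query select @@version_comment limit 1"),
    (10, "16 Connect Access denied for user 'ling'@'192.168.84.1' (using password: YES)"),
    (15, "17 Connect Access denied for user 'ling'@'192.168.84.1' (using password: YES)"),
    (20, "18 Connect Access denied for user 'ling'@'192.168.84.1' (using password: YES)"),
]
# Rules 50109 (3 different users / 60 s) and 561002 (5 failures / 30 s) from the page
RULES = {50109: FrequencyRule(3, 60, different_user=True), 561002: FrequencyRule(5, 30)}

if __name__ == "__main__":
    for rid, ts, user in run(SAMPLE, RULES):
        print(f"t={ts:>2}s rule {rid} fired (last user {user})")
```

With the sample above, 50109 fires at t=10 s (third distinct user from 192.168.84.1) and 561002 at t=20 s (fifth failure inside 30 s); the benign query line prematches but yields no fields, so it never feeds the chain.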