Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- wazuh [2025/03/20 09:37]
+++ wazuh [2025/03/28 14:54] (aktuell)
@@ Zeile 1: / Zeile 1: @@
+Wazuh ist eine Open Source Sicherheitsplattform, die Unternehmen dabei unterstützt, ihre IT Infrastruktur zu überwachen, Bedrohungen zu erkennen und darauf zu reagieren. Die Software bietet eine umfassende Suite von Funktionen, darunter Log- und Event-Management, Intrusion Detection, Compliance-Management und Security Information and Event Management ([[SIEM]]).
+<code>
+vie-srv-dc01
+vie-srv-fs04
+vie-srv-fs03
+vie-srv-dc02
+vie-srv-lb00
+vie-srv-ex02
+vie-srv-ex01
+vie-srv-gts03
+vie-srv-gts04
+vie-p-srv-fw01
+vie-p-srv-fw02
+vie-p-srv-fw03
+vie-t-srv-fw01
+vie-srv-infra01
+vie-srv-ca01
+vie-t-srv-audit
+vie-p-srv-at01
+vie-p-srv-at02
+vie-p-srv-at03
+vie-p-srv-mb01
+vie-p-srv-mb02
+vie-p-srv-mb03
+vie-p-srv-mb04
+vie-p-srv-ps00
+vie-p-srv-wsy02
+vie-srv-smct01
+vie-p-srv-rg24
+vie-srv-au01
+vie-srv-dvo02
+VIE-SRV-EBK02
+vie-srv-db04
+vie-srv-db05
+vie-srv-dmzfs03
+vie-srv-dmzfs02
+vie-nb-gbi016
+vie-srv-epm00
+VIE-SRV-EPM02
+vie-p-srv-flb01
+</code>
+Wazuh besteht aus mehreren Komponenten, darunter den Wazuh-Agenten, die auf den zu überwachenden Systemen installiert sind, dem Wazuh-Manager, der die Daten von den Agenten sammelt und analysiert, sowie dem Elastic Stack (früher bekannt als [[elk-stack|ELK Stack]]), der für die Speicherung und Visualisierung der Daten verwendet wird.
+Der Wazuh Manager ist das Herzstück des Systems und empfängt die Daten von den Agenten. Er analysiert die Informationen, erkennt Anomalien und Bedrohungen und generiert Warnmeldungen. Diese Warnmeldungen können in Echtzeit an Sicherheitspersonal gesendet werden, um schnelle Reaktionen zu ermöglichen.
+Wazuh unterstützt eine Vielzahl von Betriebssystemen, einschließlich [[Linux]], [[Windows]] und macOS. Es bietet auch die Möglichkeit, benutzerdefinierte Regeln zu erstellen, um spezifische Bedrohungen oder Compliance-Anforderungen abzudecken.
+<code>
+data.win.eventdata.lmPackageName = NTLM
+</code>
+=====Config=====
+====OSSec.conf====
+ossec.conf ist die Hauptkonfigurationsdatei des Wazuh-Managers. Ein Konfigurationsfehler kann den Start der Wazuh-Dienst verhindern. Die Datei gibt es auf dem Wazuh-Manager und dem Wazuh-Agent.
+Auf dem Wazuh-Manager unter
+<code>
+/var/ossec/etc/ossec.conf
+</code>
+Auf dem Wazuh-Agent unter
+^Plattform^Pfad^
+| Windows | C:\Program Files (x86)\ossec-agent\ossec.conf |
+| Linux/Unix | /var/ossec/etc/ossec.conf |
+| macOS | /Library/Ossec/etc/ossec.conf |
+Enable Vulnerability Scan
+<code>
+# In /var/ossec/etc/ossec.conf
+[...]
+<vulnerability-detector>
+    <enabled>yes</enabled>
+    [...]
+</code>
+===Beispiel===
+<code xml>
+<ossec_config>
+  <client>
+    <server>
+      <address>172.21.0.143</address>
+      <port>1514</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+    <enrollment>
+      <enabled>yes</enabled>
+      <groups>default</groups>
+    </enrollment>
+  </client>
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+<vulnerability-detector>
+   <enabled>yes</enabled>
+   <index-status>yes</index-status>
+   <feed-update-interval>60m</feed-update-interval>
+</vulnerability-detector>
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+    <scan_on_start>yes</scan_on_start>
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+</ossec_config>
+<ossec_config>
+  <localfile>
+    <log_format>apache</log_format>
+    <location>/var/log/nginx/access.log</location>
+  </localfile>
+  <localfile>
+    <log_format>apache</log_format>
+    <location>/var/log/nginx/error.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+</ossec_config>
+</code>
+====Agent.conf====
+Die agent.conf Datei ist ossec.conf sehr ähnlich, wird aber zur zentralen Verteilung von Konfigurationsinformationen an Agenten verwendet.
+Sie befindet sich auf dem Wazuh-Manager unter
+<code>
+/var/ossec/etc/shared/agent.conf
+</code>
+und ist von beginn an leer.
+=====CLI=====
+Managing Agents (interactive
+<code>
+/var/ossec/bin/manage_agents
+</code>
+Removing an agent from the manager
+<code>
+/var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID>
+</code>
+Restart the manager
+<code bash>
+sudo docker exec -it <wazuh-manager-container> /bin/bash
+service wazuh-manager restart
+</code>
+=====Ubuntu Docker Installation=====
+<code bash>
+# https://github.com/AlphaBravoCompany/wazuh-demo-server
+#!/bin/bash
+set -e
+G="\e[32m"
+E="\e[0m"
+if ! grep -q 'Ubuntu' /etc/issue
+  then
+    echo -----------------------------------------------
+    echo "Not Ubuntu? Could not find Codename Ubuntu in lsb_release -a. Please switch to Ubuntu."
+    echo -----------------------------------------------
+    exit 1
+fi
+## Update OS
+echo "Updating OS packages..."
+sudo apt update
+sudo apt upgrade -y
+## Install Prereqs
+echo "Installing Prereqs..."
+sudo apt-get update
+sudo apt-get install -y \
+apt-transport-https ca-certificates curl gnupg lsb-release \
+software-properties-common haveged bash-completion jq
+## Install Docker
+echo "Installing Docker..."
+sysctl -w vm.max_map_count=262144
+curl -sSL https://get.docker.com/ | sh
+systemctl start docker
+usermod -aG docker $USER
+## Install Docker Compose
+echo "Installing docker-compose..."
+curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+chmod +x /usr/local/bin/docker-compose
+## Install Wazuh Docker
+echo "Installing Wazuh..."
+git clone https://github.com/wazuh/wazuh-docker.git -b 4.3 --depth=1
+cd wazuh-docker/single-node
+docker-compose -f generate-indexer-certs.yml run --rm generator
+docker-compose up -d
+## Print Server Information and Links
+cd ../../
+touch ./server-details.txt
+echo -----------------------------------------------
+echo -e ${G}Install is complete. Please use the below information to access your environment.${E} | tee ./server-details.txt
+echo -e ${G}Wazuh UI:${E} https://this-host-ip | tee -a ./server-details.txt
+echo -e ${G}Wazuh Login${E}: admin/SecretPassword | tee -a ./server-details.txt
+echo Details above are saved to the file at ./server-details.txt
+echo -----------------------------------------------
+</code>
+=====Queries=====
+Siehe [[Elasticsearch]]
+[[https://opensearch.org/docs/latest/query-dsl/|Docs]], [[https://documentation.wazuh.com/current/user-manual/indexer-api/use-case.html]]
+====Match====
+Feld muss zutreffen
+<code>
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "match": {
+      "data.win.eventdata.authenticationPackageName": "NTLM"
+    }
+  }
+}
+</code>
+====Wildcard====
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "wildcard": {
+      "data.win.eventdata.authenticationPackageName": "NTLM"
+    }
+  }
+}
+====Bool Must====
+Beide Felder müssen zutreffen
+<code>
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "bool": {
+      "must": [
+        {
+          "match": {
+            "data.win.eventdata.authenticationPackageName": "NTLM"
+          }
+        },
+        {
+          "match": {
+            "data.win.system.eventID": "4624"
+          }
+        }
+      ]
+    }
+  }
+}
+</code>
+====Bool Should====
+should bedeutet, dass mindestens eine der Bedingungen erfüllt sein kann.
+Falls ein Dokument beide Bedingungen erfüllt, wird es höher gewichtet, aber es ist nicht zwingend erforderlich.
+Falls kein weiteres must- oder filter-Kriterium vorhanden ist, kann Elasticsearch hier auch alle Dokumente zurückgeben, selbst wenn keines der should-Bedingungen erfüllt ist.
+Problem: Ohne "minimum_should_match": 1 kann es vorkommen, dass du auch Ergebnisse bekommst, die keines der Kriterien erfüllen.
+<code>
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "bool": {
+      "should": [
+        {
+          "match": {
+            "data.win.eventdata.authenticationPackageName": "NTLM"
+          }
+        },
+        {
+          "match": {
+            "data.win.system.eventID": "4624"
+          }
+        }
+      ]
+    }
+  }
+}
+</code>
+Mindestens 2 Felder müssen zutreffen
+<code>
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "bool": {
+      "should": [
+        {
+          "match": {
+            "data.win.eventdata.authenticationPackageName": "NTLM"
+          }
+        },
+        {
+          "match": {
+            "data.win.system.eventID": "4624"
+          }
+        },
+        {
+          "match": {
+            "data.win.eventdata.logonType": "3"
+          }
+        }
+      ],
+      "minimum_should_match": 2
+    }
+  }
+}
+</code>
+====Bool Must Bool Should====
+<code>
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "bool": {
+      "must": [
+        {
+          "bool": {
+            "should": [
+              {
+                "match": {
+                  "data.win.eventdata.authenticationPackageName": "NTLM"
+                }
+              },
+              {
+                "match": {
+                  "data.win.system.eventID": "4624"
+                }
+              }
+            ],
+            "minimum_should_match": 1
+          }
+        }
+      ]
+    }
+  }
+}
+</code>
+Der äußere must stellt sicher, dass die innere should-Bedingung zwingend zutreffen muss.
+Die should-Bedingung innerhalb des bool-Blocks sorgt dafür, dass mindestens eine der Bedingungen zutreffen kann.
+Falls ein Dokument beide should-Bedingungen erfüllt, wird es höher gewichtet.
+Effekt: Diese Abfrage gibt nur Dokumente zurück, die mindestens eines der should-Kriterien erfüllen. Dokumente, die weder "authenticationPackageName": "NTLM" noch "eventID": "4624" enthalten, werden ausgeschlossen.
+<code>
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "size": 10,
+  "query": {
+    "bool": {
+      "must": [
+        {
+          "bool": {
+            "should": [
+              {
+                "match": {
+                  "data.win.eventdata.authenticationPackageName": "NTLM"
+                }
+              },
+              {
+                "match": {
+                  "data.win.system.eventID": "4624"
+                }
+              }
+            ],
+            "minimum_should_match": 1
+          }
+        },
+        {
+          "bool": {
+            "should": [
+              {
+                "match": {
+                  "data.win.eventdata.logonType": "3"
+                }
+              },
+              {
+                "match": {
+                  "data.win.eventdata.logonType": "10"
+                }
+              }
+            ],
+            "minimum_should_match": 1
+          }
+        }
+      ]
+    }
+  }
+}
+</code>
+^Abfrage^Bedeutung^Kann Ergebnisse ohne Treffer zurückgeben?^Mindestens eine Bedingung muss erfüllt sein?^
+|should direkt in bool|Beide Bedingungen sind optional, erhöhen aber das Ranking|Ja (falls kein minimum_should_match)|(Ergebnisse können auch ohne Übereinstimmung erscheinen)|
+|should innerhalb must|Mindestens eine should-Bedingung muss erfüllt sein|Nein|(Mindestens eine Bedingung muss passen)|
+====More====
+<code>
+GET /wazuh-alerts-4.x-2025.03.0*/_search
+{
+  "size": 10,
+  "query": {
+    "wildcard": {
+      "data.win.eventdata.authenticationPackageName": "NTLM"
+    }
+  }
+}
+GET /wazuh-alerts-4.x-2025.03.0*/_search
+{
+  "size": 10,
+  "query": {
+    "wildcard": {
+      "data.win.eventdata.authenticationPackageName": "NTLM"
+    }
+  },
+  "sort": [{ "@timestamp": "asc" }],
+  "search_after": ["2025-03-04T18:56:45.890+0000"]
+}
+GET /wazuh-alerts-4.x-2025.03.0*/_search
+{
+  "size": 10,
+  "query": {
+    "wildcard": {
+      "data.win.eventdata.authenticationPackageName": "NTLM"
+    }
+  },
+  "sort": [{ "@timestamp": "asc" }]
+}
+GET /wazuh-alerts-4.x-2025*/_search
+{
+  "query": {
+    "bool": {
+      "must": [
+        {
+          "match": {
+            "data.win.eventdata.targetUserName": "dom_docusnap"
+          }
+        },
+        {
+          "wildcard": {
+            "data.win.system.message": "*logged on*"
+          }
+        }
+      ]
+    }
+  }
+}
+</code>
+=====Paging=====
+[[todo]]
+=====Bash Script=====
+<code bash>
+#!/bin/bash
+# Wazuh Indexer URL und Authentifizierung
+WAZUH_INDEXER="https://172.21.0.143:9200"
+USERNAME="admin"
+PASSWORD="SecretPassword"
+# Anfrage ausführen
+curl -k -u "$USERNAME:$PASSWORD" -X GET "$WAZUH_INDEXER/wazuh-alerts-4.x-2025*/_search" -H "Content-Type: application/json" -d @- <<EOF
+{
+  "query": {
+    "bool": {
+      "must": [
+        {
+          "match": {
+            "data.win.eventdata.authenticationPackageName": "NTLM"
+          }
+        },
+        {
+          "match": {
+            "agent.name": "vie-srv-dc01"
+          }
+        }
+      ]
+    }
+  }
+}
+EOF
+</code>
+<code>
+bash wazuh-query.sh | jq -r '.hits.hits[]._source | (.data.win.eventdata.authenticationPackageName)'
+bash wazuh-query.sh | jq -r '.hits.hits[]._source | (.data.win.eventdata.lmPackageName)'
+bash wazuh-query.sh | jq -r '.hits.hits[]._source | (.agent.name)'
+bash wazuh-query.sh | jq -r '.hits.hits[]._source | (.data.win.system.eventID)'
+bash wazuh-query.sh | jq -r '.hits.hits[]._source | "[\(.agent.name)] \(.data.win.eventdata.targetUserName) - (\(.data.win.eventdata.ipAddress):\(.data.win.eventdata.ipPort)) - \(.data.win.eventdata.workstationName) - \(.data.win.eventdata.lmPackageName) "'
+</code>
+=====Python Client=====
+<code python>
+# pip install opensearch-py
+from opensearchpy import OpenSearch
+es = OpenSearch(
+    hosts=["https://localhost:9200"],
+    http_auth=("admin", "SecretPassword"),
+    verify_certs=False
+)
+query = {
+    "query": {"match_all": {}}
+}
+resp = es.search(index="wazuh-alerts-4.x-2025.03.20", body=query, size=1000)
+for hit in resp["hits"]["hits"]:
+    ts = hit["_source"].get("timestamp", "Kein Timestamp")
+    # Sicherstellen, dass die verschachtelten Keys existieren
+    data = hit["_source"].get("data", {})
+    win = data.get("win", {})
+    eventdata = win.get("eventdata", {})
+    targetUserName = eventdata.get("targetUserName", "---")
+    authenticationPackageName = eventdata.get("authenticationPackageName", "---")
+    print(ts, '-', targetUserName, '-', authenticationPackageName)
+</code>
+=====Links=====
+  * [[https://wazuh.com/|Homepage]]
+  * [[https://www.youtube.com/watch?v=5M3-ruCXVfY|Einführung in Wazuh]]
+  * [[https://www.youtube.com/watch?v=naOsPLpG19o|Vulnerabilities Overview]]
+  * [[https://www.youtube.com/watch?v=nSOqU1iX5oQ|Windows Monitoring using Sysmon & Wazuh]]
+  * [[https://www.youtube.com/watch?v=3CaG2GI1kn0|NetworkChuck]]

MBCDN

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge