Wazuh can run a specified command on the agent host at a fixed interval and ship the output to the manager; rules written against that output can detect a reverse shell to some extent.
There are two common approaches: one identifies shell processes among the network connections listed by netstat, the other identifies the command-line signatures of reverse shell one-liners in the process list produced by ps. Both are used below.
1. Append the two command collectors below to /var/ossec/etc/ossec.conf on the agent and restart the agent (systemctl restart wazuh-agent). With <log_format>command</log_format> every line of the output becomes a separate event, which is what the line-oriented rules in step 2 expect (full_command would deliver the whole output as one event, and the ^ anchors in the rules would then only see its first line).
<ossec_config>
  <localfile>
    <!-- process list: user, pid and full command line; ps shows argv, so shell quoting is not visible here -->
    <log_format>command</log_format>
    <command>ps -eo user,pid,cmd</command>
    <frequency>60</frequency>
  </localfile>
  <localfile>
    <!-- TCP sockets with the owning process; keep -a so that outbound ESTABLISHED connections are listed,
         because a reverse shell connects out rather than listening -->
    <log_format>command</log_format>
    <command>netstat -anptl</command>
    <frequency>60</frequency>
  </localfile>
</ossec_config>
2. On the wazuh-manager add the rules below to /var/ossec/etc/rules/local_rules.xml and restart the manager (systemctl restart wazuh-manager). Rule 530 is the built-in parent rule for command output. Each command gets a level 0 rule that only selects its own output by the "ossec: output: '<command>'" prefix, and a child rule that does the actual matching. The <match> field uses the OSSEC regex syntax: | is OR, ^ anchors the start of the event and $ its end, everything else is a literal substring.
<group name="ossec,">
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'ps -eo user,pid,cmd'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>
  <!-- command-line signatures of common reverse shell one-liners. The patterns are literal substrings:
       "python3 -c ..." is not covered by "python -c ...", and a ps line such as "grep bash -i" matches too. -->
  <rule id="100051" level="15">
    <if_sid>100050</if_sid>
    <match>bash -i|dash -i|sh -i$|perl -e|perl -MIO -e|php -r|ruby -rsocket|xterm -display|Xnest |xhost |nc -e /bin/|lua -e require|python -c import socket|python -c import subprocess|python -c import os|python -c exec</match>
    <description>Reverse shell process detected.</description>
    <group>process_monitor,attacks</group>
  </rule>
  <rule id="100052" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'netstat -anptl'</match>
    <description>List of TCP sockets.</description>
    <group>process_monitor,</group>
  </rule>
  <!-- the level must be above 0, otherwise the rule matches but never produces an alert -->
  <rule id="100053" level="12">
    <if_sid>100052</if_sid>
    <match>/bash|/dash|/sh|/nc</match>
    <description>Shell process with an open TCP socket.</description>
    <group>process_monitor,attacks</group>
  </rule>
</group>
3. Launch a reverse shell from the agent host; within one collection interval (60 seconds here) the manager raises the alert.
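To see what the rule chain from step 2 does with real collector output before deploying it, the following added example (not part of the original page and not Wazuh's own code) emulates the if_sid chain and the <match> syntax in Python and runs it over constructed sample events. It assumes rule 530 behaves as a level 0 prefix match on "ossec: output: '", and it assumes level 12 for rule 100053 so that the netstat path can alert; the sample events are constructed, not captured from a system.

```python
import re

# Constructed events in the form wazuh-logcollector emits for
# <log_format>command</log_format>: one event per output line, prefixed
# with "ossec: output: '<command>': ". Not captured from a real host.
SAMPLE_EVENTS = [
    "ossec: output: 'ps -eo user,pid,cmd': root         1 /sbin/init",
    "ossec: output: 'ps -eo user,pid,cmd': www-data  2143 bash -i",
    "ossec: output: 'ps -eo user,pid,cmd': www-data  2150 python3 -c import socket,subprocess,os",
    "ossec: output: 'ps -eo user,pid,cmd': www-data  2151 python -c import socket,subprocess,os",
    "ossec: output: 'ps -eo user,pid,cmd': root      2201 grep bash -i",
    "ossec: output: 'netstat -anptl': tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd",
    "ossec: output: 'netstat -anptl': tcp 0 0 10.0.0.5:51234 203.0.113.7:4444 ESTABLISHED 2143/bash",
]

# The rule chain from the page. Rule 530 is modelled here as a level 0
# parent that matches the command-output prefix (assumption). Level 12 for
# rule 100053 is an assumption; a level of 0 would never alert.
RULES = [
    {"id": 530, "level": 0, "if_sid": None,
     "match": "^ossec: output: '", "description": "Wazuh command output"},
    {"id": 100050, "level": 0, "if_sid": 530,
     "match": "^ossec: output: 'ps -eo user,pid,cmd'",
     "description": "List of running processes."},
    {"id": 100051, "level": 15, "if_sid": 100050,
     "match": ("bash -i|dash -i|sh -i$|perl -e|perl -MIO -e|php -r|ruby -rsocket|"
               "xterm -display|Xnest |xhost |nc -e /bin/|lua -e require|"
               "python -c import socket|python -c import subprocess|"
               "python -c import os|python -c exec"),
     "description": "Reverse shell process detected."},
    {"id": 100052, "level": 0, "if_sid": 530,
     "match": "^ossec: output: 'netstat -anptl'",
     "description": "List of TCP sockets."},
    {"id": 100053, "level": 12, "if_sid": 100052,
     "match": "/bash|/dash|/sh|/nc",
     "description": "Shell process with an open TCP socket."},
]


def sregex_to_python(pattern):
    """Translate the subset of OSSEC regex used in <match> to a Python regex:
    '|' is alternation, a leading '^' anchors the start, a trailing '$' anchors
    the end, and everything else is a literal substring."""
    parts = []
    for alt in pattern.split("|"):
        head = tail = ""
        if alt.startswith("^"):
            head, alt = r"\A", alt[1:]
        if alt.endswith("$"):
            tail, alt = r"\Z", alt[:-1]
        parts.append(head + re.escape(alt) + tail)
    return re.compile("|".join(parts))


COMPILED = {rule["id"]: sregex_to_python(rule["match"]) for rule in RULES}


def evaluate(event):
    """Return the deepest rule that matches one event, walking the if_sid chain
    the way the manager does: a child is only tested once its parent matched.
    Returns None when not even rule 530 matches."""
    fired = set()
    result = None
    for rule in RULES:  # parents are listed before their children
        if rule["if_sid"] is not None and rule["if_sid"] not in fired:
            continue
        if COMPILED[rule["id"]].search(event):
            fired.add(rule["id"])
            result = rule
    return result


def alerts(events):
    """(rule id, level, event) for every event whose final rule level is > 0,
    i.e. the events that would show up as alerts."""
    out = []
    for event in events:
        rule = evaluate(event)
        if rule is not None and rule["level"] > 0:
            out.append((rule["id"], rule["level"], event))
    return out


if __name__ == "__main__":
    for rule_id, level, event in alerts(SAMPLE_EVENTS):
        print(f"rule {rule_id} level {level}: {event}")
```

Running it shows the two blind spots worth knowing about before trusting the rule set: the python3 one-liner (event 3) stops at rule 100050 and never alerts because the patterns are literal substrings, while the harmless "grep bash -i" process (event 5) alerts at level 15 exactly like the real "bash -i" (event 2). The ESTABLISHED connection owned by bash (event 7) is caught by the netstat path, and the sshd listener is correctly ignored because "/sshd" does not contain "/sh".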