
Deploying ClamAV on Linux and integrating OSSEC alerting

[root@server120 local]# yum install gcc openssl openssl-devel pcre pcre-devel clamav clamd -y

After installation, the signature database needs to be updated.
The updater is /usr/bin/freshclam.
The default configuration file is /etc/freshclam.conf, with the following content:

[root@localhost ossec]# grep -v '^$' /etc/freshclam.conf | grep -v '^#'
DatabaseDirectory /var/lib/clamav # location of the signature database
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
DatabaseOwner clam
DatabaseMirror db.local.clamav.net # mirror used for signature updates

Modify the configuration file as follows:

[root@localhost ossec]# grep -v '^$' /etc/freshclam.conf | grep -v '^#'
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseOwner clam
DatabaseMirror db.cn.clamav.net
DatabaseMirror db.local.clamav.net

Then update the signature database:

[root@localhost ossec]# /usr/bin/freshclam
[root@localhost clamav]# ll /var/lib/clamav/
total 341836
-rw-r--r-- 1 clam clam 693248 Jul 14 10:20 bytecode.cld
-rw-r--r-- 1 clam clam 41839208 Jul 14 10:20 daily.cvd
-rw-r--r-- 1 clam clam 307499008 Jul 14 10:03 main.cld
-rw------- 1 clam clam 156 Jul 14 10:22 mirrors.dat

daily.cld and daily.cvd hold the same content; daily.cvd is a compressed file and daily.cld is not.
freshclam checks whether there have been new updates since the last check; if so it downloads the diff file, and if the diff download fails it downloads a complete, up-to-date daily.cvd instead.

ClamAV also installs a daily cron job, /etc/cron.daily/freshclam, which updates the signature database every day:

LOG_FILE="/tmp/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clam.clam "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/lib/clamav" \
    --log="$LOG_FILE"


Once the signature database is updated, run the scan job.
The idea here is that OSSEC already ships a decoder and a rule file for ClamAV scan results.
etc/decoder.xml contains:

<decoder name="clamd">
  <program_name>^clamd</program_name>
</decoder>

<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>

rules/clam_av_rules.xml contains:

  <rule id="52502" level="8">
    <if_sid>52500</if_sid>
    <match>FOUND</match>
    <description>Virus detected</description>
    <group>virus</group>
  </rule>

From the decoder you can see that it matches on the program name in the syslog header being clamd, so an alert can only be parsed when the log is in syslog format, and the default -l option writes a non-syslog format, as the following test shows.
The test directory contains a few sample files; I copied a file taken during an earlier incident response into /tmp.

[root@localhost ossec]# /usr/bin/clamscan -i -r /tmp/ -l /var/log/clamav.log
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6300501
Engine version: 0.99.2
Scanned directories: 221
Scanned files: 95
Infected files: 1
Data scanned: 2.79 MB
Data read: 2.62 MB (ratio 1.06:1)
Time: 11.918 sec (0 m 11 s)

Looking at /var/log/clamav.log, the output is not in syslog format:

[root@localhost ossec]# cat /var/log/clamav.log

-------------------------------------------------------------------------------

/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6300501
Engine version: 0.99.2
Scanned directories: 221
Scanned files: 95
Infected files: 1
Data scanned: 2.79 MB
Data read: 2.62 MB (ratio 1.06:1)
Time: 11.918 sec (0 m 11 s)

Looking at /etc/clamd.conf, there is a LogSyslog parameter:

[root@localhost ossec]# cat /etc/clamd.conf | grep LogSys
LogSyslog yes

Syslog output can be enabled there, and by default it goes to local6, but testing showed that this configuration file is not loaded by default, so settings written into it take no effect; instead, logger is used here to emit syslog.
Modify the rsyslog configuration:

*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages # add local6.none
local6.notice /var/log/clamav.log

[root@localhost ossec]# service rsyslog restart
[root@localhost ossec]# /usr/bin/clamscan --infected -r /tmp -i | logger -it clamd -p local6.notice
[root@localhost ossec]# cat /var/log/clamav.log 
Jul 14 11:22:45 localhost clamd[1723]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
Jul 14 11:22:45 localhost clamd[1723]: 
Jul 14 11:22:45 localhost clamd[1723]: ----------- SCAN SUMMARY -----------
Jul 14 11:22:45 localhost clamd[1723]: Known viruses: 6300501
Jul 14 11:22:45 localhost clamd[1723]: Engine version: 0.99.2
Jul 14 11:22:45 localhost clamd[1723]: Scanned directories: 221
Jul 14 11:22:45 localhost clamd[1723]: Scanned files: 95
Jul 14 11:22:45 localhost clamd[1723]: Infected files: 1
Jul 14 11:22:45 localhost clamd[1723]: Data scanned: 2.79 MB
Jul 14 11:22:45 localhost clamd[1723]: Data read: 2.62 MB (ratio 1.06:1)
Jul 14 11:22:45 localhost clamd[1723]: Time: 11.950 sec (0 m 11 s)

Now have OSSEC monitor this file by adding the following configuration:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/clamav.log</location>
  </localfile>

[root@localhost ossec]# /var/ossec/bin/ossec-control restart

The resulting alert looks like this:

[root@localhost ossec]# tail -n 5 /var/ossec/logs/alerts/alerts.log 
** Alert 1500002954.2336: mail - clamd,freshclam,virus
2017 Jul 14 11:29:14 (192.168.192.1953) any->/var/log/clamav.log
Rule: 52502 (level 8) -> 'Virus detected'
Jul 14 11:29:14 localhost clamd[2077]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

Four further issues need to be considered.
1) How to whitelist signatures
Create a file named whitelist-signatures.ign2 in the signature database directory.
Using Dirty COW as an example, add the line: Unix.Exploit.CVE_2016_5195-2

2) Symlinked files: will they be scanned twice?

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -h
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)

0 means symlinks are not followed; 1 means the file must be passed to clamscan explicitly as an argument; 2 means symlinks are always followed. The default is 1.
Create a symlink to test:

[root@server120 tmp]# ln -s /tmp/makeudp /tmp/makeudp1 

With follow-file-symlinks=0, the symlinked file is not detected.

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=0 -r /tmp 
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With follow-file-symlinks=1 and without passing the file as an argument, the symlinked file is not detected.

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=1 -r /tmp 
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With follow-file-symlinks=1 and /tmp/makeudp passed as an argument, the symlinked file is detected.

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=1 -r /tmp /tmp/makeudp
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With follow-file-symlinks=2, the symlinked file is detected.

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=2 -r /tmp 
/tmp/makeudp1: Unix.Trojan.Agent-37008 FOUND
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

So by default symlinked files are not scanned.
3) Many machines have network storage mounted, and the storage directories need to be excluded.
They can be excluded with --exclude-dir='^/sys' (the option takes a regex).
To exclude mounts from servers whose address starts with 10 or 192, build the regex as shown below:

df -h | egrep '(^10\.|^192\.)' | awk '{print $6}' | sed 's/^/^/' | xargs | sed 's/ /|/g'

4) Because the cron job runs in the early hours every day, if the scan reaches a storage device it may well not finish within a day. The script therefore needs to check whether a scan is still running and skip the run if so; such over-long scans should also raise an alert, so a new OSSEC rule is added that alerts when the scan time exceeds 6 hours.
Add to rules/clam_av_rules.xml:

  <rule id="52510" level="7">
    <if_sid>52500</if_sid>
    <match>Time: </match>
    <regex>\(\d\d\d\d |\(4\d\d |\(5\d\d |\(6\d\d |\(7\d\d |\(8\d\d |\(9\d\d |\(36\d |\(37\d |\(38\d |\(39\d </regex>
    <description>ClamAV scan time over 6hours</description>
  </rule>

PS: writing the regex as \d{4} does not work here, nor does [1-9]; neither matches anything.
Then test the OSSEC alert with ossec-logtest:

Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)

**Phase 1: Completed pre-decoding.
       full event: 'Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)'
       hostname: 'localhost'
       program_name: 'clamd'
       log: 'Time: 11.888 sec (360 m 11 s)'

**Phase 2: Completed decoding.
       decoder: 'clamd'

**Phase 3: Completed filtering (rules).
       Rule id: '52510'
       Level: '7'
       Description: 'ClamAV scan time over 6hours'
**Alert to be generated.
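As an added example (not part of the original post), the two checks that rules 52502 and 52510 express, a FOUND line and a scan time of 360 minutes or more, implemented as a plain numeric comparison over constructed syslog lines in the format produced by "clamscan | logger -it clamd"; the whitelist set stands in for whitelist-signatures.ign2.

```python
import re

# Constructed sample lines (not real scan output) in the syslog format
# produced by "clamscan ... | logger -it clamd -p local6.notice".
SAMPLE_LOG = """\
Jul 14 11:22:45 localhost clamd[1723]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
Jul 14 11:22:45 localhost clamd[1723]: /tmp/makeudp1: Unix.Trojan.Agent-37008 FOUND
Jul 14 11:22:45 localhost clamd[1723]: /tmp/dirtycow: Unix.Exploit.CVE_2016_5195-2 FOUND
Jul 14 11:22:45 localhost clamd[1723]: Infected files: 3
Jul 14 11:22:45 localhost clamd[1723]: Time: 11.950 sec (0 m 11 s)
Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)
Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (1440 m 0 s)
"""

# Syslog header with program name clamd, as the OSSEC "clamd" decoder requires.
SYSLOG_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ clamd\[\d+\]: (?P<msg>.*)$')
# "<path>: <signature> FOUND", the line rule 52502 matches on.
FOUND_RE = re.compile(r'^(?P<path>.+?): (?P<sig>\S+) FOUND$')
# "Time: 11.888 sec (360 m 11 s)", the line rule 52510 matches on.
TIME_RE = re.compile(r'^Time: [\d.]+ sec \((?P<min>\d+) m (?P<sec>\d+) s\)$')

MAX_SCAN_SECONDS = 6 * 60 * 60  # the 6-hour threshold behind rule 52510


def parse_clamd_lines(text, whitelist=frozenset()):
    """Return (detections, long_scans) for syslog lines tagged clamd.

    detections: (path, signature) for each FOUND line whose signature is not
    whitelisted; long_scans: scan durations in seconds that reached the threshold.
    """
    detections, long_scans = [], []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a clamd syslog line; OSSEC would not decode it either
        msg = m.group('msg')
        f = FOUND_RE.match(msg)
        if f:
            if f.group('sig') not in whitelist:
                detections.append((f.group('path'), f.group('sig')))
            continue
        t = TIME_RE.match(msg)
        if t:
            seconds = int(t.group('min')) * 60 + int(t.group('sec'))
            if seconds >= MAX_SCAN_SECONDS:
                long_scans.append(seconds)
    return detections, long_scans


if __name__ == '__main__':
    print(parse_clamd_lines(SAMPLE_LOG, whitelist={'Unix.Exploit.CVE_2016_5195-2'}))
```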


The final cron job script is as follows:

#!/bin/bash

# Directories never scanned (regex passed to --exclude-dir)
WHITEDIR="^/proc/|^/sys/|^/data|^/test|/upload"

# Skip this run if a previous clamscan is still running
ps axu | grep clamscan | grep -v grep > /dev/null
if [[ $? == 0 ]]; then
       exit
fi

# Mount points served from 10.x / 192.x storage, joined into one regex
NFSDIR=$(df -h | egrep '(^10\.|^192\.)' | awk '{print $6}' | sed 's/^/^/' | xargs | sed 's/ /|/g')

# Append the storage mounts to the exclusion list (the original tested the undefined $NFS here)
if [[ -n $NFSDIR ]]; then
        WHITEDIR="${WHITEDIR}|${NFSDIR}"
fi
COMMAND="/usr/bin/clamscan -i --exclude-dir='${WHITEDIR}' -r / | logger -it clamd -p local6.notice"

if [ -f "/usr/bin/clamscan" ]; then
        eval $COMMAND &
fi