
[Enterprise Security in Practice] Webshell monitoring with inotify and ssdeep

Installing ssdeep:

tar zxvf ssdeep-2.12.tar.gz
cd ssdeep-2.12
./configure
make
make install

or

yum install ssdeep

ssdeep options:

[root@zaojiasys_31 ~]# ssdeep -h
ssdeep version 2.13 by Jesse Kornblum
Copyright (C) 2014 Facebook

Usage: ssdeep [-m file] [-k file] [-dpgvrsblcxa] [-t val] [-h|-V] [FILES]
-m - Match FILES against known hashes in file
-k - Match signatures in FILES against signatures in file
-d - Directory mode, compare all files in a directory
-p - Pretty matching mode. Similar to -d but includes all matches
-g - Cluster matches together
-v - Verbose mode. Displays filename as its being processed
-r - Recursive mode
-s - Silent mode; all errors are supressed
-b - Uses only the bare name of files; all path information omitted
-l - Uses relative paths for filenames
-c - Prints output in CSV format
-x - Compare FILES as signature files
-a - Display all matches, regardless of score
-t - Only displays matches above the given threshold
-h - Display this help message
-V - Display version number and exit


Using ssdeep:
Compute the hash of the JSP China Chopper (caidao) webshell and save it to hash.txt:

[root@server120 tmp]# ssdeep -b webshell/caidao.jsp > hash.txt
[root@server120 tmp]# cat hash.txt 
ssdeep,1.1--blocksize:hash:hash,filename
96:i8sShQnlyxavFlyGHXZjaQY2lpI9kPEDGgH:PsHZVHNax2lpqrD5H,"caidao.jsp"

Then use this value to obtain a similarity score: copy the caidao shell to xxoo.jsp and compare it against hash.txt.

[root@server120 tmp]# ssdeep -bm hash.txt /tmp/webshell/xxoo.jsp 
xxoo.jsp matches hash.txt:caidao.jsp (100)

The similarity score is 100.
Now change the caidao shell's password to vinc and compare again:

[root@server120 tmp]# ssdeep -bm hash.txt /tmp/webshell/xxoo.jsp 
xxoo.jsp matches hash.txt:caidao.jsp (99)

The similarity score is now 99.
So for larger webshells, if only the password or the title has been changed, the similarity score is basically enough to identify the file as a webshell.
To show only files with a similarity score above 50:

ssdeep -t 50 -bm hash.txt webshell/xxoo.jsp

Download a webshell collection from GitHub, then build a hash library from all of its jsp, jspx and php files.

[root@server120 jspx]# find ./ -name "*.jspx" -exec cp {} /tmp/webshell/ \;
[root@server120 jsp]# find ./ -name "*.jsp" -exec cp {} /tmp/webshell/ \;
[root@server120 php]# find ./ -name "*.php" -exec cp {} /tmp/webshell/ \;

Build the hash library:

ssdeep -b /tmp/jsp/* > hash.txt

OSSEC alerting:
Edit ossec.conf on the agent and add:

  <localfile>
    <log_format>command</log_format>
    <command>ps axu | grep 'find /web/project/' | grep -v grep || find /web/project/ -path "$(df -h | grep -o '/web/project/.*')" -prune -o -name "*.jsp" -mmin -60 -size +10c -exec ssdeep -t 60 -bm /root/hash.txt {} \;</command>
    <frequency>3600</frequency>
  </localfile>

Here the command runs once an hour: find locates JSP files modified in the last 60 minutes and ssdeep compares each of them against the hash library. Two issues are taken into account:
1) If a find from the previous run is still executing, a new one is not started.
2) The find must exclude the mounted storage directory; we previously ran into a case where find traversing the storage made it unavailable. Also, find does not descend into symlinked directories, so even if a storage directory is symlinked into a project under /web/project, it has no effect.

Edit rules/ossec_rules.xml and add:

  <rule id="536" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: '/usr/local/bin/ssdeep</match>
    <regex>matches</regex>
    <description>Possible Webshell Found</description>
  </rule>
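As an added example (not code from the original post), the Python helper below parses the hash library format and the match lines shown above, applies the same 60-point cutoff as the OSSEC command, and checks the block-size constraint that decides whether ssdeep will score two signatures at all. The caidao.jsp signature is the one from the page; the tiny_shell.php signature and the sample match lines are constructed.

```python
import csv
import io
import re

# Shape of an `ssdeep -bm hash.txt FILE` hit, as shown on the page:
#   xxoo.jsp matches hash.txt:caidao.jsp (99)
MATCH_RE = re.compile(r"^(?P<file>.+?) matches (?P<db>.+?):(?P<known>.+?) \((?P<score>\d+)\)$")

# Constructed sample library: the first row is the caidao.jsp signature from the page,
# the second is a made-up signature standing in for a much smaller shell.
SAMPLE_LIBRARY = """ssdeep,1.1--blocksize:hash:hash,filename
96:i8sShQnlyxavFlyGHXZjaQY2lpI9kPEDGgH:PsHZVHNax2lpqrD5H,"caidao.jsp"
3:FAKEhash:FAKEhash,"tiny_shell.php"
"""

# Constructed sample of what the hourly find/ssdeep command could print.
SAMPLE_OUTPUT = """xxoo.jsp matches hash.txt:caidao.jsp (99)
index.jsp matches hash.txt:caidao.jsp (12)
upload.jsp matches hash.txt:other_shell.jsp (100)
"""

def parse_hash_library(text):
    """Read an ssdeep signature file; return {filename: blocksize}."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows, None)
    if not header or header[0] != "ssdeep":
        raise ValueError("not an ssdeep signature file")
    library = {}
    for row in rows:
        if len(row) == 2:  # "blocksize:hash:hash", filename
            library[row[1]] = int(row[0].split(":", 1)[0])
    return library

def blocksizes_comparable(a, b):
    """ssdeep only scores signatures whose block sizes are equal or differ by a
    factor of two; a tiny shell in the library will never match a large file."""
    return a == b or a == 2 * b or b == 2 * a

def parse_matches(output, threshold=60):
    """Turn match lines into alert records, keeping scores >= threshold
    (this script's own cutoff, mirroring the -t 60 used in the OSSEC command)."""
    alerts = []
    for line in output.splitlines():
        m = MATCH_RE.match(line.strip())
        if m and int(m.group("score")) >= threshold:
            alerts.append({"file": m.group("file"), "known": m.group("known"),
                           "score": int(m.group("score"))})
    return alerts
```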

The email alert looks like this: