Guest Diary: Xavier Mertens
Playing with IP Reputation with DShield & OSSEC

When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let's take an example with a WordPress blog. It will, sooner or later, be targeted by a brute-force attack on the default /wp-admin page. In this case, IP reputation can be helpful: an attack performed from an IP address reported as actively scanning the Internet will not (or less) attract my attention. On the contrary, if the same kind of attack is coming from an unknown IP address, this could be more suspicious...

(Check the Active-Response (http://ossec-docs.readthedocs.org/en/latest/manual/ar/) documentation for details)
The ISC API can be used to query information about an IP address. The returned results are:

$ wget -O - -q https://isc.sans.edu/api/ip/195.154.243.219?json
{"ip":{"abusecontact":"unknown","number":"195.154.243.219","country":" FR ","as":"12876 ","asname":" AS12876 ONLINE S.A.S.,FR","network":" 195.154.0.0\/16 ","comment":null}}

The most interesting fields are:
• count - the number of times the IP address has been reported as an attacker
• attacks - the number of targeted IP addresses
• mindate - the first report
• maxdate - the last report
$ tail -f /var/log/ipreputation.log
[2015-05-27 23:30:07,769] DEBUG No data found, fetching from ISC
[2015-05-27 23:30:07,770] DEBUG Using proxy: 192.168.254.8:3128
[2015-05-27 23:30:07,772] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be)
[2015-05-27 23:30:09,760] DEBUG No data found, fetching from ISC
[2015-05-27 23:30:09,761] DEBUG Using proxy: 192.168.254.8:3128
[2015-05-27 23:30:09,762] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be)
[2015-05-27 23:30:10,138] DEBUG Saving 178.119.0.173
[2015-05-27 23:30:10,145] INFO IP=178.119.0.173, AS=6848("TELENET-AS Telenet N.V.,BE"), Network=178.116.0.0/14, Country=BE, Count=148, AttackedIP=97, Trend=0, FirstSeen=2015-04-21, LastSeen=2015-05-27, Updated=2015-05-27 18:37:15

In this example, you can see that this IP address started to attack on the 21st of April. It was reported 148 times while attacking 97 different IP addresses (this IP is certainly part of a botnet).
The script can be configured with a YAML configuration file (default: /etc/isc-ipreputation.conf) which is very easy to understand:

logging:
  debug: yes
database:
  path: '/data/ossec/logs/isc-ipreputation.db'
network:
  exclude-ip: '192\.168\..*|172\.16\..*|10\..*|fe80:.*'
  ttl-days: 5
http:
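As an added example (this is not the diary's isc-ipreputation.py), the following Python sketch walks through the same pipeline the configuration above drives: skip addresses matching the exclude-ip regex, parse an API body (including the case where count/attacks/mindate/maxdate are absent, as in the sample response above), cache the result in an SQLite table for ttl-days, and apply the diary's triage idea (heavily reported scanner = noise, unreported source = look closer). The fetch callable, the table layout, epoch-second timestamps and the function names are assumptions; SAMPLE_UNKNOWN is the diary's own JSON output, SAMPLE_REPORTED is constructed from the values in the diary's INFO log line.

```python
import json
import re
import sqlite3
import time

# Assumed config shape, using the diary's YAML keys (network/exclude-ip, ttl-days).
CONFIG = {
    "network": {"exclude-ip": r"192\.168\..*|172\.16\..*|10\..*|fe80:.*"},
    "ttl-days": 5,
}

# SAMPLE_UNKNOWN is the API body shown in the diary (it carries no report fields at all);
# SAMPLE_REPORTED is constructed here from the values in the diary's INFO log line.
SAMPLE_UNKNOWN = ('{"ip":{"abusecontact":"unknown","number":"195.154.243.219","country":" FR ",'
                  '"as":"12876 ","asname":" AS12876 ONLINE S.A.S.,FR",'
                  '"network":" 195.154.0.0\\/16 ","comment":null}}')
SAMPLE_REPORTED = json.dumps({"ip": {
    "number": "178.119.0.173", "count": "148", "attacks": "97", "mindate": "2015-04-21",
    "maxdate": "2015-05-27", "country": "BE", "as": "6848", "network": "178.116.0.0/14"}})

COLUMNS = ("ip", "count", "attacks", "country", "mindate", "maxdate", "updated")


def is_excluded(ip, pattern=CONFIG["network"]["exclude-ip"]):
    """True when the address matches the exclude-ip regex (re.match anchors at the start)."""
    return re.match(pattern, ip) is not None


def parse_isc(body):
    """Normalise one ISC response: strip the padding around values and coerce the
    report counters; an address with no reports simply lacks count/attacks/*date."""
    raw = json.loads(body)["ip"]

    def field(key):
        value = raw.get(key)
        return value.strip() if isinstance(value, str) else value

    return {
        "ip": field("number"),
        "count": int(field("count") or 0),      # absent -> never reported
        "attacks": int(field("attacks") or 0),
        "mindate": field("mindate"),
        "maxdate": field("maxdate"),
        "country": field("country"),
        "asn": field("as"),
        "network": field("network"),
    }


class ReputationCache:
    """SQLite-backed cache; a row older than ttl-days counts as missing so the caller
    refreshes it (the diary's 'No data found, fetching from ISC' debug line)."""

    def __init__(self, path=":memory:", ttl_days=CONFIG["ttl-days"]):
        self.db = sqlite3.connect(path)
        self.ttl = ttl_days * 86400  # seconds
        self.db.execute("CREATE TABLE IF NOT EXISTS ip (ip TEXT PRIMARY KEY, count INTEGER,"
                        " attacks INTEGER, country TEXT, mindate TEXT, maxdate TEXT, updated REAL)")

    def get(self, ip, now):
        row = self.db.execute("SELECT ip,count,attacks,country,mindate,maxdate,updated"
                              " FROM ip WHERE ip=?", (ip,)).fetchone()
        if row is None or now - row[6] > self.ttl:
            return None
        return dict(zip(COLUMNS, row))

    def put(self, rec, now):
        self.db.execute("INSERT OR REPLACE INTO ip VALUES (?,?,?,?,?,?,?)",
                        (rec["ip"], rec["count"], rec["attacks"], rec["country"],
                         rec["mindate"], rec["maxdate"], now))
        self.db.commit()


def lookup(ip, fetch, cache, now=None):
    """Reputation record for ip, or None for excluded addresses. fetch(ip) returns the API
    body text (in production a GET of https://isc.sans.edu/api/ip/<ip>?json through the
    proxy/user-agent of the http: section); it is injected here so the code runs offline."""
    now = time.time() if now is None else now
    if is_excluded(ip):
        return None
    rec = cache.get(ip, now)
    if rec is None:
        rec = parse_isc(fetch(ip))
        cache.put(rec, now)
    return rec


def triage(rec):
    """The diary's heuristic: a heavily reported scanner is background noise, while an
    address nobody has reported yet deserves a closer look."""
    return "known-scanner" if rec["count"] > 0 else "unknown-source"
```

One caveat worth noting about the exclude-ip pattern as written in the configuration: `172\.16\..*` only covers 172.16.x.x, not the whole 172.16.0.0/12 private block, and `10\..*` is only safe because re.match anchors at the start of the string; an unanchored search would also skip a public address such as 81.10.x.x.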
Finally, the SQLite database can be used to get interesting statistics. For example, to get the top-10 suspicious IP addresses that attacked me (and their associated country):
$ sqlite3 isc-ipreputation.db
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select ip, count, attacks,country from ip order by count desc limit 10;
61.240.144.66|4507455|32533|CN
218.77.79.43|2947146|63295|CN
61.240.144.65|2408418|24185|CN
61.240.144.64|1947038|22054|CN
61.240.144.67|1759210|25421|CN
184.105.139.67|1678608|63055|US
61.160.224.130|1553361|62140|CN
61.183.128.6|1385025|13829|CN
61.160.224.129|1312580|15202|CN
61.160.224.128|1209176|61006|CN
sqlite>

It is also very easy to generate dynamic lists of IP addresses (or CDB (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html) as called by OSSEC). The following command will generate a CDB list with my top-10 of malicious IP addresses:

$ sqlite3 isc-ipreputation.db \
  "select ip from ip order by count desc limit 10;" | \
  while read IP;
  do
    echo "$IP:Suspicious";
  done >/data/ossec/lists/bad-ips
$ cat /data/ossec/lists/bad-ips
61.240.144.66:Suspicious
218.77.79.43:Suspicious
61.240.144.65:Suspicious
61.240.144.64:Suspicious
61.240.144.67:Suspicious
184.105.139.67:Suspicious
61.160.224.130:Suspicious
61.183.128.6:Suspicious
61.160.224.129:Suspicious
61.160.224.128:Suspicious
$ ossec-makelists
* File lists/bad-ips.cdb needs to be updated
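The shell loop above takes the top-10 by count and nothing else, which over time fills the list with mass scanners that may have gone quiet months ago. Here is an added example (not the diary's code) that builds the same key:value list from Python and adds the two filters a practitioner usually wants: a minimum number of attacked targets and a cutoff on the last-report date. The table and columns follow the diary's own query (ip, count, attacks, country); the maxdate column, the helper names and the dates in the sample rows are assumptions, while the addresses and counters are the diary's top-10 output plus one constructed low-volume row in the 198.51.100.0/24 documentation range.

```python
import sqlite3

# Constructed rows: the diary's top-10 output with an assumed maxdate column added,
# plus one low-volume address so the min_attacks filter has something to drop.
SAMPLE_ROWS = [
    ("61.240.144.66", 4507455, 32533, "CN", "2015-05-27"),
    ("218.77.79.43", 2947146, 63295, "CN", "2015-05-26"),
    ("61.240.144.65", 2408418, 24185, "CN", "2015-05-27"),
    ("61.240.144.64", 1947038, 22054, "CN", "2015-05-27"),
    ("61.240.144.67", 1759210, 25421, "CN", "2015-05-25"),
    ("184.105.139.67", 1678608, 63055, "US", "2015-05-27"),
    ("61.160.224.130", 1553361, 62140, "CN", "2015-01-03"),  # stale: last report months ago
    ("61.183.128.6", 1385025, 13829, "CN", "2015-05-27"),
    ("61.160.224.129", 1312580, 15202, "CN", "2015-05-27"),
    ("61.160.224.128", 1209176, 61006, "CN", "2015-05-27"),
    ("198.51.100.7", 12, 1, "US", "2015-05-27"),             # constructed low-volume source
]


def open_db(path=":memory:", rows=SAMPLE_ROWS):
    """Create the ip table with the diary's columns (plus maxdate) and load the rows."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS ip (ip TEXT PRIMARY KEY, count INTEGER,"
               " attacks INTEGER, country TEXT, maxdate TEXT)")
    db.executemany("INSERT OR REPLACE INTO ip VALUES (?,?,?,?,?)", rows)
    db.commit()
    return db


def select_bad_ips(db, limit=10, min_attacks=0, since=None):
    """The diary's 'order by count desc limit N' query with two optional filters:
    min_attacks drops narrow, low-volume sources and since (ISO date) drops entries
    whose last report is older than the cutoff, so the list ages out dead scanners."""
    sql = "SELECT ip, count, attacks, country FROM ip WHERE attacks >= ?"
    params = [min_attacks]
    if since:
        sql += " AND maxdate >= ?"     # ISO dates compare correctly as strings
        params.append(since)
    sql += " ORDER BY count DESC LIMIT ?"
    params.append(limit)
    return db.execute(sql, params).fetchall()


def cdb_lines(rows, label="Suspicious"):
    """OSSEC CDB source format as used in the diary: one 'key:value' line, key = IP."""
    return [f"{ip}:{label}" for ip, *_ in rows]


def write_list(rows, path):
    """Write the source list; ossec-makelists then compiles it into the .cdb file."""
    lines = cdb_lines(rows)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


if __name__ == "__main__":
    for line in cdb_lines(select_bad_ips(open_db(), since="2015-05-01", min_attacks=1000)):
        print(line)
```

Run with a real database by passing its path to open_db (the INSERT of sample rows is then the only thing to remove) and write the result to /data/ossec/lists/bad-ips, then run ossec-makelists exactly as in the diary so the .cdb file is rebuilt.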
The script is available on my GitHub repository (https://github.com/xme/toolbox/blob/master/isc-ipreputation.py).

--
"If the enemy leaves a door open, you must rush in." - Sun Tzu
Posted by Alex Stanford, Jun 2nd 2015