5.2 Cyber Security Course, Stage 5 Week 2 Review (personal study notes)

This week's focus

① NIDS basics (Suricata)

② Basic use of Suricata

③ Suricata traffic detection

④ Suricata HTTPS traffic detection

⑤ Integrating Suricata logs with Elastic

⑥ Active response to Suricata alerts with Wazuh

Main content of the week

① NIDS basics (Suricata)

1. NIDS

1. Definition: Network Intrusion Detection System

2. How it works: network traffic has to pass through the NIDS; if the detection rules raise nothing, the traffic is allowed on to the devices behind it. Think of it as a filtering layer placed in front of the server.

2. Installing Suricata

1. Installation: follow the official documentation and install online with the commands it gives:

```shell
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-6.0
yum install suricata

# Paths after installation:
#   Suricata main binary:       /usr/sbin/suricata
#   Suricata core config dir:   /etc/suricata/
#   Suricata log dir:           /var/log/suricata/
#   Suricata helper programs:   /usr/bin
# The 4 files in the log directory:
#   eve.json:     alerts and additional event data in JSON format
#   fast.log:     core alert file; alerts only, unstructured text
#   stats.log:    Suricata statistics
#   suricata.log: Suricata's own runtime log

# Build dependencies when installing from source on Linux (install each with yum, one package per name):
#   libjansson, libpcap, libpcre2, libmagic, zlib, libyaml, gcc, pkg-config, libgeoip, liblua5.1, libhiredis, libevent
```

2. Edit the basic configuration

Edit /etc/suricata/suricata.yaml directly:

```yaml
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    HOME_NET: "[192.168.112.0/24]"     # 192.168.112.0/24 is the local network
    #EXTERNAL_NET: "!$HOME_NET"         # everything that is not HOME_NET is external
    EXTERNAL_NET: "any"                 # any address counts as external when it is the source
```

3. Create a rule file by hand (Suricata refuses to start without one)

```shell
touch /etc/suricata/rules/suricata.rules
```

Then set default-rule-path to /etc/suricata/rules or /var/lib/suricata/rules; either works. Add one rule:

```
alert http $EXTERNAL_NET any <> $HOME_NET 80 (msg:"出现404错误"; content:"404"; http_stat_code; sid:561001;)
```

4. Start

```shell
cd /etc/suricata && suricata -c suricata.yaml -i ens33
```

-c <path>: path of the configuration file
-i ens33: network interface to listen on; every tool that captures network traffic needs a NIC
-D: daemon mode, i.e. run Suricata in the background
-r <path>: read an offline capture instead of live traffic, e.g. a pcap saved from Wireshark: -r ../../xxx.pcap

3. Rule syntax basics

1. Alert rules

The options inside the parentheses are key:value pairs separated by ";". If a rule needs a reserved character literally, escape it with a backslash \.

```
alert http $EXTERNAL_NET any <> $HOME_NET 80 (msg:"提示信息"; content:"404"; target:dest_ip; sid:1232; rev:123;)
```

action: alert, drop, reject, ...

protocol: http, tcp, ssh, ...

src_ip: $EXTERNAL_NET

src_port: any means any port; the source port is usually arbitrary

direction: -> for request traffic only; <> when both request and response traffic must be inspected. These are the only two forms.

dest_ip: $HOME_NET

dest_port: 80, the destination port

2. IP address syntax

  • CIDR range: 192.168.211.1/24
  • !IP negates: !192.168.211.10 means every address except 192.168.211.10
  • [...,...] groups addresses: [172.12.2.2,192.168.211.0/24]
  • IP: one literal address

3. Port syntax

  • [80,81,82] list: any port in the list matches, like IN in SQL
  • [80:100] range from port 80 to port 100
  • [80:] from port 80 up to the highest port, 65535
  • !80 negates: everything except port 80
  • [80:100,!99] combined: ports 80 to 100 except 99
4. Meta keywords

msg: text describing the alert

sid: rule id, must be unique

rev: rule revision, defaults to 0, can be set freely

classtype: rule category, defined in classification.config

reference: external reference, typically a CVE id

priority: when set it can override the priority that classtype defines. The value range is 1~255; 1-4 is recommended, with 1 the highest

metadata: extra non-functional data attached to the rule

target: marks which side of the alert is the attack target: target:[src_ip | dest_ip]

② Basic use of Suricata

1. Detecting HTTP attacks

1. Define the attack types

Edit the classification file classification.config:

```
# custom define web classtype
config classification: web_status_error,WEB服务器状态异常,4
config classification: web_scan_attack,WEB页面扫描攻击,2
config classification: web_sql_injection,SQL注入攻击,1
config classification: web_shell_attack,木马植入攻击,1
```

2. Write the detection rules

The rules live in the directory /var/lib/suricata/rules, in the file suricata.rules; logs go to /var/log/suricata

```yaml
## Configure Suricata to load Suricata-Update managed rules.
##
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
```

3. Write the rules

```
alert http any any <> $HOME_NET 80 (msg:"WEB服务器404异常";content:"404";http_stat_code;classtype:web_status_error;sid:5610001;rev:1;)
alert http any any <> $HOME_NET 80 (msg:"SQL注入攻击-union";content:"union";http_uri;classtype:web_sql_injection;sid:5610002;rev:1;)
```

4. Restart Suricata and verify that the rules fire

Enter in the browser: http://192.168.230.138/dashboard/phpinfo.php?id=1%20union%20select%201,2,3,4%20#

Watch the log /var/log/suricata/fast.log:

```
05/20/2024-11:39:51.470394  [**] [1:5610002:1] SQL注入攻击-union [**] [Classification: SQL注入攻击] [Priority: 1] {TCP} 192.168.230.1:59589 -> 192.168.230.138:80
```

5. Exercises:

  1. SQL injection detection: database(), version(), char()
  2. HTTP 403 and HTTP 500 errors

2. Rules for frequency-based attacks

404 errors: when 404 responses appear repeatedly within a time window, a path scan is likely.

Rule:

```
alert http any any <> $HOME_NET 80 (msg:"频繁出现404,疑似路径扫描";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)
```

threshold: rate-limits a rule

  • type: threshold fires an alert each time the count is reached; limit fires at most count alerts in the window and then suppresses; both combines the two (one alert per window, only once count is reached)
  • track by_src / by_dst: which address the counter is kept for
  • count <n>: number of rule matches required
  • seconds <n>: length of the time window in seconds
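To make the three threshold types concrete, here is a small Python model of the per-address counter Suricata keeps, replayed over a constructed stream of 404 matches with the rule's own parameters (count 5, seconds 20). It is an added illustration, not Suricata's code; the addresses and timestamps are made up.

```python
"""Model of Suricata's threshold keyword (type threshold | limit | both,
track by_src | by_dst, count N, seconds S) replayed over a constructed stream
of rule matches. Added illustration, not Suricata's code."""

from typing import Dict, List, Optional, Tuple

Event = Tuple[float, str, str]  # (timestamp in seconds, src_ip, dst_ip)


def apply_threshold(events: List[Event], ttype: str, count: int, seconds: int,
                    track: str = "by_src") -> List[Tuple[float, str]]:
    """Return (timestamp, tracked_ip) for each alert the threshold lets through.

    Per tracked address the state is (window_start, current_count), mirroring
    the counter Suricata keeps per host. A new window begins with the first
    match seen after the previous window expired.
      threshold: alert every `count` matches inside the window (the counter
                 resets after each alert, the window does not)
      limit:     alert on the first `count` matches of the window, then suppress
      both:      one alert per window, fired on the `count`-th match"""
    if ttype not in ("threshold", "limit", "both"):
        raise ValueError("unknown threshold type: %s" % ttype)
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    state: Dict[str, Tuple[Optional[float], int]] = {}
    alerts: List[Tuple[float, str]] = []
    for ts, src, dst in sorted(events):
        key = src if track == "by_src" else dst
        start, cur = state.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, cur = ts, 0  # first match, or window expired: open a new one
        cur += 1
        fire = False
        if ttype == "threshold":
            if cur >= count:
                fire, cur = True, 0
        elif ttype == "limit":
            fire = cur <= count
        else:  # both
            fire = cur == count
        state[key] = (start, cur)
        if fire:
            alerts.append((ts, key))
    return alerts


# Constructed sample: one client triggers the 404 rule twelve times in twelve
# seconds (a path scan); another triggers it twice (ordinary browsing).
SERVER = "192.168.112.10"
SAMPLE_404S: List[Event] = (
    [(float(t), "10.0.0.5", SERVER) for t in range(12)]
    + [(3.0, "10.0.0.9", SERVER), (7.0, "10.0.0.9", SERVER)]
)


def demo() -> Dict[str, List[Tuple[float, str]]]:
    """Run the post's rule parameters (count 5, seconds 20) with each type."""
    return {t: apply_threshold(SAMPLE_404S, t, count=5, seconds=20)
            for t in ("threshold", "limit", "both")}


if __name__ == "__main__":
    for ttype, fired in demo().items():
        print("%-9s -> %d alert(s): %s" % (ttype, len(fired), fired))
```

With these inputs the scanner yields two alerts under threshold, five under limit and one under both, while the browsing client never reaches the count except under limit, which alerts on every match until the count is used up.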

Exercise:

1. Detect login brute-force attacks

Rule:

```
alert http any any <> $HOME_NET 8080 (msg:"疑似登录爆破攻击";http.response_body;content:"login-fail";classtype:web_brute_attack;threshold:type threshold,track by_src,count 5,seconds 20;sid:561004;rev:1;)
```

Add the classification type:

```
config classification: web_brute_attack,暴力破解攻击,1
```

Restart and verify; the target web application here is woniusales.

3. The content keyword in detail

1. Byte notation in content

Characters that are reserved in the rule syntax can be written as hex bytes between pipes:

```
"    |22|
;    |3B|
:    |3A|
|    |7C|
```

Examples (all three match the same four bytes):

```
content:"a|0D|bc";
content:"|61 0D 62 63|";
content:"a|0D|b|63|";
```

content matches are case-sensitive.

For a case-insensitive match add the nocase keyword, which tells Suricata to ignore case when matching:

```
content: "abc"; nocase;
```

Note: nocase must come after the content it modifies.

2. Depth: depth limits the match to the first N bytes of the payload

For example, with payload "abcdefghijk", content:"def"; depth:3; does not match, because only the first three bytes ("abc") are inspected.


3. Start and end markers

startswith: the content value must be a prefix of the inspected buffer; e.g. content:"GET"; startswith; means the inspected data must begin with GET.

endswith: the content value must be a suffix of the inspected buffer; e.g. content:".png"; endswith; means the inspected data must end with .png.

4. Offset

Skip offset bytes from the start of the payload, then begin matching content.

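The following Python snippet models how Suricata decodes the |hex| notation and applies nocase, depth, offset, startswith and endswith, replaying the payload and patterns from this section. It is an added example, not code from the post or from Suricata, and it treats depth as counted from offset when both are given, which is how Suricata combines the two keywords.

```python
"""Model of Suricata's content matching: the |hex| byte notation plus the
nocase, depth, offset, startswith and endswith modifiers. Added example, not
Suricata's code; the semantics follow the post's description."""

from typing import Optional


def parse_content(spec: str) -> bytes:
    """Convert a content string such as 'a|0D|bc' to the bytes Suricata matches.

    Text outside |...| is literal, inside |...| space-separated hex bytes are
    expected, and a backslash escapes the reserved characters \\ " ; : ."""
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            close = spec.index("|", i + 1)  # ValueError if the pipes are unbalanced
            out += bytes.fromhex(spec[i + 1:close])
            i = close + 1
        elif ch == "\\" and i + 1 < len(spec) and spec[i + 1] in '\\";:':
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def match_content(payload: bytes, spec: str, *, nocase: bool = False,
                  depth: Optional[int] = None, offset: int = 0,
                  startswith: bool = False, endswith: bool = False) -> bool:
    """True if `spec` matches `payload` under the given modifiers.

    offset: skip that many bytes before searching.
    depth:  inspect only that many bytes, counted from offset (Suricata's
            behaviour when both keywords are combined).
    startswith / endswith: the pattern must be a prefix / suffix of the whole
            buffer; offset and depth are not applied in that case."""
    needle = parse_content(spec)
    hay = payload
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    if startswith:
        return hay.startswith(needle)
    if endswith:
        return hay.endswith(needle)
    window = hay[offset:]
    if depth is not None:
        window = window[:depth]
    return needle in window


def demo() -> dict:
    """Replay the post's own cases against the constructed payload."""
    payload = b"abcdefghijk"
    return {
        "same_bytes": (parse_content("a|0D|bc") == parse_content("|61 0D 62 63|")
                       == parse_content("a|0D|b|63|")),
        "def_depth3": match_content(payload, "def", depth=3),               # False
        "def_depth6": match_content(payload, "def", depth=6),               # True
        "def_offset3_depth3": match_content(payload, "def", offset=3, depth=3),
        "GET_startswith": match_content(b"GET /x.png HTTP/1.1", "GET", startswith=True),
        "png_endswith": match_content(b"/images/logo.png", ".png", endswith=True),
        "abc_nocase": match_content(b"ABC", "abc", nocase=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```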

4. Detecting XSS attack traffic

Rule:

```
alert http any any <> $HOME_NET 8080 (msg:"疑似XSS攻击";http.uri;content:"<script";nocase;classtype:web_sql_injection;sid:561005;rev:1;)
```

5. Using pcre for complex matching

pcre is the Perl-compatible regular expression standard; patterns are written with Perl regex syntax.

Syntax: pcre:"/regex/flags"

Flags: i ignores case; A anchors the pattern at the start of the buffer; G inverts greediness.

Exercise:

Detect a one-line webshell in the traffic

PHP one-liner:

```
<?php eval($_GET[0]);?>
```

JSP one-liner:

```
<% Process process = Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```

Rule ($ is an end-of-line anchor inside pcre, so the literal $_GET and $_POST have to be escaped):

```
alert http any any <> $HOME_NET 80 (msg:"流量中存在一句话木马";http.uri;content:"<?";pcre:"/eval|assert|system\(|exec|\$_GET|\$_POST/i";classtype:web_shell_attack;sid:561006;rev:1;)
```

What if the one-liner is carried in a POST body?

The inspected buffer changes from http.uri to the request body; the keyword for the request body is http.request_body (or the older http_client_body):

```
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)
```

4. Matching several buffers in one rule

Rule description:

First match the request method; if it is POST, then check whether the body contains a one-liner.

```
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561009;rev:1;)
```

5. Detecting file upload traffic

1. Traffic characteristics of a file upload

  • the method is POST
  • the Content-Type must be multipart/form-data
  • the body must contain Content-Disposition

2. Rule (the classtype web_file_upload has to be added to classification.config like the other custom types above)

```
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";classtype:web_file_upload;sid:561010;rev:1;)
```

3. File upload that carries a one-line webshell (written as revision 2 of the rule above, so the same sid replaces it instead of clashing)

```
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";http.request_body;pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i";classtype:web_file_upload;sid:561010;rev:2;)
```

Exercise:

Write a rule that detects a one-line webshell inside an uploaded file.

③ Suricata traffic detection

1. ICMP traffic detection

Rule:

```
alert icmp any any -> $HOME_NET any (msg:"检测到死亡ping攻击";dsize:>30;itype:8;threshold: type both,track by_src,count 20,seconds 5;sid:561011;rev:1;)
```

Explanation:

The protocol is icmp and the destination port is any. dsize checks the payload size in bytes (>n, <n, !n); itype is the ICMP type field, 8 here (echo request).

2. TCP flood

Rule:

```
alert  tcp  any any -> $HOME_NET any (msg:"TCP泛洪";flow: established,to_server;threshold: type threshold,track by_src,count 20 , seconds 1; sid:561012;rev:1;)
```

Explanation:

The protocol is tcp.

The flow keyword:

flow matches the direction of a flow (to/from the client, to/from the server) and whether the flow is established. It can also restrict a signature to match only on flows (only on flows) or only on packets (not on flows). With flow you can match:
  • to_client: packets going from server to client
  • to_server: packets going from client to server
  • from_client: packets going from client to server (same as to_server)
  • from_server: packets going from server to client (same as to_client)
  • established: established connections
  • not_established: packets that do not belong to an established connection
  • stateless: packets whether or not they belong to an established connection

3. SYN flood

Rule (note that it reuses sid 561012 from the TCP flood rule above; Suricata skips a second rule with the same sid and rev, so give one of them a different sid):

```
alert  tcp any  any -> $HOME_NET any (msg:"SYN flood";flags:S;flow:stateless,to_server;dsize:>100;threshold: type threshold,track by_src,count 20 , seconds 1; sid:561012;rev:1;)
```

flags:

F: FIN, finished

S: SYN, synchronise, start of a session

R: RST, reset

A: ACK, acknowledgement

U: URG, urgent

4. Detecting CC attack (HTTP flood) traffic

Rule:

```
alert http any any -> $HOME_NET 8080 (msg:"CC攻击";flow:established,to_server;threshold:type both,track by_src,count 20,seconds 1;http.method;content:"POST";http.request_body;content:"barcode";sid:561013;rev:1;)
```

The flow keyword here means the request must be sent over an already established TCP connection.

5. MySQL brute-force detection

Rule:

```
alert tcp any any <> $HOME_NET 3306 (msg:"MySQL爆破攻击";content:"Access denied for user";threshold: type threshold,track by_src,count 10,seconds 10;sid:561014;rev:1;)
```

6. Detecting a webshell written through MySQL

The query being detected:

```sql
select "<?php eval($_POST[1]);?>" into outfile  "/opt/shell.php"
```

Rule:

```
alert tcp any any <> $HOME_NET 3306 (msg:"MySQL木马写入攻击";content:"into outfile";nocase;pcre:"/eval|assert|system|_POST|_GET/i";classtype:web_shell_attack;sid:561015;rev:1;)
```

7. SSH traffic detection

Characteristics (the screenshot of the packet capture is not reproduced here)

Rule:

```
alert  ssh any  any <> $HOME_NET 22 (msg:"SSH爆破";content:"|15 00 00 00 00 00 00 00 00 00 00|";threshold: type threshold,track by_src,count 3,seconds 10;sid:561016;rev:1;)
```

④ Suricata HTTPS traffic detection

1. Suricata cannot analyse encrypted traffic, so another component has to decrypt it first and hand the plaintext to Suricata.

2. Build the lab environment

  • a client machine that sends HTTPS requests to nginx
  • a Linux host running nginx; it must hold the HTTPS certificate and reverse-proxy the remote tomcat
  • a tomcat server
  • Suricata can be installed on either the nginx or the tomcat server

I. Detecting HTTPS traffic through a proxy

Principle: a NIDS cannot inspect encrypted traffic, so a proxy terminates the encryption first and the decrypted traffic is inspected. nginx acts as the proxy and Suricata inspects the traffic nginx forwards.

1. Prepare the lab

  • tomcat: 192.168.230.13
  • nginx: 192.168.230.139
  • suricata: 192.168.230.138

2. Generate a certificate for nginx

The certificate and key let nginx decrypt the HTTPS traffic the browser sends.

```shell
# Check that openssl is installed
openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
# Generate a private key
openssl genrsa -des3 -out server.pass.key 2048
# Strip the passphrase from the key
openssl rsa -in server.pass.key -out server.key
# Generate the CSR
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dev/OU=dev/CN=localhost"
# Generate the self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# Copy server.key, server.csr and server.crt to /usr/local/nginx/conf
cp -p server.crt server.csr server.key    /usr/local/nginx/conf/
```

3. Edit nginx.conf to reverse-proxy tomcat

```nginx
user nginx;
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
error_log /var/log/nginx/error.log;

#pid        logs/nginx.pid;
pid /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    #include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    upstream mytomcat {
        server 192.168.230.138:8080 weight=1;
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /usr/local/nginx/conf/server.crt;
        ssl_certificate_key  /usr/local/nginx/conf/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }

        location /woniusales/ {
            proxy_pass http://mytomcat/woniusales/;
            proxy_redirect default;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
```

4. Start nginx and tomcat, then verify that the environment works (the verification screenshot is not reproduced here)

5. Prepare the Suricata rule

```
alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)
```

6. Restart Suricata, send a request containing the sensitive keyword from the browser, and check whether Suricata flags the traffic correctly:

```
05/21/2024-06:25:02.489259  [**] [1:561008:1] 流量中存在一句话木马 [**] [Classification: 木马植入攻击] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080
05/21/2024-06:25:02.489259  [**] [1:561009:1] 流量中存在一句话木马 [**] [Classification: 木马植入攻击] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080
```

Exercise:

Following the steps above, write a rule that detects MySQL injection in the traffic.

II. Adding IPS functionality to Suricata

Suricata by itself cannot drop or block traffic. It does support NFQueue, which combined with the NFQUEUE target of iptables allows traffic to be controlled.

How NFQueue works: iptables puts packets into the queue and waits for a user-space program to analyse them and return a verdict; iptables then enforces that verdict.

Steps

1. Install iptables

```shell
yum -y install iptables iptables-services
systemctl stop firewalld
systemctl start iptables.service
```

2. Send traffic to the queue in iptables

```shell
iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 8080  -j NFQUEUE
```

While no program is reading the queue, packets sent to NFQUEUE are dropped, so keep the SSH ACCEPT rule and start Suricata on the queue promptly.

3. Start Suricata listening on the queue

```shell
suricata -c suricata.yaml  -q 0
```

4. Set the rule

```
drop http any any <> $HOME_NET 80 (msg:"频繁出现404,疑似路径扫描";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)
```

If 404s appear too often, packets from that IP are dropped.

5. Result: the Drop tag now appears (note the direction in the log: the rule matches on http_stat_code, i.e. the server's response, so the packet being dropped is the 404 response on its way back to the client)

```
05/21/2024-08:40:53.583490  [**] [1:5610001:1] WEB服务器404异常 [**] [Classification: WEB服务器状态异常] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941
05/21/2024-08:40:53.771510  [Drop] [**] [1:561003:1] 频繁出现404,疑似路径扫描 [**] [Classification: WEB服务器状态异常] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941
```

⑤ Integrating Suricata logs with Elastic

I. Configure Filebeat

1. List the currently enabled modules

```shell
[root@centqiang filebeat-7.14]# ./filebeat modules list
Error in modules manager: modules management requires 'filebeat.config.modules.path' setting
[root@centqiang filebeat-7.14]# vi filebeat.yml
```

```yaml
filebeat.config.modules:
  path: /opt/filebeat-7.14/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
```
2. Enable the suricata module

```shell
[root@centqiang filebeat-7.14]# ./filebeat modules enable suricata
Enabled suricata
```

3. Initialise the Suricata module

This creates the index template and the Kibana dashboards in one go; Elasticsearch and Kibana must be running first.

(1) Edit modules.d/suricata.yml:

```yaml
- module: suricata
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]
```

(2) Edit filebeat.yml so Filebeat can reach Elasticsearch and Kibana:

```yaml
setup.kibana:
  host: "192.168.112.198:5601"
  protocol: "http"
setup.dashboards.enabled: true
```

(3) Run ./filebeat setup -e to initialise; it connects to and configures Elasticsearch and Kibana.


If the command ran without errors, initialisation succeeded.

II. Configure the dashboard in Kibana

1. Confirm the index is present

2. Search for the dashboard

3. Open [Filebeat Suricata] Alert Overview

The Suricata alerts are listed correctly in the table at the bottom, but the charts at the top show errors.

4. Fix the charts

Hovering over the Error message shows that the failing charts reference a field that no longer exists.

Click the gear icon at the top right of the chart and, in the "Edit Visualization" menu, point it at the correct field name.

5. Search and view in Discover

III. Integrating Suricata with Wazuh

1. Configure Wazuh to monitor eve.json

```xml
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
```

2. Check the built-in rules

ruleset/rules/0475-suricata_rules.xml

```xml
<group name="ids,suricata,">
  <rule id="86600" level="0">
    <decoded_as>json</decoded_as>
    <field name="timestamp">\.+</field>
    <field name="event_type">\.+</field>
    <description>Suricata messages.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="86601" level="3">
    <if_sid>86600</if_sid>
    <field name="event_type">^alert$</field>
    <description>Suricata: Alert - $(alert.signature)</description>
    <options>no_full_log</options>
  </rule>
</group>
```

3. Custom rules mapping Suricata alerts to Wazuh levels

```xml
<group name="ids,suricata,">
  <rule id="86601" level="5" overwrite="yes">
    <if_sid>86600</if_sid>
    <field name="event_type">^alert$</field>
    <description>Suricata普通预警:$(alert.signature)</description>
    <options>no_full_log</options>
  </rule>
  <rule id="86605" level="12">
    <if_sid>86601</if_sid>
    <field name="alert.severity">^1$</field>
    <description>Suricata严重预警:$(alert.signature)</description>
    <options>no_full_log</options>
  </rule>
</group>
```

4. Start Wazuh and watch alerts.log in real time

5. View the results in Kibana

⑥ Active response to Suricata alerts with Wazuh

I. Configure the decoder and rules

1. Basic idea

src_ip can be read from eve.json, and the JSON decoder recognises it as a normal field, but firewall-drop needs the field srcip (a static field built into Wazuh), not src_ip. So src_ip has to be recognised and extracted into Wazuh's srcip field before an active response can trigger.

How do we extract src_ip from eve.json and assign it to srcip? The same way Wazuh extracts any field: with a custom decoder.

2. Decoder

```xml
<!-- Suricata active-response decoder -->
<decoder name="suricata_eve">
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"src_ip":"(\S+)"\S+"signature":"(\S+)"\S+"severity":(\d)</regex>
  <order>event_type,srcip,signature,severity</order>
</decoder>
```

Monitoring fast.log directly is possible too, but much of the information cannot be extracted accurately, so monitoring eve.json is recommended.

3. Rules

```xml
<group name="ids,suricata,">
  <rule id="562600" level="0">
    <decoded_as>suricata_eve</decoded_as>
    <description>Suricata预警信息根规则.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="562601" level="3">
    <if_sid>562600</if_sid>
    <field name="event_type">^alert$</field>
    <description>Suricata-Wazuh预警:$(srcip)</description>
    <options>no_full_log</options>
  </rule>
  <rule id="562602" level="12">
    <if_sid>562601</if_sid>
    <field name="severity">^1$</field>
    <description>Suricata致命预警:$(srcip) - $(signature)</description>
    <options>no_full_log</options>
  </rule>
</group>
```

4. Disable the json decoder

```xml
<decoder name="json">
  <prematch>^NoUse{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
```

Because the built-in json decoder runs before the custom suricata_eve decoder, disabling it is a convenient way to debug the rules at first. It cannot stay that way, though: other JSON logs would no longer be decoded, so a proper solution is still needed.

5. Test the rules

```shell
/var/ossec/bin/wazuh-logtest
```

Paste one event, for example:

```
{"timestamp":"2021-12-28T12:24:18.861779+0800","flow_id":801237179200730,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":1110,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=%3C?eval($_POST[a]);","http_user_agent":"Mozilla/5.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":793,"bytes_toclient":1074,"start":"2021-12-28T12:24:18.816346+0800"}}
```
II. Designing the active response

1. Active response

```xml
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>9</level>
  <timeout>600</timeout>
</active-response>
```
2. Test

```
** Alert 1640685105.129291: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,
2021 Dec 28 17:51:45 centqiang->/var/ossec/logs/active-responses.log
Rule: 651 (level 3) -> 'Host Blocked by firewall-drop Active Response'
2021/12/28 17:51:45 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-12-28T17:51:45.954+0800","rule":{"level":12,"description":"Suricata致命预警:URL地址木马","id":"566002","firedtimes":1,"mail":true,"groups":["ids"," suricata_eve"]},"agent":{"id":"000","name":"centqiang"},"manager":{"name":"centqiang"},"id":"1640685105.128130","full_log":"{\"timestamp\":\"2021-12-28T17:51:44.154165+0800\",\"flow_id\":1619038894591458,\"in_iface\":\"ens33\",\"event_type\":\"alert\",\"src_ip\":\"192.168.112.1\",\"src_port\":16996,\"dest_ip\":\"192.168.112.195\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":5613007,\"rev\":1,\"signature\":\"URL地址木马\",\"category\":\"站点木马植入\",\"severity\":1},\"http\":{\"hostname\":\"192.168.112.195\",\"url\":\"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":374},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":820,\"bytes_toclient\":1074,\"start\":\"2021-12-28T17:51:44.101858+0800\"}}","decoder":{"name":"suricata_eve"},"data":{"srcip":"192.168.112.1","event_type":"alert","signature":"URL地址木马","severity":"1"},"location":"/var/log/suricata/eve.json"},"program":"active-response/bin/firewall-drop"}}
version: 1
origin.name: node01
origin.module: wazuh-execd
command: add
parameters.extra_args: []
parameters.alert.timestamp: 2021-12-28T17:51:45.954+0800
parameters.alert.rule.level: 12
parameters.alert.rule.description: Suricata致命预警:URL地址木马
parameters.alert.rule.id: 566002
parameters.alert.rule.firedtimes: 1
parameters.alert.rule.mail: true
parameters.alert.rule.groups: ["ids", " suricata_eve"]
parameters.alert.agent.id: 000
parameters.alert.agent.name: centqiang
parameters.alert.manager.name: centqiang
parameters.alert.id: 1640685105.128130
parameters.alert.full_log: {"timestamp":"2021-12-28T17:51:44.154165+0800","flow_id":1619038894591458,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":16996,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":820,"bytes_toclient":1074,"start":"2021-12-28T17:51:44.101858+0800"}}
parameters.alert.decoder.name: suricata_eve
parameters.alert.data.srcip: 192.168.112.1
parameters.alert.data.event_type: alert
parameters.alert.data.signature: URL地址木马
parameters.alert.data.severity: 1
parameters.alert.location: /var/log/suricata/eve.json
parameters.program: active-response/bin/firewall-drop
```
III. Remaining problems

1. srcip with bidirectional traffic

Suricata sees both directions of a flow. For an alert raised on from_server => to_client traffic, src_ip is the server's address; if Wazuh extracts that and runs the active response, it blocks the wrong host, because the attacker's address is then dest_ip. Solutions:

(1) Tag the direction in the Suricata rule with metadata: key value; so that Wazuh can tell the two cases apart (this needs two decoders)

(2) Use Suricata's target keyword, setting target: dest_ip rather than src_ip

(3) Parse the Suricata log in real time with Python and run the active response for severity=1 alerts yourself, dropping the Wazuh rule constraints
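Option (3), sketched as an added Python example (not from the post or from Wazuh): it reads eve.json alert lines, prefers alert.source.ip when the rule carried target, falls back to src_ip otherwise, and refuses to block addresses on a never-block list, which catches the response-direction mistake described above. The event lines, the server/client addresses and the sids 9000001/9000002 are constructed; the signature strings reuse the ones seen earlier on this page.

```python
"""Decide which address an active response should block for a Suricata alert.

Added example (not Wazuh's or the post's code). The eve.json lines below are
constructed; only the field layout follows Suricata's real output."""

import json
from typing import Dict, Iterable, List, Optional


def attacker_ip(event: Dict) -> Optional[Dict[str, str]]:
    """Return {"ip": ..., "field": ...} for an alert event, None for other events.

    If the rule carried target:dest_ip / target:src_ip, Suricata adds
    alert.source and alert.target to the event, and alert.source.ip is the
    attacker whichever direction the matching packet travelled. Without target
    all we have is the packet's src_ip, which is the *server* for rules that
    match on the response (to_client), e.g. one keyed on http_stat_code."""
    if event.get("event_type") != "alert":
        return None
    src = event.get("alert", {}).get("source", {}).get("ip")
    if src:
        return {"ip": src, "field": "alert.source.ip"}
    return {"ip": event["src_ip"], "field": "src_ip"}


def decide(event: Dict, max_severity: int = 1,
           never_block: Iterable[str] = ()) -> Optional[Dict]:
    """Block decision for alerts of severity <= max_severity (1 is the highest).

    never_block lists addresses (our own servers, monitoring hosts) that must
    not be dropped even when a rule without target reports them as src_ip."""
    who = attacker_ip(event)
    if who is None or event["alert"]["severity"] > max_severity:
        return None
    decision = {
        "command": "firewall-drop",
        "ip": who["ip"],
        "derived_from": who["field"],
        "sid": event["alert"]["signature_id"],
        "signature": event["alert"]["signature"],
    }
    if who["ip"] in set(never_block):
        decision["command"] = "skip"
        decision["reason"] = "address is on the never-block list"
    return decision


def process_eve(lines: Iterable[str], **kwargs) -> List[Dict]:
    """Apply decide() to raw eve.json lines; malformed lines are skipped."""
    decisions = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = decide(event, **kwargs)
        if verdict:
            decisions.append(verdict)
    return decisions


# ---- constructed sample data (addresses taken from the lab on this page) ----
SERVER = "192.168.112.195"
CLIENT = "192.168.112.1"


def make_alert(src: str, dst: str, severity: int, signature: str, sid: int,
               attacker: Optional[str] = None) -> str:
    """Build a constructed eve.json alert line (subset of the real fields).
    When `attacker` is given the rule is assumed to carry target:, so the
    alert.source / alert.target blocks Suricata would add are included."""
    alert = {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
             "signature": signature, "category": "", "severity": severity}
    if attacker is not None:
        victim = dst if attacker == src else src
        alert["source"] = {"ip": attacker, "port": 56009}
        alert["target"] = {"ip": victim, "port": 80}
    return json.dumps({"timestamp": "2024-05-21T06:25:02.489259+0800",
                       "event_type": "alert", "src_ip": src, "src_port": 56009,
                       "dest_ip": dst, "dest_port": 80, "proto": "TCP",
                       "alert": alert})


SAMPLE_EVE = [
    # request-direction alert, no target keyword: src_ip is the client, fine
    make_alert(CLIENT, SERVER, 1, "URL地址木马", 5613007),
    # response-direction 404 alert with target:dest_ip, severity 3: no response
    make_alert(SERVER, CLIENT, 3, "出现404错误", 561001, attacker=CLIENT),
    # response-direction severity-1 alert WITH target: alert.source.ip is the client
    make_alert(SERVER, CLIENT, 1, "shell in response", 9000001, attacker=CLIENT),
    # same situation WITHOUT target: src_ip names the server, must not be blocked
    make_alert(SERVER, CLIENT, 1, "shell in response (no target)", 9000002),
    json.dumps({"event_type": "http", "src_ip": CLIENT, "dest_ip": SERVER}),
    "this line is not JSON",
]


def demo() -> List[Dict]:
    return process_eve(SAMPLE_EVE, max_severity=1, never_block={SERVER})


if __name__ == "__main__":
    for d in demo():
        print(d)
```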

Here is how the rule is defined using target:

Step 1: define the decoder

```xml
<decoder name="suricata_eve">
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
  <order>event_type,signature,severity,srcip</order>
</decoder>
```

Step 2: test

```
[root@centqiang alerts]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line
{"timestamp":"2022-07-28T11:28:26.648845+0800","flow_id":1784851008772983,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.195","src_port":80,"dest_ip":"192.168.112.1","dest_port":56009,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":561001,"rev":0,"signature":"出现404错误","category":"","severity":3,"source":{"ip":"192.168.112.1","port":56009},"target":{"ip":"192.168.112.195","port":80}},"http":{"hostname":"192.168.112.195","url":"/dashboard/phpinfo.phpx","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":692},"files":[{"filename":"/dashboard/phpinfo.phpx","sid":[],"gaps":false,"state":"UNKNOWN","stored":false,"size":645,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":6,"bytes_toserver":692,"bytes_toclient":1837,"start":"2022-07-28T11:28:26.646007+0800"}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
	name: 'suricata_eve'
	event_type: 'alert'
	severity: '3'
	signature: '出现404错误'
	srcip: '192.168.112.1'

**Phase 3: Completed filtering (rules).
	id: '562601'
	level: '3'
	description: 'Suricata-Wazuh预警:192.168.112.1)'
	groups: '['ids', 'suricata']'
	firedtimes: '1'
	mail: 'False'
**Alert to be generated.
```

Note that src_ip in this event is the server (the alert fired on the 404 response), yet srcip is correctly the client, because the decoder reads alert.source.ip, which the target keyword provides.
2、json解码器被禁用问题

To avoid disabling the json decoder, define suricata_eve directly as a child decoder of the json decoder:

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
<decoder name="suricata_eve">
  <parent>json</parent>
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
  <order>event_type,signature,severity,srcip</order>
</decoder>

When defining the rule, point decoded_as directly at json:

<rule id="562600" level="0">
  <decoded_as>json</decoded_as>
  <description>Suricata alert root rule.</description>
  <options>no_full_log</options>
</rule>

Running the log test again now gives:

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    parent: 'json'
    event_type: 'alert'
    severity: '3'
    signature: '出现404错误'
    srcip: '192.168.112.1'

**Phase 3: Completed filtering (rules).
    id: '562601'
    level: '3'
    description: 'Suricata-Wazuh预警:192.168.112.1'
    groups: '['ids', 'suricata']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.
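As an added configuration example (not from the page's lab; rule id 562602, the level, the group name and the 600-second timeout are assumptions), here is a child of the root rule 562600 above that escalates only when the severity field extracted by the suricata_eve decoder is 1, together with the ossec.conf active-response stanza that ties it to Wazuh's bundled firewall-drop command:

```xml
<!-- local_rules.xml: child of the page's root rule 562600. The <field> test is a
     regex on the decoded field, so ^1$ matches severity 1 only. -->
<group name="ids,suricata,">
  <rule id="562602" level="12">
    <if_sid>562600</if_sid>
    <field name="severity">^1$</field>
    <description>Suricata severity-1 alert from $(srcip): $(signature)</description>
    <options>no_full_log</options>
  </rule>
</group>

<!-- ossec.conf: when 562602 fires, drop the decoded srcip on the agent that
     produced the log for 600 seconds, then lift the block automatically. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>562602</rules_id>
  <timeout>600</timeout>
</active-response>
```

The address that firewall-drop blocks is the srcip field of the alert, which is exactly why the decoder fills srcip from alert.source rather than from the packet-level src_ip: with a to_client alert the latter would block the monitored server itself. A timeout should always be set so that a mis-decoded or spoofed address does not stay blocked indefinitely.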


In fact, unless active response is the goal, Wazuh already ships with Suricata rules of its own that can be used directly.
