wazuh配置

安装wazuh有二种方法

第一种

在官网下载ova文件

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-EtMADld3-1692776916429)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823150532420.png)]$

打开VMware进行虚拟机安装

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-HmIyeWX6-1692776916430)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823140739800.png)]$

账号:wazuh-user

密码:wazuh

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-hUtfQmOu-1692776916431)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823140835080.png)]$

将网络设置为net模式

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-zkZBozF4-1692776916431)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823151915748.png)]$

重启网卡

systemctl network restart

查看ip

ip add

启动小皮

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-XAakIm5A-1692776916431)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823152126683.png)]$

远程连接

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wdJTdbMy-1692776916432)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823152208991.png)]$

默认账号和密码admin admin

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-PvFdyFyn-1692776916432)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823152251072.png)]$

第二种

yum安装根据官方文件的步骤进行安装wazuh

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-DCskcGTr-1692776916433)(C:\Users\Lin\AppData\Roaming\Typora\typora-user-images\image-20230823152922696.png)]$

具体步骤我就不演示了,官方文件上是十分完整的

wazuh案例复现

wazuh初体验理解

当我们使用本地的cmd通过ssh一直连接wazuh的时候便会出现十级报错，此次在后台可以明显的看到有爆破的提示扫描，通过分析其具体的数据包以及对应的规则理解到wuzuh在外来访问的时候，会触发到解码器，其作用是用来抓取关键信息，其中核心便是正则表达式进行正则匹配，当数据来了之后，wazuh程序会分析我们的日志，把这些日志信息发到相对应的解码器去，通过解码器去进行解码，解码完后，再发送到相应的规则，然后把解码完的数据通过规则，再次进行匹配，最终展示到仪表盘的Modules里的Security events里

在Nginx目录下/var/www/html创建index.php并写入案例

<?php
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];
 
    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }
 
    
    return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}
 
$content = file_get_contents($temp_file);
if(fun($content)){
    die("诶，被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;
 
 
        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
            die();
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}

前端页面

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <div class="light"><span class="glow">
            <form enctype="multipart/form-data" method="post" action="./index.php">
                嘿伙计,传个火,点支烟，快活人生？！
                <input class="input_file" type="file" name="upload_file" />
                <input class="button" type="submit" name="submit" value="upload" />
            </form>
    </span><span class="flare"></span>
    </div>
</body>
</html>