\n\n\n\n
\u6838\u5fc3\u67b6\u6784<\/h2>\n\n\n\n1\u3001\u6570\u636e\u91c7\u96c6\u5c42<\/h3>\n\n\n\n\n- \u4ece\u5404\u4e2a\u6765\u6e90\u6536\u96c6\u65e5\u5fd7\u548c\u65f6\u95f4\u6570\u636e<\/li>\n\n\n\n
- \u652f\u6301\u591a\u79cd\u534f\u8bae\uff0c\u5982Syslog\u3001SNMP\u3001API\u3001\u6587\u4ef6\u4f20\u8f93\u7b49\u3002\u91c7\u96c6\u5668\u90e8\u7f72\u5728\u6570\u636e\u6e90\u7aef\u6216\u96c6\u4e2d\u5f0f\u670d\u52a1\u5668\u4e0a\uff0c\u786e\u4fdd\u6570\u636e\u4f20\u8f93<\/li>\n<\/ul>\n\n\n\n
\u673a\u5236<\/h4>\n\n\n\n
\u901a\u5e38\u91c7\u7528push-pull\u6df7\u5408\uff1a<\/p>\n\n\n\n
\n\nPush\u6a21\u5f0f\u7531\u6570\u636e\u6e90\u4e3b\u52a8\u53d1\u9001\u65e5\u5fd7\uff0c\u9002\u5408\u5b9e\u65f6\u6027<\/strong><\/p>\n<\/div>\n\n\n\n\nPull\u6a21\u5f0f\u7531SIEM\u670d\u52a1\u5668\u5b9a\u671f\u62c9\u53d6\uff0c\u9002\u5408\u4e91\u73af\u5883<\/strong><\/p>\n<\/div>\n<\/div>\n\n\n\n\n\u5728\u5f02\u5e38\u767b\u5f55\u573a\u666f\uff0c\u91c7\u96c6Windows Event Logs \u6216 Linux auth.log \u65f6\uff0c\u9700\u8981\u5904\u7406\u65e5\u5fd7\u8f6e\u8f6c\uff08log rotation\uff09\u4ee5\u907f\u514d\u6570\u636e\u4e22\u5931<\/p>\n<\/blockquote>\n\n\n\n
\u7f3a\u70b9\uff1a\u6570\u636e\u91cf\u5e9e\u5927\uff0c\u9700\u8981\u538b\u7f29\u4f20\u8f93\u548c\u8fc7\u6ee4\u65e0\u5173\u65e5\u5fd7\u3002Python\u4e2d\uff0c\u53ef\u4ee5\u5229\u7528logging\u6a21\u5757<\/mark>\u6216pywin32<\/mark>\u5904\u7406Windows\u65e5\u5fd7<\/p>\n\n\n\n2\u3001\u6570\u636e\u6807\u51c6\u5316\u4e0e\u89e3\u6790\u5c42<\/h3>\n\n\n\n\n- \u628a\u4e0d\u540c\u683c\u5f0f\u7684\u539f\u59cb\u65e5\u5fd7\u8f6c\u5316\u4e3a\u7edf\u4e00\u7684\u7ed3\u6784\uff0c\u4fbf\u4e8e\u540e\u7eed\u89e3\u6790<\/li>\n\n\n\n
- \u63d0\u53d6\u5173\u952e\u5b57\u6bb5\uff0c\u5982\u65f6\u95f4\u6233\u3001IP\u5730\u5740\u3001\u7528\u6237ID\u3001\u4e8b\u4ef6\u7c7b\u578b\u7b49<\/li>\n\n\n\n
- \u8fc7\u6ee4\u566a\u58f0\u65e5\u5fd7\uff0c\u8fdb\u884c\u6570\u636e\u6e05\u6d17\uff0c\u9632\u6b62\u7cfb\u7edf\u8fc7\u8f7d<\/li>\n<\/ul>\n\n\n\n
\u673a\u5236<\/h4>\n\n\n\n
\u7531\u4e8e\u65e5\u5fd7\u683c\u5f0f\u591a\u6837\u5316\uff08.json\u3001CEF\u3001Syslog\uff09\uff0c\u89e3\u6790\u7528\u6b63\u5219\u6216\u89e3\u6790\u5668\u3002\u63d0\u53d6\u5b57\u6bb5\u540e\uff0c\u6dfb\u52a0\u5143\u6570\u636e\uff08\u5982\u4e8b\u4ef6ID\u3001\u4e25\u91cd\u5ea6\u3001\u9891\u7387\uff09<\/p>\n\n\n\n
\n\u8fd9\u4e00\u5c42\u548c\u5206\u6790\u5173\u8054\u5c42<\/strong>\u9ad8\u5ea6\u7ed1\u5b9a\uff0c\u540c\u65f6\u4f1a\u7275\u626f\u5230\u4e00\u4e2a\u5371\u9669\u5ea6\u9ad8\u7684\u6f5c\u5728\u653b\u51fb\u2014\u2014APT<\/p>\n\n\n\n\u6ca1\u6709\u7ecf\u8fc7\u6807\u51c6\u5316\u7684\u65e5\u5fd7\u65e0\u6cd5\u5173\u8054\uff0c\u9ad8\u9891\u7684\u4e8b\u4ef6\u62a5\u544a\u53ef\u4ee5\u548cAPT\u5173\u8054\u8d77\u6765\uff0c\u9632\u6b62\u540e\u7eedAPT\u6e17\u900f\u5185\u7f51\u9020\u6210\u4e25\u91cd\u8d22\u4ea7\u635f\u5931<\/p>\n<\/blockquote>\n\n\n\n
Python\u5b9e\u73b0\uff1a\u7528re<\/mark>\u6216grok-py<\/mark>\u5e93\u89e3\u6790\uff0c\u7edf\u4e00schema\u5982\uff08\u201ctimestamp\u201d\uff1a\u201c\u2026\u201d\uff1b\u201cevent_type\u201d:”\u2026\u201d\uff1b\uff09\uff0c\u65b9\u4fbf\u56e2\u961f\u67e5\u770b\u548c\u8fa8\u8ba4<\/p>\n\n\n\n3\u3001\u5b58\u50a8\u4e0e\u7d22\u5f15\u5c42<\/h3>\n\n\n\n\n- \u4f7f\u7528\u6570\u636e\u5e93\u5b58\u50a8\u65e5\u5fd7\u6570\u636e\uff0c\u652f\u6301\u5feb\u901f\u67e5\u8be2\u548c\u5f52\u6863<\/li>\n\n\n\n
- \u6570\u636e\u53ef\u4ee5\u6309\u7167\u65f6\u95f4\u5e8f\u5217\u5b58\u50a8\uff0c\u5e76\u6dfb\u52a0\u7d22\u5f15\u65b9\u4fbf\u5feb\u901f\u68c0\u7d22<\/li>\n<\/ul>\n\n\n\n
4\u3001\u5206\u6790\u4e0e\u5173\u8054\u5c42\u2014\u2014\u6838\u5fc3\u5f15\u64ce<\/h3>\n\n\n\n\n- \u53ef\u4ee5\u63a5\u5165\u5927\u6a21\u578b\uff0c\u5229\u7528\u89c4\u5219\u5f15\u64ce\u3001\u8fdb\u884c\u673a\u5668\u5b66\u4e60\u6216\u884c\u4e3a\u5206\u6790\u68c0\u6d4b\u5f02\u5e38<\/li>\n\n\n\n
- \u89c4\u5219\u5173\u8054\uff1a\u5c06\u591a\u6b21\u767b\u5f55\u5931\u8d25\u548c\u5f02\u5e38IP\u8bbf\u95ee\u5173\u8054\u8d77\u6765\uff0c\u5224\u5b9a\u4e3a\u66b4\u529b\u7834\u89e3<\/li>\n\n\n\n
- \u4e8b\u5b9e\u5206\u6790\uff1a\u8bbe\u7f6e\u76d1\u63a7\u9608\u503c\uff0c\u77ed\u65f6\u95f4\u5185\u767b\u5f55\u5931\u8d25\u8fde\u7eed\u8d85\u8fc7\u4e94\u6b21\u81ea\u52a8\u53d1\u9001\u8b66\u62a5<\/li>\n\n\n\n
- \u9ad8\u7ea7SIEM\u96c6\u6210UEBA\uff08User and Entity Behavior Analytics\uff0c\u7528\u6237\u548c\u5b9e\u4f53\u884c\u4e3a\u5206\u6790\uff09\u6765\u68c0\u6d4b\u5f02\u5e38\u6a21\u5f0f<\/li>\n<\/ul>\n\n\n\n
\u89c4\u5219\u5f15\u64ce<\/h4>\n\n\n\n\u7b80\u5355\u89c4\u5219\u7528if-then\uff1b\u590d\u6742\u7528CEP\uff08Complex Event Processing\uff09\u5982Esper<\/strong><\/summary>\nCEP\uff08Complex Event Processing\uff09<\/p>\n\n\n\n
\u6982\u5ff5<\/strong> <\/p>\n\n\n\nComplex Event Processing\uff08\u590d\u6742\u4e8b\u4ef6\u5904\u7406\uff09\u662f\u4e00\u79cd\u5b9e\u65f6\u5904\u7406\u6280\u672f\uff0c\u5b83\u4ece\u591a\u4e2a\u4e8b\u4ef6\u6d41\uff08event streams\uff09\u4e2d\u68c0\u6d4b\u590d\u6742\u6a21\u5f0f<\/strong>\u3001\u65f6\u95f4\u76f8\u5173\u6027<\/strong>\u3001\u56e0\u679c\u5173\u7cfb<\/strong>\u6216\u8d8b\u52bf<\/strong>\uff0c\u800c\u4e0d\u662f\u53ea\u770b\u5355\u4e2a\u4e8b\u4ef6\u3002 \u5b83\u5173\u6ce8\u201c\u4e8b\u4ef6\u7684\u7ec4\u5408\u4e0e\u65f6\u5e8f\u201d\uff0c\u80fd\u8bc6\u522b\u51fa\u7b80\u5355\u89c4\u5219\u5f15\u64ce\u65e0\u6cd5\u53d1\u73b0\u7684\u9ad8\u9636\u5a01\u80c1<\/p>\n\n\n\n\u5178\u578b\u4ee3\u8868\u5de5\u5177<\/strong>\uff1aEsper\uff08\u5f00\u6e90 Java CEP \u5f15\u64ce\uff09\u3001Apache Flink CEP\u3001Drools Fusion\u3001IBM Operational Decision Manager \u7b49<\/p>\n\n\n\n\u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n\n- \u5b9e\u65f6\u4ea7\u751f\u201c\u590d\u6742\u4e8b\u4ef6\u201d\uff08synthesized event\uff09\uff0c\u7528\u4e8e\u89e6\u53d1\u9ad8\u7ea7\u544a\u8b66<\/li>\n\n\n\n
- \u68c0\u6d4b\u591a\u4e8b\u4ef6\u5173\u8054\u7684\u590d\u6742\u573a\u666f\uff08\u4f8b\u5982\uff1a5 \u5206\u949f\u5185 3 \u6b21\u5931\u8d25\u767b\u5f55 + \u6765\u81ea\u540c\u4e00 IP \u7684\u7aef\u53e3\u626b\u63cf + \u5f02\u5e38\u6587\u4ef6\u8bbf\u95ee\uff09<\/li>\n\n\n\n
- \u652f\u6301\u65f6\u95f4\u7a97\u53e3\uff08sliding window\u3001tumbling window\uff09\u3001\u5e8f\u5217\u6a21\u5f0f\uff08A \u540e\u8ddf B \u4f46\u4e0d\u8ddf C\uff09\u3001\u805a\u5408\uff08\u5e73\u5747\u3001\u6700\u5927\u3001\u6700\u5c0f\uff09\u3001\u5426\u5b9a\u6a21\u5f0f\uff08\u67d0\u6bb5\u65f6\u95f4\u5185\u6ca1\u6709\u53d1\u751f\u67d0\u4e8b\u4ef6\uff09<\/li>\n<\/ul>\n\n\n\n
\u793a\u4f8b\u573a\u666f <\/strong><\/p>\n\n\n\n\u7528\u6237 A \u6b63\u5e38\u5de5\u4f5c\u65f6\u95f4\u4ece\u4e1c\u4eac\u767b\u5f55\uff0c\u7a81\u7136\u5728\u51cc\u6668\u4ece\u4fc4\u7f57\u65af IP \u767b\u5f55\uff0c\u4e14 2 \u5206\u949f\u5185\u5c1d\u8bd5\u8bbf\u95ee 10 \u4e2a\u654f\u611f\u670d\u52a1\u5668 \u2192 CEP \u53ef\u4ee5\u7528\u4e00\u6761 EPL\uff08Event Processing Language\uff09\u8bed\u53e5\u68c0\u6d4b\u8fd9\u79cd\u8de8\u65f6\u95f4\u3001\u8de8\u6765\u6e90\u7684\u6a21\u5f0f<\/p>\n<\/details>\n\n\n\n
\u5173\u8054\u793a\u4f8b\uff1a192.168.xxx.xxx\u5728\u4e94\u5206\u949f\u5185\u767b\u5f55\u5931\u8d25\u8d85\u8fc710\u6b21+\u7aef\u53e3\u626b\u63cf=\u9ad8\u5371\u544a\u8b66<\/p>\n\n\n\n
ML\u96c6\u6210<\/h4>\n\n\n\n\u7528 UEBA \u68c0\u6d4b\u5f02\u5e38\uff08\u5982\u7528\u6237\u5e73\u65f6\u4ece US \u767b\u5f55\uff0c\u7a81\u7136\u4ece RU\uff0c\u9700\u57fa\u7ebf\u6a21\u578b\uff09<\/strong><\/summary>\n\u6982\u5ff5<\/strong> UEBA = User and Entity Behavior Analytics<\/strong>\uff08\u7528\u6237\u4e0e\u5b9e\u4f53\u884c\u4e3a\u5206\u6790\uff09\u3002 \u5b83\u5229\u7528\u673a\u5668\u5b66\u4e60<\/strong>\uff08\u800c\u975e\u56fa\u5b9a\u89c4\u5219\uff09\u4e3a\u6bcf\u4e2a\u7528\u6237\u3001\u4e3b\u673a\u3001IP\u3001\u5e94\u7528\u7b49\u5b9e\u4f53\u5efa\u7acb\u52a8\u6001\u884c\u4e3a\u57fa\u7ebf<\/strong>\uff08baseline\uff09\uff0c\u7136\u540e\u6301\u7eed\u76d1\u63a7\u5f53\u524d\u884c\u4e3a\u4e0e\u57fa\u7ebf\u7684\u504f\u79bb\u7a0b\u5ea6\uff0c\u68c0\u6d4b\u5f02\u5e38<\/p>\n\n\n\n\u6838\u5fc3\u673a\u5236<\/strong><\/p>\n\n\n\n\n- \u5b66\u4e60\u9636\u6bb5<\/strong>\uff1a\u6536\u96c6\u5386\u53f2\u6570\u636e\uff08\u767b\u5f55\u65f6\u95f4\u3001\u5730\u70b9\u3001\u8bbf\u95ee\u8d44\u6e90\u3001\u64cd\u4f5c\u9891\u7387\u7b49\uff09\uff0c\u7528 ML\uff08\u5982\u805a\u7c7b\u3001Isolation Forest\u3001Autoencoder\u3001\u7edf\u8ba1\u6a21\u578b\uff09\u6784\u5efa\u201c\u6b63\u5e38\u201d\u753b\u50cf<\/li>\n\n\n\n
- \u68c0\u6d4b\u9636\u6bb5<\/strong>\uff1a\u5b9e\u65f6\u6253\u5206\uff08risk score\uff09\uff0c\u504f\u79bb\u57fa\u7ebf\u8d8a\u8fdc\u5206\u6570\u8d8a\u9ad8<\/li>\n\n\n\n
- \u52a8\u6001\u66f4\u65b0<\/strong>\uff1a\u57fa\u7ebf\u4f1a\u968f\u65f6\u95f4\u7f13\u6162\u6f14\u5316\uff08\u4f8b\u5982\u7528\u6237\u6362\u4e86\u5de5\u4f5c\u5730\u70b9\uff09<\/li>\n<\/ol>\n\n\n\n
\u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n\n- \u53d1\u73b0\u672a\u77e5\u5a01\u80c1<\/strong>\uff08zero-day\u3001\u6162\u901f APT\u3001\u4f4e\u901f\u6570\u636e\u7a83\u53d6\u3001\u5185\u90e8\u5a01\u80c1\uff09<\/li>\n\n\n\n
- \u5f25\u8865\u89c4\u5219-based \u68c0\u6d4b\u7684\u76f2\u533a\uff08\u89c4\u5219\u5199\u4e0d\u5168\u6240\u6709\u53ef\u80fd\u653b\u51fb\uff09<\/li>\n\n\n\n
- \u5178\u578b\u5f02\u5e38\u793a\u4f8b\uff1a\n
\n- \u7528\u6237\u5e73\u65f6\u53ea\u5728\u7f8e\u56fd\u5de5\u4f5c\u65f6\u95f4\u4ece\u516c\u53f8 VPN \u767b\u5f55\uff0c\u7a81\u7136\u4ece\u4fc4\u7f57\u65af IP \u51cc\u6668\u767b\u5f55<\/li>\n\n\n\n
- \u8d22\u52a1\u4eba\u5458\u7a81\u7136\u5927\u91cf\u4e0b\u8f7d HR \u76ee\u5f55\u6587\u4ef6<\/li>\n\n\n\n
- \u670d\u52a1\u5668\u5e73\u65f6\u53ea\u8dd1 Web \u670d\u52a1\uff0c\u7a81\u7136\u542f\u52a8\u6316\u77ff\u8fdb\u7a0b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
\u5b9e\u4f8b<\/strong><\/p>\n\n\n\n\u7528\u6237\u5e73\u65f6 9:00\u201318:00 \u4ece\u4e1c\u4eac IP \u767b\u5f55\u516c\u53f8\u90ae\u7bb1\uff0c\u7a81\u7136 03:00 \u4ece\u4fc4\u7f57\u65af IP \u767b\u5f55 \u2192 UEBA \u4f1a\u7ed9\u8be5\u884c\u4e3a\u6253\u9ad8\u98ce\u9669\u5206\uff0c\u751f\u6210\u5f02\u5e38\u4e8b\u4ef6\uff0c\u4f9b\u7b2c 5 \u5c42\u544a\u8b66\u3002<\/p>\n<\/details>\n\n\n\n
5\u3001\u544a\u8b66\u4e0e\u54cd\u5e94\u5c42<\/h3>\n\n\n\n\n- \u751f\u6210\u544a\u8b66\u901a\u77e5\uff0c\u4f8b\u5982\u53d1\u9001\u90ae\u4ef6\u3001SMS\u3001\u540e\u53f0\u7968\u52a1\u7cfb\u7edf<\/li>\n\n\n\n
- \u652f\u6301\u81ea\u52a8\u5316\u54cd\u5e94\uff0c\u4f8b\u5982\u5c01\u7981IP\u6216\u811a\u672c\u5229\u7528<\/li>\n\n\n\n
- \u63d0\u4f9b\u53ef\u89c6\u5316\u754c\u9762\u62a5\u544a\u2014\u2014\u8fde\u63a5\u4eea\u8868\u76d8\uff0c\u5c55\u793a\u4e8b\u4ef6\u3001\u5386\u53f2\u8d8b\u52bf\u5e76\u5408\u6210\u76f8\u5173\u62a5\u544a<\/li>\n<\/ul>\n\n\n\n
\u673a\u5236<\/h4>\n\n\n\n\u544a\u8b66\u5206\u7ea7\uff08\u9ad8\u5371\/\u4e2d\u5371\/\u4f4e\u5371\/\u65e0\u98ce\u9669\uff09\uff0c\u96c6\u6210SOAR\u81ea\u52a8\u5316\u54cd\u5e94<\/strong><\/summary>\n\u6982\u5ff5<\/strong> SOAR = Security Orchestration, Automation and Response<\/strong>\uff08\u5b89\u5168\u7f16\u6392\u3001\u81ea\u52a8\u5316\u4e0e\u54cd\u5e94\uff09\u3002 \u5b83\u662f\u4e00\u4e2a\u6d41\u7a0b\u81ea\u52a8\u5316\u5e73\u53f0<\/strong>\uff0c\u628a\u5b89\u5168\u5de5\u5177\uff08SIEM\u3001EDR\u3001\u9632\u706b\u5899\u3001\u7968\u52a1\u7cfb\u7edf\u3001\u90ae\u4ef6\u7b49\uff09\u4e32\u8054\u8d77\u6765\uff0c\u901a\u8fc7\u9884\u5b9a\u4e49\u7684playbook<\/strong>\uff08\u5267\u672c\uff09\u81ea\u52a8\u6216\u534a\u81ea\u52a8\u6267\u884c\u54cd\u5e94\u52a8\u4f5c<\/p>\n\n\n\n\u5178\u578b\u4ee3\u8868\u5de5\u5177<\/strong><\/p>\n\n\n\n\n- \u5f00\u6e90\uff1aTheHive + Cortex\uff08\u5206\u6790\u5668\uff09\u3001Shuffle\u3001Demisto\uff08\u73b0 Palo Alto XSOAR \u7684\u524d\u8eab\u5f00\u6e90\u90e8\u5206\uff09<\/li>\n\n\n\n
- \u5546\u7528\uff1aSplunk SOAR\u3001Swimlane\u3001IBM Resilient\u3001ServiceNow SecOps \u7b49<\/li>\n<\/ul>\n\n\n\n
\u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n\n- Response<\/strong>\uff1a\u63d0\u4f9b\u6807\u51c6\u5316\u7684\u54cd\u5e94\u6d41\u7a0b\uff0c\u51cf\u5c11\u4eba\u4e3a\u9519\u8bef\uff0c\u63d0\u9ad8\u54cd\u5e94\u901f\u5ea6<\/li>\n\n\n\n
- Orchestration<\/strong>\uff1a\u628a\u5206\u6563\u5de5\u5177\u8fde\u6210\u5de5\u4f5c\u6d41<\/li>\n\n\n\n
- Automation<\/strong>\uff1a\u81ea\u52a8\u6267\u884c\u91cd\u590d\u3001\u4f4e\u4ef7\u503c\u52a8\u4f5c\uff08\u67e5 VirusTotal\u3001\u5c01 IP\u3001\u521b\u5efa Jira ticket\u3001\u9694\u79bb\u4e3b\u673a\uff09<\/li>\n<\/ul>\n\n\n\n
\u793a\u4f8b\u573a\u666f<\/strong>\uff08TheHive \u96c6\u6210\uff09 SIEM \u68c0\u6d4b\u5230\u66b4\u529b\u7834\u89e3 \u2192 \u81ea\u52a8\u89e6\u53d1 Shuffle\/TheHive playbook\uff1a<\/p>\n\n\n\n\n- \u901a\u77e5 Slack\/\u90ae\u4ef6 + \u521b\u5efa\u5de5\u5355<\/li>\n\n\n\n
- \u67e5 AbuseIPDB \/ VirusTotal \u8bc4\u5206<\/li>\n\n\n\n
- \u5982\u679c\u5206\u6570\u9ad8 \u2192 \u81ea\u52a8\u521b\u5efa TheHive Case<\/li>\n\n\n\n
- \u81ea\u52a8\u8c03\u7528 Cortex Analyzer \u5206\u6790 IP<\/li>\n\n\n\n
- \u81ea\u52a8\u901a\u8fc7 API \u8ba9\u9632\u706b\u5899\u5c01\u7981 IP<\/li>\n<\/ol>\n<\/details>\n\n\n\n
\u96c6\u6210<\/h4>\n\n\n\n
Python\u53ef\u8c03\u7528\u5916\u90e8API\uff08Slack for\u901a\u77e5\u3001iptables for\u5c01\u7981\uff09<\/p>\n\n\n\n
6\u3001\u7ba1\u7406\u4e0e\u5408\u89c4\u5c42<\/h3>\n\n\n\n\n- \u914d\u7f6e\u89c4\u5219\u3001\u7528\u6237\u8bbf\u95ee\u63a7\u5236\u3001\u5ba1\u8ba1\u65e5\u5fd7<\/li>\n\n\n\n
- \u786e\u4fdd\u7b26\u5408\u6cd5\u89c4\uff0c\u6cd5\u89c4\u5305\u62ec\u4e14\u4e0d\u9650\u4e8eGDPR\u3001HIPAA<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\u5de5\u4f5c\u673a\u5236<\/h2>\n\n\n\n
SIEM\u91c7\u7528\u95ed\u73af\u6d41\u7a0b\u7684\u5de5\u4f5c\u673a\u5236\uff1a<\/p>\n\n\n\n
\n- \u91c7\u96c6\u4e0e\u4f20\u8f93\uff1a\u6570\u636e\u6e90\u751f\u6210\u65e5\u5fd7\uff0c\u91c7\u96c6\u5668\u63a8\u9001\u6216\u62c9\u53d6\u6570\u636e\u5230\u4e2d\u592e\u670d\u52a1\u5668<\/li>\n\n\n\n
- \u5904\u7406\u4e0e\u5206\u6790\uff1a\u65e5\u5fd7\u8fdb\u5165\u7ba1\u9053\uff0c\u7ecf\u8fc7\u5206\u6790\u3001\u6807\u51c6\u5316\u540e\u8fdb\u5165\u89c4\u5219\u5f15\u64ce\n
\n- \u89e6\u53d1\u89c4\u5219\u5339\u914d\u65f6\u95f4\u4f1a\u8bc6\u522b\u4e8b\u4ef6<\/li>\n\n\n\n
- \u89e6\u53d1\u76f8\u5173\u8054\u4e8b\u4ef6\u4f1a\u63d0\u5347\u4f18\u5148\u7ea7<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u68c0\u6d4b\u5f02\u5e38\uff1a\u9488\u5bf9\u5f02\u5e38\u767b\u5f55\uff0c\u673a\u5236\u5305\u62ec\uff1a\n
\n- \u9608\u503c\u68c0\u6d4b\uff1a1\u5206\u949f\u51853\u6b21\u767b\u5f55\u5931\u8d25<\/li>\n\n\n\n
- \u5730\u7406\u4f4d\u7f6e\u68c0\u67e5\uff1a\u767b\u5f55IP\u4e0d\u5339\u914d\u5386\u53f2\u4f4d\u7f6e<\/li>\n\n\n\n
- \u884c\u4e3a\u57fa\u7ebf\uff1a\u63a5\u5165\u5927\u6a21\u578b\u5b66\u4e60\u5386\u53f2\u6d4f\u89c8\u884c\u4e3a\uff0c\u6bd4\u5bf9\u5f53\u524d\u884c\u4e3a\u548c\u5386\u53f2\u884c\u4e3a\u5dee\u5f02<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u544a\u8b66\u751f\u6210\uff1a\u4e00\u65e6\u68c0\u6d4b\u5230\u5a01\u80c1\uff0c\u751f\u6210\u4e8b\u4ef6\u7968\u636e\uff08Ticket\uff09\uff0c\u901a\u77e5\u5b89\u5168\u56e2\u961f\u3002\u4e25\u91cd\u4e8b\u4ef6\u53ef\u89e6\u53d1SOAR\uff08Security Orchestration, Automation and Response\uff09\u81ea\u52a8\u5316\u54cd\u5e94\u3002<\/li>\n\n\n\n
- \u56de\u987e\u548c\u4f18\u5316\uff1a\u901a\u8fc7forensic\u5206\u6790\u5386\u53f2\u6570\u636e\uff0c\u4f18\u5316\u68c0\u6d4b\uff0c\u51cf\u5c11\u8bef\u62a5\uff08False Positives\uff09<\/li>\n<\/ol>\n\n\n\n
graph TB\nA((\u91c7\u96c6\u4e0e\u4f20\u8f93))\nB[\u5904\u7406\u4e0e\u5206\u6790]\nC[\u68c0\u6d4b\u5f02\u5e38]\nD[\u544a\u8b66\u751f\u6210]\nE((\u56de\u987e\u548c\u4f18\u5316))\nA--\u63a8\u9001\u5230\u670d\u52a1\u5668-->B\nB--\u65e5\u5fd7\u8fdb\u5165\u7ba1\u9053-->C\nC--\u89c4\u5219\u5339\u914d\u3001\u9608\u503c\u68c0\u6d4b\u3001\u884c\u4e3a\u5339\u914d-->D\nD--\u751f\u6210\u7968\u636e\uff0c\u544a\u77e5\u56e2\u961f-->E\nE--\u6a21\u578b\u5b66\u4e60\u3001\u5206\u6790\u5386\u53f2-->A<\/pre><\/div>\n\n\n\n
\n\n\n\nPython\u6a21\u5757\u793a\u4f8b<\/h2>\n\n\n\n
\u73b0\u5047\u8bbe\u9700\u8981\u5f00\u53d1\u4e00\u4e2a\u6a21\u5757\u6765\u76d1\u63a7Linux\u7cfb\u7edf\u4e0b\u7684\/var\/log\/auth.log<\/code><\/strong><\/mark>\u6587\u4ef6\uff0c\u5b9e\u65f6\u91c7\u96c6\u65e5\u5fd7\uff0c\u68c0\u6d4b\u5f02\u5e38\u767b\u5f55\uff0c\u5e76\u901a\u8fc7\u90ae\u4ef6\u53d1\u9001\u544a\u8b66<\/p>\n\n\n\n\u8fd9\u4e2a\u5b9e\u4f8b\u4f7f\u7528Python\u6807\u51c6\u5e93\u548c\u5c11\u91cf\u5185\u7f6e\u6a21\u5757\uff08\u5982re<\/strong><\/mark>\u7528\u4e8e\u89e3\u6790\u3001smtplib<\/strong><\/mark>\u7528\u4e8e\u90ae\u4ef6\uff09\u91c7\u7528\u6587\u4ef6\u5c3e\u968f\uff08tailing\uff09\u673a\u5236\u6a21\u62df\u5b9e\u65f6\u91c7\u96c6\uff08\u7c7b\u4f3clinux\u7684tail -f\u547d\u4ee4\uff09\uff0c\u907f\u514d\u4f9d\u8d56\u5916\u90e8\u5e93<\/p>\n\n\n\n\u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n\n\n\n
import re\nimport time\nimport smtplib\nfrom email.mime.text import MIMEText # \u7528\u4e8e\u6784\u5efa\u90ae\u4ef6\u5185\u5bb9\nfrom collections import defaultdict # \u7528\u4e8e\u5b58\u50a8\u767b\u5f55\u5931\u8d25\u7684\u65f6\u95f4\u6233\u5217\u8868\nfrom datetime import datetime, timedelta # \u7528\u4e8e\u5904\u7406\u65f6\u95f4\u7a97\u53e3\n\n# \u914d\u7f6e\u53c2\u6570\nLOG_FILE = '\/var\/log\/auth.log' # \u66ff\u6362\u4e3a\u5b9e\u9645\u65e5\u5fd7\u8def\u5f84\uff08\u9700\u8bfb\u6743\u9650\uff09\nALERT_THRESHOLD = 3 # \u5931\u8d25\u767b\u5f55\u9608\u503c\nTIME_WINDOW = timedelta(minutes=1) # \u65f6\u95f4\u7a97\u53e3\nSMTP_SERVER = 'smtp.example.com' # \u66ff\u6362\u4e3a\u4f60\u7684 SMTP \u670d\u52a1\u5668\nSMTP_PORT = 587 # \u66ff\u6362\u4e3a\u4f60\u7684 SMTP \u7aef\u53e3\nSENDER_EMAIL = 'alert@example.com' # \u66ff\u6362\u4e3a\u4f60\u7684\u53d1\u9001\u90ae\u7bb1\nSENDER_PASSWORD = 'your_password' # \u66ff\u6362\u4e3a\u4f60\u7684\u53d1\u9001\u90ae\u7bb1\u5bc6\u7801\nRECIPIENT_EMAIL = 'admin@example.com' # \u66ff\u6362\u4e3a\u4f60\u7684\u63a5\u6536\u90ae\u7bb1\n\n# \u6b63\u5219\u8868\u8fbe\u5f0f\u89e3\u6790 sshd \u767b\u5f55\u65e5\u5fd7\uff08\u793a\u4f8b\uff1aFailed password for user from IP\uff09\nFAILED_LOGIN_PATTERN = re.compile(r'Failed password for (\\w+) from ([\\d.]+) port \\d+ ssh2')\nSUCCESS_LOGIN_PATTERN = re.compile(r'Accepted password for (\\w+) from ([\\d.]+) port \\d+ ssh2')\n\nclass LoginTracker: # \u8ffd\u8e2a\u767b\u5f55\u5931\u8d25\u7684\u7c7b\n def __init__(self):\n self.failures = defaultdict(list) # IP -> list of failure timestamps\n\n def process_log_line(self, line):\n failed_match = FAILED_LOGIN_PATTERN.search(line)\n if failed_match: # \u5982\u679c\u5339\u914d\u5230\u5931\u8d25\u767b\u5f55\n user, ip = failed_match.groups()\n now = datetime.now() # \u5f53\u524d\u65f6\u95f4\n self.failures[ip].append(now) # \u8bb0\u5f55\u5931\u8d25\u65f6\u95f4\n # \u6e05\u7406\u8fc7\u671f\u8bb0\u5f55\n self.failures[ip] = [t for t in self.failures[ip] if now - t < TIME_WINDOW] # \u4fdd\u7559\u65f6\u95f4\u7a97\u53e3\u5185\u7684\u8bb0\u5f55\n # \u68c0\u67e5\u9608\u503c\n if len(self.failures[ip]) >= ALERT_THRESHOLD:\n self.send_alert(ip, user, len(self.failures[ip]))\n self.failures[ip] = [] # \u91cd\u7f6e\u8ba1\u6570\u4ee5\u907f\u514d\u91cd\u590d\u544a\u8b66\n\n success_match = SUCCESS_LOGIN_PATTERN.search(line)\n if success_match:\n user, ip = success_match.groups()\n print(f\"Successful login: User {user} from {ip}\")\n\n def send_alert(self, ip, user, count): # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6\n msg = MIMEText(f\"Abnormal login detected: {count} failed attempts for user {user} from IP {ip}\") # \u90ae\u4ef6\u5185\u5bb9\n msg['Subject'] = 'Security Alert: Abnormal Login'\n msg['From'] = SENDER_EMAIL # \u90ae\u4ef6\u53d1\u9001\u8005\n msg['To'] = RECIPIENT_EMAIL # \u90ae\u4ef6\u63a5\u6536\u8005\n\n try: # \u8fde\u63a5 SMTP \u670d\u52a1\u5668\u5e76\u53d1\u9001\u90ae\u4ef6\n server = smtplib.SMTP(SMTP_SERVER, SMTP_PORT) # \u8fde\u63a5 SMTP \u670d\u52a1\u5668\n server.starttls() # \u542f\u7528 TLS\n server.login(SENDER_EMAIL, SENDER_PASSWORD) # \u767b\u5f55 SMTP \u670d\u52a1\u5668\n server.sendmail(SENDER_EMAIL, RECIPIENT_EMAIL, msg.as_string())\n server.quit()\n print(\"Alert sent successfully\") \n except Exception as e:\n print(f\"Failed to send alert: {e}\")\n\ndef tail_log_file(file_path): # \u5b9e\u65f6\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\n with open(file_path, 'r') as f:\n # \u79fb\u52a8\u5230\u6587\u4ef6\u672b\u5c3e\n f.seek(0, 2) \n while True:\n line = f.readline()\n if not line:\n time.sleep(0.1) # \u8f6e\u8be2\u95f4\u9694\n continue\n yield line.strip() # \u8fd4\u56de\u65b0\u884c\n\n# \u4e3b\u51fd\u6570\nif __name__ == '__main__':\n tracker = LoginTracker()\n print(\"Starting log monitoring...\")\n for line in tail_log_file(LOG_FILE): # \u5904\u7406\u6bcf\u4e00\u884c\u65e5\u5fd7\n tracker.process_log_line(line) # \u89e3\u6790\u65e5\u5fd7\u884c\u5e76\u66f4\u65b0\u767b\u5f55\u72b6\u6001<\/code><\/pre>\n\n\n\n
\n\n\n\nPython\u4ee3\u7801\u7247\u6bb5\u793a\u4f8b<\/h2>\n\n\n\n
SIEM\u7684\u6838\u5fc3\u67b6\u6784\u901a\u5e38\u88ab\u63cf\u8ff0\u4e3a\u5206\u5c42\u7ba1\u9053\uff08pipeline\uff09\u5f0f\u7ed3\u6784\uff0c\u4ece\u903b\u8f91\u4e0a\u770b\uff0c\u516d\u5c42\u67b6\u6784\u6bcf\u5c42\u5b9e\u73b0\u7684\u6a21\u5757\u5206\u522b\u72ec\u7acb\u8fd0\u884c\u540e\u4ea4\u7ed9\u4e0b\u4e00\u5c42\uff0c\u7ecf\u8fc7\u95ed\u73af\u6d41\u7a0b\u5b9e\u73b0\u8bb0\u5f55\u3001\u7edf\u4e00\u3001\u5b58\u50a8\u3001\u5206\u6790\u3001\u54cd\u5e94\u3001\u4f18\u5316\u3002\u4f46\u4ece\u5b9e\u9645\u7cfb\u7edf\u8fd0\u884c\u4e2d\uff0c\u8fd9\u4e9b\u5c42\u90fd\u662f\u9ad8\u5ea6\u5e76\u884c\u3001\u5f02\u6b65\u3001\u6d41\u5f0f\u5904\u7406\uff0c\u5373\u540c\u4e00\u65f6\u523b\u6210\u5343\u4e0a\u4e07\u5404\u4e8b\u4ef6\u5728\u4e0d\u540c\u5c42\u3001\u4e0d\u540c\u8282\u70b9\u540c\u65f6\u88ab\u5904\u7406\u3002\u4e0b\u9762\u5c06\u9488\u5bf9\u5404\u5c42\u5355\u72ec\u7528\u4ee3\u7801\u4e3e\u4f8b\u89e3\u91ca\uff1a<\/p>\n\n\n\n
\u6570\u636e\u91c7\u96c6\u5c42\uff08Data Collection \/ Ingestion\uff09<\/h3>\n\n\n\n
\u8d1f\u8d23\u4ece\u5404\u79cd\u6e90\u5934\u5b9e\u65f6\/\u6279\u91cf\u62c9\u53d6\u6216\u63a5\u6536\u65e5\u5fd7\uff0c\u5178\u578b\u7684\u5b9e\u73b0\u65b9\u5f0f<\/strong>\u6709\uff1a<\/p>\n\n\n\n\u6587\u4ef6tail\u3001Syslog UDP\/TCP\u63a5\u6536\u3001Beats\/Filebeat\u3001API polling\u7b49<\/p>\n\n\n\n
Python\u793a\u4f8b<\/strong>\uff08\u6587\u4ef6tail+\u7b80\u5355Syslog UDP\u670d\u52a1\u5668\uff09<\/span><\/i><\/div># collector.py - \u91c7\u96c6\u5c42\u793a\u4f8b
import socket
import threading
from pathlib import Path
import time
def tail_file(log_path: str, callback): # \u5b9a\u4e49\u4e00\u4e2a\u51fd\u6570\u6765\u6a21\u62df tail -f \u529f\u80fd\uff0c\u5b9e\u65f6\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u65b0\u884c
\"\"\"\u6a21\u62df tail -f\"\"\"
path = Path(log_path)
last_size = path.stat().st_size # \u83b7\u53d6\u6587\u4ef6\u521d\u59cb\u5927\u5c0f\uff0c\u4ee5\u4fbf\u540e\u7eed\u8bfb\u53d6\u65b0\u589e\u5185\u5bb9
while True:
time.sleep(0.2)
current_size = path.stat().st_size # \u83b7\u53d6\u5f53\u524d\u6587\u4ef6\u5927\u5c0f\uff0c\u5982\u679c\u6709\u65b0\u589e\u5185\u5bb9\uff0c\u5219\u8bfb\u53d6\u65b0\u589e\u90e8\u5206\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406
if current_size > last_size: # \u5982\u679c\u6587\u4ef6\u6709\u65b0\u589e\u5185\u5bb9\uff0c\u5219\u8bfb\u53d6\u65b0\u589e\u90e8\u5206\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406
with open(path, 'r') as f:
f.seek(last_size) # \u79fb\u52a8\u6587\u4ef6\u6307\u9488\u5230\u4e0a\u6b21\u8bfb\u53d6\u7684\u4f4d\u7f6e
new_lines = f.readlines()
for line in new_lines: # \u5904\u7406\u6bcf\u4e00\u884c\u65b0\u589e\u65e5\u5fd7\uff0c\u8c03\u7528\u56de\u8c03\u51fd\u6570
callback(line.strip()) # \u53bb\u9664\u884c\u672b\u7684\u6362\u884c\u7b26\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570
last_size = current_size
def start_syslog_udp_server(port=514, callback=None): # \u5b9a\u4e49\u4e00\u4e2a\u51fd\u6570\u6765\u542f\u52a8\u4e00\u4e2a\u7b80\u5355\u7684 UDP Syslog \u670d\u52a1\u5668\uff0c\u76d1\u542c\u6307\u5b9a\u7aef\u53e3\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u63a5\u6536\u5230\u7684\u65e5\u5fd7\u6d88\u606f
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # \u521b\u5efa\u4e00\u4e2a UDP \u5957\u63a5\u5b57
sock.bind(('0.0.0.0', port))
print(f\"Syslog UDP listening on :{port}\")
while True:
data, addr = sock.recvfrom(4096) # \u63a5\u6536 UDP \u6d88\u606f
line = data.decode('utf-8', errors='ignore').strip() # \u89e3\u7801\u6d88\u606f\u5e76\u53bb\u9664\u884c\u672b\u7684\u6362\u884c\u7b26
if callback:
callback(line) # \u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u63a5\u6536\u5230\u7684\u65e5\u5fd7\u6d88\u606f
# \u4f7f\u7528\u793a\u4f8b
if __name__ == \"__main__\": # \u5b9a\u4e49\u4e00\u4e2a\u7b80\u5355\u7684\u56de\u8c03\u51fd\u6570\u6765\u6253\u5370\u91c7\u96c6\u5230\u7684\u65e5\u5fd7\u884c
def print_line(line):
print(f\"[\u91c7\u96c6] {line}\")
# \u542f\u52a8\u6587\u4ef6 tail
threading.Thread(target=tail_file, args=(\"\/var\/log\/auth.log\", print_line), daemon=True).start()
# \u542f\u52a8 UDP Syslog \u63a5\u6536\uff08\u53ef\u9009\uff09
# threading.Thread(target=start_syslog_udp_server, args=(514, print_line), daemon=True).start()
while True:
time.sleep(10) # \u4e3b\u7ebf\u7a0b\u4fdd\u6301\u8fd0\u884c\uff0c\u91c7\u96c6\u7ebf\u7a0b\u5728\u540e\u53f0\u5de5\u4f5c # \u53ef\u4ee5\u6839\u636e\u9700\u8981\u6dfb\u52a0\u66f4\u591a\u7684\u91c7\u96c6\u65b9\u5f0f\uff0c\u5982 TCP Syslog\u3001API \u91c7\u96c6\u7b49<\/code><\/div><\/div>\n\n\n\n\u6570\u636e\u6807\u51c6\u5316\u4e0e\u89e3\u6790\u5c42\uff08Normalization & Parsing\uff09<\/h3>\n\n\n\n
\u628a\u539f\u59cb\u65e5\u5fd7\u8f6c\u5316\u6210\u540c\u4e00\u7ed3\u6784\uff0c\u63d0\u53d6\u5173\u952e\u5b57\u6bb5<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f\uff1a<\/strong>\u6b63\u5219\/Grok\/CEF\/JSON schema\u6620\u5c04<\/p>\n\n\n\nPython\u5b9e\u4f8b<\/strong>\uff08\u7b80\u5355\u6b63\u5219 + CEF-like \u8f93\u51fa\uff09<\/span><\/i><\/div># parser.py
import re
import json
from datetime import datetime
# \u793a\u4f8b\uff1asshd \u5931\u8d25\u767b\u5f55\u6b63\u5219
FAIL_PATTERN = re.compile(r'Failed password for (\\S+) from ([\\d.]+) port \\d+ ssh2')
def parse_line(raw_line: str) -> dict | None: # \u89e3\u6790\u65e5\u5fd7\u884c\uff0c\u63d0\u53d6\u4e8b\u4ef6\u4fe1\u606f
ts = datetime.utcnow().isoformat() + \"Z\" # \u5b9e\u9645\u5e94\u4ece\u65e5\u5fd7\u63d0\u53d6\u65f6\u95f4
event = {
\"timestamp\": ts,
\"raw\": raw_line,
\"source\": \"auth.log\",
\"event_type\": \"unknown\"
}
m = FAIL_PATTERN.search(raw_line) # \u5339\u914d\u5931\u8d25\u767b\u5f55\u4e8b\u4ef6
if m:
user, src_ip = m.groups()
event.update({
\"event_type\": \"authentication_failure\",
\"user\": user,
\"src_ip\": src_ip,
\"severity\": \"medium\",
\"category\": \"authentication\"
})
return event
# \u53ef\u7ee7\u7eed\u6dfb\u52a0\u6210\u529f\u767b\u5f55\u3001sudo\u3001cron \u7b49\u591a\u79cd\u6a21\u5f0f...
return None # \u5ffd\u7565\u4e0d\u5173\u5fc3\u7684\u65e5\u5fd7
# \u4f7f\u7528\u793a\u4f8b
if __name__ == \"__main__\": # \u6d4b\u8bd5\u89e3\u6790\u529f\u80fd
test_lines = [
'Sep 4 10:15:23 server sshd[1234]: Failed password for invalid user admin from 192.168.1.100 port 12345 ssh2',
'Sep 4 10:16:01 server sshd[5678]: Accepted password for rain from 203.0.113.50 port 54321 ssh2'
]
for line in test_lines:
parsed = parse_line(line) # \u89e3\u6790\u65e5\u5fd7\u884c,\u8f93\u51fa\u7ed3\u679c
if parsed:
print(json.dumps(parsed, indent=2, ensure_ascii=False))<\/code><\/div><\/div>\n\n\n\n\u5b58\u50a8\u4e0e\u7d22\u5f15\u5c42\uff08Storage & Indexing\uff09<\/h3>\n\n\n\n
\u628a\u89e3\u6790\u540e\u7684\u4e8b\u4ef6\u5b58\u4e0b\u6765\uff0c\u652f\u6301\u5feb\u901f\u68c0\u7d22\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1aElasticsearch\u3001OpenSearch\u3001ClickHouse\u3001PostgreSQL + TimescaleDB\u3001SQLite\uff08\u539f\u578b\uff09\u3002<\/p>\n\n\n\nPython \u793a\u4f8b<\/strong>\uff08\u4f7f\u7528 SQLite + \u7b80\u5355\u65f6\u95f4\u5206\u533a\u8868\uff09<\/span><\/i><\/div># storage.py
import sqlite3
import json
from parser import parse_line # \u4ece parser \u6a21\u5757\u5bfc\u5165\u89e3\u6790\u51fd\u6570
from datetime import datetime
DB_PATH = \"siem_events.db\"
def init_db(): # \u521d\u59cb\u5316\u6570\u636e\u5e93\uff0c\u521b\u5efa\u4e8b\u4ef6\u8868
conn = sqlite3.connect(DB_PATH)
conn.execute(\"\"\"
CREATE TABLE IF NOT EXISTS events (
id INTEGER PRIMARY KEY AUTOINCREMENT,
timestamp TEXT,
event_type TEXT,
src_ip TEXT,
user TEXT,
severity TEXT,
raw TEXT,
json_data TEXT
)
\"\"\")
conn.commit()
return conn
def store_event(event: dict): # \u5b58\u50a8\u4e8b\u4ef6\u5230\u6570\u636e\u5e93
conn = sqlite3.connect(DB_PATH) # \u8fde\u63a5\u6570\u636e\u5e93
conn.execute(\"\"\"
INSERT INTO events (timestamp, event_type, src_ip, user, severity, raw, json_data)
VALUES (?, ?, ?, ?, ?, ?, ?) # \u4f7f\u7528\u53c2\u6570\u5316\u67e5\u8be2\u9632\u6b62 SQL \u6ce8\u5165
\"\"\", (
event[\"timestamp\"],
event.get(\"event_type\"),
event.get(\"src_ip\"),
event.get(\"user\"),
event.get(\"severity\"),
event[\"raw\"],
json.dumps(event)
)) # \u5c06\u4e8b\u4ef6\u5b57\u5178\u8f6c\u6362\u4e3a JSON \u5b58\u50a8
conn.commit()
conn.close()
# \u4f7f\u7528\u793a\u4f8b\uff1a\u7ed3\u5408 parser
if __name__ == \"__main__\":
init_db()
sample_event = parse_line(\"Failed password for test from 1.2.3.4 port 22 ssh2\") # \u4ece parser \u5bfc\u5165\u89e3\u6790\u51fd\u6570\uff0c\u89e3\u6790\u793a\u4f8b\u65e5\u5fd7\u884c
if sample_event:
store_event(sample_event)<\/code><\/div><\/div>\n\n\n\n\u5206\u6790\u4e0e\u5173\u8054\u5c42\uff08Analysis & Correlation\uff09<\/h3>\n\n\n\n
\u6838\u5fc3\u68c0\u6d4b\u5f15\u64ce\uff1a\u89c4\u5219\u5339\u914d\u3001\u9608\u503c\u3001\u65f6\u95f4\u7a97\u53e3\u5173\u8054\u3001\u7b80\u5355 ML\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1a\u89c4\u5219\u5f15\u64ce\uff08Sigma\uff09\u3001CEP\u3001\u72b6\u6001\u673a\u3001ML \u5f02\u5e38\u68c0\u6d4b\u3002<\/p>\n\n\n\nPython \u793a\u4f8b<\/strong>\uff08\u7b80\u5355\u6ed1\u52a8\u7a97\u53e3 + \u89c4\u5219\uff09<\/span><\/i><\/div># analyzer.py
from collections import defaultdict, deque
from datetime import datetime, timedelta
class FailureWindow: # \u76d1\u63a7\u77ed\u65f6\u95f4\u5185\u7684\u5931\u8d25\u4e8b\u4ef6
def __init__(self, threshold=5, window_sec=300): # threshold: \u5931\u8d25\u6b21\u6570\u9608\u503c, window_sec: \u65f6\u95f4\u7a97\u53e3\u957f\u5ea6\uff08\u79d2\uff09
self.failures = defaultdict(lambda: deque(maxlen=100)) # \u5b58\u50a8\u6bcf\u4e2aIP\u7684\u5931\u8d25\u4e8b\u4ef6\u65f6\u95f4\u6233\uff0c\u4f7f\u7528deque\u81ea\u52a8\u4e22\u5f03\u8fc7\u65e7\u7684\u8bb0\u5f55
self.threshold = threshold
self.window = timedelta(seconds=window_sec) # \u8f6c\u6362\u4e3atimedelta\u5bf9\u8c61\uff0c\u65b9\u4fbf\u65f6\u95f4\u6bd4\u8f83
def add_failure(self, ip: str, ts: datetime): # \u6dfb\u52a0\u5931\u8d25\u4e8b\u4ef6
self.failures[ip].append(ts) # \u6dfb\u52a0\u5f53\u524d\u5931\u8d25\u4e8b\u4ef6\u7684\u65f6\u95f4\u6233
# \u6e05\u7406\u8fc7\u671f
while self.failures[ip] and ts - self.failures[ip][0] > self.window: # \u79fb\u9664\u7a97\u53e3\u5916\u7684\u65e7\u8bb0\u5f55
self.failures[ip].popleft()
def is_brute_force(self, ip: str) -> bool: # \u5224\u65ad\u662f\u5426\u8fbe\u5230\u66b4\u529b\u653b\u51fb\u7684\u6761\u4ef6
if len(self.failures[ip]) >= self.threshold: # \u5982\u679c\u5f53\u524dIP\u7684\u5931\u8d25\u4e8b\u4ef6\u6570\u91cf\u8d85\u8fc7\u9608\u503c\uff0c\u8ba4\u4e3a\u53ef\u80fd\u662f\u66b4\u529b\u653b\u51fb
return True
return False
# \u89c4\u5219\u793a\u4f8b\uff1a\u77ed\u65f6\u95f4\u591a\u6b21\u5931\u8d25\u767b\u5f55
analyzer = FailureWindow(threshold=4, window_sec=120)
def analyze_event(event: dict): # \u5206\u6790\u4e8b\u4ef6\uff0c\u5224\u65ad\u662f\u5426\u89e6\u53d1\u66b4\u529b\u653b\u51fb\u89c4\u5219
if event.get(\"event_type\") == \"authentication_failure\":
ts = datetime.fromisoformat(event[\"timestamp\"].replace(\"Z\", \"+00:00\")) # \u89e3\u6790\u65f6\u95f4\u6233\uff0c\u5904\u7406UTC\u683c\u5f0f
ip = event[\"src_ip\"]
analyzer.add_failure(ip, ts)
if analyzer.is_brute_force(ip):
return {
\"alert\": True,
\"type\": \"brute_force_attempt\",
\"ip\": ip,
\"count\": len(analyzer.failures[ip]),
\"time_window\": \"2\u5206\u949f\"
}
return None<\/code><\/div><\/div>\n\n\n\n\u544a\u8b66\u4e0e\u54cd\u5e94\u5c42\uff08Alerting & Response\uff09<\/h3>\n\n\n\n
\u4ea7\u751f\u544a\u8b66\u3001\u901a\u77e5\u3001\u81ea\u52a8\u5316\u52a8\u4f5c\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1a\u90ae\u4ef6\u3001Slack\/Webhook\u3001SOAR \u811a\u672c\u3001\u9632\u706b\u5899 API\u3002<\/p>\n\n\n\nPython \u793a\u4f8b<\/strong>\uff08\u90ae\u4ef6 + \u7b80\u5355 iptables \u5c01\u7981\uff09<\/span><\/i><\/div>#alerter.py
import smtplib
from email.mime.text import MIMEText
import subprocess
def send_email_alert(alert_data: dict, to_email=\"admin@example.com\"): # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6
msg = MIMEText(f\"\u9ad8\u5371\u544a\u8b66\uff1a{alert_data}\")
msg['Subject'] = f\"SIEM Alert - {alert_data.get('type', '\u672a\u77e5')}\"
msg['From'] = \"siem@example.com\"
msg['To'] = to_email
with smtplib.SMTP(\"smtp.example.com\", 587) as server: # \u8fde\u63a5SMTP\u670d\u52a1\u5668
server.starttls()
server.login(\"siem@example.com\", \"password\")
server.send_message(msg)
def auto_block_ip(ip: str): # \u81ea\u52a8\u5c01\u7981IP\u5730\u5740
try:
# \u6ce8\u610f\uff1a\u751f\u4ea7\u73af\u5883\u9700\u8c28\u614e\uff0c\u6700\u597d\u7528 nftables \u6216\u4e13\u7528\u9632\u706b\u5899\u63a5\u53e3
subprocess.run([\"sudo\", \"iptables\", \"-A\", \"INPUT\", \"-s\", ip, \"-j\", \"DROP\"], check=True, timeout=10) # \u4f7f\u7528iptables\u5c01\u7981IP\uff0c\u8bbe\u7f6e\u8d85\u65f6\u907f\u514d\u6302\u8d77
print(f\"\u5df2\u81ea\u52a8\u5c01\u7981 IP: {ip}\")
except Exception as e:
print(f\"\u5c01\u7981\u5931\u8d25: {e}\")
# \u4f7f\u7528\u793a\u4f8b
if __name__ == \"__main__\": # \u6a21\u62df\u63a5\u6536\u5230\u4e00\u4e2a\u9ad8\u5371\u544a\u8b66
sample_alert = {\"type\": \"brute_force_attempt\", \"ip\": \"1.2.3.4\", \"count\": 7} # \u6a21\u62df\u4e00\u4e2a\u66b4\u529b\u653b\u51fb\u544a\u8b66
send_email_alert(sample_alert) # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6
auto_block_ip(sample_alert[\"ip\"]) # \u81ea\u52a8\u5c01\u7981\u653b\u51fbIP<\/code><\/div><\/div>\n\n\n\n\u5c55\u793a\u3001\u7ba1\u7406\u4e0e\u5408\u89c4\u5c42\uff08Visualization, Management & Compliance\uff09<\/h3>\n\n\n\n
\u4eea\u8868\u76d8\u3001\u67e5\u8be2\u3001\u62a5\u544a\u3001\u7528\u6237\u6743\u9650\u3001\u5ba1\u8ba1\u3001\u5f52\u6863\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1aKibana\/ Grafana\u3001\u81ea\u5b9a\u4e49 Flask\/Dash \u754c\u9762\u3001RBAC\u3002<\/p>\n\n\n\nPython \u793a\u4f8b<\/strong>\uff08\u7b80\u5355 Flask + SQLite \u67e5\u8be2 dashboard\uff09<\/span><\/i><\/div># dashboard.py - \u6781\u7b80 Web \u5c55\u793a
from flask import Flask, render_template_string
import sqlite3
app = Flask(__name__)
HTML = \"\"\"
<!doctype html>
<title>SIEM Mini Dashboard<\/title>
<h1>\u6700\u8fd1\u544a\u8b66\u4e8b\u4ef6<\/h1>
<table border=1>
<tr><th>\u65f6\u95f4<\/th><th>\u7c7b\u578b<\/th><th>IP<\/th><th>\u7528\u6237<\/th><th>\u539f\u59cb\u65e5\u5fd7<\/th><\/tr>
{% for row in events %}
<tr><td>{{ row[0] }}<\/td><td>{{ row[1] }}<\/td><td>{{ row[2] }}<\/td><td>{{ row[3] }}<\/td><td>{{ row[6][:100] }}<\/td><\/tr>
{% endfor %}
<\/table>
\"\"\"
@app.route(\"\/\") # \u9996\u9875\u663e\u793a\u6700\u8fd1\u7684\u544a\u8b66\u4e8b\u4ef6
def dashboard(): # \u4ece\u6570\u636e\u5e93\u8bfb\u53d6\u6700\u8fd1\u7684\u4e8b\u4ef6\u5e76\u5c55\u793a
conn = sqlite3.connect(\"siem_events.db\")
cur = conn.cursor() # \u67e5\u8be2\u6700\u8fd1\u7684\u4e8b\u4ef6
cur.execute(\"SELECT timestamp, event_type, src_ip, user, severity, raw FROM events ORDER BY timestamp DESC LIMIT 20\")
events = cur.fetchall() # \u5173\u95ed\u6570\u636e\u5e93\u8fde\u63a5
conn.close()
return render_template_string(HTML, events=events) # \u6e32\u67d3 HTML \u6a21\u677f\u5e76\u8fd4\u56de
if __name__ == \"__main__\": # \u542f\u52a8 Flask \u5e94\u7528
app.run(debug=True, port=5005)
\u4e4b\u540e\u7ec4\u5408\uff0c\u5f62\u6210\u4e00\u4e2a\u5c0f\u578b\u7ba1\u9053\uff1a
# main.py \u793a\u4f8b\u7ec4\u5408
from collector import tail_file
from parser import parse_line
from storage import store_event
from analyzer import analyze_event
from alerter import send_email_alert # \u6216\u5176\u4ed6\u52a8\u4f5c
def process_line(raw): # \u5904\u7406\u6bcf\u4e00\u884c\u65e5\u5fd7
event = parse_line(raw)
if event:
store_event(event)
alert = analyze_event(event)
if alert and alert.get(\"alert\"):
send_email_alert(alert)
tail_file(\"\/var\/log\/auth.log\", process_line) # \u76d1\u63a7\u65e5\u5fd7\u6587\u4ef6\u5e76\u5904\u7406\u65b0\u884c<\/code><\/div><\/div>\n\n\n\nSecurity Onion\uff08SO\uff09<\/h1>\n\n\n\n
SO\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u7f51\u7edc\u5b89\u5168\u76d1\u63a7\u3001\u5a01\u80c1\u68c0\u6d4b\u4e0e\u65e5\u5fd7\u5206\u6790\u5e73\u53f0\uff0c\u5e38\u7528\u4e8e\u4f01\u4e1a\u5b89\u5168\u8fd0\u8425\u4e2d\u5fc3\uff08SOC\uff09\u3001\u5165\u4fb5\u68c0\u6d4b\u3001\u5a01\u80c1\u72e9\u730e\u548c\u5e94\u6025\u54cd\u5e94\u573a\u666f\u3002\u8be5\u5e73\u53f0\u6574\u5408\u4e86\u591a\u79cd\u5b89\u5168\u5de5\u5177\uff0c\u5e2e\u52a9\u5b89\u5168\u56e2\u961f\u96c6\u4e2d\u91c7\u96c6\u3001\u5206\u6790\u548c\u544a\u8b66\u7f51\u7edc\u6d41\u91cf\u3001\u4e3b\u673a\u65e5\u5fd7\u4ee5\u53ca\u5b89\u5168\u4e8b\u4ef6\u3002<\/p>\n\n\n\n
\u4e3b\u8981\u529f\u80fd<\/h2>\n\n\n\n
\u4eceSIEM\u7684\u6838\u5fc3\u67b6\u6784\u51fa\u53d1\u4e0d\u96be\u7406\u89e3SO\u7684\u4e3b\u8981\u529f\u80fd\u548c\u8fd0\u4f5c\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
1. \u7f51\u7edc\u6d41\u91cf\u76d1\u63a7<\/h3>\n\n\n\n
Security Onion \u53ef\u4ee5\u63a5\u5165\u955c\u50cf\u6d41\u91cf\uff0c\u4f8b\u5982\u4ea4\u6362\u673a SPAN \u53e3\u3001TAP \u8bbe\u5907\u7b49\uff0c\u5bf9\u7f51\u7edc\u6570\u636e\u5305\u8fdb\u884c\u5206\u6790\u3002\u5b83\u53ef\u4ee5\u53d1\u73b0\uff1a<\/p>\n\n\n\n
\n- \u7aef\u53e3\u626b\u63cf<\/li>\n\n\n\n
- \u6f0f\u6d1e\u5229\u7528\u884c\u4e3a<\/li>\n\n\n\n
- \u6076\u610f\u8f6f\u4ef6\u901a\u4fe1<\/li>\n\n\n\n
- C2 \u56de\u8fde<\/li>\n\n\n\n
- \u6a2a\u5411\u79fb\u52a8<\/li>\n\n\n\n
- \u5f02\u5e38 DNS \u8bf7\u6c42<\/li>\n\n\n\n
- \u53ef\u7591 HTTP\/HTTPS \u884c\u4e3a<\/li>\n\n\n\n
- \u6570\u636e\u5916\u4f20\u884c\u4e3a<\/li>\n<\/ul>\n\n\n\n
2.\u5165\u4fb5\u68c0\u6d4b<\/h3>\n\n\n\n
Security Onion \u652f\u6301\u57fa\u4e8e\u89c4\u5219\u7684\u5165\u4fb5\u68c0\u6d4b\u3002\u5e38\u89c1\u68c0\u6d4b\u5f15\u64ce\u5305\u62ec\uff1a<\/p>\n\n\n\n
\n\n\n- Suricata<\/li>\n\n\n\n
- Zeek<\/li>\n\n\n\n
- Sigma<\/li>\n\n\n\n
- YARA\uff0c\u90e8\u5206\u573a\u666f\u4f7f\u7528<\/li>\n\n\n\n
- Elastic \u76f8\u5173\u67e5\u8be2\u89c4\u5219<\/li>\n<\/ul>\n<\/div>\n\n\n\n\n
\u5176\u4e2d\uff1a<\/p>\n\n\n\n
\n- Suricata \u504f\u91cd\u4e8e\u57fa\u4e8e\u7b7e\u540d\u7684\u7f51\u7edc\u5165\u4fb5\u68c0\u6d4b<\/li>\n\n\n\n
- Zeek \u504f\u91cd\u4e8e\u7f51\u7edc\u884c\u4e3a\u5206\u6790\u548c\u534f\u8bae\u65e5\u5fd7\u89e3\u6790<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n
3.\u65e5\u5fd7\u96c6\u4e2d\u5206\u6790<\/h3>\n\n\n\n
Security Onion \u53ef\u4ee5\u6536\u96c6\u6765\u81ea\u591a\u79cd\u6765\u6e90\u7684\u65e5\u5fd7\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
\n- Windows \u4e8b\u4ef6\u65e5\u5fd7<\/li>\n\n\n\n
- Linux \u7cfb\u7edf\u65e5\u5fd7<\/li>\n\n\n\n
- \u9632\u706b\u5899\u65e5\u5fd7<\/li>\n\n\n\n
- VPN \u65e5\u5fd7<\/li>\n\n\n\n
- DNS \u65e5\u5fd7<\/li>\n\n\n\n
- \u4ee3\u7406\u670d\u52a1\u5668\u65e5\u5fd7<\/li>\n\n\n\n
- EDR \u6216\u6740\u6bd2\u8f6f\u4ef6\u65e5\u5fd7<\/li>\n\n\n\n
- \u4e91\u5e73\u53f0\u65e5\u5fd7<\/li>\n\n\n\n
- \u5e94\u7528\u7cfb\u7edf\u65e5\u5fd7<\/li>\n<\/ul>\n\n\n\n
4.\u5a01\u80c1\u72e9\u730e<\/h3>\n\n\n\n
\u5b89\u5168\u5206\u6790\u5e08\u53ef\u4ee5\u901a\u8fc7 Security Onion \u7684\u754c\u9762\u67e5\u8be2\u7f51\u7edc\u548c\u4e3b\u673a\u6d3b\u52a8\u3002\u53ef\u4ee5\u8ffd\u8e2a\uff1a<\/p>\n\n\n\n
\n- \u67d0\u4e2a IP \u8bbf\u95ee\u4e86\u54ea\u4e9b\u57df\u540d<\/li>\n\n\n\n
- \u67d0\u4e2a\u4e3b\u673a\u662f\u5426\u8fde\u63a5\u8fc7\u6076\u610f IP<\/li>\n\n\n\n
- \u67d0\u4e2a\u8d26\u6237\u662f\u5426\u5b58\u5728\u5f02\u5e38\u767b\u5f55<\/li>\n\n\n\n
- \u67d0\u4e2a\u6587\u4ef6\u54c8\u5e0c\u662f\u5426\u51fa\u73b0\u8fc7<\/li>\n\n\n\n
- \u67d0\u4e2a\u5185\u7f51\u4e3b\u673a\u662f\u5426\u5b58\u5728\u626b\u63cf\u884c\u4e3a<\/li>\n\n\n\n
- \u653b\u51fb\u8005\u662f\u5426\u8fdb\u884c\u4e86\u6a2a\u5411\u79fb\u52a8<\/li>\n<\/ul>\n\n\n\n
5.\u544a\u8b66\u7ba1\u7406<\/h3>\n\n\n\n\n\n\n- \u67e5\u770b\u544a\u8b66\u8be6\u60c5<\/li>\n\n\n\n
- \u5173\u8054\u4e0a\u4e0b\u6587\u4fe1\u606f<\/li>\n\n\n\n
- \u6807\u8bb0\u4e8b\u4ef6\u72b6\u6001<\/li>\n\n\n\n
- \u8fdb\u884c\u8c03\u67e5\u5206\u6790<\/li>\n\n\n\n
- \u5c06\u4e8b\u4ef6\u5347\u7ea7\u4e3a Case<\/li>\n\n\n\n
- \u5bf9\u8bef\u62a5\u8fdb\u884c\u89c4\u5219\u8c03\u6574<\/li>\n<\/ul>\n<\/div>\n\n\n\n\n
\u5de6\u4fa7\u548cSIEM\u7684\u544a\u8b66\u7ba1\u7406\u90e8\u5206\u5f88\u76f8\u4f3c\uff0c\u8fd9\u4e5f\u662f\u535a\u4e3b\u79f0\u4e4b\u4e3a\u201c\u96c6\u6210\u5f0f\u5f00\u6e90\u5b89\u5168\u76d1\u63a7\u4e0e\u5a01\u80c1\u72e9\u730e\u5e73\u53f0\u201d\u7684\u539f\u56e0<\/p>\n<\/div>\n<\/div>\n\n\n\n
\u90e8\u7f72\u65b9\u5f0f<\/h2>\n\n\n\n
\u90e8\u7f72SO\u7684\u65f6\u5019\uff0c\u9700\u8981\u786e\u8ba4\u90e8\u7f72\u7684\u73af\u5883\u548c\u914d\u7f6e\u7684\u9ad8\u4f4e\uff0c\u907f\u514d\u9009\u62e9\u9519\u8bef\u7684\u90e8\u7f72\u65b9\u5f0f\u5bfc\u81f4\u65f6\u95f4\u6210\u672c\u589e\u52a0\u548c\u52a0\u5927\u670d\u52a1\u5668\u7684\u8d1f\u8377\u3002<\/p>\n\n\n\n
\n- standalone\u5355\u673a\u90e8\u7f72\u9002\u5408\u5355\u670d\u52a1\u5668\u4e0b\u7684\u5b9e\u9a8c\u73af\u5883\u4e2d\u3002\u8fd9\u6837\u505a\u7684\u4f18\u70b9\u5c31\u662f\u90e8\u7f72\u7b80\u5355\uff0c\u8fc5\u901f\uff0c\u4e0d\u9700\u8981\u7e41\u7410\u7684\u914d\u7f6e\u6b65\u9aa4\uff0c\u53ea\u9700\u8981\u6309\u7167\u9ed8\u8ba4\u914d\u7f6e\u6765\u8bbe\u7f6e\u5373\u53ef\u3002<\/li>\n\n\n\n
- Distributed\u5206\u5e03\u5f0f\u90e8\u7f72\u9002\u5408\u4e2d\u5927\u578b\u4f01\u4e1a\u4e2d\u7684\u751f\u6210\u73af\u5883\uff0c\u52a0\u5f3a\u751f\u4ea7\u73af\u5883\u7684\u5b89\u5168\u3002\u7f3a\u70b9\u663e\u800c\u6613\u89c1\uff0c\u4f46\u662f\u4f18\u70b9\u4e5f\u5f88\u663e\u8457\uff1a\u6269\u5c55\u80fd\u529b\u5f3a\uff0c\u53ef\u4ee5\u968f\u65f6\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u8c03\u6574\u4f20\u611f\u5668\u548c\u5b58\u50a8\u8282\u70b9\u7684\u6570\u91cf\u3002<\/li>\n\n\n\n
- Sensor\u4f20\u611f\u5668\u90e8\u7f72\u4e00\u822c\u7528\u5728\u5173\u952e\u7f51\u7edc\u4f4d\u7f6e\uff0c\u901a\u8fc7\u955c\u50cf\u6d41\u91cf\u6765\u76d1\u63a7\u6570\u636e\u4f20\u8f93\u3002\u5e38\u89c1\u7684\u4f4d\u7f6e\u5c31\u6709\u4e92\u8054\u7f51\u51fa\u53e3\u3001\u670d\u52a1\u533a\u6838\u5fc3\u3001\u6570\u636e\u6838\u5fc3\u4ea4\u6362\u533a\u7b49\u3002<\/li>\n<\/ul>\n\n\n\n
\u7b80\u5355\u7684\u4f7f\u7528\u6d41\u7a0b<\/h2>\n\n\n\n
SO\u4e0a\u624b\u4e5f\u5f88\u5bb9\u6613\uff0c\u4e00\u4e2a\u5178\u578b\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n\n\n\n
\n- \u5728\u5173\u952e\u7f51\u7edc\u4f4d\u7f6e\u90e8\u7f72 Sensor<\/li>\n\n\n\n
- \u63a5\u5165\u955c\u50cf\u6d41\u91cf<\/li>\n\n\n\n
- \u91c7\u96c6\u4e3b\u673a\u548c\u8bbe\u5907\u65e5\u5fd7<\/li>\n\n\n\n
- Suricata \u68c0\u6d4b\u6076\u610f\u6d41\u91cf<\/li>\n\n\n\n
- Zeek \u751f\u6210\u7f51\u7edc\u534f\u8bae\u65e5\u5fd7<\/li>\n\n\n\n
- Elastic \u5b58\u50a8\u548c\u7d22\u5f15\u65e5\u5fd7<\/li>\n\n\n\n
- Security Onion Console \u5c55\u793a\u544a\u8b66<\/li>\n\n\n\n
- \u5206\u6790\u4eba\u5458\u8c03\u67e5\u4e8b\u4ef6<\/li>\n\n\n\n
- \u6839\u636e\u7ed3\u679c\u8c03\u6574\u89c4\u5219\u6216\u5c01\u5835\u5a01\u80c1<\/li>\n<\/ol>\n\n\n\n
\u90e8\u7f72\u6d41\u7a0b\u793a\u4f8b<\/h2>\n\n\n\n
\u6ce8\uff1a\u7531\u4e8eSO\u7684\u914d\u7f6e\u811a\u672c\uff0c\u8be5\u811a\u672c\u68c0\u6d4b\u5230\u7f51\u5361\uff0c\u4f1a\u81ea\u52a8\u89e6\u53d1repo\u5f3a\u540c\u6b65\u3002\u5982\u679c\u5185\u7f51\u914d\u7f6e\u4e0d\u5f53\uff0c\u4f1a\u51fa\u73b0DNS\u89e3\u6790\u5931\u8d25\uff0c\u5bfc\u81f4\u65e0\u6cd5\u4ece\u5b98\u65b9\u4ed3\u5e93securityonion.net<\/strong>\u62c9\u53d6\u914d\u7f6e\u3002\u6240\u4ee5\u5728\u5185\u7f51\u73af\u5883\u90e8\u7f72\u7684\u65f6\u5019\uff0c\u5efa\u8bae\u9009\u62e9Airgap\u95ed\u7f51\u73af\u5883\u8fdb\u884c\u90e8\u7f72\u3002<\/p>\n\n\n\n\u672c\u6b21\u793a\u4f8b\u662f\u5728Proxmox Virtual Environment\uff08PVE\uff09\u4e2d\u90e8\u7f72\uff0c\u5177\u4f53\u7684\u5b9e\u9645\u60c5\u51b5\u8bf7\u53c2\u8003\u5185\u7f51\u4e2d\u7684\u5907\u6ce8\u3002\u5728\u6b64\u53ea\u7b80\u5355\u5730\u9610\u8ff0\u6b65\u9aa4\u6d41\u7a0b\u3002<\/p>\n\n\n\n
1.\u5bfc\u5165<\/h3>\n\n\n\n
- \n
- \u4ece\u5404\u4e2a\u6765\u6e90\u6536\u96c6\u65e5\u5fd7\u548c\u65f6\u95f4\u6570\u636e<\/li>\n\n\n\n
- \u652f\u6301\u591a\u79cd\u534f\u8bae\uff0c\u5982Syslog\u3001SNMP\u3001API\u3001\u6587\u4ef6\u4f20\u8f93\u7b49\u3002\u91c7\u96c6\u5668\u90e8\u7f72\u5728\u6570\u636e\u6e90\u7aef\u6216\u96c6\u4e2d\u5f0f\u670d\u52a1\u5668\u4e0a\uff0c\u786e\u4fdd\u6570\u636e\u4f20\u8f93<\/li>\n<\/ul>\n\n\n\n
\u673a\u5236<\/h4>\n\n\n\n
\u901a\u5e38\u91c7\u7528push-pull\u6df7\u5408\uff1a<\/p>\n\n\n\n
\n\nPush\u6a21\u5f0f\u7531\u6570\u636e\u6e90\u4e3b\u52a8\u53d1\u9001\u65e5\u5fd7\uff0c\u9002\u5408\u5b9e\u65f6\u6027<\/strong><\/p>\n<\/div>\n\n\n\n
\nPull\u6a21\u5f0f\u7531SIEM\u670d\u52a1\u5668\u5b9a\u671f\u62c9\u53d6\uff0c\u9002\u5408\u4e91\u73af\u5883<\/strong><\/p>\n<\/div>\n<\/div>\n\n\n\n
\n
\u5728\u5f02\u5e38\u767b\u5f55\u573a\u666f\uff0c\u91c7\u96c6Windows Event Logs \u6216 Linux auth.log \u65f6\uff0c\u9700\u8981\u5904\u7406\u65e5\u5fd7\u8f6e\u8f6c\uff08log rotation\uff09\u4ee5\u907f\u514d\u6570\u636e\u4e22\u5931<\/p>\n<\/blockquote>\n\n\n\n
\u7f3a\u70b9\uff1a\u6570\u636e\u91cf\u5e9e\u5927\uff0c\u9700\u8981\u538b\u7f29\u4f20\u8f93\u548c\u8fc7\u6ee4\u65e0\u5173\u65e5\u5fd7\u3002Python\u4e2d\uff0c\u53ef\u4ee5\u5229\u7528logging\u6a21\u5757<\/mark>\u6216pywin32<\/mark>\u5904\u7406Windows\u65e5\u5fd7<\/p>\n\n\n\n
2\u3001\u6570\u636e\u6807\u51c6\u5316\u4e0e\u89e3\u6790\u5c42<\/h3>\n\n\n\n
- \n
- \u628a\u4e0d\u540c\u683c\u5f0f\u7684\u539f\u59cb\u65e5\u5fd7\u8f6c\u5316\u4e3a\u7edf\u4e00\u7684\u7ed3\u6784\uff0c\u4fbf\u4e8e\u540e\u7eed\u89e3\u6790<\/li>\n\n\n\n
- \u63d0\u53d6\u5173\u952e\u5b57\u6bb5\uff0c\u5982\u65f6\u95f4\u6233\u3001IP\u5730\u5740\u3001\u7528\u6237ID\u3001\u4e8b\u4ef6\u7c7b\u578b\u7b49<\/li>\n\n\n\n
- \u8fc7\u6ee4\u566a\u58f0\u65e5\u5fd7\uff0c\u8fdb\u884c\u6570\u636e\u6e05\u6d17\uff0c\u9632\u6b62\u7cfb\u7edf\u8fc7\u8f7d<\/li>\n<\/ul>\n\n\n\n
\u673a\u5236<\/h4>\n\n\n\n
\u7531\u4e8e\u65e5\u5fd7\u683c\u5f0f\u591a\u6837\u5316\uff08.json\u3001CEF\u3001Syslog\uff09\uff0c\u89e3\u6790\u7528\u6b63\u5219\u6216\u89e3\u6790\u5668\u3002\u63d0\u53d6\u5b57\u6bb5\u540e\uff0c\u6dfb\u52a0\u5143\u6570\u636e\uff08\u5982\u4e8b\u4ef6ID\u3001\u4e25\u91cd\u5ea6\u3001\u9891\u7387\uff09<\/p>\n\n\n\n
\n
\u8fd9\u4e00\u5c42\u548c\u5206\u6790\u5173\u8054\u5c42<\/strong>\u9ad8\u5ea6\u7ed1\u5b9a\uff0c\u540c\u65f6\u4f1a\u7275\u626f\u5230\u4e00\u4e2a\u5371\u9669\u5ea6\u9ad8\u7684\u6f5c\u5728\u653b\u51fb\u2014\u2014APT<\/p>\n\n\n\n
\u6ca1\u6709\u7ecf\u8fc7\u6807\u51c6\u5316\u7684\u65e5\u5fd7\u65e0\u6cd5\u5173\u8054\uff0c\u9ad8\u9891\u7684\u4e8b\u4ef6\u62a5\u544a\u53ef\u4ee5\u548cAPT\u5173\u8054\u8d77\u6765\uff0c\u9632\u6b62\u540e\u7eedAPT\u6e17\u900f\u5185\u7f51\u9020\u6210\u4e25\u91cd\u8d22\u4ea7\u635f\u5931<\/p>\n<\/blockquote>\n\n\n\n
Python\u5b9e\u73b0\uff1a\u7528re<\/mark>\u6216grok-py<\/mark>\u5e93\u89e3\u6790\uff0c\u7edf\u4e00schema\u5982\uff08\u201ctimestamp\u201d\uff1a\u201c\u2026\u201d\uff1b\u201cevent_type\u201d:”\u2026\u201d\uff1b\uff09\uff0c\u65b9\u4fbf\u56e2\u961f\u67e5\u770b\u548c\u8fa8\u8ba4<\/p>\n\n\n\n
3\u3001\u5b58\u50a8\u4e0e\u7d22\u5f15\u5c42<\/h3>\n\n\n\n
- \n
- \u4f7f\u7528\u6570\u636e\u5e93\u5b58\u50a8\u65e5\u5fd7\u6570\u636e\uff0c\u652f\u6301\u5feb\u901f\u67e5\u8be2\u548c\u5f52\u6863<\/li>\n\n\n\n
- \u6570\u636e\u53ef\u4ee5\u6309\u7167\u65f6\u95f4\u5e8f\u5217\u5b58\u50a8\uff0c\u5e76\u6dfb\u52a0\u7d22\u5f15\u65b9\u4fbf\u5feb\u901f\u68c0\u7d22<\/li>\n<\/ul>\n\n\n\n
4\u3001\u5206\u6790\u4e0e\u5173\u8054\u5c42\u2014\u2014\u6838\u5fc3\u5f15\u64ce<\/h3>\n\n\n\n
- \n
- \u53ef\u4ee5\u63a5\u5165\u5927\u6a21\u578b\uff0c\u5229\u7528\u89c4\u5219\u5f15\u64ce\u3001\u8fdb\u884c\u673a\u5668\u5b66\u4e60\u6216\u884c\u4e3a\u5206\u6790\u68c0\u6d4b\u5f02\u5e38<\/li>\n\n\n\n
- \u89c4\u5219\u5173\u8054\uff1a\u5c06\u591a\u6b21\u767b\u5f55\u5931\u8d25\u548c\u5f02\u5e38IP\u8bbf\u95ee\u5173\u8054\u8d77\u6765\uff0c\u5224\u5b9a\u4e3a\u66b4\u529b\u7834\u89e3<\/li>\n\n\n\n
- \u4e8b\u5b9e\u5206\u6790\uff1a\u8bbe\u7f6e\u76d1\u63a7\u9608\u503c\uff0c\u77ed\u65f6\u95f4\u5185\u767b\u5f55\u5931\u8d25\u8fde\u7eed\u8d85\u8fc7\u4e94\u6b21\u81ea\u52a8\u53d1\u9001\u8b66\u62a5<\/li>\n\n\n\n
- \u9ad8\u7ea7SIEM\u96c6\u6210UEBA\uff08User and Entity Behavior Analytics\uff0c\u7528\u6237\u548c\u5b9e\u4f53\u884c\u4e3a\u5206\u6790\uff09\u6765\u68c0\u6d4b\u5f02\u5e38\u6a21\u5f0f<\/li>\n<\/ul>\n\n\n\n
\u89c4\u5219\u5f15\u64ce<\/h4>\n\n\n\n
\u7b80\u5355\u89c4\u5219\u7528if-then\uff1b\u590d\u6742\u7528CEP\uff08Complex Event Processing\uff09\u5982Esper<\/strong><\/summary>\n
CEP\uff08Complex Event Processing\uff09<\/p>\n\n\n\n
\u6982\u5ff5<\/strong> <\/p>\n\n\n\n
Complex Event Processing\uff08\u590d\u6742\u4e8b\u4ef6\u5904\u7406\uff09\u662f\u4e00\u79cd\u5b9e\u65f6\u5904\u7406\u6280\u672f\uff0c\u5b83\u4ece\u591a\u4e2a\u4e8b\u4ef6\u6d41\uff08event streams\uff09\u4e2d\u68c0\u6d4b\u590d\u6742\u6a21\u5f0f<\/strong>\u3001\u65f6\u95f4\u76f8\u5173\u6027<\/strong>\u3001\u56e0\u679c\u5173\u7cfb<\/strong>\u6216\u8d8b\u52bf<\/strong>\uff0c\u800c\u4e0d\u662f\u53ea\u770b\u5355\u4e2a\u4e8b\u4ef6\u3002 \u5b83\u5173\u6ce8\u201c\u4e8b\u4ef6\u7684\u7ec4\u5408\u4e0e\u65f6\u5e8f\u201d\uff0c\u80fd\u8bc6\u522b\u51fa\u7b80\u5355\u89c4\u5219\u5f15\u64ce\u65e0\u6cd5\u53d1\u73b0\u7684\u9ad8\u9636\u5a01\u80c1<\/p>\n\n\n\n
\u5178\u578b\u4ee3\u8868\u5de5\u5177<\/strong>\uff1aEsper\uff08\u5f00\u6e90 Java CEP \u5f15\u64ce\uff09\u3001Apache Flink CEP\u3001Drools Fusion\u3001IBM Operational Decision Manager \u7b49<\/p>\n\n\n\n
\u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n
- \n
- \u5b9e\u65f6\u4ea7\u751f\u201c\u590d\u6742\u4e8b\u4ef6\u201d\uff08synthesized event\uff09\uff0c\u7528\u4e8e\u89e6\u53d1\u9ad8\u7ea7\u544a\u8b66<\/li>\n\n\n\n
- \u68c0\u6d4b\u591a\u4e8b\u4ef6\u5173\u8054\u7684\u590d\u6742\u573a\u666f\uff08\u4f8b\u5982\uff1a5 \u5206\u949f\u5185 3 \u6b21\u5931\u8d25\u767b\u5f55 + \u6765\u81ea\u540c\u4e00 IP \u7684\u7aef\u53e3\u626b\u63cf + \u5f02\u5e38\u6587\u4ef6\u8bbf\u95ee\uff09<\/li>\n\n\n\n
- \u652f\u6301\u65f6\u95f4\u7a97\u53e3\uff08sliding window\u3001tumbling window\uff09\u3001\u5e8f\u5217\u6a21\u5f0f\uff08A \u540e\u8ddf B \u4f46\u4e0d\u8ddf C\uff09\u3001\u805a\u5408\uff08\u5e73\u5747\u3001\u6700\u5927\u3001\u6700\u5c0f\uff09\u3001\u5426\u5b9a\u6a21\u5f0f\uff08\u67d0\u6bb5\u65f6\u95f4\u5185\u6ca1\u6709\u53d1\u751f\u67d0\u4e8b\u4ef6\uff09<\/li>\n<\/ul>\n\n\n\n
\u793a\u4f8b\u573a\u666f <\/strong><\/p>\n\n\n\n
\u7528\u6237 A \u6b63\u5e38\u5de5\u4f5c\u65f6\u95f4\u4ece\u4e1c\u4eac\u767b\u5f55\uff0c\u7a81\u7136\u5728\u51cc\u6668\u4ece\u4fc4\u7f57\u65af IP \u767b\u5f55\uff0c\u4e14 2 \u5206\u949f\u5185\u5c1d\u8bd5\u8bbf\u95ee 10 \u4e2a\u654f\u611f\u670d\u52a1\u5668 \u2192 CEP \u53ef\u4ee5\u7528\u4e00\u6761 EPL\uff08Event Processing Language\uff09\u8bed\u53e5\u68c0\u6d4b\u8fd9\u79cd\u8de8\u65f6\u95f4\u3001\u8de8\u6765\u6e90\u7684\u6a21\u5f0f<\/p>\n<\/details>\n\n\n\n
\u5173\u8054\u793a\u4f8b\uff1a192.168.xxx.xxx\u5728\u4e94\u5206\u949f\u5185\u767b\u5f55\u5931\u8d25\u8d85\u8fc710\u6b21+\u7aef\u53e3\u626b\u63cf=\u9ad8\u5371\u544a\u8b66<\/p>\n\n\n\n
ML\u96c6\u6210<\/h4>\n\n\n\n
\u7528 UEBA \u68c0\u6d4b\u5f02\u5e38\uff08\u5982\u7528\u6237\u5e73\u65f6\u4ece US \u767b\u5f55\uff0c\u7a81\u7136\u4ece RU\uff0c\u9700\u57fa\u7ebf\u6a21\u578b\uff09<\/strong><\/summary>\n
\u6982\u5ff5<\/strong> UEBA = User and Entity Behavior Analytics<\/strong>\uff08\u7528\u6237\u4e0e\u5b9e\u4f53\u884c\u4e3a\u5206\u6790\uff09\u3002 \u5b83\u5229\u7528\u673a\u5668\u5b66\u4e60<\/strong>\uff08\u800c\u975e\u56fa\u5b9a\u89c4\u5219\uff09\u4e3a\u6bcf\u4e2a\u7528\u6237\u3001\u4e3b\u673a\u3001IP\u3001\u5e94\u7528\u7b49\u5b9e\u4f53\u5efa\u7acb\u52a8\u6001\u884c\u4e3a\u57fa\u7ebf<\/strong>\uff08baseline\uff09\uff0c\u7136\u540e\u6301\u7eed\u76d1\u63a7\u5f53\u524d\u884c\u4e3a\u4e0e\u57fa\u7ebf\u7684\u504f\u79bb\u7a0b\u5ea6\uff0c\u68c0\u6d4b\u5f02\u5e38<\/p>\n\n\n\n
\u6838\u5fc3\u673a\u5236<\/strong><\/p>\n\n\n\n
- \n
- \u5b66\u4e60\u9636\u6bb5<\/strong>\uff1a\u6536\u96c6\u5386\u53f2\u6570\u636e\uff08\u767b\u5f55\u65f6\u95f4\u3001\u5730\u70b9\u3001\u8bbf\u95ee\u8d44\u6e90\u3001\u64cd\u4f5c\u9891\u7387\u7b49\uff09\uff0c\u7528 ML\uff08\u5982\u805a\u7c7b\u3001Isolation Forest\u3001Autoencoder\u3001\u7edf\u8ba1\u6a21\u578b\uff09\u6784\u5efa\u201c\u6b63\u5e38\u201d\u753b\u50cf<\/li>\n\n\n\n
- \u68c0\u6d4b\u9636\u6bb5<\/strong>\uff1a\u5b9e\u65f6\u6253\u5206\uff08risk score\uff09\uff0c\u504f\u79bb\u57fa\u7ebf\u8d8a\u8fdc\u5206\u6570\u8d8a\u9ad8<\/li>\n\n\n\n
- \u52a8\u6001\u66f4\u65b0<\/strong>\uff1a\u57fa\u7ebf\u4f1a\u968f\u65f6\u95f4\u7f13\u6162\u6f14\u5316\uff08\u4f8b\u5982\u7528\u6237\u6362\u4e86\u5de5\u4f5c\u5730\u70b9\uff09<\/li>\n<\/ol>\n\n\n\n
\u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n
- \n
- \u53d1\u73b0\u672a\u77e5\u5a01\u80c1<\/strong>\uff08zero-day\u3001\u6162\u901f APT\u3001\u4f4e\u901f\u6570\u636e\u7a83\u53d6\u3001\u5185\u90e8\u5a01\u80c1\uff09<\/li>\n\n\n\n
- \u5f25\u8865\u89c4\u5219-based \u68c0\u6d4b\u7684\u76f2\u533a\uff08\u89c4\u5219\u5199\u4e0d\u5168\u6240\u6709\u53ef\u80fd\u653b\u51fb\uff09<\/li>\n\n\n\n
- \u5178\u578b\u5f02\u5e38\u793a\u4f8b\uff1a\n
- \n
- \u7528\u6237\u5e73\u65f6\u53ea\u5728\u7f8e\u56fd\u5de5\u4f5c\u65f6\u95f4\u4ece\u516c\u53f8 VPN \u767b\u5f55\uff0c\u7a81\u7136\u4ece\u4fc4\u7f57\u65af IP \u51cc\u6668\u767b\u5f55<\/li>\n\n\n\n
- \u8d22\u52a1\u4eba\u5458\u7a81\u7136\u5927\u91cf\u4e0b\u8f7d HR \u76ee\u5f55\u6587\u4ef6<\/li>\n\n\n\n
- \u670d\u52a1\u5668\u5e73\u65f6\u53ea\u8dd1 Web \u670d\u52a1\uff0c\u7a81\u7136\u542f\u52a8\u6316\u77ff\u8fdb\u7a0b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
\u5b9e\u4f8b<\/strong><\/p>\n\n\n\n
\u7528\u6237\u5e73\u65f6 9:00\u201318:00 \u4ece\u4e1c\u4eac IP \u767b\u5f55\u516c\u53f8\u90ae\u7bb1\uff0c\u7a81\u7136 03:00 \u4ece\u4fc4\u7f57\u65af IP \u767b\u5f55 \u2192 UEBA \u4f1a\u7ed9\u8be5\u884c\u4e3a\u6253\u9ad8\u98ce\u9669\u5206\uff0c\u751f\u6210\u5f02\u5e38\u4e8b\u4ef6\uff0c\u4f9b\u7b2c 5 \u5c42\u544a\u8b66\u3002<\/p>\n<\/details>\n\n\n\n
5\u3001\u544a\u8b66\u4e0e\u54cd\u5e94\u5c42<\/h3>\n\n\n\n
- \n
- \u751f\u6210\u544a\u8b66\u901a\u77e5\uff0c\u4f8b\u5982\u53d1\u9001\u90ae\u4ef6\u3001SMS\u3001\u540e\u53f0\u7968\u52a1\u7cfb\u7edf<\/li>\n\n\n\n
- \u652f\u6301\u81ea\u52a8\u5316\u54cd\u5e94\uff0c\u4f8b\u5982\u5c01\u7981IP\u6216\u811a\u672c\u5229\u7528<\/li>\n\n\n\n
- \u63d0\u4f9b\u53ef\u89c6\u5316\u754c\u9762\u62a5\u544a\u2014\u2014\u8fde\u63a5\u4eea\u8868\u76d8\uff0c\u5c55\u793a\u4e8b\u4ef6\u3001\u5386\u53f2\u8d8b\u52bf\u5e76\u5408\u6210\u76f8\u5173\u62a5\u544a<\/li>\n<\/ul>\n\n\n\n
\u673a\u5236<\/h4>\n\n\n\n
\u544a\u8b66\u5206\u7ea7\uff08\u9ad8\u5371\/\u4e2d\u5371\/\u4f4e\u5371\/\u65e0\u98ce\u9669\uff09\uff0c\u96c6\u6210SOAR\u81ea\u52a8\u5316\u54cd\u5e94<\/strong><\/summary>\n
\u6982\u5ff5<\/strong> SOAR = Security Orchestration, Automation and Response<\/strong>\uff08\u5b89\u5168\u7f16\u6392\u3001\u81ea\u52a8\u5316\u4e0e\u54cd\u5e94\uff09\u3002 \u5b83\u662f\u4e00\u4e2a\u6d41\u7a0b\u81ea\u52a8\u5316\u5e73\u53f0<\/strong>\uff0c\u628a\u5b89\u5168\u5de5\u5177\uff08SIEM\u3001EDR\u3001\u9632\u706b\u5899\u3001\u7968\u52a1\u7cfb\u7edf\u3001\u90ae\u4ef6\u7b49\uff09\u4e32\u8054\u8d77\u6765\uff0c\u901a\u8fc7\u9884\u5b9a\u4e49\u7684playbook<\/strong>\uff08\u5267\u672c\uff09\u81ea\u52a8\u6216\u534a\u81ea\u52a8\u6267\u884c\u54cd\u5e94\u52a8\u4f5c<\/p>\n\n\n\n
\u5178\u578b\u4ee3\u8868\u5de5\u5177<\/strong><\/p>\n\n\n\n
- \n
- \u5f00\u6e90\uff1aTheHive + Cortex\uff08\u5206\u6790\u5668\uff09\u3001Shuffle\u3001Demisto\uff08\u73b0 Palo Alto XSOAR \u7684\u524d\u8eab\u5f00\u6e90\u90e8\u5206\uff09<\/li>\n\n\n\n
- \u5546\u7528\uff1aSplunk SOAR\u3001Swimlane\u3001IBM Resilient\u3001ServiceNow SecOps \u7b49<\/li>\n<\/ul>\n\n\n\n
\u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n
- \n
- Response<\/strong>\uff1a\u63d0\u4f9b\u6807\u51c6\u5316\u7684\u54cd\u5e94\u6d41\u7a0b\uff0c\u51cf\u5c11\u4eba\u4e3a\u9519\u8bef\uff0c\u63d0\u9ad8\u54cd\u5e94\u901f\u5ea6<\/li>\n\n\n\n
- Orchestration<\/strong>\uff1a\u628a\u5206\u6563\u5de5\u5177\u8fde\u6210\u5de5\u4f5c\u6d41<\/li>\n\n\n\n
- Automation<\/strong>\uff1a\u81ea\u52a8\u6267\u884c\u91cd\u590d\u3001\u4f4e\u4ef7\u503c\u52a8\u4f5c\uff08\u67e5 VirusTotal\u3001\u5c01 IP\u3001\u521b\u5efa Jira ticket\u3001\u9694\u79bb\u4e3b\u673a\uff09<\/li>\n<\/ul>\n\n\n\n
\u793a\u4f8b\u573a\u666f<\/strong>\uff08TheHive \u96c6\u6210\uff09 SIEM \u68c0\u6d4b\u5230\u66b4\u529b\u7834\u89e3 \u2192 \u81ea\u52a8\u89e6\u53d1 Shuffle\/TheHive playbook\uff1a<\/p>\n\n\n\n
- \n
- \u901a\u77e5 Slack\/\u90ae\u4ef6 + \u521b\u5efa\u5de5\u5355<\/li>\n\n\n\n
- \u67e5 AbuseIPDB \/ VirusTotal \u8bc4\u5206<\/li>\n\n\n\n
- \u5982\u679c\u5206\u6570\u9ad8 \u2192 \u81ea\u52a8\u521b\u5efa TheHive Case<\/li>\n\n\n\n
- \u81ea\u52a8\u8c03\u7528 Cortex Analyzer \u5206\u6790 IP<\/li>\n\n\n\n
- \u81ea\u52a8\u901a\u8fc7 API \u8ba9\u9632\u706b\u5899\u5c01\u7981 IP<\/li>\n<\/ol>\n<\/details>\n\n\n\n
\u96c6\u6210<\/h4>\n\n\n\n
Python\u53ef\u8c03\u7528\u5916\u90e8API\uff08Slack for\u901a\u77e5\u3001iptables for\u5c01\u7981\uff09<\/p>\n\n\n\n
6\u3001\u7ba1\u7406\u4e0e\u5408\u89c4\u5c42<\/h3>\n\n\n\n
- \n
- \u914d\u7f6e\u89c4\u5219\u3001\u7528\u6237\u8bbf\u95ee\u63a7\u5236\u3001\u5ba1\u8ba1\u65e5\u5fd7<\/li>\n\n\n\n
- \u786e\u4fdd\u7b26\u5408\u6cd5\u89c4\uff0c\u6cd5\u89c4\u5305\u62ec\u4e14\u4e0d\u9650\u4e8eGDPR\u3001HIPAA<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\u5de5\u4f5c\u673a\u5236<\/h2>\n\n\n\n
SIEM\u91c7\u7528\u95ed\u73af\u6d41\u7a0b\u7684\u5de5\u4f5c\u673a\u5236\uff1a<\/p>\n\n\n\n
- \n
- \u91c7\u96c6\u4e0e\u4f20\u8f93\uff1a\u6570\u636e\u6e90\u751f\u6210\u65e5\u5fd7\uff0c\u91c7\u96c6\u5668\u63a8\u9001\u6216\u62c9\u53d6\u6570\u636e\u5230\u4e2d\u592e\u670d\u52a1\u5668<\/li>\n\n\n\n
- \u5904\u7406\u4e0e\u5206\u6790\uff1a\u65e5\u5fd7\u8fdb\u5165\u7ba1\u9053\uff0c\u7ecf\u8fc7\u5206\u6790\u3001\u6807\u51c6\u5316\u540e\u8fdb\u5165\u89c4\u5219\u5f15\u64ce\n
- \n
- \u89e6\u53d1\u89c4\u5219\u5339\u914d\u65f6\u95f4\u4f1a\u8bc6\u522b\u4e8b\u4ef6<\/li>\n\n\n\n
- \u89e6\u53d1\u76f8\u5173\u8054\u4e8b\u4ef6\u4f1a\u63d0\u5347\u4f18\u5148\u7ea7<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u68c0\u6d4b\u5f02\u5e38\uff1a\u9488\u5bf9\u5f02\u5e38\u767b\u5f55\uff0c\u673a\u5236\u5305\u62ec\uff1a\n
- \n
- \u9608\u503c\u68c0\u6d4b\uff1a1\u5206\u949f\u51853\u6b21\u767b\u5f55\u5931\u8d25<\/li>\n\n\n\n
- \u5730\u7406\u4f4d\u7f6e\u68c0\u67e5\uff1a\u767b\u5f55IP\u4e0d\u5339\u914d\u5386\u53f2\u4f4d\u7f6e<\/li>\n\n\n\n
- \u884c\u4e3a\u57fa\u7ebf\uff1a\u63a5\u5165\u5927\u6a21\u578b\u5b66\u4e60\u5386\u53f2\u6d4f\u89c8\u884c\u4e3a\uff0c\u6bd4\u5bf9\u5f53\u524d\u884c\u4e3a\u548c\u5386\u53f2\u884c\u4e3a\u5dee\u5f02<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u544a\u8b66\u751f\u6210\uff1a\u4e00\u65e6\u68c0\u6d4b\u5230\u5a01\u80c1\uff0c\u751f\u6210\u4e8b\u4ef6\u7968\u636e\uff08Ticket\uff09\uff0c\u901a\u77e5\u5b89\u5168\u56e2\u961f\u3002\u4e25\u91cd\u4e8b\u4ef6\u53ef\u89e6\u53d1SOAR\uff08Security Orchestration, Automation and Response\uff09\u81ea\u52a8\u5316\u54cd\u5e94\u3002<\/li>\n\n\n\n
- \u56de\u987e\u548c\u4f18\u5316\uff1a\u901a\u8fc7forensic\u5206\u6790\u5386\u53f2\u6570\u636e\uff0c\u4f18\u5316\u68c0\u6d4b\uff0c\u51cf\u5c11\u8bef\u62a5\uff08False Positives\uff09<\/li>\n<\/ol>\n\n\n\n
graph TB\nA((\u91c7\u96c6\u4e0e\u4f20\u8f93))\nB[\u5904\u7406\u4e0e\u5206\u6790]\nC[\u68c0\u6d4b\u5f02\u5e38]\nD[\u544a\u8b66\u751f\u6210]\nE((\u56de\u987e\u548c\u4f18\u5316))\nA--\u63a8\u9001\u5230\u670d\u52a1\u5668-->B\nB--\u65e5\u5fd7\u8fdb\u5165\u7ba1\u9053-->C\nC--\u89c4\u5219\u5339\u914d\u3001\u9608\u503c\u68c0\u6d4b\u3001\u884c\u4e3a\u5339\u914d-->D\nD--\u751f\u6210\u7968\u636e\uff0c\u544a\u77e5\u56e2\u961f-->E\nE--\u6a21\u578b\u5b66\u4e60\u3001\u5206\u6790\u5386\u53f2-->A<\/pre><\/div>\n\n\n\n
\n\n\n\nPython\u6a21\u5757\u793a\u4f8b<\/h2>\n\n\n\n
\u73b0\u5047\u8bbe\u9700\u8981\u5f00\u53d1\u4e00\u4e2a\u6a21\u5757\u6765\u76d1\u63a7Linux\u7cfb\u7edf\u4e0b\u7684
\/var\/log\/auth.log<\/code><\/strong><\/mark>\u6587\u4ef6\uff0c\u5b9e\u65f6\u91c7\u96c6\u65e5\u5fd7\uff0c\u68c0\u6d4b\u5f02\u5e38\u767b\u5f55\uff0c\u5e76\u901a\u8fc7\u90ae\u4ef6\u53d1\u9001\u544a\u8b66<\/p>\n\n\n\n\u8fd9\u4e2a\u5b9e\u4f8b\u4f7f\u7528Python\u6807\u51c6\u5e93\u548c\u5c11\u91cf\u5185\u7f6e\u6a21\u5757\uff08\u5982re<\/strong><\/mark>\u7528\u4e8e\u89e3\u6790\u3001smtplib<\/strong><\/mark>\u7528\u4e8e\u90ae\u4ef6\uff09\u91c7\u7528\u6587\u4ef6\u5c3e\u968f\uff08tailing\uff09\u673a\u5236\u6a21\u62df\u5b9e\u65f6\u91c7\u96c6\uff08\u7c7b\u4f3clinux\u7684tail -f\u547d\u4ee4\uff09\uff0c\u907f\u514d\u4f9d\u8d56\u5916\u90e8\u5e93<\/p>\n\n\n\n
\u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n\n\n\n
import re\nimport time\nimport smtplib\nfrom email.mime.text import MIMEText # \u7528\u4e8e\u6784\u5efa\u90ae\u4ef6\u5185\u5bb9\nfrom collections import defaultdict # \u7528\u4e8e\u5b58\u50a8\u767b\u5f55\u5931\u8d25\u7684\u65f6\u95f4\u6233\u5217\u8868\nfrom datetime import datetime, timedelta # \u7528\u4e8e\u5904\u7406\u65f6\u95f4\u7a97\u53e3\n\n# \u914d\u7f6e\u53c2\u6570\nLOG_FILE = '\/var\/log\/auth.log' # \u66ff\u6362\u4e3a\u5b9e\u9645\u65e5\u5fd7\u8def\u5f84\uff08\u9700\u8bfb\u6743\u9650\uff09\nALERT_THRESHOLD = 3 # \u5931\u8d25\u767b\u5f55\u9608\u503c\nTIME_WINDOW = timedelta(minutes=1) # \u65f6\u95f4\u7a97\u53e3\nSMTP_SERVER = 'smtp.example.com' # \u66ff\u6362\u4e3a\u4f60\u7684 SMTP \u670d\u52a1\u5668\nSMTP_PORT = 587 # \u66ff\u6362\u4e3a\u4f60\u7684 SMTP \u7aef\u53e3\nSENDER_EMAIL = 'alert@example.com' # \u66ff\u6362\u4e3a\u4f60\u7684\u53d1\u9001\u90ae\u7bb1\nSENDER_PASSWORD = 'your_password' # \u66ff\u6362\u4e3a\u4f60\u7684\u53d1\u9001\u90ae\u7bb1\u5bc6\u7801\nRECIPIENT_EMAIL = 'admin@example.com' # \u66ff\u6362\u4e3a\u4f60\u7684\u63a5\u6536\u90ae\u7bb1\n\n# \u6b63\u5219\u8868\u8fbe\u5f0f\u89e3\u6790 sshd \u767b\u5f55\u65e5\u5fd7\uff08\u793a\u4f8b\uff1aFailed password for user from IP\uff09\nFAILED_LOGIN_PATTERN = re.compile(r'Failed password for (\\w+) from ([\\d.]+) port \\d+ ssh2')\nSUCCESS_LOGIN_PATTERN = re.compile(r'Accepted password for (\\w+) from ([\\d.]+) port \\d+ ssh2')\n\nclass LoginTracker: # \u8ffd\u8e2a\u767b\u5f55\u5931\u8d25\u7684\u7c7b\n def __init__(self):\n self.failures = defaultdict(list) # IP -> list of failure timestamps\n\n def process_log_line(self, line):\n failed_match = FAILED_LOGIN_PATTERN.search(line)\n if failed_match: # \u5982\u679c\u5339\u914d\u5230\u5931\u8d25\u767b\u5f55\n user, ip = failed_match.groups()\n now = datetime.now() # \u5f53\u524d\u65f6\u95f4\n self.failures[ip].append(now) # \u8bb0\u5f55\u5931\u8d25\u65f6\u95f4\n # \u6e05\u7406\u8fc7\u671f\u8bb0\u5f55\n self.failures[ip] = [t for t in self.failures[ip] if now - t < TIME_WINDOW] # \u4fdd\u7559\u65f6\u95f4\u7a97\u53e3\u5185\u7684\u8bb0\u5f55\n # \u68c0\u67e5\u9608\u503c\n if len(self.failures[ip]) >= ALERT_THRESHOLD:\n self.send_alert(ip, user, len(self.failures[ip]))\n self.failures[ip] = [] # \u91cd\u7f6e\u8ba1\u6570\u4ee5\u907f\u514d\u91cd\u590d\u544a\u8b66\n\n success_match = SUCCESS_LOGIN_PATTERN.search(line)\n if success_match:\n user, ip = success_match.groups()\n print(f\"Successful login: User {user} from {ip}\")\n\n def send_alert(self, ip, user, count): # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6\n msg = MIMEText(f\"Abnormal login detected: {count} failed attempts for user {user} from IP {ip}\") # \u90ae\u4ef6\u5185\u5bb9\n msg['Subject'] = 'Security Alert: Abnormal Login'\n msg['From'] = SENDER_EMAIL # \u90ae\u4ef6\u53d1\u9001\u8005\n msg['To'] = RECIPIENT_EMAIL # \u90ae\u4ef6\u63a5\u6536\u8005\n\n try: # \u8fde\u63a5 SMTP \u670d\u52a1\u5668\u5e76\u53d1\u9001\u90ae\u4ef6\n server = smtplib.SMTP(SMTP_SERVER, SMTP_PORT) # \u8fde\u63a5 SMTP \u670d\u52a1\u5668\n server.starttls() # \u542f\u7528 TLS\n server.login(SENDER_EMAIL, SENDER_PASSWORD) # \u767b\u5f55 SMTP \u670d\u52a1\u5668\n server.sendmail(SENDER_EMAIL, RECIPIENT_EMAIL, msg.as_string())\n server.quit()\n print(\"Alert sent successfully\") \n except Exception as e:\n print(f\"Failed to send alert: {e}\")\n\ndef tail_log_file(file_path): # \u5b9e\u65f6\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\n with open(file_path, 'r') as f:\n # \u79fb\u52a8\u5230\u6587\u4ef6\u672b\u5c3e\n f.seek(0, 2) \n while True:\n line = f.readline()\n if not line:\n time.sleep(0.1) # \u8f6e\u8be2\u95f4\u9694\n continue\n yield line.strip() # \u8fd4\u56de\u65b0\u884c\n\n# \u4e3b\u51fd\u6570\nif __name__ == '__main__':\n tracker = LoginTracker()\n print(\"Starting log monitoring...\")\n for line in tail_log_file(LOG_FILE): # \u5904\u7406\u6bcf\u4e00\u884c\u65e5\u5fd7\n tracker.process_log_line(line) # \u89e3\u6790\u65e5\u5fd7\u884c\u5e76\u66f4\u65b0\u767b\u5f55\u72b6\u6001<\/code><\/pre>\n\n\n\n
\n\n\n\nPython\u4ee3\u7801\u7247\u6bb5\u793a\u4f8b<\/h2>\n\n\n\n
SIEM\u7684\u6838\u5fc3\u67b6\u6784\u901a\u5e38\u88ab\u63cf\u8ff0\u4e3a\u5206\u5c42\u7ba1\u9053\uff08pipeline\uff09\u5f0f\u7ed3\u6784\uff0c\u4ece\u903b\u8f91\u4e0a\u770b\uff0c\u516d\u5c42\u67b6\u6784\u6bcf\u5c42\u5b9e\u73b0\u7684\u6a21\u5757\u5206\u522b\u72ec\u7acb\u8fd0\u884c\u540e\u4ea4\u7ed9\u4e0b\u4e00\u5c42\uff0c\u7ecf\u8fc7\u95ed\u73af\u6d41\u7a0b\u5b9e\u73b0\u8bb0\u5f55\u3001\u7edf\u4e00\u3001\u5b58\u50a8\u3001\u5206\u6790\u3001\u54cd\u5e94\u3001\u4f18\u5316\u3002\u4f46\u4ece\u5b9e\u9645\u7cfb\u7edf\u8fd0\u884c\u4e2d\uff0c\u8fd9\u4e9b\u5c42\u90fd\u662f\u9ad8\u5ea6\u5e76\u884c\u3001\u5f02\u6b65\u3001\u6d41\u5f0f\u5904\u7406\uff0c\u5373\u540c\u4e00\u65f6\u523b\u6210\u5343\u4e0a\u4e07\u5404\u4e8b\u4ef6\u5728\u4e0d\u540c\u5c42\u3001\u4e0d\u540c\u8282\u70b9\u540c\u65f6\u88ab\u5904\u7406\u3002\u4e0b\u9762\u5c06\u9488\u5bf9\u5404\u5c42\u5355\u72ec\u7528\u4ee3\u7801\u4e3e\u4f8b\u89e3\u91ca\uff1a<\/p>\n\n\n\n
\u6570\u636e\u91c7\u96c6\u5c42\uff08Data Collection \/ Ingestion\uff09<\/h3>\n\n\n\n
\u8d1f\u8d23\u4ece\u5404\u79cd\u6e90\u5934\u5b9e\u65f6\/\u6279\u91cf\u62c9\u53d6\u6216\u63a5\u6536\u65e5\u5fd7\uff0c\u5178\u578b\u7684\u5b9e\u73b0\u65b9\u5f0f<\/strong>\u6709\uff1a<\/p>\n\n\n\n
\u6587\u4ef6tail\u3001Syslog UDP\/TCP\u63a5\u6536\u3001Beats\/Filebeat\u3001API polling\u7b49<\/p>\n\n\n\n
Python\u793a\u4f8b<\/strong>\uff08\u6587\u4ef6tail+\u7b80\u5355Syslog UDP\u670d\u52a1\u5668\uff09<\/span><\/i><\/div># collector.py - \u91c7\u96c6\u5c42\u793a\u4f8b
import socket
import threading
from pathlib import Path
import time
def tail_file(log_path: str, callback): # \u5b9a\u4e49\u4e00\u4e2a\u51fd\u6570\u6765\u6a21\u62df tail -f \u529f\u80fd\uff0c\u5b9e\u65f6\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u65b0\u884c
\"\"\"\u6a21\u62df tail -f\"\"\"
path = Path(log_path)
last_size = path.stat().st_size # \u83b7\u53d6\u6587\u4ef6\u521d\u59cb\u5927\u5c0f\uff0c\u4ee5\u4fbf\u540e\u7eed\u8bfb\u53d6\u65b0\u589e\u5185\u5bb9
while True:
time.sleep(0.2)
current_size = path.stat().st_size # \u83b7\u53d6\u5f53\u524d\u6587\u4ef6\u5927\u5c0f\uff0c\u5982\u679c\u6709\u65b0\u589e\u5185\u5bb9\uff0c\u5219\u8bfb\u53d6\u65b0\u589e\u90e8\u5206\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406
if current_size > last_size: # \u5982\u679c\u6587\u4ef6\u6709\u65b0\u589e\u5185\u5bb9\uff0c\u5219\u8bfb\u53d6\u65b0\u589e\u90e8\u5206\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406
with open(path, 'r') as f:
f.seek(last_size) # \u79fb\u52a8\u6587\u4ef6\u6307\u9488\u5230\u4e0a\u6b21\u8bfb\u53d6\u7684\u4f4d\u7f6e
new_lines = f.readlines()
for line in new_lines: # \u5904\u7406\u6bcf\u4e00\u884c\u65b0\u589e\u65e5\u5fd7\uff0c\u8c03\u7528\u56de\u8c03\u51fd\u6570
callback(line.strip()) # \u53bb\u9664\u884c\u672b\u7684\u6362\u884c\u7b26\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570
last_size = current_size
def start_syslog_udp_server(port=514, callback=None): # \u5b9a\u4e49\u4e00\u4e2a\u51fd\u6570\u6765\u542f\u52a8\u4e00\u4e2a\u7b80\u5355\u7684 UDP Syslog \u670d\u52a1\u5668\uff0c\u76d1\u542c\u6307\u5b9a\u7aef\u53e3\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u63a5\u6536\u5230\u7684\u65e5\u5fd7\u6d88\u606f
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # \u521b\u5efa\u4e00\u4e2a UDP \u5957\u63a5\u5b57
sock.bind(('0.0.0.0', port))
print(f\"Syslog UDP listening on :{port}\")
while True:
data, addr = sock.recvfrom(4096) # \u63a5\u6536 UDP \u6d88\u606f
line = data.decode('utf-8', errors='ignore').strip() # \u89e3\u7801\u6d88\u606f\u5e76\u53bb\u9664\u884c\u672b\u7684\u6362\u884c\u7b26
if callback:
callback(line) # \u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u63a5\u6536\u5230\u7684\u65e5\u5fd7\u6d88\u606f
# \u4f7f\u7528\u793a\u4f8b
if __name__ == \"__main__\": # \u5b9a\u4e49\u4e00\u4e2a\u7b80\u5355\u7684\u56de\u8c03\u51fd\u6570\u6765\u6253\u5370\u91c7\u96c6\u5230\u7684\u65e5\u5fd7\u884c
def print_line(line):
print(f\"[\u91c7\u96c6] {line}\")
# \u542f\u52a8\u6587\u4ef6 tail
threading.Thread(target=tail_file, args=(\"\/var\/log\/auth.log\", print_line), daemon=True).start()
# \u542f\u52a8 UDP Syslog \u63a5\u6536\uff08\u53ef\u9009\uff09
# threading.Thread(target=start_syslog_udp_server, args=(514, print_line), daemon=True).start()
while True:
time.sleep(10) # \u4e3b\u7ebf\u7a0b\u4fdd\u6301\u8fd0\u884c\uff0c\u91c7\u96c6\u7ebf\u7a0b\u5728\u540e\u53f0\u5de5\u4f5c # \u53ef\u4ee5\u6839\u636e\u9700\u8981\u6dfb\u52a0\u66f4\u591a\u7684\u91c7\u96c6\u65b9\u5f0f\uff0c\u5982 TCP Syslog\u3001API \u91c7\u96c6\u7b49<\/code><\/div><\/div>\n\n\n\n\u6570\u636e\u6807\u51c6\u5316\u4e0e\u89e3\u6790\u5c42\uff08Normalization & Parsing\uff09<\/h3>\n\n\n\n
\u628a\u539f\u59cb\u65e5\u5fd7\u8f6c\u5316\u6210\u540c\u4e00\u7ed3\u6784\uff0c\u63d0\u53d6\u5173\u952e\u5b57\u6bb5<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f\uff1a<\/strong>\u6b63\u5219\/Grok\/CEF\/JSON schema\u6620\u5c04<\/p>\n\n\n\n
Python\u5b9e\u4f8b<\/strong>\uff08\u7b80\u5355\u6b63\u5219 + CEF-like \u8f93\u51fa\uff09<\/span><\/i><\/div># parser.py
import re
import json
from datetime import datetime
# \u793a\u4f8b\uff1asshd \u5931\u8d25\u767b\u5f55\u6b63\u5219
FAIL_PATTERN = re.compile(r'Failed password for (\\S+) from ([\\d.]+) port \\d+ ssh2')
def parse_line(raw_line: str) -> dict | None: # \u89e3\u6790\u65e5\u5fd7\u884c\uff0c\u63d0\u53d6\u4e8b\u4ef6\u4fe1\u606f
ts = datetime.utcnow().isoformat() + \"Z\" # \u5b9e\u9645\u5e94\u4ece\u65e5\u5fd7\u63d0\u53d6\u65f6\u95f4
event = {
\"timestamp\": ts,
\"raw\": raw_line,
\"source\": \"auth.log\",
\"event_type\": \"unknown\"
}
m = FAIL_PATTERN.search(raw_line) # \u5339\u914d\u5931\u8d25\u767b\u5f55\u4e8b\u4ef6
if m:
user, src_ip = m.groups()
event.update({
\"event_type\": \"authentication_failure\",
\"user\": user,
\"src_ip\": src_ip,
\"severity\": \"medium\",
\"category\": \"authentication\"
})
return event
# \u53ef\u7ee7\u7eed\u6dfb\u52a0\u6210\u529f\u767b\u5f55\u3001sudo\u3001cron \u7b49\u591a\u79cd\u6a21\u5f0f...
return None # \u5ffd\u7565\u4e0d\u5173\u5fc3\u7684\u65e5\u5fd7
# \u4f7f\u7528\u793a\u4f8b
if __name__ == \"__main__\": # \u6d4b\u8bd5\u89e3\u6790\u529f\u80fd
test_lines = [
'Sep 4 10:15:23 server sshd[1234]: Failed password for invalid user admin from 192.168.1.100 port 12345 ssh2',
'Sep 4 10:16:01 server sshd[5678]: Accepted password for rain from 203.0.113.50 port 54321 ssh2'
]
for line in test_lines:
parsed = parse_line(line) # \u89e3\u6790\u65e5\u5fd7\u884c,\u8f93\u51fa\u7ed3\u679c
if parsed:
print(json.dumps(parsed, indent=2, ensure_ascii=False))<\/code><\/div><\/div>\n\n\n\n\u5b58\u50a8\u4e0e\u7d22\u5f15\u5c42\uff08Storage & Indexing\uff09<\/h3>\n\n\n\n
\u628a\u89e3\u6790\u540e\u7684\u4e8b\u4ef6\u5b58\u4e0b\u6765\uff0c\u652f\u6301\u5feb\u901f\u68c0\u7d22\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1aElasticsearch\u3001OpenSearch\u3001ClickHouse\u3001PostgreSQL + TimescaleDB\u3001SQLite\uff08\u539f\u578b\uff09\u3002<\/p>\n\n\n\n
Python \u793a\u4f8b<\/strong>\uff08\u4f7f\u7528 SQLite + \u7b80\u5355\u65f6\u95f4\u5206\u533a\u8868\uff09<\/span><\/i><\/div># storage.py
import sqlite3
import json
from parser import parse_line # \u4ece parser \u6a21\u5757\u5bfc\u5165\u89e3\u6790\u51fd\u6570
from datetime import datetime
DB_PATH = \"siem_events.db\"
def init_db(): # \u521d\u59cb\u5316\u6570\u636e\u5e93\uff0c\u521b\u5efa\u4e8b\u4ef6\u8868
conn = sqlite3.connect(DB_PATH)
conn.execute(\"\"\"
CREATE TABLE IF NOT EXISTS events (
id INTEGER PRIMARY KEY AUTOINCREMENT,
timestamp TEXT,
event_type TEXT,
src_ip TEXT,
user TEXT,
severity TEXT,
raw TEXT,
json_data TEXT
)
\"\"\")
conn.commit()
return conn
def store_event(event: dict): # \u5b58\u50a8\u4e8b\u4ef6\u5230\u6570\u636e\u5e93
conn = sqlite3.connect(DB_PATH) # \u8fde\u63a5\u6570\u636e\u5e93
conn.execute(\"\"\"
INSERT INTO events (timestamp, event_type, src_ip, user, severity, raw, json_data)
VALUES (?, ?, ?, ?, ?, ?, ?) # \u4f7f\u7528\u53c2\u6570\u5316\u67e5\u8be2\u9632\u6b62 SQL \u6ce8\u5165
\"\"\", (
event[\"timestamp\"],
event.get(\"event_type\"),
event.get(\"src_ip\"),
event.get(\"user\"),
event.get(\"severity\"),
event[\"raw\"],
json.dumps(event)
)) # \u5c06\u4e8b\u4ef6\u5b57\u5178\u8f6c\u6362\u4e3a JSON \u5b58\u50a8
conn.commit()
conn.close()
# \u4f7f\u7528\u793a\u4f8b\uff1a\u7ed3\u5408 parser
if __name__ == \"__main__\":
init_db()
sample_event = parse_line(\"Failed password for test from 1.2.3.4 port 22 ssh2\") # \u4ece parser \u5bfc\u5165\u89e3\u6790\u51fd\u6570\uff0c\u89e3\u6790\u793a\u4f8b\u65e5\u5fd7\u884c
if sample_event:
store_event(sample_event)<\/code><\/div><\/div>\n\n\n\n\u5206\u6790\u4e0e\u5173\u8054\u5c42\uff08Analysis & Correlation\uff09<\/h3>\n\n\n\n
\u6838\u5fc3\u68c0\u6d4b\u5f15\u64ce\uff1a\u89c4\u5219\u5339\u914d\u3001\u9608\u503c\u3001\u65f6\u95f4\u7a97\u53e3\u5173\u8054\u3001\u7b80\u5355 ML\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1a\u89c4\u5219\u5f15\u64ce\uff08Sigma\uff09\u3001CEP\u3001\u72b6\u6001\u673a\u3001ML \u5f02\u5e38\u68c0\u6d4b\u3002<\/p>\n\n\n\n
Python \u793a\u4f8b<\/strong>\uff08\u7b80\u5355\u6ed1\u52a8\u7a97\u53e3 + \u89c4\u5219\uff09<\/span><\/i><\/div># analyzer.py
from collections import defaultdict, deque
from datetime import datetime, timedelta
class FailureWindow: # \u76d1\u63a7\u77ed\u65f6\u95f4\u5185\u7684\u5931\u8d25\u4e8b\u4ef6
def __init__(self, threshold=5, window_sec=300): # threshold: \u5931\u8d25\u6b21\u6570\u9608\u503c, window_sec: \u65f6\u95f4\u7a97\u53e3\u957f\u5ea6\uff08\u79d2\uff09
self.failures = defaultdict(lambda: deque(maxlen=100)) # \u5b58\u50a8\u6bcf\u4e2aIP\u7684\u5931\u8d25\u4e8b\u4ef6\u65f6\u95f4\u6233\uff0c\u4f7f\u7528deque\u81ea\u52a8\u4e22\u5f03\u8fc7\u65e7\u7684\u8bb0\u5f55
self.threshold = threshold
self.window = timedelta(seconds=window_sec) # \u8f6c\u6362\u4e3atimedelta\u5bf9\u8c61\uff0c\u65b9\u4fbf\u65f6\u95f4\u6bd4\u8f83
def add_failure(self, ip: str, ts: datetime): # \u6dfb\u52a0\u5931\u8d25\u4e8b\u4ef6
self.failures[ip].append(ts) # \u6dfb\u52a0\u5f53\u524d\u5931\u8d25\u4e8b\u4ef6\u7684\u65f6\u95f4\u6233
# \u6e05\u7406\u8fc7\u671f
while self.failures[ip] and ts - self.failures[ip][0] > self.window: # \u79fb\u9664\u7a97\u53e3\u5916\u7684\u65e7\u8bb0\u5f55
self.failures[ip].popleft()
def is_brute_force(self, ip: str) -> bool: # \u5224\u65ad\u662f\u5426\u8fbe\u5230\u66b4\u529b\u653b\u51fb\u7684\u6761\u4ef6
if len(self.failures[ip]) >= self.threshold: # \u5982\u679c\u5f53\u524dIP\u7684\u5931\u8d25\u4e8b\u4ef6\u6570\u91cf\u8d85\u8fc7\u9608\u503c\uff0c\u8ba4\u4e3a\u53ef\u80fd\u662f\u66b4\u529b\u653b\u51fb
return True
return False
# \u89c4\u5219\u793a\u4f8b\uff1a\u77ed\u65f6\u95f4\u591a\u6b21\u5931\u8d25\u767b\u5f55
analyzer = FailureWindow(threshold=4, window_sec=120)
def analyze_event(event: dict): # \u5206\u6790\u4e8b\u4ef6\uff0c\u5224\u65ad\u662f\u5426\u89e6\u53d1\u66b4\u529b\u653b\u51fb\u89c4\u5219
if event.get(\"event_type\") == \"authentication_failure\":
ts = datetime.fromisoformat(event[\"timestamp\"].replace(\"Z\", \"+00:00\")) # \u89e3\u6790\u65f6\u95f4\u6233\uff0c\u5904\u7406UTC\u683c\u5f0f
ip = event[\"src_ip\"]
analyzer.add_failure(ip, ts)
if analyzer.is_brute_force(ip):
return {
\"alert\": True,
\"type\": \"brute_force_attempt\",
\"ip\": ip,
\"count\": len(analyzer.failures[ip]),
\"time_window\": \"2\u5206\u949f\"
}
return None<\/code><\/div><\/div>\n\n\n\n\u544a\u8b66\u4e0e\u54cd\u5e94\u5c42\uff08Alerting & Response\uff09<\/h3>\n\n\n\n
\u4ea7\u751f\u544a\u8b66\u3001\u901a\u77e5\u3001\u81ea\u52a8\u5316\u52a8\u4f5c\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1a\u90ae\u4ef6\u3001Slack\/Webhook\u3001SOAR \u811a\u672c\u3001\u9632\u706b\u5899 API\u3002<\/p>\n\n\n\n
Python \u793a\u4f8b<\/strong>\uff08\u90ae\u4ef6 + \u7b80\u5355 iptables \u5c01\u7981\uff09<\/span><\/i><\/div>#alerter.py
import smtplib
from email.mime.text import MIMEText
import subprocess
def send_email_alert(alert_data: dict, to_email=\"admin@example.com\"): # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6
msg = MIMEText(f\"\u9ad8\u5371\u544a\u8b66\uff1a{alert_data}\")
msg['Subject'] = f\"SIEM Alert - {alert_data.get('type', '\u672a\u77e5')}\"
msg['From'] = \"siem@example.com\"
msg['To'] = to_email
with smtplib.SMTP(\"smtp.example.com\", 587) as server: # \u8fde\u63a5SMTP\u670d\u52a1\u5668
server.starttls()
server.login(\"siem@example.com\", \"password\")
server.send_message(msg)
def auto_block_ip(ip: str): # \u81ea\u52a8\u5c01\u7981IP\u5730\u5740
try:
# \u6ce8\u610f\uff1a\u751f\u4ea7\u73af\u5883\u9700\u8c28\u614e\uff0c\u6700\u597d\u7528 nftables \u6216\u4e13\u7528\u9632\u706b\u5899\u63a5\u53e3
subprocess.run([\"sudo\", \"iptables\", \"-A\", \"INPUT\", \"-s\", ip, \"-j\", \"DROP\"], check=True, timeout=10) # \u4f7f\u7528iptables\u5c01\u7981IP\uff0c\u8bbe\u7f6e\u8d85\u65f6\u907f\u514d\u6302\u8d77
print(f\"\u5df2\u81ea\u52a8\u5c01\u7981 IP: {ip}\")
except Exception as e:
print(f\"\u5c01\u7981\u5931\u8d25: {e}\")
# \u4f7f\u7528\u793a\u4f8b
if __name__ == \"__main__\": # \u6a21\u62df\u63a5\u6536\u5230\u4e00\u4e2a\u9ad8\u5371\u544a\u8b66
sample_alert = {\"type\": \"brute_force_attempt\", \"ip\": \"1.2.3.4\", \"count\": 7} # \u6a21\u62df\u4e00\u4e2a\u66b4\u529b\u653b\u51fb\u544a\u8b66
send_email_alert(sample_alert) # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6
auto_block_ip(sample_alert[\"ip\"]) # \u81ea\u52a8\u5c01\u7981\u653b\u51fbIP<\/code><\/div><\/div>\n\n\n\n\u5c55\u793a\u3001\u7ba1\u7406\u4e0e\u5408\u89c4\u5c42\uff08Visualization, Management & Compliance\uff09<\/h3>\n\n\n\n
\u4eea\u8868\u76d8\u3001\u67e5\u8be2\u3001\u62a5\u544a\u3001\u7528\u6237\u6743\u9650\u3001\u5ba1\u8ba1\u3001\u5f52\u6863\u3002<\/p>\n\n\n\n
\u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1aKibana\/ Grafana\u3001\u81ea\u5b9a\u4e49 Flask\/Dash \u754c\u9762\u3001RBAC\u3002<\/p>\n\n\n\n
Python \u793a\u4f8b<\/strong>\uff08\u7b80\u5355 Flask + SQLite \u67e5\u8be2 dashboard\uff09<\/span><\/i><\/div># dashboard.py - \u6781\u7b80 Web \u5c55\u793a
from flask import Flask, render_template_string
import sqlite3
app = Flask(__name__)
HTML = \"\"\"
<!doctype html>
<title>SIEM Mini Dashboard<\/title>
<h1>\u6700\u8fd1\u544a\u8b66\u4e8b\u4ef6<\/h1>
<table border=1>
<tr><th>\u65f6\u95f4<\/th><th>\u7c7b\u578b<\/th><th>IP<\/th><th>\u7528\u6237<\/th><th>\u539f\u59cb\u65e5\u5fd7<\/th><\/tr>
{% for row in events %}
<tr><td>{{ row[0] }}<\/td><td>{{ row[1] }}<\/td><td>{{ row[2] }}<\/td><td>{{ row[3] }}<\/td><td>{{ row[6][:100] }}<\/td><\/tr>
{% endfor %}
<\/table>
\"\"\"
@app.route(\"\/\") # \u9996\u9875\u663e\u793a\u6700\u8fd1\u7684\u544a\u8b66\u4e8b\u4ef6
def dashboard(): # \u4ece\u6570\u636e\u5e93\u8bfb\u53d6\u6700\u8fd1\u7684\u4e8b\u4ef6\u5e76\u5c55\u793a
conn = sqlite3.connect(\"siem_events.db\")
cur = conn.cursor() # \u67e5\u8be2\u6700\u8fd1\u7684\u4e8b\u4ef6
cur.execute(\"SELECT timestamp, event_type, src_ip, user, severity, raw FROM events ORDER BY timestamp DESC LIMIT 20\")
events = cur.fetchall() # \u5173\u95ed\u6570\u636e\u5e93\u8fde\u63a5
conn.close()
return render_template_string(HTML, events=events) # \u6e32\u67d3 HTML \u6a21\u677f\u5e76\u8fd4\u56de
if __name__ == \"__main__\": # \u542f\u52a8 Flask \u5e94\u7528
app.run(debug=True, port=5005)
\u4e4b\u540e\u7ec4\u5408\uff0c\u5f62\u6210\u4e00\u4e2a\u5c0f\u578b\u7ba1\u9053\uff1a
# main.py \u793a\u4f8b\u7ec4\u5408
from collector import tail_file
from parser import parse_line
from storage import store_event
from analyzer import analyze_event
from alerter import send_email_alert # \u6216\u5176\u4ed6\u52a8\u4f5c
def process_line(raw): # \u5904\u7406\u6bcf\u4e00\u884c\u65e5\u5fd7
event = parse_line(raw)
if event:
store_event(event)
alert = analyze_event(event)
if alert and alert.get(\"alert\"):
send_email_alert(alert)
tail_file(\"\/var\/log\/auth.log\", process_line) # \u76d1\u63a7\u65e5\u5fd7\u6587\u4ef6\u5e76\u5904\u7406\u65b0\u884c<\/code><\/div><\/div>\n\n\n\nSecurity Onion\uff08SO\uff09<\/h1>\n\n\n\n
SO\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u7f51\u7edc\u5b89\u5168\u76d1\u63a7\u3001\u5a01\u80c1\u68c0\u6d4b\u4e0e\u65e5\u5fd7\u5206\u6790\u5e73\u53f0\uff0c\u5e38\u7528\u4e8e\u4f01\u4e1a\u5b89\u5168\u8fd0\u8425\u4e2d\u5fc3\uff08SOC\uff09\u3001\u5165\u4fb5\u68c0\u6d4b\u3001\u5a01\u80c1\u72e9\u730e\u548c\u5e94\u6025\u54cd\u5e94\u573a\u666f\u3002\u8be5\u5e73\u53f0\u6574\u5408\u4e86\u591a\u79cd\u5b89\u5168\u5de5\u5177\uff0c\u5e2e\u52a9\u5b89\u5168\u56e2\u961f\u96c6\u4e2d\u91c7\u96c6\u3001\u5206\u6790\u548c\u544a\u8b66\u7f51\u7edc\u6d41\u91cf\u3001\u4e3b\u673a\u65e5\u5fd7\u4ee5\u53ca\u5b89\u5168\u4e8b\u4ef6\u3002<\/p>\n\n\n\n
\u4e3b\u8981\u529f\u80fd<\/h2>\n\n\n\n
\u4eceSIEM\u7684\u6838\u5fc3\u67b6\u6784\u51fa\u53d1\u4e0d\u96be\u7406\u89e3SO\u7684\u4e3b\u8981\u529f\u80fd\u548c\u8fd0\u4f5c\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
1. \u7f51\u7edc\u6d41\u91cf\u76d1\u63a7<\/h3>\n\n\n\n
Security Onion \u53ef\u4ee5\u63a5\u5165\u955c\u50cf\u6d41\u91cf\uff0c\u4f8b\u5982\u4ea4\u6362\u673a SPAN \u53e3\u3001TAP \u8bbe\u5907\u7b49\uff0c\u5bf9\u7f51\u7edc\u6570\u636e\u5305\u8fdb\u884c\u5206\u6790\u3002\u5b83\u53ef\u4ee5\u53d1\u73b0\uff1a<\/p>\n\n\n\n
- \n
- \u7aef\u53e3\u626b\u63cf<\/li>\n\n\n\n
- \u6f0f\u6d1e\u5229\u7528\u884c\u4e3a<\/li>\n\n\n\n
- \u6076\u610f\u8f6f\u4ef6\u901a\u4fe1<\/li>\n\n\n\n
- C2 \u56de\u8fde<\/li>\n\n\n\n
- \u6a2a\u5411\u79fb\u52a8<\/li>\n\n\n\n
- \u5f02\u5e38 DNS \u8bf7\u6c42<\/li>\n\n\n\n
- \u53ef\u7591 HTTP\/HTTPS \u884c\u4e3a<\/li>\n\n\n\n
- \u6570\u636e\u5916\u4f20\u884c\u4e3a<\/li>\n<\/ul>\n\n\n\n
2.\u5165\u4fb5\u68c0\u6d4b<\/h3>\n\n\n\n
Security Onion \u652f\u6301\u57fa\u4e8e\u89c4\u5219\u7684\u5165\u4fb5\u68c0\u6d4b\u3002\u5e38\u89c1\u68c0\u6d4b\u5f15\u64ce\u5305\u62ec\uff1a<\/p>\n\n\n\n
\n\n- \n
- Suricata<\/li>\n\n\n\n
- Zeek<\/li>\n\n\n\n
- Sigma<\/li>\n\n\n\n
- YARA\uff0c\u90e8\u5206\u573a\u666f\u4f7f\u7528<\/li>\n\n\n\n
- Elastic \u76f8\u5173\u67e5\u8be2\u89c4\u5219<\/li>\n<\/ul>\n<\/div>\n\n\n\n\n
\u5176\u4e2d\uff1a<\/p>\n\n\n\n
- \n
- Suricata \u504f\u91cd\u4e8e\u57fa\u4e8e\u7b7e\u540d\u7684\u7f51\u7edc\u5165\u4fb5\u68c0\u6d4b<\/li>\n\n\n\n
- Zeek \u504f\u91cd\u4e8e\u7f51\u7edc\u884c\u4e3a\u5206\u6790\u548c\u534f\u8bae\u65e5\u5fd7\u89e3\u6790<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n
3.\u65e5\u5fd7\u96c6\u4e2d\u5206\u6790<\/h3>\n\n\n\n
Security Onion \u53ef\u4ee5\u6536\u96c6\u6765\u81ea\u591a\u79cd\u6765\u6e90\u7684\u65e5\u5fd7\uff0c\u4f8b\u5982\uff1a<\/p>\n\n\n\n
- \n
- Windows \u4e8b\u4ef6\u65e5\u5fd7<\/li>\n\n\n\n
- Linux \u7cfb\u7edf\u65e5\u5fd7<\/li>\n\n\n\n
- \u9632\u706b\u5899\u65e5\u5fd7<\/li>\n\n\n\n
- VPN \u65e5\u5fd7<\/li>\n\n\n\n
- DNS \u65e5\u5fd7<\/li>\n\n\n\n
- \u4ee3\u7406\u670d\u52a1\u5668\u65e5\u5fd7<\/li>\n\n\n\n
- EDR \u6216\u6740\u6bd2\u8f6f\u4ef6\u65e5\u5fd7<\/li>\n\n\n\n
- \u4e91\u5e73\u53f0\u65e5\u5fd7<\/li>\n\n\n\n
- \u5e94\u7528\u7cfb\u7edf\u65e5\u5fd7<\/li>\n<\/ul>\n\n\n\n
4.\u5a01\u80c1\u72e9\u730e<\/h3>\n\n\n\n
\u5b89\u5168\u5206\u6790\u5e08\u53ef\u4ee5\u901a\u8fc7 Security Onion \u7684\u754c\u9762\u67e5\u8be2\u7f51\u7edc\u548c\u4e3b\u673a\u6d3b\u52a8\u3002\u53ef\u4ee5\u8ffd\u8e2a\uff1a<\/p>\n\n\n\n
- \n
- \u67d0\u4e2a IP \u8bbf\u95ee\u4e86\u54ea\u4e9b\u57df\u540d<\/li>\n\n\n\n
- \u67d0\u4e2a\u4e3b\u673a\u662f\u5426\u8fde\u63a5\u8fc7\u6076\u610f IP<\/li>\n\n\n\n
- \u67d0\u4e2a\u8d26\u6237\u662f\u5426\u5b58\u5728\u5f02\u5e38\u767b\u5f55<\/li>\n\n\n\n
- \u67d0\u4e2a\u6587\u4ef6\u54c8\u5e0c\u662f\u5426\u51fa\u73b0\u8fc7<\/li>\n\n\n\n
- \u67d0\u4e2a\u5185\u7f51\u4e3b\u673a\u662f\u5426\u5b58\u5728\u626b\u63cf\u884c\u4e3a<\/li>\n\n\n\n
- \u653b\u51fb\u8005\u662f\u5426\u8fdb\u884c\u4e86\u6a2a\u5411\u79fb\u52a8<\/li>\n<\/ul>\n\n\n\n
5.\u544a\u8b66\u7ba1\u7406<\/h3>\n\n\n\n
\n\n- \n
- \u67e5\u770b\u544a\u8b66\u8be6\u60c5<\/li>\n\n\n\n
- \u5173\u8054\u4e0a\u4e0b\u6587\u4fe1\u606f<\/li>\n\n\n\n
- \u6807\u8bb0\u4e8b\u4ef6\u72b6\u6001<\/li>\n\n\n\n
- \u8fdb\u884c\u8c03\u67e5\u5206\u6790<\/li>\n\n\n\n
- \u5c06\u4e8b\u4ef6\u5347\u7ea7\u4e3a Case<\/li>\n\n\n\n
- \u5bf9\u8bef\u62a5\u8fdb\u884c\u89c4\u5219\u8c03\u6574<\/li>\n<\/ul>\n<\/div>\n\n\n\n\n
\u5de6\u4fa7\u548cSIEM\u7684\u544a\u8b66\u7ba1\u7406\u90e8\u5206\u5f88\u76f8\u4f3c\uff0c\u8fd9\u4e5f\u662f\u535a\u4e3b\u79f0\u4e4b\u4e3a\u201c\u96c6\u6210\u5f0f\u5f00\u6e90\u5b89\u5168\u76d1\u63a7\u4e0e\u5a01\u80c1\u72e9\u730e\u5e73\u53f0\u201d\u7684\u539f\u56e0<\/p>\n<\/div>\n<\/div>\n\n\n\n
\u90e8\u7f72\u65b9\u5f0f<\/h2>\n\n\n\n
\u90e8\u7f72SO\u7684\u65f6\u5019\uff0c\u9700\u8981\u786e\u8ba4\u90e8\u7f72\u7684\u73af\u5883\u548c\u914d\u7f6e\u7684\u9ad8\u4f4e\uff0c\u907f\u514d\u9009\u62e9\u9519\u8bef\u7684\u90e8\u7f72\u65b9\u5f0f\u5bfc\u81f4\u65f6\u95f4\u6210\u672c\u589e\u52a0\u548c\u52a0\u5927\u670d\u52a1\u5668\u7684\u8d1f\u8377\u3002<\/p>\n\n\n\n
- \n
- standalone\u5355\u673a\u90e8\u7f72\u9002\u5408\u5355\u670d\u52a1\u5668\u4e0b\u7684\u5b9e\u9a8c\u73af\u5883\u4e2d\u3002\u8fd9\u6837\u505a\u7684\u4f18\u70b9\u5c31\u662f\u90e8\u7f72\u7b80\u5355\uff0c\u8fc5\u901f\uff0c\u4e0d\u9700\u8981\u7e41\u7410\u7684\u914d\u7f6e\u6b65\u9aa4\uff0c\u53ea\u9700\u8981\u6309\u7167\u9ed8\u8ba4\u914d\u7f6e\u6765\u8bbe\u7f6e\u5373\u53ef\u3002<\/li>\n\n\n\n
- Distributed\u5206\u5e03\u5f0f\u90e8\u7f72\u9002\u5408\u4e2d\u5927\u578b\u4f01\u4e1a\u4e2d\u7684\u751f\u6210\u73af\u5883\uff0c\u52a0\u5f3a\u751f\u4ea7\u73af\u5883\u7684\u5b89\u5168\u3002\u7f3a\u70b9\u663e\u800c\u6613\u89c1\uff0c\u4f46\u662f\u4f18\u70b9\u4e5f\u5f88\u663e\u8457\uff1a\u6269\u5c55\u80fd\u529b\u5f3a\uff0c\u53ef\u4ee5\u968f\u65f6\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u8c03\u6574\u4f20\u611f\u5668\u548c\u5b58\u50a8\u8282\u70b9\u7684\u6570\u91cf\u3002<\/li>\n\n\n\n
- Sensor\u4f20\u611f\u5668\u90e8\u7f72\u4e00\u822c\u7528\u5728\u5173\u952e\u7f51\u7edc\u4f4d\u7f6e\uff0c\u901a\u8fc7\u955c\u50cf\u6d41\u91cf\u6765\u76d1\u63a7\u6570\u636e\u4f20\u8f93\u3002\u5e38\u89c1\u7684\u4f4d\u7f6e\u5c31\u6709\u4e92\u8054\u7f51\u51fa\u53e3\u3001\u670d\u52a1\u533a\u6838\u5fc3\u3001\u6570\u636e\u6838\u5fc3\u4ea4\u6362\u533a\u7b49\u3002<\/li>\n<\/ul>\n\n\n\n
\u7b80\u5355\u7684\u4f7f\u7528\u6d41\u7a0b<\/h2>\n\n\n\n
SO\u4e0a\u624b\u4e5f\u5f88\u5bb9\u6613\uff0c\u4e00\u4e2a\u5178\u578b\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n\n\n\n
- \n
- \u5728\u5173\u952e\u7f51\u7edc\u4f4d\u7f6e\u90e8\u7f72 Sensor<\/li>\n\n\n\n
- \u63a5\u5165\u955c\u50cf\u6d41\u91cf<\/li>\n\n\n\n
- \u91c7\u96c6\u4e3b\u673a\u548c\u8bbe\u5907\u65e5\u5fd7<\/li>\n\n\n\n
- Suricata \u68c0\u6d4b\u6076\u610f\u6d41\u91cf<\/li>\n\n\n\n
- Zeek \u751f\u6210\u7f51\u7edc\u534f\u8bae\u65e5\u5fd7<\/li>\n\n\n\n
- Elastic \u5b58\u50a8\u548c\u7d22\u5f15\u65e5\u5fd7<\/li>\n\n\n\n
- Security Onion Console \u5c55\u793a\u544a\u8b66<\/li>\n\n\n\n
- \u5206\u6790\u4eba\u5458\u8c03\u67e5\u4e8b\u4ef6<\/li>\n\n\n\n
- \u6839\u636e\u7ed3\u679c\u8c03\u6574\u89c4\u5219\u6216\u5c01\u5835\u5a01\u80c1<\/li>\n<\/ol>\n\n\n\n
\u90e8\u7f72\u6d41\u7a0b\u793a\u4f8b<\/h2>\n\n\n\n
\u6ce8\uff1a\u7531\u4e8eSO\u7684\u914d\u7f6e\u811a\u672c\uff0c\u8be5\u811a\u672c\u68c0\u6d4b\u5230\u7f51\u5361\uff0c\u4f1a\u81ea\u52a8\u89e6\u53d1repo\u5f3a\u540c\u6b65\u3002\u5982\u679c\u5185\u7f51\u914d\u7f6e\u4e0d\u5f53\uff0c\u4f1a\u51fa\u73b0DNS\u89e3\u6790\u5931\u8d25\uff0c\u5bfc\u81f4\u65e0\u6cd5\u4ece\u5b98\u65b9\u4ed3\u5e93securityonion.net<\/strong>\u62c9\u53d6\u914d\u7f6e\u3002\u6240\u4ee5\u5728\u5185\u7f51\u73af\u5883\u90e8\u7f72\u7684\u65f6\u5019\uff0c\u5efa\u8bae\u9009\u62e9Airgap\u95ed\u7f51\u73af\u5883\u8fdb\u884c\u90e8\u7f72\u3002<\/p>\n\n\n\n
\u672c\u6b21\u793a\u4f8b\u662f\u5728Proxmox Virtual Environment\uff08PVE\uff09\u4e2d\u90e8\u7f72\uff0c\u5177\u4f53\u7684\u5b9e\u9645\u60c5\u51b5\u8bf7\u53c2\u8003\u5185\u7f51\u4e2d\u7684\u5907\u6ce8\u3002\u5728\u6b64\u53ea\u7b80\u5355\u5730\u9610\u8ff0\u6b65\u9aa4\u6d41\u7a0b\u3002<\/p>\n\n\n\n
1.\u5bfc\u5165<\/h3>\n\n\n\n
- Orchestration<\/strong>\uff1a\u628a\u5206\u6563\u5de5\u5177\u8fde\u6210\u5de5\u4f5c\u6d41<\/li>\n\n\n\n
- Response<\/strong>\uff1a\u63d0\u4f9b\u6807\u51c6\u5316\u7684\u54cd\u5e94\u6d41\u7a0b\uff0c\u51cf\u5c11\u4eba\u4e3a\u9519\u8bef\uff0c\u63d0\u9ad8\u54cd\u5e94\u901f\u5ea6<\/li>\n\n\n\n
- \u68c0\u6d4b\u9636\u6bb5<\/strong>\uff1a\u5b9e\u65f6\u6253\u5206\uff08risk score\uff09\uff0c\u504f\u79bb\u57fa\u7ebf\u8d8a\u8fdc\u5206\u6570\u8d8a\u9ad8<\/li>\n\n\n\n
- \u5b66\u4e60\u9636\u6bb5<\/strong>\uff1a\u6536\u96c6\u5386\u53f2\u6570\u636e\uff08\u767b\u5f55\u65f6\u95f4\u3001\u5730\u70b9\u3001\u8bbf\u95ee\u8d44\u6e90\u3001\u64cd\u4f5c\u9891\u7387\u7b49\uff09\uff0c\u7528 ML\uff08\u5982\u805a\u7c7b\u3001Isolation Forest\u3001Autoencoder\u3001\u7edf\u8ba1\u6a21\u578b\uff09\u6784\u5efa\u201c\u6b63\u5e38\u201d\u753b\u50cf<\/li>\n\n\n\n
![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-53-1024x693.png\")
<\/div>![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-55-1024x555.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-56-1024x555.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-57-1024x578.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-63-1024x269.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-58.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-62.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-61.png\")
<\/div><\/figure>\n\n\n\n