Log reference
Storage path
OpenRASP enables file logging by default. The log files are stored at:
- Java version: `<app_home>/rasp/logs/alarm/*.log`
- PHP version: `<openrasp_rootdir>/logs/alarm/*.log`

Note that in the Java version the current alarm file carries no date; a date is appended only after rotation, e.g.

/tomcat/rasp/logs/alarm/alarm.log
/tomcat/rasp/logs/alarm/alarm.log.2018-12-04
...

In the PHP version the alarm log file always carries a date, e.g.

/opt/rasp/logs/alarm/alarm.log.2018-12-16

However, because of limitations in PHP itself, some messages, such as INI configuration errors, are still written to the PHP error log rather than to these files.
Log types
OpenRASP writes four kinds of logs:
| File name | Contents |
|---|---|
| plugin/plugin-DATE.log | Detection plugin log, e.g. plugin exceptions and plugin debug output |
| rasp/rasp-DATE.log | RASP agent debug log |
| alarm/alarm-DATE.log | Attack alarm log, JSON format, one event per line |
| policy_alarm/policy_alarm-DATE.log | Security baseline check alarm log, JSON format, one event per line |
Log format
1. Attack log format
When an attack event occurs, OpenRASP records the following information:
| Field | Description |
|---|---|
| rasp_id | RASP agent ID |
| app_id | Application ID |
| event_type | Log type, always the string `attack` |
| event_time | Time the event occurred |
| request_id | ID of the current request |
| request_method | HTTP request method |
| intercept_state | Interception state |
| attack_source | Attack source IP |
| target | Domain name of the attacked target |
| server_hostname | Hostname of the attacked server |
| server_ip | IP of the attacked target |
| server_type | Application server type |
| server_version | Application server version |
| path | Current URL, without query parameters |
| url | Current URL, including the full GET query string |
| attack_type | Attack type |
| attack_params | Attack parameters |
| attack_source | Request source |
| client_ip | Real client IP address; see the "Other configuration options" section to configure how it is determined |
| plugin_name | Name of the plugin that reported the attack |
| plugin_confidence | Confidence of the detection result, returned by the plugin |
| plugin_message | Detection result message |
| plugin_algorithm | Detection algorithm used by the plugin |
| header | Request headers |
| stack_trace | Current call stack |
| body | Body of the current request, if any |
A complete JSON log entry looks like the following (a single line in the actual log file; pretty-printed here for readability):

```json
{
  "attack_type": "xss_userinput",
  "request_method": "get",
  "server_version": "7.0.78.0",
  "path": "/vulns/017-xss.jsp",
  "event_type": "attack",
  "attack_params": {
    "name": "input",
    "value": "<script>alert(1)</script>"
  },
  "server_ip": "127.0.0.1",
  "client_ip": "",
  "attack_source": "127.0.0.1",
  "app_id": "1e46d1ae2cec7966343c1c1455cdb9ea3c356662",
  "server_nic": [
    {"name": "eth0", "ip": "172.24.172.168"}
  ],
  "intercept_state": "log",
  "plugin_confidence": 100,
  "plugin_algorithm": "xss_userinput",
  "plugin_name": "java_builtin_plugin",
  "server_hostname": "devnull",
  "url": "http://127.0.0.1:8080/vulns/017-xss.jsp?input=%3cscript%3ealert(1)%3c%2fscript%3e",
  "target": "127.0.0.1",
  "header": {
    "referer": "http://127.0.0.1:8080/vulns/017-xss.jsp",
    "accept-language": "en-US,en;q=0.9,fr;q=0.8,zh-CN;q=0.7,zh;q=0.6,zh-TW;q=0.5,hr;q=0.4,ja;q=0.3,pt;q=0.2,la;q=0.1",
    "cookie": "JSESSIONID=E51A4982D9E62B1C49F1B522404C6AA7; 89facc616a91c8542b4120d0985ae97c=r7f62uq42ihucmdt4j53kufepj",
    "host": "127.0.0.1:8080",
    "upgrade-insecure-requests": "1",
    "connection": "keep-alive",
    "cache-control": "no-cache",
    "pragma": "no-cache",
    "accept-encoding": "gzip, deflate, br",
    "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.1453.93 Safari/537.36",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
  },
  "stack_trace": "org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java)\norg.apache.catalina.connector.Response.finishResponse(Response.java:537)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:483)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748)",
  "rasp_id": "18619d5f553f0fc31a4e4f0eb96b2564",
  "request_id": "3ff7d8cae4d3441e927433a1161be89c",
  "source_code": [
    "",
    "this.outputBuffer.close();",
    "",
    "this.adapter.service(this.request, this.response);",
    "",
    "state = this.this$0.handler.process(this.socket, this.status);",
    "runnable.run();",
    "this.this$0.runWorker(this);",
    "this.wrappedRunnable.run();",
    "this.target.run();"
  ],
  "event_time": "2019-05-27T14:36:42+0800",
  "plugin_message": "Reflected XSS attack detected, parameter name: input",
  "server_type": "tomcat"
}
```
2. Security baseline check log
When a configuration that violates the security baseline is detected, OpenRASP records the following information:
| Field | Description |
|---|---|
| event_type | Log type, always the string `security_policy` |
| event_time | Time the event occurred |
| server_hostname | Server hostname |
| server_nic | Server IP addresses, one entry per network interface |
| server_type | Application server type |
| server_version | Application server version |
| policy_id | ID of the matched policy |
| policy_params | Extra parameters of the baseline alarm, e.g. the PID |
| message | Description of the non-compliant configuration |
| stack_trace | Current call stack; may be empty in some cases |
A complete JSON log entry looks like the following (a single line in the actual log file; pretty-printed here for readability):

```json
{
  "event_type": "security_policy",
  "event_time": "2017-04-01T08:00:00Z",
  "policy_id": "3002",
  "server_hostname": "my-bloodly-hostname",
  "server_nic": [
    {"name": "eth0", "ip": "10.10.1.131"},
    {"name": "eth0", "ip": "192.168.1.150"}
  ],
  "server_type": "Tomcat",
  "stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n",
  "server_version": "7.0.15",
  "message": "Tomcat 不应该以root权限启动",
  "policy_params": {"pid": 1023}
}
```
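As an added example (not OpenRASP's own code), the Python script below ties the three sections above together: it globs the alarm and policy_alarm files for both the Java and PHP layouts (the trailing `*` picks up rotated, date-suffixed files as well as the undated current Java file), parses each JSON line, skips empty or truncated lines instead of aborting, and summarises attack events by type, interception state and source IP, and baseline events by policy ID. The install roots in `LOG_GLOBS`, the sample lines in `SAMPLE_LINES`, the function names and the values `sql`, `block`, `10.0.0.5` and `203.0.113.9` in the second sample are constructed assumptions; only the first attack line and the policy line are abbreviated from the samples on this page.

```python
"""Summarise OpenRASP alarm / policy_alarm JSON-lines logs (added example, not OpenRASP code)."""
import glob
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, Optional

# Assumed install roots: replace with the real <app_home> (Java) or
# <openrasp_rootdir> (PHP). The trailing "*" also matches rotated files
# such as alarm.log.2018-12-04.
LOG_GLOBS = [
    "/path/to/app_home/rasp/logs/alarm/*.log*",
    "/path/to/app_home/rasp/logs/policy_alarm/*.log*",
    "/path/to/openrasp_rootdir/logs/alarm/*.log*",
    "/path/to/openrasp_rootdir/logs/policy_alarm/*.log*",
]

# Constructed sample input: the first and third lines are abbreviated from the
# samples on this page, the second is invented, and the last two simulate a
# line truncated during rotation and an empty line.
SAMPLE_LINES = [
    '{"event_type": "attack", "event_time": "2019-05-27T14:36:42+0800", '
    '"attack_type": "xss_userinput", "intercept_state": "log", '
    '"attack_source": "127.0.0.1", "client_ip": "", "path": "/vulns/017-xss.jsp", '
    '"plugin_confidence": 100, "plugin_name": "java_builtin_plugin"}',
    '{"event_type": "attack", "event_time": "2019-05-27T14:37:10+0800", '
    '"attack_type": "sql", "intercept_state": "block", '
    '"attack_source": "10.0.0.5", "client_ip": "203.0.113.9", "path": "/user/list", '
    '"plugin_confidence": 90, "plugin_name": "java_builtin_plugin"}',
    '{"event_type": "security_policy", "event_time": "2017-04-01T08:00:00Z", '
    '"policy_id": "3002", "server_hostname": "my-bloodly-hostname", '
    '"message": "Tomcat 不应该以root权限启动", "policy_params": {"pid": 1023}}',
    '{"event_type": "attack", "attack_type": "command"',
    "",
]


def iter_log_lines(patterns: Iterable[str] = LOG_GLOBS) -> Iterator[str]:
    """Yield every line of every file matched by the glob patterns."""
    for pattern in patterns:
        for filename in sorted(glob.glob(pattern)):
            # errors="replace" keeps a stray non-UTF-8 byte from aborting the run
            with open(filename, encoding="utf-8", errors="replace") as fh:
                yield from fh


def parse_line(line: str) -> Optional[dict]:
    """Return the JSON object on this line, or None if the line is empty,
    not valid JSON (e.g. cut off by rotation) or has no event_type."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except ValueError:
        return None
    if not isinstance(event, dict) or "event_type" not in event:
        return None
    return event


def source_ip(event: dict) -> str:
    """client_ip holds the real client address once the 'other configuration
    options' are set; it is empty otherwise, so fall back to attack_source."""
    return event.get("client_ip") or event.get("attack_source", "unknown")


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Aggregate attack and security_policy events from JSON-lines input."""
    by_type: Counter = Counter()
    by_state: Counter = Counter()
    sources: Counter = Counter()
    policies: Counter = Counter()
    skipped = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        kind = event["event_type"]
        if kind == "attack":
            by_type[event.get("attack_type", "unknown")] += 1
            by_state[event.get("intercept_state", "unknown")] += 1
            sources[source_ip(event)] += 1
        elif kind == "security_policy":
            policies[str(event.get("policy_id", "unknown"))] += 1
        # any other event_type is ignored rather than treated as an error
    return {
        "attacks_by_type": dict(by_type),
        "attacks_by_state": dict(by_state),
        "attack_sources": dict(sources),
        "policy_by_id": dict(policies),
        "skipped": skipped,
    }


if __name__ == "__main__":
    # Runs on the embedded samples; pass iter_log_lines() instead for real files.
    print(json.dumps(summarize(SAMPLE_LINES), indent=2, ensure_ascii=False))
```

The `skipped` counter is worth watching in practice: a steadily growing value on the undated Java `alarm.log` usually means the reader is racing the writer around rotation, while a high value on a PHP host is a hint to check the PHP error log for the INI problems mentioned above.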
