jmoreira01/WAZUH_YARA_Complete_Configuration

GitHub: jmoreira01/WAZUH_YARA_Complete_Configuration

A complete Wazuh + YARA integration guide that helps security teams quickly build an endpoint security monitoring platform with malware detection, file integrity monitoring, malicious IP blocking and brute-force defence.

Stars: 0 | Forks: 0

[![Wazuh](https://img.shields.io/badge/Wazuh-v4.14.x-blue)](https://wazuh.com/) [![YARA](https://img.shields.io/badge/YARA-v4.5.5-red)](https://virustotal.github.io/yara/)

# Wazuh - Complete Configuration Guide

## Table of Contents

1. [Environment Architecture](#environment-architecture)
2. [Wazuh Installation](#wazuh-installation)
3. [Basic Configuration](#basic-configuration)
4. [File Integrity Monitoring (FIM)](#file-integrity-monitoring-fim)
5. [YARA Integration - Malware Detection](#yara-integration---malware-detection)
6. [Malicious IP Blocking (CDB Lists)](#malicious-ip-blocking-cdb-lists)
7. [Brute-Force Detection](#brute-force-detection)
8. [SQL Injection Detection](#sql-injection-detection)
9. [Active Response](#active-response)
10. [Troubleshooting](#troubleshooting)
11. [Useful Commands](#useful-commands)

## Environment Architecture

### Components

| Component | Operating System | IP | Services | Wazuh |
|-----------|------------------|-----|----------|-------|
| **Wazuh Server** | Ubuntu 22.04 | 192.168.1.121 | Manager, Indexer, Dashboard | v4.14.1 |
| **Linux Agent** | Debian 13 Trixie | 192.168.1.122 | Apache, SSH | Agent v4.14.x |
| **Windows Agent** | Windows 10/11 | dynamic | RDP, SMB | Agent v4.14.x |
| **Kali Attacker** | Kali Linux | dynamic | Hydra, curl | N/A |

### Ports Used

- **1514/TCP** - Agent → Manager (communication)
- **1515/TCP** - Agent → Manager (enrollment)
- **55000/TCP** - Manager API
- **443/TCP** - Web Dashboard
- **9200/TCP** - Indexer

## Wazuh Installation

### Server (Ubuntu 22.04)

```bash
# Update the system
sudo apt update && sudo apt upgrade -y

# Install Wazuh (quickstart, all-in-one)
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

# Save the admin password
cat ~/wazuh-install-files/wazuh-passwords.txt

# Access the Dashboard
# https://SERVER_IP
# User: admin | Password: (from the file above)
```

### Linux Agent

```bash
# Command generated by the Dashboard:
# Agents → Deploy new agent → Linux
curl -so wazuh-agent.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.14.x_amd64.deb
sudo WAZUH_MANAGER='192.168.1.121' dpkg -i ./wazuh-agent.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```

### Windows Agent

1. Dashboard → Agents → Deploy new agent → Windows
2. Set the server address: `192.168.1.121`
3. Download the MSI installer
4. Run it as Administrator
5. Verify: `Get-Service -Name "WazuhSvc"`

## Basic Configuration

### Configuration Files

| Location | Component | Description |
|----------|-----------|-------------|
| `/var/ossec/etc/ossec.conf` | Server | Main Manager configuration |
| `/var/ossec/etc/ossec.conf` | Linux Agent | Agent configuration |
| `C:\Program Files (x86)\ossec-agent\ossec.conf` | Windows Agent | Agent configuration |
| `/var/ossec/etc/rules/local_rules.xml` | Server | Custom rules |
| `/var/ossec/etc/decoders/local_decoder.xml` | Server | Custom decoders |
| `/var/ossec/etc/lists/` | Server | CDB lists |

### Management Commands

```
# SERVER
sudo systemctl status wazuh-manager
sudo systemctl restart wazuh-manager
sudo systemctl stop wazuh-manager

# LINUX AGENT
sudo systemctl status wazuh-agent
sudo systemctl restart wazuh-agent

# WINDOWS AGENT (run PowerShell as Administrator)
Get-Service -Name "WazuhSvc"
net stop WazuhSvc
net start WazuhSvc
```

## File Integrity Monitoring (FIM)

### Concept

FIM monitors changes to critical files and directories and can detect:

- **File creation** (rule 554)
- **File modification** (rule 550)
- **File deletion** (rule 553)
- **Permission changes** (rule 550)
- **Owner changes** (rule 550)

### Linux Agent Configuration

**File:** `/var/ossec/etc/ossec.conf`

```xml
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- Directories watched in real time (realtime/check_all attributes assumed; see the parameter table below) -->
  <directories realtime="yes" check_all="yes">/tmp/yara/malware</directories>
  <directories realtime="yes" check_all="yes">/var/www/html</directories>
  <directories realtime="yes" check_all="yes">/home</directories>

  <!-- Default system directories (periodic scan) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/boot</directories>

  <!-- Files and patterns to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore type="sregex">.log$|.swp$</ignore>
</syscheck>
```

### Windows Agent Configuration

**File:** `C:\Program Files (x86)\ossec-agent\ossec.conf`

```xml
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- realtime/check_all attributes assumed; see the parameter table below -->
  <directories realtime="yes" check_all="yes">C:\partilha</directories>
  <directories realtime="yes" check_all="yes">C:\Users\%USERNAME%</directories>
</syscheck>
```

### Important Parameters

| Parameter | Value | Description |
|-----------|--------|-------------|
| `disabled` | `yes`/`no` | Enable/disable FIM |
| `frequency` | seconds | Scan interval (43200 = 12 hours) |
| `scan_on_start` | `yes`/`no` | Scan when the agent starts |
| `check_all` | `yes`/`no` | Monitor everything (size, permissions, hashes, etc.) |
| `realtime` | `yes`/`no` | Real-time detection (as opposed to the periodic scan) |

### Default FIM Rules

- **Rule 550** - File modified
- **Rule 551** - Integrity checksum changed
- **Rule 553** - File deleted
- **Rule 554** - File added to the system

### FIM Test

```bash
# Linux
sudo touch /tmp/yara/malware/test_fim.txt
# "sudo echo ... >>" would fail here: the redirect runs in the unprivileged shell, so use tee
echo "test" | sudo tee -a /tmp/yara/malware/test_fim.txt

# Check the alerts on the server
sudo tail -f /var/ossec/logs/alerts/alerts.log | grep -i syscheck
```

## YARA Integration - Malware Detection

### Overview

**YARA** = Yet Another Ridiculous Acronym (or Yet Another Recursive Acronym)

A pattern-matching engine that identifies malware through rules describing malware families or suspicious files.

### Workflow

```
1. File created/modified in /tmp/yara/malware
2. FIM detects (Rule 100301 - File added)
3. Active Response triggers → yara.sh executes on agent
4. YARA analyzes file → compares with rules
5. If match → writes to active-responses.log
6. Decoder processes → extracts yara_rule, yara_scanned_file
7. Rule 108001 triggers → YARA alert generated
8. Dashboard shows → Malware detected
```

## YARA Configuration - Linux Agent

### 1. Install YARA on the Agent

```bash
# Dependencies
sudo apt update
sudo apt install -y make gcc autoconf libtool libssl-dev pkg-config jq

# Download YARA
sudo curl -LO https://github.com/VirusTotal/yara/archive/v4.5.5.tar.gz

# Extract and build
sudo tar -xvzf v4.5.5.tar.gz -C /usr/local/bin/
cd /usr/local/bin/yara-4.5.5/
sudo ./bootstrap.sh
sudo ./configure
sudo make
sudo make install
sudo make check

# Verify the installation
yara --version
# Should return: 4.5.5
```

### 2. Download YARA Rules

```bash
# Create the rules directory
sudo mkdir -p /tmp/yara/rules

# Download the Valhalla rules (2711 rules)
sudo curl 'https://valhalla.nextron-systems.com/api/v1/get' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  --compressed \
  --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
  -o /tmp/yara/rules/yara_rules.yar

# Verify the download
ls -lh /tmp/yara/rules/
# Should show: yara_rules.yar (~2.4M)
```

### 3. Active Response Script (yara.sh)

**File:** `/var/ossec/active-response/bin/yara.sh`

**⚠️ Critical fix:** use an absolute path for LOG_FILE

```bash
#!/bin/bash
# YARA Active Response script (run by the agent; the alert JSON arrives on stdin)
LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../

# ✅ Important: absolute path (the working directory is not guaranteed)
LOG_FILE="/var/ossec/logs/active-responses.log"

# Parse the JSON received on stdin
read -r INPUT_JSON
YARA_PATH=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[1]')
YARA_RULES=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[3]')
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.syscheck.path')

# Run YARA; each match is one line of the form "<rule> <file>"
yara_output=$("${YARA_PATH}"/yara -w -r "${YARA_RULES}" "${FILENAME}" 2>&1)

# Write every match with the prefix the yara_decoder expects (raw YARA output would not be decoded)
if [[ -n "$yara_output" ]]; then
    while read -r line; do
        echo "wazuh-yara: INFO - Scan result: $line" >> "${LOG_FILE}"
    done <<< "$yara_output"
fi
```

**Permissions:**

```bash
sudo chown root:wazuh /var/ossec/active-response/bin/yara.sh
sudo chmod 750 /var/ossec/active-response/bin/yara.sh
```

### 4. Configure FIM for YARA (Agent)

**File:** `/var/ossec/etc/ossec.conf`

```xml
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>
  <directories realtime="yes">/tmp/yara/malware</directories>
</syscheck>
```

**Create the directory:**

```bash
sudo mkdir -p /tmp/yara/malware
```

**Restart the Agent:**

```bash
sudo systemctl restart wazuh-agent
```

## YARA Configuration - Wazuh Server

### 1. Custom Rules

**File:** `/var/ossec/etc/rules/local_rules.xml`

**⚠️ Correct XML structure:**

```xml
<group name="local,syslog,sshd,">
  <!-- Rule id and level are not stated in the original guide; 100001 / 5 are assumed -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>!192.168.1.0/24</srcip>
    <description>sshd: authentication failed from IP outside local network.</description>
  </rule>
</group>

<group name="syscheck,">
  <!-- Levels are not stated in the original guide; 7 is the value used in Wazuh's YARA documentation -->
  <rule id="100300" level="7">
    <if_sid>550</if_sid>
    <field name="file">/tmp/yara/malware/</field>
    <description>File modified in /tmp/yara/malware directory.</description>
  </rule>
  <rule id="100301" level="7">
    <if_sid>554</if_sid>
    <field name="file">/tmp/yara/malware/</field>
    <description>File added to /tmp/yara/malware directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>YARA grouping rule</description>
  </rule>
  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. YARA rule: $(yara_rule)</description>
  </rule>
</group>
```

**⚠️ Important:**

- Every `<group>` must have its closing `</group>` tag
- Never leave a group "open" without closing it
- Check the XML indentation

### 2. Custom Decoder

**File:** `/var/ossec/etc/decoders/local_decoder.xml`

```xml
<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>

<!-- Child decoder name assumed (the original only shows the parent name) -->
<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
```

**Extracted fields:**

- `log_type` - INFO, WARNING, ERROR
- `yara_rule` - name of the matching YARA rule (e.g. MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A)
- `yara_scanned_file` - full path of the analysed file

### 3. Configure Active Response

**File:** `/var/ossec/etc/ossec.conf`

**⚠️ Critical fix:** `<location>all</location>` (instead of `local`)

```xml
<command>
  <name>yara_linux</name>
  <executable>yara.sh</executable>
  <extra_args>-yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar</extra_args>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>yara_linux</command>
  <location>all</location>
  <rules_id>100300,100301</rules_id>
</active-response>
```

**`extra_args` parameters:**

- `-yara_path` - directory containing the YARA binary
- `-yara_rules` - full path of the rules file

**Restart the Manager:**

```bash
sudo systemctl restart wazuh-manager
sudo systemctl status wazuh-manager
```
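The yara.sh script (step 3 of the Linux agent configuration), the decoder (step 2) and the active-response configuration (step 3) above form one pipeline: the agent receives an alert JSON, the script writes a `wazuh-yara: INFO - Scan result:` line, and the manager's decoder turns that line into fields. The following Python script is an added example, not code from this guide or from Wazuh, that reproduces the pipeline offline so each step can be checked: it reads the same JSON fields that yara.sh reads with jq, refuses paths outside the monitored directory (the script runs as root on whatever path the alert carries), formats the log line, and applies the decoder regex. The alert JSON and the YARA output lines are constructed sample data; the decoder is expressed with Python's `re` module, whose `\S+` behaves like Wazuh's for this pattern.

```python
"""Round trip of the YARA active response: alert JSON -> log line -> decoded fields."""
import json
import os.path
import re

# Directory that FIM watches on the agent (from the guide's configuration)
MONITORED_DIR = "/tmp/yara/malware"

# Decoder definition from local_decoder.xml, expressed with Python's re module
DECODER_PREMATCH = "wazuh-yara:"
DECODER_REGEX = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
DECODER_ORDER = ("log_type", "yara_rule", "yara_scanned_file")

# Constructed active-response input, shaped like the JSON the agent pipes to yara.sh
SAMPLE_AR_INPUT = json.dumps({
    "version": 1,
    "origin": {"name": "debian-agent", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": ["-yara_path", "/usr/local/bin",
                       "-yara_rules", "/tmp/yara/rules/yara_rules.yar"],
        "alert": {
            "rule": {"id": "100301", "description": "File added to /tmp/yara/malware directory."},
            "syscheck": {"path": "/tmp/yara/malware/mirai", "event": "added"},
        },
    },
})

# Constructed YARA output ("<rule> <file>", one line per match)
SAMPLE_YARA_OUTPUT = [
    "MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A /tmp/yara/malware/mirai",
]


def parse_ar_input(input_json):
    """The same fields yara.sh reads with jq: extra_args[1], extra_args[3], alert.syscheck.path."""
    params = json.loads(input_json)["parameters"]
    return {
        "yara_path": params["extra_args"][1],
        "yara_rules": params["extra_args"][3],
        "filename": params["alert"]["syscheck"]["path"],
    }


def is_inside_monitored_dir(path, base=MONITORED_DIR):
    """Reject paths outside the FIM directory, including '..' traversals, before scanning as root."""
    normalized = os.path.normpath(path)
    return normalized == base or normalized.startswith(base + "/")


def format_scan_result(yara_line):
    """The line yara.sh must append to active-responses.log for one YARA match."""
    return f"wazuh-yara: INFO - Scan result: {yara_line}"


def decode(log_line):
    """Apply the prematch, then the child decoder's regex and field order; None if nothing decodes."""
    if DECODER_PREMATCH not in log_line:
        return None
    match = DECODER_REGEX.search(log_line)
    if not match:
        return None
    return dict(zip(DECODER_ORDER, match.groups()))


def round_trip(input_json=SAMPLE_AR_INPUT, yara_output=SAMPLE_YARA_OUTPUT):
    """Parse the alert, check the path, and return the decoded fields per match (empty if rejected)."""
    alert = parse_ar_input(input_json)
    if not is_inside_monitored_dir(alert["filename"]):
        return []
    return [decode(format_scan_result(line)) for line in yara_output]


if __name__ == "__main__":
    for fields in round_trip():
        print(fields)
    # Limit of \S+: for a file name with a space the decoder keeps only "/tmp/yara/malware/my"
    print(decode(format_scan_result("SUSP_Example_Rule /tmp/yara/malware/my sample.bin")))
```

Two things the script makes visible: a raw YARA line without the `wazuh-yara:` prefix never reaches rule 108001 because the prematch fails, and a scanned file whose name contains a space is truncated by the `(\S+)` capture, so `yara_scanned_file` will not be the real path for such files.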
## YARA Testing - Malware Samples

### Malware Download Script

**File:** `/tmp/yara/malware/malware_downloader.sh`

```bash
#!/bin/bash
echo "Downloading malware samples for YARA testing..."

# Mirai botnet
wget https://bazaar.abuse.ch/sample/10f8f2573cbb3954d3c0908af9e53daca56ab6db7c5239f92c7cf917549dea6c/ -O mirai

# xbash malware
wget https://bazaar.abuse.ch/sample/25d1d6caf2b8e4e9a5f3c6a45f3f2f5f8f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5/ -O xbash

# PHP webshell
wget https://bazaar.abuse.ch/sample/9d3c5e7a8f2b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8/ -O webshell.php

# VPNFilter malware
wget https://bazaar.abuse.ch/sample/50ac2b2b3d1c4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9/ -O vpn_filter

echo "Download complete!"
ls -lh
```

### EICAR Test File (safe)

```bash
# Create the EICAR test file (detected by every antivirus engine)
# /tmp/yara/malware is root-owned, so write through sudo tee instead of a plain redirect
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' | sudo tee /tmp/yara/malware/eicar.com > /dev/null
```

### Verify the Results

**On the Agent:**

```bash
# Watch the Active Response log
sudo tail -f /var/ossec/logs/active-responses.log

# Expected output example:
# wazuh-yara: INFO - Scan result: MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A /tmp/yara/malware/mirai
```

**On the Server:**

```bash
# Watch the YARA alerts
sudo tail -f /var/ossec/logs/alerts/alerts.log | grep -A 10 "108001"

# Example output:
# Rule: 108001 (level 12) -> 'File "/tmp/yara/malware/malware/mirai" is a positive match...'
# yara_rule: MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
# yara_scanned_file: /tmp/yara/malware/mirai
```

**On the Dashboard:**

1. Open **Threat Intelligence** → **Security Events**
2. Filter: `rule.id: 108001`
3. Check the alert with the malware details

## YARA Configuration - Windows Agent

### 1. Install YARA

**Download:**

- URL: https://github.com/VirusTotal/yara/releases
- File: `yara-v4.5.5-win64.zip`

**Install:**

```powershell
# Extract to C:\Program Files\yara\
# Add it to the system PATH:
# System → Properties → Environment Variables → PATH
# Add: C:\Program Files\yara\

# Verify (the win64 package ships the binary as yara64.exe)
yara64 --version
```

### 2. YARA Rules

```powershell
# Create the directory
mkdir C:\yara_rules

# Download the Valhalla rules
Invoke-WebRequest -Uri "https://valhalla.nextron-systems.com/api/v1/get" `
  -Method POST `
  -Body "demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text" `
  -OutFile "C:\yara_rules\yara_rules.yar"
```

### 3. yara.bat Script

**File:** `C:\Program Files (x86)\ossec-agent\active-response\bin\yara.bat`

```bat
@echo off
setlocal

:: Read the alert JSON from stdin and extract parameters.alert.syscheck.path.
:: Splitting the JSON on ":" does not work for Windows paths such as C:\partilha,
:: so the JSON is parsed with PowerShell instead.
for /f "delims=" %%a in ('powershell -NoProfile -Command "(Read-Host | ConvertFrom-Json).parameters.alert.syscheck.path"') do set "FILEPATH=%%a"

set "LOG_FILE=C:\Program Files (x86)\ossec-agent\active-responses.log"
set "YARA_OUT=%TEMP%\wazuh_yara_out.txt"

:: Run YARA (output: one "<rule> <file>" line per match)
"C:\Program Files\yara\yara64.exe" -w -r "C:\yara_rules\yara_rules.yar" "%FILEPATH%" > "%YARA_OUT%" 2>&1

:: Write each match with the prefix the yara_decoder expects
for /f "usebackq delims=" %%m in ("%YARA_OUT%") do (
    >> "%LOG_FILE%" echo wazuh-yara: INFO - Scan result: %%m
)
del "%YARA_OUT%"
exit /b 0
```

### 4. Server Configuration (Windows)

**Rules:**

```xml
<group name="syscheck,">
  <!-- Levels are not stated in the original guide; 7 is assumed, as for the Linux rules -->
  <rule id="100310" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\partilha\\</field>
    <description>File modified in C:\partilha</description>
  </rule>
  <rule id="100311" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\partilha\\</field>
    <description>File added to C:\partilha</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108010" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Windows YARA grouping</description>
  </rule>
  <!-- Id and level of the alert rule are not stated in the original guide; 108011 / 12 are assumed -->
  <rule id="108011" level="12">
    <if_sid>108010</if_sid>
    <description>YARA Windows malware: $(yara_rule)</description>
  </rule>
</group>
```

**Active Response:**

```xml
<command>
  <name>yara_windows</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>yara_windows</command>
  <location>local</location>
  <rules_id>100310,100311</rules_id>
</active-response>
```

## Malicious IP Blocking (CDB Lists)

### Concept

**CDB = Constant Database** - a key-value database optimised for fast lookups

Format:

```
192.168.1.50:malicious
10.0.0.23:botnet
```

### 1. Create the IP List (Server)

```bash
# Download the AlienVault list
sudo wget https://iplists.firehol.org/files/alienvault_reputation.ipset \
  -O /var/ossec/etc/lists/alienvault_reputation.ipset

# Add the attacker's IP ("sudo echo ... >>" would fail: the redirect runs without privileges)
echo "ATTACKER_IP" | sudo tee -a /var/ossec/etc/lists/alienvault_reputation.ipset
```

### 2. Convert to CDB

```bash
# Download the conversion script
sudo wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py

# Convert
sudo /var/ossec/framework/python/bin/python3 /tmp/iplist-to-cdblist.py \
  /var/ossec/etc/lists/alienvault_reputation.ipset \
  /var/ossec/etc/lists/blacklist-alienvault

# Permissions
sudo chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault

# Clean up temporary files
sudo rm -rf /var/ossec/etc/lists/alienvault_reputation.ipset
sudo rm -rf /tmp/iplist-to-cdblist.py
```

### 3. Add the List to ossec.conf

```xml
<ruleset>
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>
  <list>etc/lists/blacklist-alienvault</list>
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
</ruleset>
```

### 4. Custom Rules

**For Linux (Apache):**

```xml
<group name="attack,">
  <!-- Level not stated in the original guide; 10 is assumed -->
  <rule id="100100" level="10">
    <if_group>web|attack|attacks</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>IP address found in AlienVault reputation database.</description>
  </rule>
</group>
```

**For Windows (RDP):**

```xml
<group name="attack,">
  <!-- Level not stated in the original guide; 10 is assumed -->
  <rule id="100110" level="10">
    <if_group>authentication</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
    <description>Malicious IP detected - Windows RDP</description>
  </rule>
</group>
```

### 5. Active Response

**Linux (firewall-drop):**

```xml
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

**Windows (netsh):**

```xml
<active-response>
  <disabled>no</disabled>
  <command>netsh</command>
  <location>local</location>
  <rules_id>100110</rules_id>
  <timeout>600</timeout>
</active-response>
```

### Test

```bash
# From the attacker (Kali), access the target server/service
curl http://TARGET_IP/

# Repeat 5-10 times
for i in {1..10}; do curl http://TARGET_IP/; sleep 1; done

# Check the block on the target
# Linux:
sudo iptables -L -n | grep ATTACKER_IP
# Windows:
netsh advfirewall firewall show rule name=all | findstr "Wazuh"
```
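Step 2 above converts the downloaded reputation list into the `key:value` CDB text format with Wazuh's own script. The following Python converter is an added example, not Wazuh's `iplist-to-cdblist.py`, that shows what that conversion has to handle: comment and blank lines, duplicate entries, invalid lines, and netblocks. It assumes that a host becomes `a.b.c.d:<value>` and that a /8, /16 or /24 network becomes a prefix key with a trailing dot (`203.0.113.:<value>`), the netblock form an `address_match_key` lookup matches on; other prefix lengths are reported as skipped rather than silently dropped. The list in `SAMPLE_IPSET` is constructed sample data in the firehol ipset style.

```python
"""Convert an IP reputation list to Wazuh CDB text (one key:value per line)."""
import ipaddress

# Constructed sample list (firehol ipset style: comments start with '#')
SAMPLE_IPSET = """\
# constructed sample, firehol ipset style
# name: alienvault_reputation_demo
198.51.100.7
203.0.113.0/24
192.0.2.42
10.0.0.0/8
198.51.100.7      # duplicate entry
not-an-ip
172.16.0.0/12
"""


def entry_to_cdb_key(entry):
    """CDB key for one list entry; None when the netblock has no prefix-key form (assumption: /8, /16, /24 only)."""
    if "/" not in entry:
        return str(ipaddress.IPv4Address(entry))  # raises ValueError on junk
    net = ipaddress.IPv4Network(entry, strict=False)
    if net.prefixlen == 32:
        return str(net.network_address)
    if net.prefixlen in (8, 16, 24):
        octets = str(net.network_address).split(".")
        return ".".join(octets[: net.prefixlen // 8]) + "."
    return None


def iplist_to_cdb(text, value=""):
    """Return (cdb_lines, skipped): comments and blanks dropped, duplicates collapsed, bad entries reported."""
    lines, skipped, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not entry:
            continue
        try:
            key = entry_to_cdb_key(entry)
        except ValueError:
            key = None
        if key is None:
            skipped.append(entry)
            continue
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"{key}:{value}")
    return lines, skipped


def write_cdb_text(text, value=""):
    """Text for /var/ossec/etc/lists/<name>; the manager builds the binary .cdb from it on restart."""
    lines, _ = iplist_to_cdb(text, value)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cdb, skipped = iplist_to_cdb(SAMPLE_IPSET, "malicious")
    print("\n".join(cdb))
    print("skipped:", skipped)
```

Reviewing the `skipped` list before the file is installed matters more than it looks: an entry that is silently dropped is an attacker address that will never trigger rule 100100.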
## Brute-Force Detection

### Monitored Logs

**SSH (Linux):**

- `/var/log/auth.log` (Debian/Ubuntu)
- `/var/log/secure` (CentOS/RHEL)

### Default Wazuh Rules

- **Rule 5710** - Invalid user
- **Rule 5711** - Failed attempt
- **Rule 5716** - Possible SSH brute-force attack
- **Rule 5720** - Multiple authentication failures
- **Rule 5763** - Confirmed SSH brute force

### Simulated Attack (Hydra)

```bash
# Install Hydra
sudo apt install -y hydra

# Create a password list
cat > passwords.txt << EOF
123456
password
qwerty
admin
letmein
welcome
test123
linux
ubuntu
badpass
EOF

# Run the attack
hydra -l badguy -P passwords.txt TARGET_IP ssh -t 4
```

### Verify Detection

```bash
# Dashboard
# Filter: rule.id:(5551 OR 5712 OR 5716 OR 5720 OR 5763)

# Command line
sudo tail -200 /var/ossec/logs/alerts/alerts.log | grep -E "5551|5712|5716|5720|5763"
```

## SQL Injection Detection

### Configure the Apache Log (Agent)

```xml
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>
```

### Default Rule

- **Rule 31106** - SQL injection attempt detected

### Simulated Attack

```bash
# Attack 1: SELECT
curl -XGET "http://TARGET_IP/users/?id=SELECT+*+FROM+users"

# Attack 2: UNION
curl -XGET "http://TARGET_IP/search?q=test'+UNION+SELECT+null,null--"

# Attack 3: OR 1=1
curl -XGET "http://TARGET_IP/login.php?id=1'+OR+'1'='1"

# Attack 4: comment injection
curl -XGET "http://TARGET_IP/login.php?user=admin'--"
```

### Verify Detection

```bash
# Dashboard: rule.id:31106

# Logs
sudo tail -200 /var/ossec/logs/alerts/alerts.log | grep -i "31106"
```

## Active Response

### Concept

An automatic response mechanism triggered by specific alerts.

### Available Commands

| Command | System | Action |
|---------|--------|--------|
| `firewall-drop` | Linux | Block an IP with iptables |
| `netsh` | Windows | Block an IP with the Windows firewall |
| `disable-account` | Linux/Windows | Disable a user account |
| `restart-wazuh` | Agent | Restart the Wazuh Agent |
| **custom** | any | Custom script (yara.sh, etc.) |

### Structure

```xml
<command>
  <name>command_name</name>
  <executable>script.sh</executable>
  <extra_args>-argument1 value1 -argument2 value2</extra_args>
  <timeout_allowed>yes/no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>command_name</command>
  <location>local|server|all</location>
  <rules_id>100,101,102</rules_id>
  <timeout>600</timeout>
</active-response>
```

### Parameters

- `<location>local</location>` - runs on the agent that generated the alert
- `<location>server</location>` - runs on the Wazuh Server
- `<location>all</location>` - runs on all agents
- `<timeout>` - seconds before the action is reverted (e.g. the IP is unblocked)

### Full Example: Malicious IP Blocking

```xml
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

**Workflow:**

1. Rule 100100 fires (malicious IP detected)
2. Active Response calls `firewall-drop`
3. The script adds an iptables rule: `iptables -I INPUT -s MALICIOUS_IP -j DROP`
4. After 600 seconds (10 minutes) the rule is removed automatically

## Troubleshooting

### Problem: YARA does not detect malware

**Diagnosis:**

```bash
# 1. Check that YARA is installed
yara --version

# 2. Test YARA manually
/usr/local/bin/yara -w -r /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/eicar.com

# 3. Check the script permissions
ls -la /var/ossec/active-response/bin/yara.sh

# 4. Check the Active Response log
sudo tail -50 /var/ossec/logs/active-responses.log

# 5. Check the agent log
sudo tail -100 /var/ossec/logs/ossec.log | grep -i yara
```

**Solutions:**

- **yara.sh script:** check that LOG_FILE is an absolute path
- **Active Response:** check that `<location>` is `all` (instead of `local`)
- **XML rules:** check the group structure (every `<group>` closed properly)

### Problem: Agent cannot connect to the Server

```bash
# Check connectivity
telnet SERVER_IP 1514
telnet SERVER_IP 1515

# Check the agent configuration
grep "MANAGER_IP" /var/ossec/etc/ossec.conf

# Check the logs
sudo tail -50 /var/ossec/logs/ossec.log
```

### Problem: FIM generates no alerts

```bash
# 1. Check that FIM is enabled
sudo grep -A 10 "<syscheck>" /var/ossec/etc/ossec.conf

# 2. Force a scan (scan_on_start runs after a restart)
sudo /var/ossec/bin/wazuh-control restart

# 3. Check the logs
sudo tail -50 /var/ossec/logs/ossec.log | grep -i syscheck
```

### Problem: Wazuh Manager does not restart

```bash
# Show the specific error
sudo /var/ossec/bin/wazuh-control start

# Check the XML syntax
sudo /var/ossec/bin/verify-agent-conf

# Check the logs
sudo tail -100 /var/ossec/logs/ossec.log
```

## Useful Commands

### Service Management

```
# SERVER
sudo systemctl status wazuh-manager
sudo systemctl restart wazuh-manager
sudo systemctl stop wazuh-manager
sudo /var/ossec/bin/wazuh-control start
sudo /var/ossec/bin/wazuh-control stop

# LINUX AGENT
sudo systemctl status wazuh-agent
sudo systemctl restart wazuh-agent
sudo /var/ossec/bin/wazuh-control restart

# WINDOWS AGENT (PowerShell)
Get-Service -Name "WazuhSvc"
net stop WazuhSvc; net start WazuhSvc
```

### Agent Verification

```bash
# List connected agents
sudo /var/ossec/bin/agent_control -l

# Show information about a specific agent
sudo /var/ossec/bin/agent_control -i AGENT_ID

# Force a configuration reload (restarts all agents)
sudo /var/ossec/bin/agent_control -R -a
```

### Log Analysis

```bash
# Watch alerts in real time
sudo tail -f /var/ossec/logs/alerts/alerts.log

# Alerts for a specific rule
sudo tail -500 /var/ossec/logs/alerts/alerts.log | grep "Rule: 108001"

# Manager log
sudo tail -f /var/ossec/logs/ossec.log

# Active Response log (on the agent)
sudo tail -f /var/ossec/logs/active-responses.log
```

### Testing

```bash
# Test a specific rule
sudo /var/ossec/bin/wazuh-logtest

# Check the rule syntax
sudo /var/ossec/bin/verify-agent-conf

# Test a decoder
echo 'LOG_LINE' | sudo /var/ossec/bin/wazuh-logtest -v
```

### Cleanup and Maintenance

```bash
# Remove old logs (server)
sudo find /var/ossec/logs/alerts/ -name "*.log.*" -mtime +30 -delete

# Disk usage
sudo du -sh /var/ossec/

# Back up the configuration
sudo tar -czf ~/wazuh-config-backup-$(date +%Y%m%d).tar.gz \
  /var/ossec/etc/ossec.conf \
  /var/ossec/etc/rules/local_rules.xml \
  /var/ossec/etc/decoders/local_decoder.xml \
  /var/ossec/etc/lists/
```

## References

### Official Documentation

- **Wazuh documentation:** https://documentation.wazuh.com
- **YARA documentation:** https://yara.readthedocs.io
- **MITRE ATT&CK:** https://attack.mitre.org

### Useful Resources

- **Valhalla YARA rules:** https://valhalla.nextron-systems.com
- **AlienVault IP reputation list:** https://iplists.firehol.org
- **Wazuh ruleset:** https://github.com/wazuh/wazuh-ruleset
- **MalwareBazaar:** https://bazaar.abuse.ch

**Author:** Jorge Moreira
**Date:** January 2026
**Version:** 1.0
**Course:** DETECT - Cybersecurity training

**🎯 End of guide**