federicofantini/Wazuh-TI

GitHub: federicofantini/Wazuh-TI

A project that walks through deploying a complete threat intelligence pipeline in Wazuh, improving detection coverage through automated TI ingestion and integration.

Stars: 6 | Forks: 3

# Wazuh-TI
**Threat Intelligence ingestion pipeline for Wazuh detection**

[![GitHub tag](https://img.shields.io/github/tag/federicofantini/Wazuh-TI?include_prereleases=&sort=semver&color=blue)](https://github.com/federicofantini/Wazuh-TI/releases/) [![License](https://img.shields.io/badge/License-GPLv3-blue)](#license) [![Issues](https://img.shields.io/github/issues/federicofantini/Wazuh-TI?logo=github)](https://github.com/federicofantini/Wazuh-TI/issues) [![Stars](https://img.shields.io/github/stars/federicofantini/Wazuh-TI?style=flat&logo=github)](https://github.com/federicofantini/Wazuh-TI/stargazers) [![Forks](https://img.shields.io/github/forks/federicofantini/Wazuh-TI?style=flat&logo=github)](https://github.com/federicofantini/Wazuh-TI/forks) [![Last commit](https://img.shields.io/github/last-commit/federicofantini/Wazuh-TI?logo=github)](https://github.com/federicofantini/Wazuh-TI/commits/main) [![Python](https://img.shields.io/badge/Python-3.x-3776AB?logo=python&logoColor=white)](https://www.python.org/) [![Shell](https://img.shields.io/badge/Shell-Bash-4EAA25?logo=gnubash&logoColor=white)](https://www.gnu.org/software/bash/) [![Wazuh](https://img.shields.io/badge/Wazuh-Threat%20Intelligence-005571)](https://wazuh.com/) [![OpenCTI](https://img.shields.io/badge/OpenCTI-Integration-1F6FEB)](https://www.opencti.io/)

## 0. Reference

This repository is the companion material for this blog post: https://blog.federicofantini.net/blog/2026/03/23/Wauh-Threat-Intelligence.html

## 1. Overview

This guide explains how to deploy a complete Threat Intelligence pipeline:

- TI feed automation (Wazuh Manager)
- CDB list integration
- Custom detection rules
- Suricata network telemetry (Linux agents)
- Sysmon telemetry (Windows agents)
- Scheduled updates via cron

For a better understanding of the implementation choices and of how the project works, see the blog post: ...

## 2. Wazuh Manager setup

All manager-side files live in:

```
wazuh-manager/
```

### 2.1 Install the TI update script

Copy:

```
wazuh-manager/usr/local/bin/update-ti-lists.sh
```

to:

```
/usr/local/bin/update-ti-lists.sh
```

Set execute permissions:

```
chmod +x /usr/local/bin/update-ti-lists.sh
```

Configure the environment variables in `/etc/default/wazuh-ti`:

```
THREATFOX_AUTH_KEY="..."
THREATFOX_DAYS=1
OTX_ALIENVAULT_AUTH_KEY="..."
OTX_DAYS_DELTA=1
```

### 2.2 Install the custom TI rules

Copy:

```
wazuh-manager/var/ossec/etc/rules/local_ti_rules_linux.xml
wazuh-manager/var/ossec/etc/rules/local_ti_rules_windows.xml
```

to:

```
/var/ossec/etc/rules/
```

Verify ownership:

```
chown wazuh:wazuh /var/ossec/etc/rules/local_ti_rules_*.xml
```

### 2.3 Update the Wazuh Manager ossec.conf

Merge the relevant configuration from:

```
wazuh-manager/var/ossec/etc/ossec.conf
```

into:

```
/var/ossec/etc/ossec.conf
```

Make sure the `<ruleset>` section contains the lists:

```
<ruleset>
  ...
  <list>etc/lists/threatview_cs_c2</list>
  <list>etc/lists/threatfox_ip</list>
  <list>etc/lists/threatfox_domain</list>
  <list>etc/lists/et_compromised_ips</list>
  <list>etc/lists/et_ciarmy</list>
  <list>etc/lists/et_drop</list>
  <list>etc/lists/et_tor</list>
  <list>etc/lists/et_dshield</list>
  ...
</ruleset>
```

Adjust the list names to match the output produced by `update-ti-lists.sh`.

### 2.4 Configure cron on the manager

Open the crontab:

```
crontab -e
```

Insert:

```
0 3 * * * /usr/local/bin/update-ti-lists.sh >> /var/log/wazuh-ti-update.log 2>&1
15 3 * * * test -s /var/log/wazuh-ti-update.log && systemctl restart wazuh-manager >> /var/log/wazuh-restart.log 2>&1
```

This configuration:

- updates the TI feeds every day at 03:00
- restarts the Wazuh Manager at 03:15, only if the update produced output
- ensures the CDB lists are recompiled and loaded correctly

Note that the first line appends to the log with `>>`; unless the script or a logrotate job truncates that file, `test -s` will succeed every night after the first run.

### 2.5 Make sure the lists folder exists

```
mkdir -p /var/ossec/etc/lists
chown wazuh:wazuh /var/ossec/etc/lists
```

### 2.6 Initial restart

After completing the setup:

```
systemctl restart wazuh-manager
```

This ensures that:

- the custom rules are loaded
- the CDB lists are compiled
- detection is active

### 2.7 OpenCTI integration

This alternative integration exports OpenCTI TAXII indicators into Wazuh CDB lists.

Generated lists:

```
opencti_ips
opencti_domains
opencti_file_hashes
```

Final Wazuh destination:

```
/var/ossec/etc/lists/
```

#### Install the OpenCTI fetch user

Create a dedicated unprivileged user:

```
sudo adduser --disabled-password --gecos "" opencti-ti
sudo -u opencti-ti mkdir -p /home/opencti-ti/bin
sudo -u opencti-ti mkdir -p /home/opencti-ti/iocs
sudo -u opencti-ti mkdir -p /home/opencti-ti/logs
```

Copy the fetch script:

```
sudo cp wazuh-manager/usr/local/bin/fetch_opencti_iocs.py /home/opencti-ti/bin/fetch_opencti_iocs.py
sudo chown opencti-ti:opencti-ti /home/opencti-ti/bin/fetch_opencti_iocs.py
sudo chmod 750 /home/opencti-ti/bin/fetch_opencti_iocs.py
```

At a minimum, configure the basic global variables in the script:

```
TAXII_URL = "..."
OUTPUT_DIR = "/home/opencti-ti/iocs"
TRANCO_DIR = "/home/opencti-ti/bin"
```

The script extracts IPs, domains/hostnames/URL hosts and file hashes, applies Tranco-based filtering to the domain list, and writes the resulting indicators to three Wazuh CDB list files.

Manual test:

```
sudo -u opencti-ti /usr/bin/python3 /home/opencti-ti/bin/fetch_opencti_iocs.py
sudo -u opencti-ti ls -lh /home/opencti-ti/iocs/
```

#### Schedule the OpenCTI updates

Edit the crontab of `opencti-ti`:

```
sudo crontab -u opencti-ti -e
```

Run the fetch daily:

```
0 3 * * * /usr/bin/python3 /home/opencti-ti/bin/fetch_opencti_iocs.py >> /home/opencti-ti/logs/fetch_opencti_iocs.log 2>&1
```

Configure log rotation:

```
sudo tee /etc/logrotate.d/opencti-ti >/dev/null <<'EOF'
/home/opencti-ti/logs/fetch_opencti_iocs.log {
    size 10M
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
    su opencti-ti opencti-ti
}
EOF
sudo -u opencti-ti touch /home/opencti-ti/logs/fetch_opencti_iocs.log
```

#### Copy the lists into Wazuh

Add a root cron job on the Wazuh Manager:

```
sudo crontab -e
```

Copy the generated files into Wazuh and restart the manager:

```
30 3,21 * * * cp /home/opencti-ti/iocs/opencti_ips /home/opencti-ti/iocs/opencti_domains /home/opencti-ti/iocs/opencti_file_hashes /var/ossec/etc/lists/ && chown wazuh:wazuh /var/ossec/etc/lists/opencti_ips /var/ossec/etc/lists/opencti_domains /var/ossec/etc/lists/opencti_file_hashes && chmod 640 /var/ossec/etc/lists/opencti_ips /var/ossec/etc/lists/opencti_domains /var/ossec/etc/lists/opencti_file_hashes && systemctl restart wazuh-manager
```

#### Register the CDB lists

Add the lists to the `<ruleset>` section of `/var/ossec/etc/ossec.conf`:

```
<list>etc/lists/opencti_ips</list>
<list>etc/lists/opencti_domains</list>
<list>etc/lists/opencti_file_hashes</list>
```

#### Install the OpenCTI rules

Copy:

```
wazuh-manager/var/ossec/etc/rules/local_ti_rules_opencti_linux.xml
wazuh-manager/var/ossec/etc/rules/local_ti_rules_opencti_windows.xml
```

to:

```
/var/ossec/etc/rules/
```

Verify ownership:

```
chown wazuh:wazuh /var/ossec/etc/rules/local_ti_rules_*.xml
```

Restart the manager:

```
sudo systemctl restart wazuh-manager
```

#### Verification

```
sudo -u opencti-ti ls -lh /home/opencti-ti/iocs/
sudo ls -lh /var/ossec/etc/lists/opencti_*
sudo ls -lh /var/ossec/etc/lists/opencti_*.cdb
sudo systemctl status wazuh-manager
sudo /var/ossec/bin/wazuh-logtest
```

## 3. Linux agent setup (Suricata + Wazuh Agent)

All agent-side files live in:

```
wazuh-agent/
```

### 3.1 Install Suricata

#### Debian / Ubuntu

```
sudo apt update
sudo apt install suricata
```

#### RHEL / CentOS

```
sudo yum install epel-release
sudo yum install suricata
```

Verify the installation:

```
suricata --build-info
```

Enable and start Suricata:

```
systemctl enable suricata
systemctl start suricata
```

### 3.2 Install the custom Suricata configuration

Copy:

```
wazuh-agent/etc/suricata/suricata.yaml
```

to:

```
/etc/suricata/suricata.yaml
```

Check the configuration with: `suricata -T -c /etc/suricata/suricata.yaml -v`

Make sure EVE JSON output is enabled and written to:

```
/var/log/suricata/eve.json
```

Restart Suricata:

```
systemctl restart suricata
```

### 3.3 Install the Suricata update script

Copy:

```
wazuh-agent/usr/local/sbin/suricata-update.sh
```

to:

```
/usr/local/sbin/suricata-update.sh
```

Set permissions:

```
chmod +x /usr/local/sbin/suricata-update.sh
```

### 3.4 Configure the Suricata rule update cron (agent)

Open the crontab:

```
crontab -e
```

Insert:

```
15 3,9,15,18 * * * /usr/local/sbin/suricata-update.sh
```

This updates the Suricata rules several times a day.

### 3.5 Configure the Wazuh Agent ossec.conf

Copy:

```
wazuh-agent/var/ossec/etc/ossec.conf
```

and merge it into:

```
/var/ossec/etc/ossec.conf
```

Make sure Suricata log collection is configured:

```
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
```

Restart the agent:

```
systemctl restart wazuh-agent
```

## 4. Windows agent (Sysmon)

Follow the official Wazuh guide for installing Sysmon and detecting with Wazuh: https://wazuh.com/blog/detecting-process-injection-attacks-with-wazuh/

In this repository:

```
wazuh-agent/sysmon/sysmonconfig.xml
```

Install Sysmon:

```
Sysmon64.exe -accepteula -i sysmonconfig.xml
```

Make sure the Wazuh agent collects the Windows event log as documented in the official guide.

## 5. Verification

After deployment:

1. Confirm the TI lists exist: `ls /var/ossec/etc/lists/ | grep -vP '\.cdb$'`

   ```
   et_ciarmy
   et_compromised_ips
   et_drop
   et_dshield
   et_tor
   ipsum_bad_ips
   openphish_domain
   otx_alienvault_domain
   otx_alienvault_ip
   threatfox_domain
   threatfox_ip
   threatview_cs_c2
   ```

2. Confirm the CDB files are compiled: `ls /var/ossec/etc/lists/*.cdb`

   ```
   et_ciarmy.cdb
   et_compromised_ips.cdb
   et_drop.cdb
   et_dshield.cdb
   et_tor.cdb
   ipsum_bad_ips.cdb
   openphish_domain.cdb
   otx_alienvault_domain.cdb
   otx_alienvault_ip.cdb
   threatfox_domain.cdb
   threatfox_ip.cdb
   threatview_cs_c2.cdb
   ```

3. Check the manager status: `systemctl status wazuh-manager`

4. Test rule evaluation: `/var/ossec/bin/wazuh-logtest`

5. Check the log file `/var/log/wazuh-ti-update.log`:

   ```
   2026-03-07 03:00:03 Wrote /var/ossec/etc/lists/threatview_cs_c2 (1704 entries)
   2026-03-07 03:00:08 Wrote /var/ossec/etc/lists/et_compromised_ips (1740 entries)
   2026-03-07 03:00:14 Wrote /var/ossec/etc/lists/et_ciarmy (73986 entries)
   2026-03-07 03:00:17 Wrote /var/ossec/etc/lists/et_drop (2779 entries)
   2026-03-07 03:00:19 Wrote /var/ossec/etc/lists/et_tor (18210 entries)
   2026-03-07 03:00:19 Wrote /var/ossec/etc/lists/et_dshield (74 entries)
   2026-03-07 03:00:20 Wrote /var/ossec/etc/lists/threatfox_ip (4734 entries)
   2026-03-07 03:00:20 Wrote /var/ossec/etc/lists/threatfox_domain (9685 entries)
   2026-03-07 03:00:20 Fetching OTX pulses (local filter: indicators created in last 1 days)
   2026-03-07 03:00:24 Fetched OTX pulse (size=0MB)
   2026-03-07 03:00:24 Wrote /var/ossec/etc/lists/otx_alienvault_ip (157 entries)
   2026-03-07 03:00:24 Wrote /var/ossec/etc/lists/otx_alienvault_domain (13480 entries)
   2026-03-07 03:00:24 Wrote /var/ossec/etc/lists/openphish_domain (5662 entries)
   2026-03-07 03:00:24 Wrote /var/ossec/etc/lists/ipsum_bad_ips (714593 entries)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/threatfox_ip
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/threatfox_ip (4706 entries, removed 28)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/threatfox_domain
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/threatfox_domain (9676 entries, removed 9)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/threatview_cs_c2
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/threatview_cs_c2 (852 entries, removed 852)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/et_compromised_ips
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/et_compromised_ips (1200 entries, removed 540)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/et_ciarmy
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/et_ciarmy (60494 entries, removed 13492)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/et_drop
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/et_drop (1556 entries, removed 1223)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/et_tor
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/et_tor (10984 entries, removed 7226)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/et_dshield
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/et_dshield (55 entries, removed 19)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/otx_alienvault_ip
   2026-03-07 03:00:24 Dedup completed for /var/ossec/etc/lists/otx_alienvault_ip (157 entries, removed 0)
   2026-03-07 03:00:24 Deduplicating /var/ossec/etc/lists/otx_alienvault_domain
   2026-03-07 03:00:25 Dedup completed for /var/ossec/etc/lists/otx_alienvault_domain (13480 entries, removed 0)
   2026-03-07 03:00:25 Deduplicating /var/ossec/etc/lists/openphish_domain
   2026-03-07 03:00:25 Dedup completed for /var/ossec/etc/lists/openphish_domain (5586 entries, removed 76)
   2026-03-07 03:00:25 Deduplicating /var/ossec/etc/lists/ipsum_bad_ips
   2026-03-07 03:00:26 Dedup completed for /var/ossec/etc/lists/ipsum_bad_ips (509765 entries, removed 204828)
   2026-03-07 03:00:26 Done
   ```

6. Generate a test event that matches a known indicator.

If everything is configured correctly, alerts should appear in:

- the Wazuh dashboard
- Discord (if the webhook integration is configured)

## 6. Final notes

This setup:

- does not modify the Wazuh core
- uses the documented CDB list and rule mechanisms
- can be removed cleanly
- can coexist with future native CTI features

When Wazuh introduces fully integrated CTI feed management, this pipeline can be replaced or adapted accordingly.
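As an added worked example (not code from the repository's `update-ti-lists.sh` or `fetch_opencti_iocs.py`), the following Python shows the list-building step that sections 2 and 5 describe: raw feed lines are normalised into Wazuh CDB `key:value` lines, domains are filtered against a Tranco-style allowlist as the OpenCTI script does, and duplicates are counted the way the update log reports them. The feed contents, the allowlist and the list names are constructed assumptions.

```python
"""Raw TI feed text -> Wazuh CDB list lines. Added example, not the repo's
update-ti-lists.sh / fetch_opencti_iocs.py; feed format and allowlist are assumed."""
import ipaddress
import re

# A CDB list is one "key:value" per line and lookups match on the key, so the
# value is left empty. IPv4 only: the separator is a colon, and quoting IPv6
# keys is out of scope here.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$")

def parse_feed(text):
    """Drop blank lines and '#' comments (inline ones too)."""
    return [e for e in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if e]

def normalise_ip(entry):
    """Canonical IPv4 host or CIDR (feeds such as ET DROP publish ranges), else None."""
    for parse in (ipaddress.ip_address, lambda s: ipaddress.ip_network(s, strict=False)):
        try:
            obj = parse(entry)
        except ValueError:
            continue
        return str(obj) if obj.version == 4 else None
    return None

def normalise_domain(entry, allowlist):
    """Lower-case, strip scheme/path/port, validate, and suppress any host under
    an allowlisted (Tranco-style) domain to cut false positives."""
    host = re.sub(r"^[a-z]+://", "", entry.lower()).split("/", 1)[0].split(":", 1)[0].strip(".")
    if not DOMAIN_RE.match(host) or normalise_ip(host):
        return None
    labels = host.split(".")
    if any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1)):
        return None
    return host

def build_cdb(entries, normalise):
    """Return (sorted unique 'key:' lines, duplicates removed): the numbers the
    updater logs as 'Dedup completed ... (N entries, removed M)'."""
    keys = [k for k in map(normalise, entries) if k]
    unique = sorted(set(keys))
    return [f"{k}:" for k in unique], len(keys) - len(unique)

# Constructed sample feeds (documentation ranges / reserved names), not real IoCs.
SAMPLE_IP_FEED = "# header\n198.51.100.7\n198.51.100.7  # dup\n203.0.113.0/24\nnot-an-ip\n2001:db8::1\n"
SAMPLE_DOMAIN_FEED = "bad.example.net.\nBAD.example.net\nhttp://login.example.org/phish\nmail.google.com\n"
TRANCO_TOP = {"google.com"}

def build_lists():
    """Both lists in memory; on a manager each 'lines' value would be written to
    /var/ossec/etc/lists/<name> before restarting wazuh-manager."""
    return {"sample_ip": build_cdb(parse_feed(SAMPLE_IP_FEED), normalise_ip),
            "sample_domain": build_cdb(parse_feed(SAMPLE_DOMAIN_FEED),
                                       lambda e: normalise_domain(e, TRANCO_TOP))}
```

Running `build_lists()` yields two entries for each sample list with one duplicate removed in each case, matching the `(N entries, removed M)` figures the real updater logs.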