溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
Ossim 中漏洞掃描詳解
Openvas是一套開源漏洞掃描系統,如果手動搭建需要復雜的過程,花費不少人力和時間成本,因為它是套免費的漏洞掃描系統,功能上不遜色于商業版的漏洞掃描器,受到不少用戶的青睞,下表對比了NeXpose、RSAS和啟明的漏洞掃描器的主要功能。
有了以上背景之后,下文主要針對OSSIM平臺下如何以圖形化方式操作漏洞掃描的過程。
準備工作:首先確保沒有運行的掃描進程和任務
掃描漏洞同時升級漏洞庫會導致升級失敗。
第一步:同步插件
#openvas-nvt-sync
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed
OpenVAS feed server - http://www.openvas.org/
This service is hosted by Intevation GmbH - http://intevation.de/
All transactions are logged.
Please report synchronization problems to openvas-feed@intevation.de.
If you have any other questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.
receiving incremental file list
deleting gb_openssl_38562.nasl.asc
deleting gb_openssl_38562.nasl
./
COPYING
588 100% 574.22kB/s 0:00:00 (xfer#1, to-check=13347/13355)
COPYING.GPLv2
18002 100% 17.17MB/s 0:00:00 (xfer#2, to-check=13346/13355)
COPYING.files
1819904 100% 1.77MB/s 0:00:00 (xfer#3, to-check=13345/13355)
DDI_Directory_Scanner.nasl
32957 100% 32.74kB/s 0:00:00 (xfer#4, to-check=13342/13355)
DDI_Directory_Scanner.nasl.asc
198 100% 0.20kB/s 0:00:00 (xfer#5, to-check=13341/13355)
... ...
同步數萬個插件時間比較長,消耗資源不大,可以去喝杯咖啡啦,或者了解一下插件的組成。
表1 Openvas主要腳本分類及分布情況
規則名稱 | 數量 | 備注 |
IIS_frontpage_DOS_2.nasl | 1 | |
phpbb | 8 | |
RA_ssh_detect RA_www_css RA_www_detect | 3 | |
RHSA_2009_03** | 279 | Redhat Security Advisory |
3com_switches | 1 | |
weblogic* | 3 | |
cisco_ids cisco_*** ciscoworks | 16 | |
awstats | 4 | |
apache | 23 | |
DDI | 30 | |
EZ_hotscripts | 3 | |
anti_nessus | 1 | |
basilix | 8 | |
bluecoat | 1 | |
bugbear | 3 | |
bugzilla | 9 | |
ca_unicenter | 2 | |
cacti | 5 | |
calendar | 3 | |
Spoll_7_5_sql_injection | 2 | |
avaya_switches | 1 | |
citrix | 8 | |
clamav | 2 | |
CUPS | 12 | |
cutenews | 12 | |
checkpoint | 6 | |
cheopsNG | 4 | |
cvstrac | 24 | |
DB2 | 4 | |
deb_*.nasl | 2595 | Debian Linux |
5 | ||
deluxeBB | 3 | |
eftp | 3 | |
ls exchange* | ||
exchange | 2 | |
fcore | 684 | |
find_service | 5 | |
fortigate | 1 | |
freebsd | 2009 | |
ftp | 30 | |
gb_CESA | 1528 | |
gb_RHSA | 871 | |
gb_adobe | 167 | |
gb_apple | 70 | |
gb_baofeng_storm | 3 | |
gb_bpsoft | 3 | |
gb_clamav | 16 | |
gb_ccproxy | 2 | |
gb_clamav | 16 | |
gb_fedora | 4679 | |
gb_google | 162 | |
gb_hp_ux | 242 | HP-UNIX |
gb_ibm_db2 | 27 | |
gb_ibm_websphere | 8 | |
gb_ibm_tivoli | 5 | |
gb_ibm_was | 16 | |
gb_ibm_lotus | 10 | |
gb_mandriva | 1684 | |
gb_java | 2 | |
gb_kaspersky | 6 | |
gb_google_chrome | 153 | |
gb_foxmail | 2 | |
gb_fsecure | 7 | |
gb_ms | 155 | Windows 相關 |
gb_ubuntu | 1261 | |
gb_samba | 12 | |
gb_sun_java | 35 | |
gb_wireshark | 87 | |
glsa | 1727 | |
gb_vmware | 41 | |
IIS | 20 | |
lotus | 5 | |
ipswitch | 5 | |
5 | ||
gb_nmap | 187 | |
nortel | 7 | |
nagios | 5 | |
openssh | 4 | |
oscommerce | 5 | |
postgresql | 5 | |
phpgroupware | 12 | |
phpmyadmin | 7 | |
phpbb | 8 | |
smb | 52 | |
sendmail | 15 | |
suse | 65 | |
ssh | 11 | |
smtp | 9 | |
Ubuntu | 179 | |
tomcat | 6 | |
tftp | 11 | |
wu_ftpd | 6 |
第二步:更新插件(做這一步操作,建議在輕負載下進行)
#perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate /* 比較消耗CPU和磁盤I/O */
2015-09-07 07:27:33 Framework profile has been found...
2015-09-07 07:27:33 Deleting all tasks in 192.168.11.150 ...
2015-09-07 07:27:33 updateplugins: configured to not updateplugins
2015-09-07 07:27:33 updateplugins: configured to not repair DB
2015-09-07 07:27:33 BEGIN - DUMP PLUGINS
2015-09-07 07:29:01 FINISH - DUMP PLUGINS [ Process took 88 seconds ]
2015-09-07 07:29:01 BEGIN - IMPORT PLUGINS
2015-09-07 07:30:00 FINISH - IMPORT PLUGINS [ 40473 plugins - Process took 59 seconds ]
2015-09-07 07:30:00 BEGIN - UPDATE CATEGORIES
2015-09-07 07:30:00 FINISH - UPDATE CATEGORIES [ Process took 0 seconds ]
2015-09-07 07:30:00 BEGIN - UPDATE FAMILIES
2015-09-07 07:30:00 FINISH - UPDATE FAMILIES [ Process took 0 seconds ]
2015-09-07 07:30:00 BEGIN - UPDATE OPENVAS_PLUGINS
2015-09-07 07:30:03 FINISH - UPDATE OPENVAS_PLUGINS [ Process took 3 seconds ]
2015-09-07 07:30:03 BEGIN - UPDATE NESSUS_PREFERENCES
2015-09-07 07:30:03 show tables like "vuln_nessus_preferences_defaults"
2015-09-07 07:30:03 updateprefs: Getting plugin preferences
2015-09-07 07:30:05 FINISH - UPDATE NESSUS_PREFERENCES [ Process took 2 seconds ]
2015-09-07 07:30:06 Creating Deep profile...
2015-09-07 07:30:06 Filling categories...............
2015-09-07 07:30:06 Done
2015-09-07 07:30:06 Filling families.............................................................
2015-09-07 07:30:06 Done
2015-09-07 07:30:06 Filling plugins...
2015-09-07 07:30:13 Filling preferences in Alienvault DB...
2015-09-07 07:30:14 Done
2015-09-07 07:30:14 Deep profile inserted
2015-09-07 07:30:15 Creating Default profile...
2015-09-07 07:30:15 Filling categories...............
2015-09-07 07:30:15 Done
2015-09-07 07:30:15 Filling families.............................................................
2015-09-07 07:30:15 Done
2015-09-07 07:30:15 Filling plugins...
2015-09-07 07:30:23 Filling preferences in Alienvault DB...
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Default profile inserted
2015-09-07 07:30:24 Creating Ultimate profile...
2015-09-07 07:30:24 Filling categories...............
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Filling families.............................................................
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Filling plugins...
2015-09-07 07:30:32 Filling preferences in Alienvault DB...
2015-09-07 07:30:33 Done
2015-09-07 07:30:33 Ultimate profile inserted
2015-09-07 07:30:33 BEGIN - UPDATE PORT SCANNER
2015-09-07 07:30:35 FINISH - UPDATE PORT SCANNER [ Process took 2 seconds ]
Updating plugin_sid vulnerabilities scanner ids
plugins fetched
Updating...
Script id:94151, Name:IT-Grundschutz M4.288: Sichere Administration von VoIP-Endger?ten, Priority:0
Script id:703073, Name:Debian Security Advisory DSA 3073-1 (libgcrypt11 - security update), Priority:1
Script id:804624, Name:Adobe Reader Plugin Signature Bypass Vulnerability (Windows), Priority:2
Script id:868149, Name:Fedora Update for kernel FEDORA-2014-9959, Priority:5
Script id:95048, Name:IT-Grundschutz M5.145: Sicherer Einsatz von CUPS, Priority:0
Script id:842216, Name:Ubuntu Update for linux USN-2616-1, Priority:4
Script id:105036, Name:Open××× Detection, Priority:0
Script id:868005, Name:Fedora Update for audacious-plugins FEDORA-2014-8183, Priority:1
Script id:869350, Name:Fedora Update for springframework FEDORA-2015-6862, Priority:5
… …
Script id:105084, Name:Multiple ManageEngine Products Arbitrary File Upload Vulnerability, Priority:3
Script id:867751, Name:Fedora Update for python-keystoneclient FEDORA-2014-5555, Priority:3
Script id:882209, Name:CentOS Update for nss CESA-2015:1185 centos6, Priority:2
Script id:842209, Name:Ubuntu Update for libmodule-signature-perl USN-2607-1, Priority:5
經過一刻鐘等待終于更新完成。注意,該過程需要一氣呵成,中途不能強制退出。
下面用時間軸表示每個步驟的演進順序和所花費的時間,如下圖所示。從某日的00:34:34開始到00:38:50結束的過程。
如果有些用戶不習慣在CLI下操作升級命令,這一工作同樣可以在WebUI中完成。
第三步:驗證更新
我們看到最后一行顯示總數為40473,這個數值和下載的插件數量一直,代表升級完成。
注意:漏洞升級視頻大家可訪問:http://www.tudou.com/programs/view/kyTmc42Ky14/
第四步:開始漏洞掃描-定制策略
首先掃描資產,建立資源池,這里就不詳細介紹。在OSSIM系統里默認定義了三種策略,默認為Default,該策略最為常用。
如果需要更改策略,請點擊CREATE NEW PROFILE按鈕。
接著開始掃描,填寫任務名稱,選擇Sensor,選擇策略,選擇資源池內的主機,最后點擊新建任務按鈕。
掃描準備
漏洞掃描時那些進程最繁忙?
Htop是Linux系統中的一個互動的進程查看工具,該命令可以幫助管理員了解掃描發生的變化。#htop -d 50
一次掃描多少機器合適?
如果所監控網段服務器數量超過25臺,這里假設是100臺,那么至少分4次掃描,例如直接輸入“192.168.11.0/24”,這樣表示一個網段,那么OSSIM系統負載將會明顯增大,掃描等待時間明顯延長,可能會長達數天,直到超過一個計劃任務的周期,這樣可能造成一個惡性循環,直到拖垮整個系統。
進過300多分鐘都沒有結束的任務最后逃脫不了失敗的命運。
掃描結果分析
不過在分析時,談到“過時”的漏洞問題,在一些古老些操作系統Windows NT/2000、Solaris7/8、Linux(2.2 、2.4內核)曾經存在的那些系統漏洞、網絡服務器漏洞,在現代系統中已經絕跡,受影響系統已經被修復,這種漏洞變得沒有任何價值。對這些系統進行漏洞掃描變得沒有意義。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
