Ossim 中漏洞扫描详解
Openvas是一套开源漏洞扫描系统,如果手动搭建需要复杂的过程,花费不少人力和时间成本,此文主要针对OSSIM平台下如何以图形化方式操作漏洞扫描的过程。
准备工作:首先确保没有运行的扫描进程和任务
扫描漏洞同时升级漏洞库会导致升级失败。
第一步:同步插件
#openvas-nvt-sync
同步数万个插件时间比较长,可以去喝杯咖啡啦,或者了解一下插件的组成。
表1 Openvas主要脚本分类及分布情况
|
规则名称 |
数量 |
备注 |
|
IIS_frontpage_DOS_2.nasl |
1 |
|
|
phpbb |
8 |
|
|
RA_ssh_detect RA_www_css RA_www_detect |
3 |
|
|
RHSA_2009_03** |
279 |
Redhat Security Advisory |
|
3com_switches |
1 |
|
|
weblogic* |
3 |
|
|
cisco_ids cisco_vpn ciscoworks |
16 |
|
|
awstats |
4 |
|
|
apache |
23 |
|
|
DDI |
30 |
|
|
EZ_hotscripts |
3 |
|
|
anti_nessus |
1 |
|
|
basilix |
8 |
|
|
bluecoat |
1 |
|
|
bugbear |
3 |
|
|
bugzilla |
9 |
|
|
ca_unicenter |
2 |
|
|
cacti |
5 |
|
|
calendar |
3 |
|
|
Spoll_7_5_sql_injection |
2 |
|
|
avaya_switches |
1 |
|
|
citrix |
8 |
|
|
clamav |
2 |
|
|
CUPS |
12 |
|
|
cutenews |
12 |
|
|
checkpoint |
6 |
|
|
cheopsNG |
4 |
|
|
cvstrac |
24 |
|
|
DB2 |
4 |
|
|
deb_*.nasl |
2595 |
Debian Linux |
|
DNS |
5 |
|
|
deluxeBB |
3 |
|
|
eftp |
3 |
|
|
ls exchange* |
||
|
exchange |
2 |
|
|
fcore |
684 |
|
|
find_service |
5 |
|
|
fortigate |
1 |
|
|
freebsd |
2009 |
|
|
ftp |
30 |
|
|
gb_CESA |
1528 |
|
|
gb_RHSA |
871 |
|
|
gb_adobe |
167 |
|
|
gb_apple |
70 |
|
|
gb_baofeng_storm |
3 |
|
|
gb_bpsoft |
3 |
|
|
gb_clamav |
16 |
|
|
gb_ccproxy |
2 |
|
|
gb_clamav |
16 |
|
|
gb_fedora |
4679 |
|
|
gb_google |
162 |
|
|
gb_hp_ux |
242 |
HP-UNIX |
|
gb_ibm_db2 |
27 |
|
|
gb_ibm_websphere |
8 |
|
|
gb_ibm_tivoli |
5 |
|
|
gb_ibm_was |
16 |
|
|
gb_ibm_lotus |
10 |
|
|
gb_mandriva |
1684 |
|
|
gb_java |
2 |
|
|
gb_kaspersky |
6 |
|
|
gb_google_chrome |
153 |
|
|
gb_foxmail |
2 |
|
|
gb_fsecure |
7 |
|
|
gb_ms |
155 |
Windows 相关 |
|
gb_ubuntu |
1261 |
|
|
gb_samba |
12 |
|
|
gb_sun_java |
35 |
|
|
gb_wireshark |
87 |
|
|
glsa |
1727 |
|
|
gb_vmware |
41 |
|
|
IIS |
20 |
|
|
lotus |
5 |
|
|
ipswitch |
5 |
|
|
mysql |
5 |
|
|
gb_nmap |
187 |
|
|
nortel |
7 |
|
|
nagios |
5 |
|
|
openssh |
4 |
|
|
oscommerce |
5 |
|
|
postgresql |
5 |
|
|
phpgroupware |
12 |
|
|
phpmyadmin |
7 |
|
|
phpbb |
8 |
|
|
smb |
52 |
|
|
sendmail |
15 |
|
|
suse |
65 |
|
|
ssh |
11 |
|
|
smtp |
9 |
|
|
Ubuntu |
179 |
|
|
tomcat |
6 |
|
|
tftp |
11 |
|
|
wu_ftpd |
6 |
第二步:更新插件
#perl /usr/share/ossim/scripts/vulnmeter/updateplugins.pl migrate
2015-09-07 07:27:33 Framework profile has been found...
2015-09-07 07:27:33 Deleting all tasks in 192.168.11.150 ...
2015-09-07 07:27:33 updateplugins: configured to not updateplugins
2015-09-07 07:27:33 updateplugins: configured to not repair DB
2015-09-07 07:27:33 BEGIN - DUMP PLUGINS
2015-09-07 07:29:01 FINISH - DUMP PLUGINS [ Process took 88 seconds ]
2015-09-07 07:29:01 BEGIN - IMPORT PLUGINS
2015-09-07 07:30:00 FINISH - IMPORT PLUGINS [ 40473 plugins - Process took 59 seconds ]
2015-09-07 07:30:00 BEGIN - UPDATE CATEGORIES
2015-09-07 07:30:00 FINISH - UPDATE CATEGORIES [ Process took 0 seconds ]
2015-09-07 07:30:00 BEGIN - UPDATE FAMILIES
2015-09-07 07:30:00 FINISH - UPDATE FAMILIES [ Process took 0 seconds ]
2015-09-07 07:30:00 BEGIN - UPDATE OPENVAS_PLUGINS
2015-09-07 07:30:03 FINISH - UPDATE OPENVAS_PLUGINS [ Process took 3 seconds ]
2015-09-07 07:30:03 BEGIN - UPDATE NESSUS_PREFERENCES
2015-09-07 07:30:03 show tables like "vuln_nessus_preferences_defaults"
2015-09-07 07:30:03 updateprefs: Getting plugin preferences
2015-09-07 07:30:05 FINISH - UPDATE NESSUS_PREFERENCES [ Process took 2 seconds ]
2015-09-07 07:30:06 Creating Deep profile...
2015-09-07 07:30:06 Filling categories...............
2015-09-07 07:30:06 Done
2015-09-07 07:30:06 Filling families.............................................................
2015-09-07 07:30:06 Done
2015-09-07 07:30:06 Filling plugins...
2015-09-07 07:30:13 Filling preferences in Alienvault DB...
2015-09-07 07:30:14 Done
2015-09-07 07:30:14 Deep profile inserted
2015-09-07 07:30:15 Creating Default profile...
2015-09-07 07:30:15 Filling categories...............
2015-09-07 07:30:15 Done
2015-09-07 07:30:15 Filling families.............................................................
2015-09-07 07:30:15 Done
2015-09-07 07:30:15 Filling plugins...
2015-09-07 07:30:23 Filling preferences in Alienvault DB...
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Default profile inserted
2015-09-07 07:30:24 Creating Ultimate profile...
2015-09-07 07:30:24 Filling categories...............
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Filling families.............................................................
2015-09-07 07:30:24 Done
2015-09-07 07:30:24 Filling plugins...
2015-09-07 07:30:32 Filling preferences in Alienvault DB...
2015-09-07 07:30:33 Done
2015-09-07 07:30:33 Ultimate profile inserted
2015-09-07 07:30:33 BEGIN - UPDATE PORT SCANNER
2015-09-07 07:30:35 FINISH - UPDATE PORT SCANNER [ Process took 2 seconds ]
Updating plugin_sid vulnerabilities scanner ids
plugins fetched
Updating...
Script id:94151, Name:IT-Grundschutz M4.288: Sichere Administration von VoIP-Endger?ten, Priority:0
Script id:703073, Name:Debian Security Advisory DSA 3073-1 (libgcrypt11 - security update), Priority:1
Script id:804624, Name:Adobe Reader Plugin Signature Bypass Vulnerability (Windows), Priority:2
Script id:868149, Name:Fedora Update for kernel FEDORA-2014-9959, Priority:5
Script id:95048, Name:IT-Grundschutz M5.145: Sicherer Einsatz von CUPS, Priority:0
Script id:842216, Name:Ubuntu Update for linux USN-2616-1, Priority:4
Script id:105036, Name:OpenVPN Detection, Priority:0
Script id:868005, Name:Fedora Update for audacious-plugins FEDORA-2014-8183, Priority:1
Script id:869350, Name:Fedora Update for springframework FEDORA-2015-6862, Priority:5
… …
Script id:105084, Name:Multiple ManageEngine Products Arbitrary File Upload Vulnerability, Priority:3
Script id:867751, Name:Fedora Update for python-keystoneclient FEDORA-2014-5555, Priority:3
Script id:882209, Name:CentOS Update for nss CESA-2015:1185 centos6, Priority:2
Script id:842209, Name:Ubuntu Update for libmodule-signature-perl USN-2607-1, Priority:5
经过一刻钟等待终于更新完成。下面用时间轴表示每个步骤的演进顺序和所花费的时间,如下图所示。从某日的00:34:34开始到00:38:50结束的过程。
第三步:验证更新
我们看到最后一行显示总数为40473,这个数值和下载的插件数量一直,代表升级完成。
第四步:开始漏洞扫描-定制策略
首先扫描资产,建立资源池,这里就不详细介绍。在OSSIM系统里默认定义了三种策略,默认为Default,该策略最为常用。
如果需要更改策略,请点击CREATE NEW PROFILE按钮。
接着开始扫描,填写任务名称,选择Sensor,选择策略,选择资源池内的主机,最后点击新建任务按钮。
扫描准备
漏洞扫描时那些进程最繁忙?
Htop是Linux系统中的一个互动的进程查看工具,该命令可以帮助管理员了解扫描发生的变化。#htop -d 50
一次扫描多少机器合适?
如果所监控网段服务器数量超过25台,这里假设是100台,那么至少分4次扫描,例如直接输入“192.168.11.0/24”,这样表示一个网段,那么OSSIM系统负载将会明显增大,扫描等待时间明显延长,可能会长达数天,直到超过一个计划任务的周期,这样可能造成一个恶性循环,直到拖垮整个系统。
扫描结果分析
不过在分析时,谈到“过时”的漏洞问题,在一些古老些操作系统Windows NT/2000、Solaris7/8、Linux(2.2 、2.4内核)曾经存在的那些系统漏洞、网络服务器漏洞,在现代系统中已经绝迹,受影响系统已经被修复,这种漏洞变得没有任何价值。对这些系统进行漏洞扫描变得没有意义。