长亭WAF雷池社区版联动企业微信报警

一、Logstash

1.1 logstash容器安装（加入safeline-ce容器网）

docker run -di --restart=always --log-driver json-file  -p 5044:5044 -p 9600:9600 --name logstash  --net safeline-ce  logstash:8.8.1

1.2 logstash配置

注意事项：

1.jdbc_driver_library的jar包需要单独下载；

2.waf的日志根据id进行增量更新，id递增则logstash进行output。其中记录id号的user.metadata空文件需要单独创建。其中查询的SQL语句statement  最后需要写明增量条件 > :sql_last_value；

3.日志量较大的话，分页进行配置；

4.Output模块中理论上可以直接通过http的发送给数据给企业微信机器人的webhook，不过这边是通过发送到本地的webhook做了相关makedown的格式调整以及颜色和超链接的优化，再由本地webhook发送至企业微信机器人的webhook。；

5.在38行output中pushwechatalert为后文webhook配置waf.json的id，需要一致。

input {  
    jdbc {  
        jdbc_connection_string => "jdbc:[postgresql://169.254.0.2:5432/safeline-ce]()"  
        jdbc_user => "safeline-ce"  
        jdbc_password => "F6epaIfxxxxxxxxxxxxxxx64dKbUhhc"  
        jdbc_driver_library => "/usr/share/logstash/jdk/bin/pgsql/postgresql-42.6.0.jar"  
        jdbc_driver_class => "org.postgresql.Driver"  
        jdbc_paging_enabled => "true"  
        jdbc_page_size => "300000"  
        use_column_value => "true"  
        tracking_column => "id"  
        tracking_column_type => "numeric"  
        record_last_run => "true"  
        clean_run => false  
        last_run_metadata_path => "/usr/share/logstash/jdk/bin/pgsql/user.metadata"  
        statement => "SELECT mgt_detect_log_basic.id as id,timestamp,host,url_path,src_ip,method,query_string,mgt_detect_log_basic.event_id as event_id FROM mgt_detect_log_basic,mgt_detect_log_detail where 1=1 and mgt_detect_log_basic.id = mgt_detect_log_detail.id and mgt_detect_log_basic.id  > :sql_last_value"  
        schedule => "* * * * *"  
        type => "jdbc"  
        jdbc_default_timezone =>"Asia/Shanghai"  
        }  
}  
filter {  
    json {  
    source => "message"  
     }  
    ruby {  
        code => "event.timestamp.time.localtime"  
}  
mutate {  
remove_field => [ "@timestamp","@version","type" ]  
    }  
}  
  
output {  
http {  
http_method => "post"  
format => "json"  
url => ""  
content_type => "application/json"  
}  
stdout {  
    codec => rubydebug {}  
}  

}

1.3 logstash配置启动（主容器已经起了一个logstsh进程，单独再起一个要指定--path.data）

nohup logstash -f /usr/share/logstash/jdk/bin/pgsql/logstas-pgsql.conf --path.data=/usr/share/logstash/jdk/bin/pgsql/data > /dev/null 2>&1 &

二、自建webhook

2.1 webhook安装（写者是安装在logstash所在的容器里）

wget https://github.com/adnanh/webhook/releases/download/2.8.1/webhook-linux-amd64.tar.gz
tar -zxvf webhook-linux-amd64.tar.gz -C ./
cp webhook-linux-amd64/webhook /usr/bin/

2.2 webhook配置（三个配置文件）

waf.json（execute-command执行推送企业微信报警脚本）

[
{
"id": "pushwechatalert",
"execute-command" : "/usr/share/logstash/jdk/bin/pgsql/webhook/ctwaf.sh",
"pass-arguments-to-command":
[
{
"source":"entire-payload",
#"name":"parameter-name"
}
]
}
]

ctwaf.sh（6-11行提取logstash output过来的日志，提取出字段，12-17行对企业微信报警模板文件alert-waf.json进行字段替换。18行微信机器人webhook地址，19行更新模板。）

#!/bin/bash
PAYLOAD= $1
echo $1 >> /var/log/test.log
PAYLOAD2=echo $1  
echo $PAYLOAD2  >> /var/log/payload2.log
CT_Event=echo $PAYLOAD2 |  awk -F ',' {'print $1'}  | awk -F ':' {'print $2'}  | sed 's/"\(.*\)"/\1/g'
CT_Time=echo $PAYLOAD2 |  awk -F ',' {'print $7'}  | awk -F ':' {'print $2'}  | xargs -I {}  date -d @{} +"%Y-%m-%d %H:%M:%S"
CT_Method=echo $PAYLOAD2 |  awk -F ',' {'print $4'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
CT_Server=echo $PAYLOAD2 |  awk -F ',' {'print $2'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
CT_Url=echo $PAYLOAD2 |  awk -F ',' {'print $8'}  | awk -F '"' {'print $4'}
CT_Sip=echo $PAYLOAD2 | awk -F ',' {'print $6'} | awk -F ':' {'print $2'} | sed 's/"\(.*\)"/\1/g'
sed -i "s/CT_Event/$CT_Event/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s/CT_Time/$CT_Time/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s/CT_Method/$CT_Method/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s#CT_Url#$CT_Url#g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s/CT_Server/$CT_Server/g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
sed -i "s#CT_Sip#$CT_Sip#g" /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json
curl -H "Content-Type: application/json" -X POST -d @/usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxxxx
cp -f /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json.tm /usr/share/logstash/jdk/bin/pgsql/webhook/alert-waf.json

alert-waf.json（11-12行的192.168.1.1地址非WAF地址，为另外一台nginx，用来增加用户的cookie头并代理waf实现免登录查看报警。）

{
"msgtype": "markdown",
  "markdown": {
&nbsp; &nbsp; "content": "报警类型：<font color="\&quot;info\&quot;">长亭</font>，请注意。\n&gt;
报警时间：<font color="\&quot;comment\&quot;">CT_Time</font>\n&gt;
请求方法：<font color="\&quot;comment\&quot;">CT_Method</font>\n&gt;
请求路径：<font color="\&quot;comment\&quot;">CT_Url</font>\n&gt;
请求域名：<font color="\&quot;comment\&quot;">CT_Server</font>\n&gt;
攻击IP：<font color="\&quot;comment\&quot;">CT_Sip</font>\n&gt;
[攻击报文](http://192.168.1.1:8888/api/DetectLogDetail?event_id=CT_Event)\n&gt;
[免登录查看攻击详情](http://192.168.1.1:8888/logs?page=1&amp;size=20¶ms=%7B%7D)\n&gt;"
&nbsp; }
}

2.3 启动webhook

nohup webhook -hooks waf.json -port 8888 --verbose  > /dev/null 2>&1 &

三、NGINX免登录查看WAF日志。

单独安装了一个nginx容器，其中proxy_pass为waf登录地址，proxy_pass_header为用户cookie)，并配置定时任务去访问waf，防止cookie失效。

来源：热心雷池社区版用户