日志说明

存储路径

OpenRASP 默认会开启文件日志,存储路径如下:

  • Java 版本: <app_home>/rasp/logs/alarm/.log
  • PHP 版本: <openrasp_rootdir>/logs/alarm/*.log 值得注意的是,Java 版本当前的报警没有日期,只有 rotate 之后才会有日期,e.g
  1. /tomcat/rasp/logs/alarm/alarm.log
  2. /tomcat/rasp/logs/alarm/alarm.log.2018-12-04
  3. ...

对于 PHP 版本,报警日志总是会带有日期,e.g

  1. /opt/rasp/logs/alarm/alarm.log.2018-12-16

不过,由于 PHP 本身的限制,有些日志还是会打印到 PHP 错误日志里,比如 INI 配置错误。

日志类型

OpenRASP 包含四类日志,

文件名文件内容
plugin/plugin-DATE.log检测插件的日志,e.g 插件异常、插件调试输出
rasp/rasp-DATE.lograsp agent 调试日志
alarm/alarm-DATE.log攻击报警日志,JSON 格式,一行一个
policy_alarm/policy_alarm-DATE.log安全基线检查报警日志,JSON 格式,一行一个

日志格式

1. 攻击日志格式

当发生攻击事件时,OpenRASP 将会记录以下信息,

字段说明
rasp_idRASP agent id
app_id应用ID
event_type日志类型,固定为 attack 字样
event_time事件发生时间
request_id当前请求ID
request_method请求方法
intercept_state拦截状态
attack_source攻击来源 IP
target被攻击目标域名
server_hostname被攻击的服务器主机名
server_ip被攻击目标 IP
server_type应用服务器类型
server_version应用服务器版本
path当前URL,不包含参数
url当前URL,包含完整GET参数
attack_type攻击类型
attack_params攻击参数
attack_source请求来源
client_ip客户端真实IP地址,请参考 其他配置选项 进行配置
plugin_name报告攻击插件名称
plugin_confidence检测结果可靠性,插件返回
plugin_message检测结果信息
plugin_algorithm插件检测算法
header请求header信息
stack_trace当前调用堆栈
body当前请求的body,如果有

一个完整的 JSON 日志样例如下:

  1. {
  2.   "attack_type": "xss_userinput",
  3.   "request_method": "get",
  4.   "server_version": "7.0.78.0",
  5.   "path": "/vulns/017-xss.jsp",
  6.   "event_type": "attack",
  7.   "attack_params": {
  8.     "name": "input",
  9.     "value": "<script>alert(1)</script>"
  10.   },
  11.   "server_ip": "127.0.0.1",
  12.   "client_ip": "",
  13.   "attack_source": "127.0.0.1",
  14.   "app_id": "1e46d1ae2cec7966343c1c1455cdb9ea3c356662",
  15.   "server_nic": [
  16.     {
  17.       "name": "eth0",
  18.       "ip": "172.24.172.168"
  19.     }
  20.   ],
  21.   "intercept_state": "log",
  22.   "plugin_confidence": 100,
  23.   "plugin_algorithm": "xss_userinput",
  24.   "plugin_name": "java_builtin_plugin",
  25.   "server_hostname": "devnull",
  26.   "url": "http://127.0.0.1:8080/vulns/017-xss.jsp?input=%3cscript%3ealert(1)%3c%2fscript%3e",
  27.   "target": "127.0.0.1",
  28.   "header": {
  29.     "referer": "http://127.0.0.1:8080/vulns/017-xss.jsp",
  30.     "accept-language": "en-US,en;q=0.9,fr;q=0.8,zh-CN;q=0.7,zh;q=0.6,zh-TW;q=0.5,hr;q=0.4,ja;q=0.3,pt;q=0.2,la;q=0.1",
  31.     "cookie": "JSESSIONID=E51A4982D9E62B1C49F1B522404C6AA7; 89facc616a91c8542b4120d0985ae97c=r7f62uq42ihucmdt4j53kufepj",
  32.     "host": "127.0.0.1:8080",
  33.     "upgrade-insecure-requests": "1",
  34.     "connection": "keep-alive",
  35.     "cache-control": "no-cache",
  36.     "pragma": "no-cache",
  37.     "accept-encoding": "gzip, deflate, br",
  38.     "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.1453.93 Safari/537.36",
  39.     "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
  40.   },
  41.   "stack_trace": "org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java)\norg.apache.catalina.connector.Response.finishResponse(Response.java:537)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:483)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748)",
  42.   "rasp_id": "18619d5f553f0fc31a4e4f0eb96b2564",
  43.   "request_id": "3ff7d8cae4d3441e927433a1161be89c",
  44.   "source_code": [
  45.     "",
  46.     "this.outputBuffer.close();",
  47.     "",
  48.     "this.adapter.service(this.request, this.response);",
  49.     "",
  50.     "state = this.this$0.handler.process(this.socket, this.status);",
  51.     "runnable.run();",
  52.     "this.this$0.runWorker(this);",
  53.     "this.wrappedRunnable.run();",
  54.     "this.target.run();"
  55.   ],
  56.   "event_time": "2019-05-27T14:36:42+0800",
  57.   "plugin_message": "Reflected XSS attack detected, parameter name: input",
  58.   "server_type": "tomcat"
  59. }
2. 安全基线检查日志

当检测到不符合安全规范的配置时,OpenRASP 将会记录以下信息:

字段说明
event_type日志类型,固定为 security_policy 字样
event_time事件发生时间
server_hostname服务器主机名
server_nic服务器IP
server_type应用服务器类型
server_version应用服务器版本
policy_id匹配的策略编号
policy_params基线报警额外参数,比如 PID
message不符合规范的配置说明
stack_trace当前调用堆栈,某些情况可能为空

一个完整的 JSON 日志样例如下:

  1. {
  2.    "event_type":      "security_policy",
  3.    "event_time" :     "2017-04-01T08:00:00Z",
  4.    "policy_id":       "3002",
  5.    "server_hostname": "my-bloodly-hostname",
  6.    "server_nic": {
  7.       {
  8.          "name": "eth0",
  9.          "ip":   "10.10.1.131"
  10.       },
  11.       {
  12.          "name": "eth0",
  13.          "ip":   "192.168.1.150"
  14.       }
  15.    },
  16.    "server_type":    "Tomcat",
  17.    "stack_trace":    "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n"
  18.    "server_version": "7.0.15",   
  19.    "message":        "Tomcat 不应该以root权限启动",
  20.    "policy_params":  {
  21.       "pid": 1023
  22.    }
  23. }