日志说明

存储路径

OpenRASP 默认会开启文件日志，存储路径如下:

Java 版本: <app_home>/rasp/logs/alarm/*.log*
PHP 版本: <openrasp_rootdir>/logs/alarm/*.log

值得注意的是，Java 版本当前的报警没有日期，只有日志滚动之后才会有日期，e.g

/tomcat/rasp/logs/alarm/alarm.log
/tomcat/rasp/logs/alarm/alarm.log.2018-12-04
...

对于 PHP 版本，报警日志总是会带有日期，e.g

/opt/rasp/logs/alarm/alarm.log.2018-12-16

不过，由于 PHP 本身的限制，有些日志还是会打印到 PHP 错误日志里，比如 INI 配置错误。

日志类型

OpenRASP 包含四类日志，

文件名

文件内容

plugin/plugin-DATE.log

检测插件的日志，e.g 插件异常、插件调试输出

rasp/rasp-DATE.log

rasp agent 调试日志

alarm/alarm-DATE.log

攻击报警日志，JSON 格式，一行一个

policy_alarm/policy_alarm-DATE.log

安全基线检查报警日志，JSON 格式，一行一个

日志格式

1. 攻击日志格式

当发生攻击事件时，OpenRASP 将会记录以下信息，

字段

说明

rasp_id

RASP agent id

app_id

应用ID

app_name

应用名称

event_type

日志类型，固定为 attack 字样

event_time

事件发生时间

event_level

漏洞级别，范围是 critical/high/medium/low

request_id

当前请求ID

request_method

请求方法

intercept_state

拦截状态

attack_source

攻击来源 IP

target

被攻击目标域名

server_hostname

被攻击的服务器主机名

server_ip

被攻击目标 IP

server_type

应用服务器类型

server_version

应用服务器版本

path

当前URL，不包含参数

url

当前URL，包含完整GET参数

attack_type

攻击类型

attack_params

攻击参数，包含hook点参数、堆栈等等

attack_source

请求来源

client_ip

plugin_name

报告攻击插件名称

plugin_confidence

检测结果可靠性，插件返回

plugin_message

检测结果信息

plugin_algorithm

插件检测算法

header

请求header信息

stack_md5

当前堆栈MD5

body

当前请求的body，如果有

一个完整的 JSON 日志样例如下:

{
  "@timestamp": 1618894722217,
  "app_id": "88cce00aa5a5207f2d13250f892bdcb96c46f080",
  "app_name": "Demo App",
  "attack_count": 2,
  "attack_location": {
    "latitude": 0,
    "location_en": "-",
    "location_zh_cn": "-",
    "longitude": 0
  },
  "attack_params": {
    "command": "cmd /c calc",
    "env": [],
    "stack": [
      "java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java)",
      "java.base/java.lang.ProcessImpl.start(ProcessImpl.java:244)",
      "java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1109)",
      "java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)",
      "java.base/java.lang.Runtime.exec(Runtime.java:590)",
      "java.base/java.lang.Runtime.exec(Runtime.java:414)",
      "java.base/java.lang.Runtime.exec(Runtime.java:311)",
      "org.apache.jsp._004_002dcommand_002d1_jsp._jspService(_004_002dcommand_002d1_jsp.java:136)",
      "org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)",
      "javax.servlet.http.HttpServlet.service(HttpServlet.java:741)",
      "org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)",
      "org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)",
      "org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)",
      "javax.servlet.http.HttpServlet.service(HttpServlet.java:741)",
      "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)",
      "org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
      "org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)",
      "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)",
      "org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
      "org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)",
      "org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)",
      "org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)",
      "org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)",
      "org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)",
      "org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)",
      "org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)",
      "org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)",
      "org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)",
      "org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)",
      "org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)",
      "org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)",
      "org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)",
      "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)",
      "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)",
      "org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)",
      "java.base/java.lang.Thread.run(Thread.java:831)"
    ]
  },
  "attack_source": "127.0.0.1",
  "attack_type": "command",
  "body": "",
  "client_ip": "",
  "event_level": "critical",
  "event_time": "2021-04-20T12:58:42+0800",
  "event_type": "attack",
  "header": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "accept-encoding": "gzip, deflate, br",
    "accept-language": "en,zh-CN;q=0.9,zh;q=0.8,la;q=0.7",
    "connection": "keep-alive",
    "cookie": "JSESSIONID=FA7196A1FDE61D1795DCEB3280890E14",
    "dnt": "1",
    "host": "127.0.0.1:8080",
    "referer": "http://127.0.0.1:8080/vulns/004-command-1.jsp",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
  },
  "id": "5f425ea2234ca4d4bcd991108affff8c",
  "intercept_state": "log",
  "parameter": {
    "form": "{\"cmd\":[\"cmd /c calc\"]}",
    "json": "{}",
    "multipart": "[]"
  },
  "path": "/vulns/004-command-1.jsp",
  "plugin_algorithm": "command_other",
  "plugin_confidence": 90,
  "plugin_message": "Command execution - Logging all command execution by default, command is cmd /c calc",
  "plugin_name": "official",
  "rasp_id": "520d19c523509c53025d66e67e394ab2",
  "rasp_version": "1.3.6",
  "request_id": "c7229f3f91e34e95902c7ada3b17865d",
  "request_method": "get",
  "server_hostname": "YOUR_COMPUTER",
  "server_ip": "127.0.0.1",
  "server_nic": [
    {
      "ip": "192.168.154.1",
      "name": "vmnet8"
    },
    {
      "ip": "172.16.177.1",
      "name": "vmnet1"
    },
    {
      "ip": "172.24.172.41",
      "name": "en0"
    }
  ],
  "server_type": "tomcat",
  "server_version": "9.0.14.0",
  "source_code": "",
  "stack_md5": "c0eccc0d41f14fcef3f0a6d7521d0875",
  "target": "127.0.0.1",
  "upsert_id": "5f425ea2234ca4d4bcd991108affff8c",
  "url": "http://127.0.0.1:8080/vulns/004-command-1.jsp?cmd=cmd+/c+calc"
}

2. 安全基线检查日志

当检测到不符合安全规范的配置时，OpenRASP 将会记录以下信息:

字段

说明

event_type

日志类型，固定为 security_policy 字样

event_time

事件发生时间

server_hostname

服务器主机名

server_nic

服务器IP

server_type

应用服务器类型

server_version

应用服务器版本

policy_id

匹配的策略编号

policy_params

基线报警额外参数，比如 PID

message

不符合规范的配置说明

stack_trace

当前调用堆栈，某些情况可能为空

一个完整的 JSON 日志样例如下:

{
   "event_type":      "security_policy",
   "event_time" :     "2017-04-01T08:00:00Z",
   "policy_id":       "3002",
   "server_hostname": "my-bloodly-hostname",
   "server_nic": {
      {
         "name": "eth0",
         "ip":   "10.10.1.131"
      },
      {
         "name": "eth0",
         "ip":   "192.168.1.150"
      }
   },
   "server_type":    "Tomcat",
   "stack_trace":    "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n"
   "server_version": "7.0.15",   
   "message":        "Tomcat 不应该以root权限启动",
   "policy_params":  {
      "pid": 1023
   }
}

3. 应用行为日志

当你在管理后台 -> 防护设置里，开启 打印「行为日志」，仅用于调试，请勿在线上开启 后，我们会在 plugin.log 里打印应用的行为日志，样例如下:

2021-01-04 10:11:39,627 INFO  [http-bio-8080-exec-2][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Read file: /usr/local/apache-tomcat-7.0.78/webapps/vulns/004-command-1.jsp
2021-01-04 10:11:40,882 INFO  [http-bio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Execute command: cp /etc/passwd /tmp/ [ 'java.lang.UNIXProcess.<init>',
  'java.lang.ProcessImpl.start',
  'java.lang.ProcessBuilder.start',
  'java.lang.Runtime.exec',
  'java.lang.Runtime.exec',
  'java.lang.Runtime.exec',
  'org.apache.jsp._004_002dcommand_002d1_jsp._jspService',
  'org.apache.jasper.runtime.HttpJspBase.service',
  'javax.servlet.http.HttpServlet.service',
  'org.apache.jasper.servlet.JspServletWrapper.service',
  'org.apache.jasper.servlet.JspServlet.serviceJspFile',
  'org.apache.jasper.servlet.JspServlet.service',
  'javax.servlet.http.HttpServlet.service',
  'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
  'org.apache.catalina.core.ApplicationFilterChain.doFilter',
  'org.apache.tomcat.websocket.server.WsFilter.doFilter',
  'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
  'org.apache.catalina.core.ApplicationFilterChain.doFilter',
  'org.apache.catalina.core.StandardWrapperValve.invoke',
  'org.apache.catalina.core.StandardContextValve.invoke',
  'org.apache.catalina.authenticator.AuthenticatorBase.invoke',
  'org.apache.catalina.core.StandardHostValve.invoke',
  'org.apache.catalina.valves.ErrorReportValve.invoke',
  'org.apache.catalina.valves.AccessLogValve.invoke',
  'org.apache.catalina.core.StandardEngineValve.invoke',
  'org.apache.catalina.connector.CoyoteAdapter.service',
  'org.apache.coyote.http11.AbstractHttp11Processor.process',
  'org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process',
  'org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run',
  'java.util.concurrent.ThreadPoolExecutor.runWorker',
  'java.util.concurrent.ThreadPoolExecutor$Worker.run',
  'org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run',
  'java.lang.Thread.run' ]

Previous服务配置 Next管理后台

Last updated 11 days ago

{ "@timestamp": 1618894722217, "app_id": "88cce00aa5a5207f2d13250f892bdcb96c46f080", "app_name": "Demo App", "attack_count": 2, "attack_location": { "latitude": 0, "location_en": "-", "location_zh_cn": "-", "longitude": 0 }, "attack_params": { "command": "cmd /c calc", "env": [], "stack": [ "java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java)", "java.base/java.lang.ProcessImpl.start(ProcessImpl.java:244)", "java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1109)", "java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)", "java.base/java.lang.Runtime.exec(Runtime.java:590)", "java.base/java.lang.Runtime.exec(Runtime.java:414)", "java.base/java.lang.Runtime.exec(Runtime.java:311)", "org.apache.jsp._004_002dcommand_002d1_jsp._jspService(_004_002dcommand_002d1_jsp.java:136)", "org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)", "javax.servlet.http.HttpServlet.service(HttpServlet.java:741)", "org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)", "org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)", "org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)", "javax.servlet.http.HttpServlet.service(HttpServlet.java:741)", "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)", "org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)", "org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)", "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)", "org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)", "org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)", "org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)", "org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)", "org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)", "org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)", "org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)", "org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)", "org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)", "org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)", "org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)", "org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)", "org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)", "org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)", "java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)", "java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)", "org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)", "java.base/java.lang.Thread.run(Thread.java:831)" ] }, "attack_source": "127.0.0.1", "attack_type": "command", "body": "", "client_ip": "", "event_level": "critical", "event_time": "2021-04-20T12:58:42+0800", "event_type": "attack", "header": { "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "accept-encoding": "gzip, deflate, br", "accept-language": "en,zh-CN;q=0.9,zh;q=0.8,la;q=0.7", "connection": "keep-alive", "cookie": "JSESSIONID=FA7196A1FDE61D1795DCEB3280890E14", "dnt": "1", "host": "127.0.0.1:8080", "referer": "http://127.0.0.1:8080/vulns/004-command-1.jsp", "upgrade-insecure-requests": "1", "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0" }, "id": "5f425ea2234ca4d4bcd991108affff8c", "intercept_state": "log", "parameter": { "form": "{\"cmd\":[\"cmd /c calc\"]}", "json": "{}", "multipart": "[]" }, "path": "/vulns/004-command-1.jsp", "plugin_algorithm": "command_other", "plugin_confidence": 90, "plugin_message": "Command execution - Logging all command execution by default, command is cmd /c calc", "plugin_name": "official", "rasp_id": "520d19c523509c53025d66e67e394ab2", "rasp_version": "1.3.6", "request_id": "c7229f3f91e34e95902c7ada3b17865d", "request_method": "get", "server_hostname": "YOUR_COMPUTER", "server_ip": "127.0.0.1", "server_nic": [ { "ip": "192.168.154.1", "name": "vmnet8" }, { "ip": "172.16.177.1", "name": "vmnet1" }, { "ip": "172.24.172.41", "name": "en0" } ], "server_type": "tomcat", "server_version": "9.0.14.0", "source_code": "", "stack_md5": "c0eccc0d41f14fcef3f0a6d7521d0875", "target": "127.0.0.1", "upsert_id": "5f425ea2234ca4d4bcd991108affff8c", "url": "http://127.0.0.1:8080/vulns/004-command-1.jsp?cmd=cmd+/c+calc" }

{ "event_type": "security_policy", "event_time" : "2017-04-01T08:00:00Z", "policy_id": "3002", "server_hostname": "my-bloodly-hostname", "server_nic": { { "name": "eth0", "ip": "10.10.1.131" }, { "name": "eth0", "ip": "192.168.1.150" } }, "server_type": "Tomcat", "stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n" "server_version": "7.0.15", "message": "Tomcat 不应该以root权限启动", "policy_params": { "pid": 1023 } }

2021-01-04 10:11:39,627 INFO [http-bio-8080-exec-2][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Read file: /usr/local/apache-tomcat-7.0.78/webapps/vulns/004-command-1.jsp 2021-01-04 10:11:40,882 INFO [http-bio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Execute command: cp /etc/passwd /tmp/ [ 'java.lang.UNIXProcess.<init>', 'java.lang.ProcessImpl.start', 'java.lang.ProcessBuilder.start', 'java.lang.Runtime.exec', 'java.lang.Runtime.exec', 'java.lang.Runtime.exec', 'org.apache.jsp._004_002dcommand_002d1_jsp._jspService', 'org.apache.jasper.runtime.HttpJspBase.service', 'javax.servlet.http.HttpServlet.service', 'org.apache.jasper.servlet.JspServletWrapper.service', 'org.apache.jasper.servlet.JspServlet.serviceJspFile', 'org.apache.jasper.servlet.JspServlet.service', 'javax.servlet.http.HttpServlet.service', 'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter', 'org.apache.catalina.core.ApplicationFilterChain.doFilter', 'org.apache.tomcat.websocket.server.WsFilter.doFilter', 'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter', 'org.apache.catalina.core.ApplicationFilterChain.doFilter', 'org.apache.catalina.core.StandardWrapperValve.invoke', 'org.apache.catalina.core.StandardContextValve.invoke', 'org.apache.catalina.authenticator.AuthenticatorBase.invoke', 'org.apache.catalina.core.StandardHostValve.invoke', 'org.apache.catalina.valves.ErrorReportValve.invoke', 'org.apache.catalina.valves.AccessLogValve.invoke', 'org.apache.catalina.core.StandardEngineValve.invoke', 'org.apache.catalina.connector.CoyoteAdapter.service', 'org.apache.coyote.http11.AbstractHttp11Processor.process', 'org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process', 'org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run', 'java.util.concurrent.ThreadPoolExecutor.runWorker', 'java.util.concurrent.ThreadPoolExecutor$Worker.run', 'org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run', 'java.lang.Thread.run' ]