OWASP / Honeypot-Project


PoC: understand and document the flow from ModSecurity to the console #1

Closed fzipi closed 5 years ago

fzipi commented 6 years ago

We need a Proof of Concept to understand how a ModSecurity based Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).

tulja commented 5 years ago

Hi @fzipi @adrianwinckles, I want to work on this. Please let me know if I can start working on this

fzipi commented 5 years ago

@tulja Sure you can! Let me know about the process, and what help you need.

tulja commented 5 years ago

@fzipi, I'm able to run ModSecurity in a Docker container which is hosting an Apache web server. I also verified the OWASP CRS by running curl localhost:8081/index.html?exec=/bin/bash. I followed this and modsecurity-docker for my setup. I'm able to view logs in /var/log/apache2/access.log and /var/log/apache2/error.log when I'm testing with curl localhost:8081/index.html?exec=/bin/bash and curl 'http://localhost:8081/?q="><script>alert(1)</script>'. By logs/probes, do you mean /var/log/apache2/error.log and /var/log/apache2/access.log? If so, do you need me to write a simple program which prints and stores the logs (to a database) from these files?

fzipi commented 5 years ago

@tulja Good start. In this case, the receiving console was not defined. There were a couple in the past that worked, but now I think the best approach is to use Elastic (as in ELK) as the "console". So to have this console active you'll need to set up some additional resources.

I'd recommend going for a docker-compose approach, with ELK in one container and the one you already have in the other. I think I have an example somewhere; I'll share it here.

tulja commented 5 years ago

Hi @fzipi, I'm able to set up ELK in one container and ModSecurity in another. Shall I use Filebeat for sending the logs from ModSecurity to ELK?

fzipi commented 5 years ago

Yes @tulja, exactly. You will use Filebeat for that. The simplest way is also to log using JSON in ModSecurity.
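Added example, not code from the thread or the Honeypot-Project repository: what the receiving console has to do with the JSON audit log once Filebeat delivers it. The curl probes quoted earlier in the thread each produce one ModSecurity audit entry whose rule matches sit in a single `audit_data.messages` array of Apache-style text; flattening that into one record per matched rule (rule id, severity, tags, transaction context) is what makes the data useful for aggregation in Kibana. The script assumes ModSecurity 2.9 writing `SecAuditLogFormat JSON` in `SecAuditLogType Serial` mode, one JSON document per line; the field layout, transaction ids, paths and line numbers in the sample are constructed for illustration (the rule ids are CRS 3.x ids), and the truncated third line stands in for a partial write that a shipper can observe at the tail of a live log.

```python
"""Flatten a ModSecurity 2.9 JSON audit log into one record per matched rule.
Added example; field layout and sample values are constructed, not taken
from the project."""
import json
import re
from collections import Counter
from typing import Iterable, Iterator

# Each entry in audit_data.messages is the Apache-style text: a human-readable
# summary followed by bracketed key/value pairs, e.g. [id "932160"] [tag "x"].
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_message(msg: str) -> dict:
    """Split one audit message into summary, scalar fields and the tag list."""
    fields = {"tags": []}
    first = msg.find(" [")
    fields["summary"] = msg if first < 0 else msg[:first]
    for key, value in _KV.findall(msg):
        value = value.replace('\\"', '"')  # tolerate backslash-escaped quotes
        if key == "tag":  # 'tag' repeats; every other key is single-valued
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def flatten(entry: dict) -> list:
    """One record per matched rule, each carrying the transaction context."""
    tx = entry["transaction"]
    req = entry.get("request", {})
    base = {
        "transaction_id": tx["transaction_id"],
        "time": tx["time"],
        "client_ip": tx["remote_address"],
        "request_line": req.get("request_line"),
        "host": req.get("headers", {}).get("Host"),
        "status": entry.get("response", {}).get("status"),
    }
    records = []
    for msg in entry.get("audit_data", {}).get("messages", []):
        rec = dict(base)
        rec.update(parse_message(msg))
        records.append(rec)
    return records


def read_audit_log(lines: Iterable[str]) -> Iterator[dict]:
    """Serial JSON audit logs hold one document per line. A line that does not
    parse is most likely a partial write at the tail of the file (the probe is
    still writing while the shipper reads), so it is skipped rather than fatal."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        yield from flatten(entry)


def blocked_transactions(records: Iterable[dict]) -> list:
    """Transactions where the CRS anomaly-score blocking rule (949110) fired."""
    return sorted({r["transaction_id"] for r in records if r.get("id") == "949110"})


def rule_hit_counts(records: Iterable[dict]) -> Counter:
    """How often each rule id matched across the log; the Kibana bar chart."""
    return Counter(r.get("id", "unknown") for r in records)


# Constructed sample: the two curl probes from the thread (RCE and XSS) plus a
# truncated third line standing in for an in-progress write.
SAMPLE_AUDIT_LOG = "\n".join([
    r'{"transaction":{"time":"01/Oct/2019:12:00:01 +0000","transaction_id":"tx-0001","remote_address":"172.18.0.1","remote_port":52110,"local_address":"172.18.0.2","local_port":80},"request":{"request_line":"GET /index.html?exec=/bin/bash HTTP/1.1","headers":{"Host":"localhost:8081","User-Agent":"curl/7.58.0","Accept":"*/*"}},"response":{"protocol":"HTTP/1.1","status":403},"audit_data":{"messages":["Warning. Matched phrase \"bin/bash\" at ARGS:exec. [file \"/etc/modsecurity/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"1\"] [id \"932160\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin/bash found within ARGS:exec: /bin/bash\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"]","Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"1\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]"],"handler":"proxy-server","producer":["ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","OWASP_CRS/3.1.0"],"server":"Apache","engine_mode":"ENABLED"}}',
    r'{"transaction":{"time":"01/Oct/2019:12:00:02 +0000","transaction_id":"tx-0002","remote_address":"172.18.0.1","remote_port":52112,"local_address":"172.18.0.2","local_port":80},"request":{"request_line":"GET /?q=\"><script>alert(1)</script> HTTP/1.1","headers":{"Host":"localhost:8081","User-Agent":"curl/7.58.0","Accept":"*/*"}},"response":{"protocol":"HTTP/1.1","status":403},"audit_data":{"messages":["Warning. detected XSS using libinjection. [file \"/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"1\"] [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-xss\"]","Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"1\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]"],"handler":"proxy-server","producer":["ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","OWASP_CRS/3.1.0"],"server":"Apache","engine_mode":"ENABLED"}}',
    r'{"transaction":{"time":"01/Oct/2019:12:00:03 +0000","transaction_id":"tx-0003"',
])


if __name__ == "__main__":
    recs = list(read_audit_log(SAMPLE_AUDIT_LOG.splitlines()))
    for r in recs:
        print(r["transaction_id"], r["id"], r["severity"], r["msg"])
    print("blocked:", blocked_transactions(recs))
    print("hits per rule:", dict(rule_hit_counts(recs)))
```

The same split can be done in a Logstash filter (or an Elasticsearch ingest pipeline) instead of a script, but the shape is the point: if the raw `messages` array is indexed as-is, Kibana can show that a transaction was blocked but not which rule, which severity or which CRS tag, and the anomaly-score rule (949110) ends up counted as the only "attack" for every blocked request.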

tulja commented 5 years ago

Hi @fzipi, I'm able to send logs from the ModSecurity container to the ELK container using Filebeat. I'm able to check the logs of the /var/log/modsec_audit.log file in the Kibana dashboard. I followed the below links for my setup.

https://elk-docker.readthedocs.io/
https://www.elastic.co/guide/en/beats/filebeat/5.1/filebeat-installation.html
https://medium.com/tensult/log-centralization-using-filebeat-and-logstash-11640f77cf70

Shall I work on writing the documentation for the whole process, or do you need me to do something more on the existing setup?

fzipi commented 5 years ago

The ideal setup is to:

That way we can test easily and see the logs in Kibana.

With that completed, yes please, create the documentation on every step.

Great progress @tulja!

fzipi commented 5 years ago

Of course the last part is to take from the original VM the context of what was being sent in the first place. With that in place, we can go for the other steps.

fzipi commented 5 years ago

In #4 we already had plans for going for ELK, so we can document there also what was made.

tulja commented 5 years ago

Hi @fzipi, I created documentation for the ModSecurity logs to ELK setup. I submitted a pull request; please check it and provide any necessary corrections.

fzipi commented 5 years ago

This one can be closed.