Open elastickent opened 5 years ago
Hi, I think it can be, I should write some doc soon to customize the topology and the provisioning of the machines (the whole project is about this easy customization). You can find my current topology in setup.json and provisioning scripts in files/*/provision.sh
If you have some insights on what you want to simulate, we can define more precisely what needs to be done.
Francois
The first CTF scenario I had in mind was a simple one based on apache struts. I have a simple struts app that connects to mysql backend. It contains the flag, a dummy user database.
If you only need the application layer, I think a docker/docker-compose approach would be simpler, no? I think MI-LXC would be better for an infrastructure-wide CTF (and it is with this objective that I made it): you can simulate an infrastructure, compromise a machine, pivot, etc. Some clues may be found in this practical work, although this one requires some manual interactions: https://flesueur.github.io/srs/tp1-intrusion (hoping a translation will still be readable ;) )
Hey Francois,
It translated very well, thank you.
Yes, you are probably right, mi-lxc is probably overly complicated for such a simple app exploit CTF.
Thanks for passing along the Intrusion write up.
The scenarios are great. If I wired up the images to use with filebeat/auditbeat and created some dashboards around the intrusion scenario, would you like those changes via a Pull Request?
Thanks again,
-Kent
I would definitely look into it! I also have a practical work on IDS (https://github.com/flesueur/srs/blob/master/tp3-ids.md), currently using suricata, ossec and prelude. I like suricata but I feel that ossec and prelude are a bit "old school" ;). Achieving a setup with suricata and the elastic suite, then replacing prelude-correlator with some elastic queries, would definitely be great!
The global setup would not be mainlined I think, but rather a pre-deployment. You can see in the current setup that ossec, suricata and prelude are installed, partly configured, but typically do not detect the intrusion scenario. Aim of TP3 is to tailor signatures, directories monitoring etc. to detect it.
Ideally, we could have a fully functional version of elastic and a partly functional one, and we could choose which one to deploy. This is definitely achievable in the current architecture (two different topologies and slightly different provisioning scripts).
My only concern is about performance. For my deployments, I need to keep it running on modest hardware (typically, students laptop). Would elastic be usable in that case ? I've always heard it needs tons of RAM...
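To make the "replace prelude-correlator with some elastic queries" idea concrete, here is an added example (editor's illustration, not code from MI-LXC, the srs practical works, or anyone in this thread). It parses Suricata EVE JSON alert lines, flags any source IP that triggers several distinct signatures inside a short time window (the kind of multi-stage behaviour a scan-then-exploit intrusion scenario produces), and builds the equivalent Elasticsearch aggregation so the same rule can be run against an index. The sample lines are constructed, the signature IDs and names are made up, and the field names in the query (`src_ip`, `alert.signature_id`, `@timestamp`) are assumptions: Filebeat's Suricata module nests them differently (e.g. `suricata.eve.alert.signature_id`), so adjust them to your mapping.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EVE JSON lines (synthetic, not from a real capture).
# Signature IDs/names below are invented for the example.
SAMPLE_EVE_LINES = [
    # 100.64.0.5: three different signatures within two minutes -> flagged
    '{"timestamp":"2020-01-10T10:00:01.000000+0000","event_type":"alert","src_ip":"100.64.0.5","dest_ip":"100.80.1.2","alert":{"signature_id":9000001,"signature":"TEST SCAN web scanner user-agent","severity":2}}',
    '{"timestamp":"2020-01-10T10:00:40.000000+0000","event_type":"alert","src_ip":"100.64.0.5","dest_ip":"100.80.1.2","alert":{"signature_id":9000002,"signature":"TEST WEB path traversal attempt","severity":1}}',
    '{"timestamp":"2020-01-10T10:01:55.000000+0000","event_type":"alert","src_ip":"100.64.0.5","dest_ip":"100.80.1.2","alert":{"signature_id":9000003,"signature":"TEST WEB command injection attempt","severity":1}}',
    # 100.64.0.9: the same signature repeated -> noisy, but only one distinct rule
    '{"timestamp":"2020-01-10T10:05:00.000000+0000","event_type":"alert","src_ip":"100.64.0.9","dest_ip":"100.80.1.2","alert":{"signature_id":9000001,"signature":"TEST SCAN web scanner user-agent","severity":2}}',
    '{"timestamp":"2020-01-10T10:05:10.000000+0000","event_type":"alert","src_ip":"100.64.0.9","dest_ip":"100.80.1.2","alert":{"signature_id":9000001,"signature":"TEST SCAN web scanner user-agent","severity":2}}',
    '{"timestamp":"2020-01-10T10:05:20.000000+0000","event_type":"alert","src_ip":"100.64.0.9","dest_ip":"100.80.1.2","alert":{"signature_id":9000001,"signature":"TEST SCAN web scanner user-agent","severity":2}}',
    # 100.64.0.7: three signatures, but spread over 30 minutes -> outside a 5-minute window
    '{"timestamp":"2020-01-10T10:10:00.000000+0000","event_type":"alert","src_ip":"100.64.0.7","dest_ip":"100.80.1.2","alert":{"signature_id":9000001,"signature":"TEST SCAN web scanner user-agent","severity":2}}',
    '{"timestamp":"2020-01-10T10:20:00.000000+0000","event_type":"alert","src_ip":"100.64.0.7","dest_ip":"100.80.1.2","alert":{"signature_id":9000002,"signature":"TEST WEB path traversal attempt","severity":1}}',
    '{"timestamp":"2020-01-10T10:30:00.000000+0000","event_type":"alert","src_ip":"100.64.0.7","dest_ip":"100.80.1.2","alert":{"signature_id":9000003,"signature":"TEST WEB command injection attempt","severity":1}}',
    # A non-alert EVE record (flow) that the correlator must ignore
    '{"timestamp":"2020-01-10T10:00:05.000000+0000","event_type":"flow","src_ip":"100.64.0.5","dest_ip":"100.80.1.2"}',
]


def parse_eve(lines):
    """Parse EVE JSON lines, keeping only alert events, with timestamps parsed."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        # Suricata writes e.g. 2020-01-10T10:00:01.000000+0000; %z accepts +0000
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append({
            "ts": ts,
            "src_ip": ev["src_ip"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
        })
    return alerts


def correlate(alerts, window=timedelta(minutes=5), min_distinct=3):
    """Return {src_ip: sorted signature ids} for every source that fires at least
    min_distinct *distinct* signatures inside some window of the given length."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda a: a["ts"])
        for i, first in enumerate(evs):
            # Sliding window anchored at each alert in turn
            sids = {a["sid"] for a in evs[i:] if a["ts"] - first["ts"] <= window}
            if len(sids) >= min_distinct:
                hits[src] = sorted(sids)
                break
    return hits


def es_query(window_minutes=5, min_distinct=3):
    """Equivalent Elasticsearch aggregation: per-source cardinality of signature ids
    over the last window, kept only when it reaches min_distinct. Field names are
    assumptions; adapt them to how Filebeat actually maps the EVE fields."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event_type": "alert"}},
            {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
        ]}},
        "aggs": {"by_src": {
            "terms": {"field": "src_ip", "size": 100},
            "aggs": {
                "distinct_sigs": {"cardinality": {"field": "alert.signature_id"}},
                "enough": {"bucket_selector": {
                    "buckets_path": {"n": "distinct_sigs"},
                    "script": f"params.n >= {min_distinct}",
                }},
            },
        }},
    }


if __name__ == "__main__":
    for src, sids in correlate(parse_eve(SAMPLE_EVE_LINES)).items():
        print(f"{src}: {len(sids)} distinct signatures {sids}")
    print(json.dumps(es_query(), indent=2))
```

The local `correlate()` is what you would run in a lab without a cluster (or in a test to check the rule against a recorded eve.json from the intrusion scenario); `es_query()` is the same logic as a query body you can POST to `<index>/_search`, so the "partly functional" and "fully functional" topologies could share one rule definition. Lowering `min_distinct` or widening the window trades false positives for earlier detection, which is exactly the tuning TP3 asks students to do.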
Hey Francois,
Awesome, glad you are interested in the idea.
It's definitely a challenge to keep the environment small enough to fit on a student laptop. Your two topology idea sounds like a great way to address it.
I'm working on a small dedicated CTF target server, a Zotac with i7 and 32 GB of RAM.
Elasticsearch docker images need 1GB of memory to run with stability.
OSSEC is a bit dated, but the WAZUH folks do have a pretty mature solution.
Due to my day job, Elastic *beats + osquery + pac's and tweaking seem to give me the best open source endpoint data to date.
-K
Thanks for sharing such a useful project.
I was hoping mi-lxc could be used as an environment for CTF security meetups?