Comments (12)

tulja avatar tulja commented on August 22, 2024

Hi @fzipi @adrianwinckles, I want to work on this. Please let me know if I can start working on this

from honeypot-project.

fzipi avatar fzipi commented on August 22, 2024

@tulja Sure you can! Let me know about the process, and what help you need.

tulja avatar tulja commented on August 22, 2024

@fzipi, I'm able to run ModSecurity in a Docker container which is hosting an Apache web server. I also verified the OWASP CRS by running
curl localhost:8081/index.html?exec=/bin/bash
I followed this and modsecurity-docker for my setup. I'm able to view logs in /var/log/apache2/access.log and /var/log/apache2/error.log when I'm testing with curl localhost:8081/index.html?exec=/bin/bash and curl 'http://localhost:8081/?q="><script>alert(1)</script>'
By logs/probes do you mean /var/log/apache2/error.log and /var/log/apache2/access.log? If so, do you need me to write a simple program which prints and stores the logs (to a database) from these files?

fzipi avatar fzipi commented on August 22, 2024

@tulja Good start.
In this case, the receiving console was not defined. There were a couple in the past that worked, but now I think the best approach is to use Elastic (as in ELK) as "console". So for having this console active you'll need to set up some additional resources.

I'd recommend you go for a docker-compose approach, having ELK in one container and the one you have in the other. I think I have one example somewhere, will share it here.

tulja avatar tulja commented on August 22, 2024

Hi @fzipi, I'm able to set up ELK in one container and ModSecurity in another. Shall I use Filebeat for sending the logs from ModSecurity to ELK?

fzipi avatar fzipi commented on August 22, 2024

Yes @tulja, exactly. You will use Filebeat for that. The simplest way is also to log using JSON in ModSecurity.

tulja avatar tulja commented on August 22, 2024

Hi @fzipi, I'm able to send logs from ModSecurity Container to ELK Container using Filebeat. I'm able to check the logs of /var/log/modsec_audit.log file in the Kibana Dashboard.
I followed the below links for my setup.
https://elk-docker.readthedocs.io/
https://www.elastic.co/guide/en/beats/filebeat/5.1/filebeat-installation.html
https://medium.com/tensult/log-centralization-using-filebeat-and-logstash-11640f77cf70
Shall I work on writing the documentation for the whole process or do you need me to do something more on existing setup?

fzipi avatar fzipi commented on August 22, 2024

The ideal setup is to:

  • use the elk-docker as you did
  • extend the official modsecurity_crs docker with filebeat
  • create a docker-compose file that links both.

That way we can test easily and see the logs in Kibana.

With that completed, yes please, create the documentation on every step.

Great progress @tulja!

fzipi avatar fzipi commented on August 22, 2024

Of course, the last part is to take from the original VM the context of what was being sent in the first place. With that in place, we can go for other steps.

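Added example, not code from this thread or from honeypot-project: a small Python reader for ModSecurity's JSON audit log (the logging format suggested above) that flattens each transaction into the fields a honeypot console would index (client IP, request URI, response code, CRS rule ids that fired) and skips corrupt lines instead of crashing. The record layout and the sample lines are assumptions constructed for the example; check them against your own modsec_audit.log.

```python
import json
from collections import Counter

# Constructed sample lines shaped like ModSecurity v3 JSON audit records
# (assumed keys: "transaction" -> "request", "response", "messages").
# IPs, timestamps and rule hits are made up for this example.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"transaction": {
        "client_ip": "203.0.113.7", "time_stamp": "Thu Aug 22 10:00:01 2024",
        "request": {"method": "GET", "uri": "/index.html?exec=/bin/bash"},
        "response": {"http_code": 403},
        "messages": [{"message": "Remote Command Execution: Unix Shell Code Found",
                      "details": {"ruleId": "932160", "severity": "2"}}]}}),
    json.dumps({"transaction": {
        "client_ip": "203.0.113.7", "time_stamp": "Thu Aug 22 10:00:02 2024",
        "request": {"method": "GET", "uri": "/?q=\"><script>alert(1)</script>"},
        "response": {"http_code": 403},
        "messages": [{"message": "XSS Attack Detected via libinjection",
                      "details": {"ruleId": "941100", "severity": "2"}},
                     {"message": "Inbound Anomaly Score Exceeded",
                      "details": {"ruleId": "949110", "severity": "2"}}]}}),
    json.dumps({"transaction": {
        "client_ip": "198.51.100.9", "time_stamp": "Thu Aug 22 10:00:03 2024",
        "request": {"method": "GET", "uri": "/index.html"},
        "response": {"http_code": 200}, "messages": []}}),
    "not JSON: a truncated or corrupt line must be skipped, not crash the reader",
])


def parse_audit_log(text):
    """Return (records, skipped): one flat dict per well-formed audit entry."""
    records, skipped = [], 0
    for line in text.splitlines():
        try:
            tx = json.loads(line)["transaction"]
            req = tx.get("request", {})
            records.append({
                "client_ip": tx.get("client_ip"),
                "time": tx.get("time_stamp"),
                "method": req.get("method"),
                "uri": req.get("uri"),
                "status": tx.get("response", {}).get("http_code"),
                "rule_ids": [m["details"]["ruleId"] for m in tx.get("messages", [])],
            })
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed line: count it and keep reading
    return records, skipped


def rule_hit_counts(records):
    """Count how often each CRS rule id fired across the parsed records."""
    return Counter(rid for r in records for rid in r["rule_ids"])
```

Point Filebeat at the file, or run this reader over it, to see which requests were blocked and which rules decided it; the benign request keeps an empty rule list.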

fzipi avatar fzipi commented on August 22, 2024

In #4 we already had plans for going for ELK, so we can document there also what was made.

tulja avatar tulja commented on August 22, 2024

Hi @fzipi, I created documentation for ModSecurity Logs to ELK setup. I submitted a Pull Request, please check and provide necessary corrections.

fzipi avatar fzipi commented on August 22, 2024

This one can be closed.
