How this work can be validated by Rico at Anglia Ruskin University
Tulja’s GSoC work concentrated on developing a PoC using a standard ModSec probe image under Docker to generate log entries, pushed to another Docker image running Logstash, but using JSON output instead of the MLOGC format.
From the Logstash Docker image, output is pushed into ELK. This must be documented:
As PoC docker images
As diagrams
In the Logstash development environment, the preferred development language is Python where possible.
Ruby on Rails or Java may also be possible.
There is a MISP API for Python, and it is worth noting that mlogc can use Ruby extensions.
Develop “Tags” in alerts generated by the probe, or by conversion within Logstash, using the OWASP Automated Threats to Web Applications (OAT) Project as an ontology.
Assess what additional complications this may introduce.
Also discussed:
How to move alarms from ELK into a threat intelligence platform such as MISP. Should this be:
Conversion from ELK to MISP (there are “watcher” apps which could help with translation of the data)?
A parallel step where we take the output from Logstash at the same time and port it into MISP?
We decided to do both steps in parallel, to
generate the ELK visualisation/dashboard feed, and
the MISP threat intelligence feed as well.
Determine build requirements for MISP; we want to build the PoC in the research lab at Anglia Ruskin University (which has server resources for the PoC) and can host OVA / Docker images if needed.
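The two points above (OAT tags added during conversion in Logstash, and the decision to feed ELK and MISP in parallel rather than converting ELK output into MISP) can be shown in one small converter. The code below is an added example, not code from the OWASP Honeypot project or from Tulja’s GSoC work, written in Python since that is the preferred language noted above. Its assumptions: the audit-log layout of the constructed sample line is written from memory of ModSecurity 2.9's JSON audit-log format and may differ from a real probe; the rule-tag to OAT mapping (OAT_BY_RULE_TAG) is illustrative; the owasp-oat machine-tag form is this example's own choice; and the MISP payload follows the Event/Attribute/Tag shape of the REST API's /events/add but is only built and returned, never sent.

```python
import json
import re
from datetime import datetime

# Constructed sample (invented values): one ModSecurity JSON audit-log line as a
# Docker-based probe would hand it to Logstash. Two CRS-style rule messages fired.
SAMPLE_AUDIT_LINE = json.dumps({
    "transaction": {
        "time": "22/Aug/2018:10:15:42 +0000",
        "transaction_id": "W30Cl38AAQEAAF1m0XkAAAAA",
        "remote_address": "203.0.113.10",
        "local_address": "10.0.0.5",
    },
    "request": {
        "request_line": "GET /admin/login.php?user=admin'%20OR%201=1-- HTTP/1.1",
        "headers": {"Host": "honeypot.example", "User-Agent": "sqlmap/1.2"},
    },
    "audit_data": {"messages": [
        'Warning. Found User-Agent associated with security scanner [id "913100"] '
        '[msg "Found User-Agent associated with security scanner"] '
        '[severity "CRITICAL"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS"]',
        'Warning. detected SQLi using libinjection [id "942100"] '
        '[msg "SQL Injection Attack Detected via libinjection"] '
        '[severity "CRITICAL"] [tag "attack-sqli"] [tag "OWASP_CRS"]',
    ]},
})

# Illustrative CRS rule tag -> OAT identifier mapping (an assumption of this
# example, not an agreed ontology mapping). Codes/names are from the OAT handbook.
OAT_BY_RULE_TAG = {
    "attack-reputation-scanner": ("OAT-014", "Vulnerability Scanning"),
    "attack-sqli": ("OAT-014", "Vulnerability Scanning"),
    "attack-reputation-crawler": ("OAT-011", "Scraping"),
    "attack-disclosure": ("OAT-018", "Footprinting"),
}

RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
RULE_MSG_RE = re.compile(r'\[msg "([^"]+)"\]')
RULE_TAG_RE = re.compile(r'\[tag "([^"]+)"\]')


def parse_audit_line(line):
    """Flatten one JSON audit-log line into an alert record with parsed rules."""
    entry = json.loads(line)
    tx, req = entry["transaction"], entry["request"]
    rules = []
    for text in entry.get("audit_data", {}).get("messages", []):
        rule_id = RULE_ID_RE.search(text)
        msg = RULE_MSG_RE.search(text)
        rules.append({"id": rule_id.group(1) if rule_id else None,
                      "msg": msg.group(1) if msg else text,
                      "tags": RULE_TAG_RE.findall(text)})
    stamp = datetime.strptime(tx["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {"transaction_id": tx["transaction_id"], "timestamp": stamp.isoformat(),
            "src_ip": tx["remote_address"], "dst_ip": tx["local_address"],
            "request_line": req["request_line"],
            "user_agent": req.get("headers", {}).get("User-Agent", ""),
            "rules": rules}


def oat_tags(alert):
    """Sorted, de-duplicated OAT tag names derived from the fired rules' tags."""
    found = set()
    for rule in alert["rules"]:
        for tag in rule["tags"]:
            if tag in OAT_BY_RULE_TAG:
                code, name = OAT_BY_RULE_TAG[tag]
                found.add('owasp-oat:%s="%s"' % (code, name))
    return sorted(found)


def to_elk_document(alert):
    """Document for the Elasticsearch index: every alert field plus OAT tags."""
    doc = dict(alert)
    doc["@timestamp"] = alert["timestamp"]
    doc["oat_tags"] = oat_tags(alert)
    return doc


def to_misp_event(alert):
    """MISP event payload in the assumed /events/add shape (returned, not sent)."""
    attributes = [
        {"type": "ip-src", "category": "Network activity", "value": alert["src_ip"], "to_ids": True},
        {"type": "uri", "category": "Network activity",
         "value": alert["request_line"].split(" ")[1], "to_ids": False},
        {"type": "user-agent", "category": "Network activity", "value": alert["user_agent"], "to_ids": False},
    ]
    for rule in alert["rules"]:
        if rule["id"]:
            attributes.append({"type": "comment", "category": "Other",
                               "value": "rule %s: %s" % (rule["id"], rule["msg"]), "to_ids": False})
    return {"Event": {"info": "ModSecurity honeypot alert " + alert["transaction_id"],
                      "date": alert["timestamp"][:10],
                      "distribution": 0, "threat_level_id": 3, "analysis": 0,
                      "Attribute": attributes,
                      "Tag": [{"name": t} for t in oat_tags(alert)]}}


def fan_out(line):
    """The parallel step: one audit line becomes (ELK document, MISP event)."""
    alert = parse_audit_line(line)
    return to_elk_document(alert), to_misp_event(alert)


if __name__ == "__main__":
    elk_doc, misp_event = fan_out(SAMPLE_AUDIT_LINE)
    print(json.dumps(elk_doc, indent=2))
    print(json.dumps(misp_event, indent=2))
```

Both rules in the sample map to the same OAT category, so the event carries a single de-duplicated tag; the ELK document keeps every raw field while the MISP event only carries the attributes worth sharing (source IP flagged to_ids, the requested URI and User-Agent, and one comment per fired rule).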
Major aims
Develop end-to-end PoC with multiple honeypots/probes
Capture attacks from an external source (ZAP could be used to generate the attack traffic in this instance) into Logstash in JSON format
Push the log alerts to ELK and MISP separately
Display alerts as threat intelligence in the MISP platform. Use evidence to prove this in terms of
Screenshots
Demo video
Test plan
Supporting documentation.
If this becomes the standard PoC, we can document it appropriately and determine variations and deltas to develop and test.
We need to raise this as an additional ticket on GitHub.
Outcomes/Deliverables
End-to-end PoC taking multiple Docker-based web honeypots deployed in AWS and pushing mlogc JSON alert output into a Docker-based Logstash, which pushes the alert output into ELK and MISP in parallel to give both visualisation/dashboard displays and threat intelligence feeds to the community.
Develop “Tags” within alerts generated by the probe, or by conversion within Logstash, utilising the OWASP Automated Threats to Web Applications (OAT) Project as an ontology. We also need to assess what additional complications this may introduce.
Reproduce tests from the previous Trustwave incarnation: use ModSec to inject a variable (bags = true), attempt to lure an attacker, and pick that out using the ModSec logs.
Investigate OWASP funding AWS Cloud usage for the Honeypot Project.
Follow up
Tulja to document integration of Docker-based probes with the Logstash Docker image using JSON and porting output into ELK.
Record Docker installation instructions and integration options
Investigate installation and configuration requirements for MISP and ease of deployment, both as a dedicated server and as a Docker image
Implement a MISP platform to receive multiple probe feeds within the AWS environment and the lab PoC, utilising Logstash, with a parallel feed into ELK.
Once the PoC is fully tested, produce documentation with
Full test plan
Screenshots
Configurations
Video demo
Rico to reproduce Tulja’s work (from GSoC) in the research lab environment, ready for academic paper output, especially deploying as AWS instances.