This is a university project demonstrating the usage of the Elastic Stack to process and visualize System calls produced by Sysdig.
To run the whole system at once, call run.sh with the name of the container whose syscalls should be tracked, e.g.
$ ./run.sh ${CONTAINER_NAME}
This will fix potential problems (see below), bring up all containers and watch the given container's syscalls with sysdig.
If you don't want sysdig to track syscalls at all, pass --no-track instead of a container name:
$ ./run.sh --no-track
If you instead only want to run sysdig to track a container's syscalls, call
$ ./run.sh --only-track ${CONTAINER_NAME}
To run the modified DVWA together with some client containers (located in ./dvwa-app) and track the victim container, call
$ ./run.sh dvwa-app_victim_1
When the Elastic Stack and the DVWA are up and running, you can see the syscalls visualized in Kibana. At some point you might want to start the attacker container, which performs SQL injection attacks against the DVWA, and watch the dashboard change. Do so by running:
$ docker-compose -f ./dvwa-app/docker-compose.yml up -d --scale attacker=1
- run.sh - execute to start the Elastic Stack and track the specified container's syscalls
- dashboard_and_visualizations.ndjson - a newline-delimited JSON file configuring all Kibana objects (dashboard and visualizations)
- elasticsearch-default-filebeat-mapping.json - the mapping to be applied to the Elasticsearch index
- sysdig-utils - some utility scripts to get lists of e.g. all Sysdig-supported syscalls or all syscall parameters
- DummyApp - a containerized Nginx serving as a simple test container
- dvwa-app - the modified and containerized DVWA
- Filebeat - a Filebeat container watching the sysdig log file and sending beats to Logstash
- logstash-conf - the Logstash configuration defining a single pipeline
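To make concrete what the pipeline has to do with a sysdig log line before Kibana can chart it, here is an added example that is not part of this project: a small Python parser for sysdig's default output format (`%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info`) that turns each line into a JSON-style document and aggregates syscall counts per process. The sample lines are constructed for the example, the document field names are an assumption (the project's Logstash filters and Elasticsearch mapping may use different names), and the aggregation counts only enter events (`>`) so that each syscall is counted once rather than twice.

```python
import json
import re
from collections import Counter

# sysdig default output format:
#   %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
SYSDIG_LINE = re.compile(
    r"^(?P<num>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<cpu>\d+)\s+"
    r"(?P<proc>\S+)\s+"
    r"\((?P<tid>\d+)\)\s+"
    r"(?P<dir>[<>])\s+"
    r"(?P<type>\w+)"
    r"(?:\s+(?P<info>.*))?$"
)

# Start of a key=value argument inside %evt.info. Values (e.g. data=...) may
# contain spaces, so each value runs until the next " key=" token.
KV_KEY = re.compile(r"(?:^|\s)(\w+)=")

# Constructed sample lines in sysdig's default format (not captured from the project).
SAMPLE_LINES = [
    "41 11:37:49.256826585 0 nginx (1234) > accept",
    "42 11:37:49.256901120 0 nginx (1234) < accept fd=12(<4t>10.0.0.5:51234->10.0.0.2:80) tuple=... queuepct=0",
    "43 11:37:49.257010000 1 nginx (1234) > read fd=12(<4t>10.0.0.5:51234->10.0.0.2:80) size=1024",
    "44 11:37:49.257100000 1 nginx (1234) < read res=87 data=GET /login.php HTTP/1.1..",
    "45 11:37:49.300000000 0 mysqld (2345) > write fd=5(<f>/var/lib/mysql/ib_logfile0) size=512",
    "46 11:37:49.300100000 0 mysqld (2345) < write res=512 data=...",
    "this line is not sysdig output",
]


def parse_info(info):
    """Split the %evt.info field into a dict of syscall arguments."""
    args = {}
    matches = list(KV_KEY.finditer(info))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(info)
        args[m.group(1)] = info[m.end():end].strip()
    return args


def parse_line(line):
    """Return a document for one sysdig line, or None if the line does not match."""
    m = SYSDIG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    info = m.group("info")
    return {
        "evt_num": int(m.group("num")),
        "time": m.group("time"),
        "cpu": int(m.group("cpu")),
        "proc_name": m.group("proc"),
        "thread_tid": int(m.group("tid")),
        "dir": m.group("dir"),          # ">" = syscall enter, "<" = syscall exit
        "type": m.group("type"),        # syscall name, e.g. read / write / accept
        "args": parse_info(info) if info else {},
    }


def parse_lines(lines):
    """Parse all lines, silently dropping anything that is not sysdig output."""
    docs = []
    for line in lines:
        doc = parse_line(line)
        if doc is not None:
            docs.append(doc)
    return docs


def syscall_counts(docs):
    """Count enter events per (process, syscall), as a dashboard would chart them."""
    counts = Counter()
    for doc in docs:
        if doc["dir"] == ">":
            counts[(doc["proc_name"], doc["type"])] += 1
    return counts


if __name__ == "__main__":
    documents = parse_lines(SAMPLE_LINES)
    for document in documents:
        print(json.dumps(document))
    for (proc, syscall), n in sorted(syscall_counts(documents).items()):
        print(f"{proc:8} {syscall:8} {n}")
```

Feeding the real log file into `parse_lines` (one line per iteration) and sending each document to Elasticsearch is essentially what the Filebeat/Logstash stages do here; the per-process counts are the same aggregation a Kibana bar chart computes over the `type` field.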
To stop all Docker containers, run:
$ docker-compose -f dvwa-app/docker-compose.yml down -v && docker-compose down -v
The setup of the Elastic Stack is heavily based on https://elk-docker.readthedocs.io/