arall / elastic-modsecurity

Example of the Elastic stack (Elasticsearch, Kibana, Elastic Agent) and ModSecurity with DVWA


Guide

Copy the .env.example into .env:

cp .env.example .env

Populate the .env file with your settings. You must generate a password for the Elastic and Kibana users.

Start Elastic stack:

cd elastic
docker-compose -f docker-compose-elastic.yml up -d

Once Kibana is ready:

# Prepare the FLEET application on kibana
curl -k -u "elastic:<es_password>" -XPOST http://localhost:5601/api/fleet/setup --header 'kbn-xsrf: true'

# Create a Fleet Server Policy
curl -k -u "elastic:<es_password>" "http://localhost:5601/api/fleet/agent_policies?sys_monitoring=true" \
--header 'kbn-xsrf: true' \
--header 'Content-Type: application/json' \
--data-raw '{"id":"fleet-server-policy","name":"Fleet Server policy","description":"","namespace":"default","monitoring_enabled":["logs","metrics"],"has_fleet_server":true}'

# Update Fleet Server URL
curl -k -u "elastic:<es_password>" -XPUT "http://localhost:5601/api/fleet/settings" \
--header 'kbn-xsrf: true' \
--header 'Content-Type: application/json' \
--data-raw '{"fleet_server_hosts":["http://fleet:8220"]}'

# Update Fleet Output
curl -k -u "elastic:<es_password>" -XPUT "http://localhost:5601/api/fleet/outputs/fleet-default-output" \
--header 'kbn-xsrf: true' \
--header 'Content-Type: application/json' \
--data-raw '{"name":"default","type":"elasticsearch","is_default":true,"is_default_monitoring":true,"hosts":["https://elasticsearch:9200"],"config_yaml": "ssl.certificate_authorities: [\"/usr/share/elastic-agent/config/certs/ca/ca.crt\"]"}'

# Generate Service token
curl -k -u "elastic:<es_password>" -s -X POST http://localhost:5601/api/fleet/service-tokens --header 'kbn-xsrf: true' | jq -r .value

Save the token returned by the last command into the .env file as the FLEET_SERVER_SERVICE_TOKEN variable.

Navigate to Kibana and edit the policy at http://localhost:5601/app/fleet/policies/fleet-server-policy. Add the ModSecurity and Apache integrations to it, keeping their default settings.

Then start the Fleet Server and the Elastic Agent:

docker-compose -f docker-compose-fleet.yml up -d

Then navigate to http://localhost, log in with admin:admin and initialize DVWA. Log in again with admin:password and perform some attacks, for example by navigating to http://localhost/vulnerabilities/sqli/?id=%27+OR+1+%3D+1+--+&Submit=Submit#.

These requests should generate Apache2 and ModSecurity logs, which the Elastic Agent ships to Elasticsearch and which can then be viewed in Kibana.
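The five curl calls in the guide above (Fleet setup, Fleet Server policy, Fleet Server host, default output, service token) are easy to get wrong by hand, and passing the password on the command line leaves it in the process list and shell history. The script below is an added example, not a script from the arall/elastic-modsecurity repository: it runs the same API calls in order, aborts on the first HTTP error, keeps the password in a 0600 netrc file instead of a `-u` argument, and writes the returned token into .env as FLEET_SERVER_SERVICE_TOKEN. It assumes the elastic superuser password is stored in .env as ELASTIC_PASSWORD (the guide does not name that variable) and otherwise uses the Kibana URL, policy id, output id and hosts from the guide.

```shell
#!/bin/sh
# Added example, not part of the arall/elastic-modsecurity repository.
# Scripts the Kibana Fleet API steps of the guide and stores the service
# token in .env. Assumption: the elastic password is in .env as
# ELASTIC_PASSWORD; the guide itself does not name that variable.
set -eu

KIBANA_URL="${KIBANA_URL:-http://localhost:5601}"
ENV_FILE="${ENV_FILE:-.env}"

# Read KEY=VALUE from an env file without sourcing it, so nothing in the
# file is ever evaluated by the shell. Prints the last matching value.
read_env_var() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Write KEY=VALUE into an env file: replace an existing line or append one.
# A temp file plus mv keeps the update atomic and avoids GNU-only `sed -i`.
# (Values containing sed's `&`, `\` or `|` would need escaping; service
# tokens are base64 and contain none of them.)
set_env_var() {
  if grep -q "^$2=" "$1" 2>/dev/null; then
    sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# Hostname part of a URL (scheme, port and path stripped), for the netrc entry.
kibana_host() {
  local h
  h="${1#*://}"
  h="${h%%/*}"
  printf '%s\n' "${h%%:*}"
}

# Call the Fleet API. Credentials come from a 0600 netrc file rather than
# `-u elastic:<password>`, so the password never shows up in `ps` output or
# shell history. Every write to Kibana's API needs the kbn-xsrf header, and
# --fail turns any HTTP error into a non-zero exit that `set -e` catches.
fleet_api() {
  curl -sS --fail --netrc-file "$NETRC" -X "$1" "${KIBANA_URL}$2" \
    -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
    ${3:+--data-raw "$3"}
}

fleet_bootstrap() {
  ES_PASSWORD="$(read_env_var "$ENV_FILE" ELASTIC_PASSWORD)"
  [ -n "$ES_PASSWORD" ] || { echo "ELASTIC_PASSWORD not set in $ENV_FILE" >&2; exit 1; }

  NETRC="$(mktemp)"          # mktemp creates the file with mode 0600
  trap 'rm -f "$NETRC"' EXIT
  printf 'machine %s login elastic password %s\n' \
    "$(kibana_host "$KIBANA_URL")" "$ES_PASSWORD" > "$NETRC"

  echo "Preparing Fleet"
  fleet_api POST /api/fleet/setup > /dev/null

  echo "Creating Fleet Server policy"
  fleet_api POST '/api/fleet/agent_policies?sys_monitoring=true' \
    '{"id":"fleet-server-policy","name":"Fleet Server policy","description":"","namespace":"default","monitoring_enabled":["logs","metrics"],"has_fleet_server":true}' > /dev/null

  echo "Setting Fleet Server host"
  fleet_api PUT /api/fleet/settings '{"fleet_server_hosts":["http://fleet:8220"]}' > /dev/null

  echo "Pointing the default output at Elasticsearch"
  fleet_api PUT /api/fleet/outputs/fleet-default-output \
    '{"name":"default","type":"elasticsearch","is_default":true,"is_default_monitoring":true,"hosts":["https://elasticsearch:9200"],"config_yaml":"ssl.certificate_authorities: [\"/usr/share/elastic-agent/config/certs/ca/ca.crt\"]"}' > /dev/null

  echo "Generating Fleet Server service token"
  TOKEN="$(fleet_api POST /api/fleet/service-tokens | jq -r .value)"
  [ -n "$TOKEN" ] && [ "$TOKEN" != null ] || { echo "no service token returned" >&2; exit 1; }
  set_env_var "$ENV_FILE" FLEET_SERVER_SERVICE_TOKEN "$TOKEN"
  echo "FLEET_SERVER_SERVICE_TOKEN written to $ENV_FILE"
}

# Run only when explicitly asked, so the file can also be sourced for its helpers:
#   RUN_FLEET_SETUP=1 sh fleet-setup.sh
if [ "${RUN_FLEET_SETUP:-0}" = 1 ]; then
  fleet_bootstrap
fi
```

Run it with `RUN_FLEET_SETUP=1 sh fleet-setup.sh` from the directory holding .env, after `docker-compose -f docker-compose-elastic.yml up -d` and once Kibana answers on port 5601. The script is not idempotent: a second run stops at the policy step because the id `fleet-server-policy` already exists, which is exactly the failure `--fail` is there to surface rather than silently continue past. The `-k` flag from the guide is dropped because the Kibana URL here is plain http; add it back only if you front Kibana with a self-signed certificate.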
