
How to quickly build ELK + OpenWAF environment

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces how to quickly build an ELK + OpenWAF environment. Many people run into this problem in real deployments, so the editor walks you through how to handle it. Read it carefully and you should come away with something useful.

Introduction to OpenWAF

OpenWAF is the first comprehensive open source Web application firewall (WAF) that analyzes HTTP request information on top of the nginx_lua API. OpenWAF consists of two engines: a behavior analysis engine and a rule engine. The rule engine mainly analyzes a single request, while the behavior analysis engine is responsible for tracking information across requests.

The rule engine is inspired by ModSecurity and lua-resty-waf, and implements the ModSecurity rule mechanism in Lua. On top of the rule engine it can enforce protocol specifications and protect against automated tools, injection attacks, cross-site attacks, information disclosure, abnormal requests and more. Rules can be added dynamically, so vulnerabilities can be patched promptly.

The behavior analysis engine includes anti-detection modules such as frequency-based fuzzy identification, anti-malicious-crawler and human/machine identification; anti-attack modules such as anti-CSRF, anti-CC, anti-privilege-escalation and file upload protection; and anti-information-disclosure modules such as cookie anti-tampering, hotlink protection, custom response headers and attack response pages.

Besides the two major engines, it also includes basic modules such as statistics, logging, attack response pages and access rules. Beyond the existing functional modules, OpenWAF supports dynamic configuration changes and dynamic loading of third-party modules, so protection can be upgraded without restarting the engine and disrupting the business.

OpenWAF supports packaging the functions above as policies, and different web applications can apply different policies for protection. In the future a cloud platform will be built on which policies can be shared for others' reference.

Introduction to ELK

ELK is the abbreviation of three different tools which, used in combination, cover the whole log analysis workflow.

Elasticsearch: an open source search engine based on Apache Lucene (TM); put simply, a tool for indexing and storing logs.

Logstash: an application that supports log transfer, filtering, management and search. It is generally used to collect and manage application logs, and provides a web interface for queries and statistics.

Kibana: a web platform for displaying log analysis in a friendlier way. Put simply, seeing is believing: various charts can be generated on it to show the results of log analysis more intuitively.

Installation

There are many ways to install ELK described online; only the Docker deployment is covered here.

Elasticsearch

Pull the elasticsearch docker image

docker pull elasticsearch

Start the elasticsearch container

docker run -d --name openwaf_es elasticsearch

Get the openwaf_es address

docker inspect openwaf_es | grep IPAddress

This returns the address 192.168.39.17. Note: the Elasticsearch service port is 9200.

Logstash

Pull the logstash docker image

docker pull logstash

Start the logstash container

docker run -it --name openwaf_logstash -v /root/logstash.conf:/usr/share/logstash/config/logstash.conf logstash -f /usr/share/logstash/config/logstash.conf

Note: the /root/logstash.conf file is as follows (the input block was missing its enclosing input { } section; it is restored here):

input {
    udp {                                # udp input configuration
        port => 60099                    # the log server listens on port 60099
        codec => "json"                  # receive JSON-formatted messages
    }
}
output {
    elasticsearch {
        hosts => ["192.168.39.17:9200"]  # elasticsearch address is 192.168.39.17, port 9200
    }
}

This configuration means that OpenWAF sends its JSON log over UDP to port 60099 of Logstash, and Logstash then stores it in Elasticsearch.

Get the openwaf_logstash address

docker inspect openwaf_logstash | grep IPAddress

This returns the address 192.168.39.18.

Kibana

Pull the kibana docker image

docker pull kibana

Start the kibana container

docker run -d --name openwaf_kibana -e ELASTICSEARCH_URL=http://192.168.39.17:9200 kibana

Get the openwaf_kibana address

docker inspect openwaf_kibana | grep IPAddress

This returns the address 192.168.39.19. Note: the Kibana service port is 5601.

OpenWAF

Configure the twaf_log module in conf/twaf_default_conf.json so that it points at the Logstash UDP input:

"twaf_log": {
    "sock_type": "udp",
    "content_type": "JSON",
    "host": "192.168.39.18",
    "port": 60099,
    ...
}
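The logstash.conf above and this twaf_log block are the two ends of one pipeline: OpenWAF emits one JSON document per UDP datagram, and the Logstash udp input with the json codec turns each datagram into an event. The following is an added example, not code from the article or from OpenWAF or Logstash, that emulates that exchange offline on the loopback interface so the contract can be checked before wiring real containers together. The event field names are assumptions (a WAF-style log, not OpenWAF's actual schema), the port is chosen by the OS instead of 60099 so the demo does not collide with a running Logstash, and the malformed-input handling mirrors what the Logstash json codec does: keep the raw text in message and add the _jsonparsefailure tag.

```python
import json
import socket

# Constructed sample event shaped like a WAF JSON log line. The field names are
# an assumption for this demo, not OpenWAF's real log schema.
SAMPLE_EVENT = {
    "timestamp": "2025-02-28T10:00:00Z",
    "remote_addr": "203.0.113.5",
    "request_uri": "/login?user=admin",
    "rule_id": "example-rule-1",
    "action": "deny",
}


def sample_payloads() -> list:
    """Datagrams a sender might emit: one valid JSON object, one garbage line,
    and one JSON value that is not an object (all constructed)."""
    return [
        json.dumps(SAMPLE_EVENT).encode("utf-8"),
        b"not json at all",
        b'["a", "list"]',
    ]


def decode_datagram(payload: bytes) -> dict:
    """Emulate the Logstash udp input + json codec on a single datagram.

    A well-formed JSON object becomes the event's fields. Anything else is kept
    as the raw 'message' and tagged '_jsonparsefailure', which is how the json
    codec surfaces undecodable input rather than silently dropping it. That tag
    is worth alerting on: it is the first sign of a misconfigured sender or of
    someone pushing non-log traffic at the collector port.
    """
    try:
        event = json.loads(payload.decode("utf-8"))
        if not isinstance(event, dict):
            raise ValueError("JSON payload is not an object")
        return event
    except (ValueError, UnicodeDecodeError):
        return {
            "message": payload.decode("utf-8", errors="replace"),
            "tags": ["_jsonparsefailure"],
        }


def send_event(host: str, port: int, payload: bytes) -> None:
    """Send one datagram, the way twaf_log does with sock_type 'udp'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))


def exercise_pipeline(payloads: list) -> list:
    """Bind a UDP listener on loopback (like the logstash udp input), send each
    payload to it, and return the decoded events in send order."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        # Port 0 lets the OS pick a free port; the article's Logstash uses 60099.
        listener.bind(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        listener.settimeout(5)
        for payload in payloads:
            send_event("127.0.0.1", port, payload)
            data, _peer = listener.recvfrom(65535)
            events.append(decode_datagram(data))
    return events


if __name__ == "__main__":
    for event in exercise_pipeline(sample_payloads()):
        print(json.dumps(event))
```

Two things the emulation makes visible. First, a UDP datagram carries no sender authentication and no delivery guarantee, so the Logstash port is only as trustworthy as the network that can reach it: keep 60099 reachable from the OpenWAF host alone (the Docker network or a host firewall rule), since any host that can reach it could inject events into the same index. Second, events tagged _jsonparsefailure should be kept and watched, not filtered away, because they are the cheapest signal that the WAF and the collector have drifted apart.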
