Ressie is an open-source SIEM component for the ELK stack. It provides real-time monitoring, alerting and threat analysis.
This work is a SIEM proof of concept, not a hardened product. Use at your own risk! The pinned stack below (PHP 5.6, Elastic 5.x) is end-of-life and no longer receives security fixes, so run it only in an isolated lab.
- MySQL 5.7 - https://hub.docker.com/_/mysql/
- Ubuntu + PHP 5.6 + Apache 2 + (filebeat & networkbeat)
- Elasticsearch 5
- Logstash 5
- Kibana 5
- MySQL 5.7 - Ressie operational DB
- Custom alerting (email, Slack, ...)
- Indexed FuzzDB attack patterns for full-text search over the attack database
- Per-service configuration
- Pattern matching
- IP reputation checks against Tor exit-node lists and VirusTotal
- Concurrent processing (threading)
- Blacklist patterns
- Whitelist patterns
- Usage log
- Triggering predefined reactive scripts
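The following is an added example, not Ressie's own code, showing how the pattern-matching, blacklist/whitelist, Tor-check and reactive-script features in the list above fit together in a minimal Python pipeline. The attack patterns, the whitelist, the Tor exit set and the access-log lines are all constructed inline for illustration (the real project indexes FuzzDB and queries Tor/VirusTotal live); RFC 5737 addresses are used so nothing here points at a real host.

```python
"""Minimal log-scanning pipeline: parse access-log lines, URL-decode the
request path, skip whitelisted paths, match blacklisted attack patterns,
flag Tor exit sources and plan a reaction per alert.
Added example; not part of the Ressie project."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Common-log-format prefix of an Apache/nginx access line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Blacklist: constructed stand-ins for FuzzDB-style attack patterns.
# Order matters: the first rule that matches names the alert.
BLACKLIST = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1|sleep\(\d+\)", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
    "xss": re.compile(r"<script|javascript:", re.I),
}

# Whitelist: paths allowed to carry odd-looking input (constructed
# example: an internal health-check endpoint). Whitelist wins.
WHITELIST = [re.compile(r"^/healthz(\?|$)")]

# Constructed Tor exit-node set; a deployment would pull the live list.
TOR_EXITS = frozenset({"198.51.100.7"})


@dataclass(frozen=True)
class Alert:
    ip: str
    rule: str
    path: str
    tor_exit: bool


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a request matching a blacklist rule, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not alerted on
    # Decode before matching so %27%20OR%201=1 is seen as ' OR 1=1.
    path = unquote_plus(m["path"])
    if any(w.search(path) for w in WHITELIST):
        return None
    for rule, pattern in BLACKLIST.items():
        if pattern.search(path):
            return Alert(m["ip"], rule, path, m["ip"] in TOR_EXITS)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Scan every line and collect the alerts in log order."""
    return [a for a in map(classify, lines) if a is not None]


def reactions(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Plan reactive actions: block attackers coming from Tor exits,
    only notify for everyone else (a hypothetical policy)."""
    return [("block", a.ip) if a.tor_exit else ("notify", a.ip) for a in alerts]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2326',
    '198.51.100.7 - - [10/Oct/2017:13:55:37 +0000] "GET /index.php?id=1%27%20OR%201=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2017:13:55:38 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.2 - - [10/Oct/2017:13:55:39 +0000] "GET /healthz?q=%3Cscript%3E HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert, action in zip(found, reactions(found)):
        print(alert, "->", action)
```

The whitelist check runs before the blacklist, which is the usual precedence for suppressing known-good noise; the health-check line above carries a `<script>` fragment yet produces no alert, while the URL-encoded SQL injection from the Tor exit is decoded, matched and scheduled for a block.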
TODO:
- UI (configuration, visualisation, daily reports)
- Machine learning implementation
- Suspicious usage monitor
Navigate to project root
$ cd ./ressie
- Docker
- Docker Compose
- MySQL database server (local, for Ressie's own data)
Create and configure a variables.env file based on variables.env.example:
```
# PostgreSQL settings
POSTGRES_USER=postgres
POSTGRES_PASSWORD=secret
PGDATA=/var/lib/postgresql/data/pgdata
# MySQL settings
MYSQL_ROOT_PASSWORD=secret
MYSQL_DATABASE=databaseName
MYSQL_USER=databaseUser
MYSQL_PASSWORD=databaseSecret
```
#### Run architecture
Navigate to project root
$ cd ./ressie
$ docker-compose up
To feed a log file into the stack through the Logstash TCP input on port 5000 (Logstash then indexes it into Elasticsearch), use:
$ nc localhost 5000 < /path/to/logfile.log
Set up services from config:
$ cd ./ressie/ressie/configurations/
- Name the file config.prod
- Use the example config as a template and fill in your own credentials and preferences
- Save it
Navigate to the app root
$ cd ./ressie
Then run:
$ python -m help
Big thanks to:
- Adam Muntner - FuzzDB project - used for pattern recognition
- Anthony Lapenna - Docker ELK stack - used as the base of the test architecture
Lovro Predovan 2017