SIEM is security software capable of real-time analysis of events generated by applications and network hardware. Generally, an agent collects data from various sources on a monitored (potentially vulnerable) host and sends it to a server for processing. The acquired data is used to detect potential attacks as they happen.
Multiple Docker containers with different roles:
- Victim containers:
  - OWASP Juice Shop
  - Small Ubuntu image
  - For each of the above containers, tcpdump is executed to collect network traffic as logs
- Hostile containers: running different attacks on startup
Attack detection logic is encapsulated in separate pieces of code in a Jupyter notebook. Each piece is fed with batches of packets from tcpdump. After parsing and processing a batch, the algorithm can issue an alert stating that a certain type of attack might have occurred.
Victim containers are started and tcpdump continuously monitors the traffic sent and received on the network. Syslog aggregates all of these logs, which are then transmitted to a log management platform called Papertrail. As said earlier, there are multiple boxes of detection logic written in Python; these connect to the Papertrail platform and retrieve a number of packets for analysis.
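The following is an added example of what one such "box" of detection logic looks like; it is not code from the project. It assumes the batch arrives as plain tcpdump text lines (the sample lines below, including all IP addresses, are constructed) and implements two of the network detectors named later on the page: a SYN flood check (many bare SYNs from one source to one target in a batch) and a ping sweep check (one source sending ICMP echo requests to many distinct hosts). The thresholds are assumptions, not the project's values.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed tcpdump-style lines (not captured from the project):
# 150 bare SYNs from 10.0.0.99 to 10.0.0.2:80, a 20-host ping sweep from
# 10.0.0.7, and one benign three-way handshake from 10.0.0.3.
SAMPLE_BATCH = (
    [f"12:00:01.{i:06d} IP 10.0.0.99.{40000 + i} > 10.0.0.2.80: Flags [S], "
     f"seq {i}, win 64240, length 0" for i in range(150)]
    + [f"12:00:05.{i:06d} IP 10.0.0.7 > 10.0.0.{i}: ICMP echo request, "
       f"id 1, seq {i}, length 64" for i in range(1, 21)]
    + ["12:00:06.000001 IP 10.0.0.3.51000 > 10.0.0.2.80: Flags [S], seq 5, win 64240, length 0",
       "12:00:06.000002 IP 10.0.0.2.80 > 10.0.0.3.51000: Flags [S.], seq 9, ack 6, win 65160, length 0",
       "12:00:06.000003 IP 10.0.0.3.51000 > 10.0.0.2.80: Flags [.], ack 10, win 502, length 0"]
)

# tcpdump's default IP/TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
# ICMP echo request line: "<ts> IP <src> > <dst>: ICMP echo request, ..."
ICMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request")


@dataclass
class Packet:
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None for ICMP
    flags: str           # tcpdump flag string for TCP, "echo" for ICMP echo requests


def parse_batch(lines: List[str]) -> List[Packet]:
    """Turn raw tcpdump lines into Packet records; lines neither regex matches are skipped."""
    packets = []
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            packets.append(Packet("tcp", m["src"], m["dst"], int(m["dport"]), m["flags"]))
            continue
        m = ICMP_RE.match(line)
        if m:
            packets.append(Packet("icmp", m["src"], m["dst"], None, "echo"))
        # ARP, other ICMP types and truncated lines are ignored by these two detectors
    return packets


def detect_syn_flood(packets: List[Packet], threshold: int = 100) -> List[str]:
    """Alert when one source sends more than `threshold` bare SYNs (flags == 'S') to one port."""
    syns = Counter((p.src, p.dst, p.dport) for p in packets if p.proto == "tcp" and p.flags == "S")
    return [f"SYN flood suspected: {src} -> {dst}:{dport} ({n} SYNs in batch)"
            for (src, dst, dport), n in syns.items() if n > threshold]


def detect_ping_sweep(packets: List[Packet], min_targets: int = 10) -> List[str]:
    """Alert when one source sends echo requests to at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for p in packets:
        if p.proto == "icmp":
            targets[p.src].add(p.dst)
    return [f"Ping sweep suspected: {src} probed {len(hosts)} hosts"
            for src, hosts in targets.items() if len(hosts) >= min_targets]


def analyse_batch(lines: List[str]) -> List[str]:
    """The per-batch entry point: parse once, run every detector, return the alerts."""
    packets = parse_batch(lines)
    return detect_syn_flood(packets) + detect_ping_sweep(packets)


if __name__ == "__main__":
    for alert in analyse_batch(SAMPLE_BATCH):
        print(alert)
```

Both detectors count within a single batch, so the batch size retrieved from Papertrail effectively sets the time window; a flood split across two small batches would fall under the threshold in each, which is the usual argument for keeping per-source counters across batches rather than resetting them.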
- Web application specific attacks (OWASP Juice Shop):
  - Password spraying (one password is tried on multiple different users in a short period of time)
  - SQL injection (specific regular expressions matched against packet contents)
  - Brute force attack
- Network attacks detected:
  - Ping scanning
  - Denial-of-Service (SYN flood)
  - ARP cache poisoning
  - Exposed port detection
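An added example, not the project's code, for the web application detectors listed above. It assumes that login attempts against Juice Shop have already been extracted from the captured packets into (time, source IP, username, success) records (the sample records below are constructed) and shows how password spraying (one source, many distinct accounts in a short window) is told apart from brute force (one source, many failures on one account), plus the regular-expression check for SQL injection in a request body. Window sizes, thresholds and the pattern list are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LoginAttempt:
    t: float    # seconds since the start of the batch
    src: str    # client IP as seen by tcpdump
    user: str   # account name submitted in the login request
    ok: bool    # whether the server accepted the login


def build_sample() -> List[LoginAttempt]:
    """Constructed sample: a spray across 15 accounts, a 25-attempt brute force, one normal user."""
    spray = [LoginAttempt(i, "10.0.0.50", f"user{i}@juice-sh.op", False) for i in range(15)]
    brute = [LoginAttempt(100 + i, "10.0.0.60", "admin@juice-sh.op", False) for i in range(25)]
    normal = [LoginAttempt(200, "10.0.0.3", "alice@juice-sh.op", False),
              LoginAttempt(203, "10.0.0.3", "alice@juice-sh.op", True)]
    return spray + brute + normal


def detect_credential_attacks(attempts: List[LoginAttempt], window: float = 60.0,
                              spray_users: int = 10, brute_failures: int = 20) -> List[str]:
    """Sliding-window detector keyed on source IP; each (source, kind, account) alerts once."""
    alerts: List[str] = []
    seen = set()
    recent = defaultdict(deque)  # per-source attempts inside the window
    for a in sorted(attempts, key=lambda x: x.t):
        q = recent[a.src]
        q.append(a)
        while q and a.t - q[0].t > window:   # drop attempts that fell out of the window
            q.popleft()
        # spraying: many distinct accounts from one source inside the window
        users = {x.user for x in q}
        if len(users) >= spray_users and (a.src, "spray") not in seen:
            seen.add((a.src, "spray"))
            alerts.append(f"password spraying: {a.src} tried {len(users)} accounts in {window:.0f}s")
        # brute force: many failures against the same account from one source
        failures = sum(1 for x in q if x.user == a.user and not x.ok)
        if failures >= brute_failures and (a.src, "brute", a.user) not in seen:
            seen.add((a.src, "brute", a.user))
            alerts.append(f"brute force: {a.src} {failures} failed logins for {a.user} in {window:.0f}s")
    return alerts


# Assumed patterns for the SQL injection detector: a quote followed by a boolean
# tautology, a UNION SELECT, or an SQL comment opener. Deliberately narrow; tune per app.
SQLI_RE = re.compile(r"(?i)('\s*(or|and)\s+[^\s=]+\s*=|\bunion\b\s+(all\s+)?select\b|--\s*$|/\*)")


def looks_like_sqli(body: str) -> bool:
    """True when a request body matches one of the injection patterns above."""
    return SQLI_RE.search(body) is not None


if __name__ == "__main__":
    for alert in detect_credential_attacks(build_sample()):
        print(alert)
    print(looks_like_sqli("' OR 1=1--"))
```

Grouping by source IP is the simplest choice and catches the single-host attacker the project's hostile containers model; a spray spread across many sources would only show up if the window logic were also keyed on the submitted password or on the global count of distinct accounts hit, which is the usual refinement in a production SIEM rule.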