WGAP : Webserver Gets a Probe

Auditing probe for webservers

This tool is based on IoVisor/bcc and needs a Linux 4.6+ kernel and its headers.

The probe runs on webservers and sends events to a collector daemon, for example hindsight <https://github.com/mozilla-services/hindsight> or hekad <https://github.com/mozilla-services/heka>.

Minimum Requirements

Optional Requirements

  • py.test 2.7 (for running the test suite)
  • Sphinx 1.3 (for generating documentation)

Events

The probe listens for events from uid > 1000 (normal users):

  • file write operations : __sys_open
  • TCP connect (80, 443, 25) : __tcp_v4_connect
  • UDP packets sent (DoS) :
  • Server socket listen: __inet_listen
  • Command execution : __sys_execve

Event message format

  • timestamp : nanosecond
  • event : FILE_WRITE, FILE_READ, TCP_CONN, UDP_PKT, SOCK_LISTEN, EXEC
  • host : hostname
  • uid
  • gid
  • pid
  • namespace
  • process_name
  • cwd : current working directory of the process
  • fields :
    • src_addr / dst_addr / src_port / dst_port
    • filename, filepath
    • ...
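A collector-side check of this message format, as an added example that is not part of the WGAP code base. It assumes events arrive JSON-encoded, one per line; the wire encoding, the per-event mapping in EVENT_FIELDS, the helper name parse_event and the sample values are all assumptions.

```python
import json

# Top-level keys and event types as listed in the README.
REQUIRED = ("timestamp", "event", "host", "uid", "gid", "pid",
            "namespace", "process_name", "cwd", "fields")
EVENTS = {"FILE_WRITE", "FILE_READ", "TCP_CONN", "UDP_PKT", "SOCK_LISTEN", "EXEC"}
# Assumption: which "fields" entries each event type carries. The README
# names the fields but does not give the per-event mapping.
EVENT_FIELDS = {
    "FILE_WRITE": ("filename", "filepath"),
    "FILE_READ": ("filename", "filepath"),
    "TCP_CONN": ("src_addr", "dst_addr", "src_port", "dst_port"),
    "UDP_PKT": ("src_addr", "dst_addr", "src_port", "dst_port"),
}
MIN_UID = 1000  # the probe only reports uid > 1000


def parse_event(line):
    """Return (event, errors) for one event line (JSON encoding assumed)."""
    try:
        ev = json.loads(line)
    except ValueError as exc:
        return None, ["not valid JSON: %s" % exc]
    if not isinstance(ev, dict):
        return None, ["top-level value is not an object"]
    errors = ["missing key: %s" % k for k in REQUIRED if k not in ev]
    kind = ev.get("event")
    if "event" in ev and (not isinstance(kind, str) or kind not in EVENTS):
        errors.append("unknown event type: %r" % (kind,))
        kind = None
    uid = ev.get("uid")
    if isinstance(uid, int) and uid <= MIN_UID:
        errors.append("uid %d is outside the uid > 1000 filter" % uid)
    fields = ev.get("fields")
    if "fields" in ev and not isinstance(fields, dict):
        errors.append("fields is not an object")
    elif isinstance(fields, dict) and kind:
        for name in EVENT_FIELDS.get(kind, ()):
            if name not in fields:
                errors.append("fields.%s missing for %s" % (name, kind))
    return ev, errors


# Constructed sample event, not captured from a real probe.
SAMPLE_OK = json.dumps({
    "timestamp": 1500000000000000000, "event": "TCP_CONN", "host": "web01",
    "uid": 1001, "gid": 1001, "pid": 4242, "namespace": 4026531836,
    "process_name": "php-fpm", "cwd": "/var/www",
    "fields": {"src_addr": "192.0.2.10", "dst_addr": "198.51.100.7",
               "src_port": 51514, "dst_port": 25}})
```

An event that arrives with a uid at or below 1000, or without the address fields on a network event, is reported in the error list rather than silently accepted, which helps spot a misconfigured or spoofed sender at the collector.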

Basic Setup

Install for the current user:

$ python setup.py install --user

Run the application:

$ python -m wgap --help

Run the test suite:

$ py.test test/

Build documentation:

$ cd doc && make html

Deploy the application in a self-contained Virtualenv environment:

$ python deploy.py /path/to/apps
$ cd /path/to/apps/ && wgap/bin/cli --help

About

Webserver Gets a Probe (Web IDS)
