Webserver Gets a Probe (Web IDS)
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
debian
doc
etc/wgap-probe
lib
test
.drone.yml
.gitignore
LICENSE
README.rst
deploy.py
requirements.txt
setup.py
wgap-probe

README.rst

WGAP : Webserver Gets a Probe

Auditing probe for webservers

This tool is based on IoVisor/bcc and need a Linux 4.6+ kernel, headers.

The probe runs on webservers and sends events to a collector daemon ( hindsight <https://github.com/mozilla-services/hindsight>) or hekad <https://github.com/mozilla-services/heka> for example).

Minimum Requirements

Optional Requirements

  • py.test 2.7 (for running the test suite)
  • Sphinx 1.3 (for generating documentation)

Events

The probes listens events from uid > 1000 (normal users):

  • file write operations : __sys_open
  • TCP connect (80, 443, 25) : __tcp_v4_connect
  • UDP packets sent (Dos) :
  • Server socket listen: __inet_listen
  • Command execution : __sys_execve

Event message format

  • timestamp : nanosecond
  • event : FILE_WRITE, FILE_READ, TCP_CONN, UDP_PKT, SOCK_LISTEN, EXEC
  • host : hostname
  • uid
  • gid
  • pid
  • namespace
  • process_name
  • cwd : current working directory of the process
  • fields :
    • src_addr / dst_addr / src_port / dst_port
    • filename, filepath
    • ...

Basic Setup

Install for the current user:

$ python setup.py install --user

Run the application:

$ python -m wgap --help

Run the test suite:

$ py.test test/

Build documentation:

$ cd doc && make html

Deploy the application in a self-contained Virtualenv environment:

$ python deploy.py /path/to/apps
$ cd /path/to/apps/ && wgap/bin/cli --help