ICL-ml4csec/RAS
RAS - Research Attack Simulation Environment

A versatile, containerized framework for replicating diverse attack scenarios and capturing the resulting artifacts for security analysis and defensive system development. Scenarios are defined modularly, and network packet capture is built in.

πŸ—οΈ Definitions

RAS revolves around scenarios that define the environment and attack vectors. Each scenario consists of:

  • Containers: Docker images for services (e.g., nginx, Juice Shop)
  • Networks: Docker networks for communication
  • Configurations: Nginx and ModSecurity configurations
  • Artifacts: Output directories for logs and packet captures

We provide two example scenarios:

  1. Vanilla: Basic setup with nginx proxying to Juice Shop, no WAF.
  2. WAF: Same setup with ModSecurity WAF enabled, preventing suspicious payloads from reaching the application.

🚀 Quick Start

Prerequisites

  • Docker and Docker Compose
  • sudo access (for packet capture)

Basic Usage

# Start vanilla scenario
./ras.sh vanilla start

# Stop scenario and cleanup
./ras.sh vanilla stop

# Start WAF scenario with packet capture
./ras.sh waf start --sniff edge

./ras.sh waf stop

📋 Commands

Scenario Management

./ras.sh <scenario> <command> [options]

Scenarios:

  • vanilla - No WAF protection
  • waf - ModSecurity WAF enabled

Commands:

  • start [--sniff BRIDGE] - Start containers (optionally with packet capture)
  • stop - Stop containers and packet capture
  • restart - Restart containers
  • logs - Show container logs
  • bridges - Show available network bridges
  • clean - Remove all containers and data

Packet Capture Options

Use --sniff with the start command:

  • edge - Capture attacker/shopper ↔ nginx traffic
  • appnet - Capture nginx ↔ web service traffic
  • both - Capture both networks

πŸ“ Output Structure

scenario-vanilla/
└── out/
    β”œβ”€β”€ nginx/     # Nginx access/error logs
    └── pcap/      # Packet captures (timestamped)

scenario-waf/
└── out/
    β”œβ”€β”€ nginx/     # Nginx logs
    β”œβ”€β”€ waf/       # ModSecurity logs
    └── pcap/      # Packet captures (timestamped)

Packet Capture

Packet capture must be enabled with the --sniff option. Captures are stored in:

  • scenario-<name>/out/pcap/
  • Timestamped PCAP files (YYYYMMDD-HHMMSS format)
  • Automatic cleanup when stopping containers
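The helper below is an added example, not part of the RAS scripts, showing the two pieces a --sniff capture needs: resolving a Docker network to the Linux bridge it is attached to, and writing the capture to the timestamped path under scenario-<name>/out/pcap/ described above. It assumes the Docker default of naming a user-defined bridge network's interface "br-" followed by the first 12 characters of the network id; the network and scenario names are placeholders.

```shell
#!/bin/sh
# Added example (not RAS's own code): map a Docker network to its bridge and
# capture it into the RAS output layout. Assumption: Docker's default bridge
# naming (br-<first 12 hex chars of the network id>) is in effect.
set -eu

# Pure helper: full Docker network id -> Linux bridge interface name.
bridge_name_from_id() {
  printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Pure helper: timestamped capture path in the README's YYYYMMDD-HHMMSS form.
# A second argument fixes the timestamp (used for tests); otherwise "now".
pcap_path() {
  stamp="${2:-$(date +%Y%m%d-%H%M%S)}"
  printf 'scenario-%s/out/pcap/%s.pcap\n' "$1" "$stamp"
}

# Look up the bridge behind a named Docker network (needs a running daemon;
# the network name, e.g. "edge", is a placeholder).
bridge_for_network() {
  net_id="$(docker network inspect -f '{{.Id}}' "$1")"
  bridge_name_from_id "$net_id"
}

# Capture one network into the scenario's pcap directory. Captures need root,
# which is why the README lists sudo as a prerequisite. -U flushes each packet
# to disk so a capture stopped with a signal is still readable.
capture_network() {
  scenario="$1"; net="$2"
  bridge="$(bridge_for_network "$net")"
  out="$(pcap_path "$scenario")"
  mkdir -p "$(dirname "$out")"
  sudo tcpdump -i "$bridge" -U -w "$out"
}
```

Run `capture_network waf edge` in a second terminal after `./ras.sh waf start` if you want a capture managed separately from the scenario's own --sniff lifecycle.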

🔧 Examples

# Start vanilla with full network capture
./ras.sh vanilla start --sniff both

# View WAF scenario logs in real-time
./ras.sh waf logs

# Check available bridges for waf scenario
./ras.sh waf bridges

# Clean everything for vanilla scenario
./ras.sh vanilla clean

# Restart waf scenario with edge capture
./ras.sh waf restart
./ras.sh waf start --sniff edge

πŸ› Troubleshooting

Containers won't start:

./ras.sh <scenario> clean
./ras.sh <scenario> start

Permission issues:

./ras.sh <scenario> fix-permissions

Can't find networks:

  • Ensure the containers are running before using the --sniff option or the bridges command

About

Reproducible Attack Scenarios