|
1 | | -<img src="https://raw.githubusercontent.com/Microflow-IO/microflow-sentinel/main/github_microflow.png" alt="logo" style="float:left; margin-right:10px;" /> |
| 1 | +<img src="https://github.com/Microflow-IO/microflow-nano/blob/main/docs/github_microflow_B.png" alt="logo" style="float:left; margin-right:10px;" /> |
| 2 | + |
2 | 3 |
|
3 | 4 |
|
4 | 5 | # ModSecurity for Anylog |
5 | 6 |
|
6 | 7 |
|
7 | 8 |
|
8 | | -## 🎬Background |
9 | 9 |
|
10 | | -How to achieve application-level lateral movement attack detection and sensitive data abnormal behavior warning without affecting the environment and business process, without blind spots, in cloud and cloud-native environments, is two difficulties in the industry; |
| 10 | + |
| 11 | +## 🎬Background |
| 12 | + |
| 13 | +In cloud and cloud-native environments, how to achieve application-level lateral movement attack detection, and sensitive data abnormal behavior warning, without affecting the environment and business, without blind spots, is two difficulties in the industry; |
| 14 | + |
| 15 | + |
11 | 16 |
|
12 | 17 | ## 🛠Resolvent |
13 | 18 |
|
14 | 19 | ModSecurity is a famous WAF engine, but the original version of ModSecurity can only detect Raw Packet, which is usually only used for traditional architecture and cloud boundary security; |
15 | 20 |
|
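Review bot: the rewritten Background sentence (new line 13) keeps the subject/verb mismatch of the old one: the subject is the pair "how to achieve ... detection" and "... warning", so it should read "are two difficulties", and the sentence should end with a period rather than a semicolon; the commas around "and sensitive data abnormal behavior warning" also split the list awkwardly. Suggest: "In cloud and cloud-native environments, detecting application-level lateral movement and warning on abnormal access to sensitive data, without affecting the environment or business and without blind spots, are two well-known difficulties in the industry." Moving the `## 🎬Background` heading below the blank line is fine, but the added blank lines 14 and 15 plus the existing line 16 leave three consecutive blank lines before `## 🛠Resolvent`; keep one. The unchanged heading word "Resolvent" is a mathematics term; "Solution" or "Approach" is what is meant.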
16 | | -Microflow Sentinel (hereinafter referred to as MFS) can obtain fine-grained traffic logs inside cloud and cloud-native environments in an ultra-lightweight way; |
| 21 | +Nano Probe can obtain fine-grained traffic logs inside cloud and cloud-native environments in an ultra-lightweight way; |
| 22 | + |
| 23 | +If we modify ModSecurity to analyze the HTTP fine-grained logs output by Nano, we can, in principle, fully leverage ModSecurity's detection capabilities to detect various application-level lateral movement attacks and sensitive data behavior anomalies within the cloud and cloud-native environments. |
| 24 | + |
17 | 25 |
|
18 | | -If we modify ModSecurity to analyze the HTTP fine-grained logs output by MFS, we can, in principle, fully leverage ModSecurity's detection capabilities to detect various application-level lateral movement attacks and sensitive data behavior anomalies within the cloud and cloud-native environments. |
19 | 26 |
|
20 | 27 | ## 📠MSA Introduction |
21 | 28 |
|
22 | | -ModSecurity for Anylog (hereinafter referred to as MSA) is based on the above background and method. |
| 29 | +ModSecurity for Anylog (hereinafter referred to as **MSA**) is based on the above background and method. |
| 30 | + |
| 31 | +It is a modified version of ModSecurity for all application logs. It can not only analyze JSON logs from Nano probes, but also enable attack detection on any application and business logs through user configuration. |
| 32 | + |
23 | 33 |
|
24 | | -It is a modified version of ModSecurity for all application logs. It can not only analyze JSON logs from MFS probes, but also enable attack detection on any application and business logs through user configuration. |
25 | 34 |
|
26 | | -### Cloud Traffic Analysis and Risk Detection Architecture |
| 35 | +**lateral movement attack detection architecture ** |
27 | 36 |
|
28 | 37 | ```mermaid |
29 | 38 | graph TB |
30 | 39 | subgraph "Cloud and Cloud-Native Environment" |
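Review bot: the new heading `**lateral movement attack detection architecture **` (line 35) has a space before the closing `**`, which CommonMark does not accept as a closing delimiter, so the asterisks render literally instead of as bold. Replacing the `###` heading with bold text also removes the section from any generated table of contents and drops its anchor link; keep a heading, for example `### Lateral Movement Attack Detection Architecture`. The bolded **MSA** on line 29 is fine, but the moved paragraph leaves lines 32, 33 and 34 as three consecutive blank lines.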
31 | | - VM1["Virtual Machine 1 (with MFS)"] |
32 | | - VM2["Virtual Machine 2 (with MFS)"] |
33 | | - Node1["Node 1 (with MFS)"] |
34 | | - Node2["Node 2 (with MFS)"] |
| 40 | + VM1["Virtual Machine 1 (with Nano)"] |
| 41 | + VM2["Virtual Machine 2 (with Nano)"] |
| 42 | + Node1["Node 1 (with Nano Pod)"] |
| 43 | + Node2["Node 2 (with Nano Pod)"] |
35 | 44 | end |
36 | 45 |
|
37 | | - Middleware["Data Middleware"] |
| 46 | + Middleware["Logstash/Fluentd"] |
38 | 47 | MSA["ModSecurity for Anylog (MSA)"] |
39 | 48 | AnalyticsPlatform["Data Analytics Platform / SOC"] |
40 | 49 |
|
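Review bot: relabelling the middleware node as `Logstash/Fluentd` (line 46) names two specific tools that the prose above never mentions; either add a sentence in the MSA section stating that the Nano JSON logs are expected to pass through a Logstash or Fluentd pipeline (and what form the forwarded JSON must take for MSA to parse it), or keep a generic label such as `Log Pipeline (e.g. Logstash/Fluentd)` so the diagram does not imply a hard dependency.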
41 | | - VM1 -->|"JSON over UDP"| Middleware |
42 | | - VM2 -->|"JSON over UDP"| Middleware |
43 | | - Node1 -->|"JSON over UDP"| Middleware |
44 | | - Node2 -->|"JSON over UDP"| Middleware |
| 50 | + VM1 -.->|"JSON over UDP"| Middleware |
| 51 | + VM2 -.->|"JSON over UDP"| Middleware |
| 52 | + Node1 -.->|"JSON over UDP"| Middleware |
| 53 | + Node2 -.->|"JSON over UDP"| Middleware |
45 | 54 |
|
46 | | - Middleware -->|"JSON Data"| AnalyticsPlatform |
47 | | - Middleware -->|"JSON Data"| MSA |
| 55 | + Middleware -.->|"JSON Data"| AnalyticsPlatform |
| 56 | + Middleware -.->|"JSON Data"| MSA |
48 | 57 |
|
49 | | - MSA -->|"Alerts (Syslog)"| AnalyticsPlatform |
| 58 | + MSA -.->|"Alerts (Syslog)"| AnalyticsPlatform |
50 | 59 |
|
51 | 60 | classDef vm fill:#e1f5fe,stroke:#01579b,stroke-width:2px; |
52 | 61 | classDef node fill:#e8f5e9,stroke:#1b5e20,stroke-width:2px; |
|
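Review bot: switching every edge to dotted (`-.->`, lines 50 to 58) changes what the diagram conveys without saying why; dotted links in Mermaid diagrams are usually read as optional or asynchronous flows. If the intent is to mark the `JSON over UDP` hops as best-effort (UDP gives no delivery guarantee, so dropped datagrams are events MSA never sees and therefore never alerts on), say so in a legend or a sentence under the diagram, and consider leaving the `Alerts (Syslog)` edge solid if that path is meant to be reliable. The `classDef vm` and `classDef node` lines (60 and 61) are unchanged and the node ids VM1, VM2, Node1 and Node2 are untouched by the relabelling, so any `class` assignments further down should still apply.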