MozDef: Mozilla Enterprise Defense Platform

Overview

Tests Documentation Status

MozDef: LOGO

Documentation:

https://mozdef.readthedocs.org/en/latest/

Give MozDef a Try in AWS:

The following button will launch the Mozilla Enterprise Defense Platform in your AWS account.

Warning: Pressing the "Launch Stack" button and following through with the deployment will incur charges to your AWS account.

Launch MozDef

Why?

The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.

The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

Goals:

  • Provide a platform for use by defenders to rapidly discover and respond to security incidents
  • Automate interfaces to other systems like bunker, cymon, mig
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation

Status:

MozDef is in production at Mozilla where we are using it to process over 300 million events per day.

Survey & Contacting us

If you're interested in running MozDef and would like to give us feedback, please take the following surveys:

These survey also include a contact form where you can reach us if you would like to (it's optional)

Note: These surveys will be open for a limited amount of time, in order to ensure that we look at your feedback in a timely fashion. Thanks for your understanding!

Comments
  • Feature Request: Search box on Investigations and Incidents pages

    Feature Request: Search box on Investigations and Incidents pages

    When attempting to look for an incident or investigation that occurred in the past, it can be somewhat difficult. Having a search box to easily match on the content you are looking for could alleviate the issue.

    category:feature ARCHIVED 
    opened by Phrozyn 19
  • Docker fails to Connect to D Bus and install Elasticserach

    Docker fails to Connect to D Bus and install Elasticserach

    When using the docker compose method of building mozdef I keep getting: Failed to connect to DBus Operation not premitted Then it won't install elasticsearch. ideas? Fixes?

    opened by goffr2 15
  • Begin using CODEOWNERS in this repo

    Begin using CODEOWNERS in this repo

    https://help.github.com/en/articles/about-code-owners

    Given that we have different groups of people working on different parts of the codebase (e.g. @andrewkrug and I working on CI/CD), if we define a CODEOWNERS file and then enable merging to follow that file, I can for example merge a change to CI/CD that doesn't affect the MozDef codebase without requiring @pwnbus to review and merge.

    I wanted to see if this sounded ok before PRing a file for CODEOWNERS.

    This would potentially have a section like

    # These owners will be the default owners for everything in
    # the repo. Unless a later match takes precedence,
    # These users will be requested for
    # review when someone opens a pull request.
    *       @jeffbryner @pwnbus @mpurzynski @Phrozyn @tristanweir
    
    # Require review by gene or andrew for cloudy MozDef stuff
    /cloudy_mozdef/ @gene1wood @andrewkrug
    

    Then we'd uncheck Restrict who can push to matching branches And add a check to Require review from Code Owners

    This way

    • nothing could be merged without review
    • the people required for review for everything other than cloudy mozdef would be the same list of people who can merge today
    • the people required for review of cloudy mozdef would be andrew and I

    Thoughts @jeffbryner @pwnbus @mpurzynski @Phrozyn @tristanweir?

    opened by gene1wood 13
  • Alerts not firing

    Alerts not firing

    Hey all,

    Maybe it's the holiday gremlins that got to me, but I've updated my docker instance to 1.35 and I can't get alerts working again. I'm down to the following very simple alert which is not working

    #!/usr/bin/env python
    
    # This Source Code Form is subject to the terms of the Mozilla Public
    # License, v. 2.0. If a copy of the MPL was not distributed with this
    # file, You can obtain one at http://mozilla.org/MPL/2.0/.
    # Copyright (c) 2014 Mozilla Corporation
    
    
    from lib.alerttask import AlertTask
    from mozdef_util.query_models import SearchQuery, TermMatch, QueryStringMatch, ExistsMatch, PhraseMatch, WildcardMatch
    
    
    class AlertHelloworld(AlertTask):
        def main(self):
            # Create a query to look back the last 20 minutes
            search_query = SearchQuery(minutes=20)
    
            # Add search terms to our query
            search_query.add_must([
                TermMatch('category', 'helloworld'),
           #     ExistsMatch('details.sourceipaddress'),
            ])
    
            self.filtersManual(search_query)
            # Search aggregations on field 'sourceipaddress'
            # keep X samples of events at most
            self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
            # alert when >= X matching events in an aggregation
            self.walkAggregations(threshold=1)
    
        # Set alert properties
        def onAggregation(self, aggreg):
            # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
            # aggreg['value']: value of the aggregation field, ex: [email protected]
            # aggreg['events']: list of events in the aggregation
            category = 'hellocategory'
            tags = ['hello', 'world']
            severity = 'WARNING'
            summary = "My first alert!"
    
            # Create the alert object based on these properties
            return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
    

    with

    'helloworld.AlertHelloworld': {'schedule': crontab(minute='*/1')},
    

    in my docker/compose/mozdef_alerts/files/config.py. I'm sending simple messages to my instance with curl curl -v --header "Content-Type: application/json" --request POST --data '{"tags": ["test"],"category": "helloworld"}' http://localhost:8080/events and they are showing up in Kibana.

    Is there something obvious that I'm doing wrong? Also is there some way outside of the UI that lets me determine if an alert is working?

    opened by darakian 12
  • Default test case fails for new alert

    Default test case fails for new alert

    Hey all,

    I'm just getting into making alerts and I wanted to mention that if you run

    make new-alert
    

    and then try to run the associated test you will be left with a failing test due to the line

    "notify_mozdefbot": False,
    

    This is a bit confusing for people new to alert writing and being such a new person, I'm not sure if this is desired behavior or not. Either way I wanted to make a note for those searching around.

    category:bug 
    opened by darakian 11
  • Disable globe visualization in default deployment, enabling it only when MozDef is configured to show data on the globe

    Disable globe visualization in default deployment, enabling it only when MozDef is configured to show data on the globe

    Currently the globe visualization (located at the /globe path in MozDef) doesn't display any data in MozDef out of the box. The logic to search and label an attacker is currently pretty specific to Mozilla which results in anyone else who deploys MozDef having a globe visualization with no data.

    Let's make the globe's presence conditional on whatever it is we do to put data into it and by default, show no globe.

    Thanks to @darakian for calling this out.

    opened by gene1wood 10
  • Feature Request: Configurable host IPs

    Feature Request: Configurable host IPs

    So, I'm using the docker containers as a deployment in my infrastructure and generally I really like it. However one thing that is annoying is clicking a link (say Kibana) and being sent to localhost:9090. I've make a hot edit in meteor/imports/settings.js to hard code my ip in use, but it would be really nice if I could give mozdef an ip at deploy time. ex make run my_ip=1.2.3.4 or make run config=my_overrides.txt/json or something along those line. Being able to change out the elastic search service would also be nice.

    I get that I might be using the docker containers in a way that they are not designed for so if this is out of scope just let me know and I'll rework what I have based on the alternate install method.

    opened by darakian 10
  • Add logo to favicon and main title bar

    Add logo to favicon and main title bar

    This modifies the logo on the main page to the pre existing https://github.com/mozilla/MozDef/blob/master/meteor/public/images/logo.png . It also adds a favicon of the same logo.

    opened by pwnbus 10
  • Standard levels for incidents/investigations

    Standard levels for incidents/investigations

    See also https://bugzilla.mozilla.org/show_bug.cgi?id=1120558 In Mozdef's incident UI (/incident/) there are tags such as impact.loss.rating.{Major,Moderate,Minor,None}.

    I wondered if it would make sense to use maximum,high,medium,low instead. Same for confidence tags.

    See also https://wiki.mozilla.org/Security/Standard_Levels

    category:enhancement contributors needed priority:medium state:stale 
    opened by gdestuynder 10
  • [Docker env] Alerts not being displayed - Cron silently failing in container

    [Docker env] Alerts not being displayed - Cron silently failing in container

    Hey All,

    I've got a box on the current master. It's generating alerts fine, but the mozdef dash board doesn't display the alerts. I've verified that the alerts are created by looking at the ES cluster and the alerts index exists and contains the expected results. Any ideas on where I should be looking for the alert display part of the equation?

    This is in the docker environment and nothing pops out at me after looking at the logs for each container.

    opened by darakian 8
  • Doc Request: Using log entry data in alert summary example.

    Doc Request: Using log entry data in alert summary example.

    Is there a preferred method for using data from the result a query in the alert summary? For instance, I have a PhraseMatch('summary', 'interesting string prefix') which works well, but I would like to pull out some of the summary string and have that available on the MozDef alerts dash board. I'm sure this is possible to hack together, but is there a method already in place? If so could someone point me at an example?

    opened by darakian 8
Releases(v3.1.2)
  • v3.1.2(Oct 4, 2019)

    Added

    • Alerts can be turned on/off via web ui
    • GeoModel alert to compare locations and determine if travel is possible
    • New Query model (SubnetMatch) to match documents on ip and subnets
    • LDAP Bruteforce Alert
    • Make target (lint) for running pep8 checks against codebase
    • Uptycs alert event cron script

    Fixed

    • Modified regex statements to be proper python3 statements
    • Auth0 script to consume new depnote events

    Changed

    • Moved benchmark and examples directory into scripts directory with sample ingest scripts
    Source code(tar.gz)
    Source code(zip)
  • v3.1.1(Jul 25, 2019)

    Added

    • Ability to get open indices in ElasticsearchClient
    • Documentation on installing dependencies on Mac OS X

    Changed

    • AWS Managed Elasticsearch/Kibana version to 6.7

    Fixed

    • Disk free/total in /about page shows at most 2 decimal places
    • Connections to SQS and S3 without access key and secret
    • Ability to block IPs and add to Watchlist
    Source code(tar.gz)
    Source code(zip)
  • v3.1.0(Jul 25, 2019)

    Added

    • Captured the AWS CodeBuild CI/CD configuration in code with documentation
    • Support for HTTP Basic Auth in AWS deployment
    • Docker healthchecks to docker containers
    • Descriptions to all AWS Lambda functions
    • Support for alerts-* index in docker environment
    • Alert that detects excessive numbers of AWS API describe calls
    • Additional AWS infrastructure to support AWS re:Inforce 2019 workshop
    • Documentation specific to MozDef installation now that MozDef uses Python 3
    • Config setting for CloudTrail notification SQS queue polling time
    • Config setting for Slack bot welcome message

    Changed

    • Kibana port from 9443 to 9090
    • AWS CloudFormation default values from "unset" to empty string
    • Simplify mozdef-mq logic determining AMQP endpoint URI
    • SQS to always use secure transport
    • CloudTrail alert unit tests
    • Incident summary placeholder text for greater clarity
    • Display of Veris data for easier viewing
    • All Dockerfiles to reduce image size, pin package signing keys and improve clarity

    Fixed

    • Workers starting before GeoIP data is available
    • Mismatched MozDefACMCertArn parameter name in CloudFormation template
    • Duplicate mozdefvpcflowlogs object
    • Hard coded AWS Availability Zone
    • httplib2 by updating to version to 0.13.0 for python3
    • mozdef_util by modifying bulk queue to acquire lock before saving events
    • Dashboard Kibana URL
    • Unnecessary and conflicting package dependencies from MozDef and mozdef_util
    • get_indices to include closed indices
    Source code(tar.gz)
    Source code(zip)
  • v3.0.0(Jul 8, 2019)

  • v2.0.1(Jul 8, 2019)

  • v2.0.0(Jun 28, 2019)

    Added

    • Source IP and Destination IP GeoPoints
    • Elasticsearch 6.8 Support
    • Kibana 6.8 Support
    • All doc_types have been set to _doc to support Elasticsearch >= 6

    Removed

    • Elasticsearch <= 5 Support
    • Kibana <= 5 Support
    • Specifying AWS keys in S3 backup script, moved to Elasticsearch Secrets
    Source code(tar.gz)
    Source code(zip)
  • v1.40.0(Jun 27, 2019)

    Added

    • Alertplugin for ip source enrichment
    • Alertplugin for port scan enrichment

    Fixed

    • Bulk message support in loginput

    Removed

    • Vidyo2Mozdef cron script to https://github.com/mozilla/mozdef-deprecated/blob/master/cron/vidyo2MozDef.py
    Source code(tar.gz)
    Source code(zip)
  • v1.39.0(May 29, 2019)

    Added

    • Pagination of Web UI tables
    • Added support for SQS in replacement of Rabbitmq for alerts
    • Support for no_auth for watchlist
    • Cron script for closing indexes
    • Documentation on AlertActions
    • Additional side nav theme

    Changed

    • Removed dependency on '_type' field in Elasticsearch

    Fixed

    • Slackbot reconnects successfully during network errors
    • Relative Kibana URLs now work correctly with protocol
    Source code(tar.gz)
    Source code(zip)
  • v1.38.5(Apr 10, 2019)

    Added

    • Support for CSS themes

    Changed

    • The CI/CD order to now build docker images in CodeBuild, upload them to DockerHub and then pull them down in the packer instance. Updated docs.
    • Assert TravisCI Python version in advance of change of Travis default to 3.6

    Fixed

    • Dashboard error on docker spinup
    Source code(tar.gz)
    Source code(zip)
  • v1.38.4(Apr 8, 2019)

    Fixed

    • Docker image tagging for git version tag builds
    • Correctly propagate the source ip address to the details.sourceipaddress in Duo logpull
    • Invalid literal in squidFixup.py destionationport field
    • Lowercase TAGS in squidFixup.py
    • Adding check for None type object in date fields to address GuardDuty null date

    Added

    • Documentation on the CI/CD process
    • A summary to squidFixup.py
    • Tags assertions to tests
    Source code(tar.gz)
    Source code(zip)
  • v1.38.3(Apr 2, 2019)

  • v1.38.2(Apr 1, 2019)

  • v1.38.1(Mar 29, 2019)

    v1.38.1 of the Mozilla Defense Platform.

    Added

    • Enable CI/CD with AWS CodeBuild
    • Create AMIs of MozDef, replicate and share them
    • Link everything (container images, AMIs, templates) together by MozDef version

    Changed

    • Publish versioned CloudFormation templates
    • RabbitMQ configured to use a real password
    Source code(tar.gz)
    Source code(zip)
  • v1.38(Mar 29, 2019)

    v1.38 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.38%22

    Source code(tar.gz)
    Source code(zip)
  • v1.37(Feb 28, 2019)

    v1.37 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.37%22

    Source code(tar.gz)
    Source code(zip)
  • v1.36(Feb 1, 2019)

    v1.36 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.36%22

    Source code(tar.gz)
    Source code(zip)
  • v1.35(Dec 26, 2018)

    v1.35 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.35%22

    Source code(tar.gz)
    Source code(zip)
  • v1.34(Nov 28, 2018)

    v1.34 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.34%22

    Source code(tar.gz)
    Source code(zip)
  • v1.33(Oct 31, 2018)

    v1.33 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.33%22

    Source code(tar.gz)
    Source code(zip)
  • v1.32(Sep 26, 2018)

    v1.32 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.32%22

    Source code(tar.gz)
    Source code(zip)
  • v1.31(Jul 25, 2018)

    v1.31 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.31%22

    Source code(tar.gz)
    Source code(zip)
  • v1.30(Jun 26, 2018)

    v1.30 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.30%22

    Source code(tar.gz)
    Source code(zip)
  • v1.29(May 30, 2018)

    v1.29 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.29%22

    Source code(tar.gz)
    Source code(zip)
  • v1.28(Apr 25, 2018)

    v1.28 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.28%22

    Source code(tar.gz)
    Source code(zip)
  • v1.27(Mar 29, 2018)

    v1.27 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.27%22

    Source code(tar.gz)
    Source code(zip)
  • v1.26(Feb 28, 2018)

    v1.26 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.26%22

    Source code(tar.gz)
    Source code(zip)
  • v1.25(Jan 31, 2018)

    v1.25 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.25%22

    Source code(tar.gz)
    Source code(zip)
  • v1.24(Dec 20, 2017)

    v1.24 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.24%22

    Source code(tar.gz)
    Source code(zip)
  • v1.23(Nov 16, 2017)

    v1.23 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.23%22

    Source code(tar.gz)
    Source code(zip)
  • v1.22(Oct 18, 2017)

    v1.22 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.22%22

    Source code(tar.gz)
    Source code(zip)
Owner
Mozilla
This technology could fall into the right hands.
Mozilla
Hashpic - Hashpic creates an image from a MD5 or SHA512 hash

Hashpic Hashpic creates an image from the MD5 hash of your input. Since v0.2.0 i

0xflotus 15 Nov 23, 2022
PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in

chipik 82 Nov 09, 2022
It's a simple tool for test vulnerability Apache Path Traversal

SimplesApachePathTraversal Simples Apache Path Traversal It's a simple tool for test vulnerability Apache Path Traversal https://blog.mrcl0wn.com/2021

Mr. Cl0wn - H4ck1ng C0d3r 56 Dec 27, 2022
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

WinRemoteEnum WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gather

Simon 9 Nov 09, 2022
Official repository for Pyew.

pyew Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE

Joxean 362 Nov 28, 2022
macOS persistence tool

PoisonApple Command-line tool to perform various persistence mechanism techniques on macOS. This tool was designed to be used by threat hunters for cy

Cyborg Security, Inc 212 Dec 29, 2022
Bypass ReCaptcha: A Python script for dealing with recaptcha

Bypass ReCaptcha Bypass ReCaptcha is a Python script for dealing with recaptcha.

Marcos Camargo 1 Jan 11, 2022
Log4j rce test environment and poc

log4jpwn log4j rce test environment See: https://www.lunasec.io/docs/blog/log4j-zero-day/ Experiments to trigger in various software products mentione

Leon Jacobs 307 Dec 24, 2022
Obfuscate ip address using different encodings

ipobfuscator How it works? Single ip address can be written in multiple ways. The most popular way is to represent ip as 4 octets separated with dots.

Piotr Warmke 1 Nov 02, 2021
xray多线程批量扫描工具

Auto_xray xray多线程批量扫描工具 简介 xray社区版貌似没有批量扫描,这就让安服仔使用起来很不方便,扫站得一个个手动添加,非常难受 Auto_xray目录下记得放xray,就跟平时一样的。 选项1:oneforall+xray 输入一个主域名,自动采集子域名然后添加到xray任务列表

1frame 13 Nov 09, 2022
Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead (< v3.6.5) if the CGI is enabled and a CGI program is dynamically linked.

GoAhead RCE Exploit Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead ( v3.6.5) if the CGI is enabled and a CGI program is dynamic

Francisco Spínola 2 Dec 12, 2021
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
:closed_lock_with_key: multi factor authentication system (2FA, MFA, OTP Server)

privacyIDEA privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you

1.3k Jan 03, 2023
TCP/UDP port scanner on python, usong scapy and multiprocessin

Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR

Egor Krokhin 1 Dec 05, 2021
A fast tool to scan prototype pollution vulnerability

proto A fast tool to scan prototype pollution vulnerability Syntax python3 proto.py -l alive.txt Requirements Selenium Google Chrome Webdriver Note :

Muhammed Mahdi 4 Aug 31, 2021
Simple python script for generating custom high-secure passwords for securing your social-apps ❤️

Opensource Project Simple Python Password Generator This repository is just for peoples who want to generate strong-passwords for there social-account

K A R T H I K 15 Dec 01, 2022
The next level Python obfuscator, nearly impossible to deobfuscate.

🐸 Kramer 🐸 Kramer is a next level obfuscation tool written in Python3 allowing you to obfuscate your Python3 code easily and securely. It uses Berse

Billy 114 Dec 26, 2022
Yara Based Detection Engine for web browsers

Yobi Yara Based Detection for web browsers System Requirements Yobi requires python3 and and right now supports only firefox and other Gecko-based bro

imp0rtp3 44 Nov 20, 2022