This is a Grafana-based dashboard for NGINX App Protect WAF (NAP). The overall solution uses Logstash to receive logs from NGINX App Protect WAF, process them and store them in Elasticsearch indices; Grafana then visualizes those logs.
To run this dashboard you will need to deploy the following open source components:
- Logstash
- Elasticsearch
- Grafana
- Docker
- Docker Compose
- Python 3.7+
Steps are provided below for deploying all of the software in a Docker environment using Docker Compose. It is assumed that Docker and Python are already installed and configured on the system.
Clone this repo to your local machine from https://github.com/skenderidis/nap-dashboard and switch the working directory to `nap-dashboard`:

```bash
git clone https://github.com/skenderidis/nap-dashboard
cd nap-dashboard
TZ=Asia/Dubai docker-compose up -d
```
NOTES:
- Change the timezone used in the Docker containers by altering the inline `TZ` variable in the command above to match your location. The value must be a name from the tz database (for example `Europe/London`).
- Logstash listens for NGINX App Protect WAF logs on TCP port 515; point the NAP remote logging destination at that port on your Docker host.
- If you are not running the following commands from your Docker host, replace `localhost` with the hostname or IP address of your Docker host.
- Create the signature index on Elasticsearch:

  ```bash
  curl -X PUT 'http://localhost:9200/signatures/'
  ```

  Expected response: `{"acknowledged":true,"shards_acknowledged":true,"index":"signatures"}`
- Create the index mapping for the signature index:

  ```bash
  curl -d "@elastic/signature-mapping.json" -H 'Content-Type: application/json' -X PUT 'http://localhost:9200/signatures/_mapping/'
  ```

  Expected response: `{"acknowledged":true}`
- Populate the signature index with the data extracted from the NGINX signature report tool. You can repeat this process to update the signatures; after re-uploading, execute the enrich policy again (see the step below), because the enrich index is a snapshot taken at execution time and will not see the new signatures otherwise.

  To enrich the logs that Elasticsearch receives from NAP with information such as signature accuracy, risk, CVE and systems affected, we need to extract the signatures from NAP (using the NGINX attack signature report tool) and import them into Elasticsearch. More information on the NGINX signature report tool can be found in the NGINX App Protect WAF documentation. Otherwise you can use the `signature-report.json` file in the `signatures` folder, which contains the latest signatures.

  ```bash
  python3 signatures/upload-signatures.py signatures/signatures-report.json localhost
  ```

  If successful, it takes around 1 minute to push all signatures to Elasticsearch. Expect to see multiple responses like the following: `{"_index":"signatures","_type":"_doc","_id":"200000001","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":7553,"_primary_term":1}`
- Create the index template (mapping) for the NAP indices:

  ```bash
  curl -d "@elastic/template-mapping.json" -H 'Content-Type: application/json' -X PUT 'http://localhost:9200/_template/waf_template?include_type_name'
  ```

  Expected response: `{"acknowledged":true}`
- Create the enrich policy that links the NAP indices to the signatures index:

  ```bash
  curl -d "@elastic/enrich-policy.json" -H 'Content-Type: application/json' -X PUT 'http://localhost:9200/_enrich/policy/signatures-policy'
  ```

  Expected response: `{"acknowledged":true}`
- Execute the enrich policy:

  ```bash
  curl -X POST 'http://localhost:9200/_enrich/policy/signatures-policy/_execute'
  ```

  Expected response: `{"status":{"phase":"COMPLETE"}}`
- Create the ingest pipeline:

  ```bash
  curl -d "@elastic/sig-lookup.json" -H 'Content-Type: application/json' -X PUT 'http://localhost:9200/_ingest/pipeline/sig_lookup'
  ```

  Expected response: `{"acknowledged":true}`
- Set up the Grafana data source for the Elastic WAF index:

  ```bash
  curl -d "@grafana/DS-waf-index.json" -H 'Content-Type: application/json' -u 'admin:admin' -X POST 'http://localhost:3000/api/datasources/'
  ```
- Set up the Grafana data source for the Elastic WAF Decoded index:

  ```bash
  curl -d "@grafana/DS-waf-decoded-index.json" -H 'Content-Type: application/json' -u 'admin:admin' -X POST 'http://localhost:3000/api/datasources/'
  ```

  `admin:admin` is Grafana's default login. If you have already changed the admin password (which you should do before exposing Grafana beyond your own machine, since the default is well known), substitute your password in the `-u` argument.
- Deploy Grafana Dashboards.
To deploy the Grafana dashboards, go to Import Dashboard and enter the Dashboard ID (as per the following table) on the "Import via grafana.com" tab.

| Dashboard Name | Dashboard ID | Grafana Source | Grafana Website |
|---|---|---|---|
| NGINX NAP Main Dashboard | 15675 | WAF-Logs | Link |
| NGINX NAP Support-ID Dashboard | 15676 | WAF-Logs, WAF-Decoded | Link |
| NGINX NAP Attack Signatures Dashboard | 15677 | WAF-Decoded | Link |
| NGINX NAP BOT Dashboard | 15678 | WAF-Logs | Link |
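The Elasticsearch and Grafana data source steps above are eight separate commands whose success is only visible by eyeballing each "Expected Response". The script below is an added example, not code from the nap-dashboard repository: it runs the same requests in the same order (same paths, same JSON files from the cloned repo, so run it from the repo root), checks each reply against the expected shape, tolerates a re-run (an index or enrich policy that already exists returns Elasticsearch's `resource_already_exists_exception`), and reads the Grafana login from the environment instead of hard-coding `admin:admin`. The `ES_URL`, `GRAFANA_URL`, `GRAFANA_USER` and `GRAFANA_PASSWORD` variables are this script's own assumptions, not something the README defines.

```python
"""Run the nap-dashboard Elasticsearch/Grafana setup steps in order, checking each response.
Added example, not code from the nap-dashboard repository; run it from the cloned repo root.
Assumed (not from the README): ES_URL, GRAFANA_URL, GRAFANA_USER and GRAFANA_PASSWORD env vars."""
import base64
import json
import os
import subprocess
import sys
import urllib.error
import urllib.parse
import urllib.request

ES_URL = os.environ.get("ES_URL", "http://localhost:9200")
GRAFANA_URL = os.environ.get("GRAFANA_URL", "http://localhost:3000")


def http(method, url, body=None, headers=None):
    """Send one request; return (status, decoded JSON body) even for HTTP error responses."""
    hdrs = dict(headers or {})
    if body is not None:
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=body, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, decode(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, decode(err.read())

def decode(raw):
    try:
        return json.loads(raw or b"{}")
    except ValueError:  # keep a non-JSON body (e.g. a proxy error page) readable
        return {"raw": raw.decode(errors="replace")}

# Pure checks mirroring the "Expected Response" lines in the README.
def acknowledged(status, body):
    return status == 200 and body.get("acknowledged") is True

def already_exists(status, body):
    """Re-running index or enrich-policy creation gives this 400; treat it as already done."""
    return status == 400 and body.get("error", {}).get("type") == "resource_already_exists_exception"

def enrich_complete(status, body):
    return status == 200 and body.get("status", {}).get("phase") == "COMPLETE"

def datasource_added(status, body):
    """Grafana returns 200 on creation, 409 when a data source with that name already exists."""
    return status in (200, 409)

def basic_auth(user, password):
    """Authorization header value equivalent to `curl -u user:password`."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def es_steps():
    """README steps in order: (name, method, path, json file, check). The signature upload
    must precede executing the enrich policy, which snapshots the signatures index."""
    def created(s, b):
        return acknowledged(s, b) or already_exists(s, b)
    return [
        ("create signatures index", "PUT", "/signatures/", None, created),
        ("signature index mapping", "PUT", "/signatures/_mapping/",
         "elastic/signature-mapping.json", acknowledged),
        ("upload signatures", "SCRIPT", "signatures/upload-signatures.py",
         "signatures/signatures-report.json", None),
        ("NAP index template", "PUT", "/_template/waf_template?include_type_name",
         "elastic/template-mapping.json", acknowledged),
        ("enrich policy", "PUT", "/_enrich/policy/signatures-policy",
         "elastic/enrich-policy.json", created),
        ("execute enrich policy", "POST", "/_enrich/policy/signatures-policy/_execute",
         None, enrich_complete),
        ("sig_lookup ingest pipeline", "PUT", "/_ingest/pipeline/sig_lookup",
         "elastic/sig-lookup.json", acknowledged),
    ]

def grafana_datasources():
    return ["grafana/DS-waf-index.json", "grafana/DS-waf-decoded-index.json"]

def main():
    es_host = urllib.parse.urlparse(ES_URL).hostname
    for name, method, path, json_file, check in es_steps():
        if method == "SCRIPT":  # same invocation as the README, host taken from ES_URL
            subprocess.run([sys.executable, path, json_file, es_host], check=True)
            print(f"[ OK ] {name}")
            continue
        data = open(json_file, "rb").read() if json_file else None
        status, body = http(method, ES_URL + path, data)
        if not check(status, body):
            sys.exit(f"[FAIL] {name}: HTTP {status} {json.dumps(body)[:300]}")
        print(f"[ OK ] {name}: HTTP {status}")

    password = os.environ.get("GRAFANA_PASSWORD")
    if not password:
        sys.exit("GRAFANA_PASSWORD is not set; do not leave Grafana on its default admin:admin login")
    auth = {"Authorization": basic_auth(os.environ.get("GRAFANA_USER", "admin"), password)}
    for json_file in grafana_datasources():
        status, body = http("POST", GRAFANA_URL + "/api/datasources/", open(json_file, "rb").read(), auth)
        if not datasource_added(status, body):
            sys.exit(f"[FAIL] {json_file}: HTTP {status} {json.dumps(body)[:300]}")
        print(f"[ OK ] {json_file}: HTTP {status}")

if __name__ == "__main__":
    main()
```

Run it as `GRAFANA_PASSWORD='...' python3 setup_nap_dashboard.py` from the repo root (set `ES_URL`/`GRAFANA_URL` when Elasticsearch or Grafana are not on localhost). It stops at the first step whose reply does not match, printing the status and body, which is exactly the information you would otherwise have to compare by hand against the expected responses above.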
The dashboards (NAP, Attack Signatures and Bot) have links so that you can click on the supportID in the logs and navigate to the SupportID dashboard with that supportID as the selected filter. Currently the links point to the IP address 192.168.2.103, and this needs to be changed to the actual IP address of your Grafana deployment.
The easiest way to modify the links is the following:
- Go to the dashboard settings and select the JSON Model.
- Search for 192.168.2.103 and replace it with the actual IP address.
On the Main dashboard (NAP) there are links to the other 3 dashboards. Currently these links point to the demo URL for those dashboards. Please edit the Violations table and modify the links highlighted in red in the image below.
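Doing the JSON Model search-and-replace by hand once is fine; repeating it for four dashboards after every re-import is not. The script below is an added example, not part of the nap-dashboard project: given an exported dashboard JSON model it rewrites only the host part of URL strings that point at the demo address, leaving scheme, port, path and Grafana's `${__value.raw}` query template intact and ignoring a plain-text occurrence of the address in a title or description. `SAMPLE_DASHBOARD` is constructed for illustration and trimmed to the fields that matter; only the 192.168.2.103 demo address comes from the README.

```python
"""Repoint nap-dashboard links from the demo host to your own Grafana host.
Added example, not part of the nap-dashboard project. SAMPLE_DASHBOARD is constructed."""
import json
import sys
from urllib.parse import urlsplit, urlunsplit


def swap_host(url, old_host, new_host):
    """Return url with its host replaced when it is old_host, otherwise unchanged.
    Port, path, query and fragment are preserved."""
    parts = urlsplit(url)
    if parts.hostname != old_host:
        return url
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_links(node, old_host, new_host):
    """Walk a dashboard JSON model; rewrite every absolute URL string on old_host.
    Returns (rewritten_copy, number_of_urls_changed); the input is not modified."""
    if isinstance(node, dict):
        out, total = {}, 0
        for key, value in node.items():
            out[key], n = rewrite_links(value, old_host, new_host)
            total += n
        return out, total
    if isinstance(node, list):
        items = [rewrite_links(v, old_host, new_host) for v in node]
        return [v for v, _ in items], sum(n for _, n in items)
    if isinstance(node, str) and node.startswith(("http://", "https://")):
        new = swap_host(node, old_host, new_host)
        return new, int(new != node)
    return node, 0  # numbers, booleans, None and non-URL strings pass through


# Constructed sample (not an export from the real dashboards): a Main-dashboard-like
# model with a Violations table whose data link opens the Support-ID dashboard,
# plus a dashboard-level link and a plain-text mention of the demo address.
SAMPLE_DASHBOARD = {
    "title": "NGINX NAP Main Dashboard",
    "panels": [{
        "title": "Violations",
        "type": "table",
        "fieldConfig": {"defaults": {"links": [{
            "title": "Open Support-ID dashboard",
            "url": "http://192.168.2.103:3000/d/support-id?var-supportID=${__value.raw}",
        }]}},
    }],
    "links": [{"title": "Bot dashboard", "url": "http://192.168.2.103:3000/d/nap-bot"}],
    "description": "demo host 192.168.2.103 (plain text, must stay as is)",
}


def main(argv):
    """Usage: python3 fix_links.py <exported-dashboard.json> <new-host> > fixed.json"""
    if len(argv) != 3:
        sys.exit(main.__doc__)
    with open(argv[1], encoding="utf-8") as fh:
        model = json.load(fh)
    fixed, n = rewrite_links(model, "192.168.2.103", argv[2])
    print(json.dumps(fixed, indent=2))
    print(f"{n} link(s) rewritten", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Export each dashboard's JSON model, run the script with your Grafana host, and import the written file back. Matching on the parsed hostname rather than on a raw substring means an address such as 192.168.2.1031 or a query value that merely contains the demo IP is not altered.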
This is the main dashboard that provides an overview of all the violations that have been logged by NGINX App Protect WAF. From this table you can navigate to the other dashboards like SupportID, by clicking on the links. Some of the graphs/tables included in this dashboard are:
- Attacks recorded and mitigated
- Violation categories
- Attacks over time
- Mitigated Bots
- GeoMap
- Attacks per URL
- Attack Signature detected
- Bot activity per IP/Country
- Bot activity per Policy/Device
- CVEs and Threat Campaigns
- Logs
The Attack Signature dashboard provides all details for the signatures that were triggered by NGINX App Protect WAF. Some of the graphs/tables included in this dashboard are:
- Signature Hits
- Signature Accuracy and Risk
- Signatures per Context
- Signature details
- Signatures per URL/IP/Policy
- Parameter Names and Values
- Header Names and Values
- Cookies Names and Values
- Logs
The Bot Dashboard provides all details for the Bot activity that was logged by NGINX App Protect WAF. Some of the graphs/tables included in this dashboard are:
- Bot Types
- Bot Categories
- Bot Activity over time
- Mitigated Bots
- Bot activity per URL
- Bot activity per IP/Country
- Bot activity per Policy/Device
- Logs
The SupportID Dashboard provides all details for a specific transaction that was logged by NGINX App Protect WAF. These include the following:
- Client/Server Information (Client IP/Port, Server IP/Port, X-Forwarded-For, etc.)
- Violation Details (Outcome, Request Status, Outcome Reason, etc.)
- Bot Details (Bot Class, Bot Category, Bot Signature, etc.)
- Device Details (NAP Device Name, Virtual Server Name)
- Signatures Triggered
- Threat Campaign Triggered
- Violation List
- And more
It also includes both the original and decoded Elasticsearch indices for better troubleshooting.
Please open a GitHub issue for any problem or enhancement you need.