Case Study: Using Splunk for web application forensics
Author:
Erwin Geirnaert – CEO & Co-founder – erwin.geirnaert@zionsecurity.com
© ZION SECURITY 2009
All trademarks used are properties of their respective owners.
ZION SECURITY created this whitepaper to show the power of Splunk for web application forensics and how investigating attacks against web applications can reveal how hackers attempt to hack a corporate environment.
Splunk indexes and lets you search, alert and report on all your IT infrastructure data from a single location in real time. Logs, configurations, messages, traps and alerts, scripts and metrics; if a machine can generate it, Splunk can index it.
With Splunk you can troubleshoot application outages, investigate security incidents, and demonstrate compliance in minutes, not hours or days. More information can be found at http://www.splunk.com/, where you can download a 30-day evaluation version.
ModSecurity is the creation of Ivan Ristic, one of the experts in web application firewalls. ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. It is also an open source project that aims to make the web application firewall technology available to everyone.
Integrating Splunk with ModSecurity logs allows security managers to follow up on attacks against their web sites. Integration is straightforward: