MozDef: The Mozilla Defense Platform - adamnemecek
https://github.com/jeffbryner/MozDef

======
sigvef
Seems like a cool initiative, but I'm having trouble understanding what it
actually does.

~~~
killerpopiller
Me too. Screenshots would've helped.

Is it a webapp which informs me about new vulns for my websites (parsing my
logfiles)?

~~~
cones688
That's what the SIEM does, see ones such as IBM QRadar [1]; aggregates all the
logs and network flows from across your estate and then uses rules/algorithms
to determine threats and security events.

From my limited understanding MozDef is more targeted at ticketing/following
through from intelligence gleaned from a SIEM as most times, people then just
stick it in Remedy or Jira.

[1]
[http://public.dhe.ibm.com/common/ssi/ecm/en/wgd03021usen/WGD...](http://public.dhe.ibm.com/common/ssi/ecm/en/wgd03021usen/WGD03021USEN.PDF)

~~~
jeffbryner
Sorry it's a bit tough to understand. You can think of MozDef as an open
source SIEM (taking in logs, parsing, alerting, correlating) plus incident
handling workflow with a focus on being open, extensible, visual and realtime.
It is early, early days but promising so far!

------
SunboX
Is this equal to OSSEC, an Open Source Host-based Intrusion Detection System?
[http://www.ossec.net/](http://www.ossec.net/)

~~~
cones688
That's an IDS, a specific security measure, akin to firewalls, AV, IPS, Vuln
Scanners.

MozDef seems to be trying to make a relevant/niche ticketing system to run
over the top of a SIEM (Security Information and Event Manager), which in turn
runs over the top of IDS/IPS/AV/FW etc. etc. This allows a single view and
correlation between events, i.e. a remote login from a contractor over VPN using
a Chinese IP address, escalating privileges on a unix box, a new admin account on
the DB, an increase in data flow outbound from the DB: none of these events is
individually significant, but together it's pretty obvious something might be
wrong. That's why you pay good money for a SIEM.

The issue most companies face is they have awesome security intelligence
platforms or SIEMs but then have to translate it into awful business process
ticketing systems (like Remedy or Jira) not designed to handle such critical
and quick-moving issues.
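As an added illustration of the correlation described in the comment above (this is not MozDef code; the events, hostnames, user names and signal names are constructed), a minimal rule that fires only when several distinct weak signals touch the same asset inside a time window:

```python
"""Toy multi-signal correlation over constructed events (added example, not MozDef code).

Each event alone is low severity; an alert is raised only when several distinct
weak signals hit the same asset within a sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; assets, users and signal names are made up.
EVENTS = [
    {"ts": "2014-01-10T22:01:00", "asset": "db01", "signal": "vpn_login_foreign_geo", "user": "contractor1"},
    {"ts": "2014-01-10T22:09:00", "asset": "db01", "signal": "privilege_escalation", "user": "contractor1"},
    {"ts": "2014-01-10T22:15:00", "asset": "db01", "signal": "new_admin_account", "user": "contractor1"},
    {"ts": "2014-01-10T22:40:00", "asset": "db01", "signal": "outbound_volume_spike", "user": None},
    {"ts": "2014-01-10T09:00:00", "asset": "web02", "signal": "privilege_escalation", "user": "ops"},
    # Same signal again the next night, but alone: outside any earlier window.
    {"ts": "2014-01-11T03:00:00", "asset": "db01", "signal": "vpn_login_foreign_geo", "user": "contractor1"},
]


def correlate(events, window=timedelta(hours=1), min_signals=3):
    """Return one alert per asset whose window holds >= min_signals distinct signals."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e["asset"]].append((datetime.fromisoformat(e["ts"]), e["signal"]))

    alerts = []
    for asset, items in by_asset.items():
        items.sort()  # chronological order so the window can slide forward
        for i, (start, _) in enumerate(items):
            # Distinct signal types seen from this event up to `window` later.
            in_window = {sig for ts, sig in items[i:] if ts - start <= window}
            if len(in_window) >= min_signals:
                alerts.append({"asset": asset, "start": start.isoformat(), "signals": sorted(in_window)})
                break  # one alert per asset is enough to open a triage ticket
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Raising `min_signals` or shrinking `window` shows how the same event stream goes quiet, which is the tuning trade-off a SIEM rule author lives with.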

------
maximux
I'm happy to see more tools being developed for the defending side.

------
oelmekki
And now there's another public-facing service on your server that can be
tried for vulnerabilities :)

Joke aside, I like the initiative; security is still something that seems to
me not taken seriously enough by day-to-day sysadmins and developers.

From what I understand, its main use is to report when attacks were
attempted. Does it also check for what is probably the biggest security
concern in the wild, aka outdated software that has updates available
(better safe than sorry)?

~~~
riffraff
One? """ MozDef is based on open source technologies including: Nginx (http(s)
based log input) Rabbit-MQ (message queue) UWSGI (supervisory control of
python-based workers) bottle.py (simple python interface for web request
handling) Elastic Search (scalable indexing and searching of JSON documents)
Meteor (responsive framework for Node.js enabling real-time data sharing)
Mongo DB (scalable data store, tightly integrated to Meteor) .. """

OTOH, maybe it's not public facing :)

------
easy_rider
>> The inspiration for MozDef comes from the large arsenal of tools available
to attackers. Suites like metasploit, armitage, lair, dradis. Defenders are
usually limited to wikis, ticketing systems and manual tracking databases
attached to the end of a Security Information Event Management (SIEM) system.

I read this as: attackers are usually one step ahead at least, and "defenders"
(sic: developers (?) ) do not like pentesting? These tools are available to
anyone..

~~~
cones688
> "defenders" (sic: developers (?) )

Defenders are usually companies' or consultancies' ERT (emergency response
team) or in their SOC (Security Operations Center), who monitor real-time
security threats to their business and triage, mitigate, investigate, block
etc.

Some of the enterprise tools (QRadar, Arcsight, EnVision) for these are really
advanced but run into the 100's of thousands in cost, so I think MozDef is an
open source initiative for smaller teams who don't have the resources for the
above.

~~~
easy_rider
Ah, should not comment before the coffee kicks in... That's actually an
awesome concept. Thanks for the explanation.

------
fvt
I hope this project will get traction. It's always a nightmare for sysadmins
(and developers) to discover on Friday nights that most of their apps will
require an upgrade in the next couple of hours because an exploit is out (out of
nowhere most of the time).

And in any case, the architecture put in place is interesting. I'm eager to
see how they made use of Meteor.

------
theon144
It's a proof of concept and it's already making rounds at HN, reddit, G+...
Geeze, guys, give it time!

~~~
adamnemecek
One of the ways a proof of concept can become a full blown project is by
attracting contributors. A project attracts contributors if the project is
talked about.

------
skrowl
IMO, the only CORRECT way to assure that you're not vulnerable to all the
"attacker" tools is to test USING those tools yourself.

------
chankey_pathak
Awesome