MozDef: Mozilla Enterprise Defense Platform

Overview

Documentation:

https://mozdef.readthedocs.org/en/latest/

Give MozDef a Try in AWS:

The following button will launch the Mozilla Enterprise Defense Platform in your AWS account.

Warning: Pressing the "Launch Stack" button and following through with the deployment will incur charges to your AWS account.

Launch MozDef

Why?

The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like Metasploit, Armitage, Lair, Dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information and Event Management (SIEM) system.

The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

Goals:

  • Provide a platform for use by defenders to rapidly discover and respond to security incidents
  • Automate interfaces to other systems like bunker, cymon, mig
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation

Status:

MozDef is in production at Mozilla where we are using it to process over 300 million events per day.

Survey & Contacting us

If you're interested in running MozDef and would like to give us feedback, please take the following surveys:

These surveys also include a contact form where you can reach us if you would like to (it's optional).

Note: These surveys will be open for a limited amount of time, in order to ensure that we look at your feedback in a timely fashion. Thanks for your understanding!

Comments
  • Feature Request: Search box on Investigations and Incidents pages

    When attempting to look for an incident or investigation that occurred in the past, it can be somewhat difficult. Having a search box to easily match on the content you are looking for could alleviate the issue.

    category:feature ARCHIVED 
    opened by Phrozyn 19
  • Docker fails to Connect to D-Bus and install Elasticsearch

    When using the docker compose method of building mozdef I keep getting: "Failed to connect to DBus Operation not permitted". Then it won't install elasticsearch. Ideas? Fixes?

    opened by goffr2 15
  • Begin using CODEOWNERS in this repo

    https://help.github.com/en/articles/about-code-owners

    Given that we have different groups of people working on different parts of the codebase (e.g. @andrewkrug and I working on CI/CD), if we define a CODEOWNERS file and then enable merging to follow that file, I can for example merge a change to CI/CD that doesn't affect the MozDef codebase without requiring @pwnbus to review and merge.

    I wanted to see if this sounded ok before PRing a file for CODEOWNERS.

    This would potentially have a section like

    # These owners will be the default owners for everything in
    # the repo. Unless a later match takes precedence,
    # These users will be requested for
    # review when someone opens a pull request.
    *       @jeffbryner @pwnbus @mpurzynski @Phrozyn @tristanweir
    
    # Require review by gene or andrew for cloudy MozDef stuff
    /cloudy_mozdef/ @gene1wood @andrewkrug
    

    Then we'd uncheck "Restrict who can push to matching branches" and add a check to "Require review from Code Owners".

    This way

    • nothing could be merged without review
    • the people required for review for everything other than cloudy mozdef would be the same list of people who can merge today
    • the people required for review of cloudy mozdef would be andrew and I

    Thoughts @jeffbryner @pwnbus @mpurzynski @Phrozyn @tristanweir?

    opened by gene1wood 13
  • Alerts not firing

    Hey all,

    Maybe it's the holiday gremlins that got to me, but I've updated my docker instance to 1.35 and I can't get alerts working again. I'm down to the following very simple alert which is not working

    #!/usr/bin/env python
    
    # This Source Code Form is subject to the terms of the Mozilla Public
    # License, v. 2.0. If a copy of the MPL was not distributed with this
    # file, You can obtain one at http://mozilla.org/MPL/2.0/.
    # Copyright (c) 2014 Mozilla Corporation
    
    
    from lib.alerttask import AlertTask
    from mozdef_util.query_models import SearchQuery, TermMatch, QueryStringMatch, ExistsMatch, PhraseMatch, WildcardMatch
    
    
    class AlertHelloworld(AlertTask):
        def main(self):
            # Create a query to look back the last 20 minutes
            search_query = SearchQuery(minutes=20)
    
            # Add search terms to our query
            search_query.add_must([
                TermMatch('category', 'helloworld'),
                # ExistsMatch('details.sourceipaddress'),
            ])
    
            self.filtersManual(search_query)
            # Search aggregations on field 'sourceipaddress'
            # keep X samples of events at most
            self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
            # alert when >= X matching events in an aggregation
            self.walkAggregations(threshold=1)
    
        # Set alert properties
        def onAggregation(self, aggreg):
            # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
            # aggreg['value']: value of the aggregation field, ex: [email protected]
            # aggreg['events']: list of events in the aggregation
            category = 'hellocategory'
            tags = ['hello', 'world']
            severity = 'WARNING'
            summary = "My first alert!"
    
            # Create the alert object based on these properties
            return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
    

    with

    'helloworld.AlertHelloworld': {'schedule': crontab(minute='*/1')},
    

    in my docker/compose/mozdef_alerts/files/config.py. I'm sending simple messages to my instance with curl:

    curl -v --header "Content-Type: application/json" --request POST --data '{"tags": ["test"],"category": "helloworld"}' http://localhost:8080/events
    

    and they are showing up in Kibana.

    Is there something obvious that I'm doing wrong? Also is there some way outside of the UI that lets me determine if an alert is working?

    opened by darakian 12
  • Default test case fails for new alert

    Hey all,

    I'm just getting into making alerts and I wanted to mention that if you run

    make new-alert
    

    and then try to run the associated test you will be left with a failing test due to the line

    "notify_mozdefbot": False,
    

    This is a bit confusing for people new to alert writing and being such a new person, I'm not sure if this is desired behavior or not. Either way I wanted to make a note for those searching around.

    category:bug 
    opened by darakian 11
  • Disable globe visualization in default deployment, enabling it only when MozDef is configured to show data on the globe

    Currently the globe visualization (located at the /globe path in MozDef) doesn't display any data in MozDef out of the box. The logic to search and label an attacker is currently pretty specific to Mozilla which results in anyone else who deploys MozDef having a globe visualization with no data.

    Let's make the globe's presence conditional on whatever it is we do to put data into it and by default, show no globe.

    Thanks to @darakian for calling this out.

    opened by gene1wood 10
  • Feature Request: Configurable host IPs

    So, I'm using the docker containers as a deployment in my infrastructure and generally I really like it. However one thing that is annoying is clicking a link (say Kibana) and being sent to localhost:9090. I've made a hot edit in meteor/imports/settings.js to hard code my ip in use, but it would be really nice if I could give mozdef an ip at deploy time, e.g. "make run my_ip=1.2.3.4" or "make run config=my_overrides.txt/json" or something along those lines. Being able to change out the elasticsearch service would also be nice.

    I get that I might be using the docker containers in a way that they are not designed for so if this is out of scope just let me know and I'll rework what I have based on the alternate install method.

    opened by darakian 10
  • Add logo to favicon and main title bar

    This modifies the logo on the main page to the pre existing https://github.com/mozilla/MozDef/blob/master/meteor/public/images/logo.png . It also adds a favicon of the same logo.

    opened by pwnbus 10
  • Standard levels for incidents/investigations

    See also https://bugzilla.mozilla.org/show_bug.cgi?id=1120558. In MozDef's incident UI (/incident/) there are tags such as impact.loss.rating.{Major,Moderate,Minor,None}.

    I wondered if it would make sense to use maximum,high,medium,low instead. Same for confidence tags.

    See also https://wiki.mozilla.org/Security/Standard_Levels

    category:enhancement contributors needed priority:medium state:stale 
    opened by gdestuynder 10
  • [Docker env] Alerts not being displayed - Cron silently failing in container

    Hey All,

    I've got a box on the current master. It's generating alerts fine, but the mozdef dashboard doesn't display the alerts. I've verified that the alerts are created by looking at the ES cluster and the alerts index exists and contains the expected results. Any ideas on where I should be looking for the alert display part of the equation?

    This is in the docker environment and nothing pops out at me after looking at the logs for each container.

    opened by darakian 8
  • Doc Request: Using log entry data in alert summary example.

    Is there a preferred method for using data from the result of a query in the alert summary? For instance, I have a PhraseMatch('summary', 'interesting string prefix') which works well, but I would like to pull out some of the summary string and have that available on the MozDef alerts dashboard. I'm sure this is possible to hack together, but is there a method already in place? If so could someone point me at an example?

    opened by darakian 8
Releases (v3.1.2)
  • v3.1.2 (Oct 4, 2019)

    Added

    • Alerts can be turned on/off via web ui
    • GeoModel alert to compare locations and determine if travel is possible
    • New Query model (SubnetMatch) to match documents on ip and subnets
    • LDAP Bruteforce Alert
    • Make target (lint) for running pep8 checks against codebase
    • Uptycs alert event cron script

    Fixed

    • Modified regex statements to be proper python3 statements
    • Auth0 script to consume new depnote events

    Changed

    • Moved benchmark and examples directory into scripts directory with sample ingest scripts
  • v3.1.1 (Jul 25, 2019)

    Added

    • Ability to get open indices in ElasticsearchClient
    • Documentation on installing dependencies on Mac OS X

    Changed

    • AWS Managed Elasticsearch/Kibana version to 6.7

    Fixed

    • Disk free/total in /about page shows at most 2 decimal places
    • Connections to SQS and S3 without access key and secret
    • Ability to block IPs and add to Watchlist
  • v3.1.0 (Jul 25, 2019)

    Added

    • Captured the AWS CodeBuild CI/CD configuration in code with documentation
    • Support for HTTP Basic Auth in AWS deployment
    • Docker healthchecks to docker containers
    • Descriptions to all AWS Lambda functions
    • Support for alerts-* index in docker environment
    • Alert that detects excessive numbers of AWS API describe calls
    • Additional AWS infrastructure to support AWS re:Inforce 2019 workshop
    • Documentation specific to MozDef installation now that MozDef uses Python 3
    • Config setting for CloudTrail notification SQS queue polling time
    • Config setting for Slack bot welcome message

    Changed

    • Kibana port from 9443 to 9090
    • AWS CloudFormation default values from "unset" to empty string
    • Simplify mozdef-mq logic determining AMQP endpoint URI
    • SQS to always use secure transport
    • CloudTrail alert unit tests
    • Incident summary placeholder text for greater clarity
    • Display of Veris data for easier viewing
    • All Dockerfiles to reduce image size, pin package signing keys and improve clarity

    Fixed

    • Workers starting before GeoIP data is available
    • Mismatched MozDefACMCertArn parameter name in CloudFormation template
    • Duplicate mozdefvpcflowlogs object
    • Hard coded AWS Availability Zone
    • httplib2 by updating to version to 0.13.0 for python3
    • mozdef_util by modifying bulk queue to acquire lock before saving events
    • Dashboard Kibana URL
    • Unnecessary and conflicting package dependencies from MozDef and mozdef_util
    • get_indices to include closed indices
  • v3.0.0 (Jul 8, 2019)

  • v2.0.1 (Jul 8, 2019)

  • v2.0.0 (Jun 28, 2019)

    Added

    • Source IP and Destination IP GeoPoints
    • Elasticsearch 6.8 Support
    • Kibana 6.8 Support
    • All doc_types have been set to _doc to support Elasticsearch >= 6

    Removed

    • Elasticsearch <= 5 Support
    • Kibana <= 5 Support
    • Specifying AWS keys in S3 backup script, moved to Elasticsearch Secrets
  • v1.40.0 (Jun 27, 2019)

    Added

    • Alertplugin for ip source enrichment
    • Alertplugin for port scan enrichment

    Fixed

    • Bulk message support in loginput

    Removed

    • Vidyo2Mozdef cron script to https://github.com/mozilla/mozdef-deprecated/blob/master/cron/vidyo2MozDef.py
  • v1.39.0 (May 29, 2019)

    Added

    • Pagination of Web UI tables
    • Added support for SQS in replacement of Rabbitmq for alerts
    • Support for no_auth for watchlist
    • Cron script for closing indexes
    • Documentation on AlertActions
    • Additional side nav theme

    Changed

    • Removed dependency on '_type' field in Elasticsearch

    Fixed

    • Slackbot reconnects successfully during network errors
    • Relative Kibana URLs now work correctly with protocol
  • v1.38.5 (Apr 10, 2019)

    Added

    • Support for CSS themes

    Changed

    • The CI/CD order to now build docker images in CodeBuild, upload them to DockerHub and then pull them down in the packer instance. Updated docs.
    • Assert TravisCI Python version in advance of change of Travis default to 3.6

    Fixed

    • Dashboard error on docker spinup
  • v1.38.4 (Apr 8, 2019)

    Fixed

    • Docker image tagging for git version tag builds
    • Correctly propagate the source ip address to the details.sourceipaddress in Duo logpull
    • Invalid literal in squidFixup.py destinationport field
    • Lowercase TAGS in squidFixup.py
    • Adding check for None type object in date fields to address GuardDuty null date

    Added

    • Documentation on the CI/CD process
    • A summary to squidFixup.py
    • Tags assertions to tests
  • v1.38.3 (Apr 2, 2019)

  • v1.38.2 (Apr 1, 2019)

  • v1.38.1 (Mar 29, 2019)

    v1.38.1 of the Mozilla Defense Platform.

    Added

    • Enable CI/CD with AWS CodeBuild
    • Create AMIs of MozDef, replicate and share them
    • Link everything (container images, AMIs, templates) together by MozDef version

    Changed

    • Publish versioned CloudFormation templates
    • RabbitMQ configured to use a real password
  • v1.38 (Mar 29, 2019)

    v1.38 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.38%22

  • v1.37 (Feb 28, 2019)

    v1.37 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.37%22

  • v1.36 (Feb 1, 2019)

    v1.36 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.36%22

  • v1.35 (Dec 26, 2018)

    v1.35 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.35%22

  • v1.34 (Nov 28, 2018)

    v1.34 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.34%22

  • v1.33 (Oct 31, 2018)

    v1.33 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.33%22

  • v1.32 (Sep 26, 2018)

    v1.32 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.32%22

  • v1.31 (Jul 25, 2018)

    v1.31 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.31%22

  • v1.30 (Jun 26, 2018)

    v1.30 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.30%22

  • v1.29 (May 30, 2018)

    v1.29 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.29%22

  • v1.28 (Apr 25, 2018)

    v1.28 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.28%22

  • v1.27 (Mar 29, 2018)

    v1.27 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.27%22

  • v1.26 (Feb 28, 2018)

    v1.26 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.26%22

  • v1.25 (Jan 31, 2018)

    v1.25 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.25%22

  • v1.24 (Dec 20, 2017)

    v1.24 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.24%22

  • v1.23 (Nov 16, 2017)

    v1.23 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.23%22

  • v1.22 (Oct 18, 2017)

    v1.22 of the Mozilla Defense Platform.

    Change Log: https://github.com/mozilla/MozDef/issues?q=is%3Aclosed+milestone%3A%22Release+v1.22%22
