bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/README.md (about) 1 2 3 4 5 <p align="center"> 6 <img src="docs/assets/images/synsec_logo.png" alt="SynSec" title="SynSec" width="400" height="240"/> 7 </p> 8 9 </br> 10 </br> 11 </br> 12 13 If you want to be notified of software **updates**, <a href="https://docs.google.com/forms/d/e/1FAIpQLSdirOC4OMYtR-HG2c54T8Ubwrq8oPLZ5k-VHOjrANip-O_KfA/viewform">click here</a> 14 15 ## <TL;DR> 16 SynSec is nextgen of behavior detection for WAF, by CMC WAF 17 18 A modern behavior detection system, written in Go. It stacks on Fail2ban's philosophy, but uses Grok patterns & YAML grammar to analyse logs. It exposes an api, allowing to decouple detection and remediation for Cloud/Containers/VM based infrastructures. Once detected you respond to threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) and blocked IPs are shared among all users to further improve their security. See [FAQ](https://doc.synsec.net/faq/) or read bellow for more. 19 20 ## :information_source: About the SynSec project 21 22 Synsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user friendly design and assistance offers a low technical barrier of entry and nevertheless a high security gain. 23 24 Processing is done in 5 steps: 25 1. Read Data sources (log files, streams, trails, messages ...), normalize and enrich signals 26 2. Matching those signals to behavior patterns, aka scenarios (*) 27 3. If an unwanted behavior is detected, deal with it through a [bouncer](https://hub.synsec.net/browse/#bouncers) : a software component integrated into your applicative stack that supports various remediations such as block, return 403, and soon captcha, 2FA, etc. 28 4. The aggressive IP, the scenario name triggered and a timestamp is sent to our curation platform (to avoid poisoning & false positives) 29 5. If verified, this IP is then integrated to the block list continuously distributed to all SynSec users (based on the scenarios installed) 30 31 By detecting, blocking & sharing the threat they faced, all clients are reinforcing each-others (hence the name Crowd-Security). Synsec is designed for modern infrastructures, with its "*Detect Here, Remedy There*" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack. 32 33 (*) SynSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted for most context, but you can easily extend it by picking more of them from the [hub](https://hub.synsec.net). It is also easy to adapt an existing one or create one yourself. 34 35 ## :point_right: What it is not 36 37 SynSec is not a SIEM, storing your logs (neither locally nor remotely). 38 39 Your data stay in your premises and are only analyzed and forgotten. 40 41 Signals sent to the curation platform are extremely limited (IP, Scenario, Timestamp), and are only there to allow the system to rule out false positives or poisoning attempts. 42 43 ## :arrow_down: Install it ! 44 45 Synsec is available for various platforms : 46 47 - [Use our debian repositories](https://doc.synsec.net/Synsec/v1/getting_started/installation/#install-using-synsec-repository) or [the official debian packages](https://doc.synsec.net/Synsec/v1/getting_started/installation/#install-using-debian-official-packages) 48 - An [image](https://hub.docker.com/r/synsecurity/synsec) is available for docker 49 - [Prebuilt release packages](https://bitbucket.org/Aishee/synsec/releases) are also available (suitable for `amd64`) 50 - You can as well [build it from source](https://doc.synsec.net/Synsec/v1/getting_started/installation/#install-from-source) 51 - FreeBSD support is [wip](https://bitbucket.org/Aishee/synsec/issues/651) 52 53 Or look directly at [installation documentation](https://doc.synsec.net/Synsec/v1/getting_started/installation/) for other methods. 54 55 ## :tada: Key points 56 57 ### Fast assisted installation, no technical barrier 58 59 <details open> 60 <summary>Initial configuration is automated, providing functional out-of-the-box setup</summary> 61 <img src="docs/assets/images/synsec_install.gif"> 62 </details> 63 64 ### Out of the box detection 65 66 <details> 67 <summary>Baseline detection is effective out-of-the-box, no fine-tuning required (click to expand)</summary> 68 <img src="docs/assets/images/out-of-the-box-protection.gif"> 69 </details> 70 71 ### Easy bouncer deployment 72 73 <details> 74 <summary>It's trivial to add bouncers to enforce decisions of synsec (click to expand)</summary> 75 <img src="docs/assets/images/blocker-installation.gif"> 76 </details> 77 78 ### Easy dashboard access 79 80 <details> 81 <summary>It's easy to deploy a metabase interface to view your data simply with ccscli (click to expand)</summary> 82 <img src="docs/assets/images/ccscli-metabase.gif"> 83 </details> 84 85 ### Hot & Cold logs 86 87 <details> 88 <summary>Process cold logs, for forensic, tests and chasing false-positives & false negatives (click to expand)</summary> 89 <img src="docs/assets/images/forensic-mode.gif"> 90 </details> 91 92 93 ## 📦 About this repository 94 95 This repository contains the code for the two main components of synsec : 96 - `synsec` : the daemon a-la-fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks 97 - `ccscli` : the cli tool mainly used to interact with synsec : ban/unban/view current bans, enable/disable parsers and scenarios.