NGWAF – First Iteration Of ML Based Feedback WAF


This can be achieved in the following steps:

  1. Create a new dataset (.csv) for upload in the following format (empty column, training data, label). You can refer to patch_sqli.csv as an example.

  2. Navigate to http://localhost:8088 to view the NGWAF admin panel.

  3. Select the “Import Dataset” tab and upload the training set you have created.

[Figure: NGWAF admin upload panel]

  4. Confirm that the training set has been uploaded successfully under the “Manage Datasets” tab.

[Figure: NGWAF admin view datasets]

  5. Under the “Manage Model” tab, select the dataset(s) you want to retrain the model on and click the “UPDATE WAF MODEL” button.

[Figure: NGWAF admin retrain model]

[Figure: NGWAF admin retrain model wait]

  6. Congrats! The model should finish retraining after some time.

[Figure: NGWAF 8]
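As an added example (not NGWAF's own code), the helper below writes a retraining dataset in the three-column upload layout described in step 1 and sanity-checks a file before it is imported. It assumes the leading empty-headed column is a row index (the layout pandas' DataFrame.to_csv produces by default), that the remaining columns are named text and label, and that labels are 0 (benign) or 1 (malicious); the sample rows are constructed for illustration and are not taken from patch_sqli.csv.

```python
import csv
import io

# Constructed sample rows (request fragment, label); not from patch_sqli.csv.
SAMPLE_ROWS = [
    ("id=1", 0),
    ("page=about", 0),
    ("id=1' OR '1'='1", 1),
    ("name=admin'--", 1),
]


def dataset_to_csv(rows):
    """Serialise (text, label) pairs in the upload layout: index column with an
    empty header cell, training data, label. Column names are assumed."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["", "text", "label"])
    for idx, (text, label) in enumerate(rows):
        writer.writerow([idx, text, label])
    return buf.getvalue()


def validate_dataset_csv(csv_text):
    """Check a dataset before uploading it; returns (row_count, problems)."""
    problems = []
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header is None or len(header) != 3 or header[0] != "":
        problems.append("header: expected 3 columns with an empty first cell")
    count = 0
    for lineno, row in enumerate(reader, start=2):
        if len(row) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        _, text, label = row
        if not text.strip():
            problems.append(f"line {lineno}: empty training sample")
        if label not in ("0", "1"):  # assumed label convention
            problems.append(f"line {lineno}: label must be 0 or 1")
        count += 1
    return count, problems


if __name__ == "__main__":
    csv_text = dataset_to_csv(SAMPLE_ROWS)
    print(csv_text)
    print(validate_dataset_csv(csv_text))
```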

4. Additional Features:

NGWAF uses the ELK stack to capture logs of the network traffic that passes through it, allowing users to monitor that traffic for further analysis.

[Figure: NGWAF ElasticSearch]

NGWAF also comes with live Telegram notifications, informing owners about malicious threats as they are detected by NGWAF.

[Figure: NGWAF Telegram notification]

Sample Usage Scenarios

  1. Newly normal application (use the built-in web cloner, or create another duplicate deployment, to serve as the isolation environment)
  2. Integrate into an existing honeypot/honeynet (update the configuration to point to the honeypot/honeynet)

Setting up NGWAF | Requirements, installation, and usage

Requirements

Tested Operating Systems

  1. macOS (Docker Desktop)
  2. Linux

WAF Component

  1. Python
  2. requests
  3. fastapi
  4. pandas
  5. scikit-learn
  6. tensorflow (tentative)
  7. nltk

WAF Admin Panel Component

  1. fastapi
  2. scikit-learn
  3. nltk
  4. pandas
  5. Create React App
  6. React Material Admin Template by Flatlogic

Decode Layer

  1. Cyberchef Server

Caching Layer

  1. Redis

Quarantine Environment

  1. Drupot
  2. Elastic Stack components (Elasticsearch, Logstash, Kibana, Filebeat)

Web App

  1. DVWA
  2. OWASP

Installation and Usage

With Docker running, start NGWAF with the following command:

./run.sh

To replace the targets, point the dest_server and honey_pot_server variables in the /waf/WafApp/waf.py file at the correct targets:

# Replace me
dest_server = "dvwa"
honey_pot_server = "drupot:5000"

Once the Docker containers are up, the following services are available on localhost at these ports:

Port  Service          Remarks                            Credentials (if applicable)
8080  DVWA             Where the WAF resides              admin:password
5601  Elasticsearch    To view logs                       elastic:changeme
8088  Admin Dashboard  Dashboard to manage the WAF model
5001  Drupot           Honeypot

To enable live Telegram notifications, replace the following variables in /waf/WafApp/waf.py with a valid Telegram bot token and chat ID.

from urllib.parse import quote

token = '<INSERT VALID TELEGRAM BOT TOKEN>'
CHAT_ID = '<INSERT VALID CHAT_ID>'
WAF_NAME = 'Tester_WAF'
WARN_MSG = "ALERT [Security Incident] Malicious activity detected on " + WAF_NAME + ". Please alert relevant teams and check through incident artifacts."
# The message is sent as a query-string parameter, so percent-encode it;
# otherwise spaces, brackets and any '&' in the text would break the request.
URL = "https://api.telegram.org/bot{}/sendMessage?chat_id={}&text={}".format(token, CHAT_ID, quote(WARN_MSG))

Disclaimers & Other Considerations

NGWAF is a work-in-progress, open-source project; functions and features may change from patch to patch. If you are interested in contributing, please feel free to open an issue or pull request!

Licensing

GNU General Public License
