DB Watcher

Sites that handle card transactions, directly or indirectly, are officially expected (PCI DSS requires it) to run file integrity monitoring on their servers, with tools such as OSSEC. Many attackers today, however, insert card-skimming JavaScript through the database rather than by the traditional route of modifying a template file on the server.

Magento, for example, has seen a spate of attacks in which such JavaScript was inserted into the config table (core_config_data) under Miscellaneous Scripts. File integrity tools will simply not pick up on these attacks, because no file on disk changes.

That is the reason for this tool. It lets you monitor key tables such as the config or CMS tables, so that you are alerted when an attack occurs. You can then remove the offending JavaScript, and with the time frame DB Watcher gives you, check your web access logs to find the attack vector that was used.

DB Watcher uses Maxwell, which connects to MySQL like a replica, reads the binlog for every row that is inserted, updated or deleted, and writes one JSON document per row change to Kafka or to a file. For the moment DB Watcher uses the file producer via a named pipe. Maxwell needs the server to run with binlog_format=ROW and a MySQL user that holds the REPLICATION SLAVE and REPLICATION CLIENT privileges.

The system lets you set up watch tasks with the following rules:

  • Watch for specific DML operations: insert, update or delete
  • Watch specific database tables for changes
  • Watch a specific database for any change event

A single task can chain these three rules in any combination; all of the rules set on a task must match.

A task can have actions, which are executed when all of its rules match. At the moment DB Watcher has one action, logger, which writes through Monolog.
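The following is an added example, not DB Watcher's own code: it shows the task/rule model described above working over Maxwell's JSON change stream, with the Magento Miscellaneous Scripts skimmer case as the sample event. Maxwell's per-row JSON fields (database, table, type, ts, data, old) are as Maxwell documents them; the Task structure, build_tasks() and logger_action() are hypothetical stand-ins for DB Watcher's tasks.yaml and Monolog logger action, and the events are constructed sample data.

```python
"""Rule matching over Maxwell's JSON change stream, in the shape DB Watcher
describes: type / table / database rules chained on a task, then an action.
Added example, not DB Watcher's code.  Maxwell's per-row JSON fields are as
Maxwell documents them; Task, build_tasks() and logger_action() are
hypothetical stand-ins for DB Watcher's own task file and logger action."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Iterable, Iterator, List, Optional, Set

# Magento 1 keeps "Miscellaneous Scripts" and "Miscellaneous HTML" under these
# core_config_data paths; a <script> landing here is the skimmer case above.
MAGENTO_MISC_PATHS = {"design/head/includes", "design/footer/absolute_footer"}

# Constructed sample of what Maxwell writes to the pipe: one JSON object per
# row change.  The last line stands in for a malformed write.
SAMPLE_EVENTS = [
    '{"database":"magento","table":"sales_flat_order","type":"insert",'
    '"ts":1500000000,"data":{"entity_id":1}}',
    '{"database":"magento","table":"core_config_data","type":"update",'
    '"ts":1500000100,"data":{"config_id":42,"path":"design/head/includes",'
    '"value":"<script src=\\"https://example.invalid/s.js\\"></script>"},'
    '"old":{"value":""}}',
    '{"database":"magento","table":"cms_page","type":"update","ts":1500000200,'
    '"data":{"page_id":3,"content":"<p>Hello</p>"}}',
    '{"database":"other","table":"core_config_data","type":"delete",'
    '"ts":1500000300,"data":{"config_id":7}}',
    'not json at all',
]

def find_script_tags(event: dict) -> List[str]:
    """Names of the columns whose new value carries a <script> tag."""
    data = event.get("data") or {}
    return [k for k, v in data.items() if isinstance(v, str) and "<script" in v.lower()]

def logger_action(event: dict, task: "Task") -> dict:
    """Stand-in for DB Watcher's Monolog logger action: record what changed and
    when, so the timestamp can be lined up against the web access logs."""
    data = event.get("data") or {}
    columns = find_script_tags(event)
    return {
        "task": task.name,
        "when": datetime.fromtimestamp(event["ts"], tz=timezone.utc).isoformat(),
        "change": f'{event["type"]} {event["database"]}.{event["table"]}',
        "script_injection": bool(columns),
        "columns": columns,
        "misc_scripts_path": data.get("path") in MAGENTO_MISC_PATHS,
    }

@dataclass
class Task:
    """One watch task; every rule that is set must hold (rules are ANDed)."""
    name: str
    types: Optional[Set[str]] = None      # insert / update / delete; None = any
    tables: Optional[Set[str]] = None     # None = any table
    databases: Optional[Set[str]] = None  # None = any database
    actions: List[Callable[[dict, "Task"], dict]] = field(default_factory=lambda: [logger_action])

    def matches(self, event: dict) -> bool:
        rules = ((self.types, event.get("type")),
                 (self.tables, event.get("table")),
                 (self.databases, event.get("database")))
        return all(allowed is None or value in allowed for allowed, value in rules)

def read_events(lines: Iterable[str]) -> Iterator[dict]:
    """Decode Maxwell's one-object-per-line stream, skipping anything malformed."""
    for line in lines:
        try:
            event = json.loads(line.strip())
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "type" in event:
            yield event

def build_tasks() -> List[Task]:
    """Two tasks in the spirit of the README: config inserts/updates, any CMS change."""
    return [
        Task("magento-config", types={"insert", "update"},
             tables={"core_config_data"}, databases={"magento"}),
        Task("magento-cms", tables={"cms_page", "cms_block"}, databases={"magento"}),
    ]

def run_watch(lines: Iterable[str], tasks: List[Task]) -> Iterator[dict]:
    """Stream alerts as events arrive; works on a live FIFO as well as a list."""
    for event in read_events(lines):
        for task in tasks:
            if task.matches(event):
                for action in task.actions:
                    yield action(event, task)

if __name__ == "__main__":
    import sys
    # Pass the named pipe's path to watch Maxwell live; no argument runs the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for alert in run_watch(source, build_tasks()):
        print(json.dumps(alert))
```

Run against the sample, only the core_config_data update and the cms_page update produce alerts; the order insert misses every table rule, the delete in the other database fails the database rule, and the malformed line is dropped. The alert for the config update flags the `value` column and the Miscellaneous Scripts path, and carries the UTC timestamp you would take to the web access logs.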

Installation

  • Create the named pipe that Maxwell will write to and DB Watcher will read from:

```sh
mkfifo /path/to/pipe
```

or

```sh
mknod /path/to/pipe p
```

  • Configure the DB Watcher rules by creating a tasks.yaml file in the conf directory. tasks.example.yaml shows how to configure it.
  • Configure the DB Watcher logger by creating a container.conf.php file in the conf directory. See container.conf.example.php for examples; any Monolog handler can be used here.
  • Run Maxwell:

```sh
/path/to/maxwell/bin/maxwell --user='maxwell' --password='XXXXXX' --host='127.0.0.1' --producer=file --output_file /path/to/pipe
```

  • Run DB Watcher:

```sh
php /path/to/dbwatcher/bin/dbwatcher.php run /path/to/pipe
```

A password passed on the command line is visible in the process list and shell history; Maxwell can read the same settings from its config.properties file instead. Because the output is a named pipe, Maxwell's writes block until DB Watcher has opened the read end and whenever the pipe buffer is full, so keep DB Watcher running alongside Maxwell.