Elasticsearch: provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents.
A GET request to port 9200 shows the version:
"version" : { "number" : "1.2.4", ... }
No Authentication (initially)
Can search stored data via HTTP API
Update data with PUT request
Join an open cluster and receive all data
RCE prior to 1.2.0 (CVE-2014-3120, MVEL dynamic scripting enabled by default)
RCE prior to 1.3.8 / 1.4.3 (CVE-2015-1427, Groovy scripting sandbox bypass; the slide listed it as "prior to 1.5.0*")
exploit/multi/elasticsearch/script_mvel_rce (CVE-2014-3120); exploit/multi/elasticsearch/search_groovy_script (CVE-2015-1427)
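The steps above (read the version from port 9200, decide which of the two RCEs apply, list indices and pull documents through the HTTP API) as one triage script. This is an added example, not code from the slides or from Elasticsearch; it assumes an unauthenticated node reachable over plain HTTP whose REST endpoints (/, /_cat/indices, /<index>/_search) behave as in the 1.x API the slides describe. The version-comparison helpers are pure, so they can be checked without a live node.

```python
#!/usr/bin/env python3
"""Triage an exposed Elasticsearch node (added example, not from the slides).

Usage: python es_triage.py http://target:9200

Assumptions: no authentication, plain HTTP, and 1.x-style REST endpoints.
"""
import json
import sys
import urllib.request

# Fixed-in versions for the two RCEs named on the page.
# CVE-2014-3120: MVEL dynamic scripting, enabled by default before 1.2.0.
# CVE-2015-1427: Groovy sandbox bypass, fixed in 1.3.8 and 1.4.3.
KNOWN_RCE = [
    ("CVE-2014-3120", lambda v: v < (1, 2, 0)),
    ("CVE-2015-1427", lambda v: v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3)),
]


def parse_version(number: str) -> tuple:
    """'1.2.4' -> (1, 2, 4); a non-numeric suffix such as '-beta1' is dropped."""
    parts = []
    for p in number.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def applicable_rces(number: str) -> list:
    """CVE ids from KNOWN_RCE whose affected range covers this version."""
    v = parse_version(number)
    return [cve for cve, vulnerable in KNOWN_RCE if vulnerable(v)]


def match_all_query(size: int = 10) -> bytes:
    """Body for POST /<index>/_search that returns the first `size` documents."""
    return json.dumps({"query": {"match_all": {}}, "size": size}).encode()


def http(url: str, data: bytes = None) -> str:
    """GET (data=None) or POST a JSON body and return the response text."""
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def main(base: str) -> None:
    base = base.rstrip("/")
    info = json.loads(http(base + "/"))
    number = info["version"]["number"]
    print("version:", number, "-> likely RCEs:", applicable_rces(number) or "none")

    # /_cat/indices?v prints a header row; locate the "index" column by name
    # because the column order differs between releases.
    lines = http(base + "/_cat/indices?v").splitlines()
    idx_col = lines[0].split().index("index")
    for line in lines[1:]:
        cols = line.split()
        if len(cols) <= idx_col:
            continue
        index = cols[idx_col]
        hits = json.loads(http(f"{base}/{index}/_search", match_all_query(3)))
        total = hits["hits"]["total"]
        if isinstance(total, dict):  # 7.x returns {"value": N, ...}
            total = total.get("value")
        print(f"{index}: {total} docs, sample:")
        for h in hits["hits"]["hits"]:
            print("   ", json.dumps(h.get("_source", {}))[:200])


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200")
```

The script only reads: it never touches the scripting endpoints, so it tells you whether a node is in the affected range without running either exploit. Everything it prints is also what an attacker who finds the port gets for free, which is the point of the "anyone can search it" slide below.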
Kibana
Searching via curl/browser is cumbersome...Kibana FTW
Edit config.js to point to open Elasticsearch
Open index.html in local browser or host on a server
Viewing the content of the document
Import your own data and visualize
Elasticsearch solutions:
Apply authentication if possible
Segment elasticsearch from Corp (and the public in general)
Be aware of the data you put in Elasticsearch: anyone who can reach it can search it
Logs Logs Logs
osquery
What's new?
Nothing! I'm just posting the slide content here so I can remove it from the slide deck this year.