64° Adventures

The purpose of this post is to describe how to use Open Source tools to automatically analyse phishing emails that users (internal / external) has been sent to pre-defined mailbox. The emails are automatically scanned, and any URLs that are discovered are passed on to third-party providers for analysis.

This article may have been about running Splunk Enterprise in a Docker container, but it is actually about sending logs from Docker containers to Splunk Enterprise on-premises or Cloud deployments. By default, Docker logs JSON-formatted data to the filesystem. This is adequate for simpler systems, but log management (and viewing) becomes less practicable for more complex ones. Sending Docker log direct to the Splunk SIEM system is one technique to make things easier for the admins.

Traefik proxy is a versatile and very lightweight cloud-native application gateway / load balancer that integrates really well with Docker and Kubernetes, for example. While Traefik is great and brilliant, it lacks Web Application Firewall features and integrations. Traditionally, one need to put some kind of third-party WAF in front of the Traefik and route requests from there to Traefik. This increases the complexity of the system and complicates troubleshooting.

Security.txt is based on [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116) and nowadays it has been implemented by various companies. The idea is to create a file that can be distributed on a website, from a predefined address ( [https://xxx.test/.well-known/security.txt)](https://xxx.test/.well-known/security.txt%29). The content of the file tells how the organisation can be contacted if security problems and vulnerabilities are found in the organisation’s services.