DFIR-MESI — Server Architecture
Digital Forensics & Incident Response — Infrastructure Map
🖥 Ubuntu 24.04 LTS │ Docker Engine │ dfirmesiproject.com
External Layer — Clients
DFIR / SOC analysts
  Browser access over HTTPS :443
Claude AI (MCP client)
  SSE/HTTPS → MCP servers
Windows endpoints
  Wazuh Agent :1514 │ Velociraptor :8000
Syslog sources
  UDP :514 → Wazuh Manager
Inbound traffic: HTTPS :443 / TCP :1514-1515 / UDP :514
▼
Layer 1 — Firewall (UFW)
UFW — Uncomplicated Firewall
Stateful packet filtering • iptables/nftables backend

Allowed inbound rules:
  TCP 22         SSH
  TCP 80         HTTP / Certbot
  TCP 443        HTTPS / Nginx
  TCP 1514-1515  Wazuh Agent / Enrollment
  UDP 514        Syslog
  TCP 55000      Wazuh API

Default incoming: DENY
Default outgoing: ALLOW
Docker bypass: Docker inserts its own rules into the iptables FORWARD chain, so ports published by containers are not governed by the UFW rules above.
Allowed packets
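Because of the Docker bypass noted above, the UFW rule table alone does not show what is reachable; the binding address of each published container port does (the diagram binds most services to 127.0.0.1, but iriswebapp_nginx to 0.0.0.0:8443). The following check is an added example, not part of the DFIR-MESI project: it parses the output of `docker ps --format '{{.Names}} {{.Ports}}'` and lists every published port that is not bound to loopback; the sample input is constructed from the container names on this page.

```sh
#!/bin/sh
# Added example (not DFIR-MESI project code): report container ports that Docker
# publishes on all interfaces. Such ports are reachable through the iptables
# FORWARD chain regardless of UFW's default-deny policy.

# Reads lines of "<name> <ports>" on stdin and prints "<name> <binding>" for
# every published port whose host address is not loopback.
find_exposed_ports() {
    awk '
    NF >= 2 {
        name  = $1
        ports = substr($0, length($1) + 1)
        n = split(ports, entry, /, */)
        for (i = 1; i <= n; i++) {
            e = entry[i]
            sub(/^[ \t]+/, "", e)
            if (e !~ /->/) continue           # exposed only, not published: skip
            host = e
            sub(/->.*$/, "", host)            # keep "addr:hostport"
            sub(/:[0-9]+$/, "", host)         # keep "addr" ("::" for IPv6 any)
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") continue
            print name, e
        }
    }'
}

# Runs the check against the live Docker daemon (assumes docker is installed).
audit_live_docker() {
    docker ps --format '{{.Names}} {{.Ports}}' | find_exposed_ports
}

# Constructed sample in docker ps format, using the container names from the
# architecture map; only iriswebapp_nginx is bound to all interfaces.
SAMPLE_PS='wazuh-wazuh.dashboard-1 127.0.0.1:5601->5601/tcp
iriswebapp_nginx 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp
iriswebapp_db 5432/tcp
velociraptor 127.0.0.1:8000->8000/tcp, 127.0.0.1:8001->8001/tcp, 127.0.0.1:8889->8889/tcp'

printf '%s\n' "$SAMPLE_PS" | find_exposed_ports
```

Any line the check prints is a port that UFW does not filter; the remedy is to publish it as 127.0.0.1:port (as the other services in the map already do) and let Nginx front it.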
▼
Layer 2 — Nginx Reverse Proxy
Nginx Reverse Proxy
SSL/TLS termination • Let's Encrypt • SSE support

Virtual host                          → Upstream (loopback)  Service
iris.dfirmesiproject.com              → 127.0.0.1:8443       IRIS Web UI
velociraptor.dfirmesiproject.com      → 127.0.0.1:8889       Velociraptor GUI
wazuh.dfirmesiproject.com             → 127.0.0.1:5601       Wazuh Dashboard
mcp-wazuh.dfirmesiproject.com         → 127.0.0.1:3002       Wazuh MCP (SSE)
mcp-velociraptor.dfirmesiproject.com  → 127.0.0.1:3001       Velociraptor MCP (SSE)
mcp-iris.dfirmesiproject.com          → 127.0.0.1:3003       IRIS MCP (SSE)

Proxy settings: TLS 1.2/1.3 • Let's Encrypt • proxy_buffering off • SSE keepalive 86400s • HTTP/2 • X-Forwarded-For • client_max_body_size 500M • proxy_pass → 127.0.0.1:port (loopback)
▼
Layer 3 — Docker Containers

Wazuh SIEM Stack
v4.14 • /opt/dfir-mesi/wazuh/
  wazuh-wazuh.manager-1    :1514/tcp :1515/tcp :514/udp :55000/tcp
                           Manager • Authd • API • Active Response
  wazuh-wazuh.indexer-1    :9200/tcp (OpenSearch)
                           Alert indexing and storage
  wazuh-wazuh.dashboard-1  127.0.0.1:5601/tcp
                           Web dashboard (OpenSearch Dashboards)

DFIR-IRIS Stack
v2.4.24 • /opt/dfir-mesi/iris/
  iriswebapp_nginx     0.0.0.0:8443/tcp   IRIS internal reverse proxy
  iriswebapp_app       internal           IRIS main application
  iriswebapp_worker    internal           Asynchronous worker (tasks)
  iriswebapp_db        :5432 (internal)   PostgreSQL
  iriswebapp_rabbitmq  :5672 (internal)   Message broker

Velociraptor
v0.75.3 • Single container
  velociraptor
    127.0.0.1:8000/tcp — Frontend (agents)
    127.0.0.1:8001/tcp — gRPC API
    127.0.0.1:8889/tcp — Web GUI
    Forensic collection • VQL • Hunting

MCP Servers (Model Context Protocol)
Python 3.13 • FastMCP • SSE transport
  wazuh-mcp-server         127.0.0.1:3002 → container :8000   GenSecAI • 24 tools
  velociraptor-mcp-server  127.0.0.1:3001 → container :8000   SOCFortress • VQL queries
  iris-mcp-server          127.0.0.1:3003 → container :8000   Custom DFIR-MESI • 35 functions + KPIs

Webhook & Automation
Integrations Wazuh ↔ IRIS ↔ Velociraptor
  dfir-assets-webhook   127.0.0.1:5555/tcp
    Syncs Velociraptor assets → IRIS
    Trigger: on_postload_case_create
  custom-iris.py (Wazuh → IRIS)
    Python script in the Manager container
    Wazuh alerts with level ≥12 → IRIS case creation
  custom-velociraptor.py (Wazuh → Velo → IRIS)
    Python script v10.5 in the Manager container
    Ransomware alert → automatic forensic collection
    Artifacts: Triage.Targets + HighValueMemory → IRIS + Slack
Wazuh Agent :1514 │ Velociraptor Agent :8000
▲
Endpoint Layer — Windows Clients
Windows Endpoints (10/11/Server)
Automated installation via PowerShell v9.5

Workstation
● Wazuh Agent 4.14
● Sysmon v15.15
● Velociraptor Client
● Active Response

Server
● Wazuh Agent 4.14
● Sysmon v15.15
● Velociraptor Client
● Active Response

Wazuh Agent          → TCP :1514  wazuh-wazuh.manager-1 (events/alerts)
Wazuh enrollment     → TCP :1515  wazuh-authd (agent registration)
Velociraptor Client  → TCP :8000  Velociraptor Frontend (forensic collection)
Sysmon               → local      Event channel → Wazuh Agent (eventchannel)
Legend
Wazuh SIEM │ DFIR-IRIS │ Velociraptor │ MCP Servers │ Nginx Proxy │ UFW Firewall │ Webhook/Automation │ Active container │ Internal container