Vomitblood/cspj-application
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

suricata

Browse source
This commit is contained in:
Vomitblood 2025-02-05 04:24:40 +08:00
parent 9e817d081f
commit 02542e5124
9 changed files with 284 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.gitignore vendored
View file

@ -18,4 +18,11 @@
**/gen/schemas **/gen/schemas
# server # server
server/server server/server
# nginx logs
docker/suricata/nginx/logs/access.log
docker/suricata/nginx/logs/error.log
# suricata logs
docker/suricata/suricata/logs/*

15
docker/modsecurity/docker-compose.yml
View file

@ -1,19 +1,10 @@
services: services:
modsecurity: modsecurity:
image: owasp/modsecurity-crs:apache image: owasp/modsecurity-crs:apache-alpine
container_name: modsecurity container_name: modsecurity
restart: always restart: always
ports:
- "3331:3331"
extra_hosts:
- "host.docker.internal:host-gateway"
environment: environment:
BACKEND: "http://host.docker.internal:3333" # TODO: CHANGE THIS TO SURICATA'S PORT COS INLINE BACKEND: "http://localhost:3333" # TODO: CHANGE THIS TO SURICATA'S PORT COS INLINE
SERVER_NAME: "localhost" SERVER_NAME: "localhost"
PORT: "3331" PORT: "3331"
networks: network_mode: "host"
- modsec-network
networks:
modsec-network:
driver: bridge

39
docker/suricata/docker-compose.yml Normal file
View file

@ -0,0 +1,39 @@
services:
nginx:
image: nginx:latest
container_name: nginx
restart: always
ports:
- "3332:3332"
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/logs:/var/log/nginx
network_mode: "host"
extra_hosts:
- "host.docker.internal:host-gateway"
depends_on:
- suricata
suricata:
image: jasonish/suricata
container_name: suricata
restart: always
cap_add:
- NET_ADMIN
- NET_RAW
- SYS_NICE
network_mode: "host"
extra_hosts:
- "host.docker.internal:host-gateway"
environment:
- PUID=1000
- PGID=1000
volumes:
- ./suricata/etc:/etc/suricata
- ./suricata/logs:/var/log/suricata
- ./suricata/lib:/var/lib/suricata
command: ["-c", "/etc/suricata/suricata.yaml", "--af-packet"]
networks:
suricata-net:
driver: bridge

22
docker/suricata/nginx/nginx.conf Normal file
View file

@ -0,0 +1,22 @@
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server {
listen 3332;
location / {
proxy_pass http://host.docker.internal:3333;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}

51
docker/suricata/suricata/etc/classification.config Normal file
View file

@ -0,0 +1,51 @@
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1

26
docker/suricata/suricata/etc/reference.config Normal file
View file

@ -0,0 +1,26 @@
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: bid http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
#config reference: cve http://cvedetails.com/cve/
config reference: secunia http://www.secunia.com/advisories/
#whitehats is unfortunately gone
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: et http://doc.emergingthreats.net/
config reference: etpro http://doc.emergingthreatspro.com/
config reference: telus http://
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5 http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia http://secunia.com/advisories/
config reference: xforce http://xforce.iss.net/xforce/xfdb/
config reference: msft http://technet.microsoft.com/security/bulletin/

102
docker/suricata/suricata/etc/suricata.yaml Normal file
View file

@ -0,0 +1,102 @@
%YAML 1.1
---
# Suricata configuration file
vars:
address-groups:
HOME_NET: "[172.30.0.0/16]"
EXTERNAL_NET: "!$HOME_NET"
SQL_SERVERS: "[127.30.0.2]"
port-groups:
HTTP_PORTS: "3332"
# Define Suricata as an inline IPS
af-packet:
- interface: wlan0
threads: auto
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
bypass: no
# Define network capture method
pcap:
- interface: wlan0
buffer-size: 512mb
# Suricata will listen on 3332 and forward to 3333
ips:
mode: "inline"
default-rule-action: "drop"
rules:
- drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"SELECT"; nocase; sid:1000001; rev:1;)
- drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"DROP TABLE"; nocase; sid:1000002; rev:1;)
- drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"INSERT INTO"; nocase; sid:1000003; rev:1;)
- drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"UNION SELECT"; nocase; sid:1000004; rev:1;)
outputs:
- fast:
enabled: yes
filename: "/var/log/suricata/fast.log"
- eve-log:
enabled: yes
filetype: regular
filename: "/var/log/suricata/eve.json"
types:
- http:
extended: yes # Log full request details
body: yes # Log request body
- alert:
metadata: yes
tagged-packets: yes
- tls:
extended: yes # Log TLS handshakes
- dns:
enabled: yes # Log all DNS queries
- flow:
enabled: yes # Log all network flows
- anomaly:
enabled: yes # Log detected anomalies
- pcap-log:
enabled: yes
dir: "/var/log/suricata/pcap"
filename: "full-packet-log.pcap"
- stats:
enabled: yes
filename: "/var/log/suricata/stats.log"
append: yes
totals: yes
threads: yes
# Define the HTTP inspection settings
app-layer:
protocols:
http:
enabled: yes
libhtp:
default-config:
personality: IDS
request-body-limit: 4096
response-body-limit: 4096
request-body-minimal-inspect-size: 512
response-body-minimal-inspect-size: 512
request-body-inspect-window: 4096
response-body-inspect-window: 4096
logging:
outputs:
- console:
enabled: yes
- file:
enabled: yes
filename: "/var/log/suricata/suricata.log"
stats:
enabled: yes
interval: 2
# Enable rule management
rule-files:
- suricata.rules

32
docker/suricata/suricata/etc/threshold.config Normal file
View file

@ -0,0 +1,32 @@
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# Thresholding commands limit the number of times a particular event is logged
# during a specified time interval.
#
# The syntax is the following:
#
# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
#
# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
#
# suppress gen_id <gid>, sig_id <sid>
# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
#
# The options are documented at https://docs.suricata.io/en/latest/configuration/global-thresholds.html
#
# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
# and global thresholds is documented here:
# https://docs.suricata.io/en/latest/configuration/global-thresholds.html#global-thresholds-vs-rule-thresholds
# Limit to 10 alerts every 10 seconds for each source host
#threshold gen_id 0, sig_id 0, type limit, track by_src, count 10, seconds 10
# Limit to 1 alert every 10 seconds for signature with sid 2404000 per destination host
#threshold gen_id 1, sig_id 2404000, type limit, track by_dst, count 1, seconds 10
# Avoid to alert on f-secure update
# Example taken from https://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
#suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
#suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
#suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25

1
docker/suricata/suricata/etc/update.yaml Normal file
View file

@ -0,0 +1 @@
reload-command: suricatasc -c reload-rules