suricata

.gitignore

@@ -19,3 +19,10 @@
 
 # server
 server/server
+
+# nginx logs
+docker/suricata/nginx/logs/access.log
+docker/suricata/nginx/logs/error.log
+
+# suricata logs
+docker/suricata/suricata/logs/*

docker/modsecurity/docker-compose.yml

@@ -1,19 +1,10 @@
 services:
   modsecurity:
-    image: owasp/modsecurity-crs:apache
+    image: owasp/modsecurity-crs:apache-alpine
     container_name: modsecurity
     restart: always
-    ports:
-      - "3331:3331"
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
     environment:
-      BACKEND: "http://host.docker.internal:3333" # TODO: CHANGE THIS TO SURICATA'S PORT COS INLINE
+      BACKEND: "http://localhost:3333" # TODO: CHANGE THIS TO SURICATA'S PORT COS INLINE
       SERVER_NAME: "localhost"
       PORT: "3331"
-    networks:
-      - modsec-network
-
-networks:
-  modsec-network:
-    driver: bridge
+    network_mode: "host"

docker/suricata/docker-compose.yml

@@ -0,0 +1,39 @@
+services:
+  nginx:
+    image: nginx:latest
+    container_name: nginx
+    restart: always
+    ports:
+      - "3332:3332"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/logs:/var/log/nginx
+    network_mode: "host"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    depends_on:
+      - suricata
+
+  suricata:
+    image: jasonish/suricata
+    container_name: suricata
+    restart: always
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+      - SYS_NICE
+    network_mode: "host"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    environment:
+      - PUID=1000
+      - PGID=1000
+    volumes:
+      - ./suricata/etc:/etc/suricata
+      - ./suricata/logs:/var/log/suricata
+      - ./suricata/lib:/var/lib/suricata
+    command: ["-c", "/etc/suricata/suricata.yaml", "--af-packet"]
+
+networks:
+  suricata-net:
+    driver: bridge

docker/suricata/nginx/nginx.conf

@@ -0,0 +1,22 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    server {
+        listen 3332;
+
+        location / {
+            proxy_pass http://host.docker.internal:3333;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+}

docker/suricata/suricata/etc/classification.config

@@ -0,0 +1,51 @@
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: inappropriate-content,Inappropriate Content was Detected,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
+
+# Update
+config classification: targeted-activity,Targeted Malicious Activity was Detected,1
+config classification: exploit-kit,Exploit Kit Activity Detected,1
+config classification: external-ip-check,Device Retrieving External IP Address Detected,2
+config classification: domain-c2,Domain Observed Used for C2 Detected,1
+config classification: pup-activity,Possibly Unwanted Program Detected,2
+config classification: credential-theft,Successful Credential Theft Detected,1
+config classification: social-engineering,Possible Social Engineering Attempted,2
+config classification: coin-mining,Crypto Currency Mining Activity Detected,2
+config classification: command-and-control,Malware Command and Control Activity Detected,1

docker/suricata/suricata/etc/reference.config

@@ -0,0 +1,26 @@
+# config reference: system URL
+
+config reference: bugtraq   http://www.securityfocus.com/bid/
+config reference: bid	    http://www.securityfocus.com/bid/
+config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+#config reference: cve       http://cvedetails.com/cve/
+config reference: secunia   http://www.secunia.com/advisories/
+
+#whitehats is unfortunately gone
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+config reference: McAfee    http://vil.nai.com/vil/content/v_
+config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url       http://
+config reference: et        http://doc.emergingthreats.net/
+config reference: etpro     http://doc.emergingthreatspro.com/
+config reference: telus     http://
+config reference: osvdb     http://osvdb.org/show/osvdb/
+config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
+config reference: md5	    http://www.threatexpert.com/report.aspx?md5=
+config reference: exploitdb http://www.exploit-db.com/exploits/
+config reference: openpacket https://www.openpacket.org/capture/grab/
+config reference: securitytracker http://securitytracker.com/id?
+config reference: secunia   http://secunia.com/advisories/
+config reference: xforce    http://xforce.iss.net/xforce/xfdb/
+config reference: msft      http://technet.microsoft.com/security/bulletin/

docker/suricata/suricata/etc/suricata.yaml

@@ -0,0 +1,102 @@
+%YAML 1.1
+---
+# Suricata configuration file
+
+vars:
+  address-groups:
+    HOME_NET: "[172.30.0.0/16]"
+    EXTERNAL_NET: "!$HOME_NET"
+    SQL_SERVERS: "[127.30.0.2]"
+
+  port-groups:
+    HTTP_PORTS: "3332"
+
+# Define Suricata as an inline IPS
+af-packet:
+  - interface: wlan0
+    threads: auto
+    cluster-id: 99
+    cluster-type: cluster_flow
+    defrag: yes
+    bypass: no
+
+# Define network capture method
+pcap:
+  - interface: wlan0
+    buffer-size: 512mb
+
+# Suricata will listen on 3332 and forward to 3333
+ips:
+  mode: "inline"
+  default-rule-action: "drop"
+
+  rules:
+    - drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"SELECT"; nocase; sid:1000001; rev:1;)
+    - drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"DROP TABLE"; nocase; sid:1000002; rev:1;)
+    - drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"INSERT INTO"; nocase; sid:1000003; rev:1;)
+    - drop tcp any any -> any 3332 (msg:"SQL Injection Detected"; content:"UNION SELECT"; nocase; sid:1000004; rev:1;)
+
+outputs:
+  - fast:
+      enabled: yes
+      filename: "/var/log/suricata/fast.log"
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: "/var/log/suricata/eve.json"
+      types:
+        - http:
+            extended: yes     # Log full request details
+            body: yes         # Log request body
+        - alert:
+            metadata: yes
+            tagged-packets: yes
+        - tls:
+            extended: yes     # Log TLS handshakes
+        - dns:
+            enabled: yes      # Log all DNS queries
+        - flow:
+            enabled: yes      # Log all network flows
+        - anomaly:
+            enabled: yes      # Log detected anomalies
+  - pcap-log:
+      enabled: yes
+      dir: "/var/log/suricata/pcap"
+      filename: "full-packet-log.pcap"
+  - stats:
+      enabled: yes
+      filename: "/var/log/suricata/stats.log"
+      append: yes
+      totals: yes
+      threads: yes
+
+# Define the HTTP inspection settings
+app-layer:
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+        default-config:
+          personality: IDS
+          request-body-limit: 4096
+          response-body-limit: 4096
+          request-body-minimal-inspect-size: 512
+          response-body-minimal-inspect-size: 512
+          request-body-inspect-window: 4096
+          response-body-inspect-window: 4096
+
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        filename: "/var/log/suricata/suricata.log"
+
+stats:
+  enabled: yes
+  interval: 2
+
+# Enable rule management
+rule-files:
+  - suricata.rules

docker/suricata/suricata/etc/threshold.config

@@ -0,0 +1,32 @@
+# Thresholding:
+#
+# This feature is used to reduce the number of logged alerts for noisy rules.
+# Thresholding commands limit the number of times a particular event is logged
+# during a specified time interval.
+#
+# The syntax is the following:
+#
+# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
+#
+# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
+#
+# suppress gen_id <gid>, sig_id <sid>
+# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
+#
+# The options are documented at https://docs.suricata.io/en/latest/configuration/global-thresholds.html
+#
+# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
+# and global thresholds is documented here:
+# https://docs.suricata.io/en/latest/configuration/global-thresholds.html#global-thresholds-vs-rule-thresholds
+
+# Limit to 10 alerts every 10 seconds for each source host
+#threshold gen_id 0, sig_id 0, type limit, track by_src, count 10, seconds 10
+
+# Limit to 1 alert every 10 seconds for signature with sid 2404000 per destination host
+#threshold gen_id 1, sig_id 2404000, type limit, track by_dst, count 1, seconds 10
+
+# Avoid to alert on f-secure update
+# Example taken from https://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
+#suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
+#suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
+#suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25

docker/suricata/suricata/etc/update.yaml

@@ -0,0 +1 @@
+reload-command: suricatasc -c reload-rules