From d0146770a4886a160aa5a944d5ec9d6e9342f575 Mon Sep 17 00:00:00 2001 From: DarkFeather Date: Mon, 2 May 2022 15:00:29 -0500 Subject: [PATCH] Current state of Sharingan role -- still need to add rkhunter --- .gitignore | 3 +- examples/msn0.yml | 61 +- .../Sharingan-Data/files/templates/empty-dir | 0 roles/Sharingan/README.md | 17 + .../{Sharingan-Data => Sharingan}/files/Core | 0 .../files/DarkNet | 0 .../files/Geth-Hub-1 | 0 .../files/Geth-Hub-2 | 0 .../files/Geth-Hub-3 | 0 .../{Sharingan-Data => Sharingan}/files/Maat | 0 .../files/Nazara | 0 .../{Sharingan-Data => Sharingan}/files/Node0 | 0 .../files/Sharingan | 0 .../files/lynis/custom.prf} | 0 roles/Sharingan/files/lynis/freshclam.service | 14 + roles/Sharingan/files/lynis/freshclam.timer | 11 + .../files/lynis/sharingan-vulns.service | 14 + .../files/lynis/sharingan-vulns.timer | 11 + roles/Sharingan/files/oinkmaster.conf | 425 ++++++ .../files/oinkmaster/oinkmaster.conf | 425 ++++++ .../files/oinkmaster/oinkmaster.service | 11 + .../files/oinkmaster/oinkmaster.timer | 11 + roles/Sharingan/files/rkhunter/rkhunter.conf | 1342 +++++++++++++++++ .../Sharingan/files/rkhunter/rkhunter.service | 14 + roles/Sharingan/files/rkhunter/rkhunter.timer | 11 + .../files/scripts/notify | 0 .../files/sharingan-data.service/Archlinux | 0 .../files/sharingan-data.service/Debian | 0 .../files/sharingan-eval.service | 0 .../files/sharingan-heartbeat.service | 2 +- .../files/sharingan-heartbeat.timer | 0 roles/Sharingan/files/sshguard.conf | 4 + .../files/suricata/classification.config | 68 + roles/Sharingan/files/suricata/local.rules | 11 + .../Sharingan/files/suricata/reference.config | 26 + roles/Sharingan/files/suricata/suricata.yaml | 1327 ++++++++++++++++ .../Sharingan/files/suricata/threshold.config | 69 + .../files/syslog-ng@sharingan-data | 0 .../main.yml => Sharingan/tasks/data.yml} | 15 +- roles/Sharingan/tasks/ids.yml | 59 + roles/Sharingan/tasks/main.yml | 21 +- roles/Sharingan/tasks/siem.yml | 33 + roles/Sharingan/tasks/vulns.yml | 45 + .../templates/graylog.conf.j2 | 0 .../templates/monitrc.j2 | 0 45 files changed, 4004 insertions(+), 46 deletions(-) delete mode 100644 roles/Sharingan-Data/files/templates/empty-dir rename roles/{Sharingan-Data => Sharingan}/files/Core (100%) rename roles/{Sharingan-Data => Sharingan}/files/DarkNet (100%) rename roles/{Sharingan-Data => Sharingan}/files/Geth-Hub-1 (100%) rename roles/{Sharingan-Data => Sharingan}/files/Geth-Hub-2 (100%) rename roles/{Sharingan-Data => Sharingan}/files/Geth-Hub-3 (100%) rename roles/{Sharingan-Data => Sharingan}/files/Maat (100%) rename roles/{Sharingan-Data => Sharingan}/files/Nazara (100%) rename roles/{Sharingan-Data => Sharingan}/files/Node0 (100%) rename roles/{Sharingan-Data => Sharingan}/files/Sharingan (100%) rename roles/{Sharingan-Data/files/scripts/empty-dir => Sharingan/files/lynis/custom.prf} (100%) create mode 100644 roles/Sharingan/files/lynis/freshclam.service create mode 100644 roles/Sharingan/files/lynis/freshclam.timer create mode 100644 roles/Sharingan/files/lynis/sharingan-vulns.service create mode 100644 roles/Sharingan/files/lynis/sharingan-vulns.timer create mode 100644 roles/Sharingan/files/oinkmaster.conf create mode 100644 roles/Sharingan/files/oinkmaster/oinkmaster.conf create mode 100644 roles/Sharingan/files/oinkmaster/oinkmaster.service create mode 100644 roles/Sharingan/files/oinkmaster/oinkmaster.timer create mode 100644 roles/Sharingan/files/rkhunter/rkhunter.conf create mode 100644 roles/Sharingan/files/rkhunter/rkhunter.service create mode 100644 roles/Sharingan/files/rkhunter/rkhunter.timer rename roles/{Sharingan-Data => Sharingan}/files/scripts/notify (100%) rename roles/{Sharingan-Data => Sharingan}/files/sharingan-data.service/Archlinux (100%) rename roles/{Sharingan-Data => Sharingan}/files/sharingan-data.service/Debian (100%) rename roles/{Sharingan-Data => Sharingan}/files/sharingan-eval.service (100%) rename roles/{Sharingan-Data => Sharingan}/files/sharingan-heartbeat.service (55%) rename roles/{Sharingan-Data => Sharingan}/files/sharingan-heartbeat.timer (100%) create mode 100644 roles/Sharingan/files/sshguard.conf create mode 100644 roles/Sharingan/files/suricata/classification.config create mode 100755 roles/Sharingan/files/suricata/local.rules create mode 100644 roles/Sharingan/files/suricata/reference.config create mode 100644 roles/Sharingan/files/suricata/suricata.yaml create mode 100644 roles/Sharingan/files/suricata/threshold.config rename roles/{Sharingan-Data => Sharingan}/files/syslog-ng@sharingan-data (100%) rename roles/{Sharingan-Data/tasks/main.yml => Sharingan/tasks/data.yml} (89%) create mode 100644 roles/Sharingan/tasks/ids.yml create mode 100644 roles/Sharingan/tasks/siem.yml create mode 100644 roles/Sharingan/tasks/vulns.yml rename roles/{Sharingan-Data => Sharingan}/templates/graylog.conf.j2 (100%) rename roles/{Sharingan-Data => Sharingan}/templates/monitrc.j2 (100%) diff --git a/.gitignore b/.gitignore index 94499ed..8513235 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,8 @@ -roles/Node/files/** +roles/Node/files/*-vm.service roles/Nazara/files/dns roles/Nazara/files/dhcp venv/ +**pkg.tar.zst # ---> Python # Byte-compiled / optimized / DLL files diff --git a/examples/msn0.yml b/examples/msn0.yml index 37e6f59..ee31f42 100644 --- a/examples/msn0.yml +++ b/examples/msn0.yml @@ -77,36 +77,6 @@ all: vnc: 7 disks: - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/Maat.qcow2' - test1: - ip: 10.0.1.19 - ipinterface: ens3 - mac: 00:15:5d:01:02:06 - cores: 2 - memory: 2 - bridge: br0 - vnc: 6 - disks: - - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2' - test2: - ip: 10.0.1.20 - ipinterface: ens3 - mac: 00:15:5d:01:02:05 - cores: 2 - memory: 2 - bridge: br0 - vnc: 5 - disks: - - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2' - test3: - ip: 10.0.1.21 - ipinterface: ens3 - mac: 00:15:5d:01:02:04 - cores: 2 - memory: 2 - bridge: br0 - vnc: 4 - disks: - - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2' geth_hubs: # 10.0.1.32/28 vars: @@ -168,7 +138,36 @@ all: disks: - '-drive if=none,id=disk0,cache=none,format=raw,aio=native,file=/dev/sdc' - '-cdrom /srv/maat/iso/archlinux.iso -boot order=d' - + test1: + ip: 10.0.1.52 + ipinterface: ens3 + mac: 00:15:5d:01:02:06 + cores: 2 + memory: 2 + bridge: br0 + vnc: 6 + disks: + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2' + test2: + ip: 10.0.1.53 + ipinterface: ens3 + mac: 00:15:5d:01:02:05 + cores: 2 + memory: 2 + bridge: br0 + vnc: 5 + disks: + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2' + test3: + ip: 10.0.1.54 + ipinterface: ens3 + mac: 00:15:5d:01:02:04 + cores: 2 + memory: 2 + bridge: br0 + vnc: 4 + disks: + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2' appliances: hosts: # 10.0.1.64/27 Shadowfeed: diff --git a/roles/Sharingan-Data/files/templates/empty-dir b/roles/Sharingan-Data/files/templates/empty-dir deleted file mode 100644 index e69de29..0000000 diff --git a/roles/Sharingan/README.md b/roles/Sharingan/README.md index 6d90eda..c40c709 100644 --- a/roles/Sharingan/README.md +++ b/roles/Sharingan/README.md @@ -55,3 +55,20 @@ See [[WebServer#Available Clients|AniNIX::Webserver's client list]]. # Equivalents or Competition Various monitoring SaaS vendors are available, including Nagios, OP5, PagerDuty, etc. A variety of paid cybersecurity vendors are also on the market, particularly contract firms. Data aggregation is also oft used via the ElasticStack for a number of use-cases. We chose Graylog because it unifies these funtions for what we care about -- alarming on actionable events, whether they are malicious or accidental. +We will use a variety of tools here to feed into the Sharingan SIEM. + +# Network IDS: Suricata + +We use Suricata to scan network data to identify threats. + +## Rules engine: oinkmaster + +# Network IPS: sshguard + +# WAF: modsecurity + +# Vulnerability management: lynis + +# Host IDS: rkhunter + + diff --git a/roles/Sharingan-Data/files/Core b/roles/Sharingan/files/Core similarity index 100% rename from roles/Sharingan-Data/files/Core rename to roles/Sharingan/files/Core diff --git a/roles/Sharingan-Data/files/DarkNet b/roles/Sharingan/files/DarkNet similarity index 100% rename from roles/Sharingan-Data/files/DarkNet rename to roles/Sharingan/files/DarkNet diff --git a/roles/Sharingan-Data/files/Geth-Hub-1 b/roles/Sharingan/files/Geth-Hub-1 similarity index 100% rename from roles/Sharingan-Data/files/Geth-Hub-1 rename to roles/Sharingan/files/Geth-Hub-1 diff --git a/roles/Sharingan-Data/files/Geth-Hub-2 b/roles/Sharingan/files/Geth-Hub-2 similarity index 100% rename from roles/Sharingan-Data/files/Geth-Hub-2 rename to roles/Sharingan/files/Geth-Hub-2 diff --git a/roles/Sharingan-Data/files/Geth-Hub-3 b/roles/Sharingan/files/Geth-Hub-3 similarity index 100% rename from roles/Sharingan-Data/files/Geth-Hub-3 rename to roles/Sharingan/files/Geth-Hub-3 diff --git a/roles/Sharingan-Data/files/Maat b/roles/Sharingan/files/Maat similarity index 100% rename from roles/Sharingan-Data/files/Maat rename to roles/Sharingan/files/Maat diff --git a/roles/Sharingan-Data/files/Nazara b/roles/Sharingan/files/Nazara similarity index 100% rename from roles/Sharingan-Data/files/Nazara rename to roles/Sharingan/files/Nazara diff --git a/roles/Sharingan-Data/files/Node0 b/roles/Sharingan/files/Node0 similarity index 100% rename from roles/Sharingan-Data/files/Node0 rename to roles/Sharingan/files/Node0 diff --git a/roles/Sharingan-Data/files/Sharingan b/roles/Sharingan/files/Sharingan similarity index 100% rename from roles/Sharingan-Data/files/Sharingan rename to roles/Sharingan/files/Sharingan diff --git a/roles/Sharingan-Data/files/scripts/empty-dir b/roles/Sharingan/files/lynis/custom.prf similarity index 100% rename from roles/Sharingan-Data/files/scripts/empty-dir rename to roles/Sharingan/files/lynis/custom.prf diff --git a/roles/Sharingan/files/lynis/freshclam.service b/roles/Sharingan/files/lynis/freshclam.service new file mode 100644 index 0000000..1e3180d --- /dev/null +++ b/roles/Sharingan/files/lynis/freshclam.service @@ -0,0 +1,14 @@ +[Unit] +Description=Sharingan-IDS | Freshclam service + +[Service] +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +Type=simple +ExecStart=freshclam +User=root +group=root + +[Install] +WantedBy=multi-user.target diff --git a/roles/Sharingan/files/lynis/freshclam.timer b/roles/Sharingan/files/lynis/freshclam.timer new file mode 100644 index 0000000..f700371 --- /dev/null +++ b/roles/Sharingan/files/lynis/freshclam.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Sharingan-IDS | Update AV definitions + +[Timer] +OnCalendar=14:00 +Persistent=false + +[Install] +WantedBy=timers.target + +#EOF diff --git a/roles/Sharingan/files/lynis/sharingan-vulns.service b/roles/Sharingan/files/lynis/sharingan-vulns.service new file mode 100644 index 0000000..819b416 --- /dev/null +++ b/roles/Sharingan/files/lynis/sharingan-vulns.service @@ -0,0 +1,14 @@ +[Unit] +Description=Sharingan-IDS | rkhunter HIDS + +[Service] +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +Type=simple +ExecStart=rkhunter --check --sk +User=root +group=root + +[Install] +WantedBy=multi-user.target diff --git a/roles/Sharingan/files/lynis/sharingan-vulns.timer b/roles/Sharingan/files/lynis/sharingan-vulns.timer new file mode 100644 index 0000000..13cfabc --- /dev/null +++ b/roles/Sharingan/files/lynis/sharingan-vulns.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Sharingan-IDS | rkhunter timer + +[Timer] +OnCalendar=15:00 +Persistent=false + +[Install] +WantedBy=timers.target + +#EOF diff --git a/roles/Sharingan/files/oinkmaster.conf b/roles/Sharingan/files/oinkmaster.conf new file mode 100644 index 0000000..743a247 --- /dev/null +++ b/roles/Sharingan/files/oinkmaster.conf @@ -0,0 +1,425 @@ +# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ # + +# This file is pretty big by default, but don't worry. +# The only things required are "path" and "update_files". You must also +# set "url" to point to the correct rules archive for your version of +# Snort, unless you prefer to specify this on the command line. +# The rest in here is just a few recommended defaults, and examples +# how to use all the other optional features and give some ideas how they +# could be used. + +# Remember not to let untrusted users edit Oinkmaster configuration +# files, as things like the PATH to use during execution is defined +# in here. + + + +# Use "url = " to specify the location of the rules archive to +# download. The url must begin with http://, https://, ftp://, file:// +# or scp:// and end with .tar.gz or .tgz, and the file must be a +# gzipped tarball what contains a directory named "rules". +# You can also point to a local directory with dir://. +# Multiple "url = " lines can be specified to grab multiple rules +# archives from different locations. +# +# Note: if URL is specified on the command line, it overrides all +# possible URLs specified in the configuration file(s). +# +# The location of the official Snort rules you should use depends +# on which Snort version you run. Basically, you should go to +# http://www.snort.org/rules/ and follow the instructions +# there to pick the right URL for your version of Snort +# (and remember to update the URL when upgrading Snort in the +# future). You can of course also specify locations to third party +# rules. +# +# As of March 2005, you must register on the Snort site to get access +# to the official Snort rules. This will get you an "oinkcode". +# You then specify the URL as +# http://www.snort.org/pub-bin/oinkmaster.cgi// +# For example, if your code is 5a081649c06a277e1022e1284b and +# you use Snort 2.4, the url to use would be (without the wrap): +# http://www.snort.org/pub-bin/oinkmaster.cgi/ +# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz +# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for +# more information. + + +# URL examples follows. Replace with the code you get on the +# Snort site in your registered user profile. + +# Example for Snort +# url = http://www.snort.org/pub-bin/oinkmaster.cgi/157f1670c58caa1bcb3e4de0d68e96c7e12a08ca/snortrules-snapshot-2976.tar.gz + +# Suricata + url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz + +# Example for Community rules +# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz + +# Example for rules from the Bleeding Snort project +# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz + +# If you prefer to download the rules archive from outside Oinkmaster, +# you can then point to the file on your local filesystem by using +# file://, for example: +# url = file:///tmp/snortrules.tar.gz + +# In rare cases you may want to grab the rules directly from a +# local directory (don't confuse this with the output directory). +# url = dir:///etc/snort/src/rules + +# Example to use scp to copy the rules archive from another host. +# Only OpenSSH is tested. See the FAQ for more information. +# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz + +# If you use -u scp://... and need to specify a private ssh key (passed +# as -i to the scp command) you can specify it here or add an +# entry in ~/.ssh/config for the Oinkmaster user as described in the +# OpenSSH manual. +# scp_key = /home/oinkmaster/oinkmaster_privkey + + +# The PATH to use during execution. If you prefer to use external +# binaries (i.e. use_external_bins=1, see below), tar and gzip must be +# found, and also wget if downloading via ftp, http or https. All with +# optional .exe suffix. If you're on Cygwin, make sure that the path +# contains the Cygwin binaries and not the native Win32 binaries or +# you will get problems. +# Assume UNIX style by default: +path = /bin:/usr/bin:/usr/local/bin + +# Example if running native Win32 or standalone Cygwin: +# path = c:\oinkmaster;c:\oinkmaster\bin + +# Example if running standalone Cygwin and you prefer Cygwin style path: +# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin + + +# We normally use external binaries (wget, tar and gzip) since they're +# already available on most systems and do a good job. If you have the +# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use +# those instead if you like. You can set use_external_bins below to +# choose which method you prefer. It's set to 0 by default on Win32 +# (i.e. use Perl modules), and 1 on other systems (i.e. use external +# binaries). The reason for that is that the required Perl modules +# are included on Windows/ActivePerl 5.8.1+, so it's easier to use +# those than to install the ported Unix tools. (Note that if you're +# using scp to download the archive, external scp binary is still +# used.) +# use_external_bins = 0 + + +# Temporary directory to use. This directory must exist when starting and +# Oinkmaster will then create a temporary sub directory in here. +# Keep it as a #comment if you want to use the default. +# The default will be checked for in the environment variables TMP, +# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. + +# Example for UNIX. +# tmpdir = /home/oinkmaster/tmp/ + +# Example if running native Win32 or Cygwin. +# tmpdir = c:\tmp + +# Example if running Cygwin and you prefer Cygwin style path. +# tmpdir = /cygdrive/c/tmp + + +# The umask to use during execution if you want it to be something +# else than the current value when starting Oinkmaster. +# This will affect the mode bits when writing new files. +# Keep it commented out to keep your system's current umask. +# umask = 0027 + + +# Files in the archive(s) matching this regular expression will be +# checked for changes, and then updated or added if needed. +# All other files will be ignored. You can then choose to skip +# individual files by specifying the "skipfile" keyword below. +# Normally you shouldn't need to change this one. +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + + +# Regexp of keywords that starts a Snort rule. +# May be useful if you create your own ruletypes and want those +# lines to be regarded as rules as well. +# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic + + +# If the number of rules files in the downloaded archive matching the +# 'update_files' regexp is below min_files, or if the number +# of rules is below min_rules, the rules are regarded as broken +# and the update is aborted with an error message. +# Both are set to 1 by default (i.e. the archive is only regarded as +# broken if it's totally empty). +# If you download from multiple URLs, the count is the total number +# of files/rules across all archives. +# min_files = 1 +# min_rules = 1 + + +# By default, a basic sanity check is performed on most paths/filenames +# to see if they contain illegal characters that may screw things up. +# If this check is too strict for your system (e.g. you get bogus +# "illegal characters in filename" errors because of your local language +# etc) and you're sure you want to disable the checks completely, +# set use_path_checks to 0. +# use_path_checks = 1 + + +# If you want Oinkmaster to send a User-Agent HTTP header string +# other than the default one for wget/LWP, set this variable. +# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) + + +# You can include other files anywhere in here by using +# "include ". will be parsed just like a regular +# oinkmaster.conf as soon as the include statement is seen, and then +# return and continue parsing the rest of the original file. If an +# option is redefined, it will override the previous value. You can use +# as many "include" statements as you wish, and also include even more +# files from included files. Example to load stuff from "/etc/foo.conf". +# include /etc/foo.conf + + + +####################################################################### +# Files to totally skip (i.e. never update or check for changes) # +# # +# Syntax: skipfile filename # +# or: skipfile filename1, filename2, filename3, ... # +####################################################################### + +# Ignore local.rules from the rules archive by default since we might +# have put some local rules in our own local.rules and we don't want it +# to get overwritten by the empty one from the archive after each +# update. +skipfile local.rules + +# The file deleted.rules contains rules that have been deleted from +# other files, so there is usually no point in updating it. +skipfile deleted.rules + +# Also skip snort.conf by default since we don't want to overwrite our +# own snort.conf if we have it in the same directory as the rules. If +# you have your own production copy of snort.conf in another directory, +# it may be really nice to check for changes in this file though, +# especially since variables are sometimes added or modified and +# new/old files are included/excluded. +skipfile snort.conf + +# You may want to consider ignoring threshold.conf for the same reasons +# as for snort.conf, i.e. if you customize it locally and don't want it +# to become overwritten by the default one. It may be better to put +# local thresholding/suppressing in some local file and still update +# and use the official one though, in case important stuff is added to +# it some day. We do update it by default, but it's your call. +# skipfile threshold.conf + +# If you update from multiple URLs at the same time you may need to +# ignore the sid-msg.map (and generate it yourself if you need one) as +# it's usually included in each rules tarball. See the FAQ for more info. +# skipfile sid-msg.map + + + +########################################################################## +# SIDs to modify after each update (only for the skilled/stupid/brave). # +# Don't use it unless you have to. There is nothing that stops you from # +# modifying rules in such ways that they become invalid or generally # +# break things. You have been warned. # +# If you just want to disable SIDs, please skip this section and have a # +# look at the "disablesid" keyword below. # +# # +# You may specify multiple modifysid directives for the same SID (they # +# will be processed in order of appearance), and you may also specify a # +# list of SIDs on which the substitution should be applied. # +# If the argument is in the form something.something it's regarded # +# as a filename and the substitution will apply on all rules in that # +# file. The wildcard ("*") can be used to apply the substitution on all # +# rules regardless of the SID or file. Please avoid using #comments # +# at the end of modifysid lines, they may confuse the parser in some # +# situations. # +# # +# Syntax: # +# modifysid SID "replacethis" | "withthis" # +# or: # +# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # +# or: # +# modifysid file "replacethis" | "withthis" # +# or: # +# modifysid * "replacethis" | "withthis" # +# # +# The strings within the quotes will basically be passed to a # +# s/replacethis/withthis/ statement in Perl, so they must be valid # +# regular expressions. The strings are case-insensitive and only the # +# first occurrence will be replaced. If there are multiple occurrences # +# you want to replace, simply repeat the same modifysid line. # +# As the strings are regular expressions, you MUST escape special # +# characters like $ \ / ( ) | by prepending a "\" to them. # +# # +# If you specify a modifysid statement for a multi-line rule, Oinkmaster # +# will first translate the rule into a single-line version and then # +# perform the substitution, so you don't have to care about the trailing # +# backslashes and newlines. # +# # +# If you use backreference variables in the substitution expression, # +# it's strongly recommended to specify them as ${1} instead of $1 and so # +# on, to avoid parsing confusion with unexpected results in some # +# situations. Note that modifysid statements will process both active # +# and inactive (disabled) rules. # +# # +# You may want to check out README.templates and template-examples.conf # +# to find how you can simplify the modifysid usage by using templates. # +########################################################################## + +# Example to enable a rule (in this case SID 1325) that is disabled by +# default, by simply replacing leading "#alert" with "alert". +# (You should really use 'enablesid' for this though.) +# Oinkmaster removes whitespaces next to the leading "#" so you don't +# have to worry about that, but be careful about possible whitespace in +# other places when writing the regexps. +# modifysid 1325 "^#alert" | "alert" + +# You could also do this to enable it no matter what type of rule it is +# (alert, log, pass, etc). +# modifysid 1325 "^#" | "" + +# Example to add "tag" stuff to SID 1325. +# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" + +# Example to make SID 1378 a 'drop' rule (valid if you're running +# Snort_inline). +# modifysid 1378 "^alert" | "drop" + +# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET +# in SID 302. +# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET" + +# You can also specify that a substitution should apply on multiple SIDs. +# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET" + +# You can take advantage of the fact that it's regular expressions and +# do more complex stuff. This example (for Snort_inline) adds a 'replace' +# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh". +# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \ +# "${1} replace:"\/foo\/sh";" + +# If you for some reason would like to add a comment inside the actual +# rules file, like the reason why you disabled this rule, you can do +# like this (you would normally add such comments in oinkmaster.conf +# though). +# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" + +# Here is an example that is actually useful. Let's say you don't care +# about incoming welchia pings (detected by SID 483 at the time of +# writing) but you want to know when infected hosts on your network +# scans hosts on the outside. (Remember that watching for outgoing +# malicious packets is often just as important as watching for incoming +# ones, especially in this case.) The rule currently looks like +# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." +# but we want to switch that so it becomes +# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...". +# Here is how it could be done. +# modifysid 483 \ +# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \ +# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}" + +# The wildcard (modifysid * ...) can be used to do all kinds of +# interesting things. The substitution expression will be applied on all +# matching rules. First, a silly example to replace "foo" with "bar" in +# all rules (that have the string "foo" in them, that is.) +# modifysid * "foo" | "bar" + +# If you for some reason don't want to use the stream preprocessor to +# match established streams, you may want to replace the 'flow' +# statement with 'flags:A+;' in all those rules. +# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" + +# Example to convert all rules of classtype attempted-admin to 'drop' +# rules (for Snort_inline only, obviously). +# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" + +# This one will append some text to the 'msg' string for all rules that +# have the 'tag' keyword in them. +# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ +# "${1}, going to tag this baby"${2}" + +# There may be times when you want to replace multiple occurrences of a +# certain keyword/string in a rule and not just the first one. To +# replace the first two occurrences of "foo" with "bar" in SID 100, +# simply repeat the modifysid statement: +# modifysid 100 "foo" | "bar" +# modifysid 100 "foo" | "bar" + +# Or you can even specify a SID list but repeat the same SID as many +# times as required, like: +# modifysid 100,100,100 "foo" | "bar" + +# Enable all rules in the file exploit.rules. +# modifysid exploit.rules "^#" | "" + +# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171. +# modifysid exploit.rules, snmp.rules, 1171 "^#" | "" + + + +######################################################################## +# SIDs that we don't want to update. # +# If you for some reason don't want a specific rule to be updated # +# (e.g. you made local modifications to it and you never want to # +# update it and don't care about changes in the official version), you # +# can specify a "localsid" statement for it. This means that the old # +# version of the rule (i.e. the one in the rules file on your # +# harddrive) is always kept, regardless if the official version has # +# been updated. Please do not use this feature unless in special # +# cases as it's easy to end up with many signatures that aren't # +# maintained anymore. See the FAQ for details about this and hints # +# about better solutions regarding customization of rules. # +# # +# Syntax: localsid SID # +# or: localsid SID1, SID2, SID3, ... # +######################################################################## + +# Example to never update SID 1325. +# localsid 1325 + + + +######################################################################## +# SIDs to enable after each update. # +# Will simply remove all the leading '#' for a specified SID (if it's # +# a multi-line rule, the leading '#' for all lines are removed.) # +# These will be processed after all the modifysid and disablesid # +# statements. Using 'enablesid' on a rule that is not disabled is a # +# NOOP. # +# # +# Syntax: enablesid SID # +# or: enablesid SID1, SID2, SID3, ... # +######################################################################## + +# Example to enable SID 1325. +# enablesid 1325 + + + +######################################################################## +# SIDs to comment out, i.e. disable, after each update by placing a # +# '#' in front of the rule (if it's a multi-line rule, it will be put # +# in front of all lines). # +# # +# Syntax: disablesid SID # +# or: disablesid SID1, SID2, SID3, ... # +######################################################################## + +# You can specify one SID per line. +# disablesid 1 +# disablesid 2 +# disablesid 3 + +# And also as comma-separated lists. +# disablesid 4,5,6 + +# It's a good idea to also add comment about why you disable the sid: +# disablesid 1324 # 20020101: disabled this SID just because I can diff --git a/roles/Sharingan/files/oinkmaster/oinkmaster.conf b/roles/Sharingan/files/oinkmaster/oinkmaster.conf new file mode 100644 index 0000000..743a247 --- /dev/null +++ b/roles/Sharingan/files/oinkmaster/oinkmaster.conf @@ -0,0 +1,425 @@ +# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ # + +# This file is pretty big by default, but don't worry. +# The only things required are "path" and "update_files". You must also +# set "url" to point to the correct rules archive for your version of +# Snort, unless you prefer to specify this on the command line. +# The rest in here is just a few recommended defaults, and examples +# how to use all the other optional features and give some ideas how they +# could be used. + +# Remember not to let untrusted users edit Oinkmaster configuration +# files, as things like the PATH to use during execution is defined +# in here. + + + +# Use "url = " to specify the location of the rules archive to +# download. The url must begin with http://, https://, ftp://, file:// +# or scp:// and end with .tar.gz or .tgz, and the file must be a +# gzipped tarball what contains a directory named "rules". +# You can also point to a local directory with dir://. +# Multiple "url = " lines can be specified to grab multiple rules +# archives from different locations. +# +# Note: if URL is specified on the command line, it overrides all +# possible URLs specified in the configuration file(s). +# +# The location of the official Snort rules you should use depends +# on which Snort version you run. Basically, you should go to +# http://www.snort.org/rules/ and follow the instructions +# there to pick the right URL for your version of Snort +# (and remember to update the URL when upgrading Snort in the +# future). You can of course also specify locations to third party +# rules. +# +# As of March 2005, you must register on the Snort site to get access +# to the official Snort rules. This will get you an "oinkcode". +# You then specify the URL as +# http://www.snort.org/pub-bin/oinkmaster.cgi// +# For example, if your code is 5a081649c06a277e1022e1284b and +# you use Snort 2.4, the url to use would be (without the wrap): +# http://www.snort.org/pub-bin/oinkmaster.cgi/ +# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz +# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for +# more information. + + +# URL examples follows. Replace with the code you get on the +# Snort site in your registered user profile. + +# Example for Snort +# url = http://www.snort.org/pub-bin/oinkmaster.cgi/157f1670c58caa1bcb3e4de0d68e96c7e12a08ca/snortrules-snapshot-2976.tar.gz + +# Suricata + url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz + +# Example for Community rules +# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz + +# Example for rules from the Bleeding Snort project +# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz + +# If you prefer to download the rules archive from outside Oinkmaster, +# you can then point to the file on your local filesystem by using +# file://, for example: +# url = file:///tmp/snortrules.tar.gz + +# In rare cases you may want to grab the rules directly from a +# local directory (don't confuse this with the output directory). +# url = dir:///etc/snort/src/rules + +# Example to use scp to copy the rules archive from another host. +# Only OpenSSH is tested. See the FAQ for more information. +# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz + +# If you use -u scp://... and need to specify a private ssh key (passed +# as -i to the scp command) you can specify it here or add an +# entry in ~/.ssh/config for the Oinkmaster user as described in the +# OpenSSH manual. +# scp_key = /home/oinkmaster/oinkmaster_privkey + + +# The PATH to use during execution. If you prefer to use external +# binaries (i.e. use_external_bins=1, see below), tar and gzip must be +# found, and also wget if downloading via ftp, http or https. All with +# optional .exe suffix. If you're on Cygwin, make sure that the path +# contains the Cygwin binaries and not the native Win32 binaries or +# you will get problems. +# Assume UNIX style by default: +path = /bin:/usr/bin:/usr/local/bin + +# Example if running native Win32 or standalone Cygwin: +# path = c:\oinkmaster;c:\oinkmaster\bin + +# Example if running standalone Cygwin and you prefer Cygwin style path: +# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin + + +# We normally use external binaries (wget, tar and gzip) since they're +# already available on most systems and do a good job. If you have the +# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use +# those instead if you like. You can set use_external_bins below to +# choose which method you prefer. It's set to 0 by default on Win32 +# (i.e. use Perl modules), and 1 on other systems (i.e. use external +# binaries). The reason for that is that the required Perl modules +# are included on Windows/ActivePerl 5.8.1+, so it's easier to use +# those than to install the ported Unix tools. (Note that if you're +# using scp to download the archive, external scp binary is still +# used.) +# use_external_bins = 0 + + +# Temporary directory to use. This directory must exist when starting and +# Oinkmaster will then create a temporary sub directory in here. +# Keep it as a #comment if you want to use the default. +# The default will be checked for in the environment variables TMP, +# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. + +# Example for UNIX. +# tmpdir = /home/oinkmaster/tmp/ + +# Example if running native Win32 or Cygwin. +# tmpdir = c:\tmp + +# Example if running Cygwin and you prefer Cygwin style path. +# tmpdir = /cygdrive/c/tmp + + +# The umask to use during execution if you want it to be something +# else than the current value when starting Oinkmaster. +# This will affect the mode bits when writing new files. +# Keep it commented out to keep your system's current umask. +# umask = 0027 + + +# Files in the archive(s) matching this regular expression will be +# checked for changes, and then updated or added if needed. +# All other files will be ignored. You can then choose to skip +# individual files by specifying the "skipfile" keyword below. +# Normally you shouldn't need to change this one. +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + + +# Regexp of keywords that starts a Snort rule. +# May be useful if you create your own ruletypes and want those +# lines to be regarded as rules as well. +# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic + + +# If the number of rules files in the downloaded archive matching the +# 'update_files' regexp is below min_files, or if the number +# of rules is below min_rules, the rules are regarded as broken +# and the update is aborted with an error message. +# Both are set to 1 by default (i.e. the archive is only regarded as +# broken if it's totally empty). +# If you download from multiple URLs, the count is the total number +# of files/rules across all archives. +# min_files = 1 +# min_rules = 1 + + +# By default, a basic sanity check is performed on most paths/filenames +# to see if they contain illegal characters that may screw things up. +# If this check is too strict for your system (e.g. you get bogus +# "illegal characters in filename" errors because of your local language +# etc) and you're sure you want to disable the checks completely, +# set use_path_checks to 0. +# use_path_checks = 1 + + +# If you want Oinkmaster to send a User-Agent HTTP header string +# other than the default one for wget/LWP, set this variable. +# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) + + +# You can include other files anywhere in here by using +# "include ". will be parsed just like a regular +# oinkmaster.conf as soon as the include statement is seen, and then +# return and continue parsing the rest of the original file. If an +# option is redefined, it will override the previous value. You can use +# as many "include" statements as you wish, and also include even more +# files from included files. Example to load stuff from "/etc/foo.conf". +# include /etc/foo.conf + + + +####################################################################### +# Files to totally skip (i.e. never update or check for changes) # +# # +# Syntax: skipfile filename # +# or: skipfile filename1, filename2, filename3, ... # +####################################################################### + +# Ignore local.rules from the rules archive by default since we might +# have put some local rules in our own local.rules and we don't want it +# to get overwritten by the empty one from the archive after each +# update. +skipfile local.rules + +# The file deleted.rules contains rules that have been deleted from +# other files, so there is usually no point in updating it. +skipfile deleted.rules + +# Also skip snort.conf by default since we don't want to overwrite our +# own snort.conf if we have it in the same directory as the rules. If +# you have your own production copy of snort.conf in another directory, +# it may be really nice to check for changes in this file though, +# especially since variables are sometimes added or modified and +# new/old files are included/excluded. +skipfile snort.conf + +# You may want to consider ignoring threshold.conf for the same reasons +# as for snort.conf, i.e. if you customize it locally and don't want it +# to become overwritten by the default one. It may be better to put +# local thresholding/suppressing in some local file and still update +# and use the official one though, in case important stuff is added to +# it some day. We do update it by default, but it's your call. +# skipfile threshold.conf + +# If you update from multiple URLs at the same time you may need to +# ignore the sid-msg.map (and generate it yourself if you need one) as +# it's usually included in each rules tarball. See the FAQ for more info. +# skipfile sid-msg.map + + + +########################################################################## +# SIDs to modify after each update (only for the skilled/stupid/brave). # +# Don't use it unless you have to. There is nothing that stops you from # +# modifying rules in such ways that they become invalid or generally # +# break things. You have been warned. # +# If you just want to disable SIDs, please skip this section and have a # +# look at the "disablesid" keyword below. # +# # +# You may specify multiple modifysid directives for the same SID (they # +# will be processed in order of appearance), and you may also specify a # +# list of SIDs on which the substitution should be applied. # +# If the argument is in the form something.something it's regarded # +# as a filename and the substitution will apply on all rules in that # +# file. The wildcard ("*") can be used to apply the substitution on all # +# rules regardless of the SID or file. Please avoid using #comments # +# at the end of modifysid lines, they may confuse the parser in some # +# situations. # +# # +# Syntax: # +# modifysid SID "replacethis" | "withthis" # +# or: # +# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # +# or: # +# modifysid file "replacethis" | "withthis" # +# or: # +# modifysid * "replacethis" | "withthis" # +# # +# The strings within the quotes will basically be passed to a # +# s/replacethis/withthis/ statement in Perl, so they must be valid # +# regular expressions. The strings are case-insensitive and only the # +# first occurrence will be replaced. If there are multiple occurrences # +# you want to replace, simply repeat the same modifysid line. # +# As the strings are regular expressions, you MUST escape special # +# characters like $ \ / ( ) | by prepending a "\" to them. # +# # +# If you specify a modifysid statement for a multi-line rule, Oinkmaster # +# will first translate the rule into a single-line version and then # +# perform the substitution, so you don't have to care about the trailing # +# backslashes and newlines. # +# # +# If you use backreference variables in the substitution expression, # +# it's strongly recommended to specify them as ${1} instead of $1 and so # +# on, to avoid parsing confusion with unexpected results in some # +# situations. Note that modifysid statements will process both active # +# and inactive (disabled) rules. # +# # +# You may want to check out README.templates and template-examples.conf # +# to find how you can simplify the modifysid usage by using templates. # +########################################################################## + +# Example to enable a rule (in this case SID 1325) that is disabled by +# default, by simply replacing leading "#alert" with "alert". +# (You should really use 'enablesid' for this though.) +# Oinkmaster removes whitespaces next to the leading "#" so you don't +# have to worry about that, but be careful about possible whitespace in +# other places when writing the regexps. +# modifysid 1325 "^#alert" | "alert" + +# You could also do this to enable it no matter what type of rule it is +# (alert, log, pass, etc). +# modifysid 1325 "^#" | "" + +# Example to add "tag" stuff to SID 1325. +# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" + +# Example to make SID 1378 a 'drop' rule (valid if you're running +# Snort_inline). +# modifysid 1378 "^alert" | "drop" + +# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET +# in SID 302. +# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET" + +# You can also specify that a substitution should apply on multiple SIDs. +# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET" + +# You can take advantage of the fact that it's regular expressions and +# do more complex stuff. This example (for Snort_inline) adds a 'replace' +# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh". +# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \ +# "${1} replace:"\/foo\/sh";" + +# If you for some reason would like to add a comment inside the actual +# rules file, like the reason why you disabled this rule, you can do +# like this (you would normally add such comments in oinkmaster.conf +# though). +# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" + +# Here is an example that is actually useful. Let's say you don't care +# about incoming welchia pings (detected by SID 483 at the time of +# writing) but you want to know when infected hosts on your network +# scans hosts on the outside. (Remember that watching for outgoing +# malicious packets is often just as important as watching for incoming +# ones, especially in this case.) The rule currently looks like +# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." +# but we want to switch that so it becomes +# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...". +# Here is how it could be done. +# modifysid 483 \ +# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \ +# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}" + +# The wildcard (modifysid * ...) can be used to do all kinds of +# interesting things. The substitution expression will be applied on all +# matching rules. First, a silly example to replace "foo" with "bar" in +# all rules (that have the string "foo" in them, that is.) +# modifysid * "foo" | "bar" + +# If you for some reason don't want to use the stream preprocessor to +# match established streams, you may want to replace the 'flow' +# statement with 'flags:A+;' in all those rules. +# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" + +# Example to convert all rules of classtype attempted-admin to 'drop' +# rules (for Snort_inline only, obviously). +# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" + +# This one will append some text to the 'msg' string for all rules that +# have the 'tag' keyword in them. +# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ +# "${1}, going to tag this baby"${2}" + +# There may be times when you want to replace multiple occurrences of a +# certain keyword/string in a rule and not just the first one. To +# replace the first two occurrences of "foo" with "bar" in SID 100, +# simply repeat the modifysid statement: +# modifysid 100 "foo" | "bar" +# modifysid 100 "foo" | "bar" + +# Or you can even specify a SID list but repeat the same SID as many +# times as required, like: +# modifysid 100,100,100 "foo" | "bar" + +# Enable all rules in the file exploit.rules. +# modifysid exploit.rules "^#" | "" + +# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171. +# modifysid exploit.rules, snmp.rules, 1171 "^#" | "" + + + +######################################################################## +# SIDs that we don't want to update. # +# If you for some reason don't want a specific rule to be updated # +# (e.g. you made local modifications to it and you never want to # +# update it and don't care about changes in the official version), you # +# can specify a "localsid" statement for it. This means that the old # +# version of the rule (i.e. the one in the rules file on your # +# harddrive) is always kept, regardless if the official version has # +# been updated. Please do not use this feature unless in special # +# cases as it's easy to end up with many signatures that aren't # +# maintained anymore. See the FAQ for details about this and hints # +# about better solutions regarding customization of rules. # +# # +# Syntax: localsid SID # +# or: localsid SID1, SID2, SID3, ... # +######################################################################## + +# Example to never update SID 1325. +# localsid 1325 + + + +######################################################################## +# SIDs to enable after each update. # +# Will simply remove all the leading '#' for a specified SID (if it's # +# a multi-line rule, the leading '#' for all lines are removed.) # +# These will be processed after all the modifysid and disablesid # +# statements. Using 'enablesid' on a rule that is not disabled is a # +# NOOP. # +# # +# Syntax: enablesid SID # +# or: enablesid SID1, SID2, SID3, ... # +######################################################################## + +# Example to enable SID 1325. +# enablesid 1325 + + + +######################################################################## +# SIDs to comment out, i.e. disable, after each update by placing a # +# '#' in front of the rule (if it's a multi-line rule, it will be put # +# in front of all lines). # +# # +# Syntax: disablesid SID # +# or: disablesid SID1, SID2, SID3, ... # +######################################################################## + +# You can specify one SID per line. +# disablesid 1 +# disablesid 2 +# disablesid 3 + +# And also as comma-separated lists. +# disablesid 4,5,6 + +# It's a good idea to also add comment about why you disable the sid: +# disablesid 1324 # 20020101: disabled this SID just because I can diff --git a/roles/Sharingan/files/oinkmaster/oinkmaster.service b/roles/Sharingan/files/oinkmaster/oinkmaster.service new file mode 100644 index 0000000..7a526be --- /dev/null +++ b/roles/Sharingan/files/oinkmaster/oinkmaster.service @@ -0,0 +1,11 @@ +[Unit] +Description=Darebee Notifier for AniNIX Martial Arts + +[Service] +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +Type=simple +ExecStart=/home/DarkFeather/bin/darebee-notifier + +#EOF diff --git a/roles/Sharingan/files/oinkmaster/oinkmaster.timer b/roles/Sharingan/files/oinkmaster/oinkmaster.timer new file mode 100644 index 0000000..5ce97ba --- /dev/null +++ b/roles/Sharingan/files/oinkmaster/oinkmaster.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Sharingan-IDS | oinkmaster timer + +[Timer] +OnCalendar=05:00 +Persistent=false + +[Install] +WantedBy=timers.target + +#EOF diff --git a/roles/Sharingan/files/rkhunter/rkhunter.conf b/roles/Sharingan/files/rkhunter/rkhunter.conf new file mode 100644 index 0000000..4fdf11f --- /dev/null +++ b/roles/Sharingan/files/rkhunter/rkhunter.conf @@ -0,0 +1,1342 @@ +# +# This is the main configuration file for Rootkit Hunter. +# +# You can modify this file directly, or you can create a local configuration +# file. The local file must be named 'rkhunter.conf.local', and must reside +# in the same directory as this file. Alternatively you can create a directory, +# named 'rkhunter.d', which also must be in the same directory as this +# configuration file. Within the 'rkhunter.d' directory you can place further +# configuration files. There is no restriction on the file names used, other +# than they must end in '.conf'. +# +# Please modify the configuration file(s) to your own requirements. It is +# recommended that the command 'rkhunter -C' is run after any changes have +# been made. +# +# Please review the documentation before posting bug reports or questions. +# To report bugs, provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. +# Note that this is a moderated list, so please subscribe before posting. +# +# In the configuration files, lines beginning with a hash (#), and blank lines, +# are ignored. Also, end-of-line comments are not supported. +# +# Any of the configuration options may appear more than once. However, several +# options only take one value, and so the last one seen will be used. Some +# options are allowed to appear more than once, and the text describing the +# option will say if this is so. These configuration options will, in effect, +# have their values concatenated together. To delete a previously specified +# option list, specify the option with no value (that is, a null string). +# +# Some of the options are space-separated lists, others, typically those +# specifying pathnames, are newline-separated lists. These must be entered +# as one item per line. Quotes must not be used to surround the pathname. +# +# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an +# option: XXX=/tmp/abc (correct) +# XXX=/tmp/xyz +# +# XXX="/tmp/abc" (incorrect) +# XXX="/tmp/xyz" +# +# XXX=/tmp/abc /tmp/xyz (incorrect) +# or XXX="/tmp/abc /tmp/xyz" (incorrect) +# or XXX="/tmp/abc" "/tmp/xyz" (incorrect) +# +# The last three examples are being configured as space-separated lists, +# which is incorrect, generally, for options specifying pathnames. They +# should be configured with one entry per line as in the first example. +# +# If wildcard characters (globbing) are allowed for an option, then the +# text describing the option will say so. Any globbing character explicitly +# required in a pathname should be escaped. +# +# Space-separated lists may be enclosed by quotes, although they are not +# required. If they are used, then they must only appear at the start and +# end of the list, not in the middle. +# +# For example: XXX=abc def gh (correct) +# XXX="abc def gh" (correct) +# XXX="abc" "def" "gh" (incorrect) +# +# Space-separated lists may also be entered simply as one entry per line. +# +# For example: XXX=abc (correct) +# XXX=def +# XXX="gh" +# +# If a configuration option is never set, then the program will assume a +# default value. The text describing the option will state the default value. +# If there is no default, then rkhunter will calculate a value or pathname +# to use. If a value is set for a configuration option, then the default +# value is ignored. If it is wished to keep the default value, as well as +# any other set value, then the default must be explicitly set. +# + + +# +# If this option is set to '1', it specifies that the mirrors file +# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' +# options are used, is to be rotated. Rotating the entries in the file allows +# a basic form of load-balancing between the mirror sites whenever the above +# options are used. +# +# If the option is set to '0', then the mirrors will be treated as if in a +# priority list. That is, the first mirror listed will always be used first. +# The second mirror will only be used if the first mirror fails, the third +# mirror will only be used if the second mirror fails, and so on. +# +# If the mirrors file is read-only, then the '--versioncheck' command-line +# option can only be used if this option is set to '0'. +# +# The default value is '1'. +# +#ROTATE_MIRRORS=1 + +# +# If this option is set to '1', it specifies that when the '--update' option is +# used, then the mirrors file is to be checked for updates as well. If the +# current mirrors file contains any local mirrors, these will be prepended to +# the updated file. If this option is set to '0', the mirrors file can only be +# updated manually. This may be useful if only using local mirrors. +# +# The default value is '1'. +# +#UPDATE_MIRRORS=1 + +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when +# the '--update' or '--versioncheck' command-line options are given. +# Possible values are: +# 0 - use any mirror +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors file by using the +# 'local=' and 'remote=' keywords respectively. +# +# The default value is '0'. +# +#MIRRORS_MODE=0 + +# +# Email a message to this address if a warning is found when the system is +# being checked. Multiple addresses may be specified simply be separating +# them with a space. To disable the option, simply set it to the null string +# or comment it out. +# +# The option may be specified more than once. +# +# The default value is the null string. +# +# Also see the MAIL_CMD option. +# +#MAIL-ON-WARNING=me@mydomain root@mydomain + +# +# This option specifies the mail command to use if MAIL-ON-WARNING is set. +# +# NOTE: Double quotes are not required around the command, but are required +# around the subject line if it contains spaces. +# +# The default is to use the 'mail' command, with a subject line +# of '[rkhunter] Warnings found for ${HOST_NAME}'. +# +#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" + +# +# This option specifies the directory to use for temporary files. +# +# NOTE: Do not use '/tmp' as your temporary directory. Some important files +# will be written to this directory, so be sure that the directory permissions +# are secure. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will assume a +# default directory beneath the installation directory. +# +#TMPDIR=/var/lib/rkhunter/tmp + +# +# This option specifies the database directory to use. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will assume a +# default directory beneath the installation directory. +# +#DBDIR=/var/lib/rkhunter/db + +# +# This option specifies the script directory to use. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will not run. +# +#SCRIPTDIR=/usr/local/lib/rkhunter/scripts + +# +# This option can be used to modify the command directory list used by rkhunter +# to locate commands (that is, its PATH). By default this will be the root PATH, +# and an internal list of some common command directories. +# +# Any directories specified here will, by default, be appended to the default +# list. However, if a directory name begins with the '+' character, then that +# directory will be prepended to the list (that is, it will be put at the start +# of the list). +# +# This is a space-separated list of directory names. The option may be +# specified more than once. +# +# The default value is based on the root account PATH environment variable. +# +#BINDIR=/bin /usr/bin /sbin /usr/sbin +#BINDIR=+/usr/local/bin +/usr/local/sbin + +# +# This option specifies the default language to use. This should be similar to +# the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +# The default language is 'en' (English). +# +#LANGUAGE=en + +# +# This option is a space-separated list of the languages that are to be updated +# when the '--update' option is used. If unset, then all the languages will be +# updated. If none of the languages are to be updated, then set this option to +# just 'en'. +# +# The default language, specified by the LANGUAGE option, and the English (en) +# language file will always be updated regardless of this option. +# +# This option may be specified more than once. +# +# The default value is the null string, indicating that all the language files +# will be updated. +# +#UPDATE_LANG="" + +# +# This option specifies the log file pathname. The file will be created if it +# does not initially exist. If the option is unset, then the program will +# display a message each time it is run saying that the default value is being +# used. +# +# The default value is '/var/log/rkhunter.log'. +# +LOGFILE=/var/log/rkhunter.log + +# +# Set this option to '1' if the log file is to be appended to whenever rkhunter +# is run. A value of '0' will cause a new log file to be created whenever the +# program is run. +# +# The default value is '0'. +# +#APPEND_LOG=0 + +# +# Set the following option to '1' if the log file is to be copied when rkhunter +# finishes and an error or warning has occurred. The copied log file name will +# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). +# For example: rkhunter.log.2009-04-21_00:57:51 +# If the option value is '0', then the log file will not be copied regardless +# of whether any errors or warnings occurred. +# +# The default value is '0'. +# +#COPY_LOG_ON_ERROR=0 + +# +# Set the following option to enable the rkhunter check start and finish times +# to be logged by syslog. Warning messages will also be logged. The value of +# the option must be a standard syslog facility and priority, separated by a +# dot. For example: +# +# USE_SYSLOG=authpriv.warning +# +# Setting the value to 'NONE', or just leaving the option commented out, +# disables the use of syslog. +# +# The default value is not to use syslog. +# +#USE_SYSLOG=authpriv.notice + +# +# Set the following option to '1' if the second colour set is to be used. This +# can be useful if your screen uses black characters on a white background +# (for example, a PC instead of a server). A value of '0' will cause the default +# colour set to be used. +# +# The default value is '0'. +# +#COLOR_SET2=0 + +# +# Set the following option to '0' if rkhunter should not detect if X is being +# used. If X is detected as being used, then the second colour set will +# automatically be used. If set to '1', then the use of X will be detected. +# +# The default value is '0'. +# +AUTO_X_DETECT=1 + +# +# Set the following option to '1' if it is wanted that any 'Whitelisted' results +# are shown in white rather than green. For colour set 2 users, setting this +# option will cause the result to be shown in black. Setting the option to '0' +# causes whitelisted results to be displayed in green. +# +# The default value is '0'. +# +#WHITELISTED_IS_WHITE=0 + +# +# The following option is checked against the SSH configuration file +# 'PermitRootLogin' option. A warning will be displayed if they do not match. +# However, if a value has not been set in the SSH configuration file, then a +# value here of 'unset' can be used to avoid warning messages. +# +# The default value is 'no'. +# +#ALLOW_SSH_ROOT_USER=no + +# +# Set this option to '1' to allow the use of the SSH-1 protocol, but note +# that theoretically it is weaker, and therefore less secure, than the +# SSH-2 protocol. Do not modify this option unless you have good reasons +# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 +# authentication). If the 'Protocol' option has not been set in the SSH +# configuration file, then a value of '2' may be set here in order to +# suppress a warning message. A value of '0' indicates that the use of +# SSH-1 is not allowed. +# +# The default value is '0'. +# +#ALLOW_SSH_PROT_V1=0 + +# +# This setting tells rkhunter the directory containing the SSH configuration +# file. If unset, this setting will be worked out by rkhunter, and so should +# not usually need to be set. +# +# This option has no default value. +# +#SSH_CONFIG_DIR=/etc/ssh + +# +# These two options determine which tests are to be performed. The ENABLE_TESTS +# option can use the word 'ALL' to refer to all of the available tests. The +# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are +# disabled. The list of disabled tests is applied to the list of enabled tests. +# +# Both options are space-separated lists of test names, and both options may +# be specified more than once. The currently available test names can be seen +# by using the command 'rkhunter --list tests'. +# +# The supplied configuration file has some tests already disabled, and these +# are tests that will be used only occasionally, can be considered 'advanced' +# or that are prone to produce more than the average number of false-positives. +# +# Please read the README file for more details about enabling and disabling +# tests, the test names, and how rkhunter behaves when these options are used. +# +# The default values are to enable all tests and to disable none. However, if +# either of the options below are specified, then they will override the +# program defaults. +# +ENABLE_TESTS=ALL +DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps + +# +# The HASH_CMD option can be used to specify the command to use for the file +# properties hash value check. It can be specified as just the command name or +# the full pathname. If just the command name is given, and it is one of MD5, +# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the +# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of +# these are found, it will then look to see if a perl module has been installed +# which will support the relevant hash function. To see which perl modules have +# been installed use the command 'rkhunter --list perl'. +# +# Systems using prelinking are restricted to using either the SHA1 or MD5 +# function. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that no hash +# function should be used. Rkhunter will detect this, and automatically disable +# the file properties hash check test. +# +# Examples: +# For Solaris 9 : HASH_CMD=gmd5sum +# For Solaris 10: HASH_CMD=sha1sum +# For AIX (>5.2): HASH_CMD="csum -hMD5" +# For NetBSD : HASH_CMD="cksum -a sha512" +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is the SHA256 function, unless prelinking is used in +# which case it defaults to the SHA1 function. +# +# Also see the HASH_FLD_IDX option. In addition, note the comments under +# the PKGMGR option relating to the use of HASH_CMD. +# +#HASH_CMD=SHA256 + +# +# The HASH_FLD_IDX option specifies which field from the HASH_CMD command +# output contains the hash value. The fields are assumed to be space-separated. +# +# The option value must be an integer greater than zero. +# +# The default value is '1', but for *BSD users rkhunter will, by default, use a +# value of '4' if the HASH_CMD option has not been set. +# +#HASH_FLD_IDX=4 + +# +# The PKGMGR option tells rkhunter to use the specified package manager to +# obtain the file property information. This is used when updating the file +# properties file ('rkhunter.dat'), and when running the file properties check. +# For RedHat/RPM-based systems, 'RPM' can be used to get information from the +# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems +# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be +# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of +# 'NONE', indicates that no package manager is to be used. +# +# The package managers obtain each file hash value using a hash function. The +# Solaris package manager includes a 16-bit checksum value, but this is not +# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers +# currently use a SHA256 hash function. Other package managers will, typically, +# use an MD5 hash function. +# +# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value. +# The 'RPM' package manager additionally provides values for the inode, file +# permissions, uid, gid and other values. The 'SOLARIS' package manager also +# provides most of the values, similar to 'RPM', but not the inode number. +# +# For any file not part of a package, rkhunter will revert to using the +# HASH_CMD hash function instead. This means that if the HASH_CMD option +# is set, and PKGMGR is set, then the HASH_CMD hash function is only used, +# and stored, for non-packaged files. All packaged files will use, and store, +# whatever hash function the relevant package manager uses. So, for example, +# with the 'RPM' package manager, packaged files will be stored with their +# SHA256 value regardless of the value of the HASH_CMD option. +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is 'NONE'. +# +# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. +# +#PKGMGR=NONE + +# +# It is possible that a file, which is part of a package, may have been +# modified by the administrator. Typically this occurs for configuration +# files. However, the package manager may list the file as being modified. +# For the RPM package manager this may well depend on how the package was +# built. This option specifies a pathname which is to be exempt from the +# package manager verification process, and which will be treated +# as a non-packaged file. As such, the file properties are still checked. +# +# This option only takes effect if the PKGMGR option has been set, and +# is not 'NONE'. +# +# This option may be specified more than once. +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is the null string. +# +#PKGMGR_NO_VRFY="" + +# +# If the 'SOLARIS' package manager is used, then it is possible to use the +# checksum (hash) value stored for a file. However, this is only a 16-bit +# checksum, and as such is not nearly as secure as, for example, a SHA-2 value. +# If the option is set to '0', then the checksum is not used and the hash +# function given by HASH_CMD is used instead. To enable this option, set its +# value to '1'. The Solaris 'sum' command must be present on the system if this +# option is used. +# +# The default value is '0'. +# +#USE_SUNSUM=0 + +# +# This option can be used to tell rkhunter to ignore any prelink dependency +# errors for the given commands. However, a warning will also be issued if the +# error does not occur for a given command. As such this option must only be +# used on commands which experience a persistent problem. +# +# Short-term prelink dependency errors can usually be resolved simply by +# running the 'prelink' command on the given pathname. +# +# This is a space-separated list of command pathnames. The option can be +# specified more than once. +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is the null string. +# +#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top + +# +# These options specify a command, directory or file pathname which will be +# included or excluded in the file properties checks. +# +# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, +# 'top' - and directory names are added to the internal list of directories to +# be searched for each of the command names in the command list. Additionally, +# full pathnames to files, which need not be commands, may be given. Any files +# or directories which are already part of the internal lists will be silently +# ignored from the configuration. +# +# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for +# simple command names. +# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. +# +# To extend the use of wildcards to include recursive checking of directories, +# see the GLOBSTAR configuration option. +# +# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS +# option. Wildcards may be used with this option. +# +# By combining these two options, and using wildcards, whole directories can be +# excluded. For example: +# +# USER_FILEPROP_FILES_DIRS=/etc/* +# USER_FILEPROP_FILES_DIRS=/etc/*/* +# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* +# +# This will look for files in the first two directory levels of '/etc'. However, +# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be +# excluded. +# +# NOTE: Only files and directories which have been added by the user, and are +# not part of the internal lists, can be excluded. So, for example, it is not +# possible to exclude the 'ps' command by using '/bin/ps'. These will be +# silently ignored from the configuration. +# +# Both options can be specified more than once. +# +# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. +# +# The default value for both options is the null string. +# +#USER_FILEPROP_FILES_DIRS=top +#USER_FILEPROP_FILES_DIRS=/usr/local/sbin +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/* +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* + +# +# This option whitelists files and directories from existing, or not existing, +# on the system at the time of testing. This option is used when the +# configuration file options themselves are checked, and during the file +# properties check, the hidden files and directories checks, and the filesystem +# check of the '/dev' directory. +# +# This option may be specified more than once, and may use wildcards. +# Be aware though that this is probably not what you want to do as the +# wildcarding will be expanded after files have been deleted. As such +# deleted files won't be whitelisted if wildcarded. +# +# NOTE: The user must take into consideration how often the file will appear +# and disappear from the system in relation to how often rkhunter is run. If +# the file appears, and disappears, too often then rkhunter may not notice +# this. All it will see is that the file has changed. The inode number and DTM +# will certainly be different for each new file, and rkhunter will report this. +# +# The default value is the null string. +# +#EXISTWHITELIST="" + +# +# Whitelist various attributes of the specified file. The attributes are those +# of the 'attributes' test. Specifying a file name here does not include it +# being whitelisted for the write permission test (see below). +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ATTRWHITELIST=/usr/bin/date + +# +# Allow the specified file to have the 'others' (world) permission have the +# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#WRITEWHITELIST=/usr/bin/date + +# +# Allow the specified file to be a script. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#SCRIPTWHITELIST=/usr/bin/groups + +# +# Allow the specified file to have the immutable attribute set. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#IMMUTWHITELIST=/sbin/ifdown + +# +# If this option is set to '1', then the immutable-bit test is reversed. That +# is, the files are expected to have the bit set. A value of '0' means that the +# immutable-bit should not be set. +# +# The default value is '0'. +# +#IMMUTABLE_SET=0 + +# +# If this option is set to '1', then any changed inode value is ignored in +# the file properties check. The inode test itself still runs, but it will +# always return that no inodes have changed. +# +# This option may be useful for filesystems such as Btrfs, which handle inodes +# slightly differently than other filesystems. +# +# The default value is '0'. +# +#SKIP_INODE_CHECK=0 + +# +# Allow the specified hidden directory to be whitelisted. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWHIDDENDIR=/etc/.java +ALLOWHIDDENDIR=/dev/.udev +#ALLOWHIDDENDIR=/dev/.udevdb +#ALLOWHIDDENDIR=/dev/.mdadm + +# +# Allow the specified hidden file to be whitelisted. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz +#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac +#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac +#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac +#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac +#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac +#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac + +# +# Allow the specified process to use deleted files. The process name may be +# followed by a colon-separated list of full pathnames (which have been +# deleted). The process will then only be whitelisted if it is using one of +# the given pathnames. For example: +# +# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz +# +# This option may be specified more than once. It may also use wildcards, but +# only in the deleted file pathnames, not in the process name. The use of +# extended pattern matching in pathname expansion (for example, '**') is not +# supported for this option. However, the option itself extends globbing when +# the '*' character is used by matching zero or more characters in the +# pathname, including those in sub-directories. For example, the pathname +# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz' +# but is matched when used in this option. Similarly, using '/tmp/*' will +# match any file found in the '/tmp' directory or any sub-directories. +# +# The default value is the null string. +# +#ALLOWPROCDELFILE=/sbin/cardmgr +#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* + +# +# Allow the specified process to listen on any network interface. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWPROCLISTEN=/sbin/dhclient +#ALLOWPROCLISTEN=/usr/bin/dhcpcd +#ALLOWPROCLISTEN=/usr/sbin/tcpdump +#ALLOWPROCLISTEN=/usr/sbin/snort-plain + +# +# Allow the specified network interfaces to be in promiscuous mode. +# +# This is a space-separated list of interface names. The option may be +# specified more than once. +# +# The default value is the null string. +# +#ALLOWPROMISCIF=eth0 + +# +# This option specifies how rkhunter should scan the '/dev' directory for +# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'. +# +# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this, +# it is highly recommended that this value is used. +# +# The default value is 'THOROUGH'. +# +# Also see the ALLOWDEVFILE option. +# +#SCAN_MODE_DEV=THOROUGH + +# +# Allow the specified file to be present in the '/dev' directory, and not +# regarded as suspicious. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWDEVFILE=/dev/shm/pulse-shm-* +#ALLOWDEVFILE=/dev/shm/sem.ADBE_* + +# +# Allow the specified process pathnames to use shared memory segments. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWIPCPROC=/usr/bin/firefox +#ALLOWIPCPROC=/usr/bin/vlc + +# +# Allow the specified memory segment creator PIDs to use shared memory segments. +# +# This is a space-separated list of PID numbers (as given by the +# 'ipcs -p' command). This option may be specified more than once. +# +# The default value is the null string. +# +#ALLOWIPCPID=12345 6789 + +# +# Allow the specified account names to use shared memory segments. +# +# This is a space-separated list of account names. The option may be specified +# more than once. +# +# The default value is the null string. +# +#ALLOWIPCUSER=usera userb + +# +# This option can be used to set the maximum shared memory segment size +# (in bytes) that is not considered suspicious. Any segment above this size, +# and with 600 or 666 permissions, will be considered suspicious during the +# shared memory check. +# +# The default is 1048576 (1M) bytes. +# +#IPC_SEG_SIZE=1048576 + +# +# This option is used to indicate if the Phalanx2 test is to perform a basic +# check, or a more thorough check. If the option is set to '0', then a basic +# check is performed. If it is set to '1', then all the directories in the +# '/etc' and '/usr' directories are scanned. +# +# NOTE: Setting this option to '1' will cause the test to take longer +# to complete. +# +# The default value is '0'. +# +#PHALANX2_DIRTEST=0 + +# +# This option tells rkhunter where the inetd configuration file is located. +# +# The default value is the null string. +# +#INETD_CONF_PATH=/etc/inetd.conf + +# +# This option allows the specified enabled inetd services. +# +# This is a space-separated list of service names. The option may be specified +# more than once. +# +# For non-Solaris users the simple service name should be used. +# For example: +# +# INETD_ALLOWED_SVC=echo +# +# For Solaris 9 users the simple service name should also be used, but +# if it is an RPC service, then the executable pathname should be used. +# For example: +# +# INETD_ALLOWED_SVC=imaps +# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd +# +# For Solaris 10 users the service/FMRI name should be used. For example: +# +# INETD_ALLOWED_SVC=/network/rpc/meta +# INETD_ALLOWED_SVC=/network/rpc/metamed +# INETD_ALLOWED_SVC=/application/font/stfsloader +# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord +# +# The default value is the null string. +# +#INETD_ALLOWED_SVC=echo + +# +# This option tells rkhunter where the xinetd configuration file is located. +# +# The default value is the null string. +# +#XINETD_CONF_PATH=/etc/xinetd.conf + +# +# This option allows the specified enabled xinetd services. Whilst it would be +# nice to use the service names themselves, at the time of testing we only have +# the pathname available. As such, these entries are the xinetd file pathnames. +# +# This is a space-separated list of service names. The option may be specified +# more than once. +# +# The default value is the null string. +# +#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo + +# +# This option tells rkhunter the local system startup file pathnames. The +# directories will be searched for files. If unset, then rkhunter will try +# and determine were the startup files are located. If the option is set to +# 'NONE' then certain tests will be skipped. +# +# This is a space-separated list of file and directory pathnames. The option +# may be specified more than once, and may use wildcard characters. +# +# This option has no default value. +# +#STARTUP_PATHS=/etc/rc.d /etc/rc.local + +# +# This option tells rkhunter the pathname to the file containing the user +# account passwords. If unset, this setting will be worked out by rkhunter, +# and so should not usually need to be set. Users of TCB shadow files should +# not set this option. +# +# This option has no default value. +# +#PASSWORD_FILE=/etc/shadow + +# +# This option allows the specified accounts to be root equivalent. These +# accounts will have a UID value of zero. The 'root' account does not need +# to be listed as it is automatically whitelisted. +# +# This is a space-separated list of account names. The option may be specified +# more than once. +# +# NOTE: For *BSD systems you will probably need to use this option for the +# 'toor' account. +# +# The default value is the null string. +# +#UID0_ACCOUNTS=toor rooty + +# +# This option allows the specified accounts to have no password. NIS/YP entries +# do not need to be listed as they are automatically whitelisted. +# +# This is a space-separated list of account names. The option may be specified +# more than once. +# +# The default value is the null string. +# +#PWDLESS_ACCOUNTS=abc + +# +# This option tells rkhunter the pathname to the syslog configuration file. +# If unset, this setting will be worked out by rkhunter, and so should not +# usually need to be set. A value of 'NONE' can be used to indicate that +# there is no configuration file, but that the syslog daemon process may +# be running. +# +# This is a space-separated list of pathnames. The option may be specified +# more than once. +# +# This option has no default value. +# +#SYSLOG_CONFIG_FILE=/etc/syslog.conf + +# +# If this option is set to '1', then the use of syslog remote logging is +# permitted. A value of '0' disallows the use of remote logging. +# +# The default value is '0'. +# +#ALLOW_SYSLOG_REMOTE_LOGGING=0 + +# +# This option allows the specified applications, or a specific version of an +# application, to be whitelisted. If a specific version is to be whitelisted, +# then the name must be followed by a colon and then the version number. +# For example: +# +# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29 +# +# This is a space-separated list of pathnames. The option may be specified +# more than once. +# +# The default value is the null string. +# +#APP_WHITELIST="" + +# +# Set this option to scan for suspicious files in directories which pose a +# relatively higher risk due to user write access. +# +# Please do not enable the 'suspscan' test by default as it is CPU and I/O +# intensive, and prone to producing false positives. Do review all settings +# before usage. Also be aware that running 'suspscan' in combination with +# verbose logging on, rkhunter's default, will show all ignored files. +# +# Please consider adding all directories the user the (web)server runs as, +# and has write access to, including the document root (e.g: '/var/www') and +# log directories (e.g: '/var/log/httpd'). +# +# This is a space-separated list of directory pathnames. The option may be +# specified more than once. +# +# The default value is the '/tmp' and '/var/tmp' directories. +# +#SUSPSCAN_DIRS=/tmp /var/tmp + +# +# This option specifies the directory for temporary files used by the +# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is +# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS +# as that is highly likely to cause false-positive results. +# +# The default value is '/dev/shm'. +# +#SUSPSCAN_TEMP=/dev/shm + +# +# This option specifies the 'suspscan' test maximum filesize in bytes. Files +# larger than this will not be inspected. Do make sure you have enough space +# available in your temporary files directory. +# +# The default value is '1024000'. +# +#SUSPSCAN_MAXSIZE=1024000 + +# +# This option specifies the 'suspscan' test score threshold. Below this value +# no hits will be reported. +# +# The default value is '200'. +# +#SUSPSCAN_THRESH=200 + +# +# This option may be used to whitelist file pathnames from the suspscan test. +# +# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration +# option. +# +# This option may be specified more than once. +# +# The default value is the null string. +# +#SUSPSCAN_WHITELIST="" + +# +# The following options can be used to whitelist network ports which are known +# to have been used by malware. +# +# The PORT_WHITELIST option is a space-separated list of one or more of two +# types of whitelisting. These are: +# +# 1) a 'protocol:port' pair +# 2) an asterisk ('*') +# +# Only the UDP or TCP protocol may be specified, and the port number must be +# between 1 and 65535 inclusive. +# +# The asterisk can be used to indicate that any executable which rkhunter can +# locate as a command, is whitelisted. (Also see BINDIR) +# +# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting. +# These are: +# +# 1) a pathname to an executable +# 2) a combined pathname, protocol and port +# +# As above, the protocol can only be TCP or UDP, and the port number must be +# between 1 and 65535 inclusive. +# +# Examples: +# +# PORT_WHITELIST=TCP:2001 UDP:32011 +# PORT_PATH_WHITELIST=/usr/sbin/squid +# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801 +# +# NOTE: In order to whitelist a pathname, or use the asterisk option, the +# 'lsof' command must be present. +# +# Both options may be specified more than once. +# +# The default value for both options is the null string. +# +#PORT_WHITELIST="" +#PORT_PATH_WHITELIST="" + +# +# The following option can be used to tell rkhunter where the operating system +# 'release' file is located. This file contains information specifying the +# current O/S version. RKH will store this information, and check to see if it +# has changed between each run. If it has changed, then the user is warned that +# RKH may issue warning messages until RKH has been run with the '--propupd' +# option. +# +# Since the contents of the file vary according to the O/S distribution, RKH +# will perform different actions when it detects the file itself. As such, this +# option should not be set unless necessary. If this option is specified, then +# RKH will assume the O/S release information is on the first non-blank line of +# the file. +# +# This option has no default value. +# +# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options. +# +#OS_VERSION_FILE=/etc/release + +# +# Set the following option to '0' if you do not want to receive a warning if any +# O/S information has changed since the last run of 'rkhunter --propupd'. The +# warnings occur during the file properties check. Setting a value of '1' will +# cause rkhunter to issue a warning if something has changed. +# +# The default value is '1'. +# +#WARN_ON_OS_CHANGE=1 + +# +# Set the following option to '1' if you want rkhunter to automatically run a +# file properties update ('--propupd') if the O/S has changed. Detection of an +# O/S change occurs during the file properties check. Setting a value of '0' +# will cause rkhunter not to do an automatic update. +# +# WARNING: Only set this option if you are sure that the update will work +# correctly. That is, that the database directory is writeable, that a valid +# hash function is available, and so on. This can usually be checked simply by +# running 'rkhunter --propupd' at least once. +# +# The default value is '0'. +# +#UPDT_ON_OS_CHANGE=0 + +# +# The following two options can be used to whitelist files and directories that +# would normally be flagged with a warning during the various rootkit and +# malware checks. Only existing files and directories can be specified, and +# these must be full pathnames not links. +# +# Additionally, the RTKT_FILE_WHITELIST option may include a string after the +# file name (separated by a colon). This will then only whitelist that string +# in that file (as part of the malware checks). For example: +# +# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm +# +# If the option list includes the filename on its own as well, then the file +# will be whitelisted from rootkit checks of the files existence, but still +# only the specific string within the file will be whitelisted. For example: +# +# RTKT_FILE_WHITELIST=/etc/rc.local +# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm +# +# To whitelist a file from the existence checks, but not from the strings +# checks, then include the filename on its own and on its own but with just +# a colon appended. For example: +# +# RTKT_FILE_WHITELIST=/etc/rc.local +# RTKT_FILE_WHITELIST=/etc/rc.local: +# +# NOTE: It is recommended that if you whitelist any files, then you include +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS +# configuration option. +# +# Both of these options may be specified more than once. +# +# For both options the default value is the null string. +# +#RTKT_DIR_WHITELIST="" +#RTKT_FILE_WHITELIST="" + +# +# The following option can be used to whitelist shared library files that would +# normally be flagged with a warning during the preloaded shared library check. +# These library pathnames usually exist in the '/etc/ld.so.preload' file or in +# the LD_PRELOAD environment variable. +# +# NOTE: It is recommended that if you whitelist any files, then you include +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS +# configuration option. +# +# This option is a space-separated list of library pathnames. The option may be +# specified more than once. +# +# The default value is the null string. +# +#SHARED_LIB_WHITELIST=/lib/snoopy.so + +# +# To force rkhunter to use the supplied script for the 'stat' or 'readlink' +# command the following two options can be used. The value must be set to +# 'BUILTIN'. +# +# NOTE: IRIX users will probably need to enable STAT_CMD. +# +# For both options the default value is the null string. +# +#STAT_CMD=BUILTIN +#READLINK_CMD=BUILTIN + +# +# In the file properties test any modification date/time is displayed as the +# number of epoch seconds. Rkhunter will try and use the 'date' command, or +# failing that the 'perl' command, to display the date and time in a +# human-readable format as well. This option may be used if some other command +# should be used instead. The given command must understand the '%s' and +# 'seconds ago' options found in the GNU 'date' command. +# +# A value of 'NONE' may be used to request that only the epoch seconds be shown. +# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if +# it is present. +# +# This option has no default value. +# +#EPOCH_DATE_CMD="" + +# +# This setting tells rkhunter the directory containing the available Linux +# kernel modules. If unset, this setting will be worked out by rkhunter, and +# so should not usually need to be set. +# +# This option has no default value. +# +#MODULES_DIR="" + +# +# The following option can be set to a command which rkhunter will use when +# downloading files from the Internet - that is, when the '--update' or +# '--versioncheck' option is used. The command can take options. +# +# This allows the user to use a command other than the one automatically +# selected by rkhunter, but still one which it already knows about. +# For example: +# +# WEB_CMD=curl +# +# Alternatively, the user may specify a completely new command. However, note +# that rkhunter expects the downloaded file to be written to stdout, and that +# everything written to stderr is ignored. For example: +# +# WEB_CMD="/opt/bin/dlfile --timeout 5m -q" +# +# *BSD users may want to use the 'ftp' command, provided that it supports the +# HTTP protocol: +# +# WEB_CMD="ftp -o -" +# +# This option has no default value. +# +#WEB_CMD="" + +# +# Set the following option to '1' if locking is to be used when rkhunter runs. +# The lock is set just before logging starts, and is removed when the program +# ends. It is used to prevent items such as the log file, and the file +# properties file, from becoming corrupted if rkhunter is running more than +# once. The mechanism used is to simply create a lock file in the LOCKDIR +# directory. If the lock file already exists, because rkhunter is already +# running, then the current process simply loops around sleeping for 10 seconds +# and then retrying the lock. A value of '0' means not to use locking. +# +# The default value is '0'. +# +# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options. +# +#USE_LOCKING=0 + +# +# This option specifies the directory to be used when locking is enabled. +# If the option is unset, then the directory to be used will be worked out +# by rkhunter. In that instance the directories '/run/lock', '/var/lock', +# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none +# of those can be found, or are not read/writeable, then the TMPDIR directory +# will be used. +# +# To avoid the lock file persisting across a server reboot, the directory +# used should be memory-resident. +# +# This option has no default value. +# +#LOCKDIR="" + +# +# If locking is used, then rkhunter may have to wait to get the lock file. +# This option sets the total amount of time, in seconds, that rkhunter should +# wait. It will retry the lock every 10 seconds, until either it obtains the +# lock or the timeout value has been reached. +# +# The default value is 300 seconds (5 minutes). +# +#LOCK_TIMEOUT=300 + +# +# If locking is used, then rkhunter may be doing nothing for some time if it +# has to wait for the lock. If this option is set to '1', then some simple +# messages are echoed to the users screen to let them know that rkhunter is +# waiting for the lock. Set this option to '0' if the messages are not to be +# displayed. +# +# The default value is '1'. +# +#SHOW_LOCK_MSGS=1 + +# +# If this option is set to 'THOROUGH' then rkhunter will search (on a per +# rootkit basis) for filenames in all of the directories (as defined by the +# result of running 'find / -xdev'). While still not optimal, as it still +# searches for only file names as opposed to file contents, this is one step +# away from the rigidity of searching in known (evidence) or default +# (installation) locations. +# +# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. +# +# You should only activate this feature as part of a more thorough +# investigation, which should be based on relevant best practices and +# procedures. +# +# Enabling this feature implies you have the knowledge to interpret the +# results properly. +# +# The default value is the null string. +# +#SCANROOTKITMODE=THOROUGH + +# +# The following option can be set to the name(s) of the tests the 'unhide' +# command is to use. Options such as '-m' and '-v' may be specified, but will +# only take effect when they are seen. The test names are a space-separated +# list, and will be executed in the order given. +# +# This option may be specified more than once. +# +# The default value is 'sys' in order to maintain compatibility with older +# versions of 'unhide'. +# +#UNHIDE_TESTS=sys + +# +# The following option can be used to set options for the 'unhide-tcp' command. +# The options are space-separated. +# +# This option may be specified more than once. +# +# The default value is the null string. +# +#UNHIDETCP_OPTS="" + +# +# This option can be set to either '0' or '1'. If set to '1' then the summary, +# shown after rkhunter has run, will display the actual number of warnings +# found. If it is set to '0', then the summary will simply indicate that +# 'One or more' warnings were found. If no warnings were found, and this option +# is set to '1', then a "0" will be shown. If the option is set to '0', then +# the words 'No warnings' will be shown. +# +# The default value is '0'. +# +#SHOW_SUMMARY_WARNINGS_NUMBER=0 + +# +# This option is used to determine where, if anywhere, the summary scan time is +# displayed. A value of '0' indicates that it should not be displayed anywhere. +# A value of '1' indicates that the time should only appear on the screen, and a +# value of '2' that it should only appear in the log file. A value of '3' +# indicates that the time taken should appear both on the screen and in the log +# file. +# +# The default value is '3'. +# +#SHOW_SUMMARY_TIME=3 + +# +# The two options below may be used to check if a file is missing or empty +# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check +# if the file is missing, since that can be interpreted as a file of no size. +# However, the file will only be reported as missing if the MISSING_LOGFILES +# option hasn't already done this. +# +# Both options are space-separated lists of pathnames, and may be specified +# more than once. +# +# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is +# perfectly possible for the file to be either missing or empty. As such these +# options may produce false-positive warnings when log files are rotated. +# +# For both options the default value is the null string. +# +#EMPTY_LOGFILES="" +#MISSING_LOGFILES="" + +# +# This option can be set to either '0' or '1'. If set to '1' then the globbing +# characters '**' can be used to allow the recursive checking of directories. +# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option. +# For example: +# +# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf +# +# This will check all '.conf' files within the '/etc' directory, and any +# sub-directories (at any level). If GLOBSTAR is not set, then the shell will +# interpret '**' as '*' and only one level of sub-directories will be checked. +# +# NOTE: This option is only valid for those shells which support the 'globstar' +# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command, +# and 'ksh' via the 'set' command. +# +# The default value is '0'. +# +#GLOBSTAR=0 + +INSTALLDIR=/usr +DBDIR=/var/lib/rkhunter/db +SCRIPTDIR=/usr/lib/rkhunter/scripts +TMPDIR=/var/lib/rkhunter/tmp +USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf +SCRIPTWHITELIST=/usr/bin/egrep +SCRIPTWHITELIST=/usr/bin/fgrep +SCRIPTWHITELIST=/usr/bin/ldd +SCRIPTWHITELIST=/usr/bin/vendor_perl/GET + diff --git a/roles/Sharingan/files/rkhunter/rkhunter.service b/roles/Sharingan/files/rkhunter/rkhunter.service new file mode 100644 index 0000000..819b416 --- /dev/null +++ b/roles/Sharingan/files/rkhunter/rkhunter.service @@ -0,0 +1,14 @@ +[Unit] +Description=Sharingan-IDS | rkhunter HIDS + +[Service] +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +Type=simple +ExecStart=rkhunter --check --sk +User=root +group=root + +[Install] +WantedBy=multi-user.target diff --git a/roles/Sharingan/files/rkhunter/rkhunter.timer b/roles/Sharingan/files/rkhunter/rkhunter.timer new file mode 100644 index 0000000..13cfabc --- /dev/null +++ b/roles/Sharingan/files/rkhunter/rkhunter.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Sharingan-IDS | rkhunter timer + +[Timer] +OnCalendar=15:00 +Persistent=false + +[Install] +WantedBy=timers.target + +#EOF diff --git a/roles/Sharingan-Data/files/scripts/notify b/roles/Sharingan/files/scripts/notify similarity index 100% rename from roles/Sharingan-Data/files/scripts/notify rename to roles/Sharingan/files/scripts/notify diff --git a/roles/Sharingan-Data/files/sharingan-data.service/Archlinux b/roles/Sharingan/files/sharingan-data.service/Archlinux similarity index 100% rename from roles/Sharingan-Data/files/sharingan-data.service/Archlinux rename to roles/Sharingan/files/sharingan-data.service/Archlinux diff --git a/roles/Sharingan-Data/files/sharingan-data.service/Debian b/roles/Sharingan/files/sharingan-data.service/Debian similarity index 100% rename from roles/Sharingan-Data/files/sharingan-data.service/Debian rename to roles/Sharingan/files/sharingan-data.service/Debian diff --git a/roles/Sharingan-Data/files/sharingan-eval.service b/roles/Sharingan/files/sharingan-eval.service similarity index 100% rename from roles/Sharingan-Data/files/sharingan-eval.service rename to roles/Sharingan/files/sharingan-eval.service diff --git a/roles/Sharingan-Data/files/sharingan-heartbeat.service b/roles/Sharingan/files/sharingan-heartbeat.service similarity index 55% rename from roles/Sharingan-Data/files/sharingan-heartbeat.service rename to roles/Sharingan/files/sharingan-heartbeat.service index 0ea2444..6841ac2 100644 --- a/roles/Sharingan-Data/files/sharingan-heartbeat.service +++ b/roles/Sharingan/files/sharingan-heartbeat.service @@ -2,7 +2,7 @@ Description=AniNIX/Sharingan | Heartbeat service [Service] -ExecStart=/usr/sbin/systemctl is-system-running +ExecStart=/bin/bash -c 'systemd-cat -t sharingan-heartbeat echo `systemctl is-system-running`' Type=oneshot RemainAfterExit=no User=root diff --git a/roles/Sharingan-Data/files/sharingan-heartbeat.timer b/roles/Sharingan/files/sharingan-heartbeat.timer similarity index 100% rename from roles/Sharingan-Data/files/sharingan-heartbeat.timer rename to roles/Sharingan/files/sharingan-heartbeat.timer diff --git a/roles/Sharingan/files/sshguard.conf b/roles/Sharingan/files/sshguard.conf new file mode 100644 index 0000000..e5acc97 --- /dev/null +++ b/roles/Sharingan/files/sshguard.conf @@ -0,0 +1,4 @@ +LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat" +BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db +BACKEND="/usr/lib/sshguard/sshg-fw-iptables" +WHITELIST_FILE=/etc/sshguard.whitelist diff --git a/roles/Sharingan/files/suricata/classification.config b/roles/Sharingan/files/suricata/classification.config new file mode 100644 index 0000000..ebe91ca --- /dev/null +++ b/roles/Sharingan/files/suricata/classification.config @@ -0,0 +1,68 @@ +# $Id$ +# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2 +# +# The following includes information for prioritizing rules +# +# Each classification includes a shortname, a description, and a default +# priority for that classification. +# +# This allows alerts to be classified and prioritized. You can specify +# what priority each classification has. Any rule can override the default +# priority for that rule. +# +# Here are a few example rules: +# +# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; +# dsize: > 128; classtype:attempted-admin; priority:10; +# +# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \ +# content:"expn root"; nocase; classtype:attempted-recon;) +# +# The first rule will set its type to "attempted-admin" and override +# the default priority for that type to 10. +# +# The second rule set its type to "attempted-recon" and set its +# priority to the default for that type. +# + +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,2 +config classification: icmp-event,Generic ICMP event,3 +config classification: kickass-porn,SCORE! Get the lotion!,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 diff --git a/roles/Sharingan/files/suricata/local.rules b/roles/Sharingan/files/suricata/local.rules new file mode 100755 index 0000000..60ddc67 --- /dev/null +++ b/roles/Sharingan/files/suricata/local.rules @@ -0,0 +1,11 @@ +pass ip 10.0.1.2/32 445 <> 10.0.1.3 any (msg: "Ignore Microsoft-ds traffic"; sid:4294967202;) +pass dns $HOME_NET any -> 10.0.1.3 53 (msg: "Ignore false malformed DNS from DD-WRT"; sid:4294967204;) +pass ip any any <> 96.126.111.217 6667 (msg: "We consider Xertion safe"; sid:4294967205;) +pass tcp $HOME_NET any <> 10.0.1.3 any (msg: "Allow AniNIX::Core to scan"; sid:4294967206;) +pass http 10.0.1.3 any -> $HOME_NET any (msg: "Pass local http traffic."; sid:4294967208;) +pass tcp 10.0.1.3 any -> 10.0.1.1 80 (msg: "Allow Core to admin Shadowfeed with Geth integration"; sid:4294967209;) +pass tcp 10.0.1.3 any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:4294967211;) +pass http $HOME_NET any -> any any (msg:"ET POLICY curl User-Agent Outbound"; sid:4294967212; content:"curl/"; nocase; http_user_agent; depth:5;) +pass udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; sid:4294967213;) +pass ip $HOME_NET any -> [130.239.18.119,162.213.39.42,185.30.166.37,185.30.166.38,38.229.70.22,64.86.243.181] any (msg:"130.239.18.119|162.213.39.42|185.30.166.37|185.30.166.38|38.229.70.22|64.86.243.181"; rev:2; sid:4294967214; classtype:trojan-activity;) +pass tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:4294967215; rev:1;) diff --git a/roles/Sharingan/files/suricata/reference.config b/roles/Sharingan/files/suricata/reference.config new file mode 100644 index 0000000..ff4f53d --- /dev/null +++ b/roles/Sharingan/files/suricata/reference.config @@ -0,0 +1,26 @@ +# config reference: system URL + +config reference: bugtraq http://www.securityfocus.com/bid/ +config reference: bid http://www.securityfocus.com/bid/ +config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name= +#config reference: cve http://cvedetails.com/cve/ +config reference: secunia http://www.secunia.com/advisories/ + +#whitehats is unfortunately gone +config reference: arachNIDS http://www.whitehats.com/info/IDS + +config reference: McAfee http://vil.nai.com/vil/content/v_ +config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id= +config reference: url http:// +config reference: et http://doc.emergingthreats.net/ +config reference: etpro http://doc.emergingthreatspro.com/ +config reference: telus http:// +config reference: osvdb http://osvdb.org/show/osvdb/ +config reference: threatexpert http://www.threatexpert.com/report.aspx?md5= +config reference: md5 http://www.threatexpert.com/report.aspx?md5= +config reference: exploitdb http://www.exploit-db.com/exploits/ +config reference: openpacket https://www.openpacket.org/capture/grab/ +config reference: securitytracker http://securitytracker.com/id? +config reference: secunia http://secunia.com/advisories/ +config reference: xforce http://xforce.iss.net/xforce/xfdb/ +config reference: msft http://technet.microsoft.com/security/bulletin/ diff --git a/roles/Sharingan/files/suricata/suricata.yaml b/roles/Sharingan/files/suricata/suricata.yaml new file mode 100644 index 0000000..62b9b1b --- /dev/null +++ b/roles/Sharingan/files/suricata/suricata.yaml @@ -0,0 +1,1327 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml + + +# Number of packets allowed to be processed simultaneously. Default is a +# conservative 1024. A higher number will make sure CPU's/CPU cores will be +# more easily kept busy, but may negatively impact caching. +# +# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules +# apply. In that case try somenp1s0fing like 60000 or more. This is because the CUDA +# pattern matcher buffers and scans as many packets as possible in parallel. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition menp1s0fod. Defaults to "autofp" (auto flow pinned +# load balancing). +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow alloted usihng the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# If suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Run suricata as user and group. +#run-as: +#user: suricata +#group: suricata + +# Default pid file. +# Will use this file if no --pidfile in command options. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on enp1s0fernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /var/log/suricata/ + +# Unix command socket can be used to pass commands to suricata. +# An external tool can then connect to get information from suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: no + #filename: custom.socket + +# Configure the type of alert (and other) logging you would like. +outputs: + + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: no + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: no + type: file #file|syslog|unix_dgram|unix_stream + filename: eve.json + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + types: + - alert + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns + - tls: + extended: yes # enable this for extended logging information + - files: + force-magic: no # force logging magic on all logged files + force-hash: [md5] # force logging of md5 checksums + #- drop + - ssh + + # alert output for use with Barnyard2 + - unified2-alert: + enabled: no + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # HTTP X-Forwarded-For support by adding the unified2 extra header that + # will contain the actual client IP address or by overwriting the source + # IP address (helpful when inspecting traffic that is being reversed + # proxied). + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Header name were the actual IP address will be reported, if more than + # one IP address is present, the last IP address will be the one taken + # into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: no + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + #extended: yes # Log extended information like fingerprint + certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log to used with pcap file study. + # this module is dedicated to offline pcap parsing (empty output + # if used with another kind of input). It can interoperate with + # pcap parser like wireshark via the suriwire plugin. + - pcap-info: + enabled: no + + # Packet log... log packets in pcap format. 2 modes of operation: "normal" + # and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. + # In this base dir the pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + mode: normal # normal or sguil. + #sguil-base-dir: /nsm_data/ + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (http://www.prelude-technologies.com/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the suricata engine. + # The interval field (in seconds) tells after how long output will be written + # on the log file. + - stats: + enabled: yes + filename: stats.log + interval: 8 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: yes + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + identity: "sharingan-nids" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # output module to store extracted files to disk + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. + # + # File extraction depends on a lot of things to be fully done: + # - stream reassembly depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + force-md5: no # force logging of md5 checksums + #waldo: file.waldo # waldo file to store the file_id across runs + + # output module to log files tracked in a easily parsable json format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + force-md5: no # force logging of md5 checksums + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +magic-file: /usr/share/file/misc/magic.mgc + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permit to do send all needed packet to suricata via this a rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want packet to be sent to another queue after an ACCEPT decision +# set mode to 'route' and set next-queue value. +# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if suricata is not able to keep pace. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +# af-packet support +# Set threads to > 1 to use PACKET_FANOUT support +af-packet: + - interface: enp1s0f0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + # Default clusterid. AF_PACKET will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_round_robin: round robin load balancing + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + use-mmap: yes + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independantly of the number + # of threads: + #ring-size: 2048 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: yes + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap od IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + #copy-mode: ips + #copy-iface: enp1s0f1 + - interface: enp1s0f1 + threads: 1 + cluster-id: 98 + cluster-type: cluster_flow + defrag: yes + # buffer-size: 32768 + # disable-promisc: no + # Put default values here + - interface: default + #threads: 2 + #use-mmap: yes + +legacy: + uricontent: enabled + +# You can specify a threshold config file by setting "threshold-file" +# to the path of the threshold config file: +# threshold-file: /etc/suricata/threshold.config + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect-engine: + - profile: medium + - custom-values: + toclient-src-groups: 2 + toclient-dst-groups: 2 + toclient-sp-groups: 2 + toclient-dp-groups: 3 + toserver-src-groups: 2 + toserver-dst-groups: 4 + toserver-sp-groups: 2 + toserver-dp-groups: 25 + - sgh-mpm-context: auto + - inspection-recursion-limit: 3000 + # When rule-reload is enabled, sending a USR2 signal to the Suricata process + # will trigger a live rule reload. Experimental feature, use with care. + #- rule-reload: true + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #- delayed-detect: yes + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + # On some cpu's/architectures it is beneficial to tie individual threads + # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, + # and each extra CPU/core has one "detect" thread. + # + # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. + # + set-cpu-affinity: no + # Tune cpu affinity of suricata threads. Each family of threads can be bound + # on specific CPUs. + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - decode-cpu-set: + cpu: [ 0, 1 ] + mode: "balanced" + - stream-cpu-set: + cpu: [ "0-1" ] + - detect-cpu-set: + cpu: [ "all" ] + mode: "exclusive" # run detect threads in these cpus + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + - verdict-cpu-set: + cpu: [ 0 ] + prio: + default: "high" + - reject-cpu-set: + cpu: [ 0 ] + prio: + default: "low" + - output-cpu-set: + cpu: [ "all" ] + prio: + default: "medium" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.5 + +# Cuda configuration. +cuda: + # The "mpm" profile. On not specifying any of these parameters, the engine's + # internal default values are used, which are same as the ones specified in + # in the default conf file. + mpm: + # The minimum length required to buffer data to the gpu. + # Anything below this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + # A value of 0 indicates there's no limit. + data-buffer-size-min-limit: 0 + # The maximum length for data that we would buffer to the gpu. + # Anything over this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + data-buffer-size-max-limit: 1500 + # The ring buffer size used by the CudaBuffer API to buffer data. + cudabuffer-buffer-size: 500mb + # The max chunk size that can be sent to the gpu in a single go. + gpu-transfer-size: 50mb + # The timeout limit for batching of packets in microseconds. + batching-timeout: 2000 + # The device to use for the mpm. Currently we don't support load balancing + # on multiple gpus. In case you have multiple devices on your system, you + # can specify the device to use, using this conf. By default we hold 0, to + # specify the first device cuda sees. To find out device-id associated with + # the card(s) on the system run "suricata --list-cuda-cards". + device-id: 0 + # No of Cuda streams used for asynchronous processing. All values > 0 are valid. + # For this option you need a device with Compute Capability > 1.0. + cuda-streams: 2 + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, +# ac and ac-gfbs. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# +# There is also a CUDA pattern matcher (only available if Suricata was +# compiled with --enable-cuda: b2g_cuda. Make sure to update your +# max-pending-packets setting above as well if you use b2g_cuda. + +mpm-algo: ac + +# The memory settings for hash size of these algorithms can vary from lowest +# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max +# (65536). The bloomfilter sizes of these algorithms can vary from low (512) - +# medium (1024) - high (2048). +# +# For B2g/B3g algorithms, there is a support for two different scan/search +# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and +# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms +# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & +# B3gSearchBNDMq. +# +# For B2g the different scan/search algorithms and, hash and bloom +# filter size settings. For B3g the different scan/search algorithms and, hash +# and bloom filter size settings. For wumanber the hash and bloom filter size +# settings. + +pattern-matcher: + - b2gc: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b2gm: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b2g: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b3g: + search-algo: B3gSearchBNDMq + hash-size: low + bf-size: medium + - wumanber: + hash-size: low + bf-size: medium + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# prunning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doens't find a flow to prune, it will set +# the emergency bit and it will try again with more agressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 64mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a hanshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + tcp: + new: 60 + established: 3600 + closed: 120 + emergency-new: 10 + emergency-established: 300 + emergency-closed: 20 + udp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + icmp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated trafic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size +# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value +# # of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# chunk-prealloc: 250 # Number of preallocated stream chunks. These +# # are used during stream inspection (raw). +# segments: # Settings for reassembly segment pool. +# - size: 4 # Size of the (data)segment for a pool +# prealloc: 256 # Number of segments to prealloc and keep +# # in the pool. +# +stream: + memcap: 32mb + checksum-validation: auto # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 128mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #chunk-prealloc: 250 + #segments: + # - size: 4 + # prealloc: 256 + # - size: 16 + # prealloc: 512 + # - size: 112 + # prealloc: 512 + # - size: 248 + # prealloc: 512 + # - size: 512 + # prealloc: 512 + # - size: 768 + # prealloc: 1024 + # - size: 1448 + # prealloc: 1024 + # - size: 65535 + # prealloc: 128 + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 16777216 + +# Logging configuration. This is not about logging IDS alerts, but +# IDS output about what its doing, errors, etc. +logging: + + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overriden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # somenp1s0fing reasonable if not provided. Can be overriden in an + # output section. You can leave this out to get the default. + # + # This value is overriden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overriden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: yes + - file: + enabled: no + filename: /var/log/suricata.log + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + +# Tilera mpipe configuration. for use on Tilera TILE-Gx. +mpipe: + + # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". + load-balance: dynamic + + # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 + iqueue-packets: 2048 + + # List of interfaces we will listen on. + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + + + # Relative weight of memory for packets of each mPipe buffer size. + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +# PF_RING configuration. for use with native PF_RING support +# for more info see http://www.ntop.org/PF_RING.html +pfring: + - interface: enp1s0f0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. + # This is only supported in versions of PF_RING > 4.1.1. + cluster-type: cluster_flow + # bpf filter for this interface + #bpf-filter: tcp + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: enp1s0f1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +pcap: + - interface: enp1s0f0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to somenp1s0fing bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# The 8000 above should be the same number you passed on the command +# line, i.e. -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + +# Set the default rule path here to search for the files. +# if not set, it will look at the current working dir +default-rule-path: /etc/suricata/rules +rule-files: + - botcc.rules + - ciarmy.rules + - compromised.rules + - drop.rules + - dshield.rules + - emerging-activex.rules + - emerging-attack_response.rules + # - emerging-chat.rules -- Ignore to allow IRC + - emerging-current_events.rules + - emerging-dns.rules + - emerging-dos.rules + - emerging-exploit.rules + - emerging-ftp.rules + - emerging-games.rules + - emerging-icmp_info.rules + # - emerging-icmp.rules -- ignore to suppress icmp messages + - emerging-imap.rules + - emerging-inappropriate.rules + - emerging-malware.rules + - emerging-misc.rules + - emerging-mobile_malware.rules + - emerging-netbios.rules + #- emerging-p2p.rules + - emerging-policy.rules + - emerging-pop3.rules + - emerging-rpc.rules + - emerging-scada.rules + - emerging-scan.rules + - emerging-shellcode.rules + - emerging-smtp.rules + - emerging-snmp.rules + - emerging-sql.rules + - emerging-telnet.rules + - emerging-tftp.rules + - emerging-trojan.rules + - emerging-user_agents.rules + - emerging-voip.rules + - emerging-web_client.rules + - emerging-web_server.rules + - emerging-web_specific_apps.rules + - emerging-worm.rules + # - tor.rules -- Ignore these to allow privacy users + # - decoder-events.rules # available in suricata sources under rules dir -- Ignored for too trigger-happy on UDPv4 checksum + # - stream-events.rules # available in suricata sources under rules dir -- Ignored for false positives + - http-events.rules # available in suricata sources under rules dir + - smtp-events.rules # available in suricata sources under rules dir + - dns-events.rules # available in suricata sources under rules dir + - tls-events.rules # available in suricata sources under rules dir + - local.rules # Custom rules for us + +classification-file: /etc/suricata/rules/classification.config +reference-config-file: /etc/suricata/rules/reference.config + +# Holds variables that would be used by the engine. +vars: + + # Holds the address group vars that would be passed in a Signature. + # These would be retrieved during the Signature address parsing stage. + address-groups: + + HOME_NET: "[127.0.0.0/16,10.0.1.0/24,96.41.230.196]" + + EXTERNAL_NET: "!$HOME_NET" + + HTTP_SERVERS: "$HOME_NET" + + SMTP_SERVERS: "$HOME_NET" + + SQL_SERVERS: "$HOME_NET" + + DNS_SERVERS: "$HOME_NET" + + TELNET_SERVERS: "$HOME_NET" + + AIM_SERVERS: "$EXTERNAL_NET" + + DNP3_SERVER: "$HOME_NET" + + DNP3_CLIENT: "$HOME_NET" + + MODBUS_CLIENT: "$HOME_NET" + + MODBUS_SERVER: "$HOME_NET" + + ENIP_CLIENT: "$HOME_NET" + + ENIP_SERVER: "$HOME_NET" + + # Holds the port group vars that would be passed in a Signature. + # These would be retrieved during the Signature port parsing stage. + port-groups: + + HTTP_PORTS: "80,443" + + SHELLCODE_PORTS: "!80" + + ORACLE_PORTS: "1521" + + SSH_PORTS: 22 + + DNP3_PORTS: "20000" + +# Set the order of alerts bassed on actions +# The default order is pass, drop, reject, alert +action-order: + - pass + - drop + - reject + - alert + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: ["10.0.1.2"] + bsd: [] + bsd-right: [] + old-linux: [] + linux: ["127.0.0.1","10.0.1.3"] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +# Holds details on the app-layer. The protocols section details each protocol. +# Under each protocol, the default value for detection-enabled and " +# parsed-enabled is yes, unless specified otherwise. +# Each protocol covers enabling/disabling parsers for all ipprotos +# the app-layer protocol runs on. For example "dcerpc" refers to the tcp +# version of the protocol as well as the udp version of the protocol. +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables detection only(parser disabled). +app-layer: + protocols: + tls: + enabled: yes + detection-ports: + dp: 443 + + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + imap: + enabled: detection-only + msn: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: 139 + # smb2 detection is disabled internally inside the engine. + #smb2: + # enabled: yes + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + #request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + ########################################################################### + # Configure libhtp. + # + # + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # server-config: List of server configurations to use if address matches + # address: List of ip addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. + # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal + # Generic + # IDS (default) + # IIS_4_0 + # IIS_5_0 + # IIS_5_1 + # IIS_6_0 + # IIS_7_0 + # IIS_7_5 + # Apache_2 + ########################################################################### + libhtp: + + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 3072 + response-body-limit: 3072 + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 32kb + response-body-inspect-window: 4kb + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + sort: avgticks + + # Limit the number of items printed at exit. + limit: 100 + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: no + filename: lock_stats.log + append: yes + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + hba: -1 + + # use_all_streams set to "yes" will query the Napatech service for all configured + # streams and listen on all of them. When set to "no" the streams config array + # will be used. + use-all-streams: yes + + # The streams to listen on + streams: [1, 2, 3] + +# Includes. Files included here will be handled as if they were +# inlined in this configuration file. +#include: include1.yaml +#include: include2.yaml diff --git a/roles/Sharingan/files/suricata/threshold.config b/roles/Sharingan/files/suricata/threshold.config new file mode 100644 index 0000000..9a6e631 --- /dev/null +++ b/roles/Sharingan/files/suricata/threshold.config @@ -0,0 +1,69 @@ +# Configure Thresholding and Suppression +# ====================================== +# +# The threshold command is deprecated. Use detection_filter for thresholds +# within a rule and event_filter for standalone threshold configurations. +# Please see README.filters for more information on filters. +# +# Thresholding: +# +# This feature is used to reduce the number of logged alerts for noisy rules. +# This can be tuned to significantly reduce false alarms, and it can also be +# used to write a newer breed of rules. Thresholding commands limit the number +# of times a particular event is logged during a specified time interval. +# +# There are 3 types of event_filters: +# +# 1) Limit +# Alert on the 1st M events during the time interval, then ignore +# events for the rest of the time interval. +# +# 2) Threshold +# Alert every M times we see this event during the time interval. +# +# 3) Both +# Alert once per time interval after seeing M occurrences of the +# event, then ignore any additional events during the time interval. +# +# Threshold commands are formatted as: +# +# event_filter gen_id gen-id, sig_id sig-id, \ +# type limit|threshold|both, track by_src|by_dst, \ +# count n , seconds m +# +# Limit to logging 1 event per 60 seconds: +# +# event_filter gen_id 1, sig_id 1851, type limit, \ +# track by_src, count 1, seconds 60 +# +# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering +# each rule (rules are gen_id 1): +# +# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60 +# +# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering +# any alert for any event generator: +# +# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 +# +# Suppression: +# +# Suppression commands are standalone commands that reference generators and +# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be +# completely suppressed, or suppressed when the causitive traffic is going to +# or comming from a specific IP or group of IP addresses. +# +# Suppress this event completely: +# +# suppress gen_id 1, sig_id 1852 +# +# Suppress this event from this IP: +# +# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54 +# +# Suppress this event to this CIDR block: +# +# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 +# +# working example from iggbsd2 snort: +#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2 diff --git a/roles/Sharingan-Data/files/syslog-ng@sharingan-data b/roles/Sharingan/files/syslog-ng@sharingan-data similarity index 100% rename from roles/Sharingan-Data/files/syslog-ng@sharingan-data rename to roles/Sharingan/files/syslog-ng@sharingan-data diff --git a/roles/Sharingan-Data/tasks/main.yml b/roles/Sharingan/tasks/data.yml similarity index 89% rename from roles/Sharingan-Data/tasks/main.yml rename to roles/Sharingan/tasks/data.yml index 073daa1..2581219 100644 --- a/roles/Sharingan-Data/tasks/main.yml +++ b/roles/Sharingan/tasks/data.yml @@ -1,5 +1,6 @@ --- - - name: Sharingan data filers + + - name: Sharingan data packages become: yes package: state: present @@ -32,6 +33,7 @@ owner: root group: root mode: 0750 + - name: Sharingan-Data service conf become: yes copy: @@ -43,6 +45,7 @@ - name: Sharingan-Data filer service become: yes + register: data_service copy: src: "sharingan-data.service/{{ ansible_os_family }}" dest: /usr/lib/systemd/system/sharingan-data.service @@ -52,6 +55,7 @@ - name: Sharingan-Eval service become: yes + register: eval_service copy: src: sharingan-eval.service dest: /usr/lib/systemd/system/sharingan-eval.service @@ -102,14 +106,18 @@ group: root mode: 0700 - - name: Sharingan-Data heartbeat service + - name: Sharingan-Heartbeat service become: yes + register: heartbeat_service copy: - src: sharingan-heartbeat.service + src: "{{ item }}" dest: /usr/lib/systemd/system owner: root group: root mode: 0750 + loop: + - sharingan-heartbeat.timer + - sharingan-heartbeat.service - name: Sharingan-Data heartbeat timer become: yes @@ -123,6 +131,7 @@ - systemd: daemon_reload: yes become: yes + when: data_service.changed or eval_service.changed or heartbeat_service.changed - name: Start Sharingan-Data services become: yes diff --git a/roles/Sharingan/tasks/ids.yml b/roles/Sharingan/tasks/ids.yml new file mode 100644 index 0000000..a034c74 --- /dev/null +++ b/roles/Sharingan/tasks/ids.yml @@ -0,0 +1,59 @@ +--- + + - name: sshguard package + become: yes + package: + name: + - sshguard + - suricata + - oinkmaster + state: present + + - name: sshguard config + become: yes + copy: + src: sshguard.conf + dest: /etc/sshguard.conf + owner: root + group: root + mode: 0600 + + - name: sshguard allowlist + become: yes + copy: + dest: /etc/sshguard.allowlist + content: | + "{{ router }}/{{ netmask }}" + owner: root + group: root + mode: 0600 + +# - name: Copy oinkmaster service +# register: oinkmaster_service +# become: yes +# loop: +# - oinkmaster.service +# - oinkmaster.timer +# copy: +# src: "{{ item }}" +# dest: "/usr/lib/systemd/system/{{ item }}" +# owner: root +# group: root +# mode: 0644 +# +# - systemd: +# daemon_reload: yes +# become: yes +# when: oinkmaster_service.changed + + - name: IDS services + become: yes + loop: + - suricata.service + - sshguard.service + # - oinkmaster.timer + service: + name: "{{ item }}" + state: restarted + enabled: yes + diff --git a/roles/Sharingan/tasks/main.yml b/roles/Sharingan/tasks/main.yml index ca2f5c4..9f8e3ae 100644 --- a/roles/Sharingan/tasks/main.yml +++ b/roles/Sharingan/tasks/main.yml @@ -1,11 +1,12 @@ ---- - - name: Sharingan packages - become: yes - package: - name: - - openvas - - greenbone-security-assistant - - elasticsearch6 - - mongodb - - graylog +--- + - import_tasks: ../roles/Sharingan/tasks/siem.yml + when: siem is defined + + - import_tasks: ../roles/Sharingan/tasks/ids.yml + when: secdetection is defined + + - import_tasks: ../roles/Sharingan/tasks/vulns.yml + when: ansible_os_family == "Archlinux" + + - import_tasks: ../roles/Sharingan/tasks/data.yml diff --git a/roles/Sharingan/tasks/siem.yml b/roles/Sharingan/tasks/siem.yml new file mode 100644 index 0000000..c21105c --- /dev/null +++ b/roles/Sharingan/tasks/siem.yml @@ -0,0 +1,33 @@ +--- + - name: Sharingan packages + become: yes + register: sharingan_packages + package: + name: + - elasticsearch + - mongodb + - graylog + state: present + + - name: Sharingan services + become: yes + loop: + - elasticsearch + - mongodb + - graylog + service: + name: "{{ item }}" + state: started + enabled: yes + + - name: Sharingan backups directory + become: yes + file: + path: /usr/local/backups/elasticsearch + state: directory + owner: elasticsearch + group: elasticsearch + mode: 0770 + + - name: Set Sharingan backups + command: "curl -X PUT localhost:9200/_snapshot/my_backup?pretty -H 'Content-Type: application/json' -d '{ type: fs, settings: { location: /usr/local/backup/elasticsearch, compress: true } }'" diff --git a/roles/Sharingan/tasks/vulns.yml b/roles/Sharingan/tasks/vulns.yml new file mode 100644 index 0000000..8c92b98 --- /dev/null +++ b/roles/Sharingan/tasks/vulns.yml @@ -0,0 +1,45 @@ +--- + + - name: Install lynis + register: lynis_pkg + become: yes + package: + name: + - lynis + - arch-audit + - clamav + state: present + + - name: lynis config + register: lynis_conf + become: yes + copy: + src: lynis/custom.prf + dest: /etc/lynis/custom.prf + owner: root + group: root + mode: 0600 + + - name: lynis services + become: yes + copy: + src: "lynis/{{ item }}" + dest: /usr/lib/systemd/system/ + owner: root + group: root + mode: 0664 + loop: + - sharingan-vulns.service + - sharingan-vulns.timer + - freshclam.service + - freshclam.timer + + - name: Enable timers + become: yes + loop: + - freshclam.timer + - sharingan-vulns.timer + service: + name: "{{ item }}" + state: restarted + enabled: yes diff --git a/roles/Sharingan-Data/templates/graylog.conf.j2 b/roles/Sharingan/templates/graylog.conf.j2 similarity index 100% rename from roles/Sharingan-Data/templates/graylog.conf.j2 rename to roles/Sharingan/templates/graylog.conf.j2 diff --git a/roles/Sharingan-Data/templates/monitrc.j2 b/roles/Sharingan/templates/monitrc.j2 similarity index 100% rename from roles/Sharingan-Data/templates/monitrc.j2 rename to roles/Sharingan/templates/monitrc.j2