AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Current state of Sharingan role -- still need to add rkhunter

Browse Source
This commit is contained in:
DarkFeather
2022-05-02 15:00:29 -05:00
parent 1c2f4266ad
commit d0146770a4
45 changed files with 4004 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
roles/Sharingan/README.md
View File

@@ -55,3 +55,20 @@ See [[WebServer#Available Clients|AniNIX::Webserver's client list]].
# Equivalents or Competition
Various monitoring SaaS vendors are available, including Nagios, OP5, PagerDuty, etc. A variety of paid cybersecurity vendors are also on the market, particularly contract firms. Data aggregation is also oft used via the ElasticStack for a number of use-cases. We chose Graylog because it unifies these funtions for what we care about -- alarming on actionable events, whether they are malicious or accidental.
We will use a variety of tools here to feed into the Sharingan SIEM.
# Network IDS: Suricata
We use Suricata to scan network data to identify threats.
## Rules engine: oinkmaster
# Network IPS: sshguard
# WAF: modsecurity
# Vulnerability management: lynis
# Host IDS: rkhunter

9
roles/Sharingan/files/Core Normal file
View File

@@ -0,0 +1,9 @@
check program anixix-HTTP with path "/usr/lib/monitoring-plugins/check_http -H aninix.net -e 301"
if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTP is CRITICAL"
check program anixix-HTTPS with path "/usr/lib/monitoring-plugins/check_http -S -H aninix.net -e 200"
if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTPS is CRITICAL"
check program foundation-HTTPS with path "/usr/lib/monitoring-plugins/check_http -S -H foundation.aninix.net -e 200"
if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTPS is CRITICAL"

0
roles/Sharingan/files/DarkNet Normal file
View File

0
roles/Sharingan/files/Geth-Hub-1 Normal file
View File

0
roles/Sharingan/files/Geth-Hub-2 Normal file
View File

0
roles/Sharingan/files/Geth-Hub-3 Normal file
View File

0
roles/Sharingan/files/Maat Normal file
View File

0
roles/Sharingan/files/Nazara Normal file
View File

0
roles/Sharingan/files/Node0 Normal file
View File

0
roles/Sharingan/files/Sharingan Normal file
View File

0
roles/Sharingan/files/lynis/custom.prf Normal file
View File

14
roles/Sharingan/files/lynis/freshclam.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=Sharingan-IDS | Freshclam service
[Service]
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
Type=simple
ExecStart=freshclam
User=root
group=root
[Install]
WantedBy=multi-user.target

11
roles/Sharingan/files/lynis/freshclam.timer Normal file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=Sharingan-IDS | Update AV definitions
[Timer]
OnCalendar=14:00
Persistent=false
[Install]
WantedBy=timers.target
#EOF

14
roles/Sharingan/files/lynis/sharingan-vulns.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=Sharingan-IDS | rkhunter HIDS
[Service]
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
Type=simple
ExecStart=rkhunter --check --sk
User=root
group=root
[Install]
WantedBy=multi-user.target

11
roles/Sharingan/files/lynis/sharingan-vulns.timer Normal file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=Sharingan-IDS | rkhunter timer
[Timer]
OnCalendar=15:00
Persistent=false
[Install]
WantedBy=timers.target
#EOF

425
roles/Sharingan/files/oinkmaster.conf Normal file
View File

@@ -0,0 +1,425 @@
# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
# This file is pretty big by default, but don't worry.
# The only things required are "path" and "update_files". You must also
# set "url" to point to the correct rules archive for your version of
# Snort, unless you prefer to specify this on the command line.
# The rest in here is just a few recommended defaults, and examples
# how to use all the other optional features and give some ideas how they
# could be used.
# Remember not to let untrusted users edit Oinkmaster configuration
# files, as things like the PATH to use during execution is defined
# in here.
# Use "url = <url>" to specify the location of the rules archive to
# download. The url must begin with http://, https://, ftp://, file://
# or scp:// and end with .tar.gz or .tgz, and the file must be a
# gzipped tarball what contains a directory named "rules".
# You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations.
#
# Note: if URL is specified on the command line, it overrides all
# possible URLs specified in the configuration file(s).
#
# The location of the official Snort rules you should use depends
# on which Snort version you run. Basically, you should go to
# http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the
# future). You can of course also specify locations to third party
# rules.
#
# As of March 2005, you must register on the Snort site to get access
# to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
# For example, if your code is 5a081649c06a277e1022e1284b and
# you use Snort 2.4, the url to use would be (without the wrap):
# http://www.snort.org/pub-bin/oinkmaster.cgi/
# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
# more information.
# URL examples follows. Replace <oinkcode> with the code you get on the
# Snort site in your registered user profile.
# Example for Snort
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/157f1670c58caa1bcb3e4de0d68e96c7e12a08ca/snortrules-snapshot-2976.tar.gz
# Suricata
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# Example for Community rules
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
# Example for rules from the Bleeding Snort project
# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
# If you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://<filename>, for example:
# url = file:///tmp/snortrules.tar.gz
# In rare cases you may want to grab the rules directly from a
# local directory (don't confuse this with the output directory).
# url = dir:///etc/snort/src/rules
# Example to use scp to copy the rules archive from another host.
# Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
# If you use -u scp://... and need to specify a private ssh key (passed
# as -i <key> to the scp command) you can specify it here or add an
# entry in ~/.ssh/config for the Oinkmaster user as described in the
# OpenSSH manual.
# scp_key = /home/oinkmaster/oinkmaster_privkey
# The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or
# you will get problems.
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin
# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin
# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
# We normally use external binaries (wget, tar and gzip) since they're
# already available on most systems and do a good job. If you have the
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to
# choose which method you prefer. It's set to 0 by default on Win32
# (i.e. use Perl modules), and 1 on other systems (i.e. use external
# binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
# those than to install the ported Unix tools. (Note that if you're
# using scp to download the archive, external scp binary is still
# used.)
# use_external_bins = 0
# Temporary directory to use. This directory must exist when starting and
# Oinkmaster will then create a temporary sub directory in here.
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
# Example for UNIX.
# tmpdir = /home/oinkmaster/tmp/
# Example if running native Win32 or Cygwin.
# tmpdir = c:\tmp
# Example if running Cygwin and you prefer Cygwin style path.
# tmpdir = /cygdrive/c/tmp
# The umask to use during execution if you want it to be something
# else than the current value when starting Oinkmaster.
# This will affect the mode bits when writing new files.
# Keep it commented out to keep your system's current umask.
# umask = 0027
# Files in the archive(s) matching this regular expression will be
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# Regexp of keywords that starts a Snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic
# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the number
# of rules is below min_rules, the rules are regarded as broken
# and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# If you download from multiple URLs, the count is the total number
# of files/rules across all archives.
# min_files = 1
# min_rules = 1
# By default, a basic sanity check is performed on most paths/filenames
# to see if they contain illegal characters that may screw things up.
# If this check is too strict for your system (e.g. you get bogus
# "illegal characters in filename" errors because of your local language
# etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0.
# use_path_checks = 1
# If you want Oinkmaster to send a User-Agent HTTP header string
# other than the default one for wget/LWP, set this variable.
# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
# You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular
# oinkmaster.conf as soon as the include statement is seen, and then
# return and continue parsing the rest of the original file. If an
# option is redefined, it will override the previous value. You can use
# as many "include" statements as you wish, and also include even more
# files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf
#######################################################################
# Files to totally skip (i.e. never update or check for changes) #
# #
# Syntax: skipfile filename #
# or: skipfile filename1, filename2, filename3, ... #
#######################################################################
# Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# update.
skipfile local.rules
# The file deleted.rules contains rules that have been deleted from
# other files, so there is usually no point in updating it.
skipfile deleted.rules
# Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and
# new/old files are included/excluded.
skipfile snort.conf
# You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf
# If you update from multiple URLs at the same time you may need to
# ignore the sid-msg.map (and generate it yourself if you need one) as
# it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map
##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave). #
# Don't use it unless you have to. There is nothing that stops you from #
# modifying rules in such ways that they become invalid or generally #
# break things. You have been warned. #
# If you just want to disable SIDs, please skip this section and have a #
# look at the "disablesid" keyword below. #
# #
# You may specify multiple modifysid directives for the same SID (they #
# will be processed in order of appearance), and you may also specify a #
# list of SIDs on which the substitution should be applied. #
# If the argument is in the form something.something it's regarded #
# as a filename and the substitution will apply on all rules in that #
# file. The wildcard ("*") can be used to apply the substitution on all #
# rules regardless of the SID or file. Please avoid using #comments #
# at the end of modifysid lines, they may confuse the parser in some #
# situations. #
# #
# Syntax: #
# modifysid SID "replacethis" | "withthis" #
# or: #
# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
# or: #
# modifysid file "replacethis" | "withthis" #
# or: #
# modifysid * "replacethis" | "withthis" #
# #
# The strings within the quotes will basically be passed to a #
# s/replacethis/withthis/ statement in Perl, so they must be valid #
# regular expressions. The strings are case-insensitive and only the #
# first occurrence will be replaced. If there are multiple occurrences #
# you want to replace, simply repeat the same modifysid line. #
# As the strings are regular expressions, you MUST escape special #
# characters like $ \ / ( ) | by prepending a "\" to them. #
# #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines. #
# #
# If you use backreference variables in the substitution expression, #
# it's strongly recommended to specify them as ${1} instead of $1 and so #
# on, to avoid parsing confusion with unexpected results in some #
# situations. Note that modifysid statements will process both active #
# and inactive (disabled) rules. #
# #
# You may want to check out README.templates and template-examples.conf #
# to find how you can simplify the modifysid usage by using templates. #
##########################################################################
# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespaces next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"
# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""
# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
# Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline).
# modifysid 1378 "^alert" | "drop"
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"
# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
# "${1} replace:"\/foo\/sh";"
# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scans hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar"
# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
# Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
# This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
# "${1}, going to tag this baby"${2}"
# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
# Or you can even specify a SID list but repeat the same SID as many
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"
# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""
# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
########################################################################
# SIDs that we don't want to update. #
# If you for some reason don't want a specific rule to be updated #
# (e.g. you made local modifications to it and you never want to #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old #
# version of the rule (i.e. the one in the rules file on your #
# harddrive) is always kept, regardless if the official version has #
# been updated. Please do not use this feature unless in special #
# cases as it's easy to end up with many signatures that aren't #
# maintained anymore. See the FAQ for details about this and hints #
# about better solutions regarding customization of rules. #
# #
# Syntax: localsid SID #
# or: localsid SID1, SID2, SID3, ... #
########################################################################
# Example to never update SID 1325.
# localsid 1325
########################################################################
# SIDs to enable after each update. #
# Will simply remove all the leading '#' for a specified SID (if it's #
# a multi-line rule, the leading '#' for all lines are removed.) #
# These will be processed after all the modifysid and disablesid #
# statements. Using 'enablesid' on a rule that is not disabled is a #
# NOOP. #
# #
# Syntax: enablesid SID #
# or: enablesid SID1, SID2, SID3, ... #
########################################################################
# Example to enable SID 1325.
# enablesid 1325
########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a #
# '#' in front of the rule (if it's a multi-line rule, it will be put #
# in front of all lines). #
# #
# Syntax: disablesid SID #
# or: disablesid SID1, SID2, SID3, ... #
########################################################################
# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3
# And also as comma-separated lists.
# disablesid 4,5,6
# It's a good idea to also add comment about why you disable the sid:
# disablesid 1324 # 20020101: disabled this SID just because I can

425
roles/Sharingan/files/oinkmaster/oinkmaster.conf Normal file
View File

@@ -0,0 +1,425 @@
# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
# This file is pretty big by default, but don't worry.
# The only things required are "path" and "update_files". You must also
# set "url" to point to the correct rules archive for your version of
# Snort, unless you prefer to specify this on the command line.
# The rest in here is just a few recommended defaults, and examples
# how to use all the other optional features and give some ideas how they
# could be used.
# Remember not to let untrusted users edit Oinkmaster configuration
# files, as things like the PATH to use during execution is defined
# in here.
# Use "url = <url>" to specify the location of the rules archive to
# download. The url must begin with http://, https://, ftp://, file://
# or scp:// and end with .tar.gz or .tgz, and the file must be a
# gzipped tarball what contains a directory named "rules".
# You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations.
#
# Note: if URL is specified on the command line, it overrides all
# possible URLs specified in the configuration file(s).
#
# The location of the official Snort rules you should use depends
# on which Snort version you run. Basically, you should go to
# http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the
# future). You can of course also specify locations to third party
# rules.
#
# As of March 2005, you must register on the Snort site to get access
# to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
# For example, if your code is 5a081649c06a277e1022e1284b and
# you use Snort 2.4, the url to use would be (without the wrap):
# http://www.snort.org/pub-bin/oinkmaster.cgi/
# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
# more information.
# URL examples follows. Replace <oinkcode> with the code you get on the
# Snort site in your registered user profile.
# Example for Snort
# url = http://www.snort.org/pub-bin/oinkmaster.cgi/157f1670c58caa1bcb3e4de0d68e96c7e12a08ca/snortrules-snapshot-2976.tar.gz
# Suricata
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# Example for Community rules
# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
# Example for rules from the Bleeding Snort project
# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
# If you prefer to download the rules archive from outside Oinkmaster,
# you can then point to the file on your local filesystem by using
# file://<filename>, for example:
# url = file:///tmp/snortrules.tar.gz
# In rare cases you may want to grab the rules directly from a
# local directory (don't confuse this with the output directory).
# url = dir:///etc/snort/src/rules
# Example to use scp to copy the rules archive from another host.
# Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
# If you use -u scp://... and need to specify a private ssh key (passed
# as -i <key> to the scp command) you can specify it here or add an
# entry in ~/.ssh/config for the Oinkmaster user as described in the
# OpenSSH manual.
# scp_key = /home/oinkmaster/oinkmaster_privkey
# The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or
# you will get problems.
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin
# Example if running native Win32 or standalone Cygwin:
# path = c:\oinkmaster;c:\oinkmaster\bin
# Example if running standalone Cygwin and you prefer Cygwin style path:
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
# We normally use external binaries (wget, tar and gzip) since they're
# already available on most systems and do a good job. If you have the
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to
# choose which method you prefer. It's set to 0 by default on Win32
# (i.e. use Perl modules), and 1 on other systems (i.e. use external
# binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
# those than to install the ported Unix tools. (Note that if you're
# using scp to download the archive, external scp binary is still
# used.)
# use_external_bins = 0
# Temporary directory to use. This directory must exist when starting and
# Oinkmaster will then create a temporary sub directory in here.
# Keep it as a #comment if you want to use the default.
# The default will be checked for in the environment variables TMP,
# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
# Example for UNIX.
# tmpdir = /home/oinkmaster/tmp/
# Example if running native Win32 or Cygwin.
# tmpdir = c:\tmp
# Example if running Cygwin and you prefer Cygwin style path.
# tmpdir = /cygdrive/c/tmp
# The umask to use during execution if you want it to be something
# else than the current value when starting Oinkmaster.
# This will affect the mode bits when writing new files.
# Keep it commented out to keep your system's current umask.
# umask = 0027
# Files in the archive(s) matching this regular expression will be
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
# Normally you shouldn't need to change this one.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# Regexp of keywords that starts a Snort rule.
# May be useful if you create your own ruletypes and want those
# lines to be regarded as rules as well.
# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic
# If the number of rules files in the downloaded archive matching the
# 'update_files' regexp is below min_files, or if the number
# of rules is below min_rules, the rules are regarded as broken
# and the update is aborted with an error message.
# Both are set to 1 by default (i.e. the archive is only regarded as
# broken if it's totally empty).
# If you download from multiple URLs, the count is the total number
# of files/rules across all archives.
# min_files = 1
# min_rules = 1
# By default, a basic sanity check is performed on most paths/filenames
# to see if they contain illegal characters that may screw things up.
# If this check is too strict for your system (e.g. you get bogus
# "illegal characters in filename" errors because of your local language
# etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0.
# use_path_checks = 1
# If you want Oinkmaster to send a User-Agent HTTP header string
# other than the default one for wget/LWP, set this variable.
# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
# You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular
# oinkmaster.conf as soon as the include statement is seen, and then
# return and continue parsing the rest of the original file. If an
# option is redefined, it will override the previous value. You can use
# as many "include" statements as you wish, and also include even more
# files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf
#######################################################################
# Files to totally skip (i.e. never update or check for changes) #
# #
# Syntax: skipfile filename #
# or: skipfile filename1, filename2, filename3, ... #
#######################################################################
# Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# update.
skipfile local.rules
# The file deleted.rules contains rules that have been deleted from
# other files, so there is usually no point in updating it.
skipfile deleted.rules
# Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and
# new/old files are included/excluded.
skipfile snort.conf
# You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf
# If you update from multiple URLs at the same time you may need to
# ignore the sid-msg.map (and generate it yourself if you need one) as
# it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map
##########################################################################
# SIDs to modify after each update (only for the skilled/stupid/brave). #
# Don't use it unless you have to. There is nothing that stops you from #
# modifying rules in such ways that they become invalid or generally #
# break things. You have been warned. #
# If you just want to disable SIDs, please skip this section and have a #
# look at the "disablesid" keyword below. #
# #
# You may specify multiple modifysid directives for the same SID (they #
# will be processed in order of appearance), and you may also specify a #
# list of SIDs on which the substitution should be applied. #
# If the argument is in the form something.something it's regarded #
# as a filename and the substitution will apply on all rules in that #
# file. The wildcard ("*") can be used to apply the substitution on all #
# rules regardless of the SID or file. Please avoid using #comments #
# at the end of modifysid lines, they may confuse the parser in some #
# situations. #
# #
# Syntax: #
# modifysid SID "replacethis" | "withthis" #
# or: #
# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
# or: #
# modifysid file "replacethis" | "withthis" #
# or: #
# modifysid * "replacethis" | "withthis" #
# #
# The strings within the quotes will basically be passed to a #
# s/replacethis/withthis/ statement in Perl, so they must be valid #
# regular expressions. The strings are case-insensitive and only the #
# first occurrence will be replaced. If there are multiple occurrences #
# you want to replace, simply repeat the same modifysid line. #
# As the strings are regular expressions, you MUST escape special #
# characters like $ \ / ( ) | by prepending a "\" to them. #
# #
# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
# will first translate the rule into a single-line version and then #
# perform the substitution, so you don't have to care about the trailing #
# backslashes and newlines. #
# #
# If you use backreference variables in the substitution expression, #
# it's strongly recommended to specify them as ${1} instead of $1 and so #
# on, to avoid parsing confusion with unexpected results in some #
# situations. Note that modifysid statements will process both active #
# and inactive (disabled) rules. #
# #
# You may want to check out README.templates and template-examples.conf #
# to find how you can simplify the modifysid usage by using templates. #
##########################################################################
# Example to enable a rule (in this case SID 1325) that is disabled by
# default, by simply replacing leading "#alert" with "alert".
# (You should really use 'enablesid' for this though.)
# Oinkmaster removes whitespaces next to the leading "#" so you don't
# have to worry about that, but be careful about possible whitespace in
# other places when writing the regexps.
# modifysid 1325 "^#alert" | "alert"
# You could also do this to enable it no matter what type of rule it is
# (alert, log, pass, etc).
# modifysid 1325 "^#" | ""
# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
# Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline).
# modifysid 1378 "^alert" | "drop"
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
# You can also specify that a substitution should apply on multiple SIDs.
# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"
# You can take advantage of the fact that it's regular expressions and
# do more complex stuff. This example (for Snort_inline) adds a 'replace'
# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
# "${1} replace:"\/foo\/sh";"
# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scans hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
# Here is how it could be done.
# modifysid 483 \
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar"
# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
# Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
# This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
# "${1}, going to tag this baby"${2}"
# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
# Or you can even specify a SID list but repeat the same SID as many
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"
# Enable all rules in the file exploit.rules.
# modifysid exploit.rules "^#" | ""
# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
########################################################################
# SIDs that we don't want to update. #
# If you for some reason don't want a specific rule to be updated #
# (e.g. you made local modifications to it and you never want to #
# update it and don't care about changes in the official version), you #
# can specify a "localsid" statement for it. This means that the old #
# version of the rule (i.e. the one in the rules file on your #
# harddrive) is always kept, regardless if the official version has #
# been updated. Please do not use this feature unless in special #
# cases as it's easy to end up with many signatures that aren't #
# maintained anymore. See the FAQ for details about this and hints #
# about better solutions regarding customization of rules. #
# #
# Syntax: localsid SID #
# or: localsid SID1, SID2, SID3, ... #
########################################################################
# Example to never update SID 1325.
# localsid 1325
########################################################################
# SIDs to enable after each update. #
# Will simply remove all the leading '#' for a specified SID (if it's #
# a multi-line rule, the leading '#' for all lines are removed.) #
# These will be processed after all the modifysid and disablesid #
# statements. Using 'enablesid' on a rule that is not disabled is a #
# NOOP. #
# #
# Syntax: enablesid SID #
# or: enablesid SID1, SID2, SID3, ... #
########################################################################
# Example to enable SID 1325.
# enablesid 1325
########################################################################
# SIDs to comment out, i.e. disable, after each update by placing a #
# '#' in front of the rule (if it's a multi-line rule, it will be put #
# in front of all lines). #
# #
# Syntax: disablesid SID #
# or: disablesid SID1, SID2, SID3, ... #
########################################################################
# You can specify one SID per line.
# disablesid 1
# disablesid 2
# disablesid 3
# And also as comma-separated lists.
# disablesid 4,5,6
# It's a good idea to also add comment about why you disable the sid:
# disablesid 1324 # 20020101: disabled this SID just because I can

11
roles/Sharingan/files/oinkmaster/oinkmaster.service Normal file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=Darebee Notifier for AniNIX Martial Arts
[Service]
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
Type=simple
ExecStart=/home/DarkFeather/bin/darebee-notifier
#EOF

11
roles/Sharingan/files/oinkmaster/oinkmaster.timer Normal file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=Sharingan-IDS | oinkmaster timer
[Timer]
OnCalendar=05:00
Persistent=false
[Install]
WantedBy=timers.target
#EOF

1342
roles/Sharingan/files/rkhunter/rkhunter.conf Normal file
View File

File diff suppressed because it is too large Load Diff

14
roles/Sharingan/files/rkhunter/rkhunter.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=Sharingan-IDS | rkhunter HIDS
[Service]
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
Type=simple
ExecStart=rkhunter --check --sk
User=root
group=root
[Install]
WantedBy=multi-user.target

11
roles/Sharingan/files/rkhunter/rkhunter.timer Normal file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=Sharingan-IDS | rkhunter timer
[Timer]
OnCalendar=15:00
Persistent=false
[Install]
WantedBy=timers.target
#EOF

2
roles/Sharingan/files/scripts/notify Normal file
View File

@@ -0,0 +1,2 @@
#!/bin/bash
systemd-cat -t sharingan-eval "$@"

19
roles/Sharingan/files/sharingan-data.service/Archlinux Executable file
View File

@@ -0,0 +1,19 @@
[Unit]
Description=AniNIX/Sharingan | Data filer
Documentation=man:syslog-ng(8)
Conflicts=emergency.service emergency.target
Wants=network.target network-online.target
After=network.target network-online.target
[Service]
Type=notify
EnvironmentFile=-/etc/default/syslog-ng@sharingan-data
EnvironmentFile=-/etc/sysconfig/syslog-ng@sharingan-data
ExecStart=/usr/bin/syslog-ng -F $OTHER_OPTIONS --cfgfile $CONFIG_FILE --control $CONTROL_FILE --persist-file $PERSIST_FILE --pidfile $PID_FILE
ExecReload=/usr/bin/kill -HUP $MAINPID
StandardOutput=journal
StandardError=journal
Restart=on-failure
[Install]
WantedBy=multi-user.target

19
roles/Sharingan/files/sharingan-data.service/Debian Executable file
View File

@@ -0,0 +1,19 @@
[Unit]
Description=AniNIX/Sharingan | Data filer
Documentation=man:syslog-ng(8)
Conflicts=emergency.service emergency.target
Wants=network.target network-online.target
After=network.target network-online.target
[Service]
Type=notify
EnvironmentFile=-/etc/default/syslog-ng@sharingan-data
EnvironmentFile=-/etc/sysconfig/syslog-ng@sharingan-data
ExecStart=/usr/sbin/syslog-ng -F $OTHER_OPTIONS --cfgfile $CONFIG_FILE --control $CONTROL_FILE --persist-file $PERSIST_FILE --pidfile $PID_FILE
ExecReload=/usr/bin/kill -HUP $MAINPID
StandardOutput=journal
StandardError=journal
Restart=on-failure
[Install]
WantedBy=multi-user.target

33
roles/Sharingan/files/sharingan-eval.service Executable file
View File

@@ -0,0 +1,33 @@
# This file is systemd template for monit service. To
# register monit with systemd, place the monit.service file
# to the /lib/systemd/system/ directory and then start it
# using systemctl (see bellow).
#
# Enable monit to start on boot:
# systemctl enable monit.service
#
# Start monit immediately:
# systemctl start monit.service
#
# Stop monit:
# systemctl stop monit.service
#
# Status:
# systemctl status monit.service
[Unit]
Description=AniNIX/Sharingan | Evaluation service, powered by monit
After=network-online.target
Documentation=man:monit(1) https://mmonit.com/wiki/Monit/HowTo
[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/monit -I
ExecStop=/usr/bin/monit quit
ExecReload=/usr/bin/monit reload
Restart=on-abnormal
StandardOutput=null
[Install]
WantedBy=multi-user.target

9
roles/Sharingan/files/sharingan-heartbeat.service Normal file
View File

@@ -0,0 +1,9 @@
[Unit]
Description=AniNIX/Sharingan | Heartbeat service
[Service]
ExecStart=/bin/bash -c 'systemd-cat -t sharingan-heartbeat echo `systemctl is-system-running`'
Type=oneshot
RemainAfterExit=no
User=root
Group=root

11
roles/Sharingan/files/sharingan-heartbeat.timer Normal file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=AniNIX/Sharingan | Heartbeat timer
[Timer]
OnCalendar=*-*-* *:00/5:00
AccuracySec=12h
Persistent=true
[Install]
WantedBy=timers.target

4
roles/Sharingan/files/sshguard.conf Normal file
View File

@@ -0,0 +1,4 @@
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
BACKEND="/usr/lib/sshguard/sshg-fw-iptables"
WHITELIST_FILE=/etc/sshguard.whitelist

68
roles/Sharingan/files/suricata/classification.config Normal file
View File

@@ -0,0 +1,68 @@
# $Id$
# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
#
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2

11
roles/Sharingan/files/suricata/local.rules Executable file
View File

@@ -0,0 +1,11 @@
pass ip 10.0.1.2/32 445 <> 10.0.1.3 any (msg: "Ignore Microsoft-ds traffic"; sid:4294967202;)
pass dns $HOME_NET any -> 10.0.1.3 53 (msg: "Ignore false malformed DNS from DD-WRT"; sid:4294967204;)
pass ip any any <> 96.126.111.217 6667 (msg: "We consider Xertion safe"; sid:4294967205;)
pass tcp $HOME_NET any <> 10.0.1.3 any (msg: "Allow AniNIX::Core to scan"; sid:4294967206;)
pass http 10.0.1.3 any -> $HOME_NET any (msg: "Pass local http traffic."; sid:4294967208;)
pass tcp 10.0.1.3 any -> 10.0.1.1 80 (msg: "Allow Core to admin Shadowfeed with Geth integration"; sid:4294967209;)
pass tcp 10.0.1.3 any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:4294967211;)
pass http $HOME_NET any -> any any (msg:"ET POLICY curl User-Agent Outbound"; sid:4294967212; content:"curl/"; nocase; http_user_agent; depth:5;)
pass udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; sid:4294967213;)
pass ip $HOME_NET any -> [130.239.18.119,162.213.39.42,185.30.166.37,185.30.166.38,38.229.70.22,64.86.243.181] any (msg:"130.239.18.119|162.213.39.42|185.30.166.37|185.30.166.38|38.229.70.22|64.86.243.181"; rev:2; sid:4294967214; classtype:trojan-activity;)
pass tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:4294967215; rev:1;)

26
roles/Sharingan/files/suricata/reference.config Normal file
View File

@@ -0,0 +1,26 @@
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: bid http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
#config reference: cve http://cvedetails.com/cve/
config reference: secunia http://www.secunia.com/advisories/
#whitehats is unfortunately gone
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: et http://doc.emergingthreats.net/
config reference: etpro http://doc.emergingthreatspro.com/
config reference: telus http://
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5 http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia http://secunia.com/advisories/
config reference: xforce http://xforce.iss.net/xforce/xfdb/
config reference: msft http://technet.microsoft.com/security/bulletin/

1327
roles/Sharingan/files/suricata/suricata.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

69
roles/Sharingan/files/suricata/threshold.config Normal file
View File

@@ -0,0 +1,69 @@
# Configure Thresholding and Suppression
# ======================================
#
# The threshold command is deprecated. Use detection_filter for thresholds
# within a rule and event_filter for standalone threshold configurations.
# Please see README.filters for more information on filters.
#
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# This can be tuned to significantly reduce false alarms, and it can also be
# used to write a newer breed of rules. Thresholding commands limit the number
# of times a particular event is logged during a specified time interval.
#
# There are 3 types of event_filters:
#
# 1) Limit
# Alert on the 1st M events during the time interval, then ignore
# events for the rest of the time interval.
#
# 2) Threshold
# Alert every M times we see this event during the time interval.
#
# 3) Both
# Alert once per time interval after seeing M occurrences of the
# event, then ignore any additional events during the time interval.
#
# Threshold commands are formatted as:
#
# event_filter gen_id gen-id, sig_id sig-id, \
# type limit|threshold|both, track by_src|by_dst, \
# count n , seconds m
#
# Limit to logging 1 event per 60 seconds:
#
# event_filter gen_id 1, sig_id 1851, type limit, \
# track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# each rule (rules are gen_id 1):
#
# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# any alert for any event generator:
#
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
# completely suppressed, or suppressed when the causitive traffic is going to
# or comming from a specific IP or group of IP addresses.
#
# Suppress this event completely:
#
# suppress gen_id 1, sig_id 1852
#
# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
#
# working example from iggbsd2 snort:
#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2

5
roles/Sharingan/files/syslog-ng@sharingan-data Normal file
View File

@@ -0,0 +1,5 @@
CONFIG_FILE=/etc/syslog-ng/syslog-ng.conf
PERSIST_FILE=/var/lib/syslog-ng/syslog-ng.persist
CONTROL_FILE=/run/syslog-ng.ctl
PID_FILE=/run/syslog-ng.pid
OTHER_OPTIONS="--enable-core"

153
roles/Sharingan/tasks/data.yml Normal file
View File

@@ -0,0 +1,153 @@
---
- name: Sharingan data packages
become: yes
package:
state: present
name:
- syslog-ng
- monit
- monitoring-plugins
- name: Sharingan-Data apps dir
become: yes
file:
path: /etc/syslog-ng/apps.d
state: directory
- name: Sharingan-Data include apps dir
become: yes
register: base_config
lineinfile:
path: /etc/syslog-ng/syslog-ng.conf
line: "{{ item }}"
loop:
- '# Allow compartmentalization of config'
- '@include "apps.d/*.conf"'
- name: Sharingan-Data conf
become: yes
template:
src: graylog.conf.j2
dest: /etc/syslog-ng/apps.d/graylog.conf
owner: root
group: root
mode: 0750
- name: Sharingan-Data service conf
become: yes
copy:
src: syslog-ng@sharingan-data
dest: /etc/default/syslog-ng@sharingan-data
owner: root
group: root
mode: 0655
- name: Sharingan-Data filer service
become: yes
register: data_service
copy:
src: "sharingan-data.service/{{ ansible_os_family }}"
dest: /usr/lib/systemd/system/sharingan-data.service
owner: root
group: root
mode: 0750
- name: Sharingan-Eval service
become: yes
register: eval_service
copy:
src: sharingan-eval.service
dest: /usr/lib/systemd/system/sharingan-eval.service
owner: root
group: root
mode: 0750
- name: Sharingan-Eval monitrc
become: yes
template:
src: monitrc.j2
dest: /etc/monitrc
owner: root
group: root
mode: 0700
- name: Sharingan-Eval includes dir
become: yes
file:
path: /etc/monit.d
state: directory
- name: Sharingan-Eval monit templates
become: yes
copy:
src: templates
dest: /etc/monit.d/templates
owner: root
group: root
mode: 0700
- name: Sharingan-Eval monit scripts
become: yes
copy:
src: templates
dest: /etc/monit.d/scripts
owner: root
group: root
mode: 0700
- name: Sharingan-Eval monit host config
become: yes
copy:
src: "{{ inventory_hostname }}"
dest: "/etc/monit.d/{{ inventory_hostname }}"
owner: root
group: root
mode: 0700
- name: Sharingan-Heartbeat service
become: yes
register: heartbeat_service
copy:
src: "{{ item }}"
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0750
loop:
- sharingan-heartbeat.timer
- sharingan-heartbeat.service
- name: Sharingan-Data heartbeat timer
become: yes
copy:
src: sharingan-heartbeat.timer
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0750
- systemd:
daemon_reload: yes
become: yes
when: data_service.changed or eval_service.changed or heartbeat_service.changed
- name: Start Sharingan-Data services
become: yes
service:
name: "{{ item }}"
state: restarted
enabled: yes
loop:
- sharingan-data.service
- sharingan-heartbeat.timer
- sharingan-eval.service
- name: Disable default service
become: yes
ignore_errors: yes
service:
name: syslog-ng@default.service
state: stopped
enabled: no

59
roles/Sharingan/tasks/ids.yml Normal file
View File

@@ -0,0 +1,59 @@
---
- name: sshguard package
become: yes
package:
name:
- sshguard
- suricata
- oinkmaster
state: present
- name: sshguard config
become: yes
copy:
src: sshguard.conf
dest: /etc/sshguard.conf
owner: root
group: root
mode: 0600
- name: sshguard allowlist
become: yes
copy:
dest: /etc/sshguard.allowlist
content: |
"{{ router }}/{{ netmask }}"
owner: root
group: root
mode: 0600
# - name: Copy oinkmaster service
# register: oinkmaster_service
# become: yes
# loop:
# - oinkmaster.service
# - oinkmaster.timer
# copy:
# src: "{{ item }}"
# dest: "/usr/lib/systemd/system/{{ item }}"
# owner: root
# group: root
# mode: 0644
#
# - systemd:
# daemon_reload: yes
# become: yes
# when: oinkmaster_service.changed
- name: IDS services
become: yes
loop:
- suricata.service
- sshguard.service
# - oinkmaster.timer
service:
name: "{{ item }}"
state: restarted
enabled: yes

21
roles/Sharingan/tasks/main.yml
View File

@@ -1,11 +1,12 @@
---
- name: Sharingan packages
become: yes
package:
name:
- openvas
- greenbone-security-assistant
- elasticsearch6
- mongodb
- graylog
---
- import_tasks: ../roles/Sharingan/tasks/siem.yml
when: siem is defined
- import_tasks: ../roles/Sharingan/tasks/ids.yml
when: secdetection is defined
- import_tasks: ../roles/Sharingan/tasks/vulns.yml
when: ansible_os_family == "Archlinux"
- import_tasks: ../roles/Sharingan/tasks/data.yml

33
roles/Sharingan/tasks/siem.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- name: Sharingan packages
become: yes
register: sharingan_packages
package:
name:
- elasticsearch
- mongodb
- graylog
state: present
- name: Sharingan services
become: yes
loop:
- elasticsearch
- mongodb
- graylog
service:
name: "{{ item }}"
state: started
enabled: yes
- name: Sharingan backups directory
become: yes
file:
path: /usr/local/backups/elasticsearch
state: directory
owner: elasticsearch
group: elasticsearch
mode: 0770
- name: Set Sharingan backups
command: "curl -X PUT localhost:9200/_snapshot/my_backup?pretty -H 'Content-Type: application/json' -d '{ type: fs, settings: { location: /usr/local/backup/elasticsearch, compress: true } }'"

45
roles/Sharingan/tasks/vulns.yml Normal file
View File

@@ -0,0 +1,45 @@
---
- name: Install lynis
register: lynis_pkg
become: yes
package:
name:
- lynis
- arch-audit
- clamav
state: present
- name: lynis config
register: lynis_conf
become: yes
copy:
src: lynis/custom.prf
dest: /etc/lynis/custom.prf
owner: root
group: root
mode: 0600
- name: lynis services
become: yes
copy:
src: "lynis/{{ item }}"
dest: /usr/lib/systemd/system/
owner: root
group: root
mode: 0664
loop:
- sharingan-vulns.service
- sharingan-vulns.timer
- freshclam.service
- freshclam.timer
- name: Enable timers
become: yes
loop:
- freshclam.timer
- sharingan-vulns.timer
service:
name: "{{ item }}"
state: restarted
enabled: yes

10
roles/Sharingan/templates/graylog.conf.j2 Normal file
View File

@@ -0,0 +1,10 @@
# Define TCP syslog destination.
destination d_graylog {
syslog("{{ logserver }}" port(10514));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
source(src); # Defined in the default syslog-ng configuration.
destination(d_graylog);
};

300
roles/Sharingan/templates/monitrc.j2 Executable file
View File

@@ -0,0 +1,300 @@
###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
set daemon 30 # check services at 30 seconds intervals
with start delay 240 # optional: delay the first check by 4-minutes (by
# default Monit check immediately after Monit start)
#
## Set syslog logging. If you want to log to a standalone log file instead,
## specify the full path to the log file
#
set log syslog
#
#
## Set the location of the Monit lock file which stores the process id of the
## running Monit instance. By default this file is stored in $HOME/.monit.pid
#
# set pidfile /var/run/monit.pid
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
# set statefile /var/.monit.state
#
#
## Set limits for various tests. The following example shows the default values:
##
# set limits {
# programOutput: 512 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
# fileContentBuffer: 512 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 30 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
# }
## Set global SSL options (just most common options showed, see manual for
## full list).
#
# set ssl {
# verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
# selfsigned : allow # allow self signed SSL certificates (reject by default)
#}
#
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the queue size
## by using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
# set eventqueue
# basedir /var/monit # set the base directory where events will be stored
# slots 100 # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more information about M/Monit
## see https://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted. The password
## should be URL encoded if it contains URL-significant characters like
## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
## adding the timeout option.
#
# set mmonit http://monit:monit@192.168.1.10:8080/collector
# # with timeout 30 seconds # Default timeout is 5 seconds
# # and register without credentials # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the mail-format
## statement is missing::
## --8<--
## set mail-format {
## from: Monit <monit@$HOST>
## subject: monit alert -- $EVENT $SERVICE
## message: $EVENT Service $SERVICE
## Date: $DATE
## Action: $ACTION
## Host: $HOST
## Description: $DESCRIPTION
##
## Your faithful employee,
## Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
#
## Do not alert when Monit starts, stops or performs a user initiated action.
## This filter is recommended to avoid getting alerts for trivial cases.
#
# set alert your-name@your.domain not on { instance, action }
#
#
## Monit has an embedded HTTP interface which can be used to view status of
## services monitored and manage services from a web interface. The HTTP
## interface is also required if you want to issue Monit commands from the
## command line, such as 'monit status' or 'monit restart service' The reason
## for this is that the Monit client uses the HTTP interface to send these
## commands to a running Monit daemon. See the Monit Wiki if you want to
## enable SSL for the HTTP interface.
#
set httpd port 2812 and
use address localhost # only accept connection from localhost (drop if you use M/Monit)
allow localhost # allow localhost to connect to the server and
allow admin:"{{ monitcli | default('monit') }}" # require user 'admin' with password 'monit'
#with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem
#}
###############################################################################
## Services
###############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
# check system $HOST
# if loadavg (1min) per core > 2 for 5 cycles then alert
# if loadavg (5min) per core > 1.5 for 10 cycles then alert
# if cpu usage > 95% for 10 cycles then alert
# if memory usage > 75% then alert
# if swap usage > 25% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
# if failed permission 755 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "root" then unmonitor
# alert security@foo.bar on {
# checksum, permission, uid, gid, unmonitor
# } with the mail-format { subject: Alarm! }
# group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
# stop program = "/etc/init.d/httpd stop"
# if cpu > 60% for 2 cycles then alert
# if cpu > 80% for 5 cycles then restart
# if totalmem > 200.0 MB for 5 cycles then restart
# if children > 250 then restart
# if disk read > 500 kb/s for 10 cycles then alert
# if disk write > 500 kb/s for 10 cycles then alert
# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
# if failed port 443 protocol https with timeout 15 seconds then restart
# if 3 restarts within 5 cycles then unmonitor
# depends on apache_bin
# group server
#
#
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
## Other services, such as databases, may depend on this resource and an automatically
## graceful stop may be cascaded to them before the filesystem will become full and data
## lost.
#
# check filesystem datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# stop program = "/bin/umount /data"
# if failed permission 660 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "disk" then unmonitor
# if space usage > 80% for 5 times within 15 cycles then alert
# if space usage > 99% then stop
# if inode usage > 30000 then alert
# if inode usage > 99% then stop
# if read rate > 1 MB/s for 5 cycles then alert
# if read rate > 500 operations/s for 5 cycles then alert
# if write rate > 1 MB/s for 5 cycles then alert
# if write rate > 500 operations/s for 5 cycles then alert
# if service time > 10 milliseconds for 3 times within 5 cycles then alert
# group server
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if failed uid "data" then alert
# if failed gid "data" then alert
# if timestamp > 15 minutes then alert
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid. An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0. In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed uid 0 then unmonitor
# if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed ping then alert
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
# if failed port 80 protocol http
# and request /some/path with content = "a string"
# then alert
#
#
## Check a network link status (up/down), link capacity changes, saturation
## and bandwidth usage.
#
# check network public with interface eth0
# if failed link then alert
# if changed link then alert
# if saturation > 90% then alert
# if download > 10 MB/s then alert
# if total uploaded > 1 GB in last hour then alert
#
#
## Check custom program status output.
#
# check program myscript with path /usr/local/bin/myscript.sh
# if status != 0 then alert
#
#
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
include /etc/monit.d/{{ inventory_hostname }}