Current state of Sharingan role -- still need to add rkhunter

2022-05-02 15:00:29 -05:00
parent 1c2f4266ad
commit d0146770a4
45 changed files with 4004 additions and 46 deletions
--- a/roles/Sharingan/files/suricata/classification.config
+++ b/roles/Sharingan/files/suricata/classification.config
@@ -0,0 +1,68 @@
+# $Id$
+# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
+#
+# The following includes information for prioritizing rules
+#
+# Each classification includes a shortname, a description, and a default
+# priority for that classification.
+#
+# This allows alerts to be classified and prioritized.  You can specify
+# what priority each classification has.  Any rule can override the default
+# priority for that rule.
+#
+# Here are a few example rules:
+#
+#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
+#	dsize: > 128; classtype:attempted-admin; priority:10;
+#
+#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
+#	      content:"expn root"; nocase; classtype:attempted-recon;)
+#
+# The first rule will set its type to "attempted-admin" and override
+# the default priority for that type to 10.
+#
+# The second rule set its type to "attempted-recon" and set its
+# priority to the default for that type.
+#
+
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: kickass-porn,SCORE! Get the lotion!,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
--- a/roles/Sharingan/files/suricata/local.rules
+++ b/roles/Sharingan/files/suricata/local.rules
@@ -0,0 +1,11 @@
+pass ip 10.0.1.2/32 445 <> 10.0.1.3 any (msg: "Ignore Microsoft-ds traffic"; sid:4294967202;)
+pass dns $HOME_NET any -> 10.0.1.3 53 (msg: "Ignore false malformed DNS from DD-WRT"; sid:4294967204;)
+pass ip any any <> 96.126.111.217 6667 (msg: "We consider Xertion safe"; sid:4294967205;)
+pass tcp $HOME_NET any <> 10.0.1.3 any (msg: "Allow AniNIX::Core to scan"; sid:4294967206;)
+pass http 10.0.1.3 any -> $HOME_NET any (msg: "Pass local http traffic."; sid:4294967208;)
+pass tcp 10.0.1.3 any -> 10.0.1.1 80 (msg: "Allow Core to admin Shadowfeed with Geth integration"; sid:4294967209;)
+pass tcp 10.0.1.3 any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:4294967211;)
+pass http $HOME_NET any -> any any (msg:"ET POLICY curl User-Agent Outbound"; sid:4294967212; content:"curl/"; nocase; http_user_agent; depth:5;)
+pass udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; sid:4294967213;)
+pass ip $HOME_NET any -> [130.239.18.119,162.213.39.42,185.30.166.37,185.30.166.38,38.229.70.22,64.86.243.181] any (msg:"130.239.18.119|162.213.39.42|185.30.166.37|185.30.166.38|38.229.70.22|64.86.243.181"; rev:2; sid:4294967214; classtype:trojan-activity;)
+pass tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:4294967215; rev:1;)
--- a/roles/Sharingan/files/suricata/reference.config
+++ b/roles/Sharingan/files/suricata/reference.config
@@ -0,0 +1,26 @@
+# config reference: system URL
+
+config reference: bugtraq   http://www.securityfocus.com/bid/
+config reference: bid	    http://www.securityfocus.com/bid/
+config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+#config reference: cve       http://cvedetails.com/cve/
+config reference: secunia   http://www.secunia.com/advisories/
+
+#whitehats is unfortunately gone
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+config reference: McAfee    http://vil.nai.com/vil/content/v_
+config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url       http://
+config reference: et        http://doc.emergingthreats.net/
+config reference: etpro     http://doc.emergingthreatspro.com/
+config reference: telus     http://
+config reference: osvdb     http://osvdb.org/show/osvdb/
+config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
+config reference: md5	    http://www.threatexpert.com/report.aspx?md5=
+config reference: exploitdb http://www.exploit-db.com/exploits/
+config reference: openpacket https://www.openpacket.org/capture/grab/
+config reference: securitytracker http://securitytracker.com/id?
+config reference: secunia   http://secunia.com/advisories/
+config reference: xforce    http://xforce.iss.net/xforce/xfdb/
+config reference: msft      http://technet.microsoft.com/security/bulletin/
--- a/roles/Sharingan/files/suricata/suricata.yaml
+++ b/roles/Sharingan/files/suricata/suricata.yaml
--- a/roles/Sharingan/files/suricata/threshold.config
+++ b/roles/Sharingan/files/suricata/threshold.config
@@ -0,0 +1,69 @@
+# Configure Thresholding and Suppression
+# ======================================
+#
+# The threshold command is deprecated.  Use detection_filter for thresholds
+# within a rule and event_filter for standalone threshold configurations.
+# Please see README.filters for more information on filters.
+#
+# Thresholding:
+#
+# This feature is used to reduce the number of logged alerts for noisy rules.
+# This can be tuned to significantly reduce false alarms, and it can also be
+# used to write a newer breed of rules. Thresholding commands limit the number
+# of times a particular event is logged during a specified time interval.
+#
+# There are 3 types of event_filters:
+#
+# 1) Limit
+#    Alert on the 1st M events during the time interval, then ignore
+#    events for the rest of the time interval.
+#
+# 2) Threshold
+#    Alert every M times we see this event during the time interval.
+#
+# 3) Both
+#    Alert once per time interval after seeing M occurrences of the
+#    event, then ignore any additional events during the time interval.
+#
+# Threshold commands are formatted as:
+#
+# event_filter gen_id gen-id, sig_id sig-id, \
+#     type limit|threshold|both, track by_src|by_dst, \
+#     count n , seconds m
+#
+# Limit to logging 1 event per 60 seconds:
+#
+# event_filter gen_id 1, sig_id 1851, type limit, \
+#     track by_src, count 1, seconds 60
+#
+# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
+# each rule (rules are gen_id 1):
+#
+# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
+#
+# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
+# any alert for any event generator:
+#
+# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
+#
+# Suppression:
+#
+# Suppression commands are standalone commands that reference generators and
+# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
+# completely suppressed, or suppressed when the causitive traffic is going to
+# or comming from a specific IP or group of IP addresses.
+#
+# Suppress this event completely:
+#
+# suppress gen_id 1, sig_id 1852
+#
+# Suppress this event from this IP:
+#
+# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
+#
+# Suppress this event to this CIDR block:
+#
+# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
+#
+# working example from iggbsd2 snort:
+#suppress gen_id 122, sig_id 17, track by_src, ip 172.16.0.2