Last active
February 16, 2018 13:22
-
-
Save markuskont/0c4524d7daa6998299959efa69477a31 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| drop dns any any -> any any (msg:"dns request for facebook"; dns_query; content: "facebook"; rev: 1; sid: 1;) | |
| drop http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"http on non-http port"; content:"GET"; http_method; rev: 1; sid: 2;) | |
| drop http any any -> any any (msg:"firefox beaconing home"; content:"detectportal.firefox.com"; http_host; rev: 1; sid: 3;) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vi: set ft=ruby : | |
| # | |
| $buildSuricata = <<SCRIPT | |
| export DEBIAN_FRONTEND=noninteractive | |
| apt-get update && apt-get build-dep suricata -y | |
| git clone https://github.com/OISF/suricata | |
| cd suricata | |
| git clone https://github.com/OISF/libhtp.git -b 0.5.x | |
| ./autogen.sh | |
| ./configure --prefix=/opt/suricata --sysconfdir=/etc | |
| make | |
| make install-full | |
| cat >> /etc/suricata/suricata.yaml <<EOF | |
| af-packet: | |
| - interface: enp0s3 | |
| threads: 1 | |
| defrag: yes | |
| cluster-type: cluster_flow | |
| cluster-id: 98 | |
| copy-mode: ips | |
| copy-iface: enp0s8 | |
| buffer-size: 64535 | |
| use-mmap: yes | |
| - interface: enp0s8 | |
| threads: 1 | |
| cluster-id: 97 | |
| defrag: yes | |
| cluster-type: cluster_flow | |
| copy-mode: ips | |
| copy-iface: enp0s3 | |
| buffer-size: 64535 | |
| use-mmap: yes | |
| echo "do not forget to set stream-engine and http-body parser to inline mode, otherwise alerting will be done on ACK-ed data and initial SYN will not be dropped" | |
| EOF | |
| /opt/suricata/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vvv -D | |
| SCRIPT | |
| $setupWebServer = <<SCRIPT | |
| export DEBIAN_FRONTEND=noninteractive | |
| apt-get update && apt-get install -y nginx | |
| SCRIPT | |
| Vagrant.configure(2) do |config| | |
| config.vm.provider :virtualbox do |vb| | |
| vb.customize ["modifyvm", :id, "--cpus", 2] | |
| vb.customize ["modifyvm", :id, "--memory", 2048] | |
| #vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"] | |
| end | |
| config.vm.define 'client' do |box| | |
| box.vm.box = "janihur/ubuntu-1604-lxde-desktop" | |
| box.vm.hostname = 'client' | |
| box.vm.network :private_network, ip: "192.168.12.30", virtualbox__intnet: true | |
| #box.vm.provision "shell", inline: $routeThroughSuricata | |
| box.vm.provider :virtualbox do |vb| | |
| vb.gui = true | |
| end | |
| end | |
| config.vm.define 'bridge' do |box| | |
| box.vm.box = "ubuntu/xenial64" | |
| box.vm.hostname = 'bridge' | |
| box.vm.network :private_network, ip: "192.168.12.254", virtualbox__intnet: true | |
| box.vm.provision "shell", inline: $buildSuricata | |
| box.vm.provider :virtualbox do |vb| | |
| vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"] | |
| end | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment