Example of setting up Cloud Intrusion Detection System (IDS) on a project using the default network, with a throwaway instance that triggers one test threat alert.
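#!/usr/bin/env bash
# Set up Cloud IDS on the active gcloud project's "default" VPC: reserve a
# private-services range and peer it with Service Networking, create an IDS
# endpoint, mirror the default subnet's packets into it, then launch a
# throwaway VM that sends one known-bad HTTP request so a threat log appears.
#
# REF: https://cloud.google.com/intrusion-detection-system/docs/configuring-ids
#
# Requirements / caveats:
#   - gcloud must be authenticated as a principal allowed to enable services and
#     create global addresses, VPC peerings, IDS endpoints, packet mirroring
#     policies and instances in the project.
#   - The IDS endpoint, peering range and VM are billable and persist until
#     deleted (see the cleanup notes at the bottom).
#   - The script is meant to run top to bottom; it aborts on the first failing
#     command, so re-running after a partial run needs the already-created
#     resources removed (or the relevant steps commented out).
set -euo pipefail

# Assignment and export are split so a failing gcloud call is not masked by
# `export` returning 0.
PROJECT_ID=$(gcloud config get-value project)
export PROJECT_ID
: "${PROJECT_ID:?no active gcloud project; run 'gcloud config set project <id>' first}"
PROJECT_USER=$(gcloud config get-value core/account) # current user
export PROJECT_USER
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
export PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workload identity domain (not used below; kept for follow-on work)
export GCP_REGION="us-west4" # CHANGEME (OPT)
export GCP_ZONE="us-west4-a" # CHANGEME (OPT) - must be inside GCP_REGION
export NETWORK_NAME="default"
# In the auto-mode "default" network each regional subnet is also named
# "default"; change this if you point NETWORK_NAME at a custom-mode VPC.
export SUBNET_NAME="default"

# enable apis
gcloud services enable \
  compute.googleapis.com \
  servicenetworking.googleapis.com \
  ids.googleapis.com

# configure gcloud sdk (NOTE: this persists in the active gcloud configuration,
# not just for this script)
gcloud config set compute/region "$GCP_REGION"
gcloud config set compute/zone "$GCP_ZONE"

#####################################################################
# PRIVATE SERVICE ACCESS
#####################################################################
# Reserved range for the Service Networking peering. A full /16 out of
# 192.168.0.0 is far larger than one endpoint needs and must not overlap any
# subnet or already-peered range in this VPC; shrink or move it if your
# network already uses 192.168.0.0/16.
export RANGE_NAME="ids-range"
gcloud compute addresses create "$RANGE_NAME" \
  --global \
  --purpose=VPC_PEERING \
  --addresses=192.168.0.0 \
  --prefix-length=16 \
  --description="Address range for Cloud IDS peering" \
  --network="$NETWORK_NAME"

# Private connection (peering). Without --async the connect command is
# expected to wait for its operation to finish, so there is no operation name
# to copy by hand; the list call afterwards confirms the peering exists.
gcloud services vpc-peerings connect \
  --service=servicenetworking.googleapis.com \
  --ranges="$RANGE_NAME" \
  --network="$NETWORK_NAME" \
  --project="$PROJECT_ID"
gcloud services vpc-peerings list \
  --network="$NETWORK_NAME" \
  --service=servicenetworking.googleapis.com \
  --project="$PROJECT_ID"

#####################################################################
# CLOUD IDS ENDPOINT
#####################################################################
# endpoint (can take a long time to create; --no-async blocks until done)
export ENDPOINT_NAME="default-endpoint"
# Minimum severity that generates an alert:
#   INFORMATIONAL | LOW | MEDIUM | HIGH | CRITICAL
# INFORMATIONAL logs everything, which is what you want for this demo but is
# noisy (and costly in log volume) for a production endpoint.
export SEVERITY="INFORMATIONAL"
gcloud ids endpoints create "$ENDPOINT_NAME" \
  --network="$NETWORK_NAME" \
  --zone="$GCP_ZONE" \
  --severity="$SEVERITY" \
  --no-async

# verify
gcloud ids endpoints describe "$ENDPOINT_NAME" --zone "$GCP_ZONE"

# The endpoint is fronted by an internal load balancer forwarding rule, which
# is the packet mirroring collector. The zone must be the endpoint's zone.
FWD_RULE=$(gcloud ids endpoints describe "$ENDPOINT_NAME" \
  --zone "$GCP_ZONE" \
  --format="value(endpointForwardingRule)")
export FWD_RULE
: "${FWD_RULE:?endpoint $ENDPOINT_NAME reported no forwarding rule}"

# Packet mirroring policy. Mirroring is regional, so the subnet must live in
# GCP_REGION. No filter options are given here, so the policy should mirror
# all of the subnet's traffic; narrow it with the policy's filter options if
# you only want a subset inspected.
export POLICY_NAME="ids-mirror-policy"
gcloud compute packet-mirrorings create "$POLICY_NAME" \
  --region="$GCP_REGION" \
  --collector-ilb="$FWD_RULE" \
  --network="$NETWORK_NAME" \
  --mirrored-subnets="$SUBNET_NAME"

#####################################################################
# SPIN UP TEST INSTANCE
#####################################################################
# Throwaway VM whose only job is to emit one suspicious request. No --no-address
# is given, so it gets an ephemeral external IP, which the curl below relies on
# for outbound reachability. NOTE(review): in the stock "default" network that
# also leaves it reachable through the pre-created default-allow-* firewall
# rules (SSH/RDP/ICMP from 0.0.0.0/0) - confirm your network's rules, and
# delete the instance as soon as the test is done.
export TEST_INSTANCE="vulnerable-instance"
gcloud compute instances create "$TEST_INSTANCE" \
  --project="$PROJECT_ID" \
  --zone="$GCP_ZONE" \
  --machine-type=e2-micro \
  --network-interface=network-tier=PREMIUM,subnet="$SUBNET_NAME"

#####################################################################
# SIMULATE INTRUSION
#####################################################################
# Send one request whose URI matches a known threat signature (path traversal
# reaching for /bin/cat /etc/passwd). example.com is only a dummy target; the
# URI is what the IDS keys on. Bash single quotes pass the string verbatim, so
# the space must be URL-encoded as a single %20 - a literal %%20 is not a
# URL escape and is sent as-is.
gcloud compute ssh --zone "$GCP_ZONE" "$TEST_INSTANCE" -- \
  'curl http://example.com/cgi-bin/../../../..//bin/cat%20/etc/passwd'

#####################################################################
# INSPECT LOGS
#####################################################################
# Threat logs may take a few minutes to show up after the request. From the
# CLI (project and endpoint filled in from the variables above):
gcloud logging read \
  "logName=\"projects/${PROJECT_ID}/logs/ids.googleapis.com%2Fthreat\" AND resource.type=\"ids.googleapis.com/Endpoint\" AND resource.labels.id=\"${ENDPOINT_NAME}\"" \
  --project="$PROJECT_ID" \
  --freshness=1h \
  --limit=20

# Equivalent Logs Explorer filter. The UI does not expand shell variables, so
# substitute the real project id and endpoint name, and edit timestamps as
# needed. The last clause hides anything below HIGH; drop it if the test alert
# does not appear, since the endpoint was created to log INFORMATIONAL and up.
# logName="projects/$PROJECT_ID/logs/ids.googleapis.com%2Fthreat"
# AND resource.type="ids.googleapis.com/Endpoint"
# AND resource.labels.id="$ENDPOINT_NAME"
# AND timestamp >= "2021-04-18T08:00:00-07"
# AND timestamp <= "2021-04-18T09:00:00-07"
# AND jsonPayload.alert_severity=("HIGH" OR "CRITICAL")

#####################################################################
# CLEANUP (run by hand when finished; the peering and reserved range are
# left in place because other private services may share them)
#####################################################################
# gcloud compute instances delete "$TEST_INSTANCE" --zone "$GCP_ZONE"
# gcloud compute packet-mirrorings delete "$POLICY_NAME" --region "$GCP_REGION"
# gcloud ids endpoints delete "$ENDPOINT_NAME" --zone "$GCP_ZONE"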

Results

Terminal (success)

Screen Shot 2022-01-20 at 5 15 37 PM

Console (success)

Screen Shot 2022-01-20 at 5 24 26 PM


Testing result

Screen Shot 2022-01-20 at 5 48 55 PM
