first commit

2025-07-04 13:26:38 +03:00 · 2024-11-22 21:50:29 +03:00 · 2024-11-22 21:50:29 +03:00 · eb27dcece2
commit eb27dcece2
11 changed files with 2461 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
 suricata-update -f
 Dashboard Id: 22247
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,66 @@
 name: ids
 volumes:
  logs: {}
  grafana-storage: {}
 services:
  suricata:
    stdin_open: true
    tty: true
    network_mode: host
    volumes:
      - ./eve.json:/var/log/suricata/eve.json:rw
      - ./suricata:/etc/suricata
      - ./suricata-rules:/var/lib/suricata/rules
    cap_add:
      - net_admin
      - net_raw
      - sys_nice
    image: jasonish/suricata:latest
    command: -i eth0
  loki:
    image: grafana/loki:2.9.2
    ports:
      - "3100:3100"
    volumes:
      - ./loki-local-config.yaml:/etc/loki/local-config.yaml
    command: -config.file=/etc/loki/local-config.yaml
  promtail:
    image: grafana/promtail:2.9.2
    stdin_open: true
    tty: true
    volumes:
      - ./eve.json:/var/log/eve.json:ro
      - ./promtail-config.yml:/etc/promtail/config.yml
    command: -config.file=/etc/promtail/config.yml
  grafana:
    volumes:
      - grafana-storage:/var/lib/grafana
    environment:
      - GF_PATHS_PROVISIONING=/etc/grafana/provisioning
      - GF_AUTH_ANONYMOUS_ENABLED=true
      - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
    entrypoint:
      - sh
      - -euc
      - |
        mkdir -p /etc/grafana/provisioning/datasources
        cat <<EOF > /etc/grafana/provisioning/datasources/ds.yaml
        apiVersion: 1
        datasources:
        - name: Loki
          type: loki
          access: proxy 
          orgId: 1
          url: http://loki:3100
          basicAuth: false
          isDefault: true
          version: 1
          editable: false
        EOF
        /run.sh
    image: grafana/grafana:latest
    ports:
      - "3000:3000"
--- a/eve.json
+++ b/eve.json
--- a/loki-local-config.yaml
+++ b/loki-local-config.yaml
@ -0,0 +1,50 @@
 auth_enabled: false
 server:
  http_listen_port: 3100
  grpc_listen_port: 9096
 common:
  instance_addr: 127.0.0.1
  path_prefix: /tmp/loki
  storage:
    filesystem:
      chunks_directory: /tmp/loki/chunks
      rules_directory: /tmp/loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
 query_range:
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100
 schema_config:
  configs:
    - from: 2020-10-24
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h
 ruler:
  alertmanager_url: http://localhost:9093
 # By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
 # analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
 #
 # Statistics help us better understand how Loki is used, and they show us performance
 # levels for most users. This helps us prioritize features and documentation.
 # For more information on what's sent, look at
 # https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
 # Refer to the buildReport method to see what goes into a report.
 #
 # If you would like to disable reporting, uncomment the following lines:
 #analytics:
 #  reporting_enabled: false
--- a/promtail-config.yml
+++ b/promtail-config.yml
@ -0,0 +1,44 @@
 server:
  http_listen_port: 9080
  grpc_listen_port: 0
 # Log only messages with the given severity or above. Supported values [debug,
 # info, warn, error]
 #  log_level: debug
 positions:
  filename: /tmp/positions.yaml
 clients:
  - url: http://loki:3100/loki/api/v1/push
 scrape_configs:
  - job_name: suricata
 # json on eve.json
    pipeline_stages:
         - json:
             expressions:
               event_type: event_type
               src_ip: src_ip
               proto: proto
               dest_port: dest_port
               alert:
         - json:
             expressions:
               action: action
               signature_id: signature_id
               signature: signature
               category: category
               severity: severity
             source: alert
         - labels:
             event_type:
             src_ip:
             proto:
             dest_port:
             signature_id:
             signature:
             category:
             severity:
    static_configs:
      - targets:
        - localhost
        labels:
          job: suricata_logs
          __path__: /var/log/eve.json
--- a/suricata-rules/.gitkeep
+++ b/suricata-rules/.gitkeep
--- a/suricata/classification.config
+++ b/suricata/classification.config
@ -0,0 +1,51 @@
 #
 # config classification:shortname,short description,priority
 #
 config classification: not-suspicious,Not Suspicious Traffic,3
 config classification: unknown,Unknown Traffic,3
 config classification: bad-unknown,Potentially Bad Traffic, 2
 config classification: attempted-recon,Attempted Information Leak,2
 config classification: successful-recon-limited,Information Leak,2
 config classification: successful-recon-largescale,Large Scale Information Leak,2
 config classification: attempted-dos,Attempted Denial of Service,2
 config classification: successful-dos,Denial of Service,2
 config classification: attempted-user,Attempted User Privilege Gain,1
 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
 config classification: successful-user,Successful User Privilege Gain,1
 config classification: attempted-admin,Attempted Administrator Privilege Gain,1
 config classification: successful-admin,Successful Administrator Privilege Gain,1
 # NEW CLASSIFICATIONS
 config classification: rpc-portmap-decode,Decode of an RPC Query,2
 config classification: shellcode-detect,Executable code was detected,1
 config classification: string-detect,A suspicious string was detected,3
 config classification: suspicious-filename-detect,A suspicious filename was detected,2
 config classification: suspicious-login,An attempted login using a suspicious username was detected,2
 config classification: system-call-detect,A system call was detected,2
 config classification: tcp-connection,A TCP connection was detected,4
 config classification: trojan-activity,A Network Trojan was detected, 1
 config classification: unusual-client-port-connection,A client was using an unusual port,2
 config classification: network-scan,Detection of a Network Scan,3
 config classification: denial-of-service,Detection of a Denial of Service Attack,2
 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
 config classification: protocol-command-decode,Generic Protocol Command Decode,3
 config classification: web-application-activity,access to a potentially vulnerable web application,2
 config classification: web-application-attack,Web Application Attack,1
 config classification: misc-activity,Misc activity,3
 config classification: misc-attack,Misc Attack,2
 config classification: icmp-event,Generic ICMP event,3
 config classification: inappropriate-content,Inappropriate Content was Detected,1
 config classification: policy-violation,Potential Corporate Privacy Violation,1
 config classification: default-login-attempt,Attempt to login by a default username and password,2
 # Update
 config classification: targeted-activity,Targeted Malicious Activity was Detected,1
 config classification: exploit-kit,Exploit Kit Activity Detected,1
 config classification: external-ip-check,Device Retrieving External IP Address Detected,2
 config classification: domain-c2,Domain Observed Used for C2 Detected,1
 config classification: pup-activity,Possibly Unwanted Program Detected,2
 config classification: credential-theft,Successful Credential Theft Detected,1
 config classification: social-engineering,Possible Social Engineering Attempted,2
 config classification: coin-mining,Crypto Currency Mining Activity Detected,2
 config classification: command-and-control,Malware Command and Control Activity Detected,1
--- a/suricata/reference.config
+++ b/suricata/reference.config
@ -0,0 +1,26 @@
 # config reference: system URL
 config reference: bugtraq   http://www.securityfocus.com/bid/
 config reference: bid	    http://www.securityfocus.com/bid/
 config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
 #config reference: cve       http://cvedetails.com/cve/
 config reference: secunia   http://www.secunia.com/advisories/
 #whitehats is unfortunately gone
 config reference: arachNIDS http://www.whitehats.com/info/IDS
 config reference: McAfee    http://vil.nai.com/vil/content/v_
 config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
 config reference: url       http://
 config reference: et        http://doc.emergingthreats.net/
 config reference: etpro     http://doc.emergingthreatspro.com/
 config reference: telus     http://
 config reference: osvdb     http://osvdb.org/show/osvdb/
 config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
 config reference: md5	    http://www.threatexpert.com/report.aspx?md5=
 config reference: exploitdb http://www.exploit-db.com/exploits/
 config reference: openpacket https://www.openpacket.org/capture/grab/
 config reference: securitytracker http://securitytracker.com/id?
 config reference: secunia   http://secunia.com/advisories/
 config reference: xforce    http://xforce.iss.net/xforce/xfdb/
 config reference: msft      http://technet.microsoft.com/security/bulletin/
--- a/suricata/suricata.yaml
+++ b/suricata/suricata.yaml
--- a/suricata/threshold.config
+++ b/suricata/threshold.config
@ -0,0 +1,32 @@
 # Thresholding:
 #
 # This feature is used to reduce the number of logged alerts for noisy rules.
 # Thresholding commands limit the number of times a particular event is logged
 # during a specified time interval.
 #
 # The syntax is the following:
 #
 # threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
 #
 # event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
 #
 # suppress gen_id <gid>, sig_id <sid>
 # suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
 #
 # The options are documented at https://docs.suricata.io/en/latest/configuration/global-thresholds.html
 #
 # Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
 # and global thresholds is documented here:
 # https://docs.suricata.io/en/latest/configuration/global-thresholds.html#global-thresholds-vs-rule-thresholds
 # Limit to 10 alerts every 10 seconds for each source host
 #threshold gen_id 0, sig_id 0, type limit, track by_src, count 10, seconds 10
 # Limit to 1 alert every 10 seconds for signature with sid 2404000 per destination host
 #threshold gen_id 1, sig_id 2404000, type limit, track by_dst, count 1, seconds 10
 # Avoid to alert on f-secure update
 # Example taken from https://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
 #suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
 #suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
 #suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25
--- a/suricata/update.yaml
+++ b/suricata/update.yaml
@ -0,0 +1 @@
 reload-command: suricatasc -c reload-rules