first commit

2025-07-04 13:26:38 +03:00 · 2024-11-22 21:50:29 +03:00 · 2024-11-22 21:50:29 +03:00 · eb27dcece2
commit eb27dcece2
11 changed files with 2461 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
+suricata-update -f
+
+Dashboard Id: 22247
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,66 @@
+name: ids
+volumes:
+  logs: {}
+  grafana-storage: {}
+services:
+  suricata:
+    stdin_open: true
+    tty: true
+    network_mode: host
+    volumes:
+      - ./eve.json:/var/log/suricata/eve.json:rw
+      - ./suricata:/etc/suricata
+      - ./suricata-rules:/var/lib/suricata/rules
+    cap_add:
+      - net_admin
+      - net_raw
+      - sys_nice
+    image: jasonish/suricata:latest
+    command: -i eth0
+
+  loki:
+    image: grafana/loki:2.9.2
+    ports:
+      - "3100:3100"
+    volumes:
+      - ./loki-local-config.yaml:/etc/loki/local-config.yaml
+    command: -config.file=/etc/loki/local-config.yaml
+
+  promtail:
+    image: grafana/promtail:2.9.2
+    stdin_open: true
+    tty: true
+    volumes:
+      - ./eve.json:/var/log/eve.json:ro
+      - ./promtail-config.yml:/etc/promtail/config.yml
+    command: -config.file=/etc/promtail/config.yml
+
+  grafana:
+    volumes:
+      - grafana-storage:/var/lib/grafana
+    environment:
+      - GF_PATHS_PROVISIONING=/etc/grafana/provisioning
+      - GF_AUTH_ANONYMOUS_ENABLED=true
+      - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
+    entrypoint:
+      - sh
+      - -euc
+      - |
+        mkdir -p /etc/grafana/provisioning/datasources
+        cat <<EOF > /etc/grafana/provisioning/datasources/ds.yaml
+        apiVersion: 1
+        datasources:
+        - name: Loki
+          type: loki
+          access: proxy 
+          orgId: 1
+          url: http://loki:3100
+          basicAuth: false
+          isDefault: true
+          version: 1
+          editable: false
+        EOF
+        /run.sh
+    image: grafana/grafana:latest
+    ports:
+      - "3000:3000"
--- a/eve.json
+++ b/eve.json
--- a/loki-local-config.yaml
+++ b/loki-local-config.yaml
@ -0,0 +1,50 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /tmp/loki
+  storage:
+    filesystem:
+      chunks_directory: /tmp/loki/chunks
+      rules_directory: /tmp/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+#analytics:
+#  reporting_enabled: false
--- a/promtail-config.yml
+++ b/promtail-config.yml
@ -0,0 +1,44 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+# Log only messages with the given severity or above. Supported values [debug,
+# info, warn, error]
+#  log_level: debug
+positions:
+  filename: /tmp/positions.yaml
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+scrape_configs:
+  - job_name: suricata
+# json on eve.json
+    pipeline_stages:
+         - json:
+             expressions:
+               event_type: event_type
+               src_ip: src_ip
+               proto: proto
+               dest_port: dest_port
+               alert:
+         - json:
+             expressions:
+               action: action
+               signature_id: signature_id
+               signature: signature
+               category: category
+               severity: severity
+             source: alert
+         - labels:
+             event_type:
+             src_ip:
+             proto:
+             dest_port:
+             signature_id:
+             signature:
+             category:
+             severity:
+    static_configs:
+      - targets:
+        - localhost
+        labels:
+          job: suricata_logs
+          __path__: /var/log/eve.json
--- a/suricata-rules/.gitkeep
+++ b/suricata-rules/.gitkeep
--- a/suricata/classification.config
+++ b/suricata/classification.config
@ -0,0 +1,51 @@
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: inappropriate-content,Inappropriate Content was Detected,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
+
+# Update
+config classification: targeted-activity,Targeted Malicious Activity was Detected,1
+config classification: exploit-kit,Exploit Kit Activity Detected,1
+config classification: external-ip-check,Device Retrieving External IP Address Detected,2
+config classification: domain-c2,Domain Observed Used for C2 Detected,1
+config classification: pup-activity,Possibly Unwanted Program Detected,2
+config classification: credential-theft,Successful Credential Theft Detected,1
+config classification: social-engineering,Possible Social Engineering Attempted,2
+config classification: coin-mining,Crypto Currency Mining Activity Detected,2
+config classification: command-and-control,Malware Command and Control Activity Detected,1
--- a/suricata/reference.config
+++ b/suricata/reference.config
@ -0,0 +1,26 @@
+# config reference: system URL
+
+config reference: bugtraq   http://www.securityfocus.com/bid/
+config reference: bid	    http://www.securityfocus.com/bid/
+config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+#config reference: cve       http://cvedetails.com/cve/
+config reference: secunia   http://www.secunia.com/advisories/
+
+#whitehats is unfortunately gone
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+config reference: McAfee    http://vil.nai.com/vil/content/v_
+config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url       http://
+config reference: et        http://doc.emergingthreats.net/
+config reference: etpro     http://doc.emergingthreatspro.com/
+config reference: telus     http://
+config reference: osvdb     http://osvdb.org/show/osvdb/
+config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
+config reference: md5	    http://www.threatexpert.com/report.aspx?md5=
+config reference: exploitdb http://www.exploit-db.com/exploits/
+config reference: openpacket https://www.openpacket.org/capture/grab/
+config reference: securitytracker http://securitytracker.com/id?
+config reference: secunia   http://secunia.com/advisories/
+config reference: xforce    http://xforce.iss.net/xforce/xfdb/
+config reference: msft      http://technet.microsoft.com/security/bulletin/
--- a/suricata/suricata.yaml
+++ b/suricata/suricata.yaml
--- a/suricata/threshold.config
+++ b/suricata/threshold.config
@ -0,0 +1,32 @@
+# Thresholding:
+#
+# This feature is used to reduce the number of logged alerts for noisy rules.
+# Thresholding commands limit the number of times a particular event is logged
+# during a specified time interval.
+#
+# The syntax is the following:
+#
+# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
+#
+# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
+#
+# suppress gen_id <gid>, sig_id <sid>
+# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
+#
+# The options are documented at https://docs.suricata.io/en/latest/configuration/global-thresholds.html
+#
+# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
+# and global thresholds is documented here:
+# https://docs.suricata.io/en/latest/configuration/global-thresholds.html#global-thresholds-vs-rule-thresholds
+
+# Limit to 10 alerts every 10 seconds for each source host
+#threshold gen_id 0, sig_id 0, type limit, track by_src, count 10, seconds 10
+
+# Limit to 1 alert every 10 seconds for signature with sid 2404000 per destination host
+#threshold gen_id 1, sig_id 2404000, type limit, track by_dst, count 1, seconds 10
+
+# Avoid to alert on f-secure update
+# Example taken from https://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
+#suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
+#suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
+#suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25
--- a/suricata/update.yaml
+++ b/suricata/update.yaml
@ -0,0 +1 @@
+reload-command: suricatasc -c reload-rules