# Delete all rulesiptables-F# List all rulesiptables-Liptables-S# Block IP addresses & portsiptables-IINPUT-sip1,ip2,ip3-jDROPiptables-IINPUT-ptcp--dport443-jDROPiptables-IINPUT-sip1,ip2-ptcp--dport443-jDROP# String based drop## Strings are case sensitive (pretty easy to bypass if you want to check an SQLi for example)iptables-IINPUT-ptcp--dport<port_listening>-mstring--algobm--string'<payload>'-jDROPiptables-IOUTPUT-ptcp--sport<port_listening>-mstring--algobm--string'CTF{'-jDROP## You can also check for the hex, base64 and double base64 of the expected CTF flag chars# Drop every input port except someiptables-PINPUTDROP# Default to dropiptables-IINPUT-ptcp--dport8000-jACCEPTiptables-IINPUT-ptcp--dport443-jACCEPT# Persist Iptables## Debian/Ubuntu:apt-getinstalliptables-persistentiptables-save>/etc/iptables/rules.v4ip6tables-save>/etc/iptables/rules.v6iptables-restore</etc/iptables/rules.v4##RHEL/CentOS:iptables-save>/etc/sysconfig/iptablesip6tables-save>/etc/sysconfig/ip6tablesiptables-restore</etc/sysconfig/iptables
Suricata
安装与配置
# Install details from: https://suricata.readthedocs.io/en/suricata-6.0.0/install.html#install-binary-packages# Ubuntuadd-apt-repositoryppa:oisf/suricata-stableapt-getupdateapt-getinstallsuricata# Debianecho"deb http://http.debian.net/debian buster-backports main"> \/etc/apt/sources.list.d/backports.listapt-getupdateapt-getinstallsuricata-tbuster-backports# CentOSyuminstallepel-releaseyuminstallsuricata# Get rulessuricata-updatesuricata-updatelist-sources#List sources of the rulessuricata-updateenable-sourceet/open#Add et/open rulesetssuricata-update## To use the dowloaded rules update the following line in /etc/suricata/suricata.yamldefault-rule-path:/var/lib/suricata/rulesrule-files:-suricata.rules# Run## Add rules in /etc/suricata/rules/suricata.rulessystemctlsuricatastartsuricata-c/etc/suricata/suricata.yaml-ieth0# Reload rulessuricatasc-cruleset-reload-nonblocking## or set the follogin in /etc/suricata/suricata.yamldetect-engine:-rule-reload:true# Validate suricata configsuricata-T-c/etc/suricata/suricata.yaml-v# Configure suricata as IPs## Config drop to generate alerts## Search for the following lines in /etc/suricata/suricata.yaml and remove comments:-drop:alerts:yesflows:all## Forward all packages to the queue where suricata can act as IPSiptables-IINPUT-jNFQUEUEiptables-IOUTPUT-jNFQUEUE## Start suricata in IPS modesuricata-c/etc/suricata/suricata.yaml-q0### or modify the service config file as:systemctleditsuricata.service[Service]ExecStart=ExecStart=/usr/bin/suricata-c/etc/suricata/suricata.yaml--pidfile/run/suricata.pid-q0-vvvType=simplesystemctldaemon-reload
# Meta Keywordsmsg:"description"; #Set a description to the rulesid:123#Set a unique ID to the rulerev:1#Rule revision numberconfigclassification:not-suspicious,NotSuspiciousTraffic,3#Classifyreference:url,www.info.com#Referencepriority:1; #Set a prioritymetadata:keyvalue,keyvalue; #Extra metadata# Filter by geolocationgeoip:src,RU;# ICMP type & Codeitype:<10;icode:0# Filter by stringcontent:"something"content:|616161|#Hex: AAAcontent:"http|3A|//"#Mix string and hexcontent:"abc"; nocase; #Case insensitiverejecttcpanyany ->anyany (msg: "php-rce"; content:"eval"; nocase; metadata:tagphp-rce; sid:101; rev:1;)# Replaces string## Content and replace string must have the same lengthcontent:"abc"; replace:"def"alerttcpanyany ->anyany (msg: "flag replace"; content:"CTF{a6st"; replace:"CTF{u798"; nocase; sid:100; rev:1;)## The replace works in both input and output packets## But it only modifies the first match# Filter by regexpcre:"/<regex>/opts"pcre:"/NICK .*USA.*[0-9]{3,}/i"droptcpanyany ->anyany (msg:"regex"; pcre:"/CTF\{[\w]{3}/i"; sid:10001;)# Other examples## Drop by portdroptcpanyany ->any8000 (msg:"8000 port"; sid:1000;)