mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
108 lines
2.9 KiB
Markdown
108 lines
2.9 KiB
Markdown
# API Reference: Implementing Network Intrusion Prevention with Suricata
|
|
|
|
## Suricata Rule Syntax
|
|
|
|
```
|
|
action protocol src_ip src_port -> dst_ip dst_port (options;)
|
|
```
|
|
|
|
### Actions
|
|
|
|
| Action | Mode | Description |
|
|
|--------|------|-------------|
|
|
| `alert` | IDS/IPS | Generate alert |
|
|
| `pass` | IDS/IPS | Stop inspection of packet |
|
|
| `drop` | IPS only | Drop packet and generate alert |
|
|
| `reject` | IPS only | Send RST/ICMP unreachable + drop |
|
|
| `rejectsrc` | IPS only | Send RST/unreachable to source |
|
|
| `rejectboth` | IPS only | Send RST/unreachable to both |
|
|
|
|
### Example Rules
|
|
|
|
```
|
|
# Block known malicious TLS certificate
|
|
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Malicious TLS Cert"; tls.cert_subject; content:"CN=badactor.com"; sid:1000001; rev:1;)
|
|
|
|
# Detect and drop SQL injection attempts
|
|
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection Attempt"; flow:established,to_server; http.uri; pcre:"/(\%27)|(\')|(\-\-)|(\%23)|(#)/i"; sid:1000002; rev:1;)
|
|
|
|
# Alert on DNS exfiltration (long subdomain)
|
|
alert dns $HOME_NET any -> any 53 (msg:"DNS Exfiltration Possible"; dns.query; pcre:"/^[a-z0-9]{32,}\./i"; threshold:type both, track by_src, count 10, seconds 60; sid:1000003; rev:1;)
|
|
```
|
|
|
|
## suricata-update Commands
|
|
|
|
```bash
|
|
# Update rule sources
|
|
suricata-update update-sources
|
|
suricata-update list-sources
|
|
|
|
# Enable Emerging Threats Open ruleset
|
|
suricata-update enable-source et/open
|
|
|
|
# Update rules and reload
|
|
suricata-update
|
|
suricatasc -c reload-rules
|
|
```
|
|
|
|
## Suricata CLI
|
|
|
|
```bash
|
|
# IDS mode (passive)
|
|
suricata -c /etc/suricata/suricata.yaml -i eth0
|
|
|
|
# IPS mode (inline via NFQUEUE)
|
|
suricata -c /etc/suricata/suricata.yaml -q 0
|
|
|
|
# Offline PCAP analysis
|
|
suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /var/log/suricata/
|
|
|
|
# Test configuration
|
|
suricata -T -c /etc/suricata/suricata.yaml
|
|
|
|
# Unix socket control
|
|
suricatasc -c reload-rules
|
|
suricatasc -c dump-counters
|
|
suricatasc -c iface-stat eth0
|
|
```
|
|
|
|
## EVE JSON Log Format
|
|
|
|
```json
|
|
{
|
|
"timestamp": "2025-01-15T10:30:00.000000+0000",
|
|
"event_type": "alert",
|
|
"src_ip": "192.168.1.100",
|
|
"dest_ip": "10.0.0.5",
|
|
"src_port": 52341,
|
|
"dest_port": 443,
|
|
"proto": "TCP",
|
|
"alert": {
|
|
"action": "blocked",
|
|
"gid": 1,
|
|
"signature_id": 2028759,
|
|
"rev": 3,
|
|
"signature": "ET MALWARE Cobalt Strike Beacon",
|
|
"category": "A Network Trojan was detected",
|
|
"severity": 1
|
|
}
|
|
}
|
|
```
|
|
|
|
## Performance Tuning
|
|
|
|
| Setting | Default | Recommended (IPS) |
|
|
|---------|---------|-------------------|
|
|
| `max-pending-packets` | 1024 | 4096-65000 |
|
|
| `default-packet-size` | 1514 | 1514 |
|
|
| `runmode` | autofp | workers |
|
|
| `detect.profile` | medium | high |
|
|
| `mpm-algo` | auto | hs (Hyperscan) |
|
|
|
|
### References
|
|
|
|
- Suricata Docs: https://docs.suricata.io/en/latest/
|
|
- Suricata Rules Format: https://docs.suricata.io/en/latest/rules/intro.html
|
|
- ET Open Ruleset: https://rules.emergingthreats.net/open/
|
|
- suricata-update: https://suricata-update.readthedocs.io/en/latest/
|