mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


API Reference: Implementing Network Intrusion Prevention with Suricata

Suricata Rule Syntax

action protocol src_ip src_port -> dst_ip dst_port (options;)

Actions

| Action | Mode | Description |
|---|---|---|
| alert | IDS/IPS | Generate alert |
| pass | IDS/IPS | Stop inspection of packet |
| drop | IPS only | Drop packet and generate alert |
| reject | IPS only | Send RST/ICMP unreachable + drop |
| rejectsrc | IPS only | Send RST/unreachable to source |
| rejectboth | IPS only | Send RST/unreachable to both |

Example Rules

# Block known malicious TLS certificate
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Malicious TLS Cert"; tls.cert_subject; content:"CN=badactor.com"; sid:1000001; rev:1;)

# Detect and drop SQL injection attempts
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection Attempt"; flow:established,to_server; http.uri; pcre:"/(\%27)|(\')|(\-\-)|(\%23)|(#)/i"; sid:1000002; rev:1;)

# Alert on DNS exfiltration (long subdomain)
alert dns $HOME_NET any -> any 53 (msg:"DNS Exfiltration Possible"; dns.query; pcre:"/^[a-z0-9]{32,}\./i"; threshold:type both, track by_src, count 10, seconds 60; sid:1000003; rev:1;)
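As an added example (not code from the skill repository this reference belongs to), the following Python script parses rules written in the header/options form shown above and lints them against the actions table: it splits the option body on `;` while keeping quoted values intact (so the `pcre` in the SQL injection rule survives as one option), requires `msg`, `sid` and `rev`, checks that `sid`/`rev` are integers, and flags `drop`/`reject*` rules that would only alert on a sensor running in IDS mode. The rule strings are the three examples above plus one constructed rule with missing options; `Rule`, `parse_rule`, `lint_rule` and `lint_ruleset` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Action keywords from the table above; the last four only block when
# Suricata runs inline (IPS). On an IDS-mode sensor they behave like alert.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectboth"}
IPS_ONLY_ACTIONS = {"drop", "reject", "rejectsrc", "rejectboth"}

# action protocol src_ip src_port -> dst_ip dst_port (options;)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>[\w-]+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    # (keyword, value) pairs; value is None for sticky buffers such as http.uri
    options: List[Tuple[str, Optional[str]]]


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split the option body on ';' without breaking quoted msg/content/pcre values."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                       # char after a backslash is taken literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option terminator outside quotes
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    parsed = []
    for item in items:
        key, sep, value = item.partition(":")
        parsed.append((key.strip(), value.strip() if sep else None))
    return parsed


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {line!r}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["direction"],
                m["dst"], m["dport"], split_options(m["opts"]))


def lint_rule(rule: Rule, ips_mode: bool) -> List[str]:
    """Return a list of problems; an empty list means the rule passed every check."""
    problems = []
    opts = dict(rule.options)
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    elif rule.action in IPS_ONLY_ACTIONS and not ips_mode:
        problems.append(f"{rule.action} only blocks in IPS mode; in IDS mode it just alerts")
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            problems.append(f"missing required option {required}")
    for numeric in ("sid", "rev"):
        if opts.get(numeric) is not None and not opts[numeric].isdigit():
            problems.append(f"{numeric} must be an integer, got {opts[numeric]!r}")
    return problems


def lint_ruleset(rules: List[str], ips_mode: bool = True) -> dict:
    """Map each rule's sid (or its full text when sid is absent) to its findings."""
    report = {}
    for line in rules:
        rule = parse_rule(line)
        key = dict(rule.options).get("sid") or line
        report[key] = lint_rule(rule, ips_mode)
    return report


# The three rules from this reference, plus one constructed rule lacking sid/rev.
PAGE_RULES = [
    r'drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Malicious TLS Cert"; tls.cert_subject; content:"CN=badactor.com"; sid:1000001; rev:1;)',
    r'drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"SQL Injection Attempt"; flow:established,to_server; http.uri; pcre:"/(\%27)|(\')|(\-\-)|(\%23)|(#)/i"; sid:1000002; rev:1;)',
    r'alert dns $HOME_NET any -> any 53 (msg:"DNS Exfiltration Possible"; dns.query; pcre:"/^[a-z0-9]{32,}\./i"; threshold:type both, track by_src, count 10, seconds 60; sid:1000003; rev:1;)',
]
BROKEN_RULE = 'alert http any any -> any any (msg:"no sid here"; http.uri; content:"/admin";)'

if __name__ == "__main__":
    # Lint as if the sensor ran in IDS mode, so the drop rules are called out.
    for key, problems in lint_ruleset(PAGE_RULES + [BROKEN_RULE], ips_mode=False).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Run it with `ips_mode=True` when the sensor is started with `-q 0` (NFQUEUE) and with `ips_mode=False` for a passive `-i eth0` deployment; the IDS-mode run is the useful one before a ruleset migration, because it lists every rule whose blocking action is silently reduced to an alert. The tokenizer only tracks double quotes and backslash escapes, which is enough for `msg`, `content` and `pcre`; it does not validate keyword semantics, so `suricata -T` remains the authoritative check.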

suricata-update Commands

# Update rule sources
suricata-update update-sources
suricata-update list-sources

# Enable Emerging Threats Open ruleset
suricata-update enable-source et/open

# Update rules and reload
suricata-update
suricatasc -c reload-rules

Suricata CLI

# IDS mode (passive)
suricata -c /etc/suricata/suricata.yaml -i eth0

# IPS mode (inline via NFQUEUE)
suricata -c /etc/suricata/suricata.yaml -q 0

# Offline PCAP analysis
suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /var/log/suricata/

# Test configuration
suricata -T -c /etc/suricata/suricata.yaml

# Unix socket control
suricatasc -c reload-rules
suricatasc -c dump-counters
suricatasc -c iface-stat eth0

EVE JSON Log Format

{
  "timestamp": "2025-01-15T10:30:00.000000+0000",
  "event_type": "alert",
  "src_ip": "192.168.1.100",
  "dest_ip": "10.0.0.5",
  "src_port": 52341,
  "dest_port": 443,
  "proto": "TCP",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2028759,
    "rev": 3,
    "signature": "ET MALWARE Cobalt Strike Beacon",
    "category": "A Network Trojan was detected",
    "severity": 1
  }
}
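The record above is one line of `eve.json`, which Suricata writes as newline-delimited JSON. As an added example (not code from the skill repository or from the Suricata project), the following Python script reads such lines, skips anything that is not a JSON object, and summarises the alert events: counts per `alert.action` and per signature, the sources whose traffic was blocked, and high-severity alerts whose action was `allowed`, which on an inline sensor means the matching traffic went through and deserves a look at whether the rule is `alert` rather than `drop`. The sample lines are constructed; the first reproduces the page's record, the rest are made up to exercise the logic. `parse_eve` and `summarize_alerts` are names chosen for this example.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed eve.json lines (one object per line). The first reproduces the
# record shown above; the others are invented for this example.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2025-01-15T10:30:00.000000+0000", "event_type": "alert", '
    '"src_ip": "192.168.1.100", "dest_ip": "10.0.0.5", "src_port": 52341, "dest_port": 443, '
    '"proto": "TCP", "alert": {"action": "blocked", "gid": 1, "signature_id": 2028759, "rev": 3, '
    '"signature": "ET MALWARE Cobalt Strike Beacon", "category": "A Network Trojan was detected", '
    '"severity": 1}}',
    '{"timestamp": "2025-01-15T10:30:07.000000+0000", "event_type": "alert", '
    '"src_ip": "192.168.1.100", "dest_ip": "10.0.0.5", "src_port": 52390, "dest_port": 443, '
    '"proto": "TCP", "alert": {"action": "blocked", "gid": 1, "signature_id": 2028759, "rev": 3, '
    '"signature": "ET MALWARE Cobalt Strike Beacon", "category": "A Network Trojan was detected", '
    '"severity": 1}}',
    '{"timestamp": "2025-01-15T10:31:00.000000+0000", "event_type": "alert", '
    '"src_ip": "192.168.1.50", "dest_ip": "10.0.0.8", "src_port": 40211, "dest_port": 53, '
    '"proto": "UDP", "alert": {"action": "allowed", "gid": 1, "signature_id": 1000003, "rev": 1, '
    '"signature": "DNS Exfiltration Possible", "category": "", "severity": 3}}',
    '{"timestamp": "2025-01-15T10:32:10.000000+0000", "event_type": "alert", '
    '"src_ip": "192.168.1.77", "dest_ip": "10.0.0.5", "src_port": 50120, "dest_port": 443, '
    '"proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 2028759, "rev": 3, '
    '"signature": "ET MALWARE Cobalt Strike Beacon", "category": "A Network Trojan was detected", '
    '"severity": 1}}',
    '{"timestamp": "2025-01-15T10:32:11.000000+0000", "event_type": "flow", '
    '"src_ip": "192.168.1.7", "dest_ip": "10.0.0.9", "proto": "TCP"}',
    'not json at all',
]


def parse_eve(lines: Iterable[str]) -> List[dict]:
    """Decode EVE records, silently skipping blank or non-JSON lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def summarize_alerts(lines: Iterable[str], max_severity: int = 1) -> Dict:
    """Aggregate alert events: counts per action and signature, blocked sources,
    and high-severity alerts whose action was 'allowed' (the traffic got through)."""
    alerts = [r for r in parse_eve(lines)
              if r.get("event_type") == "alert" and isinstance(r.get("alert"), dict)]
    by_action = Counter(r["alert"].get("action", "unknown") for r in alerts)
    by_signature = Counter(r["alert"].get("signature", "?") for r in alerts)
    blocked_sources = Counter(r.get("src_ip", "?") for r in alerts
                              if r["alert"].get("action") == "blocked")
    # Suricata's default priority is 3, so a missing severity counts as low.
    allowed_high = sorted(
        (r.get("src_ip", "?"), r["alert"].get("signature", "?"))
        for r in alerts
        if r["alert"].get("severity", 3) <= max_severity
        and r["alert"].get("action") == "allowed"
    )
    return {
        "alerts": len(alerts),
        "by_action": dict(by_action),
        "by_signature": dict(by_signature),
        "blocked_sources": dict(blocked_sources),
        "allowed_high_severity": allowed_high,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_alerts(SAMPLE_EVE_LINES), indent=2))
```

On a live sensor, pass the file object instead of the sample list, e.g. `summarize_alerts(open("/var/log/suricata/eve.json"))`; because `parse_eve` iterates line by line it works on a partially written log as well. The `allowed_high_severity` list is the IPS sanity check: after switching a ruleset from `alert` to `drop`, it should shrink to the rules you deliberately left in alert-only mode.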

Performance Tuning

| Setting | Default | Recommended (IPS) |
|---|---|---|
| max-pending-packets | 1024 | 4096-65000 |
| default-packet-size | 1514 | 1514 |
| runmode | autofp | workers |
| detect.profile | medium | high |
| mpm-algo | auto | hs (Hyperscan) |

References