# Blue Team Tool Cheat Sheet
###### tags: `Blue Team` `Security`
## Suricata
https://docs.suricata.io/en/latest/rules/index.html
rule format
```
<action> <protocol> <src ip> <src port> <direction> <dst ip> <dst port> (<rule option>; <rule option>)
```
### actions
- alert : emit an alert
- pass : accept the packet
- drop : discard the packet silently (nothing is sent back to the source) and emit an alert
- reject : reject the packet, sending a TCP RST or ICMP error to the source, and emit an alert
- rejectsrc : same as reject
- rejectdst : same as reject, but the RST / ICMP error is sent to the destination
- rejectboth : same as reject, but the RST / ICMP error is sent to both source and destination
### header
- ip: CIDR notation, `!` negation, `[]` grouping, `any`, variables such as `$HOME_NET`
- port: `:` range, `!` negation, `[]` grouping, `any`
- direction: `->`, `<>`
### example
- `alert tls any any -> any any (msg: "[TLS test] client hello"; ssl_state: client_hello; sid: 1;)`
- `alert tcp any any -> $HOME_NET any (msg: "[SYN Scan test]"; tcp.flags: S; threshold: type both, track by_dst, count 1000, seconds 3; sid: 2;)`
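Added example (not from the Suricata docs or this cheat sheet): a small Python linter for the rule format above that checks the action against the list in the "actions" section, splits the option block without breaking on a `;` inside a quoted `msg`, and flags missing or duplicate `sid`s before a rule file is handed to Suricata. `SAMPLE` is a constructed ruleset built from the two rules above plus one mistyped rule.

```python
import re
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body: str) -> dict:
    """Split 'k: v; k2; ...' on ';' outside double quotes (escaped \\" is not handled)."""
    opts = {}
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        key, _, value = opt.strip().partition(":")
        if key:
            opts[key.strip()] = value.strip().strip('"')  # bare keywords get ""
    return opts

def parse_rule(line: str) -> dict:
    """<action> <protocol> <src ip> <src port> <direction> <dst ip> <dst port> (<options>)"""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"header does not match the 7-field format: {line!r}")
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return {"action": action, "protocol": proto, "src": f"{sip} {sport}",
            "direction": direction, "dst": f"{dip} {dport}", "options": split_options(body)}

def lint_ruleset(lines) -> list:
    """Report what Suricata would refuse at load time: parse errors, missing or duplicate sid."""
    findings, seen = [], {}
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments
        try:
            rule = parse_rule(line)
        except ValueError as e:
            findings.append(f"line {n}: {e}")
            continue
        sid = rule["options"].get("sid")
        if sid is None:
            findings.append(f"line {n}: missing sid")
        elif sid in seen:
            findings.append(f"line {n}: duplicate sid {sid} (first used on line {seen[sid]})")
        else:
            seen[sid] = n
    return findings
# Constructed sample: the two cheat-sheet rules (both using sid 1) plus a rule with a mistyped action.
SAMPLE = [
    'alert tls any any -> any any (msg: "[TLS test] client hello"; ssl_state: client_hello; sid: 1;)',
    'alert tcp any any -> $HOME_NET any (msg: "[SYN Scan test]"; tcp.flags: S; threshold: type both, track by_dst, count 1000, seconds 3; sid: 1;)',
    'block tcp any any -> any 22 (msg: "mistyped action"; sid: 2;)',
]
```

Running `lint_ruleset(SAMPLE)` reports the duplicate `sid 1` on line 2 and the unknown action on line 3; the same check works on a real `.rules` file read with `open(...).read().splitlines()`.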
## Yara
https://yara.readthedocs.io/en/stable/writingrules.html
rule format
```
rule <rule name>
{
    meta:
        <metadata> = <metadata>
    strings:
        $<string name> = "<string>"
        $<string name> = { <hex string> }
    condition:
        $<string name> <op> $<string name>
}
```
### metadata
optional
### condition
- `and`, `or`
- `#<string name>` : number of occurrences of the string
- `at <offset>` : match at a given offset; `in (<start>..<end>)` : match within an offset range
- `filesize` : size of the scanned file
- `entrypoint` : entry point of a PE / ELF file
- `uint32(<addr>)` : reads a 32-bit unsigned little-endian integer at offset `<addr>`
- `<number> of ($<string name>, $<string name>)` : at least `<number>` of the listed strings match
- `for expression of string_set : ( boolean_expression )`
### example
```
rule silent_banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
```
## mitmproxy script
https://docs.mitmproxy.org/stable/api/events.html
example: https://github.com/mitmproxy/mitmproxy/blob/main/examples/addons/http-trailers.py
```python
from mitmproxy import http
from mitmproxy.http import Headers


def request(flow: http.HTTPFlow):
    if flow.request.trailers:
        print("HTTP Trailers detected! Request contains:", flow.request.trailers)

    if flow.request.path == "/inject_trailers":
        if flow.request.is_http10:
            # HTTP/1.0 doesn't support trailers
            return
        elif flow.request.is_http11:
            if not flow.request.content:
                # Avoid sending a body on GET requests or a 0 byte chunked body with trailers.
                # Otherwise some servers return 400 Bad Request.
                return
            # HTTP 1.1 requires transfer-encoding: chunked to send trailers
            flow.request.headers["transfer-encoding"] = "chunked"
        # HTTP 2+ supports trailers on all requests/responses

        flow.request.headers["trailer"] = "x-my-injected-trailer-header"
        flow.request.trailers = Headers([(b"x-my-injected-trailer-header", b"foobar")])
        print("Injected a new request trailer...", flow.request.headers["trailer"])


def response(flow: http.HTTPFlow):
    assert flow.response
    if flow.response.trailers:
        print("HTTP Trailers detected! Response contains:", flow.response.trailers)

    if flow.request.path == "/inject_trailers":
        if flow.request.is_http10:
            return
        elif flow.request.is_http11:
            if not flow.response.content:
                return
            flow.response.headers["transfer-encoding"] = "chunked"

        flow.response.headers["trailer"] = "x-my-injected-trailer-header"
        flow.response.trailers = Headers([(b"x-my-injected-trailer-header", b"foobar")])
        print("Injected a new response trailer...", flow.response.headers["trailer"])
```