
Blue Team Tool Cheat Sheet

tags: blue team, security

Suricata

https://docs.suricata.io/en/latest/rules/index.html

rule format

<action> <protocol> <src ip> <src port> <direction> <dst ip> <dst port> (<rule option>; <rule option>)

actions

  • alert : raise an alert
  • pass : accept the packet
  • drop : discard the packet; nothing is sent back to the source, but an alert is raised
  • reject : reject the packet; a TCP RST or ICMP error is sent to the source, and an alert is raised as well
  • rejectsrc : same as reject
  • rejectdst : same as reject, but the RST / ICMP error is sent to the destination
  • rejectboth : same as reject, but sent to both the source and the destination

header fields

  • ip: CIDR, ! inverse, [] grouping, any, $HOME_NET
  • port: : for a range, ! inverse, [] grouping, any
  • direction: ->, <>

example

  • alert tls any any -> any any (msg: "[TLS test] client hello"; ssl_state: client_hello; sid: 1;)
  • alert tcp any any -> $HOME_NET any (msg: "[SYN Scan test]"; tcp.flags: S; threshold: type both, track by_dst, count 1000, seconds 3; sid: 2;)
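Added example (not Suricata's own rule loader): a small parser for the header and option syntax listed above, plus a check for duplicate sids, which Suricata refuses to load. The sample rules in the test are constructed.

```python
"""Minimal Suricata rule parser (added example; not Suricata's own loader).
Covers the header syntax above (! negation, [] grouping, any, $VARS, port
ranges, -> / <> direction) and options split on ';' outside quoted values."""

def _split_header(text):
    """Whitespace-split the header, keeping '[a, b]' groups as one token."""
    tokens, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth == 0:
            tokens, cur = tokens + ([cur] if cur else []), ""
        else:
            cur += ch
    return tokens + ([cur] if cur else [])

def parse_spec(spec):
    """Expand an ip/port field into [(negated, value), ...]; '![a, b]' negates each."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec.startswith("[") and spec.endswith("]"):
        return [(negated != neg, v) for item in spec[1:-1].split(",")
                for neg, v in parse_spec(item.strip())]
    return [(negated, spec)]

def _split_options(text):
    """Split on ';' that is not inside a double-quoted (possibly escaped) value."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in text:
        if not esc and ch == ";" and not quoted:
            opts, cur = opts + [cur.strip()], ""
            continue
        quoted = quoted != (ch == '"' and not esc)
        esc = ch == "\\" and not esc
        cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])

def parse_rule(rule):
    """Return the header fields and an options dict for one rule line."""
    head, sep, rest = rule.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in ( ... )")
    tok = _split_header(head)
    if len(tok) != 7 or tok[4] not in ("->", "<>"):
        raise ValueError("malformed header: %r" % head.strip())
    options = {k.strip(): v.strip().strip('"') for k, _, v in
               (o.partition(":") for o in _split_options(rest[:-1]))}
    return {"action": tok[0], "protocol": tok[1], "src": parse_spec(tok[2]),
            "src_port": parse_spec(tok[3]), "direction": tok[4],
            "dst": parse_spec(tok[5]), "dst_port": parse_spec(tok[6]),
            "options": options}

def duplicate_sids(rules):
    """sids used by more than one rule; Suricata refuses to load such a ruleset."""
    sids = [parse_rule(r)["options"].get("sid") for r in rules]
    return sorted({s for s in sids if sids.count(s) > 1})
```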

Yara

https://yara.readthedocs.io/en/stable/writingrules.html

rule format

rule <rule name>
{
    meta:
        <key> = <value>
    strings:
        $<string name> = "<string>"
        $<string name> = { <hex string> }
    condition:
        $<string name> <op> $<string name>
}

metadata

optional

condition

  • and, or, not
  • #<string name> : number of occurrences of the string
  • $<string name> at <offset> / $<string name> in (<start>..<end>) : match at a fixed offset or within an offset range
  • filesize : size of the scanned file (suffixes KB / MB are accepted)
  • entrypoint : entry point of a PE or ELF file
  • uint32(<offset>) : read a 32-bit integer at that file offset (uint8 / uint16 and signed int* variants also exist)
  • <number> of ($<string name>, $<string name>) : at least that many of the listed strings match (any of / all of also work)
  • for <expression> of <string_set> : ( <boolean_expression> )

example

rule silent_banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

mitmproxy script

https://docs.mitmproxy.org/stable/api/events.html
example: https://github.com/mitmproxy/mitmproxy/blob/main/examples/addons/http-trailers.py

from mitmproxy import http
from mitmproxy.http import Headers


def request(flow: http.HTTPFlow):
    if flow.request.trailers:
        print("HTTP Trailers detected! Request contains:", flow.request.trailers)

    if flow.request.path == "/inject_trailers":
        if flow.request.is_http10:
            # HTTP/1.0 doesn't support trailers
            return
        elif flow.request.is_http11:
            if not flow.request.content:
                # Avoid sending a body on GET requests or a 0 byte chunked body with trailers.
                # Otherwise some servers return 400 Bad Request.
                return
            # HTTP 1.1 requires transfer-encoding: chunked to send trailers
            flow.request.headers["transfer-encoding"] = "chunked"
        # HTTP 2+ supports trailers on all requests/responses

        flow.request.headers["trailer"] = "x-my-injected-trailer-header"
        flow.request.trailers = Headers([(b"x-my-injected-trailer-header", b"foobar")])
        print("Injected a new request trailer...", flow.request.headers["trailer"])


def response(flow: http.HTTPFlow):
    assert flow.response
    if flow.response.trailers:
        print("HTTP Trailers detected! Response contains:", flow.response.trailers)

    if flow.request.path == "/inject_trailers":
        if flow.request.is_http10:
            return
        elif flow.request.is_http11:
            if not flow.response.content:
                return
            flow.response.headers["transfer-encoding"] = "chunked"

        flow.response.headers["trailer"] = "x-my-injected-trailer-header"
        flow.response.trailers = Headers([(b"x-my-injected-trailer-header", b"foobar")])
        print("Injected a new response trailer...", flow.response.headers["trailer"])