From ecd94928814037645ca0475d05f0a3914faee252 Mon Sep 17 00:00:00 2001
From: Random936
Date: Fri, 7 Feb 2025 21:52:05 -0800
Subject: [PATCH] Added blackbox and moved suricata config to separate file
---
config/assets/blackbox.yml | 14 ++
config/assets/suricata.yaml | 109 ++++++++++++++
config/logging.nix | 281 ++++++++++++++++++++----------------
3 files changed, 277 insertions(+), 127 deletions(-)
create mode 100644 config/assets/blackbox.yml
create mode 100644 config/assets/suricata.yaml
diff --git a/config/assets/blackbox.yml b/config/assets/blackbox.yml
new file mode 100644
index 0000000..d361621
--- /dev/null
+++ b/config/assets/blackbox.yml
@@ -0,0 +1,14 @@
+modules:
+ icmp:
+ prober: icmp
+ http_2xx:
+ prober: http
+ http:
+ preferred_ip_protocol: ip4
+ http_2xx_tls_no_verify:
+ prober: http
+ http:
+ tls_config:
+ insecure_skip_verify: true
+
+
diff --git a/config/assets/suricata.yaml b/config/assets/suricata.yaml
new file mode 100644
index 0000000..dee2272
--- /dev/null
+++ b/config/assets/suricata.yaml
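Review bot: The `http_2xx_tls_no_verify` module turns off certificate checking for every target that selects it, and nothing in the file records that it is meant only for internal endpoints with self-signed certificates; add `# TLS verification disabled: only for internal self-signed endpoints, never public hosts` above `tls_config:`. The module also lacks the `preferred_ip_protocol: ip4` that `http_2xx` sets, so the two HTTP modules may resolve dual-stack targets differently; copying that line keeps them consistent. The file ends with two blank lines that can be dropped.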
@@ -0,0 +1,109 @@
+ %YAML 1.1
+ ---
+
+ vars:
+ address-groups:
+ HOME_NET: "[192.168.100.0/24]"
+ EXTERNAL_NET: "!$HOME_NET"
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+ default-log-dir: /home/logging/logs
+ classification-file: /etc/suricata/classification.config
+ reference-config-file: /etc/suricata/reference.config
+ default-rule-path: /etc/suricata/rules
+ rule-files:
+ - suricata.rules
+
+ stats:
+ enabled: yes
+
+ af-packet:
+ - interface: enp6s18
+ use-mmap: yes
+ tpacket-v3: yes
+ cluster-id: 99
+ cluster-type: cluster_flow
+ defrag: yes
+
+ outputs:
+ - fast:
+ enabled: yes
+ filename: fast.log
+ append: yes
+
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - http:
+ extended: yes
+ - http2
+ - dns:
+ enabled: yes
+ - tls:
+ extended: yes
+ - flow
+ - mqtt
+ - ssh
+ - dhcp:
+ enabled: yes
+ - arp:
+ enabled: yes
+ - ldap
+ - quic
+ - sip
+ - rfb
+ - snmp
+ - bittorrent-dht
+ - krb5
+ - dcerpc
+ - ike
+ - tftp
+ - smb
+ - nfs
+ - rdp
+ - ftp
+ - websocket
+ - smtp
+
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap
+ limit: 1gb
+ max-files: 20
+
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+ totals: yes
+ threads: no
+
diff --git a/config/logging.nix b/config/logging.nix
index 8b0593a..21d0ddb 100644
--- a/config/logging.nix
+++ b/config/logging.nix
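Review bot: Whether `%YAML 1.1` and `---` now start at column 0 cannot be told from the collapsed hunk; the text previously lived in a Nix `''` string that stripped the common indentation, and if the standalone file kept that indentation the directive will not be accepted at the top of the file. Please confirm the first two lines are unindented. A short header comment would also help now that the file no longer sits next to the host definition, e.g. `# Suricata config for r330-logging: enp6s18 is the af-packet capture interface, HOME_NET is the LAN`.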
@@ -6,7 +6,7 @@
(import ./networking.nix {
hostname = "r330-logging";
ip_address = "192.168.100.41";
- open_ports = [ 3000 9001 ];
+ open_ports = [ 3000 9001 9003 ];
inherit lib;
})
];
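Review bot: Port 9003 is added to `open_ports`, but the only consumer of the blackbox exporter in this patch is Prometheus on the same host, which reaches it through the relabel to `127.0.0.1:9003` in the next hunk, so the firewall opening looks unnecessary. The exporter's `/probe` endpoint issues an HTTP or ICMP request to whatever `target` a caller supplies, so exposing it on the LAN lets any host on 192.168.100.0/24 drive probes from this machine. Unless another scraper needs it, keep `open_ports = [ 3000 9001 ];`, or add a comment naming the remote scraper that requires 9003. The `import ./networking.nix` expression this list belongs to starts and ends outside the hunk.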
@@ -26,23 +26,163 @@
};
};
+
+
+ services.prometheus.exporters.blackbox = {
+ enable = true;
+ port = 9003;
+ configFile = assets/blackbox.yml;
+ };
+
services.prometheus = {
enable = true;
port = 9001;
globalConfig.scrape_interval = "10s";
- scrapeConfigs = [
+ scrapeConfigs = let
+ node_port = toString config.services.prometheus.exporters.node.port;
+ blackbox_relabel = [
+ {
+ source_labels = [ "__address__" ];
+ target_label = "__param_target";
+ }
+ {
+ target_label = "__address__";
+ replacement = "127.0.0.1:9003";
+ }
+ ];
+ in [
{
- job_name = "r330-logging";
- static_configs = [{
- targets = let
- node_port = toString config.services.prometheus.exporters.node.port;
- in [
- "127.0.0.1:${node_port}"
- "192.168.100.40:${node_port}"
- "192.168.100.42:${node_port}"
- "192.168.100.45:${node_port}"
- ];
- }];
+ job_name = "node";
+ static_configs = [
+ {
+ targets = [ "127.0.0.1:${node_port}" ];
+ labels.instance = "r330-logging";
+ }
+ {
+ targets = [ "192.168.100.40:${node_port}" ];
+ labels.instance = "r330-media";
+ }
+ {
+ targets = [ "192.168.100.42:${node_port}" ];
+ labels.instance = "sampledb-dev";
+ }
+ {
+ targets = [ "192.168.100.45:${node_port}" ];
+ labels.instance = "mindforge";
+ }
+ {
+ targets = [ "192.168.100.1:9100" ];
+ labels.instance = "GL-MT6000";
+ }
+ ];
+ }
+ {
+ job_name = "blackbox_icmp";
+ metrics_path = "/probe";
+ params = { module = ["icmp"]; };
+ static_configs = [
+ {
+ targets = [ "127.0.0.1" ];
+ labels.instance = "r330-media";
+ }
+ {
+ targets = [ "192.168.100.1" ];
+ labels.instance = "GL-MT6000";
+ }
+ {
+ targets = [ "192.168.100.11" ];
+ labels.instance = "r330-idrac";
+ }
+ {
+ targets = [ "192.168.100.12" ];
+ labels.instance = "r730xd-idrac";
+ }
+ {
+ targets = [ "192.168.100.20" ];
+ labels.instance = "ideapad";
+ }
+ {
+ targets = [ "192.168.100.21" ];
+ labels.instance = "r330-proxmox";
+ }
+ {
+ targets = [ "192.168.100.22" ];
+ labels.instance = "r730xd-proxmox";
+ }
+ {
+ targets = [ "192.168.100.40" ];
+ labels.instance = "r330-media";
+ }
+ {
+ targets = [ "192.168.100.42" ];
+ labels.instance = "sampledb-dev";
+ }
+ {
+ targets = [ "192.168.100.42" ];
+ labels.instance = "sampledb-dev";
+ }
+ {
+ targets = [ "192.168.100.45" ];
+ labels.instance = "mindforge";
+ }
+ {
+ targets = [ "1.1.1.1" ];
+ labels.instance = "Cloudflare";
+ }
+ {
+ targets = [ "8.8.8.8" ];
+ labels.instance = "Google";
+ }
+ ];
+ relabel_configs = blackbox_relabel;
+ }
+ {
+ job_name = "blackbox_http_2xx";
+ metrics_path = "/probe";
+ params = { module = ["http_2xx"]; };
+ static_configs = [
+ {
+ targets = [ "http://192.168.100.40:6011" ];
+ labels.instance = "Qbittorrent";
+ }
+ {
+ targets = [ "http://192.168.100.40:7878" ];
+ labels.instance = "Radarr";
+ }
+ {
+ targets = [ "http://192.168.100.40:8989" ];
+ labels.instance = "Sonarr";
+ }
+ {
+ targets = [ "http://192.168.100.40:9696" ];
+ labels.instance = "Prowlarr";
+ }
+ {
+ targets = [ "https://randomctf.com" ];
+ labels.instance = "RandomCTF.com";
+ }
+ {
+ targets = [ "https://git.randomctf.com" ];
+ labels.instance = "Gitea";
+ }
+ {
+ targets = [ "https://nextcloud.randomctf.com" ];
+ labels.instance = "Nextcloud";
+ }
+ ];
+ relabel_configs = blackbox_relabel;
+ }
+ {
+ job_name = "blackbox_http_2xx_no_verify";
+ metrics_path = "/probe";
+ params = { module = ["http_2xx_tls_no_verify"]; };
+ static_configs = [
+ {
+ targets = [ "https://192.168.100.40:5006" ];
+ labels.instance = "Actual";
+ }
+ ];
+ relabel_configs = blackbox_relabel;
}
];
};
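Review bot: The `blackbox_icmp` job labels the `127.0.0.1` target `r330-media`, while the `node` job labels the same address `r330-logging` and `192.168.100.40` is already `r330-media`; that line should read `labels.instance = "r330-logging";`. The same job lists `192.168.100.42` / `sampledb-dev` twice, so one of the two entries should be dropped — at best it is redundant, and it makes the target list harder to audit. Consistency: `blackbox_relabel` hardcodes `replacement = "127.0.0.1:9003";` although the port is declared on `services.prometheus.exporters.blackbox.port`; deriving it the way `node_port` is derived, `replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}";`, keeps the two from drifting apart. The `node` job's `192.168.100.1:9100` entry is the one target not using `${node_port}`, which is reasonable for a foreign device but deserves a short comment saying so.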
@@ -60,120 +200,7 @@ }; }; - environment.etc."suricata.yaml".source = pkgs.writeTextFile { - name = "suricata.yaml"; - text = '' - %YAML 1.1 - --- - - vars: - address-groups: - HOME_NET: "[192.168.100.0/24]" - EXTERNAL_NET: "!$HOME_NET" - HTTP_SERVERS: "$HOME_NET" - SMTP_SERVERS: "$HOME_NET" - SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" - TELNET_SERVERS: "$HOME_NET" - AIM_SERVERS: "$EXTERNAL_NET" - DC_SERVERS: "$HOME_NET" - DNP3_SERVER: "$HOME_NET" - DNP3_CLIENT: "$HOME_NET" - MODBUS_CLIENT: "$HOME_NET" - MODBUS_SERVER: "$HOME_NET" - ENIP_CLIENT: "$HOME_NET" - ENIP_SERVER: "$HOME_NET" - port-groups: - HTTP_PORTS: "80" - SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 - FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - GENEVE_PORTS: 6081 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 - SIP_PORTS: "[5060, 5061]" - - default-log-dir: /home/logging/logs - classification-file: /etc/suricata/classification.config - reference-config-file: /etc/suricata/reference.config - default-rule-path: /etc/suricata/rules - rule-files: - - suricata.rules - - stats: - enabled: yes - - af-packet: - - interface: enp6s18 - use-mmap: yes - tpacket-v3: yes - cluster-id: 99 - cluster-type: cluster_flow - defrag: yes - - outputs: - - fast: - enabled: yes - filename: fast.log - append: yes - - - eve-log: - enabled: yes - filetype: regular - filename: eve.json - types: - - alert: - tagged-packets: yes - - http: - extended: yes - - http2 - - dns: - enabled: yes - - tls: - extended: yes - - flow - - mqtt - - ssh - - dhcp: - enabled: yes - - arp: - enabled: yes - - ldap - - quic - - sip - - rfb - - snmp - - bittorrent-dht - - krb5 - - dcerpc - - ike - - tftp - - smb - - nfs - - rdp - - ftp - - websocket - - smtp - - - pcap-log: - enabled: yes - filename: log.pcap - limit: 1gb - max-files: 20 - - - stats: - enabled: yes - filename: stats.log - append: yes - totals: yes - threads: no - - ''; - }; + environment.etc."suricata.yaml".source 
= ./assets/suricata.yaml; environment.etc."suricata/classification.config".text = '' '';