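# NixOS host module for "r330-logging": a Grafana + Prometheus host that also
# runs Suricata as an unprivileged systemd service against interface enp6s18.
# Indentation of the original was lost in transit and has been reconstructed.
{ lib, config, pkgs, inputs, ... }: {

  imports = [
    ../hardware/logging.nix
    ./headless.nix
    # Shared networking module: only 3000 (Grafana) and 9001 (Prometheus) are
    # opened here; the Suricata capture interface itself needs no listening port.
    (import ./networking.nix {
      hostname = "r330-logging";
      ip_address = "192.168.100.41";
      open_ports = [ 3000 9001 ];
      inherit lib;
    })
  ];

  # Service account used by the Suricata unit below; its home also receives the
  # Suricata logs (default-log-dir in the YAML).
  users.users.logging = import ./user.nix;

  environment.systemPackages = with pkgs; [
    suricata
  ];

  services.grafana = {
    enable = true;
    settings.server = {
      # Bound on all interfaces; reachable from the LAN through open_ports above.
      http_addr = "0.0.0.0";
      http_port = 3000;
      domain = "logging.randomctf.local";
    };
  };

  services.prometheus = {
    enable = true;
    port = 9001;
    scrapeConfigs = [
      {
        job_name = "r330-logging";
        static_configs = [{
          # Scrapes the node exporter on this host and three LAN peers. The port
          # is taken from the node exporter's option; the exporter itself is not
          # enabled in this file — presumably in headless.nix or the hardware
          # module, verify.
          targets = let
            port = toString config.services.prometheus.exporters.node.port;
          in [
            "127.0.0.1:${port}"
            "192.168.100.40:${port}"
            "192.168.100.42:${port}"
            "192.168.100.43:${port}"
          ];
        }];
      }
    ];
  };

  systemd.services.suricata = {
    description = "Suricata IDS/IPS";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # systemd [Service] keys are case-sensitive; the original lower-case
      # "type" is not a recognised key and would be ignored.
      Type = "simple";
      # Runs as the unprivileged service account; packet capture is granted via
      # the two capabilities below rather than root.
      User = "logging";
      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s18";
      Restart = "on-failure";
      CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
      AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";
      # NOTE(review): further sandboxing (NoNewPrivileges, ProtectSystem) is not
      # applied here; ProtectHome would conflict with the log directory under
      # /home/logging, so any hardening must keep that path writable.
    };
  };

  # Main Suricata configuration, installed at /etc/suricata.yaml to match
  # the -c argument in ExecStart above.
  environment.etc."suricata.yaml".source = pkgs.writeTextFile {
    name = "suricata.yaml";
    text = ''
      %YAML 1.1
      ---

      vars:
        address-groups:
          HOME_NET: "[192.168.100.0/24]"
          EXTERNAL_NET: "!$HOME_NET"
          HTTP_SERVERS: "$HOME_NET"
          SMTP_SERVERS: "$HOME_NET"
          SQL_SERVERS: "$HOME_NET"
          DNS_SERVERS: "$HOME_NET"
          TELNET_SERVERS: "$HOME_NET"
          AIM_SERVERS: "$EXTERNAL_NET"
          DC_SERVERS: "$HOME_NET"
          DNP3_SERVER: "$HOME_NET"
          DNP3_CLIENT: "$HOME_NET"
          MODBUS_CLIENT: "$HOME_NET"
          MODBUS_SERVER: "$HOME_NET"
          ENIP_CLIENT: "$HOME_NET"
          ENIP_SERVER: "$HOME_NET"
        port-groups:
          HTTP_PORTS: "80"
          SHELLCODE_PORTS: "!80"
          ORACLE_PORTS: 1521
          SSH_PORTS: 22
          DNP3_PORTS: 20000
          MODBUS_PORTS: 502
          FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
          FTP_PORTS: 21
          GENEVE_PORTS: 6081
          VXLAN_PORTS: 4789
          TEREDO_PORTS: 3544
          SIP_PORTS: "[5060, 5061]"

      default-log-dir: /home/logging/logs
      classification-file: /etc/suricata/classification.config
      reference-config-file: /etc/suricata/reference.config
      default-rule-path: /etc/suricata/rules
      rule-files:
        - suricata.rules

      stats:
        enabled: yes

      af-packet:
        - interface: enp6s18
          use-mmap: yes
          tpacket-v3: yes
          cluster-id: 99
          cluster-type: cluster_flow
          defrag: yes

      outputs:
        - fast:
            enabled: yes
            filename: fast.log
            append: yes

        - eve-log:
            enabled: yes
            filetype: regular
            filename: eve.json
            types:
              - alert:
                  tagged-packets: yes
              - http:
                  extended: yes
              - http2
              - dns:
                  enabled: yes
              - tls:
                  extended: yes
              - flow
              - mqtt
              - ssh
              - dhcp:
                  enabled: yes
              - arp:
                  enabled: yes
              - ldap
              - quic
              - sip
              - rfb
              - snmp
              - bittorrent-dht
              - krb5
              - dcerpc
              - ike
              - tftp
              - smb
              - nfs
              - rdp
              - ftp
              - websocket
              - smtp

        - pcap-log:
            enabled: yes
            filename: log.pcap
            limit: 1gb
            max-files: 20

        - stats:
            enabled: yes
            filename: stats.log
            append: yes
            totals: yes
            threads: no

    '';
  };

  # The classification, reference and rule files referenced from suricata.yaml
  # are all empty here, so this instance produces protocol/flow logs but no
  # signature-based alerts until suricata.rules is populated.
  environment.etc."suricata/classification.config".text = ''
  '';

  environment.etc."suricata/reference.config".text = ''
  '';

  # Written but not referenced by the YAML above (no threshold-file key).
  environment.etc."suricata/threshold.config".text = ''
  '';

  environment.etc."suricata/rules/suricata.rules".text = ''
  '';

}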