digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-20 13:50:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7cf89236b7662280f84a43aab23607e43089caac
SecGen/scenarios/labs/response_and_investigation/4_ids.xml

356 lines
11 KiB
XML
Raw Blame History

<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>IDS lab</name>
<author>Z. Cliffe Schreuders</author>
<description>A Hackerbot lab. Work through the labsheet, then when prompted interact with Hackerbot. </description>
<type>ctf-lab</type>
<type>hackerbot-lab</type>
<type>lab-sheet</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="SOIM" topic="Monitor: Data Sources">
<keyword>network traffic</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="Analyse: Analysis Methods">
<keyword>misuse detection</keyword>
<keyword>anomaly detection</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="Execute: Mitigation and Countermeasures">
<keyword>intrusion prevention systems</keyword>
</CyBOK>
<CyBOK KA="NS" topic="Network Defence Tools">
<keyword>packet filters</keyword>
<keyword>intrusion detection systems</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malware Detection">
<keyword>attack detection</keyword>
</CyBOK>
<video>
<title>The Cloud</title>
<by>Z. Cliffe Schreuders</by>
<url>https://youtu.be/raR0HstMnjg</url>
<type>lecture-prerecorded</type>
<CyBOK KA="SOIM" topic="Execute: Mitigation and Countermeasures">
<keyword>DATA REDUNDANCY</keyword>
<keyword>REDUNDANCY IN NETWORK SERVICES</keyword>
</CyBOK>
<CyBOK KA="DSS" topic="CLOUD - COMPUTING - SERVICES">
<keyword>CLOUD COMPUTING - DEPLOYMENT MODELS</keyword>
<keyword>CLOUD COMPUTING - RESOURCE POOLING</keyword>
<keyword>CLOUD COMPUTING - SERVICE MODELS - IAAS</keyword>
<keyword>CLOUD COMPUTING - SERVICE MODELS - PAAS</keyword>
<keyword>CLOUD COMPUTING - SERVICE MODELS - SAAS</keyword>
<keyword>CLOUD COMPUTING - STORAGE</keyword>
</CyBOK>
<CyBOK KA="OSV" topic="CLOUD - COMPUTING - SERVICES">
<keyword>CLOUD COMPUTING - VIRTUALIZATION</keyword>
</CyBOK>
<CyBOK KA="POR" topic="Confidentiality">
<keyword>CLOUD COMPUTING - PRIVACY CONCERNS</keyword>
</CyBOK>
</video>
<video>
<title>Redundancy and RAID</title>
<by>Z. Cliffe Schreuders</by>
<url>https://youtu.be/3oDVTSFhl8Y</url>
<type>lecture-prerecorded</type>
<CyBOK KA="SOIM" topic="Execute: Mitigation and Countermeasures">
<keyword>DATA REDUNDANCY</keyword>
</CyBOK>
</video>
<video>
<title>Intrusion Detection and Prevention Systems (IDS IPS)</title>
<by>Z. Cliffe Schreuders</by>
<url>https://youtu.be/M6MisvbU32M</url>
<type>lecture-prerecorded</type>
<CyBOK KA="SOIM" topic="Monitor: Data Sources">
<keyword>network traffic</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="Analyse: Analysis Methods">
<keyword>misuse detection</keyword>
<keyword>anomaly detection</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="Execute: Mitigation and Countermeasures">
<keyword>intrusion prevention systems</keyword>
</CyBOK>
<CyBOK KA="NS" topic="Network Defence Tools">
<keyword>packet filters</keyword>
<keyword>intrusion detection systems</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malware Detection">
<keyword>attack detection</keyword>
</CyBOK>
</video>
<system>
<system_name>desktop</system_name>
<base distro="Debian 10" type="desktop" name="KDE"/>
<input into_datastore="IP_addresses">
<value>172.16.0.2</value>
<value>172.16.0.3</value>
<value>172.16.0.4</value>
<value>172.16.0.5</value>
</input>
<input into_datastore="organisation">
<generator type="organisation"/>
</input>
<!--generate two accounts, YOU and someone else-->
<input into_datastore="accounts">
<generator type="account">
<input into="username">
<generator type="random_sanitised_word">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
</input>
<input into="password">
<value>tiaspbiqe2r</value>
</input>
<input into="super_user">
<value>true</value>
</input>
<input into="leaked_filenames">
<value></value>
</input>
<input into="strings_to_leak">
<value></value>
</input>
</generator>
<generator type="account">
<input into="username">
<generator type="random_sanitised_word">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
</input>
<input into="password">
<value>test</value>
</input>
<input into="super_user">
<value>false</value>
</input>
<input into="leaked_filenames">
<value></value>
</input>
<input into="strings_to_leak">
<value></value>
</input>
</generator>
<generator type="account">
<input into="username">
<generator type="random_sanitised_word">
<input into="wordlist">
<value>mythical_creatures</value>
</input>
</generator>
</input>
<input into="password">
<value>test</value>
</input>
<input into="super_user">
<value>false</value>
</input>
<input into="leaked_filenames">
<value></value>
</input>
<input into="strings_to_leak">
<value></value>
</input>
</generator>
</input>
<input into_datastore="hackerbot_access_root_password">
<generator type="strong_password_generator"/>
</input>
<!--Create the users-->
<utility module_path=".*/parameterised_accounts">
<input into="accounts">
<datastore>accounts</datastore>
</input>
</utility>
<utility module_path=".*/kde_minimal">
<input into="autologin_user">
<datastore access="0" access_json="['username']">accounts</datastore>
</input>
<input into="accounts">
<datastore>accounts</datastore>
</input>
<input into="autostart_konsole">
<value>true</value>
</input>
</utility>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<utility module_path=".*/iceweasel">
<input into="accounts">
<datastore>accounts</datastore>
</input>
<input into="autostart">
<value>true</value>
</input>
<input into="start_page">
<datastore access="3">IP_addresses</datastore>
</input>
</utility>
<utility module_path=".*/pidgin">
<input into="server_ip">
<datastore access="3">IP_addresses</datastore>
</input>
<input into="accounts">
<datastore access="0">accounts</datastore>
</input>
</utility>
<vulnerability module_path=".*/ssh_root_login">
<input into="root_password">
<datastore>hackerbot_access_root_password</datastore>
</input>
</vulnerability>
<network type="private_network" >
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>ids_snoop</system_name>
<base distro="Debian 10" type="desktop" name="KDE"/>
<utility module_path=".*/parameterised_accounts">
<input into="accounts">
<datastore>accounts</datastore>
</input>
</utility>
<utility module_path=".*/kde_minimal">
<input into="autologin_user">
<datastore access="0" access_json="['username']">accounts</datastore>
</input>
<input into="accounts">
<datastore>accounts</datastore>
</input>
<input into="autostart_konsole">
<value>true</value>
</input>
</utility>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/snort"/>
<utility module_path=".*/wireshark"/>
<utility module_path=".*/nmap"/>
<vulnerability module_path=".*/ssh_root_login">
<input into="root_password">
<datastore>hackerbot_access_root_password</datastore>
</input>
</vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>web_server</system_name>
<base platform="linux" distro="Debian 9" type="server"/>
<utility module_path=".*/parameterised_accounts">
<input into="accounts">
<datastore>accounts</datastore>
</input>
</utility>
<vulnerability module_path=".*/distcc_exec"/>
<!--TODO: FIXME ftp modules are currently broken-->
<!--<service module_path=".*/vsftpd"/>-->
<!--TODO: Fix the apache module -->
<service type="httpd" module_path=".*/apache.*"/>
<!--<service module_path="services/unix/http/parameterised_website">
<input into="organisation">
<datastore>organisation</datastore>
</input>
</service>-->
<vulnerability module_path=".*/ssh_root_login">
<input into="root_password">
<datastore>hackerbot_access_root_password</datastore>
</input>
</vulnerability>
<network type="private_network" >
<input into="IP_address">
<datastore access="2">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>hackerbot_server</system_name>
<base distro="Kali" name="MSF"/>
<service type="ircd"/>
<utility module_path=".*/metasploit_framework"/>
<utility module_path=".*/handy_cli_tools"/>
<utility module_path=".*/nmap"/>
<service type="httpd" module_path=".*/apache.*"/>
<utility module_path=".*/hackerbot">
<input into="hackerbot_configs" into_datastore="hackerbot_instructions">
<generator module_path=".*/ids">
<input into="accounts">
<datastore>accounts</datastore>
</input>
<input into="root_password">
<datastore>hackerbot_access_root_password</datastore>
</input>
<input into="ids_server_ip">
<datastore access="1">IP_addresses</datastore>
</input>
<input into="web_server_ip">
<datastore access="2">IP_addresses</datastore>
</input>
<input into="hackerbot_server_ip">
<datastore access="3">IP_addresses</datastore>
</input>
</generator>
</input>
</utility>
<network type="private_network" >
<input into="IP_address">
<datastore access="3">IP_addresses</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<generator type="strong_password_generator"/>
</input>
</build>
</system>
</scenario>
Reference in New Issue View Git Blame Copy Permalink