Crowdsec CTI API Integration with Suricata

Crowdsec CTI Integration python script. I’ve been working on an integration between Crowdsec CTI and Suricata, both running on OPNsense. The purpose of the integration is to have Suricata in IPS mode with a set of preferred rules configured to alert only. All triggered alerts are logged in the fast.log format. A CrowdSec CTI script written in python parses the fast.log file and queries all entries in the log. If an IP is marked as Malicious or Suspicious by the CrowdSec CTI, it is added to a new log called filtered-fast.log and subsequently blocked based on the Suricata collection. The script implements a TTL cache mechanism with a 1-hour duration to avoid excessive queries and conserve allocated API requests when an IP triggers multiple alerts. IPs marked as Benign, Safe, Known, or Unknown are skipped and not added to filtered-fast.log. The public IP of the gateway (in my case, the WAN/PPPoE interface) is also explicitly excluded from queries. In this version of the script I am also sending Benign IPs to the filtered-fast.log and filtering out Nmap alerts. You can define in the script anything that you want to exclude from the query search. The script also maintains its own logs for informational and debugging purposes, stored at /usr/local/bin/crowdsec/crowdsec_cti.log and /usr/local/bin/crowdsec/crowdsec_cti_debug.log. The script handles API errors (e.g., 429 rate limits with exponential backoff, 404 for unknown IPs) and caches “Unknown” responses for failed queries. Before making the CTI integration functional, have a look at how to integrate Crowdsec with Suricata and push the logs to fast.log. In order for this integration to work you also need the Crowdsec for Suricata Collection installed ...

May 16, 2025 ·  5 min

Suricata Nmap Rules

sudo nmap -sU -p 0-60000 x.x.x.x -T5
sudo nmap -sS -p 0-60000 x.x.x.x -T2
sudo nmap -sX -p 0-60000 x.x.x.x -T1

# For NMAP scan detection between scan speeds of T1-T5
# SYN SCAN -sS (speeds T1-T5)
alert tcp any any -> any [21,22,23,25,53,80,88,110,135,137,138,139,143,161,389,443,445,465,514,587,636,853,993,995,1194,1433,1720,3306,3389,8080,8443,11211,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sS)"; flow:to_server,stateless; flags:S; window:1024; tcp.mss:1460; threshold:type threshold, track by_src, count 20, seconds 70; classtype:attempted-recon; sid:3400001; priority:2; rev:1;)
alert tcp any any -> any ![21,22,23,25,53,80,88,110,135,137,138,139,143,161,389,443,445,465,514,587,636,853,993,995,1194,1433,1720,3306,3389,8080,8443,11211,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sS)"; flow:to_server,stateless; flags:S; window:1024; tcp.mss:1460; threshold:type threshold, track by_src, count 7, seconds 135; classtype:attempted-recon; sid:3400002; priority:2; rev:2;)
# SYN-ACK 3-WAY SCAN -sT (speeds T2-T5)
alert tcp any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] -> any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] (msg:"POSSBL PORT SCAN (NMAP -sT)"; flow:to_server; window:32120; flags:S; threshold:type threshold, track by_src, count 20, seconds 70; classtype:attempted-recon; sid:3400003; rev:3;)
# ACK SCAN -sA (speeds T2-T5)
alert tcp any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] -> any ![22,25,53,80,88,143,443,445,465,587,853,993,1194,8080,51820] (msg:"POSSBL PORT SCAN (NMAP -sA)"; flags:A; flow:stateless; window:1024; threshold:type threshold, track by_dst, count 20, seconds 70; classtype:attempted-recon; sid:3400004; priority:2; rev:5;)
# CHRISTMAS TREE SCAN -sX (speeds T1-T5)
alert tcp any any -> any any (msg:"POSSBL PORT SCAN (NMAP -sX)"; flags:FPU; flow:to_server,stateless; threshold:type threshold, track by_src, count 3, seconds 120; classtype:attempted-recon; sid:3400005; rev:2;)
# FRAGMENTED SCAN -f (speeds T1-T5)
alert ip any any -> any any (msg:"POSSBL SCAN FRAG (NMAP -f)"; fragbits:M+D; threshold:type limit, track by_src, count 3, seconds 1210; classtype:attempted-recon; sid:3400006; priority:2; rev:6;)
# UDP SCAN -sU (speeds T1-T5)
alert udp any any -> any [53,67,68,69,123,161,162,389,520,1026,1027,1028,1029,1194,1434,1900,11211,12345,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sU)"; flow:to_server,stateless; classtype:attempted-recon; sid:3400007; priority:2; rev:6; threshold:type threshold, track by_src, count 20, seconds 70; dsize:0;)
alert udp any any -> any ![53,67,68,69,123,161,162,389,520,1026,1027,1028,1029,1194,1434,1900,11211,12345,27017,51820] (msg:"POSSBL PORT SCAN (NMAP -sU)"; flow:to_server,stateless; classtype:attempted-recon; sid:3400008; priority:2; rev:6; threshold:type threshold, track by_src, count 7, seconds 135; dsize:0;)
# For all usages of destination port 4444:
# TCP destination port: 4444
alert tcp any ![21,22,23,25,53,80,88,110,135,137,138,139,143,161,389,443,445,465,514,587,636,853,993,995,1194,1433,1720,3306,3389,8080,8443,11211,27017,51820] -> any 4444 (msg:"POSSBL SCAN SHELL M-SPLOIT TCP"; classtype:trojan-activity; sid:3400020; priority:1; rev:2;)
# UDP destination port: 4444
alert udp any ![53,67,68,69,123,161,162,389,520,1026,1027,1028,1029,1194,1434,1900,11211,12345,27017,51820] -> any 4444 (msg:"POSSBL SCAN SHELL M-SPLOIT UDP"; classtype:trojan-activity; sid:3400021; priority:1; rev:2;)

Suricata rules are stored in these two locations. Create a new file called nmap.rules in the following two locations and paste the above rules. Restart Suricata after that with sudo service suricata restart ...

January 25, 2025 ·  5 min

The Swiss Army Knife of Remote Access

Local Port Forwarding (Top Left) Usage: Command: ssh -L 8080:localhost:80 user@server This command sets up a local port forward where the SSH client listens on localhost:8080 and forwards any connections to localhost:80 on the remote server. Benefits: Accessing Internal Services: This is useful when you need to access a service running on a remote server that is not publicly accessible. For example, if you have a web server running on localhost:80 on the remote machine, you can access it through localhost:8080 on your local machine. ...

January 25, 2025 ·  3 min

Crowdsec Integration with Suricata

Crowdsec integration with Suricata and Pushover notifications. In this post I will walk you through the steps of integrating Suricata with Crowdsec, with alerting and detection done in Suricata and the decision making in Crowdsec. Since Crowdsec also has a nice Cloud Console, we can further visualize the alerts and decisions made there. I will also show you how to integrate Crowdsec with Pushover so you get notified each time the Crowdsec Engine makes a decision. ...

January 18, 2025 ·  7 min

Cloudflare Zero Trust tunnel for OPNSense

Cloudflare Tunnel. Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare. ...

January 18, 2025 ·  3 min

ZSH Autocompletion

Enabling Command Autocompletion in ZSH. This guide will help you enable command autocomplete in Zsh using the zsh-autosuggestions plugin. Follow the steps below to get started, and if any issues arise, refer to the troubleshooting tips to help resolve common problems. Prerequisites: Ensure you have Oh My Zsh installed. This helps manage plugins and customize your Zsh experience. If you’re on macOS, Zsh is likely installed by default, but you may need to install Oh My Zsh separately. To install Oh My Zsh: sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" Step 1: Update Your .zshrc file. Add zsh-autosuggestions to the plugins array in your .zshrc file to enable it: ...

January 2, 2025 ·  2 min

Neohtop

Best MacOS system monitor. A modern, cross-platform system monitor built on top of Svelte, Rust, and Tauri. Features: 🚀 Real-time process monitoring 💻 CPU and Memory usage tracking 🎨 Beautiful, modern UI with dark/light themes 🔍 Advanced process search and filtering 📌 Pin important processes 🛠 Process management (kill processes) 🎯 Sort by any column 🔄 Auto-refresh system stats ⚡️ Zero-install: use from any machine with an SSH client installed. Search Functionality: Search for processes by name, command, or PID. Use commas to search for multiple terms simultaneously. Regular expressions are supported for advanced filtering. ...

December 5, 2024 ·  1 min

Cloudflare Zero Trust

Securely exposing a self-hosted application using Cloudflare Zero Trust. Many thanks to and Cloudflare for offering an enterprise service for free, helping to build a better, more secure internet. In this walkthrough, I will explain how to publicly expose a self-hosted application without port forwarding. I’ll be using Cloudflare’s Zero Trust service to securely expose a @QNAP_nas. https://developers.cloudflare.com/cloudflare-one/ Create the tunnel: Add your domain name and point it to the internal IP address on which the service that you want to securely expose is running. An internal port of the service can also be specified. ...

October 1, 2024 ·  2 min