[
  {
    "path": "README.md",
    "content": "# Building a TLS-compatible Honeypot\nThis guide illustrates how to set up a honeypot that, next to unencrypted network traffic, is also capable of decrypting TLS traffic with the help of [PolarProxy](https://www.netresec.com/?page=PolarProxy). It is part of my master's thesis that uses a version of this setup to analyze attacks on specific HTTP(S) web-based applications.\n\n![Illustration of the setup](images/setup.svg)\n\nNote that this documentation is mostly a recollection and recreation of the events from the initial setup of the honeypot used in my thesis, and I have not tested them thoroughly again when writing this post. Therefore, if you find any mistake, feel free to open an issue or pull request or let me know otherwise!\n\n## Infrastructure\nFor this setup, we use two servers. The first server, called the *Gateway Server*, runs an installation of Ubuntu 20.04. It has two network interfaces, with one connected to the internet and assigned a /24 subnet, and the other connected to the other server.\n\nThe second server, called the *Proxmox Server*, runs [Proxmox VE](https://www.proxmox.com/en/proxmox-ve), a virtualization environment that allows us to run VMs. It is connected with an Ethernet cable to the first server but not directly to the internet.\n\nUsually, getting access to a /24 subnet can be quite expensive. The main reason a /24 subnet is used in this tutorial is that the project was initially done at a university with larger subnets available for research. However, given that not all IP addresses of the subnet are needed, it can also be done with smaller subnets or multiple independent IP addresses. 
To replicate this setup on typical cloud providers, buying multiple IP addresses and running a VPC for the internal connection between the two servers should also work.\n\n## Initial Networking Setup\nFor demonstration purposes, we use the 198.51.100.0/24 test IPv4 address range as an example for our /24 subnet.\n\n### Network Interface Configuration\nThe general idea of the honeypot networking is that one external IP address maps to one VM. To achieve this, we manually define the external IP addresses and also define all possible VLANs, ranging from 2 to 255. All VLANs use a /30 subnet, so that only the Gateway Server and a single VM can reside inside a VLAN.\n\nOn the Gateway Server, we use Netplan to configure the network. `enp4s0f0` is the network interface connected to the internet and `enp7s0f0` is the network interface that connects both servers internally.\n\nAn example configuration can look like this, with the repetitive VLAN definitions ranging up to `vlan.255` cut out (a full version can be found in [netplan.yaml](netplan.yaml)):\n\n```yaml\nnetwork:\n  version: 2\n  ethernets:\n    enp4s0f0:\n      addresses:\n        - 198.51.100.42/24 # Gateway server external IP address\n        - 198.51.100.4/24 # One Honeypot Service\n        - 198.51.100.12/24 # Another Honeypot Service\n      gateway4: 198.51.100.1\n      dhcp4: false\n      nameservers:\n        addresses: [8.8.8.8, 8.8.4.4]\n    enp7s0f0:\n      dhcp4: false\n      addresses: [192.168.1.1/30]\n  vlans:\n    vlan.2:\n      id: 2\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.2.1/30]\n    vlan.3:\n      id: 3\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.3.1/30]\n    ...\n```\n\nIt is possible to define the whole subnet for the external IP addresses in one go instead of defining each IP manually. However, given that we did not want to route traffic to our machine for unassigned IP addresses, we opted for the latter option. 
This should also allow an easier adaptation in case a whole /24 subnet is not available, but rather multiple individual IP addresses. These can be defined in the same way in this configuration.\n\n### Firewall\nBy default, we do not want to allow any incoming traffic to either the Gateway Server or the VMs that is not intended by us. Traffic to the Gateway Server itself is handled by the `INPUT` chain in iptables, whereas traffic for the VMs is handled by the `FORWARD` chain.\n\nBefore we drop all access by default, we need to ensure that we keep access ourselves. First, we set an allowed subnet from which we can continue to access everything:\n\n```bash\nsudo iptables -A INPUT -i enp4s0f0 -s 192.0.2.0/24 -j ACCEPT\n```\n\nNote that `192.0.2.0/24` is used as a placeholder here to specify a subnet that is allowed to access the Proxmox management interface and SSH. It can be replaced with another specific subnet or IP address that is allowed to access these services.\n\nThen, we need to ensure that the reply traffic of connections initiated by the Gateway Server itself, or accepted by an `INPUT` or `FORWARD` rule, is still allowed:\n\n```bash\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n```\n\nAfter we have specifically allowed incoming traffic from a trusted network and the reply traffic back to it, so that we do not lock ourselves out, we can finally drop all other traffic by default:\n\n```bash\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\n```\n\nAdditionally, we allow loopback traffic by default:\n```bash\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A OUTPUT -o lo -j ACCEPT\n```\n\n### Access to the Proxmox Server\nThe Proxmox installation on the second server is configured with the IP address 192.168.1.2 and runs outside of a VLAN. 
To gain access to SSH and the Proxmox management interface on the second server, we set up the following `iptables` rules on the Gateway Server, which expose both services under the same external IP address as the Gateway Server:\n```bash\n# Proxmox management interface\nsudo iptables -A FORWARD -s 192.0.2.0/24 -d 192.168.1.2 -p tcp --dport 8006 -j ACCEPT\nsudo iptables -A FORWARD -s 192.168.1.2 -d 192.0.2.0/24 -p tcp --sport 8006 -j ACCEPT\nsudo iptables -A PREROUTING -t nat -p tcp -s 192.0.2.0/24 --dport 8006 -j DNAT --to-destination 192.168.1.2:8006\n\n# SSH\nsudo iptables -A PREROUTING -t nat -p tcp -s 192.0.2.0/24 --dport 2222 -j DNAT --to-destination 192.168.1.2:22\nsudo iptables -A FORWARD -s 192.0.2.0/24 -d 192.168.1.2 -p tcp --dport 22 -j ACCEPT\nsudo iptables -A FORWARD -s 192.168.1.2 -d 192.0.2.0/24 -p tcp --sport 22 -j ACCEPT\n```\n\nThe same note as above applies to `192.0.2.0/24`.\n\nIn addition, we still want Proxmox itself to be able to reach the internet for updates. Therefore, we add the following additional rules to allow Proxmox to masquerade its traffic under the same external IP address as the Gateway Server:\n\n```bash\nsudo iptables -t nat -A POSTROUTING -s 192.168.1.2 -j MASQUERADE\nsudo iptables -A FORWARD -d 192.168.1.2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -s 192.168.1.2 -o enp4s0f0 -j ACCEPT\n```\n\n### Configuring VLAN support for Proxmox\nIn order to eventually be able to assign VLANs per VM, we need to do some additional networking configuration in Proxmox.\nAssuming that the Proxmox network configuration was previously done over a **Network Device** in Proxmox, we need to make some changes to be able to define VLANs on the side of the Proxmox Server.\n\nUnder the \"Networking\" tab in Proxmox, we need to create a **Linux Bridge** and a **Linux VLAN** that uses the newly created bridge device for VLAN 1. 
\n\nThe **Linux Bridge** itself needs to be configured as VLAN-aware, with the bridge ports being the Network Device for the internal connection between the two servers, presumably the same network device configured before. In our case, similar to the Gateway Server, this is `enp7s0f0`.\n\n<img src=\"images/bridge.png\" alt=\"Proxmox vmbr1 Linux Bridge configuration\" width=\"500\"/>\n\nThen, for the **Linux VLAN**, VLAN 1 holds the same configuration as the Network Device did before and is required so that the server stays reachable under the same internal IP address via the Gateway Server as before. The screenshots below show the settings we used for each device, with vmbr1 being the Linux Bridge and vmbr1.1 being the Linux VLAN:\n\n<img src=\"images/vlan-1.png\" alt=\"Proxmox vmbr1.1 Linux VLAN configuration\" width=\"500\"/>\n\nAfterward, we can remove the IP address from the Network Device and apply the changes.\n\nIn total, the network configuration should look similar to this (disregarding the inactive network interfaces shown):\n\n<img src=\"images/network-list.png\" alt=\"List of all network devices in Proxmox\" width=\"600\"/>\n\n## VM Setup\nWith the initial setup done, we can now create VMs whose network device uses the newly created Linux Bridge `vmbr1`, and assign a VLAN tag to each VM. For example, for a VM that, under the /24 subnet example, is supposed to be reachable under 198.51.100.150 from the Internet or 192.168.150.2 internally from the Gateway Server, we would use the VLAN tag 150. 
\n\n<img src=\"images/create-new-vm.png\" alt=\"Proxmox 'Network' tab during VM creation\" width=\"500\"/>\n\nAdditionally, if rate limiting is desired in case any malicious services are running once a VM gets infected, it can also be configured under the same networking tab directly in Proxmox.\n\nBefore we install any operating system inside the VM, it makes sense to create the networking rules for that VM. Here, we distinguish between VMs where we do not want to intercept any incoming TLS traffic, and VMs for which we do.\n\n### Non-TLS Traffic\nFor VMs not running any TLS-enabled services, we create the following rules:\n\n* Incoming traffic for a specific external IP address is translated to the internal IP address of the respective VM (DNAT)\n* Outgoing traffic from a specific VM is translated to its specific external IP address (SNAT)\n* Incoming traffic is only allowed for a specific port and already established connections (important to keep outgoing traffic alive)\n* Outgoing traffic is fully allowed, except to other VMs\n\nFor `iptables`, this can be translated into the following rules:\n\n```bash\nsudo iptables -t nat -A PREROUTING -d 198.51.100.XX/32 -j DNAT --to-destination 192.168.XX.2\nsudo iptables -t nat -A POSTROUTING -s 192.168.XX.2/32 -j SNAT --to-source 198.51.100.XX\nsudo iptables -A FORWARD -s 192.168.XX.2 -o enp4s0f0 -j ACCEPT\nsudo iptables -A FORWARD -d 192.168.XX.2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A FORWARD -d 192.168.XX.2 -p tcp --dport YY -m iprange ! --src-range 192.168.0.0-192.168.255.255 -j ACCEPT\n\n# In case Docker is installed, forbid traffic to Docker networks by default\nsudo iptables -I DOCKER-USER -s 192.168.XX.2 -d 172.16.0.0/12 -m state --state NEW -j DROP\n```\n\nXX is a placeholder for the VLAN tag, and YY the port of the service we want to expose to the outside. 
\n\n### TLS Traffic\nWhen we want to intercept incoming TLS traffic with the help of [PolarProxy](https://www.netresec.com/?page=PolarProxy), it will be running on the Gateway Server itself, and not inside the VM. Therefore, we need to create an exception in the routing rules so that incoming ports expecting TLS are not forwarded directly to the VM:\n\n```bash\nsudo iptables -t nat -A PREROUTING -d 198.51.100.XX/32 -p tcp ! --dport YY -j DNAT --to-destination 192.168.XX.2\nsudo iptables -t nat -A PREROUTING -d 198.51.100.XX/32 ! -p tcp -j DNAT --to-destination 192.168.XX.2\nsudo iptables -t nat -A POSTROUTING -s 192.168.XX.2/32 -j SNAT --to-source 198.51.100.XX\nsudo iptables -A FORWARD -s 192.168.XX.2 -o enp4s0f0 -j ACCEPT\nsudo iptables -A FORWARD -d 192.168.XX.2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nsudo iptables -A INPUT -d 198.51.100.XX -p tcp --dport YY -m iprange ! --src-range 192.168.0.0-192.168.255.255 -j ACCEPT\n\n# In case Docker is installed, forbid traffic to Docker networks by default\nsudo iptables -I DOCKER-USER -s 192.168.XX.2 -d 172.16.0.0/12 -m state --state NEW -j DROP\n```\n\nHere, we instruct the system not to forward TCP port YY to the VM directly, but to accept it locally on the Gateway Server (where PolarProxy will listen), while all other TCP and UDP traffic is passed through, similar to the Non-TLS traffic.\n\n### VM Network Configuration\nWith these rules in place, we can install the operating system inside the VM. For the network configuration, we use a static configuration with the following settings:\n\n* **Subnet**: 192.168.XX.0/30 (**Subnet Mask**: 255.255.255.252)\n* **IP Address**: 192.168.XX.2\n* **Gateway**: 192.168.XX.1\n* **DNS**: 8.8.8.8, 8.8.4.4 (replaceable with other public DNS servers)\n\nAn example configuration for Ubuntu 20.04 with the VLAN tag 150 is shown here:\n<img src=\"images/vm-network-config.png\" alt=\"Ubuntu 20.04 network configuration dialog\" width=\"500\"/>\n\nAfter installation, the VM should be able to access the internet. 
The desired honeypot service running under port YY as defined in the iptables rules above can now be installed and, in case of a non-TLS port, is exposed to the internet right after installation. For a TLS port, we need to start PolarProxy in the next step before it is eventually exposed to the internet.\n\n## Capturing Network Traffic\nNow that we have our service up and running, we can start capturing the network traffic on our Gateway Server. Here, we take a look at the global traffic (useful for unencrypted traffic) and at how to capture the TLS traffic for the ports we made an exception for before.\n\n### Complete Network Traffic\nTo capture the global traffic of a VM, we can leverage [TShark](https://www.wireshark.org/docs/man-pages/tshark.html), the terminal version of Wireshark.\n\nAfter installation, we can capture the network traffic of the VM by telling TShark to capture traffic on the network interface `vlan.XX`, with XX being the VLAN tag.\n\nAs an example, to capture traffic for the VM on VLAN tag 150, we can use the following command:\n```bash\ntshark -i vlan.150 -w /mnt/data/pcaps/vlan150.pcap\n```\n\nWhen the capture is running for a longer while, or when the VM is experiencing high traffic, this can result in either dropped packets or very large PCAP files that are hard to analyze in tools like Wireshark. Therefore, it is a good idea to increase the capture buffer size with `-B`, and to use a ring buffer with `-b`, which automatically rotates to a new PCAP file.\n\nFor example, using a capture buffer size of 256 MB and a maximum PCAP size of 1 GB before rotating would look like this:\n\n```bash\ntshark -i vlan.150 -B 256 -b filesize:1000000 -w /mnt/data/pcaps/vlan150.pcap\n```\n\n### TLS Traffic\nIn order to host a TLS service and be able to capture its incoming traffic, we now leverage PolarProxy running on the Gateway Server. 
First, after downloading and unpacking the most recent version from the [website](https://www.netresec.com/?page=PolarProxy), we add the capability that allows PolarProxy to listen on ports <1024 without having to run it as root or with sudo:\n\n```bash\nsudo setcap 'cap_net_bind_service=+ep' /path/to/unpacked/PolarProxy\n```\nAfterward, we distinguish between the two cases **Termination Proxy** and **Reverse Proxy**. The former is used when the server inside the VM is not running with TLS or also accepts unencrypted connections, the latter when the service inside the VM exposes a TLS port.\n\n![Illustration of the setup](images/polarproxy-modes.svg)\n\nTo launch PolarProxy in **Termination Proxy** mode, we can use the following command:\n\n```bash\n./PolarProxy -p 198.51.100.XX,YY,YY,ZZ -cn \"<INSERT TLS CN NAME HERE>\" -o /mnt/data/pcaps/ --terminate --connect 192.168.XX.2 --nosni 198.51.100.XX -v\n```\n\nHere, the IP address specified in `-p` and `--nosni` is the external IP address we reserved for the single VM. In case the honeypot is not just reachable by the IP address, but under a domain or other DNS name, `--nosni` should be the domain name or DNS name.\n\nThe ports in `-p` define, in the given order, that:\n\n* We want to listen on port YY\n* Decrypted traffic should be stored as port YY in the PCAP\n* We want to connect to port ZZ on the IP address specified in `--connect`\n\n`--connect` holds the internal IP address of the VM, and `--terminate` defines that we want to terminate TLS at the proxy and connect unencrypted to the specified address. The `-cn` argument defines the Common Name PolarProxy should use for the dynamically generated TLS certificate. While it is optional to use, it makes sense to define a manual one for a honeypot, given that we do not want to advertise to the outside world that PolarProxy is running on this port. 
Alternatively, a static server certificate can be used with the `--servercert` option.\n\nFor **Reverse Proxy** mode, we essentially only need to remove the `--terminate` option and adjust the target port in the `-p` argument.\n\nHowever, in the case of a honeypot, it often makes sense to use the same certificate as the underlying service that is running TLS. Given that PolarProxy expects the less common `.p12` format that contains both the certificate and the private key in one file, we likely first need to obtain the certificate and private key from inside the VM, and convert them with the following command:\n\n```bash\nopenssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem\n```\n\nOpenSSL will prompt for a password, for which we can just use a value such as `12345` or a more complex value, if desired.\n\nWith these adjustments, we can launch PolarProxy in Reverse Proxy mode with a fixed server certificate, using the same certificate and key as the service inside the VM:\n```bash\n./PolarProxy -p 198.51.100.XX,YY,YY,YY -o /mnt/data/pcaps/ --connect 192.168.XX.2 --nosni 192.168.XX.2 -v --servercert 198.51.100.XX,192.168.XX.2:/path/to/cert.p12:12345\n```\n\nAgain, if the honeypot is reachable under a domain or another DNS name, `--nosni` needs to hold the domain or DNS name, and the same name should be appended to the `--servercert` argument, which also holds the list of domains the specified TLS certificate should be used for.\n\nWhen running **PolarProxy in combination with TShark**, it can make sense to exclude the TLS port from the TShark capture to avoid bloated PCAP files containing redundant encrypted traffic. 
This can be achieved with a capture filter in TShark:\n\n```bash\ntshark -i vlan.XX -w /mnt/data/pcaps/vlanXX.pcap -f \"not ((src host 192.168.XX.1 and dst host 192.168.XX.2 and dst port YZ) or (src host 192.168.XX.2 and src port YZ and dst host 192.168.XX.1))\"\n```\nHere, YZ is the last port defined in `-p` for PolarProxy, which is the port on the VM that PolarProxy connects to. For the examples above, it is ZZ for the termination mode and YY for the reverse proxy mode. Note that the `not` has to wrap both directions of the connection; with `not A or B`, only the direction from the Gateway Server to the VM would be excluded.\n\n## Suricata (IDS)\nIn order to be alerted about incoming attacks, it makes sense to install an IDS that monitors the network traffic for known attacks. For this case, we use [Suricata](https://suricata.readthedocs.io/en/latest/install.html#binary-packages), which can also monitor TLS traffic when combined with PolarProxy.\n\n### Installation\nFor the installation, we refer to the [binary package installation guide](https://suricata.readthedocs.io/en/latest/install.html#binary-packages) in the official documentation. For a broader level of attack detection, it might make sense to enable additional sources for rules.\n\nThe list of default sources for rules can be queried with the first command, and single sources can be enabled with the second command:\n```bash\nsuricata-update list-sources # Query the list of available sources\nsuricata-update enable-source <source-name> # Enable a specific source\n```\n\n### Adding dummy network interfaces for TLS traffic\n*(This step can be skipped if we do not want to monitor TLS traffic with Suricata)*\n\nSuppose we want to pipe the decrypted TLS traffic from PolarProxy to Suricata. In that case, we need to create one or multiple dummy network interfaces which Suricata can listen on next to the internet-connected network interface. Unfortunately, netplan does not support the creation of (persistent) dummy network interfaces. 
Therefore, we manually create a dummy network interface, which is not persistent across reboots:\n\n```bash\nsudo ip link add polarproxytls type dummy\n```\n\n### Configuration\nWhile the specific detection settings differ for each use case, the main changes we need to make to the Suricata configuration are to adjust `HOME_NET`, and to add any dummy network interfaces used with PolarProxy.\n\nFor `HOME_NET`, it makes sense to add the external IP subnet for a complete monitoring of the whole honeypot network:\n```yaml\nHOME_NET: \"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,198.51.100.XX/24]\"\n```\n\nThen, for the network interfaces, we specifically define only the internet-facing network interface, to avoid capturing all possible VLAN interfaces with duplicate and redundant traffic, and the dummy interface created for PolarProxy:\n\n```yaml\naf-packet:\n  - interface: enp4s0f0\n    cluster-id: 1\n    cluster-type: cluster_flow\n    defrag: yes\n    buffer-size: 131072\n\n  - interface: polarproxytls\n    cluster-id: 2\n    cluster-type: cluster_flow\n    defrag: yes\n```\n\nFurther adjustments can be made for other detection-related settings.\n\nTo start Suricata and let it autostart upon reboot, we can use:\n```bash\nsudo systemctl enable suricata\nsudo systemctl start suricata\n```\n\n### Pipe TLS traffic to the dummy network interface\nTo pipe any traffic from PolarProxy to the dummy network interface Suricata listens on, we use PolarProxy's PCAP-over-IP capabilities combined with `tcpreplay`.\n\nFirst, we need to allow loopback traffic so that `tcpreplay` can connect to any PCAP-over-IP ports from PolarProxy. 
\n\nWe can either create a blanket rule that allows unrestricted flow of loopback traffic:\n```bash\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A OUTPUT -o lo -j ACCEPT\n```\n\nAlternatively, a specific rule to only allow a single port can also be used, with 4430 being a replaceable example port we use for PCAP-over-IP:\n\n```bash\nsudo iptables -A INPUT -i lo -p tcp --dport 4430 -j ACCEPT\n```\n\nThen, we can append `--pcapoverip 4430` to the PolarProxy arguments, start PolarProxy and, in another terminal session, launch `tcpreplay`:\n```bash\nnc localhost 4430 | sudo tcpreplay -i polarproxytls -t -\n```\n\nMore details and information on how to make this setup persistent can be found in a [blog post from NETRESEC](https://www.netresec.com/?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion).\n\n## ELK (Gateway Machine)\nThe Elastic toolset provides a wide variety of valuable tools for SIEM. In our use case, we can use it to store and analyze the networking data from the Gateway Server, but also to collect events from inside the VMs themselves, such as executed commands or other suspicious activities detected by [Falco](https://falco.org/).\n\nUnfortunately, given that the setup from the master's thesis was based on Elasticsearch 7, and Elasticsearch 8 has made many changes concerning TLS, the same configuration no longer makes sense to use in the same way as before. Therefore, this section provides a relatively high-level view of how to combine each tool, with the details being omitted.\n\n### Elasticsearch (Installation in Docker)\nWe assume that Elasticsearch is installed inside a Docker container on the Gateway Machine. An example of setting Elasticsearch and Kibana up together is [the docker-compose example](https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-compose-file) listed in the documentation for Elasticsearch. 
While running a multi-node setup on the same host machine seems wasteful in terms of resources, modifying the `docker-compose.yml` file to only run a single node can lead to funky behavior later down the road.\n\nTo harden the Elasticsearch setup and avoid breaking the isolation between the different VMs, we disallow it to create any new outgoing connections to the VMs. Only connections initiated by the VMs should be accepted:\n```bash\nsudo iptables -I DOCKER-USER -s 172.16.0.0/12 -m state --state NEW -m iprange --dst-range 192.168.0.0-192.168.255.255 -j DROP\n```\n\nIn addition, we again only want to allow a specific trusted subnet to be able to access both Elasticsearch and Kibana from outside the machine, with all other connections being dropped:\n\n```bash\nsudo iptables -I DOCKER-USER -i enp4s0f0 -p tcp -m conntrack --ctorigdstport 5601 ! -s 192.0.2.0/24 -j DROP\nsudo iptables -I DOCKER-USER -i enp4s0f0 -p tcp -m conntrack --ctorigdstport 9200 ! -s 192.0.2.0/24 -j DROP\n```\n\nSame as before, replace `192.0.2.0/24` with your trusted subnet or IP.\n\n### Filebeat & Packetbeat\nOn the Gateway Server, we install Filebeat to collect the Suricata events, and Packetbeat to create visualizations for the network traffic.\n\nBoth services are installed outside of Docker, using the `.deb` releases and following the official installation tutorials [for Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html#installation) and [for Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html#installation). Note that while using APT is also possible, unexpected upgrades can break parts of the installation, either when using inconsistent versions, or when using API keys with tight permissions (as we do later).\n\nBoth links also provide short general instructions on how to connect both Beats to Elasticsearch. 
For the Gateway Server, we can use `localhost:9200` as the address. However, in case you did not set up the loopback firewall rules before, you either need to add the blanket \"allow all loopback\" traffic rule from before, or add the following specific exemptions:\n\n```bash\nsudo iptables -A INPUT -i lo -p tcp --dport 5601 -j ACCEPT\nsudo iptables -A INPUT -i lo -p tcp --dport 9200 -j ACCEPT\n```\n\nFor both tools, as stated in each installation tutorial, it makes sense to configure the `setup.kibana` section in the config to automatically create dashboards in Kibana. In the setup from the thesis, two Kibana spaces in combination with the optional `space.id` parameter were used to distinguish between the data from the Gateway Machine, and the data from the VMs.\n\nFor **Filebeat**, we enable the optional Suricata module to collect data from the Suricata EVE logs. The EVE output needs to be enabled in Suricata, which it is by default.\n\nFirst, we enable the module:\n```bash\nsudo filebeat modules enable suricata\n```\n\nThen, we can specify the path for the file in `/etc/filebeat/modules.d/suricata.yml`. 
In our case, this matches the default configuration:\n\n```yml\n- module: suricata\n  eve:\n    enabled: true\n    var.paths: [\"/var/log/suricata/eve.json\"]\n```\n\nAfterward, we can run the setup and finally start Filebeat:\n```bash\nsudo filebeat setup\nsudo systemctl enable filebeat\nsudo systemctl start filebeat\n```\n\nFor **Packetbeat**, after the general connection setup to Elasticsearch and Kibana, we add or modify the following entries in the configuration:\n\n```yaml\n# Only listen on the internet-connected interface, similar to Suricata\npacketbeat.interfaces.device: enp4s0f0\n\n# Enable af_packet with a slightly increased ring buffer size\npacketbeat.interfaces.type: af_packet\npacketbeat.interfaces.buffer_size_mb: 150\n\n# Enable GeoIP enrichment\noutput.elasticsearch.pipeline: geoip-info\n```\n\nUnfortunately, we cannot define multiple network interfaces in Packetbeat as we did in Suricata without resorting to the `any` interface, which captures *all* network devices including the VLANs. Therefore, we limit ourselves here to the internet-connected network interface.\n\nNow, we can start Packetbeat in the same fashion as Filebeat:\n```bash\nsudo packetbeat setup\nsudo systemctl enable packetbeat\nsudo systemctl start packetbeat\n```\n\nAfter the initial launch, if you did not already do it before, we can downgrade the credentials to the least possible privilege by creating an API key with minimal permissions for adding new entries. While this is not strictly necessary for the Gateway Machine, given that it is part of the \"trusted\" infrastructure, it might still prevent some harm. 
Examples on how to create such an API key can be found in the official documentation for [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/beats-api-keys.html#beats-api-key-publish) and for [Packetbeat](https://www.elastic.co/guide/en/beats/filebeat/current/beats-api-keys.html#beats-api-key-publish).\n\n### Logstash (Gateway Server, Slack Alerts)\nIn addition to the Beats, Logstash can be used on the same Suricata EVE log to send alerts to a Slack channel when high-severity attacks are detected.\n\nTo replicate this, [install Logstash](https://www.elastic.co/downloads/logstash) and the 3rd-party [Slack Output Plugin](https://github.com/logstash-plugins/logstash-output-slack). Then, a Logstash configuration needs to be added. An example which automatically sends Suricata alerts with \"Level 1\" severity can be found [here](logstash-suricata.conf), though from personal experience, it can be quite noisy and therefore might need further adjustments. The configuration file(s) need to be copied to `/etc/logstash/conf.d`, and afterward, Logstash can be started:\n\n```bash\nsudo systemctl enable logstash\nsudo systemctl start logstash\n```\n\n## ELK & Falco (VMs)\nAfter describing the setup on the Gateway Machine in the previous section, we now switch to the configuration inside the VM that allows us to track the behavior of attackers and additional generic metrics data. Note that this setup is not 100% ideal, given that everything runs as user-space processes which attackers can potentially kill or steal the credentials from. However, due to a lack of commonly available kernel-level surveillance modules for recent kernel versions, we use a common SIEM-based approach with tight permissions that should prevent the abuse of the Elasticsearch server.\n\n### Falco\nBefore we set up the Beats, we first install Falco using the official [installation guide](https://falco.org/docs/getting-started/installation/#installing). 
While Falco is primarily focused on container-based attacks, it nevertheless contains useful rules for other kinds of attacks and suspicious activities.\n\nBefore we start Falco, we need to enable the file output in the configuration in order for Filebeat to be able to collect any data from Falco. This can be achieved by creating the necessary directory:\n\n```bash\nsudo mkdir /var/log/falco\n```\n\nand adding the following entry to `/etc/falco/falco.yaml`:\n```yaml\nfile_output:\n  enabled: true\n  keep_alive: false\n  filename: /var/log/falco/falco.json\n```\n\nSince Filebeat will later parse this file as JSON lines, `json_output: true` also needs to be set in the same file.\n\nAfterwards, Falco can be started:\n```bash\nsudo systemctl enable falco\nsudo systemctl start falco\n```\n\n### Auditbeat, Filebeat, Metricbeat\nSimilarly to the Gateway machine, [Auditbeat](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-installation-configuration.html#install), [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html) and [Metricbeat](https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-installation-configuration.html) can be installed and configured following the official installation tutorials.\n\nFor the Elasticsearch server IP address, we need to use the internal IP address of the Gateway Server for `output.elasticsearch.hosts`:\n```yaml\noutput.elasticsearch:\n  hosts: [\"192.168.XX.1:9200\"]\n```\n\nIn addition, on the Gateway Server, we need to add an additional rule to allow a VM to make a connection to Elasticsearch:\n```bash\nsudo iptables -I DOCKER-USER -s 192.168.XX.2 -d 172.16.0.0/12 -p tcp --dport 9200 -m state --state NEW -j ACCEPT\n```\n\nGiven that the VMs run in an untrusted environment, the use of API keys is very important to prevent potential attackers from compromising the Elasticsearch server. However, on the very first use of the tools, the necessary indices are not yet created in Elasticsearch. 
The same applies to the Kibana dashboards, especially when running under a different `space.id`. Therefore, it either makes sense to run this setup in one trusted VM first with admin credentials (which should be securely wiped after the initial setup), or adapt the API key permissions to allow the creation of indicies and other required options. Following the principle of least privilege, the first option is preferable with an ephemeral trusted VM that is created to validate the setup and destroyed afterwards without any exposure to attackers.\n\nBut before we initally run each Beat, we make the following changes to the configuration:\n\n1. For **Auditbeat**, we need to add audit rules which Auditbeat should pass to the Linux kernel. For the setup in the thesis, a slightly modified ruleset from [Florian Roth's Auditd rules](https://github.com/Neo23x0/auditd), with incompatible rules for Auditbeat and Ubuntu 20.04 being removed. The used rules can be found as part of this repository in [audit-rules.conf](audit-rules.conf), though the rules might not be ideal for every use case and outdated after time of this writing.\n\n2. To integrate Falco with **Filebeat**, we need to add the following input to `/etc/filebeat/filebeat.yml`:\n```yaml\nfilebeat.inputs:\n- type: filestream\n  enabled: true\n  paths:\n    - /var/log/falco/falco.json\n  parsers:\n    - ndjson:\n      keys_under_root: true\n      add_error_key: true\n  index: \"falco-%{+yyyy.MM.dd}\"\n  ```\n\nWith all configurations into place, we can finally do an initial run for each tool using admin credentials or privileged API keys from a trusted VM.\n\nAfter the initial run, we can create API keys with the least required permissions to be used inside the honeypot VMs. 
We can use the official documentation to create the API keys for [Auditbeat](https://www.elastic.co/guide/en/beats/auditbeat/master/beats-api-keys.html#beats-api-key-publish) and [Metricbeat] (https://www.elastic.co/guide/en/beats/metricbeat/current/beats-api-keys.html#beats-api-key-publish).\n\nFor Filebeat, due to the additional Falco index, we need to slightly adapt the API key example from the documentation:\n\n```json\nPOST /_security/api_key\n{\n  \"name\": \"filebeat_hostXXX\", \n  \"role_descriptors\": {\n    \"filebeat_writer\": { \n      \"cluster\": [\"monitor\", \"read_ilm\", \"read_pipeline\"],\n      \"index\": [\n        {\n          \"names\": [\"filebeat-*\"],\n          \"privileges\": [\"view_index_metadata\", \"create_doc\"]\n        },\n        {\n          \"names\": [\"falco-*\"],\n          \"privileges\": [\"view_index_metadata\", \"create_doc\"]\n        }\n      ]\n    }\n  }\n}\n```\n\n### Filtering Beats traffic from the PCAPs\nWhen the Beats inside the VM communicate with the ElasticSearch server on the Gateway Server, the traffic is passed through the same network interface we are capturing. Since the Beats, especially Metricbeat, can produce quite a lot of data bloating up the PCAPs, we might not want to include it in the packet capture data we collect with TShark. \n\nUsing the same suggested filtering approach as above, we can instruct TShark to filter out any data going from or to ElasticSearch:\n```bash\ntshark -i vlan.XX -w /mnt/data/pcaps/vlanXX.pcap -f \"not ((src net 192.168.XX.1 and src port 9200) or (dst net 192.168.XX.1 and dst port 9200))\"\n```\n\nWhen already using the TLS or any other capture filter, we append the above capture filter to the existing one with an `and`. 
As an example with the suggested TLS filter:\n\n```bash\ntshark -i vlan.XX -w /mnt/data/pcaps/vlanXX.pcap -f \"not ((src net 192.168.XX.1) and (dst net 192.168.XX.2 and dst port YZ)) or ((src net 192.168.XX.2 and src port YZ) and (dst net 192.168.XX.1)) and not ((src net 192.168.XX.1 and src port 9200) or (dst net 192.168.XX.1 and dst port 9200))\"\n```\n\nThe letter conventions are the same as the previous examples in the packet capturing section, with XX being the VLAN ID and YZ the port from the VM PolarProxy connects to in either termination proxy mode (ZZ) or reverse proxy mode (YY)."
  },
  {
    "path": "audit-rules.conf",
    "content": "\n#      ___             ___ __      __\n#     /   | __  ______/ (_) /_____/ /\n#    / /| |/ / / / __  / / __/ __  /\n#   / ___ / /_/ / /_/ / / /_/ /_/ /\n#  /_/  |_\\__,_/\\__,_/_/\\__/\\__,_/\n#\n# Linux Audit Daemon - Best Practice Configuration\n# /etc/audit/audit.rules\n#\n# Compiled by Florian Roth\n#\n# Created  : 2017/12/05\n# Modified : 2021/09/22\n#\n# Based on rules published here:\n#   Gov.uk auditd rules\n#       https://github.com/gds-operations/puppet-auditd/pull/1\n#   CentOS 7 hardening\n# \t\thttps://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon\n# \tLinux audit repo\n# \t\thttps://github.com/linux-audit/audit-userspace/tree/master/rules\n# \tAuditd high performance linux auditing\n# \t\thttps://linux-audit.com/tuning-auditd-high-performance-linux-auditing/\n#\n# Further rules\n# \tFor PCI DSS compliance see:\n# \t\thttps://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules\n# \tFor NISPOM compliance see:\n# \t\thttps://github.com/linux-audit/audit-userspace/blob/master/rules/30-nispom.rules\n\n# Self Auditing ---------------------------------------------------------------\n\n## Audit the audit logs\n### Successful and unsuccessful attempts to read information from the audit records\n-w /var/log/audit/ -k auditlog\n\n## Auditd configuration\n### Modifications to audit configuration that occur while the audit collection functions are operating\n-w /etc/audit/ -p wa -k auditconfig\n-w /etc/libaudit.conf -p wa -k auditconfig\n-w /etc/audisp/ -p wa -k audispconfig\n\n## Monitor for use of audit management tools\n-w /sbin/auditctl -p x -k audittools\n-w /sbin/auditd -p x -k audittools\n-w /usr/sbin/augenrules -p x -k audittools\n\n# Filters ---------------------------------------------------------------------\n\n### We put these early because audit is a first match wins system.\n\n## Ignore SELinux AVC records\n-a always,exclude -F msgtype=AVC\n\n## Ignore current working directory 
records\n-a always,exclude -F msgtype=CWD\n\n## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)\n-a never,user -F subj_type=crond_t\n-a never,exit -F subj_type=crond_t\n\n## This is not very interesting and wastes a lot of space if the server is public facing\n-a always,exclude -F msgtype=CRYPTO_KEY_USER\n\n## VMWare tools\n-a never,exit -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2\n-a never,exit -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2\n\n## High Volume Event Filter (especially on Linux Workstations)\n-a never,exit -F arch=b32 -F dir=/dev/shm -k sharedmemaccess\n-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess\n-a never,exit -F arch=b32 -F dir=/var/lock/lvm -k locklvm\n-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm\n\n## FileBeat \n-a never,exit -F arch=b32 -F path=/usr/share/filebeat -k filebeat\n-a never,exit -F arch=b64 -F path=/usr/share/filebeat -k filebeat\n\n## More information on how to filter events\n### https://access.redhat.com/solutions/2482221\n\n# Rules -----------------------------------------------------------------------\n\n## Kernel parameters\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n\n## Kernel module loading and unloading\n-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules\n-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules\n-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n\n## Modprobe configuration\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n\n## KExec usage (all actions)\n-a always,exit -F arch=b64 -S kexec_load -k KEXEC\n-a always,exit -F arch=b32 -S sys_kexec_load 
-k KEXEC\n\n## Special files\n-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles\n-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles\n\n## Mount operations (only attributable)\n-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount\n-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount\n\n## Change swap (only attributable)\n-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap\n-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap\n\n### Local time zone\n-w /etc/localtime -p wa -k localtime\n\n## Stunnel\n-w /usr/sbin/stunnel -p x -k stunnel\n-w /usr/bin/stunnel -p x -k stunnel\n\n## Cron configuration & scheduled jobs\n-w /etc/cron.allow -p wa -k cron\n-w /etc/cron.deny -p wa -k cron\n-w /etc/cron.d/ -p wa -k cron\n-w /etc/cron.daily/ -p wa -k cron\n-w /etc/cron.hourly/ -p wa -k cron\n-w /etc/cron.monthly/ -p wa -k cron\n-w /etc/cron.weekly/ -p wa -k cron\n-w /etc/crontab -p wa -k cron\n-w /var/spool/cron/ -k cron\n\n## User, group, password databases\n-w /etc/group -p wa -k etcgroup\n-w /etc/passwd -p wa -k etcpasswd\n-w /etc/gshadow -k etcgroup\n-w /etc/shadow -k etcpasswd\n-w /etc/security/opasswd -k opasswd\n\n## Sudoers file changes\n-w /etc/sudoers -p wa -k actions\n-w /etc/sudoers.d/ -p wa -k actions\n\n## Passwd\n-w /usr/bin/passwd -p x -k passwd_modification\n\n## Tools to change group identifiers\n-w /usr/sbin/groupadd -p x -k group_modification\n-w /usr/sbin/groupmod -p x -k group_modification\n-w /usr/sbin/addgroup -p x -k group_modification\n-w /usr/sbin/useradd -p x -k user_modification\n-w /usr/sbin/userdel -p x -k user_modification\n-w /usr/sbin/usermod -p x -k user_modification\n-w /usr/sbin/adduser -p x -k user_modification\n\n## Login configuration and information\n-w /etc/login.defs -p wa -k login\n-w /etc/securetty -p wa -k login\n-w /var/log/faillog -p wa -k login\n-w /var/log/lastlog -p wa -k login\n-w /var/log/tallylog -p wa -k login\n\n## Network 
Environment\n### Changes to hostname\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications\n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications\n\n### Successful IPv4 Connections\n-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4\n-a always,exit -F arch=b32 -S connect -F a2=16 -F success=1 -F key=network_connect_4\n\n### Successful IPv6 Connections\n-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6\n-a always,exit -F arch=b32 -S connect -F a2=28 -F success=1 -F key=network_connect_6\n\n### Changes to other files\n-w /etc/hosts -p wa -k network_modifications\n-w /etc/sysconfig/network -p wa -k network_modifications\n-w /etc/sysconfig/network-scripts -p w -k network_modifications\n-w /etc/network/ -p wa -k network\n-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications\n\n### Changes to issue\n-w /etc/issue -p wa -k etcissue\n-w /etc/issue.net -p wa -k etcissue\n\n## System startup scripts\n-w /etc/inittab -p wa -k init\n-w /etc/init.d/ -p wa -k init\n-w /etc/init/ -p wa -k init\n\n## Library search paths\n-w /etc/ld.so.conf -p wa -k libpath\n-w /etc/ld.so.conf.d -p wa -k libpath\n\n## Systemwide library preloads (LD_PRELOAD)\n-w /etc/ld.so.preload -p wa -k systemwide_preloads\n\n## Pam configuration\n-w /etc/pam.d/ -p wa -k pam\n-w /etc/security/limits.conf -p wa  -k pam\n-w /etc/security/limits.d -p wa  -k pam\n-w /etc/security/pam_env.conf -p wa -k pam\n-w /etc/security/namespace.conf -p wa -k pam\n-w /etc/security/namespace.d -p wa -k pam\n-w /etc/security/namespace.init -p wa -k pam\n\n## Mail configuration\n-w /etc/aliases -p wa -k mail\n-w /etc/postfix/ -p wa -k mail\n-w /etc/exim4/ -p wa -k mail\n\n## SSH configuration\n-w /etc/ssh/sshd_config -k sshd\n-w /etc/ssh/sshd_config.d -k sshd\n\n## root ssh key tampering\n-w /root/.ssh -p wa -k rootkey\n\n# Systemd\n-w /bin/systemctl -p x -k systemd\n-w 
/etc/systemd/ -p wa -k systemd\n\n## SELinux events that modify the system's Mandatory Access Controls (MAC)\n-w /etc/selinux/ -p wa -k mac_policy\n\n## Critical elements access failures\n-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess\n-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess\n\n## Process ID change (switching accounts) applications\n-w /bin/su -p x -k priv_esc\n-w /usr/bin/sudo -p x -k priv_esc\n-w /etc/sudoers -p rw -k priv_esc\n-w /etc/sudoers.d -p rw -k priv_esc\n\n## Power state\n-w /sbin/shutdown -p x -k power\n-w /sbin/poweroff -p x -k power\n-w /sbin/reboot -p x -k power\n-w /sbin/halt -p x -k power\n\n## Session initiation information\n-w /var/run/utmp -p wa -k session\n-w /var/log/btmp -p wa -k session\n-w /var/log/wtmp -p wa -k session\n\n## Discretionary Access Control (DAC) modifications\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F 
auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S chmod  -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod\n\n# Special Rules ---------------------------------------------------------------\n\n## Reconnaissance\n-w /usr/bin/whoami -p x -k recon\n-w /usr/bin/id -p x -k recon\n-w /bin/hostname -p x -k recon\n-w /bin/uname -p x -k recon\n-w /etc/issue -p r -k recon\n-w /etc/hostname -p r -k recon\n\n## Suspicious activity\n-w /usr/bin/wget -p x -k susp_activity\n-w /usr/bin/curl -p x -k susp_activity\n-w /usr/bin/base64 -p x -k susp_activity\n-w /bin/nc -p x -k susp_activity\n-w /bin/netcat -p x -k susp_activity\n-w /usr/bin/ncat -p x -k susp_activity\n-w /usr/bin/ssh 
-p x -k susp_activity\n-w /usr/bin/scp -p x -k susp_activity\n-w /usr/bin/sftp -p x -k susp_activity\n-w /usr/bin/ftp -p x -k susp_activity\n-w /usr/bin/socat -p x -k susp_activity\n-w /usr/bin/wireshark -p x -k susp_activity\n-w /usr/bin/tshark -p x -k susp_activity\n-w /usr/bin/rawshark -p x -k susp_activity\n-w /usr/bin/rdesktop -p x -k susp_activity\n-w /usr/bin/nmap -p x -k susp_activity\n\n## Added to catch netcat on Ubuntu\n-w /bin/nc.openbsd -p x -k susp_activity\n-w /bin/nc.traditional -p x -k susp_activity\n\n## Sbin suspicious activity\n-w /sbin/iptables -p x -k sbin_susp\n-w /sbin/ip6tables -p x -k sbin_susp\n-w /sbin/ifconfig -p x -k sbin_susp\n-w /usr/sbin/arptables -p x -k sbin_susp\n-w /usr/sbin/ebtables -p x -k sbin_susp\n-w /sbin/xtables-nft-multi -p x -k sbin_susp\n-w /usr/sbin/nft -p x -k sbin_susp\n-w /usr/sbin/tcpdump -p x -k sbin_susp\n-w /usr/sbin/traceroute -p x -k sbin_susp\n-w /usr/sbin/ufw -p x -k sbin_susp\n\n## dbus-send invocation\n### may indicate privilege escalation CVE-2021-3560\n-w /usr/bin/dbus-send -p x -k dbus_send\n\n## pkexec invocation\n### may indicate privilege escalation CVE-2021-4034\n-w /usr/bin/pkexec -p x -k pkexec\n\n## Suspicious shells\n#-w /bin/ash -p x -k susp_shell\n#-w /bin/bash -p x -k susp_shell\n#-w /bin/csh -p x -k susp_shell\n#-w /bin/dash -p x -k susp_shell\n#-w /bin/busybox -p x -k susp_shell\n#-w /bin/ksh -p x -k susp_shell\n#-w /bin/fish -p x -k susp_shell\n#-w /bin/tcsh -p x -k susp_shell\n#-w /bin/tclsh -p x -k susp_shell\n#-w /bin/zsh -p x -k susp_shell\n\n## Shell/profile configurations\n-w /etc/profile.d/ -p wa -k shell_profiles\n-w /etc/profile -p wa -k shell_profiles\n-w /etc/shells -p wa -k shell_profiles\n-w /etc/bashrc -p wa -k shell_profiles\n-w /etc/csh.cshrc -p wa -k shell_profiles\n-w /etc/csh.login -p wa -k shell_profiles\n-w /etc/fish/ -p wa -k shell_profiles\n-w /etc/zsh/ -p wa -k shell_profiles\n\n## Injection\n### These rules watch for code injection by the ptrace facility.\n### 
This could indicate someone trying to do something bad or just debugging\n-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection\n-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection\n-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection\n-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection\n-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection\n-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection\n-a always,exit -F arch=b32 -S ptrace -k tracing\n-a always,exit -F arch=b64 -S ptrace -k tracing\n\n## Privilege Abuse\n### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.\n-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse\n\n# Software Management ---------------------------------------------------------\n\n# RPM (Redhat/CentOS)\n-w /usr/bin/rpm -p x -k software_mgmt\n-w /usr/bin/yum -p x -k software_mgmt\n\n# DNF (Fedora/RedHat 8/CentOS 8)\n-w /usr/bin/dnf -p x -k software_mgmt\n\n# YAST/Zypper/RPM (SuSE)\n-w /sbin/yast -p x -k software_mgmt\n-w /sbin/yast2 -p x -k software_mgmt\n-w /bin/rpm -p x -k software_mgmt\n-w /usr/bin/zypper -k software_mgmt\n\n# DPKG / APT-GET (Debian/Ubuntu)\n-w /usr/bin/dpkg -p x -k software_mgmt\n-w /usr/bin/apt -p x -k software_mgmt\n-w /usr/bin/apt-add-repository -p x -k software_mgmt\n-w /usr/bin/apt-get -p x -k software_mgmt\n-w /usr/bin/aptitude -p x -k software_mgmt\n-w /usr/bin/wajig -p x -k software_mgmt\n-w /usr/bin/snap -p x -k software_mgmt\n\n# PIP (Python installs)\n-w /usr/bin/pip -p x -k software_mgmt\n-w /usr/bin/pip3 -p x -k software_mgmt\n\n# Special Software ------------------------------------------------------------\n\n## GDS specific secrets\n-w /etc/puppet/ssl -p wa -k puppet_ssl\n\n## IBM Bigfix BESClient\n-a always,exit -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient\n-w /var/opt/BESClient/ -p wa -k 
soft_besclient\n\n## CHEF https://www.chef.io/chef/\n-w /etc/chef -p wa -k soft_chef\n\n## Docker\n-w /usr/bin/dockerd -k docker\n-w /usr/bin/docker -k docker\n-w /usr/bin/docker-containerd -k docker\n-w /usr/bin/docker-runc -k docker\n-w /var/lib/docker -k docker\n-w /etc/docker -k docker\n-w /etc/sysconfig/docker -k docker\n-w /etc/sysconfig/docker-storage -k docker\n-w /usr/lib/systemd/system/docker.service -k docker\n\n## Kubelet\n-w /usr/bin/kubelet -k kubelet\n\n# High Volume Events ----------------------------------------------------------\n\n## Remove them if they cause too much volume in your environment\n\n## Root command executions\n-a always,exit -F arch=b64 -F euid=0 -S execve -k rootcmd\n-a always,exit -F arch=b32 -F euid=0 -S execve -k rootcmd\n\n## File Deletion Events by User\n-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete\n-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete\n\n## File Access\n### Unauthorized Access (unsuccessful)\n-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access\n\n### Unsuccessful Creation\n-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation\n-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation\n-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation\n-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation\n\n### Unsuccessful Modification\n-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification\n-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification\n-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification\n-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification\n\n## 32bit API Exploitation\n### If you are on a 64 bit platform, everything _should_ be running\n### in 64 bit mode. This rule will detect any use of the 32 bit syscalls\n### because this might be a sign of someone exploiting a hole in the 32\n### bit API.\n-a always,exit -F arch=b32 -S all -k 32bit_api"
  },
  {
    "path": "logstash-suricata.conf",
    "content": "input {\n  file {\n    path => [\"/var/log/suricata/eve.json\"]\n    sincedb_path => [\"/var/lib/logstash/since.db\"]\n    codec => json\n    type => \"SuricataIDPS\"\n  }\n}\n\nfilter {\n  date {\n    match => [\"timestamp\", \"ISO8601\"]\n    target => \"timestamp_obj\"\n  }\n\n  ruby {\n    code => \"event.set('timestamp_pacific', event.get('timestamp_obj').time.localtime('-07:00').strftime('%Y/%m/%d %H:%M:%S'))\"\n  }\n}\n\noutput {\n    if [alert] {\n      if [alert][severity] and [alert][severity] == 1 {\n        slack {\n            url => \"https://hooks.slack.com/services/<ADD OWN SLACK HOOK HERE>\"\n            format => \"*%{timestamp_pacific} IDS ALERT*: %{src_ip} -> %{dest_ip}:%{dest_port}: %{[alert][signature]} (%{[alert][category]}, Level %{[alert][severity]})\"\n        }\n    }\n  }\n}"
  },
  {
    "path": "netplan.yaml",
    "content": "# This is the network config written by 'subiquity'\nnetwork:\n  version: 2\n  ethernets:\n    enp4s0f0:\n      addresses: \n        - 198.51.100.42/24 # Gateway server external IP address \n        - 198.51.100.4/24 # Honeypot Service\n        - 198.51.100.12/24 # Another Honeypot Service\n      gateway4: 198.51.100.1\n      dhcp4: false\n      nameservers:\n        addresses: [8.8.8.8, 8.8.4.4]\n    enp7s0f0:\n      dhcp4: false\n      addresses: [192.168.1.1/30]\n  vlans:\n    vlan.2:\n      id: 2\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.2.1/30]\n    vlan.3:\n      id: 3\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.3.1/30]\n    vlan.4:\n      id: 4\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.4.1/30]\n    vlan.5:\n      id: 5\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.5.1/30]\n    vlan.6:\n      id: 6\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.6.1/30]\n    vlan.7:\n      id: 7\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.7.1/30]\n    vlan.8:\n      id: 8\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.8.1/30]\n    vlan.9:\n      id: 9\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.9.1/30]\n    vlan.10:\n      id: 10\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.10.1/30]\n    vlan.11:\n      id: 11\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.11.1/30]\n    vlan.12:\n      id: 12\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.12.1/30]\n    vlan.13:\n      id: 13\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.13.1/30]\n    vlan.14:\n      id: 14\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.14.1/30]\n    vlan.15:\n      id: 15\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.15.1/30]\n    vlan.16:\n      id: 16\n      dhcp4: 
false\n      link: enp7s0f0\n      addresses: [192.168.16.1/30]\n    vlan.17:\n      id: 17\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.17.1/30]\n    vlan.18:\n      id: 18\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.18.1/30]\n    vlan.19:\n      id: 19\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.19.1/30]\n    vlan.20:\n      id: 20\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.20.1/30]\n    vlan.21:\n      id: 21\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.21.1/30]\n    vlan.22:\n      id: 22\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.22.1/30]\n    vlan.23:\n      id: 23\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.23.1/30]\n    vlan.24:\n      id: 24\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.24.1/30]\n    vlan.25:\n      id: 25\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.25.1/30]\n    vlan.26:\n      id: 26\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.26.1/30]\n    vlan.27:\n      id: 27\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.27.1/30]\n    vlan.28:\n      id: 28\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.28.1/30]\n    vlan.29:\n      id: 29\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.29.1/30]\n    vlan.30:\n      id: 30\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.30.1/30]\n    vlan.31:\n      id: 31\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.31.1/30]\n    vlan.32:\n      id: 32\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.32.1/30]\n    vlan.33:\n      id: 33\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.33.1/30]\n    vlan.34:\n      id: 34\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.34.1/30]\n    vlan.35:\n      id: 
35\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.35.1/30]\n    vlan.36:\n      id: 36\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.36.1/30]\n    vlan.37:\n      id: 37\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.37.1/30]\n    vlan.38:\n      id: 38\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.38.1/30]\n    vlan.39:\n      id: 39\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.39.1/30]\n    vlan.40:\n      id: 40\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.40.1/30]\n    vlan.41:\n      id: 41\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.41.1/30]\n    vlan.42:\n      id: 42\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.42.1/30]\n    vlan.43:\n      id: 43\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.43.1/30]\n    vlan.44:\n      id: 44\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.44.1/30]\n    vlan.45:\n      id: 45\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.45.1/30]\n    vlan.46:\n      id: 46\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.46.1/30]\n    vlan.47:\n      id: 47\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.47.1/30]\n    vlan.48:\n      id: 48\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.48.1/30]\n    vlan.49:\n      id: 49\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.49.1/30]\n    vlan.50:\n      id: 50\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.50.1/30]\n    vlan.51:\n      id: 51\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.51.1/30]\n    vlan.52:\n      id: 52\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.52.1/30]\n    vlan.53:\n      id: 53\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.53.1/30]\n    
vlan.54:\n      id: 54\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.54.1/30]\n    vlan.55:\n      id: 55\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.55.1/30]\n    vlan.56:\n      id: 56\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.56.1/30]\n    vlan.57:\n      id: 57\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.57.1/30]\n    vlan.58:\n      id: 58\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.58.1/30]\n    vlan.59:\n      id: 59\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.59.1/30]\n    vlan.60:\n      id: 60\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.60.1/30]\n    vlan.61:\n      id: 61\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.61.1/30]\n    vlan.62:\n      id: 62\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.62.1/30]\n    vlan.63:\n      id: 63\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.63.1/30]\n    vlan.64:\n      id: 64\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.64.1/30]\n    vlan.65:\n      id: 65\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.65.1/30]\n    vlan.66:\n      id: 66\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.66.1/30]\n    vlan.67:\n      id: 67\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.67.1/30]\n    vlan.68:\n      id: 68\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.68.1/30]\n    vlan.69:\n      id: 69\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.69.1/30]\n    vlan.70:\n      id: 70\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.70.1/30]\n    vlan.71:\n      id: 71\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.71.1/30]\n    vlan.72:\n      id: 72\n      dhcp4: false\n      link: enp7s0f0\n      addresses: 
[192.168.72.1/30]\n    vlan.73:\n      id: 73\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.73.1/30]\n    vlan.74:\n      id: 74\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.74.1/30]\n    vlan.75:\n      id: 75\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.75.1/30]\n    vlan.76:\n      id: 76\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.76.1/30]\n    vlan.77:\n      id: 77\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.77.1/30]\n    vlan.78:\n      id: 78\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.78.1/30]\n    vlan.79:\n      id: 79\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.79.1/30]\n    vlan.80:\n      id: 80\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.80.1/30]\n    vlan.81:\n      id: 81\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.81.1/30]\n    vlan.82:\n      id: 82\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.82.1/30]\n    vlan.83:\n      id: 83\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.83.1/30]\n    vlan.84:\n      id: 84\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.84.1/30]\n    vlan.85:\n      id: 85\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.85.1/30]\n    vlan.86:\n      id: 86\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.86.1/30]\n    vlan.87:\n      id: 87\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.87.1/30]\n    vlan.88:\n      id: 88\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.88.1/30]\n    vlan.89:\n      id: 89\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.89.1/30]\n    vlan.90:\n      id: 90\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.90.1/30]\n    vlan.91:\n      id: 91\n      dhcp4: false\n      link: enp7s0f0\n   
   addresses: [192.168.91.1/30]\n    vlan.92:\n      id: 92\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.92.1/30]\n    vlan.93:\n      id: 93\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.93.1/30]\n    vlan.94:\n      id: 94\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.94.1/30]\n    vlan.95:\n      id: 95\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.95.1/30]\n    vlan.96:\n      id: 96\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.96.1/30]\n    vlan.97:\n      id: 97\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.97.1/30]\n    vlan.98:\n      id: 98\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.98.1/30]\n    vlan.99:\n      id: 99\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.99.1/30]\n    vlan.100:\n      id: 100\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.100.1/30]\n    vlan.101:\n      id: 101\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.101.1/30]\n    vlan.102:\n      id: 102\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.102.1/30]\n    vlan.103:\n      id: 103\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.103.1/30]\n    vlan.104:\n      id: 104\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.104.1/30]\n    vlan.105:\n      id: 105\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.105.1/30]\n    vlan.106:\n      id: 106\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.106.1/30]\n    vlan.107:\n      id: 107\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.107.1/30]\n    vlan.108:\n      id: 108\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.108.1/30]\n    vlan.109:\n      id: 109\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.109.1/30]\n    vlan.110:\n      id: 
110\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.110.1/30]\n    vlan.111:\n      id: 111\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.111.1/30]\n    vlan.112:\n      id: 112\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.112.1/30]\n    vlan.113:\n      id: 113\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.113.1/30]\n    vlan.114:\n      id: 114\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.114.1/30]\n    vlan.115:\n      id: 115\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.115.1/30]\n    vlan.116:\n      id: 116\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.116.1/30]\n    vlan.117:\n      id: 117\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.117.1/30]\n    vlan.118:\n      id: 118\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.118.1/30]\n    vlan.119:\n      id: 119\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.119.1/30]\n    vlan.120:\n      id: 120\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.120.1/30]\n    vlan.121:\n      id: 121\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.121.1/30]\n    vlan.122:\n      id: 122\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.122.1/30]\n    vlan.123:\n      id: 123\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.123.1/30]\n    vlan.124:\n      id: 124\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.124.1/30]\n    vlan.125:\n      id: 125\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.125.1/30]\n    vlan.126:\n      id: 126\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.126.1/30]\n    vlan.127:\n      id: 127\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.127.1/30]\n    vlan.128:\n      id: 128\n      dhcp4: false\n      link: 
enp7s0f0\n      addresses: [192.168.128.1/30]\n    vlan.129:\n      id: 129\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.129.1/30]\n    vlan.130:\n      id: 130\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.130.1/30]\n    vlan.131:\n      id: 131\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.131.1/30]\n    vlan.132:\n      id: 132\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.132.1/30]\n    vlan.133:\n      id: 133\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.133.1/30]\n    vlan.134:\n      id: 134\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.134.1/30]\n    vlan.135:\n      id: 135\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.135.1/30]\n    vlan.136:\n      id: 136\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.136.1/30]\n    vlan.137:\n      id: 137\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.137.1/30]\n    vlan.138:\n      id: 138\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.138.1/30]\n    vlan.139:\n      id: 139\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.139.1/30]\n    vlan.140:\n      id: 140\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.140.1/30]\n    vlan.141:\n      id: 141\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.141.1/30]\n    vlan.142:\n      id: 142\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.142.1/30]\n    vlan.143:\n      id: 143\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.143.1/30]\n    vlan.144:\n      id: 144\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.144.1/30]\n    vlan.145:\n      id: 145\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.145.1/30]\n    vlan.146:\n      id: 146\n      dhcp4: false\n      link: enp7s0f0\n      addresses: 
[192.168.146.1/30]\n    vlan.147:\n      id: 147\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.147.1/30]\n    vlan.148:\n      id: 148\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.148.1/30]\n    vlan.149:\n      id: 149\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.149.1/30]\n    vlan.150:\n      id: 150\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.150.1/30]\n    vlan.151:\n      id: 151\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.151.1/30]\n    vlan.152:\n      id: 152\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.152.1/30]\n    vlan.153:\n      id: 153\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.153.1/30]\n    vlan.154:\n      id: 154\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.154.1/30]\n    vlan.155:\n      id: 155\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.155.1/30]\n    vlan.156:\n      id: 156\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.156.1/30]\n    vlan.157:\n      id: 157\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.157.1/30]\n    vlan.158:\n      id: 158\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.158.1/30]\n    vlan.159:\n      id: 159\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.159.1/30]\n    vlan.160:\n      id: 160\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.160.1/30]\n    vlan.161:\n      id: 161\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.161.1/30]\n    vlan.162:\n      id: 162\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.162.1/30]\n    vlan.163:\n      id: 163\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.163.1/30]\n    vlan.164:\n      id: 164\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.164.1/30]\n    vlan.165:\n   
   id: 165\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.165.1/30]\n    vlan.166:\n      id: 166\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.166.1/30]\n    vlan.167:\n      id: 167\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.167.1/30]\n    vlan.168:\n      id: 168\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.168.1/30]\n    vlan.169:\n      id: 169\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.169.1/30]\n    vlan.170:\n      id: 170\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.170.1/30]\n    vlan.171:\n      id: 171\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.171.1/30]\n    vlan.172:\n      id: 172\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.172.1/30]\n    vlan.173:\n      id: 173\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.173.1/30]\n    vlan.174:\n      id: 174\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.174.1/30]\n    vlan.175:\n      id: 175\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.175.1/30]\n    vlan.176:\n      id: 176\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.176.1/30]\n    vlan.177:\n      id: 177\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.177.1/30]\n    vlan.178:\n      id: 178\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.178.1/30]\n    vlan.179:\n      id: 179\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.179.1/30]\n    vlan.180:\n      id: 180\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.180.1/30]\n    vlan.181:\n      id: 181\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.181.1/30]\n    vlan.182:\n      id: 182\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.182.1/30]\n    vlan.183:\n      id: 183\n      dhcp4: false\n      
link: enp7s0f0\n      addresses: [192.168.183.1/30]\n    vlan.184:\n      id: 184\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.184.1/30]\n    vlan.185:\n      id: 185\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.185.1/30]\n    vlan.186:\n      id: 186\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.186.1/30]\n    vlan.187:\n      id: 187\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.187.1/30]\n    vlan.188:\n      id: 188\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.188.1/30]\n    vlan.189:\n      id: 189\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.189.1/30]\n    vlan.190:\n      id: 190\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.190.1/30]\n    vlan.191:\n      id: 191\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.191.1/30]\n    vlan.192:\n      id: 192\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.192.1/30]\n    vlan.193:\n      id: 193\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.193.1/30]\n    vlan.194:\n      id: 194\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.194.1/30]\n    vlan.195:\n      id: 195\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.195.1/30]\n    vlan.196:\n      id: 196\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.196.1/30]\n    vlan.197:\n      id: 197\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.197.1/30]\n    vlan.198:\n      id: 198\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.198.1/30]\n    vlan.199:\n      id: 199\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.199.1/30]\n    vlan.200:\n      id: 200\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.200.1/30]\n    vlan.201:\n      id: 201\n      dhcp4: false\n      link: enp7s0f0\n      addresses: 
[192.168.201.1/30]\n    vlan.202:\n      id: 202\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.202.1/30]\n    vlan.203:\n      id: 203\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.203.1/30]\n    vlan.204:\n      id: 204\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.204.1/30]\n    vlan.205:\n      id: 205\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.205.1/30]\n    vlan.206:\n      id: 206\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.206.1/30]\n    vlan.207:\n      id: 207\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.207.1/30]\n    vlan.208:\n      id: 208\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.208.1/30]\n    vlan.209:\n      id: 209\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.209.1/30]\n    vlan.210:\n      id: 210\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.210.1/30]\n    vlan.211:\n      id: 211\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.211.1/30]\n    vlan.212:\n      id: 212\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.212.1/30]\n    vlan.213:\n      id: 213\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.213.1/30]\n    vlan.214:\n      id: 214\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.214.1/30]\n    vlan.215:\n      id: 215\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.215.1/30]\n    vlan.216:\n      id: 216\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.216.1/30]\n    vlan.217:\n      id: 217\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.217.1/30]\n    vlan.218:\n      id: 218\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.218.1/30]\n    vlan.219:\n      id: 219\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.219.1/30]\n    vlan.220:\n   
   id: 220\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.220.1/30]\n    vlan.221:\n      id: 221\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.221.1/30]\n    vlan.222:\n      id: 222\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.222.1/30]\n    vlan.223:\n      id: 223\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.223.1/30]\n    vlan.224:\n      id: 224\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.224.1/30]\n    vlan.225:\n      id: 225\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.225.1/30]\n    vlan.226:\n      id: 226\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.226.1/30]\n    vlan.227:\n      id: 227\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.227.1/30]\n    vlan.228:\n      id: 228\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.228.1/30]\n    vlan.229:\n      id: 229\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.229.1/30]\n    vlan.230:\n      id: 230\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.230.1/30]\n    vlan.231:\n      id: 231\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.231.1/30]\n    vlan.232:\n      id: 232\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.232.1/30]\n    vlan.233:\n      id: 233\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.233.1/30]\n    vlan.234:\n      id: 234\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.234.1/30]\n    vlan.235:\n      id: 235\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.235.1/30]\n    vlan.236:\n      id: 236\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.236.1/30]\n    vlan.237:\n      id: 237\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.237.1/30]\n    vlan.238:\n      id: 238\n      dhcp4: false\n      
link: enp7s0f0\n      addresses: [192.168.238.1/30]\n    vlan.239:\n      id: 239\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.239.1/30]\n    vlan.240:\n      id: 240\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.240.1/30]\n    vlan.241:\n      id: 241\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.241.1/30]\n    vlan.242:\n      id: 242\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.242.1/30]\n    vlan.243:\n      id: 243\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.243.1/30]\n    vlan.244:\n      id: 244\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.244.1/30]\n    vlan.245:\n      id: 245\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.245.1/30]\n    vlan.246:\n      id: 246\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.246.1/30]\n    vlan.247:\n      id: 247\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.247.1/30]\n    vlan.248:\n      id: 248\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.248.1/30]\n    vlan.249:\n      id: 249\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.249.1/30]\n    vlan.250:\n      id: 250\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.250.1/30]\n    vlan.251:\n      id: 251\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.251.1/30]\n    vlan.252:\n      id: 252\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.252.1/30]\n    vlan.253:\n      id: 253\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.253.1/30]\n    vlan.254:\n      id: 254\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.254.1/30]\n    vlan.255:\n      id: 255\n      dhcp4: false\n      link: enp7s0f0\n      addresses: [192.168.255.1/30]"
  }
]