SekiDesu01/firewall-roulette
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new file: .gitignore

Browse Source 
modified:   README.md
	new file:   app/dashboard.py
	new file:   app/main.py
	new file:   docker-compose.yml
	new file:   snort/local.rules
	new file:   snort/snort-logs/soc_actions.log
	new file:   snort/snort.lua
	new file:   snort/snort3-community.rules
This commit is contained in:
SekiDesu0
2026-05-29 21:22:34 -04:00
parent 03544b828d
commit 19c23117b9
9 changed files with 4923 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
snort/local.rules Normal file
View File

@@ -0,0 +1,9 @@
# Auto-generated by LLM
drop tcp 77.247.97.72 any -> 192.168.1.225 8080 (msg:"LLM Block"; sid:1000001; rev:1;)
# Auto-generated by LLM
drop tcp 45.33.32.156 any -> 192.168.1.50 80 (msg:"LLM Block"; sid:1000002; rev:1;)
# Auto-generated by LLM
drop udp 21.154.103.61 any -> 192.168.1.53 80 (msg:"LLM Block"; sid:1000003; rev:1;)

30
snort/snort-logs/soc_actions.log Normal file
View File

@@ -0,0 +1,30 @@
SOC Action Log Initialized.
Waiting for Snort to create /var/log/snort/alert_json.txt...
Log found. Tailing for alerts...
Sent alert to Discord successfully.
Asking LLM for a block rule...
LLM Reasoning: Analysis:
The alert shows an external IP (77.247.97.72) attacking an internal IP (192.168.1.225) on port 8080 via TCP. The source IP is a valid external address, and the destination is within the protected 192.168.1.0/24 network. All conditions are met to generate a block rule.
I'll create a Snort 3 drop rule that precisely matches the specified syntax:
LLM generated rule: drop tcp 77.247.97.72 any -> 192.168.1.225 8080 (msg:"LLM Block"; sid:1000001; rev:1;)
Rule successfully appended to local.rules.
Sent alert to Discord successfully.
Asking LLM for a block rule...
LLM Reasoning: Analysis of the alert payload:
The alert shows an external IP (45.33.32.156) scanning an internal host (192.168.1.50) on port 80 using TCP. The source IP is a clear, non-local external IP address, and it's targeting a specific internal network host. This meets all the criteria for generating a blocking Snort rule. I will create a rule to drop TCP traffic from this specific external attacker IP to the internal destination.
LLM generated rule: drop tcp 45.33.32.156 any -> 192.168.1.50 80 (msg:"LLM Block"; sid:1000002; rev:1;)
Rule successfully appended to local.rules.
Sent alert to Discord successfully.
Asking LLM for a block rule...
LLM Reasoning: Analysis of the alert payload:
- The source IP (21.154.103.61) is a valid external IP address
- The destination is within the protected 192.168.1.0/24 network
- The protocol is UDP
- Destination port is 80
- This meets all the criteria for generating a block rule
I will generate a Snort 3 drop rule to block UDP traffic from this specific external attacker to the internal network:
LLM generated rule: drop udp 21.154.103.61 any -> 192.168.1.53 80 (msg:"LLM Block"; sid:1000003; rev:1;)
Rule successfully appended to local.rules.

279
snort/snort.lua Normal file
View File

@@ -0,0 +1,279 @@
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------
-- there are over 200 modules available to tune your policy.
-- many can be used with defaults w/o any explicit configuration.
-- use this conf as a template for your specific configuration.
-- 1. configure defaults
-- 2. configure inspection
-- 3. configure bindings
-- 4. configure performance
-- 5. configure detection
-- 6. configure filters
-- 7. configure outputs
-- 8. configure tweaks
---------------------------------------------------------------------------
-- 1. configure defaults
---------------------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = '192.168.1.0/24'
-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'
include 'snort_defaults.lua'
---------------------------------------------------------------------------
-- 2. configure inspection
---------------------------------------------------------------------------
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- mod = default_mod uses external defaults
-- you can see them in snort_defaults.lua
-- the following are quite capable with defaults:
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
stream_user = { }
stream_file = { }
arp_spoof = { }
back_orifice = { }
dns = { }
imap = { }
netflow = {}
normalizer = { }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
cip = { }
dnp3 = { }
iec104 = { }
mms = { }
modbus = { }
opcua = { }
s7commplus = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }
-- see snort_defaults.lua for default_*
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp
ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }
http_inspect = { }
http2_inspect = { }
-- see file_magic.rules for file id rules
file_id = { rules_file = 'file_magic.rules' }
file_policy = { }
js_norm = default_js_norm
-- the following require additional configuration to be fully effective:
appid =
{
-- appid requires this to use appids in rules
--app_detector_dir = 'directory to load appid detectors from'
}
--[[
reputation =
{
-- configure one or both of these, then uncomment reputation
-- (see also related path vars at the top of snort_defaults.lua)
--blacklist = 'blacklist file name with ip lists'
--whitelist = 'whitelist file name with ip lists'
}
--]]
---------------------------------------------------------------------------
-- 3. configure bindings
---------------------------------------------------------------------------
wizard = default_wizard
binder =
{
-- port bindings required for protocols without wizard support
{ when = { proto = 'udp', ports = '53', role='server' }, use = { type = 'dns' } },
{ when = { proto = 'tcp', ports = '53', role='server' }, use = { type = 'dns' } },
{ when = { proto = 'tcp', ports = '111', role='server' }, use = { type = 'rpc_decode' } },
{ when = { proto = 'tcp', ports = '502', role='server' }, use = { type = 'modbus' } },
{ when = { proto = 'tcp', ports = '2123 2152 3386', role='server' }, use = { type = 'gtp_inspect' } },
{ when = { proto = 'tcp', ports = '2404', role='server' }, use = { type = 'iec104' } },
{ when = { proto = 'udp', ports = '2222', role = 'server' }, use = { type = 'cip' } },
{ when = { proto = 'tcp', ports = '44818', role = 'server' }, use = { type = 'cip' } },
{ when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
{ when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
{ when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } },
{ when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } },
{ when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } },
{ when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } },
{ when = { service = 'cip' }, use = { type = 'cip' } },
{ when = { service = 'dnp3' }, use = { type = 'dnp3' } },
{ when = { service = 'dns' }, use = { type = 'dns' } },
{ when = { service = 'ftp' }, use = { type = 'ftp_server' } },
{ when = { service = 'ftp-data' }, use = { type = 'ftp_data' } },
{ when = { service = 'gtp' }, use = { type = 'gtp_inspect' } },
{ when = { service = 'imap' }, use = { type = 'imap' } },
{ when = { service = 'http' }, use = { type = 'http_inspect' } },
{ when = { service = 'http2' }, use = { type = 'http2_inspect' } },
{ when = { service = 'iec104' }, use = { type = 'iec104' } },
{ when = { service = 'mms' }, use = { type = 'mms' } },
{ when = { service = 'modbus' }, use = { type = 'modbus' } },
{ when = { service = 'opcua' }, use = { type = 'opcua' } },
{ when = { service = 'pop3' }, use = { type = 'pop' } },
{ when = { service = 'ssh' }, use = { type = 'ssh' } },
{ when = { service = 'sip' }, use = { type = 'sip' } },
{ when = { service = 'smtp' }, use = { type = 'smtp' } },
{ when = { service = 'ssl' }, use = { type = 'ssl' } },
{ when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } },
{ when = { service = 's7commplus' }, use = { type = 's7commplus' } },
{ when = { service = 'telnet' }, use = { type = 'telnet' } },
{ use = { type = 'wizard' } }
}
---------------------------------------------------------------------------
-- 4. configure performance
---------------------------------------------------------------------------
-- use latency to monitor / enforce packet and rule thresholds
--latency = { }
-- use these to capture perf data for analysis and tuning
--profiler = { }
--perf_monitor = { }
---------------------------------------------------------------------------
-- 5. configure detection
---------------------------------------------------------------------------
references = default_references
classifications = default_classifications
ips =
{
-- use this to enable decoder and inspector alerts
enable_builtin_rules = false,
include = "/etc/snort/rules/snort3-community.rules",
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
-- (see also related path vars at the top of snort_defaults.lua)
variables = default_variables
}
-- use these to configure additional rule actions
-- react = { }
-- reject = { }
-- use this to enable payload injection utility
-- payload_injector = { }
---------------------------------------------------------------------------
-- 6. configure filters
---------------------------------------------------------------------------
-- below are examples of filters
-- each table is a list of records
--[[
suppress =
{
-- don't want to any of see these
{ gid = 1, sid = 1 },
-- don't want to see anything for a given host
{ track = 'by_dst', ip = '1.2.3.4' }
-- don't want to see these for a given host
{ gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
}
--]]
--[[
event_filter =
{
-- reduce the number of events logged for some rules
{ gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
{ gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 },
}
--]]
--[[
rate_filter =
{
-- alert on connection attempts from clients in SOME_NET
{ gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
-- alert on connections to servers over threshold
{ gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
new_action = 'alert', timeout = 1 },
}
--]]
---------------------------------------------------------------------------
-- 7. configure outputs
---------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
--alert_csv = { }
--alert_fast = { }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }
---------------------------------------------------------------------------
-- 8. configure tweaks
---------------------------------------------------------------------------
if ( tweaks ~= nil ) then
include(tweaks .. '.lua')
end

4017
snort/snort3-community.rules Normal file
View File

File diff suppressed because it is too large Load Diff