...
This commit is contained in:
parent
ab1d7e2546
commit
20c9f1ae56
44
12/1.txt
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
Używając polecenia `ethtool -k <interface>` możemy zobaczyć poniższe opcje (wyciąłem te fixed):
|
||||||
|
Features for enp2s0f0:
|
||||||
|
|
||||||
|
rx-checksumming: on
|
||||||
|
|
||||||
|
tx-checksumming: on
|
||||||
|
|
||||||
|
tx-checksum-ipv4: on
|
||||||
|
|
||||||
|
tx-checksum-ipv6: on
|
||||||
|
|
||||||
|
scatter-gather: on
|
||||||
|
|
||||||
|
tx-scatter-gather: on
|
||||||
|
|
||||||
|
tcp-segmentation-offload: on
|
||||||
|
|
||||||
|
tx-tcp-segmentation: on
|
||||||
|
|
||||||
|
tx-tcp-mangleid-segmentation: off
|
||||||
|
|
||||||
|
tx-tcp6-segmentation: on
|
||||||
|
|
||||||
|
generic-segmentation-offload: on
|
||||||
|
|
||||||
|
generic-receive-offload: on
|
||||||
|
|
||||||
|
large-receive-offload: off
|
||||||
|
|
||||||
|
rx-vlan-offload: on
|
||||||
|
|
||||||
|
tx-vlan-offload: on
|
||||||
|
|
||||||
|
receive-hashing: on
|
||||||
|
|
||||||
|
rx-vlan-filter: on
|
||||||
|
|
||||||
|
tx-udp_tnl-segmentation: on
|
||||||
|
|
||||||
|
tx-udp_tnl-csum-segmentation: on
|
||||||
|
|
||||||
|
tx-gso-partial: on
|
||||||
|
|
||||||
|
tx-nocache-copy: off
|
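Review bot: the listing records which offloads are on for enp2s0f0 but not why they matter or what was changed, so a reader cannot tell whether this is the before or the after state. For an interface used as a capture/IDS tap (13/3.txt in this same commit is about Suricata), `generic-receive-offload: on`, `tcp-segmentation-offload: on` and `generic-segmentation-offload: on` mean the capture path sees coalesced or oversized segments instead of what was on the wire, which breaks per-packet signatures and shows up as oversized packets in pcaps, and `tx-checksumming: on` is why locally captured outgoing packets show bad checksums. Add the command that was (or should be) used to turn them off, e.g. `ethtool -K enp2s0f0 gro off gso off tso off lro off`, plus a second `ethtool -k` listing after the change, and say which features were deliberately left on (`large-receive-offload: off` is already off here). Also, "wyciąłem te fixed" drops the `[fixed]` entries silently; mention that `ethtool -k` marks those as `[fixed]` so the reader knows they cannot be toggled on this NIC.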
11
13/1.txt
@ -3,21 +3,18 @@
|
|||||||
|
|
||||||
2. Dodawanie sygnatur
|
2. Dodawanie sygnatur
|
||||||
a) HTML
|
a) HTML
|
||||||
ClamAV contains HTML normalization code which makes it easier to write signatures for HTML data that might differ based on white space, capitalization, and other insignificant differences. Running sigtool --html-normalise on a HTML file can be used to see what a file’s contents will look like after normalization. This command should generate the following files:
|
ClamAV zawiera znormalizowany dla ułatwienia HTML. Uruchomienie `sigtool --html-normalise <file.html>` pokaże nam jakby wyglądał znormalizowany. Ta komenda wyprodukuje:
|
||||||
|
|
||||||
nocomment.html - znormalizowany, lower-case, wyrzucone komentarze i white-spaces
|
nocomment.html - znormalizowany, lower-case, wyrzucone komentarze i white-spaces
|
||||||
notags.html - jak powyżej, ale tagi html są wyrzucone
|
notags.html - jak powyżej, ale tagi html są wyrzucone
|
||||||
javascript - any script contents are normalized and the results appended to this file
|
javascript - każdy skrypt jaki był załączony w html'u, również znormalizowany
|
||||||
|
|
||||||
The code automatically decodes JScript.encode parts and char ref’s (e.g. f). To create a successful signature for the input file type, the rule must match on the contents of one of the created files. Signatures matching on normalized HTML should have a target type of 3. For reference, see Target Types.
|
|
||||||
|
|
||||||
|
|
||||||
b) Pliki tekstowe
|
b) Pliki tekstowe
|
||||||
Similarly to HTML all ASCII text files get normalized (converted to lower-case, all superfluous white space and control characters removed, etc.) before scanning. Running sigtool --ascii-normalise on a text file will result in a normalized version being written to the file named ‘normalised_text’. Rules matching on normalized ASCII text should have a target type of 7. For reference, see Target Types.
|
Tak jak powyżej, znormalizowane pliki ASCII. Uruchomienie `sigtool --ascii-normalise <file.txt>` pokaże nam jakby wyglądał znormalizowany. Ta komenda wyprodukuje plik ‘normalised_text’. Reguły dopasowania normalizacji ASCII powinny być typu siódmego.
|
||||||
|
|
||||||
|
|
||||||
c) Skompresowane pliki wykonywalne (UPX, FSG, Petite, ...)
|
c) Skompresowane pliki wykonywalne (UPX, FSG, Petite, ...)
|
||||||
ClamAV będzie próbował automatycznie wypakować plik. To inspect the executable that results from ClamAV’s unpacking process, run clamscan with --debug --leave-temps. Example output for a FSG compressed file:
|
ClamAV będzie próbował automatycznie wypakować plik. By zobaczyć wynik uruchom clamscan z opcjami --debug --leave-temps. Przykładowy wynik:
|
||||||
|
|
||||||
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
|
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
|
||||||
LibClamAV debug: FSG: found old EP @119e0
|
LibClamAV debug: FSG: found old EP @119e0
|
||||||
|
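Review bot: the translation "ClamAV zawiera znormalizowany dla ułatwienia HTML" loses the point of the original sentence, which is that ClamAV contains HTML normalization code so that signatures are not defeated by differences in whitespace, capitalization and other insignificant details; that reason is why the normalized files exist and should survive the rewrite. The paragraph beginning "The code automatically decodes JScript.encode parts and char ref's" is removed with no Polish counterpart, and with it the rule that a signature matching normalized HTML must use target type 3; the ASCII section does keep its rule ("powinny być typu siódmego"), so the two sections are now inconsistent. Keep the target type for HTML as well, or a signature written from these notes will be given the wrong target. Smaller points: "Example output for a FSG compressed file" became just "Przykładowy wynik", so it is no longer clear that the `FSG: found old EP @119e0` line is specific to FSG, and the `--debug --leave-temps` sentence should say where the unpacked temporaries are left (clamscan's temp directory, settable with `--tempdir`) so the reader can actually inspect the unpacked executable.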
107
13/2/2.html
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
|
||||||
|
<html lang="en">
|
||||||
|
<head>
|
||||||
|
<meta charset="utf-8" />
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
|
||||||
|
<link
|
||||||
|
rel="stylesheet"
|
||||||
|
href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css"
|
||||||
|
integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO"
|
||||||
|
crossorigin="anonymous"
|
||||||
|
/>
|
||||||
|
<title>CAS UAM</title>
|
||||||
|
<link type="text/css" rel="stylesheet" href="https://cas.amu.edu.pl/cas/css/casuam.css" />
|
||||||
|
</head>
|
||||||
|
|
||||||
|
<body class="text-center">
|
||||||
|
<div class="cas-container">
|
||||||
|
<div class="cas-top">
|
||||||
|
<img class="mb-4" src="https://cas.amu.edu.pl/cas/images/uam-znak-biale.svg" alt="" />
|
||||||
|
<div class="cas-name">
|
||||||
|
<p><span class="first">C</span>ENTRALNY <span class="first">S</span>YSTEM</p>
|
||||||
|
<p><span class="first">U</span>WIERZYTELNIANIA</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div class="cas-content">
|
||||||
|
<form id="fm1" class="form-signin" onsubmit="return warner_not_bros(this)">
|
||||||
|
<h2>Wprowadź dane logowania</h2>
|
||||||
|
|
||||||
|
<input
|
||||||
|
type="text"
|
||||||
|
id="username"
|
||||||
|
name="username"
|
||||||
|
class="form-control"
|
||||||
|
placeholder="Identyfikator użytkownika:"
|
||||||
|
tabindex="1"
|
||||||
|
path="username"
|
||||||
|
autocomplete="false"
|
||||||
|
htmlEscape="true"
|
||||||
|
required
|
||||||
|
autofocus
|
||||||
|
/>
|
||||||
|
|
||||||
|
<input
|
||||||
|
type="password"
|
||||||
|
id="password"
|
||||||
|
name="password"
|
||||||
|
class="form-control"
|
||||||
|
placeholder="Hasło:"
|
||||||
|
tabindex="2"
|
||||||
|
path="password"
|
||||||
|
htmlEscape="true"
|
||||||
|
autocomplete="off"
|
||||||
|
required
|
||||||
|
/>
|
||||||
|
|
||||||
|
<div class="cas-buttons">
|
||||||
|
<input type="hidden" name="lt" value="LT-221304-JDAOk2hSHQrigNyWdnD5j7Obx4VIYE" />
|
||||||
|
<input type="hidden" name="execution" value="e1s1" />
|
||||||
|
<input type="hidden" name="_eventId" value="submit" />
|
||||||
|
|
||||||
|
<button class="btn btn-sm btn-outline-secondary" type="submit" name="submit" accesskey="l" tabindex="4">
|
||||||
|
ZALOGUJ
|
||||||
|
</button>
|
||||||
|
<button class="btn btn-sm btn-outline-secondary" type="reset" name="reset" accesskey="c" tabindex="5">
|
||||||
|
WYCZYŚĆ
|
||||||
|
</button>
|
||||||
|
</div>
|
||||||
|
<div class="cas-locale">
|
||||||
|
<a
|
||||||
|
href="login?service=https%3A%2F%2Fusosweb.amu.edu.pl%2Fkontroler.php%3F_action%3Dlogowaniecas%2Findex&locale=pl"
|
||||||
|
>Polski</a
|
||||||
|
>
|
||||||
|
|
|
||||||
|
<a
|
||||||
|
href="login?service=https%3A%2F%2Fusosweb.amu.edu.pl%2Fkontroler.php%3F_action%3Dlogowaniecas%2Findex&locale=en"
|
||||||
|
>English</a
|
||||||
|
>
|
||||||
|
</div>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
<div class="cas-bottom">
|
||||||
|
<p>
|
||||||
|
<span class="first">U</span>NIWERSYTET IM. <span class="first">A</span>DAMA
|
||||||
|
<span class="first">M</span>ICKIEWICZA W <span class="first">P</span>OZNANIU
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
|
||||||
|
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.5/jquery-ui.min.js"></script>
|
||||||
|
<!-- <script type="text/javascript" src="/cas/js/cas.js;jsessionid=1D2C9BB917F21A1E54E216FAF40930C3"></script> -->
|
||||||
|
<script>
|
||||||
|
function warner_not_bros() {
|
||||||
|
var password = document.getElementById('password')
|
||||||
|
|
||||||
|
alert(`
|
||||||
|
[PL]
|
||||||
|
Polecam uważać na phishing następnym razem ;) bo to hasło (${password.value}) może wyciec!
|
||||||
|
[EN]
|
||||||
|
I suggest you to be more careful, because this password (${password.value}) might leak!
|
||||||
|
`)
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
</html>
|
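Review bot: the hidden field `<input type="hidden" name="lt" value="LT-221304-JDAOk2hSHQrigNyWdnD5j7Obx4VIYE" />` and the `jsessionid=1D2C9BB917F21A1E54E216FAF40930C3` in the commented-out `/cas/js/cas.js` script tag are session-bound values copied from a real login page; they serve no purpose in a sample that never submits (`onsubmit="return warner_not_bros(this)"` always returns false and the form has no `action` or `method`), so replace them with placeholders before they land in repository history. On the handler itself: `warner_not_bros(this)` passes the form but `function warner_not_bros()` declares no parameter and looks the field up by id, so either use the argument or drop it. `autocomplete="false"` on the username input is not a valid value; use `autocomplete="off"` as on the password input. The `path="..."` and `htmlEscape="true"` attributes are Spring form-tag leftovers that mean nothing in static HTML, and the jquery 1.4.2 and jqueryui 1.8.5 includes are loaded but never used; dropping them also leaves the normalizer less to strip. Finally, a one-line comment stating that this is a phishing-lookalike sample for the ClamAV signature exercise would help, since the purpose is only implied by the alert text.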
3
13/2/javascript
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
<script></script>
|
||||||
|
<script></script>
|
||||||
|
<script>function n000(){var n001=document.getelementbyid("password")alert([pl]polecam uwa a na phishing nast pnym razem;)bo to has o(${n001.value})mo e wyciec![en]i suggest you to be more careful,because this n001(${n001.value})might leak!)return false}</script>
|
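Review bot: whoever writes the signature needs to know that this `javascript` file, not the source in 2.html, is what an HTML-target signature will be matched against, and the normalizer has rewritten it substantially: `warner_not_bros` became `n000`, the variable `password` became `n001`, and because the template-literal backticks were dropped the rename also hit the word inside the message text ("because this n001(${n001.value})"), while `getElementById` was lowercased and the Polish diacritics were stripped ("polecam uwa a na phishing nast pnym razem"). A signature on `password` or `warner_not_bros` therefore will not match here; anchor on text that survives, e.g. `getelementbyid("password")` (the double-quoted string is kept verbatim), `polecam uwa a na phishing` or `might leak!`. The first two `<script></script>` lines are the two external jquery includes with their `src` not fetched, so they carry nothing to match on. Since the identifier names depend on declaration order, note in 13/1.txt that a signature must be re-derived from this file whenever the sample script changes.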
1
13/2/nocomment.html
Normal file
@ -0,0 +1 @@
|
|||||||
|
<html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-mcw98/sfnge8fjt3gxweongsv7zt27nxfoaoapmym81iuxopkfojwj8erdknlpmo" crossorigin="anonymous" /><title>cas uam</title><link type="text/css" rel="stylesheet" href="https://cas.amu.edu.pl/cas/css/casuam.css" /></head><body class="text-center"><div class="cas-container"><div class="cas-top"><img class="mb-4" src="https://cas.amu.edu.pl/cas/images/uam-znak-biale.svg" alt="" /><div class="cas-name"><p><span class="first">c</span>entralny <span class="first">s</span>ystem</p><p><span class="first">u</span>wierzytelniania</p></div></div><div class="cas-content"><form id="fm1" class="form-signin" onsubmit="return warner_not_bros(this)"><h2>wprowadź dane logowania</h2><input type="text" id="username" name="username" class="form-control" placeholder="identyfikator użytkownika:" tabindex="1" path="username" autocomplete="false" htmlescape="true" required autofocus /><input type="password" id="password" name="password" class="form-control" placeholder="hasło:" tabindex="2" path="password" htmlescape="true" autocomplete="off" required /><div class="cas-buttons"><input type="hidden" name="lt" value="lt-221304-jdaok2hshqrignywdnd5j7obx4viye" /><input type="hidden" name="execution" value="e1s1" /><input type="hidden" name="_eventid" value="submit" /><button class="btn btn-sm btn-outline-secondary" type="submit" name="submit" accesskey="l" tabindex="4">zaloguj </button><button class="btn btn-sm btn-outline-secondary" type="reset" name="reset" accesskey="c" tabindex="5">wyczyŚĆ </button></div><div class="cas-locale"><a href="login?service=https%3a%2f%2fusosweb.amu.edu.pl%2fkontroler.php%3f_action%3dlogowaniecas%2findex&locale=pl">polski</a>| <a 
href="login?service=https%3a%2f%2fusosweb.amu.edu.pl%2fkontroler.php%3f_action%3dlogowaniecas%2findex&locale=en">english</a></div></form></div><div class="cas-bottom"><p><span class="first">u</span>niwersytet im. <span class="first">a</span>dama <span class="first">m</span>ickiewicza w <span class="first">p</span>oznaniu </p></div></div><script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script><script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.5/jquery-ui.min.js"></script></script>--> <script>functionwarner_not_bros(){varpassword=document.getelementbyid("password")alert(`[pl]polecamuważaćnaphishingnastępnymrazem;)botohasło(${password.value})możewyciec![en]isuggestyoutobemorecareful,becausethispassword(${password.value})mightleak!`)returnfalse}</script></body></html>
|
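Review bot: two things in this flattened output matter for the exercise. The commented-out script tag came out as `</script></script>--> <script>`: the `<!-- <script ... jsessionid=...>` opening is gone but a stray `</script>-->` remains, so the comment stripping and the script handling disagree at that boundary; do not anchor a signature across it. The inline script here has only had its whitespace removed (`functionwarner_not_bros(){varpassword=document.getelementbyid("password")alert(...`), which differs from the `javascript` file in the same commit (identifiers renamed, backticks and diacritics stripped), so a body match cannot be copied between the two files and must be written against the one the chosen target type uses. The `lt` token also survives, lowercased (`lt-221304-...`), which is another reason to scrub it from the source sample. The break after `polski</a>| <a` may be viewer wrapping; if it is really a newline in the committed file, say so, because normalization should have removed it and offset-based matching would be affected.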
BIN
13/2/notags.html
Normal file
Binary file not shown.
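Review bot: notags.html is shown as binary, so its contents cannot be reviewed here, and the other two normalizer outputs in this directory are derived artifacts of `sigtool --html-normalise` run on 2.html (as 13/1.txt describes). Either do not commit the generated files, or record the ClamAV/sigtool version that produced them so they can be regenerated and compared.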
30
13/3.txt
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
Konfiguracja IDS i IPS w Suricata:
|
||||||
|
|
||||||
|
|
||||||
|
10.1.10.2. IDS mode
|
||||||
|
Runmode AutoFp:
|
||||||
|
|
||||||
|
management-cpu-set - used for management (example - flow.managers, flow.recyclers)
|
||||||
|
receive-cpu-set - used for receive and decode
|
||||||
|
worker-cpu-set - used for streamtcp,detect,output(logging),reject
|
||||||
|
Rumode Workers:
|
||||||
|
|
||||||
|
management-cpu-set - used for management (example - flow.managers, flow.recyclers)
|
||||||
|
worker-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject
|
||||||
|
|
||||||
|
|
||||||
|
10.1.10.3. IPS mode
|
||||||
|
Runmode AutoFp:
|
||||||
|
|
||||||
|
management-cpu-set - used for management (example - flow.managers, flow.recyclers)
|
||||||
|
receive-cpu-set - used for receive and decode
|
||||||
|
worker-cpu-set - used for streamtcp,detect,output(logging)
|
||||||
|
verdict-cpu-set - used for verdict and respond/reject
|
||||||
|
Runmode Workers:
|
||||||
|
|
||||||
|
management-cpu-set - used for management (example - flow.managers, flow.recyclers)
|
||||||
|
worker-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject, verdict
|
||||||
|
|
||||||
|
|
||||||
|
Źródło:
|
||||||
|
https://suricata.readthedocs.io/en/suricata-6.0.1/configuration/suricata-yaml.html
|
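Review bot: the file is titled "Konfiguracja IDS i IPS w Suricata" but contains only the per-runmode list of thread groups copied from sections 10.1.10.2 and 10.1.10.3 of the manual, and never shows the configuration itself. Add the `threading:` section of suricata.yaml these sets map to (`set-cpu-affinity: yes` and the `cpu-affinity:` list with `management-cpu-set`, `receive-cpu-set`, `worker-cpu-set` and `verdict-cpu-set`, each with a `cpu:` list and optional `mode`/`prio`) and the top-level `runmode:` value chosen (`autofp` or `workers`), otherwise a reader cannot apply the notes. The listing already shows why the choice matters: in workers mode one thread does "receive,streamtcp,decode,detect,output(logging),respond/reject" and in IPS mode "verdict" as well, while autofp puts verdict on its own `verdict-cpu-set`; a pinned `receive-cpu-set` in a workers configuration is therefore unused, which is worth stating. Typo: "Rumode Workers" should be "Runmode Workers". The "10.1.10.2."/"10.1.10.3." prefixes are the manual's section numbers; since the source link at the bottom already identifies them, either drop the numbers or keep them as quoted headings consistently.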
BIN
426254-l10.tb2
Binary file not shown.
BIN
426254-l9.tb2
Binary file not shown.