Update of list-vagrant

ansible/inventory/host_files/list-vagrant/fail2ban/jail.local

@@ -0,0 +1,8 @@
+[DEFAULT]
+bantime = 3600
+
+[sshd]
+enabled = true
+action  = iptables[name=SSH, port=ssh, protocol=tcp]
+          f2b-warden[name=SSH, port=ssh, protocol=tcp, wardenpath=/data/warden/]
+

ansible/inventory/host_files/list-vagrant/ipfixcol/profiles.xml

@@ -1,75 +1,132 @@
 <?xml version="1.0"?>
 <!-- Live profile (default - always must exists) -->
 <profile name="live">
-	<!--## Type of a profile -->
-	<type>normal</type>
-	<!--## Directory for data store of valuable data and statistics -->
-	<directory>/data/flow/live/</directory>
+  <!--## Type of a profile -->
+  <type>normal</type>
+  <!--## Directory for data store of valuable data and statistics -->
+  <directory>/data/flow/live/</directory>
+  <!-- List of channels that belong to the profile -->
+  <channelList>
+    <channel name="ipv4">
+      <!--## List of sources from which channel will receive data -->
+      <sourceList>
+        <!--## Live profile always use "*" -->
+        <source>*</source>
+      </sourceList>
+      <!--## Filter applied on records, specifying whether it belongs to the profile -->
+      <filter>ipVersion = 4</filter>
+    </channel>
+    <channel name="ipv6">
+      <sourceList>
+        <source>*</source>
+      </sourceList>
+      <filter>ipv6</filter>
+    </channel>
 
-	<!-- List of channels that belong to the profile -->
-	<channelList>
-		<channel name="ipv4">
-			<!--## List of sources from which channel will receive data -->
-			<sourceList>
-				<!--## Live profile always use "*" -->
-				<source>*</source>
-			</sourceList>
-			<!--## Filter applied on records, specifying whether it belongs to the profile -->
-			<filter>ipVersion = 4</filter>
-		</channel>
-		<channel name="ipv6">
-			<sourceList>
-				<source>*</source>
-			</sourceList>
-			<filter>ipv6</filter>
-		</channel>
-	</channelList>
+    <!-- Channels by Observation Domain ID -->
+    <!--
+    <channel name="mynet1">
+      <sourceList>
+        <source>*</source>
+      </sourceList>
+      <filter>odid = 1</filter>
+    </channel>
+    <channel name="mynet2">
+      <sourceList>
+        <source>*</source>
+      </sourceList>
+      <filter>odid = 2</filter>
+    </channel>
+    -->
 
-	<!--## List of subprofiles that belong to the live profile -->
-	<subprofileList>
-		<!--## Example subprofile for -->
-		<profile name="emails">
-			<type>normal</type>
-			<directory>/data/flow/live/emails/</directory>
+  </channelList>
+  <!--## List of subprofiles that belong to the live profile -->
+  <subprofileList>
+    <!--## Example subprofile for -->
+    <profile name="emails">
+      <type>normal</type>
+      <directory>/data/flow/live/emails/</directory>
+      <channelList>
+        <!-- POP3 flows -->
+        <channel name="pop3">
+          <sourceList>
+            <!--## Sources are channels only from the parent profile -->
+            <source>ipv4</source>
+            <source>ipv6</source>
+          </sourceList>
+          <filter>port in [110 995]</filter>
+        </channel>
+        <!-- IMAP flows -->
+        <channel name="imap">
+          <sourceList>
+            <source>ipv4</source>
+            <source>ipv6</source>
+          </sourceList>
+          <filter>port in [143 993]</filter>
+        </channel>
+        <!-- SMTP flows -->
+        <channel name="smtp">
+          <sourceList>
+            <source>ipv4</source>
+            <source>ipv6</source>
+          </sourceList>
+          <filter>port in [25 465]</filter>
+        </channel>
+      </channelList>
+    </profile>
 
-			<channelList>
-				<!-- POP3 flows -->
-				<channel name="pop3">
-					<sourceList>
-						<!--## Sources are channels only from the parent profile -->
-						<source>ipv4</source>
-						<source>ipv6</source>
-					</sourceList>
-					<filter>
-						port in [110 995 ]
-					</filter>
-				</channel>
+    <!-- Subprofiles by Interface per each Observation Domain ID -->
+    <!--
+    <profile name="mynet1">
+      <type>normal</type>
+      <directory>/data/flow/live/mynet1/</directory>
+      <channelList>
+        <channel name="wan">
+          <sourceList>
+            <source>mynet1</source>
+          </sourceList>
+          <filter>ingressInterface = 0</filter>
+        </channel>
+        <channel name="lan">
+          <sourceList>
+            <source>mynet1</source>
+          </sourceList>
+          <filter>ingressInterface = 1</filter>
+        </channel>
+        <channel name="guest">
+          <sourceList>
+            <source>mynet1</source>
+          </sourceList>
+          <filter>ingressInterface = 2</filter>
+        </channel>
+      </channelList>
+    </profile>
+    <profile name="mynet2">
+      <type>normal</type>
+      <directory>/data/flow/live/mynet2/</directory>
+      <channelList>
+        <channel name="wan">
+          <sourceList>
+            <source>mynet2</source>
+          </sourceList>
+          <filter>ingressInterface = 0</filter>
+        </channel>
+        <channel name="lan">
+          <sourceList>
+            <source>mynet2</source>
+          </sourceList>
+          <filter>ingressInterface = 1</filter>
+        </channel>
+        <channel name="guest">
+          <sourceList>
+            <source>mynet2</source>
+          </sourceList>
+          <filter>ingressInterface = 2</filter>
+        </channel>
+      </channelList>
+    </profile>
+    -->
 
-				<!-- IMAP flows -->
-				<channel name="imap">
-					<sourceList>
-						<source>ipv4</source>
-						<source>ipv6</source>
-					</sourceList>
-					<filter>
-						port in [143 993]
-					</filter>
-				</channel>
-
-				<!-- SMTP flows -->
-				<channel name="smtp">
-					<sourceList>
-						<source>ipv4</source>
-						<source>ipv6</source>
-					</sourceList>
-					<filter>
-						sourceTransportPort == 25 or
-						destinationTransportPort == 25 or
-						sourceTransportPort == 465 or
-						destinationTransportPort == 465
-					</filter>
-				</channel>
-			</channelList>
-		</profile>
-	</subprofileList>
+  </subprofileList>
 </profile>
+

ansible/inventory/host_files/list-vagrant/nemea/detectors/blacklistfilter.sup

@@ -10,7 +10,7 @@
 <name>ipblacklistfilter</name>
 <enabled>true</enabled>
 <path>/usr/bin/nemea/ipblacklistfilter</path>
-<params> </params>
+<params/>
 <trapinterfaces>
 <interface>
   <type>UNIXSOCKET</type>

ansible/inventory/host_files/list-vagrant/nemea/detectors/blacklistfilter_with_af.sup.example

@@ -0,0 +1,158 @@
+<module>
+<name>blacklist_downloader</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/bl_downloader.py</path>
+<params>--repo-path /data/blacklistfilter/blacklist_repo</params>
+<trapinterfaces/>
+</module>
+
+<module>
+<name>ipblacklistfilter</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/ipblacklistfilter</path>
+<params/>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>flow_data_source</params>
+</interface>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>OUT</direction>
+  <params>ipblacklist_aggregator_ur_sock</params>
+</interface>
+</trapinterfaces>
+</module>
+
+<module>
+<name>ipblacklist_aggregator_ur</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/agg</path>
+<params>-k SRC_IP -k DST_IP -k PROTOCOL -k DST_PORT -s BYTES -s PACKETS -o SRC_BLACKLIST -o DST_BLACKLIST -t g:60</params>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>ipblacklist_aggregator_ur_sock</params>
+</interface>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>OUT</direction>
+  <params>blacklist_aggregator_ip:timeout=1000</params>
+</interface>
+</trapinterfaces>
+</module>
+
+<module>
+<name>blacklist_aggregator_json</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/blacklist_aggregator.py</path>
+<params>-t 5</params>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>blacklist_aggregator_ip</params>
+</interface>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>blacklist_aggregator_url</params>
+</interface>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>OUT</direction>
+  <params>adaptive_ip_url2:timeout=NO_WAIT</params>
+</interface>
+</trapinterfaces>
+</module>
+
+<module>
+<name>urlblacklistfilter</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/urlblacklistfilter</path>
+<params/>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>http_data_source</params>
+</interface>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>OUT</direction>
+  <params>blacklist_aggregator_url</params>
+</interface>
+</trapinterfaces>
+</module>
+
+<module>
+<name>dnsblacklistfilter</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/dnsblacklistfilter</path>
+<params/>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>dns_data_source</params>
+</interface>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>OUT</direction>
+  <params>adaptive_dns</params>
+</interface>
+</trapinterfaces>
+</module>
+
+<module>
+<name>adaptive_ipblacklistfilter</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/ipblacklistfilter</path>
+<params>-4 /tmp/blacklistfilter/adaptive.blist</params>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>flow_data_source</params>
+</interface>
+<interface>
+  <type>FILE</type>
+  <direction>OUT</direction>
+  <params>/data/blacklistfilter/evidence_adaptive</params>
+</interface>
+</trapinterfaces>
+</module>
+
+<module>
+<name>adaptive_filter</name>
+<enabled>true</enabled>
+<path>/usr/bin/nemea/adaptive_filter</path>
+<params>-p 30 -l 20 -e 300</params>
+<trapinterfaces>
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>adaptive_ip_url2</params>
+</interface>
+
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>IN</direction>
+  <params>adaptive_dns</params>
+</interface>
+
+<interface>
+  <type>UNIXSOCKET</type>
+  <direction>OUT</direction>
+  <params>blacklist2idea_sock:timeout=NO_WAIT</params>
+</interface>
+
+<interface>
+  <type>FILE</type>
+  <direction>OUT</direction>
+  <params>/data/blacklistfilter/evidence_detection</params>
+</interface>
+</trapinterfaces>
+</module>

ansible/inventory/host_files/list-vagrant/nemea/detectors/dnstunnel_detection.sup

@@ -6,7 +6,7 @@
 <interface>
   <type>UNIXSOCKET</type>
   <direction>IN</direction>
-  <params>flow_data_source</params>
+  <params>dns_data_source</params>
 </interface>
 <interface>
   <type>TCP</type>