Skip to content

1. Rules

Jump to bottom
Georgii Gennadev edited this page Feb 13, 2024 · 6 revisions

Overview

The main idea of rules is how BounceBack matches traffic, so here you can find how to configure and combine them in the most flexible way.

The rules section defines all user-created rules: their names, types and parameters. Rules are created one by one, starting from the top, so if one rule uses another, then the nested one must be declared first. An example rules configuration is shown below:

rules:
  - name: default_ip_banlist
    type: ip
    params:
      list: data/banned_ips.txt

  - *another rule*

Rule parameters:

  1. name - unique name, that will be used in pipeline to use that tule.
  2. type - rule type in format (wrapper::)*base, e.g. ip or not::ip.
  3. params - params that will be passed to the base rule. Each base rule has unique params.

Rules

AND rule

and equals boolean AND. It fires only when ALL passed rules fire.

PARAMS:

  • rules - names of rules defined above that rule.

Example:

  - name: and_usage_example
    type: and
    params:
      rules:
        - first_rule_name
        - second_rule_name
        - third_rule_name

OR rule

or equals boolean OR. It fires when ANY passed rule fires.

PARAMS:

  • rules - names of rules defined above that rule.

Example:

  - name: or_usage_example
    type: or
    params:
      rules:
        - first_rule_name
        - second_rule_name
        - third_rule_name

NOT rule

not equals boolean NOT. It fires only when passed rule does NOT fire. Better to use it as WRAPPER.

PARAMS:

  • rule - name of the rule defined above that rule.

Example:

  - name: not_usage_example
    type: not
    params:
      rule: some_rule

Example of wrapper:

  - name: example_time_ban_rule
    type: not::time
    params:
      from: 08:00
      to: 16:00
      timezone: Europe/Moscow
      weekdays: ...

IP rule

ip rule fires only when list contains INGRESS IP address. May be combined with not wrapper for allowlist.

PARAMS:

  • list - path to file with IP addresses or/and subnets.

Usage example:

  • Combine it with preconfigured security vendor's IP list to block them.
  • Combine it with not wrapper and project scope IP list to allow only organisation being tested.

Example:

  - name: default_ip_banlist
    type: ip
    params:
      list: data/banned_ips.txt

GEO rule

geo rule fires either when ANY geolocation lookup element matches with ANY regexp from list or when geolocation fully matches with ANY geolocations array element. May be combined with not wrapper for organizations allowlist.

Now supported IP lookup services. How to check IP info:

  • ip-api.com: curl -s 'http://ip-api.com/json/TARGET-IP/'
  • ipapi.co: curl -s 'https://ipapi.co/TARGET-IP/json/'

IP lookup services may be used with api keys (or with free plan), see globals config section.

PARAMS:

  • list - path to file with regexps (regexp re2), may be empty.
  • geolocations - ARRAY of geolocations to match, may be empty. All fields are re2 regexps arrays. Empty arrays will be ignored. Only one regexp must match in each field. Geolocations array elements contain next ARRAY-fields:
    • organisation - organization name (ORG, ISP and AS (if contains company name)).
    • country_code - country code (https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes).
    • country - country name.
    • region_code - region code.
    • region - region name.
    • city - city name.
    • timezone - timezone in format of Europe/Berlin.
    • asn - ASN in format of AS\d+.

Usage example:

  • Block security vendors by preconfigured blocked words wordlist.
  • Combine with not wrapper and allow traffic from tested organization's country/city/name/etc.

Example:

  - name: default_geo_rule
    type: geo
    params:
      list: data/banned_words.txt
      geolocations:
        - organisation:
            - (?i)microsoft
            - (?i)kaspersky
          country_code:
          country:
          region_code:
          region:
          city:
          timezone:
          asn:

REVERSE LOOKUP rule

reverse_lookup rule fires only when DNS PTR answer matches with any regexp from list. Can be used for domain banlist. May be combined with not wrapper/rule for domain allowlist.

PARAMS:

  • dns - DNS server to send PTR request in format ip:port.
  • list - path to file with regexps (regexp re2).

Usage example:

  • Block security vendors by preconfigured blocked words wordlist in domain names.

Example:

  - name: default_lookup_rule
    type: reverse_lookup
    params:
      dns: 1.1.1.1:53
      list: data/banned_words.txt

REGEXP rule

regexp rule fires when any regexp from list matches raw request.

PARAMS:

  • list - path to file with regexps (regexp re2).

Usage example:

  • Block User-Agents, request headers and other words by preconfigured blocked words wordlist.
  • Combine with not rule and allow only request with some secret header/value.

Example:

  - name: default_regexp_rule
    type: regexp
    params:
      list: data/banned_words.txt

MALLEABLE rule

malleable rule fires only when HTTP(s) request did not match MalleableC2 profile. May be combined with and rule to use more than one profile.

WARN: HTTP(s) ONLY, DNS not supported yet.

Latest supported CobaltStrike version: 4.9.1.

Rule algorithm:

  1. Verify user agent:
    1. UA did not match block_useragents (if not empty).
    2. UA matched allow_useragents (if not empty).
  2. Allow excluded paths.
  3. Verify user agent matches (if not empty).
  4. Any verified:
    1. Verify any http-get or http-post profile:
      1. HTTP method match.
      2. Any URI match.
      3. All parameters match.
      4. All headers match (case insensitive).
      5. Validate encoding in out, id, metadata fields.
    2. Verify any http-stager (like previous point) or other stager paths (full MSF compatibility) if host_stage flag set.

PARAMS:

  • profile - path to MalleableC2 profile.
  • exclude - array of excluded paths (regexp re2).

Usage example:

  • Allow only Cobalt Strike Beacon traffic, hosted files and stagers.
  • Allow multiple profiles with and rule.

Example:

  - name: example_malleable_rule
    type: malleable
    params:
      profile: data/default.profile
      exclude:
        - ^/some/example/.*
        - ^/some/other/example/url

TIME rule

time rule fires only when the time of request is in certain time period. May be combined with and rule for more than one time periods. May be combined with not wrapper/rule for time allowlist.

PARAMS:

  • from - start of time period in form of HH:mm.
  • to - end of time period in form of HH:mm.
  • timezone - timezone of from and to fields.
  • weekdays - list of time period weekdays, empty == all, may be: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday

Usage example:

  • Allow connections only in phishing/working/non-working time period.

Example:

  - name: example_time_ban_rule
    type: time
    params:
      from: 08:00
      to: 16:00
      timezone: Europe/Moscow
      weekdays:
        # - Monday
        # - Tuesday
        # - Wednesday
        # - Thursday
        # - Friday
        # - Saturday
        # - Sunday
Clone this wiki locally