# full rules configuration info can be found here: # https://github.com/D00Movenok/BounceBack/wiki/1.-Rules rules: # "ip" rule fires only when "list" contains INGRESS IP address. # May be combined with "not" wrapper for allowlist. # PARAMS: # * list - path to file with IP addresses or/and subnets. # - name: default_ip_banlist type: ip params: list: data/banned_ips.txt - name: default_ip_allowlist type: not::ip params: list: data/allowed_ips.txt - name: default_ip_acceptlist type: ip params: list: data/allowed_ips.txt # "geo" rule fires only either when ANY geolocation lookup element matches # with ANY regexp from "list" OR when geolocation fully matches with # ANY "geolocations" array element. # May be combined with "not" wrapper for organisations allowlist. # Now supported IP lookup services. How to check IP info: # * ip-api.com: curl -s 'http://ip-api.com/json/TARGET-IP' # * ipapi.co: curl -s 'https://ipapi.co/TARGET-IP/json/' # May be used with api keys (or with free plan), see "globals" config section. # PARAMS: # * list - path to file with regexps (regexp re2), may be empty. # * geolocations - ARRAY of geolocations to match. All fields are re2 # regexps arrays. Empty arrays will be ignored. # Only one regexp must match in each field. # Geolocations array elements contain next ARRAY-fields: # * organisation - organisation name (ORG, ISP and AS (if contains company name)). # * country_code - country code (https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). # * country - country name. # * region_code - region code. # * region - region name. # * city - city name. # * timezone - timezone in format of Europe/Berlin. # * asn - ASN in format of "AS\d+". # - name: default_geo_rule type: geo params: list: data/banned_words.txt # geolocations: # - organisation: # - (?i)microsoft # - (?i)kaspersky # country_code: # country: # region_code: # region: # city: # timezone: # asn: # "reverse_lookup" rule fires only when DNS PTR answer matches # with any regexp from "list". Can be used for domain banlist. # May be combined with "not" wrapper/rule for domain allowlist. # PARAMS: # * dns - dns server to send PTR request if form of ip:port. # * list - path to file with regexps (regexp re2). # - name: default_lookup_rule type: reverse_lookup params: dns: 1.1.1.1:53 list: data/banned_words.txt # "time" rule fires only when time of request is in certain time period. # May be combined with "and" rule for more than one time periods. # May be combined with "not" wrapper/rule for time allowlist. # PARAMS: # * from - start of time period in form of HH:mm. # * to - end of time period in form of HH:mm. # * timezone - timezone of "from" and "to" fields. # * weekdays - list of time period weekdays, empty == all, # may be: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday # - name: example_not_time_rule type: not::time params: from: 08:00 to: 16:00 timezone: Europe/Moscow weekdays: # - Monday # - Tuesday # - Wednesday # - Thursday # - Friday # - Saturday # - Sunday # "regexp" rule fires when any regexp from "list" matches raw request. # PARAMS: # * list - path to file with regexps (regexp re2). # - name: default_regexp_rule type: regexp params: list: data/banned_words.txt # "malleable" rule fires only when HTTP(s) request did not # match MalleableC2 profile. # May be combined with "and" rule to use more than one profile. # Rule algorithm: # 1. Verify useragent lists: # a. UA did not match "block_useragents" (if not empty). # b. UA matched "allow_useragents" (if not empty). # 2. Allow excluded paths. # 3. Verify useragent match (if not empty). # 4. Any verified: # a. Verify any "http-get" or "http-post" profile: # i. HTTP method match. # ii. Any URI match. # iii. All parameters exist. # iv. All headers exist. # v. Validate encoding in "out", "id", "metadata" fields. # b. Verify any "http-stager" (like previous letter) or other # stager paths (full MSF compatibility) if "host_stage" flag set. # PARAMS: # * profile - path to MalleableC2 profile. # * exclude - array of exluded paths (regexp re2). # - name: example_malleable_rule type: malleable params: profile: data/default.profile exclude: - ^/some/example/.* - ^/some/other/example/url # "and" rule equals boolean AND. # It fires only when ALL passed rules fire. # PARAMS: # * rules - names of rules defined above that rule. # - name: and_usage_example type: and params: rules: - default_ip_banlist - default_ip_allowlist # "or" rule equals boolean OR. # It fires when ANY passed rule fires. # PARAMS: # * rules - names of rules defined above that rule. # - name: or_usage_example type: or params: rules: - default_ip_banlist - default_ip_allowlist # "not" rule equals boolean NOT. # It fires only when passed rule does NOT fire. # May be used as BASE (type: not) rule # or WRAPPER rule (type: not::someruletype). # PARAMS for BASE rule: # * rule - name of the rule defined above that rule. # - name: not_usage_example type: not params: rule: default_ip_allowlist # full globals configuration info can be found here: # https://github.com/D00Movenok/BounceBack/wiki/3.-Globals globals: # API keys that will be used to fetch geo info with "geo" rules. ip-apicom_key: "" # optional ipapico_key: "" # optional # full proxies configuration info can be found here: # https://github.com/D00Movenok/BounceBack/wiki/2.-Proxies proxies: - name: example http proxy type: http listen: 0.0.0.0:80 target: http://127.0.0.1:8080 timeout: 10s # tls: # - cert: test/testdata/tls/cert_bounceback_test.pem # key: test/testdata/tls/key_bounceback_test.pem # - cert: test/testdata/tls/cert_example_com.pem # key: test/testdata/tls/key_example_com.pem # - cert: test/testdata/tls/cert_example_com.pem # key: test/testdata/tls/key_example_com.pem # domains: # - "anotherexample.org" # - "*.anotherexample.org" filter_settings: reject_action: redirect reject_url: https://www.youtube.com/watch?v=dQw4w9WgXcQ noreject_threshold: 5 reject_threshold: 5 filters: - rule: default_ip_acceptlist action: accept - rule: default_ip_banlist action: reject # - rule: default_ip_allowlist # action: reject - rule: default_geo_rule action: reject - rule: default_lookup_rule action: reject # - rule: example_not_time_rule # action: reject - rule: default_regexp_rule action: reject # - rule: example_malleable_rule # action: reject - name: example dns proxy type: dns listen: 0.0.0.0:53 target: 127.0.0.1:50053 timeout: 10s filter_settings: reject_action: proxy reject_url: 1.1.1.1:53 noreject_threshold: 5 reject_threshold: 5 filters: - rule: default_ip_acceptlist action: accept - rule: default_ip_banlist action: reject # - rule: default_ip_allowlist # action: reject - rule: default_geo_rule action: reject - rule: default_lookup_rule action: reject # - rule: example_not_time_rule # action: reject - rule: default_regexp_rule action: reject - name: example tcp proxy type: tcp listen: 0.0.0.0:4443 target: tcp://127.0.0.1:4444 timeout: 10s # tls: # - cert: test/testdata/tls/cert_bounceback_test.pem # key: test/testdata/tls/key_bounceback_test.pem # - cert: test/testdata/tls/cert_example_com.pem # key: test/testdata/tls/key_example_com.pem # - cert: test/testdata/tls/cert_example_com.pem # key: test/testdata/tls/key_example_com.pem # domains: # - "anotherexample.org" # - "*.anotherexample.org" filter_settings: reject_action: drop noreject_threshold: 5 reject_threshold: 5 filters: - rule: default_ip_acceptlist action: accept - rule: default_ip_banlist action: reject # - rule: default_ip_allowlist # action: reject - rule: default_geo_rule action: reject - rule: default_lookup_rule action: reject # - rule: example_not_time_rule # action: reject - rule: default_regexp_rule action: reject - name: example udp proxy type: udp listen: 0.0.0.0:4445 target: 127.0.0.1:4446 timeout: 10s filter_settings: reject_action: none noreject_threshold: 5 reject_threshold: 5 filters: - rule: default_ip_acceptlist action: accept - rule: default_ip_banlist action: reject # - rule: default_ip_allowlist # action: reject - rule: default_geo_rule action: reject - rule: default_lookup_rule action: reject # - rule: example_not_time_rule # action: reject - rule: default_regexp_rule action: reject