# Rule list for the inspection engine that consumes this file. Each entry
# selects one protocol analyzer, gives a match expression over that analyzer's
# properties (props[...]), and names the action applied when the expression is
# true. For `modify`, a `modifier` block supplies the rewrite and its args.
# NOTE(review): the exact semantics of `block`, `drop` and `modify` are defined
# by the consuming engine, not by this file — confirm against its documentation.

# Match HTTP requests whose Host header ends with "v2ex.com".
# NOTE(review): ends_with is a bare suffix test, so it also matches hosts such
# as "notv2ex.com"; anchor on ".v2ex.com" (plus the bare name) if that matters.
- name: block v2ex http
  action: block
  analyzer: http
  expr: props["http"]["headers"]["host"].ends_with("v2ex.com")

# Rewrite DNS responses (qr == "1" selects responses rather than queries) that
# carry at least one question whose name ends with "github.com". The `dns`
# modifier presumably substitutes the A/AAAA answers given in args — confirm.
- name: github dns poisoning
  action: modify
  analyzer: dns
  modifier:
    name: dns
    args:
      a: "110.242.68.66"  # IPv4 answer returned for matching names
      aaaa: "::"  # IPv6 unspecified address
  expr: props["dns"]["qr"] == "1" && !props["dns"]["questions"].filter(|q| q["name"].ends_with("github.com")).is_empty()

# Same shape as the rule above for names ending with "google.com", but both
# answers are the unspecified address (0.0.0.0 / ::), so matching names
# resolve to nothing usable.
- name: google dns poisoning
  action: modify
  analyzer: dns
  modifier:
    name: dns
    args:
      a: "0.0.0.0"  # IPv4 unspecified address
      aaaa: "::"  # IPv6 unspecified address
  expr: props["dns"]["qr"] == "1" && !props["dns"]["questions"].filter(|q| q["name"].ends_with("google.com")).is_empty()

# Drop WireGuard handshake-response packets the analyzer flags as
# receiver_index_matched == "1". Presumably "matched" means the response was
# paired with an earlier handshake initiation — confirm against the analyzer.
- name: block wireguard by handshake response
  action: drop
  analyzer: wireguard
  expr: props["wireguard"]["handshake_response"]["receiver_index_matched"] == "1"

# Block an OpenVPN flow once the analyzer has counted more than 50 packets in
# total (rx_pkt_cnt + tx_pkt_cnt). The `!= None` guard skips flows that carry
# no openvpn properties at all; the threshold presumably delays the verdict
# until enough traffic has been seen to trust the classification — confirm.
- name: Block OpenVPN
  action: block
  analyzer: openvpn
  expr: props["openvpn"] != None && props["openvpn"]["rx_pkt_cnt"] + props["openvpn"]["tx_pkt_cnt"] > 50