More comments on example HAproxy config

outflanknl · Feb 20, 2020 · 4369c39 · 4369c39
1 parent f9cc4af
commit 4369c39
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/example-data-and-configs/HAProxy/haproxy.cfg b/example-data-and-configs/HAProxy/haproxy.cfg
@@ -28,8 +28,10 @@ defaults
  timeout connect  5000
  timeout client  10000
  timeout server  10000
+ # exact log-format setup is important for RedELK!
  log-format "GMT:%T frontend:%f/%H/%fi:%fp backend:%b client:%ci:%cp xforwardedfor:%[capture.req.hdr(3)] headers:%hr statuscode:%ST request:%r"
 
+# frontend name can be whatever you like
 frontend www-https
  option http-buffer-request
  declare capture request len 40000
@@ -47,10 +49,11 @@ frontend www-https
  acl path_cs path -m beg /submit.php
  acl path_cs path -m beg /TRAINING-BEACON
  acl path_cs path_reg  ^/[0-z][0-z][0-z][0-z]$
- use_backend cobaltstrike-https if path_cs
- default_backend www-decoy
+ use_backend c2-https if path_cs
+ default_backend decoy-www
  timeout client 1m
 
+# frontend name can be whatever you like
 frontend www-http
  mode http
  option http-buffer-request
@@ -69,21 +72,24 @@ frontend www-http
  acl path_cs path -m beg /submit.php
  acl path_cs path -m beg /TRAINING-BEACON
  acl path_cs path_reg  ^/[0-z][0-z][0-z][0-z]$
- use_backend cobaltstrike-http if path_cs
- default_backend www-decoy
+ use_backend c2-http if path_cs
+ default_backend decoy-www
  timeout client 1m
 
-backend www-decoy
+# backend name should start with decoy or with c2
+backend decoy-staticerror
  mode http
  http-request set-header Host 127.0.0.1
  server 127.0.0.1 127.0.0.1:8070
 
-backend cobaltstrike-https
+# backend name should start with decoy or with c2
+backend c2-https
  # Insert X-Forwarded-For header to have Cobalt Strike display the proper IP address of target. Uncomment if you want this funcitonality
  # Remark: when using Domain Fronting/CDNs, this needs to be commented out as Cobalt Strike does not understand a double inserted X-Forwarded-For header: it will display the IP of the CDN endpoint
  #option forwardfor
  server teamserver $$IP_OF_YOUR_C2SERVER:443 check ssl verify none
 
-backend cobaltstrike-http
+# backend name should start with decoy or with c2
+backend c2-http
  #option forwardfor
- server teamserver $$IP_OF_YOUR_C2SERVER:80
+ server teamserver $$IP_OF_YOUR_C2SERVER:80