Ambush Standalone


Ambush was designed in a server-client architecture to make it easy to deploy to lots of systems, but sometimes you just want to get it running on a single system, without the hassle of a custom server setup or signature creation. This was one of the main pieces of feedback I got from NCCDC contestants, and the biggest reason it did not see much use there. It is still very important to use custom signature sets in production, both to make it difficult for attackers to bypass and to avoid breaking any functionality your systems depend on. But there is still clear value in having a ready-to-go configuration, so that is what I made.

The no-server bare-bones install

First I added the generic shellcode/meterpreter killer signature to the example signature set, then I added a compiled version of the example set to the git repository. This lets you set up Ambush with these signatures on a system without any server setup at all. All you need to do is download and install the client msi from https://github.com/scriptjunkie/Ambush/blob/master/client/Release/installer.msi?raw=true, then download the sig.dat file from https://github.com/scriptjunkie/Ambush/blob/master/sig.dat?raw=true and put it in the "Program Files\Scriptjunkie Software\Ambush\" folder (on 64-bit Windows the client lands under "Program Files (x86)", which is the path the commands further down use; check which one the installer created). Then reboot so the client gets loaded into every process, and you'll be running with the example signature set.
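The same no-server install, scripted for an elevated PowerShell prompt. This is an added example, not code from the post or from the Ambush project: the two GitHub URLs are the ones above, but the temp folder, the -Reboot switch, the msiexec exit-code handling and the way the install directory is located are this script's own choices.

```powershell
# Added example (not from the Ambush project): unattended no-server install of the
# Ambush client plus the prebuilt example signature set from the post.
param([switch]$Reboot)

$ErrorActionPreference = 'Stop'

# The client hooks every process at boot, so the installer and the copy need admin rights.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

$msiUrl = 'https://github.com/scriptjunkie/Ambush/blob/master/client/Release/installer.msi?raw=true'
$sigUrl = 'https://github.com/scriptjunkie/Ambush/blob/master/sig.dat?raw=true'
$tmp    = Join-Path $env:TEMP 'ambush'          # scratch folder; assumption of this script
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$msi = Join-Path $tmp 'installer.msi'
$sig = Join-Path $tmp 'sig.dat'

# GitHub only negotiates TLS 1.2 or newer; older .NET defaults would fail the download.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object Net.WebClient
$wc.DownloadFile($msiUrl, $msi)
$wc.DownloadFile($sigUrl, $sig)

# Silent install. msiexec returns 0 on success and 3010 when a reboot is pending.
$p = Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn" -Wait -PassThru
if (0, 3010 -notcontains $p.ExitCode) { throw "msiexec failed with exit code $($p.ExitCode)" }

# The post names both "Program Files" and "Program Files (x86)"; on 64-bit Windows the
# 32-bit client lands in the latter. Use whichever directory the installer created.
$candidates = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Scriptjunkie Software\Ambush' }
$installDir = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $installDir) { throw "Install directory not found; looked in: $($candidates -join ', ')" }

Copy-Item $sig (Join-Path $installDir 'sig.dat') -Force
Write-Host "Installed client and example signatures to $installDir"

# Signatures are picked up as processes start, so reboot to cover everything already running.
if ($Reboot) { Restart-Computer -Force }
else { Write-Host 'Reboot to finish loading Ambush into all processes.' }
```

Run it as .\install-ambush.ps1 -Reboot to reboot immediately, or without the switch to reboot at a time of your choosing.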

The single host install

For those that want to have a real setup with the user interface to create and edit signatures, but don't want to set up a custom server, I put together a video showing how to get it set up:

Follow those steps, making sure to run
cacls C:\Sites\Ambush /S:"D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
after getting the rails part set up. That SDDL string replaces the directory's ACL with a protected one that grants full control, inherited by all files and subfolders, to Administrators and SYSTEM only, so non-admin users on the box cannot read or tamper with the server code and signature sources.

Then, once it is all set up, whenever you need to add or change a signature you'll first need to start the server: go to All Programs->RailsInstaller->Command Prompt with Ruby and Rails, right-click it and open it as Administrator, run cd \Sites\Ambush\server, and then run rails server.

Then go to the web interface at http://localhost:3000/ and make your changes to the signature.

Finally, you'll want to manually update the client before you turn off the server. Open a command prompt as administrator and run
"C:\Program Files (x86)\Scriptjunkie Software\Ambush\config.exe" update
to install the signature update. The quotes matter: without them cmd stops at the space in "Program Files" and reports that C:\Program is not recognized.

In any case, if you want to see which signatures have fired and other log data from Ambush, open a command prompt as administrator in the C:\Program Files (x86)\Scriptjunkie Software\Ambush\ directory and run
config dumplog FFLog.txt
to dump the local logs.
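The two manual client-side steps of the single host setup (pushing the signature update and dumping the log) as one elevated PowerShell script. This is an added example, not code from the post or the Ambush project: it uses only the "update" and "dumplog FFLog.txt" verbs exactly as they appear above, locates the install directory instead of hardcoding it, and treats a nonzero exit code from config.exe as a warning (an assumption; the post does not document its exit codes).

```powershell
# Added example (not from the Ambush project): apply a signature update from the
# local rails server, then dump the client log, using the config.exe verbs from the post.
param([string]$LogFile = 'FFLog.txt')   # name from the post; written inside the install dir

$ErrorActionPreference = 'Stop'

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

# Find config.exe under either Program Files directory (64-bit hosts use the (x86) one).
$installDir = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Scriptjunkie Software\Ambush' } |
    Where-Object { Test-Path (Join-Path $_ 'config.exe') } |
    Select-Object -First 1
if (-not $installDir) { throw 'Ambush client (config.exe) not found.' }

# The post runs both commands from inside the install directory, so do the same.
Push-Location $installDir
try {
    # Must run while "rails server" is still listening on http://localhost:3000/.
    & .\config.exe update
    if ($LASTEXITCODE) { Write-Warning "config.exe update exited with code $LASTEXITCODE" }

    & .\config.exe dumplog $LogFile
    if ($LASTEXITCODE) { Write-Warning "config.exe dumplog exited with code $LASTEXITCODE" }
}
finally { Pop-Location }

$dumped = Join-Path $installDir $LogFile
if (Test-Path $dumped) {
    Write-Host "--- last 20 lines of $dumped ---"
    Get-Content $dumped | Select-Object -Last 20
}
else { Write-Warning "No log file was written to $dumped" }
```

Run it after saving your changes in the web interface and before stopping the rails server; the tail of the log tells you whether the client picked up the new set and which signatures have fired since the last dump.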
