metadata: version: 3.0 io_settings: save_agent_actions: true save_step_metadata: false save_pcap_logs: false save_sys_logs: false game: max_episode_length: 128 ports: - HTTP - POSTGRES_SERVER protocols: - ICMP - TCP - UDP thresholds: nmne: high: 10 medium: 5 low: 0 agents: - ref: client_2_green_user team: GREEN type: probabilistic-agent agent_settings: action_probabilities: 0: 0.3 1: 0.6 2: 0.1 action_space: action_map: 0: action: do-nothing options: {} 1: action: node-application-execute options: node_name: client_2 application_name: web-browser 2: action: node-application-execute options: node_name: client_2 application_name: database-client reward_function: reward_components: - type: webpage-unavailable-penalty weight: 0.25 options: node_hostname: client_2 - type: green-admin-database-unreachable-penalty weight: 0.05 options: node_hostname: client_2 - ref: client_1_green_user team: GREEN type: probabilistic-agent agent_settings: action_probabilities: 0: 0.3 1: 0.6 2: 0.1 action_space: action_map: 0: action: do-nothing options: {} 1: action: node-application-execute options: node_name: client_1 application_name: web-browser 2: action: node-application-execute options: node_name: client_1 application_name: web-browser reward_function: reward_components: - type: webpage-unavailable-penalty weight: 0.25 options: node_hostname: client_1 - type: green-admin-database-unreachable-penalty weight: 0.05 options: node_hostname: client_1 - ref: data_manipulation_attacker team: RED type: red-database-corrupting-agent agent_settings: # options specific to this particular agent type, basically args of __init__(self) possible_start_nodes: [client_1, client_2] target_application: data-manipulation-bot start_step: 25 frequency: 20 variance: 5 - ref: defender team: BLUE type: proxy-agent observation_space: type: custom options: components: - type: nodes label: NODES options: hosts: - hostname: domain_controller - hostname: web_server services: - service_name: web-server - hostname: database_server folders: - folder_name: database files: - file_name: database.db - hostname: backup_server - hostname: security_suite - hostname: client_1 - hostname: client_2 num_services: 1 num_applications: 0 num_folders: 1 num_files: 1 num_nics: 2 include_num_access: false include_nmne: true routers: - hostname: router_1 num_ports: 0 ip_list: - 192.168.1.10 - 192.168.1.12 - 192.168.1.14 - 192.168.1.16 - 192.168.1.110 - 192.168.10.21 - 192.168.10.22 - 192.168.10.110 wildcard_list: - 0.0.0.1 port_list: - HTTP - POSTGRES_SERVER protocol_list: - ICMP - TCP - UDP num_rules: 10 - type: links label: LINKS options: link_references: - router_1:eth-1<->switch_1:eth-8 - router_1:eth-2<->switch_2:eth-8 - switch_1:eth-1<->domain_controller:eth-1 - switch_1:eth-2<->web_server:eth-1 - switch_1:eth-3<->database_server:eth-1 - switch_1:eth-4<->backup_server:eth-1 - switch_1:eth-7<->security_suite:eth-1 - switch_2:eth-1<->client_1:eth-1 - switch_2:eth-2<->client_2:eth-1 - switch_2:eth-7<->security_suite:eth-2 - type: "none" label: ICS options: {} action_space: action_map: 0: action: do-nothing options: {} # scan webapp service 1: action: node-service-scan options: node_name: web_server service_name: web-server # stop webapp service 2: action: node-service-stop options: node_name: web_server service_name: web-server # start webapp service 3: action: "node-service-start" options: node_name: web_server service_name: web-server 4: action: "node-service-pause" options: node_name: web_server service_name: web-server 5: action: "node-service-resume" options: node_name: web_server service_name: web-server 6: action: "node-service-restart" options: node_name: web_server service_name: web-server 7: action: "node-service-disable" options: node_name: web_server service_name: web-server 8: action: "node-service-enable" options: node_name: web_server service_name: web-server 9: # check database.db file action: "node-file-scan" options: node_name: database_server folder_name: database file_name: database.db 10: action: "node-file-scan" # CHECKHASH replaced by SCAN - but the behaviour is the same in this context. options: node_name: database_server folder_name: database file_name: database.db 11: action: "node-file-delete" options: node_name: database_server folder_name: database file_name: database.db 12: action: "node-file-repair" options: node_name: database_server folder_name: database file_name: database.db 13: action: "node-service-fix" options: node_name: database_server service_name: database-service 14: action: "node-folder-scan" options: node_name: database_server folder_name: database 15: action: "node-folder-scan" # CHECKHASH replaced by SCAN - but the behaviour is the same in this context. options: node_name: database_server folder_name: database 16: action: "node-folder-repair" options: node_name: database_server folder_name: database 17: action: "node-folder-restore" options: node_name: database_server folder_name: database 18: action: "node-os-scan" options: node_name: domain_controller 19: action: "node-shutdown" options: node_name: domain_controller 20: action: node-startup options: node_name: domain_controller 21: action: node-reset options: node_name: domain_controller 22: action: "node-os-scan" options: node_name: web_server 23: action: "node-shutdown" options: node_name: web_server 24: action: node-startup options: node_name: web_server 25: action: node-reset options: node_name: web_server 26: # old action num: 18 action: "node-os-scan" options: node_name: database_server 27: action: "node-shutdown" options: node_name: database_server 28: action: node-startup options: node_name: database_server 29: action: node-reset options: node_name: database_server 30: action: "node-os-scan" options: node_name: backup_server 31: action: "node-shutdown" options: node_name: backup_server 32: action: node-startup options: node_name: backup_server 33: action: node-reset options: node_name: backup_server 34: action: "node-os-scan" options: node_name: security_suite 35: action: "node-shutdown" options: node_name: security_suite 36: action: node-startup options: node_name: security_suite 37: action: node-reset options: node_name: security_suite 38: action: "node-os-scan" options: node_name: client_1 39: # old action num: 19 # shutdown client 1 action: "node-shutdown" options: node_name: client_1 40: # old action num: 20 action: node-startup options: node_name: client_1 41: # old action num: 21 action: node-reset options: node_name: client_1 42: action: "node-os-scan" options: node_name: client_2 43: action: "node-shutdown" options: node_name: client_2 44: action: node-startup options: node_name: client_2 45: action: node-reset options: node_name: client_2 46: # old action num: 22 # "acl: ADDRULE - Block outgoing traffic from client 1" action: "router-acl-add-rule" options: target_router: router_1 position: 1 permission: DENY src_ip: 192.168.10.21 # client 1 dst_ip: ALL # ALL src_port: ALL dst_port: ALL protocol_name: ALL src_wildcard: NONE dst_wildcard: NONE 47: # old action num: 23 # "acl: ADDRULE - Block outgoing traffic from client 2" action: "router-acl-add-rule" options: target_router: router_1 position: 2 permission: DENY src_ip: 192.168.10.22 # client 2 dst_ip: ALL # ALL src_port: ALL dst_port: ALL protocol_name: ALL src_wildcard: NONE dst_wildcard: NONE 48: # old action num: 24 # block tcp traffic from client 1 to web app action: "router-acl-add-rule" options: target_router: router_1 position: 3 permission: DENY src_ip: 192.168.10.21 # client 1 dst_ip: 192.168.1.12 # web server src_port: ALL dst_port: ALL protocol_name: TCP src_wildcard: NONE dst_wildcard: NONE 49: # old action num: 25 # block tcp traffic from client 2 to web app action: "router-acl-add-rule" options: target_router: router_1 position: 4 permission: DENY src_ip: 192.168.10.22 # client 2 dst_ip: 192.168.1.12 # web server src_port: ALL dst_port: ALL protocol_name: TCP src_wildcard: NONE dst_wildcard: NONE 50: # old action num: 26 action: "router-acl-add-rule" options: target_router: router_1 position: 5 permission: DENY src_ip: 192.168.10.21 # client 1 dst_ip: 192.168.1.14 # database src_port: ALL dst_port: ALL protocol_name: TCP src_wildcard: NONE dst_wildcard: NONE 51: # old action num: 27 action: "router-acl-add-rule" options: target_router: router_1 position: 6 permission: DENY src_ip: 192.168.10.22 # client 2 dst_ip: 192.168.1.14 # database src_port: ALL dst_port: ALL protocol_name: TCP src_wildcard: NONE dst_wildcard: NONE 52: # old action num: 28 action: "router-acl-remove-rule" options: target_router: router_1 position: 0 53: # old action num: 29 action: "router-acl-remove-rule" options: target_router: router_1 position: 1 54: # old action num: 30 action: "router-acl-remove-rule" options: target_router: router_1 position: 2 55: # old action num: 31 action: "router-acl-remove-rule" options: target_router: router_1 position: 3 56: # old action num: 32 action: "router-acl-remove-rule" options: target_router: router_1 position: 4 57: # old action num: 33 action: "router-acl-remove-rule" options: target_router: router_1 position: 5 58: # old action num: 34 action: "router-acl-remove-rule" options: target_router: router_1 position: 6 59: # old action num: 35 action: "router-acl-remove-rule" options: target_router: router_1 position: 7 60: # old action num: 36 action: "router-acl-remove-rule" options: target_router: router_1 position: 8 61: # old action num: 37 action: "router-acl-remove-rule" options: target_router: router_1 position: 9 62: # old action num: 38 action: "host-nic-disable" options: node_name: domain_controller nic_num: 1 63: # old action num: 39 action: "host-nic-enable" options: node_name: domain_controller nic_num: 1 64: # old action num: 40 action: "host-nic-disable" options: node_name: web_server nic_num: 1 65: # old action num: 41 action: "host-nic-enable" options: node_name: web_server nic_num: 1 66: # old action num: 42 action: "host-nic-disable" options: node_name: database_server nic_num: 1 67: # old action num: 43 action: "host-nic-enable" options: node_name: database_server nic_num: 1 68: # old action num: 44 action: "host-nic-disable" options: node_name: backup_server nic_num: 1 69: # old action num: 45 action: "host-nic-enable" options: node_name: backup_server nic_num: 1 70: # old action num: 46 action: "host-nic-disable" options: node_name: security_suite nic_num: 1 71: # old action num: 47 action: "host-nic-enable" options: node_name: security_suite nic_num: 1 72: # old action num: 48 action: "host-nic-disable" options: node_name: security_suite nic_num: 2 73: # old action num: 49 action: "host-nic-enable" options: node_name: security_suite nic_num: 2 74: # old action num: 50 action: "host-nic-disable" options: node_name: client_1 nic_num: 1 75: # old action num: 51 action: "host-nic-enable" options: node_name: client_1 nic_num: 1 76: # old action num: 52 action: "host-nic-disable" options: node_name: client_2 nic_num: 1 77: # old action num: 53 action: "host-nic-enable" options: node_name: client_2 nic_num: 1 78: action: node-application-install options: node_name: domain_controller application_name: dos-bot 79: action: node-application-remove options: node_name: domain_controller application_name: dos-bot 80: action: node-application-remove options: node_name: domain_controller application_name: web-browser 81: action: node-application-execute options: node_name: domain_controller application_name: dos-bot 82: action: configure-dos-bot options: node_name: domain_controller target_ip_address: 192.168.1.14 target_port: POSTGRES_SERVER reward_function: reward_components: - type: database-file-integrity weight: 0.40 options: node_hostname: database_server folder_name: database file_name: database.db - type: shared-reward weight: 1.0 options: agent_name: client_1_green_user - type: shared-reward weight: 1.0 options: agent_name: client_2_green_user agent_settings: flatten_obs: true simulation: network: nmne_config: capture_nmne: true nmne_capture_keywords: - DELETE nodes: - hostname: router_1 type: router num_ports: 5 ports: 1: ip_address: 192.168.1.1 subnet_mask: 255.255.255.0 2: ip_address: 192.168.10.1 subnet_mask: 255.255.255.0 acl: 18: action: PERMIT src_port: POSTGRES_SERVER dst_port: POSTGRES_SERVER 19: action: PERMIT src_port: DNS dst_port: DNS 20: action: PERMIT src_port: FTP dst_port: FTP 21: action: PERMIT src_port: HTTP dst_port: HTTP 22: action: PERMIT src_port: ARP dst_port: ARP 23: action: PERMIT protocol: ICMP - hostname: switch_1 type: switch num_ports: 8 - hostname: switch_2 type: switch num_ports: 8 - hostname: domain_controller type: server ip_address: 192.168.1.10 subnet_mask: 255.255.255.0 default_gateway: 192.168.1.1 services: - type: dns-server options: domain_mapping: arcd.com: 192.168.1.12 # web server - hostname: web_server type: server ip_address: 192.168.1.12 subnet_mask: 255.255.255.0 default_gateway: 192.168.1.1 dns_server: 192.168.1.10 services: - type: web-server applications: - type: database-client options: db_server_ip: 192.168.1.14 - hostname: database_server type: server ip_address: 192.168.1.14 subnet_mask: 255.255.255.0 default_gateway: 192.168.1.1 dns_server: 192.168.1.10 services: - type: database-service options: backup_server_ip: 192.168.1.16 - type: ftp-client - hostname: backup_server type: server ip_address: 192.168.1.16 subnet_mask: 255.255.255.0 default_gateway: 192.168.1.1 dns_server: 192.168.1.10 services: - type: ftp-server - hostname: security_suite type: server ip_address: 192.168.1.110 subnet_mask: 255.255.255.0 default_gateway: 192.168.1.1 dns_server: 192.168.1.10 network_interfaces: 2: # unfortunately this number is currently meaningless, they're just added in order and take up the next available slot ip_address: 192.168.10.110 subnet_mask: 255.255.255.0 - hostname: client_1 type: computer ip_address: 192.168.10.21 subnet_mask: 255.255.255.0 default_gateway: 192.168.10.1 dns_server: 192.168.1.10 applications: - type: data-manipulation-bot options: port_scan_p_of_success: 0.8 data_manipulation_p_of_success: 0.8 payload: "DELETE" server_ip: 192.168.1.14 - type: web-browser options: target_url: http://arcd.com/users/ - type: database-client options: db_server_ip: 192.168.1.14 services: - type: dns-client - hostname: client_2 type: computer ip_address: 192.168.10.22 subnet_mask: 255.255.255.0 default_gateway: 192.168.10.1 dns_server: 192.168.1.10 applications: - type: web-browser options: target_url: http://arcd.com/users/ - type: data-manipulation-bot options: port_scan_p_of_success: 0.8 data_manipulation_p_of_success: 0.8 payload: "DELETE" server_ip: 192.168.1.14 - type: database-client options: db_server_ip: 192.168.1.14 services: - type: dns-client links: - endpoint_a_hostname: router_1 endpoint_a_port: 1 endpoint_b_hostname: switch_1 endpoint_b_port: 8 - endpoint_a_hostname: router_1 endpoint_a_port: 2 endpoint_b_hostname: switch_2 endpoint_b_port: 8 - endpoint_a_hostname: switch_1 endpoint_a_port: 1 endpoint_b_hostname: domain_controller endpoint_b_port: 1 - endpoint_a_hostname: switch_1 endpoint_a_port: 2 endpoint_b_hostname: web_server endpoint_b_port: 1 - endpoint_a_hostname: switch_1 endpoint_a_port: 3 endpoint_b_hostname: database_server endpoint_b_port: 1 - endpoint_a_hostname: switch_1 endpoint_a_port: 4 endpoint_b_hostname: backup_server endpoint_b_port: 1 - endpoint_a_hostname: switch_1 endpoint_a_port: 7 endpoint_b_hostname: security_suite endpoint_b_port: 1 - endpoint_a_hostname: switch_2 endpoint_a_port: 1 endpoint_b_hostname: client_1 endpoint_b_port: 1 - endpoint_a_hostname: switch_2 endpoint_a_port: 2 endpoint_b_hostname: client_2 endpoint_b_port: 1 - endpoint_a_hostname: switch_2 endpoint_a_port: 7 endpoint_b_hostname: security_suite endpoint_b_port: 2