Sliver

InfraGuard parses Sliver’s HTTP C2 configuration YAML to extract URI paths and headers.

Config

domains:
  api.example.com:
    upstream: "${SLIVER_UPSTREAM}"
    profile_path: "profiles/sliver-http.yaml"
    profile_type: "sliver"

    drop_action:
      type: "redirect"
      target: "https://api.example.com/docs"

See config/examples/c2-sliver.yaml.

Profile YAML Format

InfraGuard reads the Sliver HTTP C2 config exported via implants generate --save-config. Key fields extracted:

  • c2.paths — URI path list
  • c2.headers — required request headers
  • implant.useragent — expected User-Agent

pipeline:
  filter_mode: "scoring"
  block_score_threshold: 0.65
  enable_profile_filter: true
  enable_replay_filter: true
  replay_persist: true
  enable_sandbox_filter: true