[研究] HoneyBadger (蜜獾) TCP網路流分析工具 安裝
2015-10-28
2015-10-28
TCP attack inquisitor and 0-day catcher
TCP 攻擊盤問者,零天捕捉者。
蜜獾 honey badger
開始安裝
# make.bash 需要 gcc
# go build 需要 pcap.h,也就是 libpcap-devel
cd $HOME
yum -y install git gcc libpcap libpcap-devel
git clone https://go.googlesource.com/go
cd go
git checkout go1.4.2
cd src
./make.bash
#設定環境變數 export GOPATH=$HOME/go/gopath export PATH=$PATH:$HOME/go/bin:$HOME/go/gopath/bin #編譯 cd $HOME/go mkdir -p gopath/src/github.com/google cd gopath/src/github.com/google git clone https://github.com/google/gopacket.git mkdir -p $HOME/go/gopath/src/github.com/david415 cd $HOME/go/gopath/src/github.com/david415 git clone https://github.com/david415/HoneyBadger.git cd HoneyBadger/cmd/honeyBadger go build
#準備執行
# CentOS 7.1 網卡預設不叫 eth0,而是 eno16777736
ethtool -K eno16777736 gso off
ethtool -K eno16777736 tso off
ethtool -K eno16777736 gro off
setcap cap_net_raw,cap_net_admin=eip honeyBadger
|
測試
[root@localhost honeyBadger]# ./honeyBadger -h
Usage of ./honeyBadger:
-archive_dir="": archive directory for storing attack logs and related pcap files
-connection_max_buffer=0:
Max packets to buffer for a single connection before skipping over a gap in data
and continuing to stream the connection after the buffer. If zero or less, this
is infinite.
-daq="libpcap": Data AcQuisition packet source
-detect_coalesce_injection=true: Detect coalesce injection attacks
-detect_hijack=true: Detect handshake hijack attacks
-detect_injection=true: Detect injection attacks
-f="tcp": BPF filter for pcap
-i="eth0": Interface to get packets from
-l="": incoming log dir used initially for pcap files if packet logging is enabled
-log_packets=false: if set to true then log all packets for each tracked TCP connection
-max_concurrent_connections=0: Maximum number of concurrent connection to track.
-max_pcap_log_size=1: maximum pcap size per rotation in megabytes
-max_pcap_rotations=10: maximum number of pcap rotations per connection
-max_ring_packets=40: Max packets per connection stream ring buffer
-metadata_attack_log=true: if set to true then attack reports will only include metadata
-pcapfile="": pcap filename to read packets from rather than a wire interface.
-s=65536: SnapLen for pcap packet capture
-tcp_idle_timeout=5m0s: tcp idle timeout duration
-total_max_buffer=0:
Max packets to buffer total before skipping over gaps in connections and
continuing to stream connection data. If zero or less, this is infinite
-w="3s": timeout for reading packets off the wire
[root@localhost honeyBadger]#
Usage of ./honeyBadger:
-archive_dir="": archive directory for storing attack logs and related pcap files
-connection_max_buffer=0:
Max packets to buffer for a single connection before skipping over a gap in data
and continuing to stream the connection after the buffer. If zero or less, this
is infinite.
-daq="libpcap": Data AcQuisition packet source
-detect_coalesce_injection=true: Detect coalesce injection attacks
-detect_hijack=true: Detect handshake hijack attacks
-detect_injection=true: Detect injection attacks
-f="tcp": BPF filter for pcap
-i="eth0": Interface to get packets from
-l="": incoming log dir used initially for pcap files if packet logging is enabled
-log_packets=false: if set to true then log all packets for each tracked TCP connection
-max_concurrent_connections=0: Maximum number of concurrent connection to track.
-max_pcap_log_size=1: maximum pcap size per rotation in megabytes
-max_pcap_rotations=10: maximum number of pcap rotations per connection
-max_ring_packets=40: Max packets per connection stream ring buffer
-metadata_attack_log=true: if set to true then attack reports will only include metadata
-pcapfile="": pcap filename to read packets from rather than a wire interface.
-s=65536: SnapLen for pcap packet capture
-tcp_idle_timeout=5m0s: tcp idle timeout duration
-total_max_buffer=0:
Max packets to buffer total before skipping over gaps in connections and
continuing to stream connection data. If zero or less, this is infinite
-w="3s": timeout for reading packets off the wire
[root@localhost honeyBadger]#
(完)
沒有留言:
張貼留言