Wednesday, October 28, 2015

[Research] Installing HoneyBadger (honey badger), a TCP network flow analysis tool


2015-10-28

TCP attack inquisitor and 0-day catcher

honey badger

Installation


# make.bash needs gcc
# go build needs pcap.h, i.e. libpcap-devel

cd $HOME
yum -y install git gcc libpcap libpcap-devel
# build Go 1.4.2 from source (the 1.4 toolchain bootstraps with gcc; no existing Go is needed)
git clone https://go.googlesource.com/go
cd go
git checkout go1.4.2
cd src
./make.bash

# set environment variables
export GOPATH=$HOME/go/gopath
export PATH=$PATH:$HOME/go/bin:$HOME/go/gopath/bin

# build
cd $HOME/go
mkdir -p gopath/src/github.com/google
cd gopath/src/github.com/google
git clone https://github.com/google/gopacket.git
mkdir -p $HOME/go/gopath/src/github.com/david415
cd $HOME/go/gopath/src/github.com/david415
git clone https://github.com/david415/HoneyBadger.git
cd HoneyBadger/cmd/honeyBadger
go build

# prepare to run
# on CentOS 7.1 the NIC is not called eth0 by default but eno16777736
# (honeyBadger defaults to -i eth0, so pass -i eno16777736 when running it)
# turn off segmentation and receive offloading so the capture sees segments as they were on the wire
ethtool -K eno16777736 gso off
ethtool -K eno16777736 tso off
ethtool -K eno16777736 gro off

# let the binary open raw sockets without running it as root
setcap cap_net_raw,cap_net_admin=eip honeyBadger



Test

[root@localhost honeyBadger]# ./honeyBadger -h
Usage of ./honeyBadger:
  -archive_dir="": archive directory for storing attack logs and related pcap files
  -connection_max_buffer=0:
Max packets to buffer for a single connection before skipping over a gap in data
and continuing to stream the connection after the buffer.  If zero or less, this
is infinite.
  -daq="libpcap": Data AcQuisition packet source
  -detect_coalesce_injection=true: Detect coalesce injection attacks
  -detect_hijack=true: Detect handshake hijack attacks
  -detect_injection=true: Detect injection attacks
  -f="tcp": BPF filter for pcap
  -i="eth0": Interface to get packets from
  -l="": incoming log dir used initially for pcap files if packet logging is enabled
  -log_packets=false: if set to true then log all packets for each tracked TCP connection
  -max_concurrent_connections=0: Maximum number of concurrent connection to track.
  -max_pcap_log_size=1: maximum pcap size per rotation in megabytes
  -max_pcap_rotations=10: maximum number of pcap rotations per connection
  -max_ring_packets=40: Max packets per connection stream ring buffer
  -metadata_attack_log=true: if set to true then attack reports will only include metadata
  -pcapfile="": pcap filename to read packets from rather than a wire interface.
  -s=65536: SnapLen for pcap packet capture
  -tcp_idle_timeout=5m0s: tcp idle timeout duration
  -total_max_buffer=0:
Max packets to buffer total before skipping over gaps in connections and
continuing to stream connection data.  If zero or less, this is infinite
  -w="3s": timeout for reading packets off the wire
[root@localhost honeyBadger]#
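To make concrete what the -detect_injection flag in the help output looks for, here is a small Go program added to this post; it is not HoneyBadger's own code, and the type and function names (Segment, Stream, Observe, Replay) are my own. As I understand the technique, the detector remembers the bytes first seen at each sequence number of one direction of a connection and raises an alert when a later segment overlaps an earlier one with different bytes, which is the signature of an on-path injection racing the real peer; an honest retransmission carries identical bytes and stays silent. This is also why the ethtool steps above matter: with GRO, TSO or GSO left on, the capture sees merged segments rather than the individual ones that actually crossed the wire. All segments below are constructed for the example, and the unbounded map stands in for the bounded per-connection ring buffer that -max_ring_packets configures in the real tool.

```go
package main

import "fmt"

// Segment is one TCP data segment of a single direction of a connection:
// its absolute sequence number and payload. Constructed for this example.
type Segment struct {
	Seq     uint32
	Payload []byte
}

// Alert records an overlap whose bytes differ from what was first seen.
// The detector cannot know which copy is genuine, so it reports both.
type Alert struct {
	Seq      uint32 // first sequence number at which the two copies differ
	Original []byte // bytes first seen for the overlapping range
	Injected []byte // bytes the later segment carried for that range
}

// Stream remembers, per sequence number, the first byte seen in one
// direction of one connection. HoneyBadger bounds this with a per-connection
// ring buffer (-max_ring_packets); an unbounded map is fine for an illustration.
type Stream struct {
	seen map[uint32]byte
}

func NewStream() *Stream {
	return &Stream{seen: make(map[uint32]byte)}
}

// Observe feeds one segment to the stream. It returns nil for new data and
// for a faithful retransmission, and an Alert when the segment overlaps
// earlier data with different bytes. uint32 arithmetic makes sequence-number
// wraparound a non-issue.
func (s *Stream) Observe(seg Segment) *Alert {
	var original, injected []byte
	firstDiff, differs := uint32(0), false
	for i, b := range seg.Payload {
		seq := seg.Seq + uint32(i)
		old, known := s.seen[seq]
		if !known {
			s.seen[seq] = b // first time this byte of the stream is seen
			continue
		}
		original = append(original, old)
		injected = append(injected, b)
		if old != b && !differs {
			firstDiff, differs = seq, true
		}
	}
	if !differs {
		return nil
	}
	return &Alert{Seq: firstDiff, Original: original, Injected: injected}
}

// Replay runs a list of segments through a fresh stream and collects alerts.
func Replay(segs []Segment) []Alert {
	s := NewStream()
	var alerts []Alert
	for _, seg := range segs {
		if a := s.Observe(seg); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

func main() {
	// Constructed server-to-client stream: the real reply, a faithful
	// retransmission of it, then a racing segment that rewrites the status line.
	segs := []Segment{
		{Seq: 5000, Payload: []byte("HTTP/1.1 200 OK\r\n")},
		{Seq: 5000, Payload: []byte("HTTP/1.1 200 OK\r\n")},
		{Seq: 5009, Payload: []byte("302 Found\r\n")},
	}
	for _, a := range Replay(segs) {
		fmt.Printf("injection at seq %d: original %q, injected %q\n",
			a.Seq, a.Original, a.Injected)
	}
}
```

Out-of-order but consistent segments produce no alert, because only bytes that differ within an overlap count; the real tool additionally has to pair each direction with its connection 4-tuple and evict idle flows (-tcp_idle_timeout), which this sketch leaves out.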



(End)
