netsniff恶意流量识别和匹配解读
代码整体框架
流量扫描函数调用
加载配置文件的代码调用
获取扫描的条数
重点匹配函数
流量eg:'\x00\x04\x00\x01\x00\x06\x00\x16>\x10\x1d>SW\x08\x00E\x00\x00\xbf\xb3\x1a@\x00@\x06\x03\xac\xac\x18\x0e.ddd\xc8\xed\xea\x00P\x04FF\xfa\x97\xc3\x8a\xedP\x18\x00\xe5\x84$\x00\x00
GET /latest/meta-data/region-id HTTP/1.1\r\nHost: 100.100.100.200\r\nAccept: /\r\nContent-Type: application/json; charset=utf-8\r\nAgent: linux/1.0.2.580\r\n\r\n'
前面是ip tcp的头部,后面则是http的部分。
首先判断是否是http部分,如果是扫描进入http部分,我们就开始匹配有没有出现下图中子串出现在流量里面,如果存在就返回对应的位置index,进行下一步的判断或者下一个包的扫描。因此在恶意流量匹配环节,和maltrail最大的不同就是更换了正则匹配的逻辑
static int matchFound(void *user, void *tree, int index, void *data, void *neglist) {
char logbuf[256];
struct BnfaResponse *resp = (struct BnfaResponse *) data;
match_item *entry = (match_item *) user;
// WRITE_LOG(" -- Regex::Bnfa::MatchFound | index %ld", r->index);
// save matched info
(resp->matchedCount)++;
resp->matchedEntries[resp->matchedCount - 1] = entry;
printf("MatchFound line %d, index %d\n", entry->idx, index);
#if 0
if (r->isOnBlackList)
{
resp->isOnBlackList = true;
return 1;
}
else
{
resp->isOnBlackList = false;
}
#endif
// 流量eg:'\x00\x04\x00\x01\x00\x06\x00\x16>\x10\x1d>SW\x08\x00E\x00\x00\xbf\xb3\x1a@\x00@\x06\x03\xac\xac\x18\x0e.ddd\xc8\xed\xea\x00P\x04FF\xfa\x97\xc3\x8a\xedP\x18\x00\xe5\x84$\x00\x00
//data GET /latest/meta-data/region-id HTTP/1.1\r\nHost: 100.100.100.200\r\nAccept: /\r\nContent-Type: application/json; charset=utf-8\r\nAgent: linux/1.0.2.580\r\n\r\n'
//idx是规则配置的编号 匹配不到后面的
if (entry->idx < (int) HTP_TAG_END) // http
{
switch (entry->idx) {
case HTP_TAG_HTTP:
// index为 HTTP/ 这标签的后一位 if语句就是判断是否是http打头
// entry->length_of_tag user对象传进来获取的
if (index == entry->length_of_tag) {
resp->startWithHTTP = true;
return SEARCH_CONTINUE;
}
break;
case method_post:
case method_get:
case method_connect:
if (index < resp->dataLength) {
resp->hasHost = true;
// 获得路径/latest/meta-data/region-id的其实位置
resp->path = resp->data + index;
resp->hasPath = true;
}
break;
case WHITELIST_cgi:
case WHITELIST__vti_bin:
case WHITELIST_bin:
case WHITELIST_bios:
case WHITELIST_pc:
case WHITELIST_pub:
case WHITELIST_scripts:
case sig:
resp->hasPath = false;
case SUS_apk:
case SUS_chm:
case SUS_dll:
case SUS_egg:
case SUS_exe:
case SUS_hta:
case SUS_hwp:
case SUS_pac:
case SUS_ps1:
case SUS_scr:
case SUS_sct:
case SUS_xpi:
if (resp->hasPath){
int len = snprintf(logbuf,
256,
"TRAIL.HTTP,%s:%d,%s:%d,%d,direct download (suspicious)",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, resp->pkt->context->tcp_syn_log);
return SEARCH_CONTINUE;
}
case PATH_START_HTTP:
resp->hasBadPath = true;
break;
case path_probe:
case path_proxy:
case path_echo:
case path_check:
if (resp->hasBadPath){
int len = snprintf(logbuf,
256,
"TRAIL.HTTP,%s:%d,%s:%d,%d,potential proxy probe (suspicious)",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, resp->pkt->context->tcp_syn_log);
return SEARCH_CONTINUE;
}
break;
case GENERIC_SINKHOLE_START:
case GENERIC_SINKHOLE_2:
case GENERIC_SINKHOLE_3:
case GENERIC_SINKHOLE_4:
case GENERIC_SINKHOLE_5:
case GENERIC_SINKHOLE_6:
case GENERIC_SINKHOLE_7:
case GENERIC_SINKHOLE_8:
case GENERIC_SINKHOLE_9:
case GENERIC_SINKHOLE_10:
case GENERIC_SINKHOLE_11:
case GENERIC_SINKHOLE_12:
case GENERIC_SINKHOLE_13:
case GENERIC_SINKHOLE_END:
if (resp->startWithHTTP) {
// log_event((sec, usec, src_ip, src_port, dst_ip, dst_port, PROTO.TCP, TRAIL.HTTP, trail, "sinkhole response (malware)", "(heuristic)"), packet)
int len = snprintf(logbuf,
256,
"TRAIL.HTTP,%s:%d,%s:%d,%d,sinkhole response (malware)",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, resp->pkt->context->tcp_syn_log);
return SEARCH_CONTINUE;
}
break;
case HTP_TAG_CONTENTTYPE:
// 如果小于整包长度
if (index < resp->dataLength) {
//
resp->hasContentType = true;
// 下面的data是 tcp和ip的之后的 负载数据
resp->contentType = resp->data + index;//才是指向index当前的数据
resp->lengthOfContentType = getStringLength(resp->contentType, resp->dataLength - index + 1);
}
break;
case SUSPICIOUS_CONTENT_START:
case SUSPICIOUS_CONTENT_2:
case SUSPICIOUS_CONTENT_3:
case SUSPICIOUS_CONTENT_4:
case SUSPICIOUS_CONTENT_5:
case SUSPICIOUS_CONTENT_6:
case SUSPICIOUS_CONTENT_7:
case SUSPICIOUS_CONTENT_8:
case SUSPICIOUS_CONTENT_END:
if (resp->hasContentType) {
// log_event((sec, usec, src_ip, src_port, dst_ip, dst_port, PROTO.TCP, TRAIL.HTTP, content_type, "content type (suspicious)", "(heuristic)"), packet)
int len = snprintf(logbuf,
256,
"TRAIL.HTTP,%s:%d,%s:%d,%d,content type (suspicious)",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, resp->pkt->context->tcp_syn_log);
return SEARCH_CONTINUE;
}
break;
case HTP_TAG_HOST:
if (resp->hasHost) {
// data+index是指向host的后一位,获取到host ip第一位的指针
resp->host_ip = resp->data+index;
resp->hostIpIndex = getStringLength(resp->host_ip,resp->dataLength-index+1);
string hostIP;
int index = 0;
while (index<resp->hostIpIndex){
// 如果遇到大写字母变成小写字母
hostIP+=strlwr(resp->host_ip);
resp->host_ip++;
index++;
}
if (endsWith(hostIP,":80")==1){
hostIP = hostIP[sizeof(hostIP)-3];
}
// 遍历trails log输出。host and host[0].isalpha() and dst_ip in trails
auto ret = g_ip4MalwareAddrs.find(resp->pkt->raw_dst);
if (ret != g_ip4MalwareAddrs.end()){
int len = snprintf(logbuf,
256,
"tcpsyn,%s:%d,%s:%d,%d",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, pkt->context->tcp_syn_log);
return SEARCH_CONTINUE;
}else{
resp->IsIotMalware = true;
}
}
break;
case Host_arm:
case Host_m68k:
case Host_mips:
case Host_mpsl:
case Host_powerpc:
case Host_ppc:
case Host_x86:
case Host_x32:
case Host_x64:
case Host_i586:
case Host_i686:
case Host_sparc:
case Host_sh:
case Host_yarn:
case Host_zte:
if (resp->IsIotMalware){
int len = snprintf(logbuf,
256,
"tcpsyn,%s:%d,%s:%d,%d,potential iot-malware download (suspicious)",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, pkt->context->tcp_syn_log);
}
break;
case HTP_TAG_UA:
break;
case HTP_TAG_TITLE_BEGIN:
case HTP_TAG_TITLE_END:resp->hasHTTPTitle = true;
return SEARCH_CONTINUE;
break;
case SEIZED_DOMAIN_BEGIN:
case SEIZED_DOMAIN_END:
if (resp->hasHTTPTitle) {
// log_event((sec, usec, src_ip, src_port, dst_ip, dst_port, PROTO.TCP, TRAIL.HTTP, title, "seized domain (suspicious)", "(heuristic)"), packet)
int len = snprintf(logbuf,
256,
"TRAIL.HTTP,%s:%d,%s:%d,%d,seized domain (suspicious)",
resp->pkt->src_ip,
resp->pkt->src_port,
resp->pkt->dst_ip,
resp->pkt->dst_port,
entry->idx);
fwrite(logbuf, 1, len, resp->pkt->context->tcp_syn_log);
return SEARCH_CONTINUE;
}
break;
default:;
}
} // else if
if (resp->matchedCount == REGEX_MAX_MATCH_ITEM) {
//WRITE_LOG(" -- Regex::Bnfa::MatchFound | Can't save more info, matched index", r->index);
return SEARCH_REACHMAX;
}
return 0;
}
netsniff恶意流量识别和匹配解读的更多相关文章
- 识别TLS加密恶意流量
利用背景流量数据(contexual flow data)识别TLS加密恶意流量 识别出加密流量中潜藏的安全威胁具有很大挑战,现已存在一些检测方法利用数据流的元数据来进行检测,包括包长度和到达间隔时间 ...
- 利用背景流量数据(contexual flow data) 识别TLS加密恶意流量
识别出加密流量中潜藏的安全威胁具有很大挑战,现已存在一些检测方法利用数据流的元数据来进行检测,包括包长度和到达间隔时间等.来自思科的研究人员扩展现有的检测方法提出一种新的思路(称之为“dataomni ...
- 利用神经网络进行网络流量识别——特征提取的方法是(1)直接原始报文提取前24字节,24个报文组成596像素图像CNN识别;或者直接去掉header后payload的前1024字节(2)传输报文的大小分布特征;也有加入时序结合LSTM后的CNN综合模型
国外的文献汇总: <Network Traffic Classification via Neural Networks>使用的是全连接网络,传统机器学习特征工程的技术.top10特征如下 ...
- EKFiddle:基于Fiddler研究恶意流量的框架
转载自FreeBuf.COM EKFiddle是一个基于Fiddler web debugger的,用于研究漏洞利用套件.恶意软件和恶意流量的框架. 安装 下载并安装最新版本的Fiddler http ...
- CIKM 18 | 蚂蚁金服论文:基于异构图神经网络的恶意账户识别方法
小蚂蚁说: ACM CIKM 2018 全称是 The 27th ACM International Conference on Information and Knowledge Managemen ...
- 利用CNN进行流量识别 本质上就是将流量视作一个图像
from:https://netsec2018.files.wordpress.com/2017/12/e6b7b1e5baa6e5ada6e4b9a0e59ca8e7bd91e7bb9ce5ae89 ...
- CVPR2020行人重识别算法论文解读
CVPR2020行人重识别算法论文解读 Cross-modalityPersonre-identificationwithShared-SpecificFeatureTransfer 具有特定共享特征变换 ...
- 利用fiddler+nginx模拟流量识别与转发
最近看到一些关于全链路压测的文章,全链路压测主要处理以下问题: 数据清洗压测流量标记,识别 压测流量标记的传递测试数据与线上数据隔离等等... 要实现全链路压测,必然要对原有的业务系统进行升级,要怎么 ...
- 端到端文本识别CRNN论文解读
CRNN 论文: An End-to-End Trainable Neural Network for Image-based Sequence Recognition and Its Applica ...
随机推荐
- python3 Redis未授权检测脚本
`import sys import getopt import socket def get_target(): opts, args = getopt.getopt(sys.argv[1:], ' ...
- C++基础练习1
1 /* 2 //读入一个双精度浮点数,保留12位小数输出这个浮点数. 3 #include<iostream> 4 #include <iomanip> 5 using na ...
- LeetCode 041 First Missing Positive
题目要求:First Missing Positive Given an unsorted integer array, find the first missing positive integer ...
- Mybatis log plugin 破解!!!
前言 今天重新装了IDEA2020,顺带重装了一些插件,毕竟这些插件都是习惯一直在用,其中一款就是Mybatis Log plugin,按照往常的思路,在IDEA插件市场搜索安装,艹,眼睛一瞟,竟然收 ...
- 20191017_datatable.select() 数据源中没有dataRow
filterStr =" 记录时间 >= '2019/10/17 00:00:00' and 记录时间 <='2019/10/20 23:59:59' " 代码: dg ...
- win10拔下电源会黑一下屏
- Log4net 的 ASP.NET Core 扩展库
给大家安利一款 log4net 的 ASP.NET Core 扩展库,它是基于 log4net 开发的. 简单易用,开源免费,使用ASP.NET Core自身提供的DI容器来实现服务的注册和消费.直接 ...
- opencv-python imread、imshow浏览目录下的图片文件
☞ ░ 前往老猿Python博文目录 ░ 一.几个知识点 1.1.使用Python查找目录下的文件 具体请参考<Python正则表达式re模块和os模块实现文件搜索模式匹配>. 1.2.o ...
- Android使用阿里镜像
在学习room时项目一直在编译中,最后排查发现是依赖没有下载完导致.随后查询将依赖下载源改为阿里源,即可正常使用. 需要修改 build.gradle (project),改为以下内容: // Top ...
- 测试与发布( Alpha版本 )
THE BUG 团队 杨梓琦 温海源 李华 陈杰才 郑堡恩 钟明康 软件说明 本软件用MYSQL数据库保存所有的数据内容,因此可以通过查询数据库查询功能是否正常进行. 测试过程 在测试过程中,左右两张 ...