README
¶
About
Badcapt is a project inspired by Bad Packets' work and the Remote Identification of Port Scan Toolchains paper by Vincent Ghiette, Norbert Blenn, Christian Doerr.
It will try to detect malicious packets and export them to the Elastic storage or output to the stdout for your further processing.
Install
The app is built on top of gopacket package which provides C bindings for the
libpcap, so you should have libpcap-dev package installed first.
go get github.com/ilyaglow/badcapt/cmd/badcapt
Also you can use the docker image (see below on how to use it):
docker build -t badcapt https://github.com/ilyaglow/badcapt.git
or
docker pull ilyaglow/badcapt
Usage
./badcapt -h
Usage of badcapt:
-e string
Elasticsearch URL (optional)
-i string
Interface name to listen
If no Elasticsearch URL provided, badcapt will simply output records to the screen.
To use the dockerized version you must run it with --net=host switch:
docker run -d --net=host ilyaglow/badcapt -i eth0
You can also take a look at the badsearch companion script for the Elasticsearch: it dumps all records in the database for the last 24 hours.
Documentation
¶
Index ¶
- func AddPacketMarker(m Marker) func(*Badcapt) error
- func LowMSSIdentifier(p gopacket.Packet) []string
- func MasscanIdentifier(p gopacket.Packet) []string
- func MiraiIdentifier(p gopacket.Packet) []string
- func SetElastic(client *elastic.Client) func(*Badcapt) error
- func SetElasticDocType(doc string) func(*Badcapt) error
- func SetElasticIndexName(name string) func(*Badcapt) error
- func ZmapIdentifier(p gopacket.Packet) []string
- type Badcapt
- type Marker
- type Record
- type TaggedPacket
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddPacketMarker ¶
AddPacketMarker adds a packet marking routine.
func LowMSSIdentifier ¶ added in v0.3.0
LowMSSIdentifier adds low-mss tag for a packet which TCP Maximum Segment Size is less than 500. This fact indicates potential SACK Panic attack (CVE-2019-11477). Details: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md#1-cve-2019-11477-sack-panic-linux--2629
func MasscanIdentifier ¶
MasscanIdentifier adds masscan tag for a packet which IP ID header = dstip ⊕ dstport ⊕ tcpseq.
func MiraiIdentifier ¶
MiraiIdentifier adds mirai tag for a packet which TCP sequence equals destination IP-address in a decimal format
func SetElastic ¶
SetElastic sets elasticsearch client to export events to.
func SetElasticDocType ¶
SetElasticDocType sets the events documents type.
func SetElasticIndexName ¶
SetElasticIndexName sets an index name where events are going to be written.
func ZmapIdentifier ¶
ZmapIdentifier adds zmap tag for a packet which IP ID header equals 54321.
Types ¶
type Badcapt ¶
type Badcapt struct {
// contains filtered or unexported fields
}
Badcapt defines badcapt configuration
type Record ¶
type Record struct {
SrcIP net.IP `json:"src_ip,omitempty"`
Protocols []string `json:"protocols,omitempty"`
SrcPort uint16 `json:"src_port,omitempty"`
DstIP net.IP `json:"dst_ip,omitempty"`
DstPort uint16 `json:"dst_port,omitempty"`
Timestamp time.Time `json:"date"`
Tags []string `json:"tags"`
Payload []byte `json:"payload,omitempty"`
PayloadString string `json:"payload_str,omitempty"`
}
Record contains packet data, that is ready to be exported
func NewRecord ¶
func NewRecord(tp *TaggedPacket) (*Record, error)
NewRecord constructs a record to write to the database
type TaggedPacket ¶
TaggedPacket represents a packet that went through markers.
Source Files
Directories