Project author: ilyaglow

Project description:
Detect malicious packets
Language: Go
Repository: git://github.com/ilyaglow/badcapt.git
Created: 2018-07-19T22:44:21Z
Project homepage: https://github.com/ilyaglow/badcapt

License: Apache License 2.0


About

Badcapt is a project inspired by Bad Packets' work and the paper Remote
Identification of Port Scan Toolchains by Vincent Ghiette, Norbert Blenn and
Christian Doerr.

It tries to detect malicious packets and either exports them to Elasticsearch
or prints them to stdout for further processing.
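As an added illustration of the kind of per-packet header check that toolchain identification relies on (example code written for this page, not badcapt's own implementation), the program below classifies a raw IPv4/TCP packet using two publicly documented scanner quirks: ZMap's constant IP ID 54321 and masscan's IP ID derived from destination address, port and sequence number. The sample packets are constructed inline; the destination, port and sequence values are arbitrary test data.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Fingerprint inspects a raw IPv4/TCP packet (link layer already stripped) and
// names the scan toolchain whose header quirk it matches: ZMap hard-codes IP ID
// 54321, masscan sets IP ID to the low 16 bits of dstIP ^ dstPort ^ seq. A single
// match is only a hint (chance collision ~1/65536), so require repeated hits per source.
func Fingerprint(pkt []byte) (string, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 || pkt[9] != 6 {
		return "", fmt.Errorf("not an IPv4/TCP packet")
	}
	ihl := int(pkt[0]&0x0f) * 4 // IP header length in bytes
	if ihl < 20 || len(pkt) < ihl+20 {
		return "", fmt.Errorf("truncated packet")
	}
	ipID := binary.BigEndian.Uint16(pkt[4:6])
	dstIP := binary.BigEndian.Uint32(pkt[16:20])
	dstPort := binary.BigEndian.Uint16(pkt[ihl+2 : ihl+4])
	seq := binary.BigEndian.Uint32(pkt[ihl+4 : ihl+8])
	switch {
	case ipID == 54321:
		return "zmap", nil
	case ipID == uint16(dstIP^uint32(dstPort)^seq):
		return "masscan", nil
	}
	return "unknown", nil
}

// BuildSYN returns a constructed 40-byte IPv4/TCP SYN as sample input; checksums stay zero.
func BuildSYN(ipID uint16, dstIP uint32, dstPort uint16, seq uint32) []byte {
	pkt := make([]byte, 40)
	pkt[0], pkt[8], pkt[9] = 0x45, 64, 6 // IPv4 with IHL=5, TTL 64, protocol TCP
	binary.BigEndian.PutUint16(pkt[4:6], ipID)
	binary.BigEndian.PutUint32(pkt[16:20], dstIP)
	binary.BigEndian.PutUint16(pkt[22:24], dstPort)
	binary.BigEndian.PutUint32(pkt[24:28], seq)
	pkt[32], pkt[33] = 0x50, 0x02 // data offset 5 words, SYN flag
	return pkt
}

func main() {
	dst, port, seq := uint32(0xc0a80101), uint16(22), uint32(0x11223344) // constructed 192.168.1.1:22
	for _, id := range []uint16{54321, uint16(dst ^ uint32(port) ^ seq), 4242} {
		fmt.Println(Fingerprint(BuildSYN(id, dst, port, seq))) // zmap, masscan, unknown
	}
}
```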

Install

The app is built on top of the gopacket package, which uses C bindings to
libpcap, so you need the libpcap-dev package installed first.

  go get github.com/ilyaglow/badcapt/cmd/badcapt

You can also use the Docker image (see below for how to run it):

  docker build -t badcapt https://github.com/ilyaglow/badcapt.git

or

  docker pull ilyaglow/badcapt

Usage

  ./badcapt -h
  Usage of badcapt:
    -e string
        Elasticsearch URL (optional)
    -i string
        Interface name to listen
    -ns string
        Path to nmap-services file, by default on linux it's /usr/share/nmap/nmap-services

If no Elasticsearch URL is provided, badcapt simply writes records to stdout.

To use the dockerized version you must run it with the --net=host switch:

  docker run -d --net=host ilyaglow/badcapt -i eth0

You can also take a look at the badsearch companion script for Elasticsearch:
it dumps all records stored in the database during the last 24 hours.