基于Scala+Flink实现实时冰蝎(Behinder)流量检测源码+部署文档+全部资料齐全 高分项目.zip

# Maneo-Detect-Behinder 基于Flink的实时冰蝎(Behinder)流量检测 ## 构建测试环境 基于kubernetes构建受害主机，[冰蝎Kubernetes环境构建](https://github.com/xing-xiao/Maneo-Detect-Behinder/tree/master/k8s-behinder-env) pod中运行container分别为 - webshell: apache+php容器，提供webservice - tcpdump: 抓取网络流量pcap包 - suricata、zeek: 抓取日志 - filebeat: 向SIEM logstash发送日志 ## 行为分析 取到的日志如下 ``` {"uuid":"hehindor-0x01","event_name":"bro-http","ts":"2019-09-26T08:52:50.998415Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":1,"method":"GET","host":"192.168.17.2","uri":"/shell.php?pass=918","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":0,"response_body_len":16,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FV0tp34bEkQzuIT3M8"],"resp_mime_types":["text/plain"],"header_host":"192.168.17.2:8080","header_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","header_connection":"keep-alive","header_content_type":"application/x-www-form-urlencoded","server_header_names":["DATE","SERVER","X-POWERED-BY","SET-COOKIE","EXPIRES","CACHE-CONTROL","PRAGMA","CONTENT-LENGTH","KEEP-ALIVE","CONNECTION","CONTENT-TYPE"],"server_header_values":["Thu, 26 Sep 2019 08:50:31 GMT","Apache/2.4.25 (Debian)","PHP/7.0.33","PHPSESSID=a3d51cad592f042f3bc2f4d0d88ce015; path=/","Thu, 19 Nov 1981 08:52:00 GMT","no-store, no-cache, must-revalidate","no-cache","16","timeout=5, max=100","Keep-Alive","text/html; charset=UTF-8"],"body":"121f28cf6172a20a","http_response_time":0.001194} {"uuid":"hehindor-0x02","event_name":"bro-http","ts":"2019-09-26T08:52:51.008729Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":2,"method":"GET","host":"192.168.17.2","uri":"/shell.php?pass=230","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":0,"response_body_len":16,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FUTA6c80gCk8iHm8j"],"resp_mime_types":["text/plain"],"header_host":"192.168.17.2:8080","header_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","header_connection":"keep-alive","header_content_type":"application/x-www-form-urlencoded","server_header_names":["DATE","SERVER","X-POWERED-BY","SET-COOKIE","EXPIRES","CACHE-CONTROL","PRAGMA","CONTENT-LENGTH","KEEP-ALIVE","CONNECTION","CONTENT-TYPE"],"server_header_values":["Thu, 26 Sep 2019 08:50:31 GMT","Apache/2.4.25 (Debian)","PHP/7.0.33","PHPSESSID=0974cb5601ef4eaa3c15081b50c75179; path=/","Thu, 19 Nov 1981 08:52:00 GMT","no-store, no-cache, must-revalidate","no-cache","16","timeout=5, max=99","Keep-Alive","text/html; charset=UTF-8"],"body":"39ac0864a89c5c01","http_response_time":0.000804} {"uuid":"hehindor-0x03","event_name":"bro-http","ts":"2019-09-26T08:52:51.011900Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":3,"method":"POST","host":"192.168.17.2","uri":"/shell.php","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":1112,"response_body_len":128,"status_code":200,"status_msg":"OK","tags":[],"orig_fuids":["Fcop9A1viCj9JThXn8"],"orig_mime_types":["text/plain"],"resp_fuids":["FSt7FV3XCRGGCkTbLa"],"resp_mime_types":["text/plain"],"post_body":"5jwfZRdoTznxAGNImafH3S5tFnXRDpj3+1kiFRFw4mzKhi3umkKWpXbKUgJRKegemv0uvF36rgdKutUVhtnMUW9CinNuOoC4l4n0xoAJfFNlTuxRPZ9/lobBY4BwzFpX4q2kW33RMCHhpNukeJ24hsWoxW+pCI+dQBYS2meszBOz1xWmioYAl8YGG2+p8wDXKZlu78sD...5jwfZRdoTznxAGNImafH3S5tFnXRDpj3+1kiFRFw4mzKhi3umkKWpXbKUgJRKegemv0uvF36rgdKutUVhtnMUW9CinNuOoC4l4n0xoAJfFNlTuxRPZ9/lobBY4BwzFpX4q2kW33RMCHhpNukeJ24hsWoxW+pCI+dQBYS2meszBOz1xWmioYAl8YGG2+p8wDXKZlu78sDU9JTvY0jaatkSP2oRQgOinou3Bzy9+l7584Wh0JArnwInFc4dmqWQLsba58a1odG7ruWHHLaVwRfskZ6KaYCQ+OPcgCm2kk8tb/VlRZlmqgTN08vNchRWh26kdIdifJc9qdDZMwE0hHNiz3Taof2g7e4g/7bFt+UDt4hNPfTfNGNACdKw9PwgL5nNsrzwR8CBxPGheIk+JtibirUw+9pCEpqLaelXjsdYJ5m0GY0RqmcCZwNKanJd1rHCIbdV+OYFNPP4GGK7kz2ZFkPRQLblz1FR0JtzH7A6xbWeppPx65ABuj3Jg7cSVcegUxVTK9eWyD4Sw45d5l6atET1m1El2LCWejGc4arw65EGoYEEzimQTXDrRZ/OBCv5LEYkLDwxoC17sEd6u6hoZhyz6M/efeq/+aqCIXei2GO3BRPrMeCBYS4NfXRZDidNcWL4vcjpxmoFN+RenaX7LhvAFPrLbbpyjWVp2cbkWP3ma2m9ap9JTqayOtSVZzupaMqqvRCyuMu+03R31Hopy1FDXvJnvjGsL46643ezUP7e8+1j7yTRAiKWc7QVEW7zaQwj3sC1fJ0ZUjXk0Lpr7mviEnxAtE+ZGrEnAGjUhpkh2zbsMiiircnl2xsD4If1zy49r5swGiEY2RnaoTA1H5FE5PvXcRvk2vntdBK52W8xB0PHa1nXHLdewmScPRLR0zaXxxizfES1xZw3HsUDypAjsjcZLBmiTISxKrH5JM03qpO/lgjGTyrNzbgpv+yPuf2mt6rY25zJWmHSutnAT9Q1JbZwc86rPRHbHoN33/zcvZ5ObBRxXqZ4GVW64USIUFed90BAWTpJpIkAbfv8S/y53PBO22aM4dtUAWon5VzYp0qgM5XOz7VzTbgrRfAf+obxFTEnxXCB6v0Bqp1OA==","header_host":"192.168.17.2:8080","header_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","header_connection":"keep-alive","header_cookie":"PHPSESSID=0974cb5601ef4eaa3c15081b50c75179; path=/","header_content_length":"1112","header_content_type":"application/x-www-form-urlencoded","server_header_names":["DATE","SERVER","X-POWERED-BY","EXPIRES","CACHE-CONTROL","PRAGMA","VARY","CONTENT-LENGTH","KEEP-ALIVE","CONNECTION","CONTENT-TYPE"],"server_header_values":["Thu, 26 Sep 2019 08:50:31 GMT","Apache/2.4.25 (Debian)","PHP/7.0.33","Thu, 19 Nov 1981 08:52:00 GMT","no-store, no-cache, must-revalidate","no-cache","Accept-Encoding","128","timeout=5, max=98","Keep-Alive","text/html; charset=UTF-8"],"body":"P9EFB41x+3gdZi9HJ8iyf5sXkOkcuCuIPA1wxvghxbzH99SH+jvS+yl6fvHH19WOufx5+BA9b7E4x4g3UBhLlgxLhSuUPCKK83aj9Gzzl91HFx8/Ulhy/GOLmV+xTJzE","http_response_time":0.000791,"cookie_vars":["PHPSESSID","path"]} {"uuid":"hehindor-0x04","event_name":"bro-http","ts":"2019-09-26T08:52:51.015303Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":4,"method":"POST","host":"192.168.17.2","uri":"/shell.php","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":2220,"response_body_len":160128,"status_code":200,"status_msg":"OK","tags":[],"orig_fuids":["FJtxT62pun6hhMFSk5"],"orig_mime_types":["text/plain"],"resp_fuids":["FINOwu2IADKnzzPCti"],"resp_mime_types":["text/plain"],"post_body":"5jwfZRdoTznxAGNImafH3TuwKogooJYGEdn/prs1SpZQk6fHaXguLDrhjpND5am7OudYViWzKNPZzzaZSDH8hS+VXJqPMCdR7wKG3upwDME4qhJISt24UImMIiavajImQLhMwWhGpbR4DEdwgYBhXlegjUE4MaRCNmcBVBeP3WiUq+QqqqtxMUxGWjt5/eEcgWGCHKKd...5jwfZRdoTznxAGNImafH3TuwKogooJYGEdn/prs1SpZQk6fHaXguLDrhjpND5am7OudYViWzKNPZzzaZSDH8hS+VXJqPMCdR7wKG3upwDME4qhJISt24UImMIiavajImQLhMwWhGpbR4DEdwgYBhXlegjUE4MaRCNmcBVBeP3WiUq+QqqqtxMUxGWjt5/eEcgWGCHKKdxNDeJUeIReiSR5EHXNfAntbYQ6/ad5r8+Ev5wyn4kb1tex7NqANSn5N+Ime6M8+gGve1ap4iBUnSAC9kG/hfV/bWcShjbZZmnyOqxD7TzCIV0HWP4YP+aodNeyiXFXwYJUX7TmVM1R0oBGvmyuDUov4Mdij6xPdji4mHqDHloiqrAHN8W3qunK81WJ2qdB/6Gmou8ppTHalU6r6JGpHNyEAIehKZp7Vv3KHXZ3o3uv5hIRJ6HSV6v/C8AsbFBPkHTdlSAkAlqGeG8KVsxhQ78vk/kJNys9Kx3s2AFlhN5+MypEvK3AUCqexBMqsHk4kh6c9XYbm4uCENhscFvZM3yiSJdmpSdE5Q2tpMks64867/gYWF96bmScAan9XdQfdtlL6EL8FEpSI5yoK1dpFd6jRGMzQcEfaGRBCwJxvTlZutbzL2+Oryd8AGeEbFcYyQ717h/gKBj16koh8yb5H/Edruk89fI1T57wcSAMUi49WHb6HRfZ8VtTVyT647QXuOvJPp9H0CoT896itaA2/P8xEJqvJ6V1tkqbsYE9dEO97oqTXuM0AoMcwC9mx5E4jHBWBl89FzPSG1MRLpGilokJ/RjfxYnxcR9g9CYJI6/9ebQ7UaythC7+Iyd90LSBDpYp61uHzpBGlMph1LdsFKcYNwq3SXV3yGQuC11vZISAS19cfOjhBXJ6hlqjD5gfdM4FNoR/oz+p8ejw8Jlr5GEfboYbUHx7y0P43U5AzQvdgHrfqfZNVllHQA1U4OXixTcd06wJOmIrxvHnilLoTEcrVlK+EvoDO6SuzBrUlLgUzrgJMcXxrl83i2xVXPg3G0+G3sc4r4CPXcQrme70w2Mn3wzUHs4x44vIXwKFS1/XFEBxZsKRvbKnBcfz9u01jLoocezgfYYYeLUuc9XVIr4t+2QCO0ywnrBHFxjOnr/F/lpXWSo26Q+m50/TJGtmfC89jvgzI39Rr8iPcipOgx6sxB05mBe9ojP3kQN6X/yPg1kHVejtDvIIxvYz+kIMDEcNocp+NRCeFc7pFP3XNipk4sQMMGtZn0N