# Maneo-Detect-Behinder
Real-time Behinder (冰蝎) traffic detection built on Flink
## Building the test environment
The victim host is built on Kubernetes; see [Behinder Kubernetes environment build](https://github.com/xing-xiao/Maneo-Detect-Behinder/tree/master/k8s-behinder-env).
The containers running in the pod are:
- webshell: Apache + PHP container that serves the web application (and the webshell)
- tcpdump: captures the network traffic as pcap files
- suricata, zeek: generate network logs from the traffic
- filebeat: ships the logs to the SIEM's Logstash
## Behavior analysis
The logs obtained are shown below (Zeek `bro-http` events, one JSON object per HTTP transaction; all four share the connection uid `COCJ2z4rtgv6TLSVd7`):
```
{"uuid":"hehindor-0x01","event_name":"bro-http","ts":"2019-09-26T08:52:50.998415Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":1,"method":"GET","host":"192.168.17.2","uri":"/shell.php?pass=918","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":0,"response_body_len":16,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FV0tp34bEkQzuIT3M8"],"resp_mime_types":["text/plain"],"header_host":"192.168.17.2:8080","header_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","header_connection":"keep-alive","header_content_type":"application/x-www-form-urlencoded","server_header_names":["DATE","SERVER","X-POWERED-BY","SET-COOKIE","EXPIRES","CACHE-CONTROL","PRAGMA","CONTENT-LENGTH","KEEP-ALIVE","CONNECTION","CONTENT-TYPE"],"server_header_values":["Thu, 26 Sep 2019 08:50:31 GMT","Apache/2.4.25 (Debian)","PHP/7.0.33","PHPSESSID=a3d51cad592f042f3bc2f4d0d88ce015; path=/","Thu, 19 Nov 1981 08:52:00 GMT","no-store, no-cache, must-revalidate","no-cache","16","timeout=5, max=100","Keep-Alive","text/html; charset=UTF-8"],"body":"121f28cf6172a20a","http_response_time":0.001194}
{"uuid":"hehindor-0x02","event_name":"bro-http","ts":"2019-09-26T08:52:51.008729Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":2,"method":"GET","host":"192.168.17.2","uri":"/shell.php?pass=230","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":0,"response_body_len":16,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FUTA6c80gCk8iHm8j"],"resp_mime_types":["text/plain"],"header_host":"192.168.17.2:8080","header_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","header_connection":"keep-alive","header_content_type":"application/x-www-form-urlencoded","server_header_names":["DATE","SERVER","X-POWERED-BY","SET-COOKIE","EXPIRES","CACHE-CONTROL","PRAGMA","CONTENT-LENGTH","KEEP-ALIVE","CONNECTION","CONTENT-TYPE"],"server_header_values":["Thu, 26 Sep 2019 08:50:31 GMT","Apache/2.4.25 (Debian)","PHP/7.0.33","PHPSESSID=0974cb5601ef4eaa3c15081b50c75179; path=/","Thu, 19 Nov 1981 08:52:00 GMT","no-store, no-cache, must-revalidate","no-cache","16","timeout=5, max=99","Keep-Alive","text/html; charset=UTF-8"],"body":"39ac0864a89c5c01","http_response_time":0.000804}
{"uuid":"hehindor-0x03","event_name":"bro-http","ts":"2019-09-26T08:52:51.011900Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":3,"method":"POST","host":"192.168.17.2","uri":"/shell.php","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":1112,"response_body_len":128,"status_code":200,"status_msg":"OK","tags":[],"orig_fuids":["Fcop9A1viCj9JThXn8"],"orig_mime_types":["text/plain"],"resp_fuids":["FSt7FV3XCRGGCkTbLa"],"resp_mime_types":["text/plain"],"post_body":"5jwfZRdoTznxAGNImafH3S5tFnXRDpj3+1kiFRFw4mzKhi3umkKWpXbKUgJRKegemv0uvF36rgdKutUVhtnMUW9CinNuOoC4l4n0xoAJfFNlTuxRPZ9/lobBY4BwzFpX4q2kW33RMCHhpNukeJ24hsWoxW+pCI+dQBYS2meszBOz1xWmioYAl8YGG2+p8wDXKZlu78sD...","header_host":"192.168.17.2:8080","header_accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2","header_connection":"keep-alive","header_cookie":"PHPSESSID=0974cb5601ef4eaa3c15081b50c75179; path=/","header_content_length":"1112","header_content_type":"application/x-www-form-urlencoded","server_header_names":["DATE","SERVER","X-POWERED-BY","EXPIRES","CACHE-CONTROL","PRAGMA","VARY","CONTENT-LENGTH","KEEP-ALIVE","CONNECTION","CONTENT-TYPE"],"server_header_values":["Thu, 26 Sep 2019 08:50:31 GMT","Apache/2.4.25 (Debian)","PHP/7.0.33","Thu, 19 Nov 1981 08:52:00 GMT","no-store, no-cache, must-revalidate","no-cache","Accept-Encoding","128","timeout=5, max=98","Keep-Alive","text/html; charset=UTF-8"],"body":"P9EFB41x+3gdZi9HJ8iyf5sXkOkcuCuIPA1wxvghxbzH99SH+jvS+yl6fvHH19WOufx5+BA9b7E4x4g3UBhLlgxLhSuUPCKK83aj9Gzzl91HFx8/Ulhy/GOLmV+xTJzE","http_response_time":0.000791,"cookie_vars":["PHPSESSID","path"]}
{"uuid":"hehindor-0x04","event_name":"bro-http","ts":"2019-09-26T08:52:51.015303Z","uid":"COCJ2z4rtgv6TLSVd7","src_ip":"192.168.10.1","src_port":51550,"dst_ip":"192.168.17.2","dst_port":8080,"trans_depth":4,"method":"POST","host":"192.168.17.2","uri":"/shell.php","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50","request_body_len":2220,"response_body_len":160128,"status_code":200,"status_msg":"OK","tags":[],"orig_fuids":["FJtxT62pun6hhMFSk5"],"orig_mime_types":["text/plain"],"resp_fuids":["FINOwu2IADKnzzPCti"],"resp_mime_types":["text/plain"],"post_body":"5jwfZRdoTznxAGNImafH3TuwKogooJYGEdn/prs1SpZQk6fHaXguLDrhjpND5am7OudYViWzKNPZzzaZSDH8hS+VXJqPMCdR7wKG3upwDME4qhJISt24UImMIiavajImQLhMwWhGpbR4DEdwgYBhXlegjUE4MaRCNmcBVBeP3WiUq+QqqqtxMUxGWjt5/eEcgWGCHKKd...
```
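The four events above show the pattern a detector can key on: a `GET /shell.php?pass=<number>` answered with a bare 16-character hex body (`121f28cf6172a20a`, `39ac0864a89c5c01`) and a fresh `Set-Cookie: PHPSESSID=...`, followed within milliseconds by `POST /shell.php` requests that present that same `PHPSESSID` and carry base64 bodies in both directions. That is the Behinder v2 PHP shell's key exchange (the shell prints `substr(md5(...), 16)` as the AES key and stores it in the session) followed by encrypted commands. The project's own detector runs on Flink; the block below is an added Python illustration of the same stateful pairing logic, not code from the repository, run over constructed events that copy the field names of the `bro-http` lines above. The 60-second pairing window, the 16-hex-key test and the base64 check are assumptions of this example, and the heuristic only covers the v2 handshake shown here: later Behinder versions derive the key from a pre-shared password and send no `pass=` GET, so they need a different signal (for example the fixed-size, high-entropy POST bodies alone).

```python
"""Heuristic detector for the Behinder v2 PHP key exchange in Zeek bro-http JSON events.

Added example, not the project's Flink code: a key-negotiation GET followed by a POST
that reuses the PHPSESSID issued by that GET. Sample events are constructed to match
the field names of the logs shown on the page.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

KEY_RE = re.compile(r"^[0-9a-f]{16}$")          # Behinder v2 PHP: substr(md5(...), 16) -> 16 hex chars
SESSION_RE = re.compile(r"PHPSESSID=([0-9a-f]{32})")
PAIR_WINDOW = timedelta(seconds=60)              # assumption: the first POST follows the key exchange quickly


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _set_cookie_session(ev):
    """PHPSESSID issued in the response; Zeek keeps headers as parallel name/value lists."""
    for name, value in zip(ev.get("server_header_names", []), ev.get("server_header_values", [])):
        if name.upper() == "SET-COOKIE":
            m = SESSION_RE.search(value)
            if m:
                return m.group(1)
    return None


def _is_base64(s):
    """Strict base64 check (alphabet and length), the shape of Behinder's AES ciphertext."""
    if not s or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def is_key_negotiation(ev):
    """GET <path>?pass=<digits> answered 200 with a bare 16-hex-char body."""
    if ev.get("method") != "GET" or ev.get("status_code") != 200:
        return False
    query = parse_qs(urlsplit(ev.get("uri", "")).query)
    if not any(v.isdigit() for v in query.get("pass", [])):
        return False
    return KEY_RE.match(ev.get("body", "")) is not None


def detect(events):
    """Pair each POST with an earlier key negotiation on the same (src, dst, path) that issued its PHPSESSID."""
    pending = {}            # (src_ip, dst_ip, path, sessid) -> time of the key negotiation
    alerts = []
    for ev in sorted(events, key=_ts):
        path = urlsplit(ev.get("uri", "")).path
        flow = (ev["src_ip"], ev["dst_ip"], path)
        if is_key_negotiation(ev):
            sess = _set_cookie_session(ev)
            if sess:
                pending[flow + (sess,)] = _ts(ev)
            continue
        if ev.get("method") != "POST":
            continue
        m = SESSION_RE.search(ev.get("header_cookie", ""))
        if not m:
            continue
        negotiated = pending.get(flow + (m.group(1),))
        if negotiated is None or _ts(ev) - negotiated > PAIR_WINDOW:
            continue
        # Behinder v2 carries base64-encoded AES ciphertext in both the request and the response.
        if _is_base64(ev.get("post_body", "")) and _is_base64(ev.get("body", "")):
            alerts.append({
                "ts": ev["ts"], "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                "uri": path, "session": m.group(1), "rule": "behinder-v2-key-exchange-then-post",
            })
    return alerts


# Constructed sample: field names and the GET/POST values are modelled on the bro-http lines above.
_B64 = base64.b64encode(bytes(range(48))).decode()   # stand-in for the truncated ciphertext bodies
SAMPLE_EVENTS = [
    {"ts": "2019-09-26T08:52:50.998415Z", "src_ip": "192.168.10.1", "dst_ip": "192.168.17.2",
     "method": "GET", "uri": "/shell.php?pass=918", "status_code": 200, "body": "121f28cf6172a20a",
     "server_header_names": ["SERVER", "SET-COOKIE"],
     "server_header_values": ["Apache/2.4.25 (Debian)", "PHPSESSID=a3d51cad592f042f3bc2f4d0d88ce015; path=/"]},
    {"ts": "2019-09-26T08:52:51.008729Z", "src_ip": "192.168.10.1", "dst_ip": "192.168.17.2",
     "method": "GET", "uri": "/shell.php?pass=230", "status_code": 200, "body": "39ac0864a89c5c01",
     "server_header_names": ["SET-COOKIE"],
     "server_header_values": ["PHPSESSID=0974cb5601ef4eaa3c15081b50c75179; path=/"]},
    {"ts": "2019-09-26T08:52:51.011900Z", "src_ip": "192.168.10.1", "dst_ip": "192.168.17.2",
     "method": "POST", "uri": "/shell.php", "status_code": 200,
     "header_cookie": "PHPSESSID=0974cb5601ef4eaa3c15081b50c75179; path=/",
     "post_body": _B64, "body": _B64},
    # Benign traffic: a login page that also takes ?pass= but returns HTML, then a normal form POST.
    {"ts": "2019-09-26T08:53:10.000000Z", "src_ip": "192.168.10.5", "dst_ip": "192.168.17.2",
     "method": "GET", "uri": "/login.php?pass=1", "status_code": 200, "body": "<html>welcome</html>"},
    {"ts": "2019-09-26T08:53:11.000000Z", "src_ip": "192.168.10.5", "dst_ip": "192.168.17.2",
     "method": "POST", "uri": "/login.php", "status_code": 302,
     "header_cookie": "PHPSESSID=0974cb5601ef4eaa3c15081b50c75179", "post_body": "user=a&pw=b", "body": ""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying the pending state on (client, server, path, session id) is what keeps the rule quiet on ordinary PHP sites: a GET that merely happens to have a `pass` parameter (the `/login.php` event) never produces a 16-hex body, and a POST that presents a session id the detector did not see issued by a key-negotiation response is ignored. In a streaming engine the `pending` dict becomes keyed state with a TTL equal to the pairing window; the logic is otherwise the same.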