
Stenographer - Full Packet Capture System

Stenographer is a full-packet-capture utility that buffers packets to disk for intrusion detection and incident response purposes. It provides a simple, high-performance interface for storing and retrieving network packets at scale.

Installation

Ubuntu/Debian

```bash
# Install dependencies
sudo apt update
sudo apt install build-essential git libpcap-dev libsnappy-dev libleveldb-dev

# Install Go (if not already installed)
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin

# Clone and build Stenographer
git clone https://github.com/google/stenographer.git
cd stenographer
go build ./...

# Install binaries
sudo cp stenographer stenoread stenocurl /usr/local/bin/
sudo chmod +x /usr/local/bin/steno*
```

CentOS/RHEL/Fedora

```bash
# Install dependencies
sudo yum groupinstall "Development Tools"
sudo yum install git libpcap-devel snappy-devel leveldb-devel

# Install Go
sudo yum install golang

# Clone and build
git clone https://github.com/google/stenographer.git
cd stenographer
go build ./...

# Install binaries
sudo cp stenographer stenoread stenocurl /usr/local/bin/
```

Docker Installation

```bash
# Build Docker image
git clone https://github.com/google/stenographer.git
cd stenographer
docker build -t stenographer .

# Run container
docker run -d --name stenographer \
  --net=host \
  --privileged \
  -v /opt/stenographer:/opt/stenographer \
  stenographer
```

Configuration

Basic Configuration

```bash
# Create configuration directory
sudo mkdir -p /etc/stenographer
sudo mkdir -p /var/lib/stenographer

# Create basic configuration file
sudo tee /etc/stenographer/config << 'EOF'
{
  "Threads": [
    {
      "PacketsDirectory": "/var/lib/stenographer/packets",
      "IndexDirectory": "/var/lib/stenographer/index",
      "MaxDirectoryFiles": 30000,
      "DiskFreePercentage": 10
    }
  ],
  "StenotypePath": "/usr/local/bin/stenotype",
  "Interface": "eth0",
  "Port": 1234,
  "Host": "127.0.0.1",
  "Flags": [],
  "CertPath": "/etc/stenographer/certs"
}
EOF
```

Advanced Configuration

```json
{
  "Threads": [
    {
      "PacketsDirectory": "/data/stenographer/packets0",
      "IndexDirectory": "/data/stenographer/index0",
      "MaxDirectoryFiles": 50000,
      "DiskFreePercentage": 5
    },
    {
      "PacketsDirectory": "/data/stenographer/packets1",
      "IndexDirectory": "/data/stenographer/index1",
      "MaxDirectoryFiles": 50000,
      "DiskFreePercentage": 5
    }
  ],
  "StenotypePath": "/usr/local/bin/stenotype",
  "Interface": "eth0",
  "Port": 1234,
  "Host": "0.0.0.0",
  "Flags": [
    "--threads=2",
    "--fanout_type=FANOUT_HASH"
  ],
  "CertPath": "/etc/stenographer/certs",
  "RateLimit": "1000MB",
  "MaxAge": "7d"
}
```
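Before starting the daemon it is worth sanity-checking the config file for the mistakes the two layouts above make easy (a directory shared by two threads, a tiny DiskFreePercentage, a query port bound to all interfaces without TLS). The following is an added example, not part of Stenographer; the key names come from the config shown above and the two sample configs are constructed for illustration.

```python
import json
import sys

THREAD_KEYS = ("PacketsDirectory", "IndexDirectory", "MaxDirectoryFiles", "DiskFreePercentage")
TOP_KEYS = ("Threads", "StenotypePath", "Interface", "Port", "Host", "CertPath")
LOOPBACK = ("127.0.0.1", "::1", "localhost")

# Constructed samples (not real deployments): CLEAN mirrors the basic config above; RISKY
# reuses an index directory, leaves one thread little free disk, and binds to all interfaces.
CLEAN_CONFIG = """{"Threads": [{"PacketsDirectory": "/var/lib/stenographer/packets",
  "IndexDirectory": "/var/lib/stenographer/index", "MaxDirectoryFiles": 30000,
  "DiskFreePercentage": 10}], "StenotypePath": "/usr/local/bin/stenotype",
  "Interface": "eth0", "Port": 1234, "Host": "127.0.0.1", "Flags": [],
  "CertPath": "/etc/stenographer/certs"}"""
RISKY_CONFIG = """{"Threads": [{"PacketsDirectory": "/data/packets0", "IndexDirectory": "/data/index0",
  "MaxDirectoryFiles": 50000, "DiskFreePercentage": 5}, {"PacketsDirectory": "/data/packets1",
  "IndexDirectory": "/data/index0", "MaxDirectoryFiles": 50000, "DiskFreePercentage": 2}],
  "StenotypePath": "/usr/local/bin/stenotype", "Interface": "eth0", "Port": 1234,
  "Host": "0.0.0.0", "Flags": ["--threads=2"]}"""


def audit_config(text: str) -> list[str]:
    """Parse a Stenographer config and return findings; an empty list means nothing to flag."""
    cfg = json.loads(text)
    findings = [f"missing top-level key {k}" for k in TOP_KEYS if k not in cfg]
    owner: dict[str, int] = {}  # directory -> index of the thread that first claimed it
    for i, thread in enumerate(cfg.get("Threads", [])):
        findings += [f"thread {i}: missing {k}" for k in THREAD_KEYS if k not in thread]
        for k in ("PacketsDirectory", "IndexDirectory"):
            d = thread.get(k)
            if d in owner:  # each capture thread must own its own directories
                findings.append(f"thread {i}: {k} {d} is already used by thread {owner[d]}")
            elif d is not None:
                owner[d] = i
        if thread.get("DiskFreePercentage", 0) < 5:
            findings.append(f"thread {i}: DiskFreePercentage below 5, disk may fill before cleanup runs")
    if "Host" in cfg and cfg["Host"] not in LOOPBACK:
        findings.append(f"Host {cfg['Host']} exposes the query port beyond loopback; "
                        "keep CertPath set and firewall the port")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_steno_config.py /etc/stenographer/config (defaults to RISKY_CONFIG)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RISKY_CONFIG
    results = audit_config(text)
    print("\n".join(results) or "OK: no findings")
    sys.exit(1 if results else 0)
```

The exit status makes the check usable as a pre-start step in a systemd unit or deployment pipeline.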

Certificate Setup

```bash
# Create certificate directory
sudo mkdir -p /etc/stenographer/certs

# Generate certificates
cd /etc/stenographer/certs
sudo openssl genrsa -out stenographer.key 2048
sudo openssl req -new -x509 -key stenographer.key -out stenographer.crt -days 365 \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=stenographer"

# Set permissions
sudo chown -R stenographer:stenographer /etc/stenographer/certs
sudo chmod 600 /etc/stenographer/certs/*
```

Basic Usage

Starting Stenographer

```bash
# Start stenographer daemon
sudo stenographer --config /etc/stenographer/config

# Start as systemd service
sudo systemctl start stenographer
sudo systemctl enable stenographer

# Check status
sudo systemctl status stenographer
```

Basic Packet Retrieval

```bash
# Query packets by time range
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T01:00:00Z"

# Query packets by host
stenocurl -q "host 192.168.1.100"

# Query packets by port
stenocurl -q "port 80"

# Query packets by protocol
stenocurl -q "tcp"

# Combine queries
stenocurl -q "host 192.168.1.100 and port 80"
```

Output Formats

```bash
# Output to PCAP file
stenocurl -q "host 192.168.1.100" -w output.pcap

# Output to stdout
stenocurl -q "port 443" | tcpdump -r -

# Count packets only
stenocurl -q "tcp" -c

# Limit number of packets
stenocurl -q "udp" -n 1000
```

Query Language

Basic Filters

```bash
# Host filters
stenocurl -q "host 10.0.0.1"
stenocurl -q "src host 10.0.0.1"
stenocurl -q "dst host 10.0.0.1"

# Network filters
stenocurl -q "net 192.168.1.0/24"
stenocurl -q "src net 10.0.0.0/8"
stenocurl -q "dst net 172.16.0.0/12"

# Port filters
stenocurl -q "port 80"
stenocurl -q "src port 1234"
stenocurl -q "dst port 443"
stenocurl -q "portrange 1000-2000"
```

Protocol Filters

```bash
# Protocol types
stenocurl -q "tcp"
stenocurl -q "udp"
stenocurl -q "icmp"
stenocurl -q "ip"
stenocurl -q "ip6"

# Application protocols
stenocurl -q "http"
stenocurl -q "https"
stenocurl -q "dns"
stenocurl -q "ssh"
stenocurl -q "ftp"
```

Advanced Queries

```bash
# Logical operators
stenocurl -q "host 10.0.0.1 and port 80"
stenocurl -q "tcp or udp"
stenocurl -q "not port 22"
stenocurl -q "(host 10.0.0.1 or host 10.0.0.2) and port 443"

# Packet size filters
stenocurl -q "greater 1500"
stenocurl -q "less 64"
stenocurl -q "len = 1518"

# TCP flags
stenocurl -q "tcp[tcpflags] & tcp-syn != 0"
stenocurl -q "tcp[tcpflags] & tcp-ack != 0"
stenocurl -q "tcp[tcpflags] & tcp-rst != 0"
```

Time-Based Queries

```bash
# Specific time range
stenocurl -s "2023-01-01T10:00:00Z" -e "2023-01-01T11:00:00Z" -q "tcp"

# Last hour
stenocurl -s "$(date -d '1 hour ago' -Iseconds)" -q "dns"

# Last 24 hours
stenocurl -s "$(date -d '1 day ago' -Iseconds)" -q "http"

# Combine time and filters
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T23:59:59Z" -q "host 192.168.1.100 and tcp"
```

Advanced Features

Multi-Threaded Capture

```json
{
  "Threads": [
    {
      "PacketsDirectory": "/fast-disk/packets0",
      "IndexDirectory": "/fast-disk/index0",
      "MaxDirectoryFiles": 100000,
      "DiskFreePercentage": 5
    },
    {
      "PacketsDirectory": "/fast-disk/packets1",
      "IndexDirectory": "/fast-disk/index1",
      "MaxDirectoryFiles": 100000,
      "DiskFreePercentage": 5
    }
  ],
  "Flags": [
    "--threads=4",
    "--fanout_type=FANOUT_HASH",
    "--blocks=8192",
    "--blocksize=2097152"
  ]
}
```

Performance Tuning

```bash
# Optimize network interface
sudo ethtool -G eth0 rx 4096 tx 4096
sudo ethtool -K eth0 gro off lro off tso off gso off

# Set CPU affinity
sudo taskset -c 0,1 stenographer --config /etc/stenographer/config

# Increase buffer sizes
echo 'net.core.rmem_max = 134217728' | sudo tee -a /etc/sysctl.conf
echo 'net.core.rmem_default = 134217728' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

Storage Management

```bash
# Monitor disk usage
stenoread --stats

# Clean old packets
stenoread --clean --before "2023-01-01T00:00:00Z"

# Verify packet integrity
stenoread --verify

# Export statistics
stenoread --stats --json > stenographer_stats.json
```

Security Tool Integration

Zeek Integration

```bash
# Configure Zeek to use Stenographer
# In local.zeek:
@load policy/misc/capture-loss
redef Pcap::snaplen = 65535;
redef Pcap::bufsize = 128;

# Extract packets for Zeek analysis
stenocurl -q "tcp and port 80" -w http_traffic.pcap
zeek -r http_traffic.pcap
```

Suricata Integration

```bash
# Extract packets for Suricata analysis
stenocurl -q "tcp" -s "$(date -d '1 hour ago' -Iseconds)" -w recent_tcp.pcap

# Run Suricata on extracted packets
suricata -r recent_tcp.pcap -c /etc/suricata/suricata.yaml -l /var/log/suricata/
```

Wireshark Integration

```bash
# Extract packets for Wireshark analysis
stenocurl -q "host 192.168.1.100" -w investigation.pcap

# Open in Wireshark
wireshark investigation.pcap

# Use tshark for command-line analysis
tshark -r investigation.pcap -T fields -e ip.src -e ip.dst -e tcp.port
```

SIEM Integration

```bash
# Export packet metadata to JSON
stenocurl -q "dns" -j | jq '.[] | {timestamp, src_ip, dst_ip, protocol}'

# Send to Elasticsearch
stenocurl -q "http" -j | curl -X POST "localhost:9200/packets/_bulk" \
  -H "Content-Type: application/json" --data-binary @-

# Integration with Splunk
stenocurl -q "tcp" -j | splunk add oneshot -sourcetype stenographer
```

Monitoring and Alerting

Health Monitoring

```bash
#!/bin/bash
# Stenographer health check script

# Check if stenographer is running (-x matches the process name exactly, so the
# check script itself is never mistaken for the daemon)
if ! pgrep -x stenographer > /dev/null; then
    echo "CRITICAL: Stenographer is not running"
    exit 2
fi

# Check disk space
DISK_USAGE=$(df /var/lib/stenographer | tail -1 | awk '{print $5}' | sed 's/%//')
if [ "$DISK_USAGE" -gt 90 ]; then
    echo "WARNING: Disk usage is ${DISK_USAGE}%"
    exit 1
fi

# Check packet capture rate
STATS=$(stenoread --stats --json)
PACKETS_PER_SEC=$(echo "$STATS" | jq '.packets_per_second')
if [ "$(echo "$PACKETS_PER_SEC < 100" | bc)" -eq 1 ]; then
    echo "WARNING: Low packet capture rate: $PACKETS_PER_SEC pps"
    exit 1
fi

echo "OK: Stenographer is healthy"
exit 0
```

Performance Monitoring

```bash
# Monitor capture statistics
watch -n 5 'stenoread --stats'

# Monitor system resources
iostat -x 1 | grep -E "(Device|stenographer)"
top -p $(pgrep stenographer)

# Network interface statistics
watch -n 1 'cat /proc/net/dev | grep eth0'
```

Automated Cleanup

```bash
#!/bin/bash
# Automated cleanup script

# Configuration
MAX_AGE_DAYS=7
DISK_THRESHOLD=85
PACKETS_DIR="/var/lib/stenographer/packets"

# Check disk usage
DISK_USAGE=$(df "$PACKETS_DIR" | tail -1 | awk '{print $5}' | sed 's/%//')

if [ "$DISK_USAGE" -gt "$DISK_THRESHOLD" ]; then
    echo "Disk usage ${DISK_USAGE}% exceeds threshold ${DISK_THRESHOLD}%"

    # Clean packets older than MAX_AGE_DAYS
    CUTOFF_DATE=$(date -d "${MAX_AGE_DAYS} days ago" -Iseconds)
    stenoread --clean --before "$CUTOFF_DATE"

    echo "Cleaned packets older than $CUTOFF_DATE"
fi
```

Troubleshooting

Common Issues

```bash
# Check stenographer logs
sudo journalctl -u stenographer -f

# Verify configuration
stenographer --config /etc/stenographer/config --check

# Test network interface
sudo tcpdump -i eth0 -c 10

# Check permissions
ls -la /var/lib/stenographer/
sudo chown -R stenographer:stenographer /var/lib/stenographer/
```

Performance Issues

```bash
# Check for packet drops
cat /proc/net/dev | grep eth0
ethtool -S eth0 | grep drop

# Monitor CPU usage
top -p $(pgrep stenographer)

# Check I/O wait
iostat -x 1

# Verify disk performance (remove the test file afterwards so it does not eat capture space)
dd if=/dev/zero of=/var/lib/stenographer/test bs=1M count=1000 oflag=direct
sudo rm -f /var/lib/stenographer/test
```

Network Issues

```bash
# Test connectivity
stenocurl -q "icmp" -c

# Check interface configuration
ip addr show eth0
ip route show

# Verify capture filter
tcpdump -i eth0 -d "tcp and port 80"
```

Security Best Practices

Access Control

```bash
# Create dedicated user
sudo useradd -r -s /bin/false stenographer

# Set file permissions
sudo chown -R stenographer:stenographer /var/lib/stenographer/
sudo chmod 750 /var/lib/stenographer/
sudo chmod 640 /etc/stenographer/config

# Restrict certificate access
sudo chmod 600 /etc/stenographer/certs/*
```

Network Security

```bash
# Use TLS for remote access
stenocurl --cert /etc/stenographer/certs/client.crt \
  --key /etc/stenographer/certs/client.key \
  --ca /etc/stenographer/certs/ca.crt \
  -q "tcp"

# Firewall configuration
sudo ufw allow from 192.168.1.0/24 to any port 1234
sudo ufw deny 1234
```

Data Protection

```bash
# Encrypt packet storage
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 stenographer-data
sudo mkfs.ext4 /dev/mapper/stenographer-data
sudo mount /dev/mapper/stenographer-data /var/lib/stenographer/

# Secure deletion
sudo shred -vfz -n 3 /var/lib/stenographer/packets/*
```

This Stenographer cheat sheet covers installation, configuration, usage and integration with security tools. Stenographer provides full-packet-capture capabilities for network security monitoring and incident response operations.