Stenographer - Full Packet Capture System¶
Stenographer ist ein Full-Packet-Capture-Dienstprogramm zum Puffern von Paketen auf Festplatte für Intrusions-Erkennung und auftreffende Reaktionszwecke. Es bietet eine einfache, leistungsstarke Schnittstelle zum Speichern und Abrufen von Netzwerkpaketen im Maßstab.
Installation¶
Ubuntu/Debian¶
```bash
Install dependencies¶
sudo apt update sudo apt install build-essential git libpcap-dev libsnappy-dev libleveldb-dev
Install Go (if not already installed)¶
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz export PATH=$PATH:/usr/local/go/bin
Clone and build Stenographer¶
git clone https://github.com/google/stenographer.git cd stenographer go build ./...
Install binaries¶
sudo cp stenographer stenoread stenocurl /usr/local/bin/ sudo chmod +x /usr/local/bin/steno* ```_
CentOS/RHEL/Fedora¶
```bash
Install dependencies¶
sudo yum groupinstall "Development Tools" sudo yum install git libpcap-devel snappy-devel leveldb-devel
Install Go¶
sudo yum install golang
Clone and build¶
git clone https://github.com/google/stenographer.git cd stenographer go build ./...
Install binaries¶
sudo cp stenographer stenoread stenocurl /usr/local/bin/ ```_
Docker Installation¶
```bash
Build Docker image¶
git clone https://github.com/google/stenographer.git cd stenographer docker build -t stenographer .
Run container¶
docker run -d --name stenographer \ --net=host \ --privileged \ -v /opt/stenographer:/opt/stenographer \ stenographer ```_
Konfiguration¶
Grundkonfiguration¶
```bash
Create configuration directory¶
sudo mkdir -p /etc/stenographer sudo mkdir -p /var/lib/stenographer
Create basic configuration file¶
sudo tee /etc/stenographer/config << 'EOF' \\{ "Threads": [ \\{ "PacketsDirectory": "/var/lib/stenographer/packets", "IndexDirectory": "/var/lib/stenographer/index", "MaxDirectoryFiles": 30000, "DiskFreePercentage": 10 \\} ], "StenotypePath": "/usr/local/bin/stenotype", "Interface": "eth0", "Port": 1234, "Host": "127.0.0.1", "Flags": [], "CertPath": "/etc/stenographer/certs" \\} EOF ```_
Erweiterte Konfiguration¶
json
\\\\{
"Threads": [
\\\\{
"PacketsDirectory": "/data/stenographer/packets0",
"IndexDirectory": "/data/stenographer/index0",
"MaxDirectoryFiles": 50000,
"DiskFreePercentage": 5
\\\\},
\\\\{
"PacketsDirectory": "/data/stenographer/packets1",
"IndexDirectory": "/data/stenographer/index1",
"MaxDirectoryFiles": 50000,
"DiskFreePercentage": 5
\\\\}
],
"StenotypePath": "/usr/local/bin/stenotype",
"Interface": "eth0",
"Port": 1234,
"Host": "0.0.0.0",
"Flags": [
"--threads=2",
"--fanout_type=FANOUT_HASH"
],
"CertPath": "/etc/stenographer/certs",
"RateLimit": "1000MB",
"MaxAge": "7d"
\\\\}_
Zertifikat Setup¶
```bash
Create certificate directory¶
sudo mkdir -p /etc/stenographer/certs
Generate certificates¶
cd /etc/stenographer/certs sudo openssl genrsa -out stenographer.key 2048 sudo openssl req -new -x509 -key stenographer.key -out stenographer.crt -days 365 \ -subj "/C=US/ST=State/L=City/O=Organization/CN=stenographer"
Set permissions¶
sudo chown -R stenographer:stenographer /etc/stenographer/certs sudo chmod 600 /etc/stenographer/certs/* ```_
Basisnutzung¶
Starten Stenograph¶
```bash
Start stenographer daemon¶
sudo stenographer --config /etc/stenographer/config
Start as systemd service¶
sudo systemctl start stenographer sudo systemctl enable stenographer
Check status¶
sudo systemctl status stenographer ```_
Basic Pack Retrieval¶
```bash
Query packets by time range¶
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T01:00:00Z"
Query packets by host¶
stenocurl -q "host 192.168.1.100"
Query packets by port¶
stenocurl -q "port 80"
Query packets by protocol¶
stenocurl -q "tcp"
Combine queries¶
stenocurl -q "host 192.168.1.100 and port 80" ```_
Ausgabeformate¶
```bash
Output to PCAP file¶
stenocurl -q "host 192.168.1.100" -w output.pcap
Output to stdout¶
stenocurl -q "port 443"|tcpdump -r -
Count packets only¶
stenocurl -q "tcp" -c
Limit number of packets¶
stenocurl -q "udp" -n 1000 ```_
Quersprache¶
Grundfilter¶
```bash
Host filters¶
stenocurl -q "host 10.0.0.1" stenocurl -q "src host 10.0.0.1" stenocurl -q "dst host 10.0.0.1"
Network filters¶
stenocurl -q "net 192.168.1.0/24" stenocurl -q "src net 10.0.0.0/8" stenocurl -q "dst net 172.16.0.0/12"
Port filters¶
stenocurl -q "port 80" stenocurl -q "src port 1234" stenocurl -q "dst port 443" stenocurl -q "portrange 1000-2000" ```_
Protokollfilter¶
```bash
Protocol types¶
stenocurl -q "tcp" stenocurl -q "udp" stenocurl -q "icmp" stenocurl -q "ip" stenocurl -q "ip6"
Application protocols¶
stenocurl -q "http" stenocurl -q "https" stenocurl -q "dns" stenocurl -q "ssh" stenocurl -q "ftp" ```_
Erweiterte Abfragen¶
```bash
Logical operators¶
stenocurl -q "host 10.0.0.1 and port 80" stenocurl -q "tcp or udp" stenocurl -q "not port 22" stenocurl -q "(host 10.0.0.1 or host 10.0.0.2) and port 443"
Packet size filters¶
stenocurl -q "greater 1500" stenocurl -q "less 64" stenocurl -q "len = 1518"
TCP flags¶
stenocurl -q "tcp[tcpflags] & tcp-syn != 0" stenocurl -q "tcp[tcpflags] & tcp-ack != 0" stenocurl -q "tcp[tcpflags] & tcp-rst != 0" ```_
Zeitbasierte Abfragen¶
```bash
Specific time range¶
stenocurl -s "2023-01-01T10:00:00Z" -e "2023-01-01T11:00:00Z" -q "tcp"
Last hour¶
stenocurl -s "$(date -d '1 hour ago' -Iseconds)" -q "dns"
Last 24 hours¶
stenocurl -s "$(date -d '1 day ago' -Iseconds)" -q "http"
Combine time and filters¶
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T23:59:59Z" -q "host 192.168.1.100 and tcp" ```_
Erweiterte Funktionen¶
Multi-Threaded Capture¶
json
\\\\{
"Threads": [
\\\\{
"PacketsDirectory": "/fast-disk/packets0",
"IndexDirectory": "/fast-disk/index0",
"MaxDirectoryFiles": 100000,
"DiskFreePercentage": 5
\\\\},
\\\\{
"PacketsDirectory": "/fast-disk/packets1",
"IndexDirectory": "/fast-disk/index1",
"MaxDirectoryFiles": 100000,
"DiskFreePercentage": 5
\\\\}
],
"Flags": [
"--threads=4",
"--fanout_type=FANOUT_HASH",
"--blocks=8192",
"--blocksize=2097152"
]
\\\\}_
Leistung Tuning¶
```bash
Optimize network interface¶
sudo ethtool -G eth0 rx 4096 tx 4096 sudo ethtool -K eth0 gro off lro off tso off gso off
Set CPU affinity¶
sudo taskset -c 0,1 stenographer --config /etc/stenographer/config
Increase buffer sizes¶
echo 'net.core.rmem_max = 134217728'|sudo tee -a /etc/sysctl.conf echo 'net.core.rmem_default = 134217728'|sudo tee -a /etc/sysctl.conf sudo sysctl -p ```_
Lagerverwaltung¶
```bash
Monitor disk usage¶
stenoread --stats
Clean old packets¶
stenoread --clean --before "2023-01-01T00:00:00Z"
Verify packet integrity¶
stenoread --verify
Export statistics¶
stenoread --stats --json > stenographer_stats.json ```_
Integration von Sicherheitswerkzeugen¶
Zeek Integration¶
```bash
Configure Zeek to use Stenographer¶
In local.zeek:¶
@load policy/misc/capture-loss
redef Pcap::snaplen = 65535; redef Pcap::bufsize = 128;
Extract packets for Zeek analysis¶
stenocurl -q "tcp and port 80" -w http_traffic.pcap zeek -r http_traffic.pcap ```_
Integration von Surat¶
```bash
Extract packets for Suricata analysis¶
stenocurl -q "tcp" -s "$(date -d '1 hour ago' -Iseconds)" -w recent_tcp.pcap
Run Suricata on extracted packets¶
suricata -r recent_tcp.pcap -c /etc/suricata/suricata.yaml -l /var/log/suricata/ ```_
Integration von Wirshark¶
```bash
Extract packets for Wireshark analysis¶
stenocurl -q "host 192.168.1.100" -w investigation.pcap
Open in Wireshark¶
wireshark investigation.pcap
Use tshark for command-line analysis¶
tshark -r investigation.pcap -T fields -e ip.src -e ip.dst -e tcp.port ```_
SIEM Integration¶
```bash
Export packet metadata to JSON¶
stenocurl -q "dns" -j|jq '.[]|\\{timestamp, src_ip, dst_ip, protocol\\}'
Send to Elasticsearch¶
stenocurl -q "http" -j|curl -X POST "localhost:9200/packets/_bulk" \ -H "Content-Type: application/json" --data-binary @-
Integration with Splunk¶
stenocurl -q "tcp" -j|splunk add oneshot -sourcetype stenographer ```_
Überwachung und Alarmierung¶
Gesundheitsüberwachung¶
```bash
!/bin/bash¶
Stenographer health check script¶
Check if stenographer is running¶
if ! pgrep -f stenographer > /dev/null; then echo "CRITICAL: Stenographer is not running" exit 2 fi
Check disk space¶
DISK_USAGE=$(df /var/lib/stenographer|tail -1|awk '\\{print $5\\}'|sed 's/%//') if [ $DISK_USAGE -gt 90 ]; then echo "WARNING: Disk usage is $\\{DISK_USAGE\\}%" exit 1 fi
Check packet capture rate¶
STATS=\((stenoread --stats --json) PACKETS_PER_SEC=\)(echo $STATS|jq '.packets_per_second') if [ \((echo "\)PACKETS_PER_SEC < 100"|bc) -eq 1 ]; then echo "WARNING: Low packet capture rate: $PACKETS_PER_SEC pps" exit 1 fi
echo "OK: Stenographer is healthy" exit 0 ```_
Leistungsüberwachung¶
```bash
Monitor capture statistics¶
watch -n 5 'stenoread --stats'
Monitor system resources¶
iostat -x 1|grep -E "(Device|stenographer)" top -p $(pgrep stenographer)
Network interface statistics¶
watch -n 1 'cat /proc/net/dev|grep eth0' ```_
Automatisierte Reinigung¶
```bash
!/bin/bash¶
Automated cleanup script¶
Configuration¶
MAX_AGE_DAYS=7 DISK_THRESHOLD=85 PACKETS_DIR="/var/lib/stenographer/packets"
Check disk usage¶
DISK_USAGE=$(df $PACKETS_DIR|tail -1|awk '\\{print $5\\}'|sed 's/%//')
if [ $DISK_USAGE -gt $DISK_THRESHOLD ]; then echo "Disk usage $\\{DISK_USAGE\\}% exceeds threshold $\\{DISK_THRESHOLD\\}%"
# Clean packets older than MAX_AGE_DAYS
CUTOFF_DATE=$(date -d "$\\\\{MAX_AGE_DAYS\\\\} days ago" -Iseconds)
stenoread --clean --before "$CUTOFF_DATE"
echo "Cleaned packets older than $CUTOFF_DATE"
fi ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Check stenographer logs¶
sudo journalctl -u stenographer -f
Verify configuration¶
stenographer --config /etc/stenographer/config --check
Test network interface¶
sudo tcpdump -i eth0 -c 10
Check permissions¶
ls -la /var/lib/stenographer/ sudo chown -R stenographer:stenographer /var/lib/stenographer/ ```_
Leistungsfragen¶
```bash
Check for packet drops¶
cat /proc/net/dev|grep eth0 ethtool -S eth0|grep drop
Monitor CPU usage¶
top -p $(pgrep stenographer)
Check I/O wait¶
iostat -x 1
Verify disk performance¶
dd if=/dev/zero of=/var/lib/stenographer/test bs=1M count=1000 oflag=direct ```_
Netzwerkprobleme¶
```bash
Test connectivity¶
stenocurl -q "icmp" -c
Check interface configuration¶
ip addr show eth0 ip route show
Verify capture filter¶
tcpdump -i eth0 -d "tcp and port 80" ```_
Sicherheit Best Practices¶
Zugriffskontrolle¶
```bash
Create dedicated user¶
sudo useradd -r -s /bin/false stenographer
Set file permissions¶
sudo chown -R stenographer:stenographer /var/lib/stenographer/ sudo chmod 750 /var/lib/stenographer/ sudo chmod 640 /etc/stenographer/config
Restrict certificate access¶
sudo chmod 600 /etc/stenographer/certs/* ```_
Netzwerksicherheit¶
```bash
Use TLS for remote access¶
stenocurl --cert /etc/stenographer/certs/client.crt \ --key /etc/stenographer/certs/client.key \ --ca /etc/stenographer/certs/ca.crt \ -q "tcp"
Firewall configuration¶
sudo ufw allow from 192.168.1.0/24 to any port 1234 sudo ufw deny 1234 ```_
Datenschutz¶
```bash
Encrypt packet storage¶
sudo cryptsetup luksFormat /dev/sdb1 sudo cryptsetup luksOpen /dev/sdb1 stenographer-data sudo mkfs.ext4 /dev/mapper/stenographer-data sudo mount /dev/mapper/stenographer-data /var/lib/stenographer/
Secure deletion¶
sudo shred -vfz -n 3 /var/lib/stenographer/packets/* ```_
Dieses umfassende Stenographer-Catsheet umfasst Installation, Konfiguration, Nutzung und Integration mit Sicherheitswerkzeugen. Stenographer bietet leistungsstarke Full-Packet-Capture-Fähigkeiten für die Überwachung der Netzwerksicherheit und Notfall-Reaktionsoperationen.