Stenographer - Full Packet Capture System
"Display: flex; brecha: 10px; margen-bottom: 20px;" butbutton onclick="navigator.clipboard.writeText(document.querySelector('pre').textContent)"style="background: #007acc; color: blanco; frontera: ninguno; relleno: 8px 16px; border-radius: 4px; cursor: pointer;" Copiar todos los comandos Stenographer butbutton onclick="window.print()"style="background: #28a745; color: blanco; frontera: ninguno; relleno: 8px 16px; border-radius: 4px; cursor: pointer;" Generar Stenographer PDF Guía ■/div titulada
Stenographer es una utilidad completa para guardar paquetes en disco para detectar intrusiones y responder a incidentes. Proporciona una interfaz sencilla y potente para almacenar y recuperar paquetes de red a escala.
Instalación
Ubuntu/Debian
# Install dependencies
sudo apt update
sudo apt install build-essential git libpcap-dev libsnappy-dev libleveldb-dev
# Install Go (if not already installed)
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build Stenographer
git clone https://github.com/google/stenographer.git
cd stenographer
go build ./...
# Install binaries
sudo cp stenographer stenoread stenocurl /usr/local/bin/
sudo chmod +x /usr/local/bin/steno*
CentOS/RHEL/Fedora
# Install dependencies
sudo yum groupinstall "Development Tools"
sudo yum install git libpcap-devel snappy-devel leveldb-devel
# Install Go
sudo yum install golang
# Clone and build
git clone https://github.com/google/stenographer.git
cd stenographer
go build ./...
# Install binaries
sudo cp stenographer stenoread stenocurl /usr/local/bin/
Docker Instalación
# Build Docker image
git clone https://github.com/google/stenographer.git
cd stenographer
docker build -t stenographer .
# Run container
docker run -d --name stenographer \
--net=host \
--privileged \
-v /opt/stenographer:/opt/stenographer \
stenographer
Configuración
Configuración básica
# Create configuration directory
sudo mkdir -p /etc/stenographer
sudo mkdir -p /var/lib/stenographer
# Create basic configuration file
sudo tee /etc/stenographer/config << 'EOF'
\\\\{
"Threads": [
\\\\{
"PacketsDirectory": "/var/lib/stenographer/packets",
"IndexDirectory": "/var/lib/stenographer/index",
"MaxDirectoryFiles": 30000,
"DiskFreePercentage": 10
\\\\}
],
"StenotypePath": "/usr/local/bin/stenotype",
"Interface": "eth0",
"Port": 1234,
"Host": "127.0.0.1",
"Flags": [],
"CertPath": "/etc/stenographer/certs"
\\\\}
EOF
Configuración avanzada
\\\\{
"Threads": [
\\\\{
"PacketsDirectory": "/data/stenographer/packets0",
"IndexDirectory": "/data/stenographer/index0",
"MaxDirectoryFiles": 50000,
"DiskFreePercentage": 5
\\\\},
\\\\{
"PacketsDirectory": "/data/stenographer/packets1",
"IndexDirectory": "/data/stenographer/index1",
"MaxDirectoryFiles": 50000,
"DiskFreePercentage": 5
\\\\}
],
"StenotypePath": "/usr/local/bin/stenotype",
"Interface": "eth0",
"Port": 1234,
"Host": "0.0.0.0",
"Flags": [
"--threads=2",
"--fanout_type=FANOUT_HASH"
],
"CertPath": "/etc/stenographer/certs",
"RateLimit": "1000MB",
"MaxAge": "7d"
\\\\}
Configuración de certificados
# Create certificate directory
sudo mkdir -p /etc/stenographer/certs
# Generate certificates
cd /etc/stenographer/certs
sudo openssl genrsa -out stenographer.key 2048
sudo openssl req -new -x509 -key stenographer.key -out stenographer.crt -days 365 \
-subj "/C=US/ST=State/L=City/O=Organization/CN=stenographer"
# Set permissions
sudo chown -R stenographer:stenographer /etc/stenographer/certs
sudo chmod 600 /etc/stenographer/certs/*
Uso básico
Stenographer
# Start stenographer daemon
sudo stenographer --config /etc/stenographer/config
# Start as systemd service
sudo systemctl start stenographer
sudo systemctl enable stenographer
# Check status
sudo systemctl status stenographer
Retrieval de paquete básico
# Query packets by time range
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T01:00:00Z"
# Query packets by host
stenocurl -q "host 192.168.1.100"
# Query packets by port
stenocurl -q "port 80"
# Query packets by protocol
stenocurl -q "tcp"
# Combine queries
stenocurl -q "host 192.168.1.100 and port 80"
Formatos de salida
# Output to PCAP file
stenocurl -q "host 192.168.1.100" -w output.pcap
# Output to stdout
stenocurl -q "port 443"|tcpdump -r -
# Count packets only
stenocurl -q "tcp" -c
# Limit number of packets
stenocurl -q "udp" -n 1000
Query Language
Filtros básicos
# Host filters
stenocurl -q "host 10.0.0.1"
stenocurl -q "src host 10.0.0.1"
stenocurl -q "dst host 10.0.0.1"
# Network filters
stenocurl -q "net 192.168.1.0/24"
stenocurl -q "src net 10.0.0.0/8"
stenocurl -q "dst net 172.16.0.0/12"
# Port filters
stenocurl -q "port 80"
stenocurl -q "src port 1234"
stenocurl -q "dst port 443"
stenocurl -q "portrange 1000-2000"
Filtros de protocolo
# Protocol types
stenocurl -q "tcp"
stenocurl -q "udp"
stenocurl -q "icmp"
stenocurl -q "ip"
stenocurl -q "ip6"
# Application protocols
stenocurl -q "http"
stenocurl -q "https"
stenocurl -q "dns"
stenocurl -q "ssh"
stenocurl -q "ftp"
Consultas avanzadas
# Logical operators
stenocurl -q "host 10.0.0.1 and port 80"
stenocurl -q "tcp or udp"
stenocurl -q "not port 22"
stenocurl -q "(host 10.0.0.1 or host 10.0.0.2) and port 443"
# Packet size filters
stenocurl -q "greater 1500"
stenocurl -q "less 64"
stenocurl -q "len = 1518"
# TCP flags
stenocurl -q "tcp[tcpflags] & tcp-syn != 0"
stenocurl -q "tcp[tcpflags] & tcp-ack != 0"
stenocurl -q "tcp[tcpflags] & tcp-rst != 0"
Consultas basadas en el tiempo
# Specific time range
stenocurl -s "2023-01-01T10:00:00Z" -e "2023-01-01T11:00:00Z" -q "tcp"
# Last hour
stenocurl -s "$(date -d '1 hour ago' -Iseconds)" -q "dns"
# Last 24 hours
stenocurl -s "$(date -d '1 day ago' -Iseconds)" -q "http"
# Combine time and filters
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T23:59:59Z" -q "host 192.168.1.100 and tcp"
Características avanzadas
Captura multi-teleada
\\\\{
"Threads": [
\\\\{
"PacketsDirectory": "/fast-disk/packets0",
"IndexDirectory": "/fast-disk/index0",
"MaxDirectoryFiles": 100000,
"DiskFreePercentage": 5
\\\\},
\\\\{
"PacketsDirectory": "/fast-disk/packets1",
"IndexDirectory": "/fast-disk/index1",
"MaxDirectoryFiles": 100000,
"DiskFreePercentage": 5
\\\\}
],
"Flags": [
"--threads=4",
"--fanout_type=FANOUT_HASH",
"--blocks=8192",
"--blocksize=2097152"
]
\\\\}
Performance Tuning
# Optimize network interface
sudo ethtool -G eth0 rx 4096 tx 4096
sudo ethtool -K eth0 gro off lro off tso off gso off
# Set CPU affinity
sudo taskset -c 0,1 stenographer --config /etc/stenographer/config
# Increase buffer sizes
echo 'net.core.rmem_max = 134217728'|sudo tee -a /etc/sysctl.conf
echo 'net.core.rmem_default = 134217728'|sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Gestión del almacenamiento
# Monitor disk usage
stenoread --stats
# Clean old packets
stenoread --clean --before "2023-01-01T00:00:00Z"
# Verify packet integrity
stenoread --verify
# Export statistics
stenoread --stats --json > stenographer_stats.json
Integración con Herramientas de Seguridad
Zeek Integration
# Configure Zeek to use Stenographer
# In local.zeek:
@load policy/misc/capture-loss
redef Pcap::snaplen = 65535;
redef Pcap::bufsize = 128;
# Extract packets for Zeek analysis
stenocurl -q "tcp and port 80" -w http_traffic.pcap
zeek -r http_traffic.pcap
Suricata Integration
# Extract packets for Suricata analysis
stenocurl -q "tcp" -s "$(date -d '1 hour ago' -Iseconds)" -w recent_tcp.pcap
# Run Suricata on extracted packets
suricata -r recent_tcp.pcap -c /etc/suricata/suricata.yaml -l /var/log/suricata/
Wireshark Integration
# Extract packets for Wireshark analysis
stenocurl -q "host 192.168.1.100" -w investigation.pcap
# Open in Wireshark
wireshark investigation.pcap
# Use tshark for command-line analysis
tshark -r investigation.pcap -T fields -e ip.src -e ip.dst -e tcp.port
SIEM Integración
# Export packet metadata to JSON
stenocurl -q "dns" -j|jq '.[]|\\\\{timestamp, src_ip, dst_ip, protocol\\\\}'
# Send to Elasticsearch
stenocurl -q "http" -j|curl -X POST "localhost:9200/packets/_bulk" \
-H "Content-Type: application/json" --data-binary @-
# Integration with Splunk
stenocurl -q "tcp" -j|splunk add oneshot -sourcetype stenographer
Vigilancia y alerta
Vigilancia de la salud
#!/bin/bash
# Stenographer health check script
# Check if stenographer is running
if ! pgrep -f stenographer > /dev/null; then
echo "CRITICAL: Stenographer is not running"
exit 2
fi
# Check disk space
DISK_USAGE=$(df /var/lib/stenographer|tail -1|awk '\\\\{print $5\\\\}'|sed 's/%//')
if [ $DISK_USAGE -gt 90 ]; then
echo "WARNING: Disk usage is $\\\\{DISK_USAGE\\\\}%"
exit 1
fi
# Check packet capture rate
STATS=$(stenoread --stats --json)
PACKETS_PER_SEC=$(echo $STATS|jq '.packets_per_second')
if [ $(echo "$PACKETS_PER_SEC < 100"|bc) -eq 1 ]; then
echo "WARNING: Low packet capture rate: $PACKETS_PER_SEC pps"
exit 1
fi
echo "OK: Stenographer is healthy"
exit 0
Supervisión de la ejecución
# Monitor capture statistics
watch -n 5 'stenoread --stats'
# Monitor system resources
iostat -x 1|grep -E "(Device|stenographer)"
top -p $(pgrep stenographer)
# Network interface statistics
watch -n 1 'cat /proc/net/dev|grep eth0'
Limpieza automatizada
#!/bin/bash
# Automated cleanup script
# Configuration
MAX_AGE_DAYS=7
DISK_THRESHOLD=85
PACKETS_DIR="/var/lib/stenographer/packets"
# Check disk usage
DISK_USAGE=$(df $PACKETS_DIR|tail -1|awk '\\\\{print $5\\\\}'|sed 's/%//')
if [ $DISK_USAGE -gt $DISK_THRESHOLD ]; then
echo "Disk usage $\\\\{DISK_USAGE\\\\}% exceeds threshold $\\\\{DISK_THRESHOLD\\\\}%"
# Clean packets older than MAX_AGE_DAYS
CUTOFF_DATE=$(date -d "$\\\\{MAX_AGE_DAYS\\\\} days ago" -Iseconds)
stenoread --clean --before "$CUTOFF_DATE"
echo "Cleaned packets older than $CUTOFF_DATE"
fi
Solución de problemas
Cuestiones comunes
# Check stenographer logs
sudo journalctl -u stenographer -f
# Verify configuration
stenographer --config /etc/stenographer/config --check
# Test network interface
sudo tcpdump -i eth0 -c 10
# Check permissions
ls -la /var/lib/stenographer/
sudo chown -R stenographer:stenographer /var/lib/stenographer/
Cuestiones de ejecución
# Check for packet drops
cat /proc/net/dev|grep eth0
ethtool -S eth0|grep drop
# Monitor CPU usage
top -p $(pgrep stenographer)
# Check I/O wait
iostat -x 1
# Verify disk performance
dd if=/dev/zero of=/var/lib/stenographer/test bs=1M count=1000 oflag=direct
Cuestiones de red
# Test connectivity
stenocurl -q "icmp" -c
# Check interface configuration
ip addr show eth0
ip route show
# Verify capture filter
tcpdump -i eth0 -d "tcp and port 80"
Prácticas óptimas de seguridad
Control de acceso
# Create dedicated user
sudo useradd -r -s /bin/false stenographer
# Set file permissions
sudo chown -R stenographer:stenographer /var/lib/stenographer/
sudo chmod 750 /var/lib/stenographer/
sudo chmod 640 /etc/stenographer/config
# Restrict certificate access
sudo chmod 600 /etc/stenographer/certs/*
Network Security
# Use TLS for remote access
stenocurl --cert /etc/stenographer/certs/client.crt \
--key /etc/stenographer/certs/client.key \
--ca /etc/stenographer/certs/ca.crt \
-q "tcp"
# Firewall configuration
sudo ufw allow from 192.168.1.0/24 to any port 1234
sudo ufw deny 1234
Protección de datos
# Encrypt packet storage
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 stenographer-data
sudo mkfs.ext4 /dev/mapper/stenographer-data
sudo mount /dev/mapper/stenographer-data /var/lib/stenographer/
# Secure deletion
sudo shred -vfz -n 3 /var/lib/stenographer/packets/*
Esta amplia hoja de trampa Stenographer cubre la instalación, configuración, uso e integración con herramientas de seguridad. Stenographer ofrece potentes capacidades de captura de paquetes completos para operaciones de vigilancia de seguridad de la red y respuesta a incidentes.