
Stenographer – Système de capture complète de paquets (full packet capture)


Stenographer est un utilitaire de capture complète de paquets (full packet capture) qui écrit le trafic sur disque à des fins de détection d'intrusion et de réponse aux incidents. Il fournit une interface simple et robuste pour stocker et récupérer des paquets réseau à grande échelle. Attention : une capture complète contient tout ce qui circule sur le réseau (identifiants, données personnelles, secrets applicatifs) ; l'accès au stockage et à l'API de requête doit être restreint en conséquence (voir « Pratiques exemplaires en matière de sécurité » plus bas).

Installation

Ubuntu/Debian

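# Install build dependencies
sudo apt update
sudo apt install build-essential git libpcap-dev libsnappy-dev libleveldb-dev

# Install Go (if not already installed). Pin the version and verify the
# archive against the SHA-256 published on go.dev before unpacking it into
# /usr/local. The .sha256 file comes from the same origin as the archive, so
# this catches a corrupted or truncated download rather than a compromised
# host; check go.dev for a current release instead of 1.21.0.
GO_VERSION=1.21.0
GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
wget "https://go.dev/dl/${GO_TARBALL}" "https://go.dev/dl/${GO_TARBALL}.sha256"
echo "$(cat "${GO_TARBALL}.sha256")  ${GO_TARBALL}" | sha256sum -c -
# Remove any previous toolchain first so stale files are not mixed in.
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "${GO_TARBALL}"
export PATH=$PATH:/usr/local/go/bin

# Clone and build Stenographer. Check out a reviewed tag or commit rather than
# building whatever HEAD happens to be today: this binary will see all traffic.
git clone https://github.com/google/stenographer.git
cd stenographer
# `go build ./...` compiles every package but discards the binaries when more
# than one package is involved; build the main package explicitly so there is
# something to install.
go build -o stenographer .

# Install binaries
sudo cp stenographer stenoread stenocurl /usr/local/bin/
sudo chmod 755 /usr/local/bin/steno*
# NOTE(review): the configuration on this page points StenotypePath at
# /usr/local/bin/stenotype, which none of these steps builds. stenotype is the
# native capture helper in the repository's stenotype/ directory (built with
# make) — build and install it as well, per the repository's INSTALL notes.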

CentOS/RHEL/Fedora

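# Install build dependencies
sudo yum groupinstall "Development Tools"
sudo yum install git libpcap-devel snappy-devel leveldb-devel

# Install Go. The distribution package can lag well behind upstream; if the
# build complains about the Go version, install a current toolchain from
# go.dev and verify its SHA-256 against the value published there.
sudo yum install golang

# Clone and build. Check out a reviewed tag or commit rather than building
# whatever HEAD happens to be today: this binary will see all traffic.
git clone https://github.com/google/stenographer.git
cd stenographer
# `go build ./...` discards its output when more than one package is built;
# build the main package explicitly so there is a binary to install.
go build -o stenographer .

# Install binaries
sudo cp stenographer stenoread stenocurl /usr/local/bin/
sudo chmod 755 /usr/local/bin/steno*
# NOTE(review): the configuration on this page points StenotypePath at
# /usr/local/bin/stenotype, which these steps never build. stenotype is the
# native capture helper in the repository's stenotype/ directory (built with
# make) — build and install it as well, per the repository's INSTALL notes.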
```

### Installation Docker
```bash
# Build Docker image
git clone https://github.com/google/stenographer.git
cd stenographer
docker build -t stenographer .

# Run container
docker run -d --name stenographer \
  --net=host \
  --privileged \
  -v /opt/stenographer:/opt/stenographer \
  stenographer
```

## Configuration

### Configuration de base
```bash
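# Create configuration and data directories: one packets/index pair per
# capture thread, matching the "Threads" entries written below.
sudo mkdir -p /etc/stenographer
sudo mkdir -p /var/lib/stenographer/packets /var/lib/stenographer/index

# Create basic configuration file. The heredoc delimiter is quoted so the
# shell expands nothing inside; the body must be plain JSON (no escaping of
# the braces). "Host": "127.0.0.1" keeps the query API off the network —
# change it only if remote stenocurl clients are required, and then firewall
# the port as well.
sudo tee /etc/stenographer/config >/dev/null << 'EOF'
{
  "Threads": [
    {
      "PacketsDirectory": "/var/lib/stenographer/packets",
      "IndexDirectory": "/var/lib/stenographer/index",
      "MaxDirectoryFiles": 30000,
      "DiskFreePercentage": 10
    }
  ],
  "StenotypePath": "/usr/local/bin/stenotype",
  "Interface": "eth0",
  "Port": 1234,
  "Host": "127.0.0.1",
  "Flags": [],
  "CertPath": "/etc/stenographer/certs"
}
EOF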

Configuration avancée

Note : cet exemple expose l'API de requête sur toutes les interfaces ("Host": "0.0.0.0"). Conservez 127.0.0.1 sauf si des clients stenocurl distants sont indispensables ; dans ce cas, filtrez le port 1234 au pare-feu et ne vous reposez que sur l'authentification par certificat client. Vérifiez aussi que chaque clé (RateLimit, MaxAge, …) est acceptée par votre version de stenographer : un décodeur JSON qui ignore silencieusement les clés inconnues ne signalera pas une faute de frappe.

\\\\{
  "Threads": [
    \\\\{
      "PacketsDirectory": "/data/stenographer/packets0",
      "IndexDirectory": "/data/stenographer/index0",
      "MaxDirectoryFiles": 50000,
      "DiskFreePercentage": 5
    \\\\},
    \\\\{
      "PacketsDirectory": "/data/stenographer/packets1",
      "IndexDirectory": "/data/stenographer/index1",
      "MaxDirectoryFiles": 50000,
      "DiskFreePercentage": 5
    \\\\}
  ],
  "StenotypePath": "/usr/local/bin/stenotype",
  "Interface": "eth0",
  "Port": 1234,
  "Host": "0.0.0.0",
  "Flags": [
    "--threads=2",
    "--fanout_type=FANOUT_HASH"
  ],
  "CertPath": "/etc/stenographer/certs",
  "RateLimit": "1000MB",
  "MaxAge": "7d"
\\\\}

Configuration des certificats (TLS mutuel)

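# Create certificate directory. umask 077 (inherited by sudo, which only ever
# makes the mask more restrictive) ensures no key is created world-readable,
# even for an instant.
sudo mkdir -p /etc/stenographer/certs
cd /etc/stenographer/certs
umask 077

# A private CA that signs both the server and the client certificates. A lone
# self-signed server certificate is not enough: the TLS example later on this
# page expects ca.crt, client.crt and client.key, i.e. client authentication.
sudo openssl genrsa -out ca.key 4096
sudo openssl req -new -x509 -key ca.key -out ca.crt -days 1825 \
  -subj "/O=Organization/CN=stenographer-ca"

# Server certificate, signed by the CA
sudo openssl genrsa -out stenographer.key 2048
sudo openssl req -new -key stenographer.key -out stenographer.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=stenographer"
sudo openssl x509 -req -in stenographer.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out stenographer.crt -days 365

# Client certificate (issue one per analyst or host rather than sharing one)
sudo openssl genrsa -out client.key 2048
sudo openssl req -new -key client.key -out client.csr \
  -subj "/O=Organization/CN=stenocurl-client"
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365
sudo rm -f stenographer.csr client.csr

# NOTE(review): the file names stenographer looks for under CertPath are
# version-specific; check your build's documentation and rename or symlink to
# match. Move ca.key offline once the certificates are issued, and hand
# client.key to the analyst who runs stenocurl — the daemon does not need it.

# Set permissions. The service account must already exist (see "Contrôle
# d'accès" below: useradd -r -s /bin/false stenographer), otherwise chown fails.
sudo chown -R stenographer:stenographer /etc/stenographer/certs
sudo chmod 700 /etc/stenographer/certs
sudo chmod 600 /etc/stenographer/certs/*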

Utilisation de base

Démarrage de Sténographe

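# First run in the foreground to see errors directly. This runs the daemon as
# root; beyond a smoke test, use the service unit with User=stenographer (the
# dedicated account created in "Contrôle d'accès") so the capture stack does
# not run with full root privileges.
sudo stenographer --config /etc/stenographer/config

# Start as systemd service. The unit file is not shown on this page; it must
# exist (and point at the same config) before these commands do anything.
sudo systemctl start stenographer
sudo systemctl enable stenographer

# Check status
sudo systemctl status stenographer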

Récupération des paquets de base

# NOTE(review): the -s/-e/-q options are as given on this page; confirm them
# with `stenocurl --help` for your build before scripting around them.

# Time window (RFC 3339 timestamps, UTC)
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T01:00:00Z"

# Single term: host, port, protocol
stenocurl -q "host 192.168.1.100"
stenocurl -q "port 80"
stenocurl -q "tcp"

# Terms combine with "and"
stenocurl -q "host 192.168.1.100 and port 80"

Formats de sortie

# Write the matching packets to a PCAP file for offline analysis
stenocurl -q "host 192.168.1.100" -w output.pcap

# Stream to stdout and decode on the fly (tcpdump reads pcap from stdin with -r -)
stenocurl -q "port 443"|tcpdump -r -

# Count matches without transferring the packets themselves
stenocurl -q "tcp" -c

# Cap the result size; do this on wide time windows before pulling everything
stenocurl -q "udp" -n 1000

Langage de requête

Note : d'après la documentation amont, l'index de Stenographer ne sait interroger que des hôtes, réseaux, ports, protocoles IP et plages de temps ; les filtres plus fins (drapeaux TCP, taille, « protocole applicatif ») sont de la syntaxe BPF de tcpdump et ne peuvent s'appliquer qu'après coup, sur les paquets déjà extraits. Vérifiez les options de stenocurl (-q, -s, -e, -w, -c, -n, -j) avec `stenocurl --help` pour votre version.

Filtres de base

# Address terms: either direction, or pinned to source / destination
stenocurl -q "host 10.0.0.1"
stenocurl -q "src host 10.0.0.1"
stenocurl -q "dst host 10.0.0.1"

# CIDR terms, same direction qualifiers
stenocurl -q "net 192.168.1.0/24"
stenocurl -q "src net 10.0.0.0/8"
stenocurl -q "dst net 172.16.0.0/12"

# Port terms; portrange covers an inclusive span
stenocurl -q "port 80"
stenocurl -q "src port 1234"
stenocurl -q "dst port 443"
stenocurl -q "portrange 1000-2000"

Filtres de protocole

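# Protocol types (IP-layer terms)
stenocurl -q "tcp"
stenocurl -q "udp"
stenocurl -q "icmp"
stenocurl -q "ip"
stenocurl -q "ip6"

# "Application protocols": neither Stenographer's documented query language
# nor BPF has primitives named http, https, dns, ssh or ftp — a filter such as
# `-q "http"` is a syntax error, not a match. Use the well-known port as a
# proxy, and remember that a port says nothing about what really runs on it
# (a C2 channel on 443 matches "https" just as well as a browser does).
stenocurl -q "port 80"     # HTTP
stenocurl -q "port 443"    # HTTPS
stenocurl -q "port 53"     # DNS
stenocurl -q "port 22"     # SSH
stenocurl -q "port 21"     # FTP control channel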

Requêtes avancées

# Boolean composition: and / or / not, parentheses for grouping
stenocurl -q "host 10.0.0.1 and port 80"
stenocurl -q "tcp or udp"
stenocurl -q "not port 22"
stenocurl -q "(host 10.0.0.1 or host 10.0.0.2) and port 443"

# Length terms (BPF syntax: greater/less are inclusive thresholds on length).
# NOTE(review): these and the flag tests below are tcpdump/BPF filter forms;
# expect them to be applied to extracted packets rather than to the index.
stenocurl -q "greater 1500"
stenocurl -q "less 64"
stenocurl -q "len = 1518"

# TCP flag tests on the tcpflags byte: SYN, ACK, RST
stenocurl -q "tcp[tcpflags] & tcp-syn != 0"
stenocurl -q "tcp[tcpflags] & tcp-ack != 0"
stenocurl -q "tcp[tcpflags] & tcp-rst != 0"

Requêtes temporelles

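# Specific time range (UTC)
stenocurl -s "2023-01-01T10:00:00Z" -e "2023-01-01T11:00:00Z" -q "tcp"

# Relative windows. -u makes date emit UTC, consistent with the fixed-time
# examples; without it the timestamp carries the querying host's local
# offset, which is valid but easy to misread next to "Z" times. Application
# names such as "dns"/"http" are not filter terms — use the port.
stenocurl -s "$(date -u -d '1 hour ago' -Iseconds)" -q "port 53"
stenocurl -s "$(date -u -d '1 day ago' -Iseconds)" -q "port 80"

# Combine time and filters
stenocurl -s "2023-01-01T00:00:00Z" -e "2023-01-01T23:59:59Z" -q "host 192.168.1.100 and tcp"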

Caractéristiques avancées

Capture multithreaded

\\\\{
  "Threads": [
    \\\\{
      "PacketsDirectory": "/fast-disk/packets0",
      "IndexDirectory": "/fast-disk/index0",
      "MaxDirectoryFiles": 100000,
      "DiskFreePercentage": 5
    \\\\},
    \\\\{
      "PacketsDirectory": "/fast-disk/packets1",
      "IndexDirectory": "/fast-disk/index1",
      "MaxDirectoryFiles": 100000,
      "DiskFreePercentage": 5
    \\\\}
  ],
  "Flags": [
    "--threads=4",
    "--fanout_type=FANOUT_HASH",
    "--blocks=8192",
    "--blocksize=2097152"
  ]
\\\\}

Optimisation des performances

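# Optimize network interface: larger rings, and no offloads. GRO/LRO/TSO/GSO
# merge or split segments before the capture sees them, so leaving them on
# means recording something other than what was on the wire.
sudo ethtool -G eth0 rx 4096 tx 4096
sudo ethtool -K eth0 gro off lro off tso off gso off

# Set CPU affinity for a foreground run (under systemd, use CPUAffinity= in
# the unit instead of starting the daemon by hand as root).
sudo taskset -c 0,1 stenographer --config /etc/stenographer/config

# Increase socket buffer sizes. A drop-in under /etc/sysctl.d is re-applied
# at boot and, unlike `tee -a` on sysctl.conf, does not append a duplicate
# line every time this snippet is run.
sudo tee /etc/sysctl.d/90-stenographer.conf >/dev/null <<'EOF'
net.core.rmem_max = 134217728
net.core.rmem_default = 134217728
EOF
sudo sysctl --system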

Gestion du stockage

# NOTE(review): --stats, --clean and --verify are given on this page as
# stenoread options; check `stenoread --help` for your build. The daemon also
# prunes on its own according to DiskFreePercentage / MaxDirectoryFiles.

# Disk and capture statistics: human-readable, then JSON for tooling
stenoread --stats
stenoread --stats --json > stenographer_stats.json

# Drop packets older than a cutoff (UTC timestamp)
stenoread --clean --before "2023-01-01T00:00:00Z"

# Integrity check of the stored packets
stenoread --verify

Intégration avec les outils de sécurité

Intégration Zeek

# Configure Zeek to use Stenographer
# In local.zeek:
# capture-loss reports gaps in TCP sequence numbers; on a replayed extract
# that is a cheap way to notice packets Stenographer failed to record.
@load policy/misc/capture-loss

# The Pcap settings only matter when Zeek captures live itself; for
# `zeek -r` the snaplen is already whatever Stenographer stored.
redef Pcap::snaplen = 65535;
redef Pcap::bufsize = 128;

# Extract packets for Zeek analysis, then replay them offline
stenocurl -q "tcp and port 80" -w http_traffic.pcap
zeek -r http_traffic.pcap

Intégration de Suricata

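# Extract the last hour of TCP. -u gives a UTC timestamp, consistent with the
# fixed-time examples elsewhere on this page.
stenocurl -q "tcp" -s "$(date -u -d '1 hour ago' -Iseconds)" -w recent_tcp.pcap

# Replay through Suricata offline; the -l directory must be writable by the
# invoking user, so run this as the suricata user rather than root if possible.
suricata -r recent_tcp.pcap -c /etc/suricata/suricata.yaml -l /var/log/suricata/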

Intégration de Wireshark

# Pull one host's traffic into a PCAP for the investigation
stenocurl -q "host 192.168.1.100" -w investigation.pcap

# Open in Wireshark — as an unprivileged user, never root: the dissectors
# parse attacker-controlled bytes, and a malformed capture is a classic way
# to attack the analyst's workstation.
wireshark investigation.pcap

# The same fields from the command line with tshark
tshark -r investigation.pcap -T fields -e ip.src -e ip.dst -e tcp.port

SIEM Intégration

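# NOTE(review): the -j (JSON) option and the field names are taken from this
# page; confirm the real output shape with `stenocurl --help`. The jq filters
# below assume a top-level array of records (.[]).

# Export packet metadata to JSON. Ship metadata only: full payloads in a SIEM
# spread credentials and personal data far beyond the capture host.
stenocurl -q "port 53" -j|jq '.[]|{timestamp, src_ip, dst_ip, protocol}'

# Send to Elasticsearch. The _bulk API needs newline-delimited JSON with an
# action line before every document, so the records are reshaped first.
# --fail surfaces HTTP errors instead of a silent 4xx; credentials come from
# ~/.netrc rather than the command line (argv is visible in `ps`). Use https
# and authentication on anything but a local test instance.
stenocurl -q "port 80" -j \
  | jq -c '.[] | {"index":{}}, .' \
  | curl -sS --fail --netrc -X POST "localhost:9200/packets/_bulk" \
      -H "Content-Type: application/x-ndjson" --data-binary @-

# Integration with Splunk: `splunk add oneshot` indexes a file, not stdin, so
# stage the export in a private temp file and remove it afterwards.
tmp=$(mktemp) && stenocurl -q "tcp" -j > "$tmp" \
  && splunk add oneshot "$tmp" -sourcetype stenographer
rm -f -- "$tmp"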

Surveillance et alerte

Surveillance de la santé

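#!/usr/bin/env bash
# Stenographer health check, Nagios-style exit codes: 0 OK, 1 WARNING, 2 CRITICAL.
# Requires: pgrep, df (GNU), stenoread, jq.
set -euo pipefail

readonly DATA_DIR="/var/lib/stenographer"
readonly DISK_WARN_PCT=90
readonly MIN_PPS=100

# Match the process name exactly. `pgrep -f stenographer` would also match
# this script's own bash process (its command line contains the script path)
# and report the daemon as running when it is not.
if ! pgrep -x stenographer >/dev/null; then
  echo "CRITICAL: Stenographer is not running"
  exit 2
fi

# Disk usage of the capture volume as an integer percentage.
disk_usage=$(df --output=pcent "$DATA_DIR" | tail -n 1 | tr -dc '0-9')
if [[ -z "$disk_usage" ]]; then
  echo "CRITICAL: cannot read disk usage for $DATA_DIR"
  exit 2
fi
if (( disk_usage > DISK_WARN_PCT )); then
  echo "WARNING: Disk usage is ${disk_usage}%"
  exit 1
fi

# Capture rate. A failing stats call is a problem in itself, not "0 pps".
# NOTE(review): --stats/--json and the packets_per_second field are assumed
# from this page; confirm them against `stenoread --help` for your build.
if ! stats=$(stenoread --stats --json); then
  echo "CRITICAL: stenoread --stats failed"
  exit 2
fi
pps=$(jq -r '.packets_per_second // empty' <<<"$stats")
if [[ -z "$pps" ]]; then
  echo "WARNING: packets_per_second missing from stats output"
  exit 1
fi
# jq does the numeric comparison, so the script does not depend on bc.
if jq -e --argjson min "$MIN_PPS" '.packets_per_second < $min' <<<"$stats" >/dev/null; then
  echo "WARNING: Low packet capture rate: $pps pps"
  exit 1
fi

echo "OK: Stenographer is healthy"
exit 0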

Surveillance de la performance

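# Monitor capture statistics
watch -n 5 'stenoread --stats'

# Monitor system resources. iostat reports per block device, never per
# process, so grepping its output for "stenographer" matches nothing. Name the
# device that holds the packet directories instead (find it with
# `findmnt --target /var/lib/stenographer`).
iostat -x 1 sdb
# -x matches the process name exactly (no false hits on this shell);
# -d, joins several PIDs into the comma list top -p expects.
top -p "$(pgrep -x -d, stenographer)"

# Network interface statistics
watch -n 1 'grep eth0 /proc/net/dev'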

Nettoyage automatisé

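#!/usr/bin/env bash
# Prune old captures when the capture volume fills up.
# NOTE(review): stenographer already enforces DiskFreePercentage and
# MaxDirectoryFiles per thread (see the configuration above). Use this only if
# that built-in pruning is insufficient, and never delete files under
# PacketsDirectory/IndexDirectory by hand while the daemon runs: the index
# would no longer match the packet files.
set -euo pipefail

readonly MAX_AGE_DAYS=7
readonly DISK_THRESHOLD=85
readonly PACKETS_DIR="/var/lib/stenographer/packets"

# Disk usage as an integer percentage; abort rather than compare an empty value.
disk_usage=$(df --output=pcent "$PACKETS_DIR" | tail -n 1 | tr -dc '0-9')
if [[ -z "$disk_usage" ]]; then
  echo "cannot read disk usage for $PACKETS_DIR" >&2
  exit 1
fi

if (( disk_usage > DISK_THRESHOLD )); then
  echo "Disk usage ${disk_usage}% exceeds threshold ${DISK_THRESHOLD}%"

  # UTC so the cutoff does not depend on the host's timezone.
  cutoff_date=$(date -u -d "${MAX_AGE_DAYS} days ago" -Iseconds)
  # NOTE(review): --clean/--before are taken from this page; confirm the
  # options exist in your stenoread build before scheduling this.
  stenoread --clean --before "$cutoff_date"

  echo "Cleaned packets older than $cutoff_date"
fi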

Dépannage

Problèmes courants

# Follow the daemon's journal
sudo journalctl -u stenographer -f

# Validate the configuration before (re)starting.
# NOTE(review): --check is given on this page; confirm the flag exists in your build.
stenographer --config /etc/stenographer/config --check

# Confirm the capture interface actually sees traffic
sudo tcpdump -i eth0 -c 10

# Ownership of the data tree must match the service account
ls -la /var/lib/stenographer/
sudo chown -R stenographer:stenographer /var/lib/stenographer/

Problèmes de performance

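# Check for packet drops: kernel counters, then NIC counters
grep eth0 /proc/net/dev
ethtool -S eth0|grep -i drop

# Monitor CPU usage (-x: exact process name; -d, joins several PIDs for top -p)
top -p "$(pgrep -x -d, stenographer)"

# Check I/O wait
iostat -x 1

# Verify disk performance. Keep the test file out of the packets/index
# directories (stenographer manages their contents) and remove it afterwards —
# the original snippet left a 1 GB file behind. The write competes with live
# capture, so do this in a maintenance window.
dd if=/dev/zero of=/var/lib/stenographer/test bs=1M count=1000 oflag=direct status=progress
rm -f /var/lib/stenographer/test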

Problèmes réseau

# Any ICMP in the store shows the capture path is at least seeing traffic (count only)
stenocurl -q "icmp" -c

# Interface and routing state of the capture host
ip addr show eth0
ip route show

# Compile the filter with tcpdump to confirm the BPF syntax (-d prints the
# program and captures nothing)
tcpdump -i eth0 -d "tcp and port 80"

Pratiques exemplaires en matière de sécurité

Contrôle d'accès

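# Create a dedicated, non-login system account for the daemon
sudo useradd -r -s /bin/false stenographer

# Data tree: owned by the service account, not world-readable
sudo chown -R stenographer:stenographer /var/lib/stenographer/
sudo chmod 750 /var/lib/stenographer/

# Config: root-owned, group-readable by the service account. Left at the
# default root:root ownership, mode 640 would make the file unreadable to the
# daemon once it runs as "stenographer".
sudo chown root:stenographer /etc/stenographer/config
sudo chmod 640 /etc/stenographer/config

# Certificates and keys: readable by the service account only
sudo chown -R stenographer:stenographer /etc/stenographer/certs
sudo chmod 700 /etc/stenographer/certs
sudo chmod 600 /etc/stenographer/certs/*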

Sécurité du réseau

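# Use mutual TLS for remote access. stenocurl is a wrapper that passes its
# options on to curl, whose CA-bundle option is --cacert (curl has no --ca);
# confirm the option names with `stenocurl --help` for your build.
stenocurl --cert /etc/stenographer/certs/client.crt \
         --key /etc/stenographer/certs/client.key \
         --cacert /etc/stenographer/certs/ca.crt \
         -q "tcp"

# Firewall: only relevant when "Host" in the config is not 127.0.0.1. ufw
# evaluates rules in order, so the allow for the analyst subnet must precede
# the deny. The client certificate remains the actual access control; the
# firewall only narrows exposure of the TLS endpoint.
sudo ufw allow from 192.168.1.0/24 to any port 1234 proto tcp
sudo ufw deny 1234/tcp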

Protection des données

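# Encrypt packet storage. luksFormat destroys everything on the device:
# double-check the device name, and stop stenographer first so nothing is
# writing under /var/lib/stenographer while the mount point changes.
sudo systemctl stop stenographer
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 stenographer-data
sudo mkfs.ext4 /dev/mapper/stenographer-data
sudo mount /dev/mapper/stenographer-data /var/lib/stenographer/
# The fresh filesystem's root directory is owned by root; restore the service
# account's ownership and mode before the daemon starts again.
sudo chown stenographer:stenographer /var/lib/stenographer/
sudo chmod 750 /var/lib/stenographer/
# Add matching /etc/crypttab and /etc/fstab entries so the volume is unlocked
# and mounted at boot, and make the unit wait for it
# (RequiresMountsFor=/var/lib/stenographer) so capture never lands on the
# unencrypted root filesystem underneath.
sudo systemctl start stenographer

# Secure deletion. For day-to-day retention rely on the daemon's own pruning
# (DiskFreePercentage / MaxDirectoryFiles in the config). Overwriting files
# with shred while the daemon runs corrupts its index, and on a journaled
# filesystem the overwrite may not hit the original blocks at all. If you
# must shred files on an unencrypted disk, stop the daemon first:
sudo systemctl stop stenographer
sudo shred -vfz -n 3 /var/lib/stenographer/packets/*
# On a LUKS volume the effective operation when the disk is retired is to
# destroy the key material: every key slot is wiped and the data becomes
# unrecoverable.
sudo umount /var/lib/stenographer/
sudo cryptsetup luksClose stenographer-data
sudo cryptsetup luksErase /dev/sdb1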

Cette fiche Stenographer couvre l'installation, la configuration, l'utilisation et l'intégration avec les outils de sécurité. Stenographer offre une capture complète de paquets adaptée à la surveillance de la sécurité réseau et à la réponse aux incidents ; comme le stockage contient l'intégralité du trafic, traitez-le comme une donnée sensible (chiffrement au repos, compte de service dédié, TLS mutuel pour l'API de requête, rétention limitée).