
概述

在某些安全事件场景中,可能某些设备监测到了异常流量,但上机用netstat排查时却看不到对应的网络连接,这时可能存在库劫持或rootkit。这里介绍一款内核级工具systemtap来检测网络连接请求;当然它的功能远不止于此,本文只是提供一些实用小脚本。

安装


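# Install systemtap plus the kernel debuginfo/devel packages it needs to
# resolve kernel.function(...) probes (tcp.receive, the netfilter hooks, ...).
#
# The three kernel RPMs must match the kernel stap is built against, which
# is normally the running kernel (`uname -r`); a mismatch is exactly what
# produces the "missing x86_64 kernel/module debuginfo ... Pass 2: analysis
# failed" output shown in the troubleshooting section below. The file names
# here are for a 2.6.32-642.el6 kernel; on an el7 host use the matching
# 3.10.0-* packages, or enable the debuginfo repo and run
# `debuginfo-install kernel-$(uname -r)` instead of installing RPMs by hand.
kver=2.6.32-642.el6.x86_64
if [[ "$(uname -r)" != "$kver" ]]; then
  printf 'running kernel %s does not match the debuginfo version %s\n' \
    "$(uname -r)" "$kver" >&2
  exit 1
fi

rpm -ivh "kernel-debuginfo-common-x86_64-${kver}.rpm"
rpm -ivh "kernel-debuginfo-${kver}.rpm"
rpm -ivh "kernel-devel-${kver}.rpm"

yum install systemtap systemtap-runtime  # systemtap itself from the yum repo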

使用范例

监控内对外网络请求

监控本地网卡所有对外连接请求

注:请求包量大的时候容易出现目标端口识别问题

# Every IP packet leaving this host, one row per packet, with the task the
# netfilter LOCAL_OUT hook ran under. A header row is printed once at start.
# NOTE(review): execname()/uid()/pid()/cmdline_str() report the task that was
# current when the hook fired; for packets sent from softirq/timer context
# (e.g. retransmits) that may not be the owning process — confirm before
# attributing traffic to a process on this output alone.
stap -e '
probe begin {
    printf("%16s\t%s\t%s\t%s\t%21s\t%s\t%21s\t%s\n",
           "ProcessName", "UID", "PID", "PPID", "Source", "Direct", "DST", "Cmdline")
}

probe netfilter.ip.local_out {
    printf("%16s\t%d\t%d\t%d\t%16s:%5d\t%s\t%16s:%5d\t%s\n",
           execname(), uid(), pid(), ppid(),
           saddr, sport, "-->", daddr, dport,
           cmdline_str())
}
'

监控对外ping请求

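# Outbound/inbound "ping"-style traffic: packets that carry no transport
# port (dport==0 on the way out, sport==0 on the way in). Port 0 is
# presumably what the tapset reports for any non-TCP/UDP protocol, so this
# matches ICMP but also any other port-less protocol — confirm against the
# netfilter tapset; a protocol check would tighten it.
# Fix: the original local_in printf had `execnam)` instead of `execname()`,
# a typo that closes the call early and does not parse.
# NOTE(review): in local_in the process fields reflect the task current at
# receive time, not necessarily the process that sent the ping — verify.
stap -e '
probe netfilter.ip.local_out {
    if (dport != 0) next
    printf("%s[PID:%d,TID:%d]\tsend %d to %s:%d\tcmdline:%s\n",
           execname(), pid(), tid(), length, daddr, dport, cmdline_str())
}

probe netfilter.ip.local_in {
    if (sport != 0) next
    printf("%s recv %d from %s:%d\tcmdline:%s\n",
           execname(), length, saddr, sport, cmdline_str())
}
'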

监控对外dns解析请求

# Outbound packets whose destination port is 53 (DNS). The filter is on the
# port only: any protocol to port 53 is shown, and DNS carried on other
# ports (e.g. DoT on 853, DoH on 443) is not.
stap -e '
probe netfilter.ip.local_out {
    if (dport != 53) next
    printf("processName:%s\tPID:%d,TID:%d\tsent packet to\t%s:%d\tcmdline:%s\n",
           execname(), pid(), tid(), daddr, dport, cmdline_str())
}
'

监控tcp对外连接

注:只针对tcp连接,不管连接成功与否

# connect(2) calls on AF_INET/AF_INET6 sockets, logged at syscall entry, so
# refused and failed connections appear as well as successful ones. Because
# this is a syscall probe, execname()/pid() are the calling process itself.
# Note that connect(2) is also issued for connected UDP sockets, so the
# output is not strictly limited to TCP.
stap -e '
probe syscall.connect {
    if (uaddr_af != "AF_INET" && uaddr_af != "AF_INET6") next
    printf("%s[%d]:%s\tcmdline:%s\n", execname(), pid(), argstr, cmdline_str())
}
'

监控外对内网络连接请求

监控所有外对内网络连接

# Every IP packet accepted for local delivery, one row per packet. The
# "Source" column holds the local side (daddr:dport) and "DST" the remote
# sender (saddr:sport), so each row reads local <-- remote.
# NOTE(review): the LOCAL_IN hook runs in the packet receive path rather
# than in the receiving process; execname()/uid()/pid()/cmdline_str() then
# report whichever task was current when the packet arrived, not the socket
# owner — verify before relying on these columns to attribute a connection.
stap -e '
probe begin {
    printf("%16s\t%s\t%s\t%s\t%21s\t%s\t%21s\t%s\n",
           "ProcessName", "UID", "PID", "PPID", "Source", "Direct", "DST", "Cmdline")
}

probe netfilter.ip.local_in {
    printf("%16s\t%d\t%d\t%d\t%16s:%5d\t%s\t%16s:%5d\t%s\n",
           execname(), uid(), pid(), ppid(),
           daddr, dport, "<--", saddr, sport,
           cmdline_str())
}
'

监控所有外对内TCP网络连接

# Live table of received TCP segments, redrawn once per second.
# tcp.receive fires for every received segment, not only new connections;
# an inbound connection attempt is a row with S=1 and A=0. The probe is
# built on kernel.function("tcp_v4_rcv") and needs matching kernel
# debuginfo — see the error output in the troubleshooting section below.
stap -e '
# Header lives in a function so the timer can redraw it.
function print_header() {
    printf("-----------------------------------------------------------------\n")
    printf("       Source IP  SPort         Dest IP  DPort  U  A  P  R  S  F \n")
    printf("-----------------------------------------------------------------\n")
}

# Clear and redraw at start and every second.
probe begin, timer.s(1) {
    ansi_clear_screen()
    print_header()
}

# One row per received segment with its TCP flag bits.
probe tcp.receive {
    printf(" %15s %5d  %15s  %5d  %d  %d  %d  %d  %d  %d\n",
           saddr, sport, daddr, dport,
           urg, ack, psh, rst, syn, fin)
}
'

更多使用脚本参考:

脚本参考:https://github.com/soarpenguin/systemtap-script

函数参考:https://sourceware.org/systemtap/tapsets/index.html

使用问题小记

1、报错信息

semantic error: while resolving probe point: identifier 'kernel' at /usr/share/systemtap/tapset/linux/tcp.stp:668:26
        source: probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
                                         ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/3.10.0-1160.66.1.el7.x86_64/build'

semantic error: while resolving probe point: identifier 'tcp' at :664:21
        source: probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
                                    ^

semantic error: no match

semantic error: while resolving probe point: identifier 'kernel' at :693:26
        source: probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
                                         ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/3.10.0-1160.66.1.el7.x86_64/build'

Missing separate debuginfos, use: debuginfo-install kernel-3.10.0-1160.66.1.el7.x86_64
Pass 2: analysis failed.  [man error::pass2]
Number of similar error messages suppressed: 3.
Rerun with -v to see them.
[root@VM-0-10-centos jiemi]# vi tcpconnect.stp
[root@VM-0-10-centos jiemi]# stap tcpconnect.stp
semantic error: while resolving probe point: identifier 'kernel' at /usr/share/systemtap/tapset/linux/tcp.stp:668:26
        source: probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
                                         ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/3.10.0-1160.66.1.el7.x86_64/build'

semantic error: while resolving probe point: identifier 'tcp' at :664:21
        source: probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
                                    ^

semantic error: no match

semantic error: while resolving probe point: identifier 'kernel' at :693:26
        source: probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
                                         ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/3.10.0-1160.66.1.el7.x86_64/build'

Missing separate debuginfos, use: debuginfo-install kernel-3.10.0-1160.66.1.el7.x86_64
Pass 2: analysis failed.  [man error::pass2]
Number of similar error messages suppressed: 3.
Rerun with -v to see them.

解决方法:

  • 将 /etc/yum.repos.d/CentOS-Debuginfo.repo 文件中的 enabled 设为 1
  • debuginfo-install kernel-3.10.0-1160.66.1.el7.x86_64

参考来源

http://blog.nsfocus.net/systemtap/
https://www.ucloud.cn/yun/11530.html
