B0bTheSkull/netsentinel
GitHub: B0bTheSkull/netsentinel
A lightweight, real-time network security monitor built on Scapy that detects common network-layer threats: ARP spoofing, port scans, ICMP floods, DNS hijacking and DNS tunneling.
Stars: 0 | Forks: 0
# NetSentinel




## What It Detects
| Threat | Detection method | Severity |
|--------|------------------|----------|
| **ARP Spoofing** | A known IP→MAC mapping changes mid-session | CRITICAL |
| **Port Scan** | SYNs to N or more distinct ports from one source within a sliding window | HIGH |
| **ICMP Flood** | Echo requests from one source exceed a threshold within a window | HIGH |
| **DNS Hijacking** | A name suddenly resolves to a different IP than it did before | HIGH |
| **DNS Tunneling** | High-entropy subdomain labels (C2 / data exfiltration) | MEDIUM |

Two caveats worth knowing before tuning: the port-scan rule counts SYN packets only, so FIN/NULL/Xmas and UDP scans pass it, and the DNS hijacking rule keys on any change of answer, so names served from CDNs or round-robin pools will trip it legitimately; treat that alert as a prompt to verify the new address rather than as proof of tampering.
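The five rules in the table, worked through as an added example that is not NetSentinel's own code: a stateful detector fed with constructed packet summaries (plain dicts standing in for what Scapy would hand a sniff callback), so it runs offline without root or a capture interface. The threshold names and defaults copy the `config.yaml` shown later in this README; the `kind`/`src`/`dport`/`qname` field names, the `SlidingWindow` helper, the once-per-window alert suppression and the assumption that the last two labels of a name are the registrable domain are this example's choices, not the project's.

```python
import math
from collections import Counter, defaultdict, deque

# Same keys and defaults as the config.yaml shown in this README.
CONFIG = {
    "port_scan_ports": 15, "port_scan_window": 10,
    "icmp_flood_count": 50, "icmp_flood_window": 5,
    "entropy_threshold": 3.5,
    "whitelist_ips": {"127.0.0.1", "10.0.0.1"},
}


class SlidingWindow:
    """Per-key event queue that keeps only the last `window` seconds (example helper)."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)
        self.last_alert = {}

    def add(self, key, ts, value=None):
        q = self.events[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:   # evict entries older than the window
            q.popleft()
        return q

    def should_alert(self, key, ts):
        """Raise at most one alert per key per window (example's own dedup choice)."""
        if ts - self.last_alert.get(key, -math.inf) < self.window:
            return False
        self.last_alert[key] = ts
        return True


def shannon_entropy(label):
    """Bits per character of one DNS label; 16 distinct characters give exactly 4.0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


class Detector:
    """Stateful rules; feed() takes one packet summary and returns an alert dict or None."""

    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.arp = {}   # ip -> mac first seen for it
        self.dns = {}   # qname -> first answer IP seen for it
        self.scan = SlidingWindow(cfg["port_scan_window"])
        self.icmp = SlidingWindow(cfg["icmp_flood_window"])

    def feed(self, ev):
        if ev.get("src") in self.cfg["whitelist_ips"]:   # whitelisted sources skip every rule
            return None
        kind, ts = ev["kind"], ev["ts"]
        if kind == "arp":  # ARP spoofing: a known IP->MAC mapping changes mid-session
            old = self.arp.setdefault(ev["ip"], ev["mac"])
            if old != ev["mac"]:
                self.arp[ev["ip"]] = ev["mac"]
                return {"severity": "CRITICAL", "event_type": "arp_spoofing", "ip": ev["ip"],
                        "old_mac": old, "new_mac": ev["mac"]}
        elif kind == "syn":  # port scan: distinct ports SYN'd by one source inside the window
            n = len({p for _, p in self.scan.add(ev["src"], ts, ev["dport"])})
            if n >= self.cfg["port_scan_ports"] and self.scan.should_alert(ev["src"], ts):
                return {"severity": "HIGH", "event_type": "port_scan", "source_ip": ev["src"],
                        "detail": f"Port scan detected: {n} ports in {self.cfg['port_scan_window']}s"}
        elif kind == "icmp_echo":  # ICMP flood: echo requests from one source inside the window
            n = len(self.icmp.add(ev["src"], ts))
            if n >= self.cfg["icmp_flood_count"] and self.icmp.should_alert(ev["src"], ts):
                return {"severity": "HIGH", "event_type": "icmp_flood", "source_ip": ev["src"],
                        "detail": f"ICMP flood: {n} echo requests in {self.cfg['icmp_flood_window']}s"}
        elif kind == "dns_answer":  # DNS hijacking: a name suddenly resolves to a different IP
            old = self.dns.setdefault(ev["qname"], ev["ip"])
            if old != ev["ip"]:
                self.dns[ev["qname"]] = ev["ip"]
                return {"severity": "HIGH", "event_type": "dns_hijacking", "source_ip": ev["src"],
                        "detail": f"{ev['qname']} now resolves to {ev['ip']} (previously: {old})"}
        elif kind == "dns_query":  # DNS tunneling: a long, high-entropy subdomain label
            labels = ev["qname"].rstrip(".").split(".")
            for lab in labels[:-2]:  # assumption: the last two labels are the registrable domain
                h = shannon_entropy(lab)
                if len(lab) >= 8 and h > self.cfg["entropy_threshold"]:
                    return {"severity": "MEDIUM", "event_type": "dns_tunneling_suspect",
                            "source_ip": ev["src"], "entropy": round(h, 2)}
        return None


def sample_events():
    """Constructed packet summaries (not a real capture) that trip each rule once."""
    ev = [{"kind": "arp", "ts": 0.0, "ip": "192.168.1.1", "mac": "aa:bb:cc:dd:ee:ff"},
          {"kind": "arp", "ts": 1.0, "ip": "192.168.1.1", "mac": "11:22:33:44:55:66"}]
    ev += [{"kind": "syn", "ts": 2 + i * 0.1, "src": "203.0.113.45", "dport": p}
           for i, p in enumerate(range(1, 23))]                      # 22 ports in about 2 s
    ev += [{"kind": "icmp_echo", "ts": 10 + i * 0.05, "src": s}
           for i in range(87) for s in ("10.0.0.200", "10.0.0.1")]  # 10.0.0.1 is whitelisted
    ev += [{"kind": "dns_answer", "ts": 20.0, "src": "8.8.8.8", "qname": "legitimate-bank.com", "ip": "93.184.216.34"},
           {"kind": "dns_answer", "ts": 21.0, "src": "8.8.8.8", "qname": "legitimate-bank.com", "ip": "185.220.101.77"},
           {"kind": "dns_query", "ts": 22.0, "src": "192.168.1.10", "qname": "www.example.com"},
           {"kind": "dns_query", "ts": 23.0, "src": "192.168.1.10", "qname": "xKf93mQpL7nR2vWs.c2domain.com"}]
    return ev


def run(events, cfg=CONFIG):
    d = Detector(cfg)
    return [a for a in (d.feed(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

Mapping real packets onto these summaries is a thin layer over Scapy's fields: `pkt[ARP].psrc` and `pkt[ARP].hwsrc` for the ARP rule, `pkt[TCP].flags == "S"` with `pkt[TCP].dport` for the scan rule, `pkt[ICMP].type == 8` for echo requests, and `pkt[DNSQR].qname` / `pkt[DNSRR].rdata` for the two DNS rules. One consequence of the whitelist semantics above is worth noting: a whitelisted source is exempt from every rule, so whitelisting the resolver would silence both DNS rules.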
## Installation
```
git clone https://github.com/B0bTheSkull/netsentinel.git
cd netsentinel
pip install -r requirements.txt
```
## Usage
Live capture opens a raw socket, so the monitoring modes need root; only `--summary` runs unprivileged.
```
# Monitor the default interface (taken from config.yaml)
sudo python netsentinel.py
# Monitor a different interface
sudo python netsentinel.py --interface wlan0
# Use a custom config file
sudo python netsentinel.py --config my_config.yaml
# Analyse the event log (no root needed)
python netsentinel.py --summary
```
## Configuration
Edit `config.yaml` to adjust thresholds and behaviour:
```
interface: "eth0"
log_file: "netsentinel.json"
thresholds:
  port_scan_ports: 15      # distinct ports hit within port_scan_window seconds = alert
  port_scan_window: 10     # window in seconds
  icmp_flood_count: 50     # echo requests within icmp_flood_window seconds = alert
  icmp_flood_window: 5     # window in seconds
whitelist_ips:
  - "127.0.0.1"
  - "10.0.0.1"             # your router
dns_monitoring:
  enabled: true
  track_changes: true      # alert when a name starts resolving to a different IP
  entropy_threshold: 3.5   # higher = less sensitive to DNS tunneling
```
## Alert Examples
```
14:32:01 [CRITICAL] ARP SPOOFING | 192.168.1.55 → LAN | ARP table poisoning: 192.168.1.1 was aa:bb:cc:dd:ee:ff, now claiming 11:22:33:44:55:66
14:32:44 [HIGH] PORT SCAN | 203.0.113.45 → 192.168.1.10 | Port scan detected: 22 ports in 10s
14:33:01 [HIGH] ICMP FLOOD | 10.0.0.200 → 192.168.1.10 | ICMP flood: 87 echo requests in 5s
14:35:12 [HIGH] DNS HIJACKING | 8.8.8.8 → legitimate-bank.com | legitimate-bank.com now resolves to 185.220.101.77 (previously: 93.184.216.34)
14:36:05 [MEDIUM] DNS TUNNELING SUSPECT | 8.8.8.8 → xKf93mQpL7nR2vWs.c2domain.com | High entropy subdomain (entropy=4.21)
```
## Log Format
Every event is appended to `netsentinel.json` as newline-delimited JSON (one object per line):
```
{
  "timestamp": "2024-06-14T14:32:01.123456",
  "severity": "CRITICAL",
  "event_type": "arp_spoofing",
  "source_ip": "192.168.1.55",
  "destination": "LAN",
  "detail": "ARP table poisoning: 192.168.1.1 was aa:bb:cc:dd:ee:ff, now claiming 11:22:33:44:55:66",
  "old_mac": "aa:bb:cc:dd:ee:ff",
  "new_mac": "11:22:33:44:55:66"
}
```
## Log Summary
```
python netsentinel.py --summary
```
```
==================================================
NetSentinel Log Summary — 47 total events
==================================================
By Severity:
  CRITICAL: 2
  HIGH: 31
  MEDIUM: 14
By Event Type:
  port_scan: 28
  arp_spoofing: 2
  dns_tunneling_suspect: 14
  icmp_flood: 3
Top Source IPs:
  203.0.113.45: 19 events
  185.220.101.77: 12 events
```
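A reader for the log format documented above that produces the same counts as `--summary`, as an added example rather than the project's own implementation. It parses newline-delimited JSON, drops torn or incomplete lines (a crash mid-write leaves a partial last line, so a strict `json.load` over the whole file would fail), orders severities by rank rather than by count, and reports the top sources. The log lines embedded in `SAMPLE_LOG` are constructed for the example, and the `skipped` counter and the `REQUIRED` field check are this example's additions.

```python
import json
import sys
from collections import Counter
from pathlib import Path

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
REQUIRED = {"timestamp", "severity", "event_type"}   # example's own minimum schema

# Constructed log lines in the format documented above; not a real capture.
# The last two lines are deliberately broken to show how the parser copes.
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": "2024-06-14T14:32:01.123456", "severity": "CRITICAL",
                "event_type": "arp_spoofing", "source_ip": "192.168.1.55", "destination": "LAN",
                "detail": "ARP table poisoning: 192.168.1.1 was aa:bb:cc:dd:ee:ff, now claiming 11:22:33:44:55:66",
                "old_mac": "aa:bb:cc:dd:ee:ff", "new_mac": "11:22:33:44:55:66"}),
    json.dumps({"timestamp": "2024-06-14T14:32:44.000001", "severity": "HIGH", "event_type": "port_scan",
                "source_ip": "203.0.113.45", "destination": "192.168.1.10",
                "detail": "Port scan detected: 22 ports in 10s"}),
    json.dumps({"timestamp": "2024-06-14T14:32:58.000001", "severity": "HIGH", "event_type": "port_scan",
                "source_ip": "203.0.113.45", "destination": "192.168.1.11",
                "detail": "Port scan detected: 17 ports in 10s"}),
    json.dumps({"timestamp": "2024-06-14T14:33:01.000001", "severity": "HIGH", "event_type": "icmp_flood",
                "source_ip": "10.0.0.200", "destination": "192.168.1.10",
                "detail": "ICMP flood: 87 echo requests in 5s"}),
    json.dumps({"timestamp": "2024-06-14T14:36:05.000001", "severity": "MEDIUM",
                "event_type": "dns_tunneling_suspect", "source_ip": "8.8.8.8",
                "destination": "xKf93mQpL7nR2vWs.c2domain.com", "detail": "High entropy subdomain (entropy=4.21)"}),
    '{"timestamp": "2024-06-14T14:40:00.000001", "severity": "HIGH", "event_type": "po',  # torn mid-write
    json.dumps({"timestamp": "2024-06-14T14:41:00.000001", "severity": "LOW"}),           # missing event_type
])


def parse_log(text):
    """Return (events, skipped): one dict per well-formed line, plus the count of lines dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # torn or corrupt line: count it, do not abort the whole summary
            continue
        if not isinstance(ev, dict) or not REQUIRED.issubset(ev):
            skipped += 1          # parseable but not an event record
            continue
        events.append(ev)
    return events, skipped


def summarize(events, top_n=5):
    """Build the three tables the summary shows; severities keep rank order, not count order."""
    by_sev = Counter(e["severity"] for e in events)
    return {
        "total": len(events),
        "by_severity": [(s, by_sev[s]) for s in SEVERITY_ORDER if by_sev[s]],
        "by_event_type": Counter(e["event_type"] for e in events).most_common(),
        "top_source_ips": Counter(e["source_ip"] for e in events if e.get("source_ip")).most_common(top_n),
    }


def render(summary, skipped=0):
    """Plain-text rendering in the same layout as the --summary output above."""
    bar = "=" * 50
    lines = [bar, f"NetSentinel Log Summary: {summary['total']} total events", bar, "By Severity:"]
    lines += [f"  {s}: {n}" for s, n in summary["by_severity"]]
    lines.append("By Event Type:")
    lines += [f"  {t}: {n}" for t, n in summary["by_event_type"]]
    lines.append("Top Source IPs:")
    lines += [f"  {ip}: {n} events" for ip, n in summary["top_source_ips"]]
    if skipped:
        lines.append(f"({skipped} malformed line(s) skipped)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a path to read a real netsentinel.json; with no argument the constructed sample is used.
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LOG
    evs, bad = parse_log(text)
    print(render(summarize(evs), bad))
```

Skipping malformed lines rather than failing is the right default for an incident-time summary, but the skipped count is printed so a torn log does not silently hide events; if it is non-zero, look at the tail of the file.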
## MITRE ATT&CK Coverage
NetSentinel's detections map to the following MITRE ATT&CK techniques. Each alert written to `netsentinel.json` reflects behaviour an adversary uses for reconnaissance, interception on the local segment, command and control, or disruption.
| Detection | Tactic | Technique |
|---|---|---|
| ARP Spoofing | Credential Access / Collection | [T1557.002 — ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002/) |
| Port Scan | Discovery | [T1046 — Network Service Discovery](https://attack.mitre.org/techniques/T1046/) |
| ICMP Flood | Impact | [T1498.001 — Network Denial of Service: Direct Network Flood](https://attack.mitre.org/techniques/T1498/001/) |
| DNS Hijacking | Credential Access / Collection | [T1557 — Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for forged answers on the local segment; [T1584.002 — Compromise Infrastructure: DNS Server](https://attack.mitre.org/techniques/T1584/002/) when the upstream resolver itself is compromised |
| DNS Tunneling (high-entropy subdomains) | Exfiltration / Command and Control | [T1041 — Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/), [T1071.004 — Application Layer Protocol: DNS](https://attack.mitre.org/techniques/T1071/004/), [T1572 — Protocol Tunneling](https://attack.mitre.org/techniques/T1572/) |
## Roadmap
- [ ] Slack/Discord webhook alert notifications
- [ ] Passive OS fingerprinting
- [ ] PCAP capture when an alert fires
- [ ] Web dashboard (Flask)
- [ ] `systemd` service file for continuous monitoring
## License
MIT — see [LICENSE](LICENSE)