Yc-jafar/data-exfiltration-detection-behavorial
GitHub: Yc-jafar/data-exfiltration-detection-behavorial
基于Wazuh、Suricata和SLIPS构建的三层SIEM数据泄露检测系统,通过行为分析识别DNS隧道、C2信标等隐蔽威胁。
Stars: 1 | Forks: 0
# 数据泄露检测 — SIEM 与行为分析





## 为什么需要三层防御?
隐蔽的泄露技术(DNS tunneling、C2 beaconing、低速慢速传输)会伪装成正常流量,从而绕过传统的基于特征的 IDS。每一层都针对不同的指标家族:
| 层级 | 工具 | 检测内容 |
|---------------------|----------|----------------------------------------------------------------------|
| 网络特征 | Suricata | 已知的文档化威胁(Emerging Threats 规则集) |
| 流量记录 | Zeek | 所有网络行为,不进行判定 |
| ML 行为分析 | SLIPS | 统计异常、零日攻击、DGA、beaconing |
| SIEM 关联 | Wazuh | 统一视图、自定义规则、MITRE ATT&CK 映射、主动响应 |
## 架构
```
flowchart TD
subgraph ATTACKER["🖥️ Compromised Host"]
W1[DNS Tunneling\nMassive SCP\nLong Connection]
end
subgraph SOC["🛡️ SOC Server — Kali Linux"]
subgraph CAPTURE["Layer 1 · Network Signatures"]
S[Suricata 8.0.3\nNIDS · Emerging Threats\neve.json]
end
subgraph BEHAVIORAL["Layer 2 · Behavioral Analysis"]
SLIPS[SLIPS + Zeek\nMachine Learning\nDGA · Beaconing · Long Connection\nalerts.json]
REDIS[Redis\nML Inter-module Bus]
end
subgraph SIEM["Layer 3 · SIEM Correlation — Docker single-node"]
AGT[Wazuh Agent\nLog Collection\nTCP 1514 AES-256]
MGR[Wazuh Manager\nCustom Rules 100200→100221\nMITRE ATT&CK Mapping]
IDX[Wazuh Indexer\nOpenSearch]
DSH[Wazuh Dashboard\nSOC · Alerts · PDF Report]
end
subgraph RESPONSE["Active Response"]
AR[firewall-drop\niptables · 1h block\nRule 100210]
end
end
W1 -->|wlan0| S
W1 -->|wlan0| SLIPS
REDIS <-->|internal bus| SLIPS
S -->|eve.json| AGT
SLIPS -->|alerts.json| AGT
AGT -->|TCP 1514 AES-256| MGR
MGR --> IDX
IDX --> DSH
MGR -->|DNS Tunneling detected| AR
```
## 技术栈
- **操作系统**:Kali Linux(或任何 Debian/Ubuntu 发行版)
- **Wazuh** 4.14.3(Manager + Indexer + Dashboard)— Docker 单节点
- **Suricata** 8.0.3 — 原生运行于操作系统
- **SLIPS**(StratosphereLinuxIPS,最新版)+ **Zeek**(集成在 SLIPS 容器中)— Docker Compose
- **Redis** 7(Alpine)— SLIPS sidecar
- **Docker** 29.x + **Docker Compose** v5.x
## 前置条件
```
# 检查 Docker 和 Docker Compose
docker --version
docker compose version
# 安装必要工具
sudo apt-get update
sudo apt-get install -y gnupg apt-transport-https suricata
```
## 1. 部署 Wazuh(中心 SIEM)
### 1.1 Docker 单节点安装
```
git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.3
cd wazuh-docker/single-node/
# 生成 SSL/TLS 证书
docker compose -f generate-indexer-certs.yml run --rm generator
# 启动 stack (Manager + Indexer + Dashboard)
docker compose up -d
```
Dashboard 可通过 `https://` 访问 — 默认凭据:`admin / SecretPassword`(**请立即修改**)。
### 1.2 在主机上安装 Wazuh Agent
```
# 导入官方 GPG key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring \
--keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
chmod 644 /usr/share/keyrings/wazuh.gpg
# 添加 Wazuh 4.x repository
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \
| tee -a /etc/apt/sources.list.d/wazuh.list
apt-get update
# 安装指向 Manager 的 agent
WAZUH_MANAGER="" apt-get install wazuh-agent
# 启用并启动
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
# 验证
systemctl status wazuh-agent
```
## 2. 安装并集成 Suricata
### 2.1 安装
```
sudo apt-get update
sudo apt-get install -y suricata
```
### 2.2 下载 Emerging Threats 开放规则
```
cd /tmp
curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo mkdir -p /etc/suricata/rules
sudo mv rules/*.rules /etc/suricata/rules/
sudo find /etc/suricata/rules -name "*.rules" -exec chmod 777 {} \;
```
### 2.3 `suricata.yaml` 配置
编辑 `/etc/suricata/suricata.yaml`:
```
vars:
address-groups:
HOME_NET: "[192.168.0.0/16]" # adapt to your network
EXTERNAL_NET: "any"
default-rule-path: /etc/suricata/rules
rule-files:
- "*.rules"
stats:
enabled: yes
af-packet:
- interface: eth0 # adapt to your active interface (eth0, wlan0, enp0s3...)
```
```
sudo systemctl restart suricata
```
### 2.4 通过 Wazuh Agent 收集 Suricata 日志
添加到 `/var/ossec/etc/ossec.conf`(Agent 端):
```
json
/var/log/suricata/eve.json
```
Suricata 告警会通过父规则 `86600`(默认包含的 `0515-suricata_rules.xml`)自动转发到 Wazuh。
## 3. 部署 SLIPS + Zeek
Zeek 原生集成在 SLIPS 容器中 — 无需单独安装。
### 3.1 目录结构
```
mkdir -p ~/slips-docker/{config,output,dataset}
cd ~/slips-docker
```
### 3.2 获取 SLIPS 配置文件
```
git clone https://github.com/stratosphereips/StratosphereLinuxIPS.git
cp -r StratosphereLinuxIPS/config ~/slips-docker/config
```
### 3.3 `docker-compose.yml`
```
services:
redis:
image: redis:7-alpine
container_name: slips-redis
restart: unless-stopped
network_mode: host
command: redis-server --port 6379 --daemonize no
slips:
image: stratosphereips/slips:latest
container_name: slips
restart: unless-stopped
network_mode: host
cap_add:
- NET_ADMIN
- NET_RAW
deploy:
resources:
limits:
memory: 4G
cpus: '0.35'
depends_on:
- redis
volumes:
- ./config:/StratosphereLinuxIPS/config
- ./output:/StratosphereLinuxIPS/output
- ./dataset:/StratosphereLinuxIPS/dataset
entrypoint: [
"bash", "-c",
"python3 /StratosphereLinuxIPS/slips.py -i wlan0 -o /StratosphereLinuxIPS/output & sleep 15 && /StratosphereLinuxIPS/webinterface.sh"
]
```
### 3.4 启动
```
cd ~/slips-docker
docker compose up -d
```
### 3.5 Wazuh 收集 SLIPS 告警
添加到 `/var/ossec/etc/ossec.conf`(Agent 端):
```
json
/home//slips-docker/output/alerts.json
```
## 4. SLIPS → Wazuh 集成:自定义解码器和规则
### 4.1 SLIPS 解码器
在 Manager 容器中创建 `/var/ossec/etc/decoders/slips_decoders.xml`:
```
"Nom": "Slips"
Slips
true
JSON_Decoder
```
### 4.2 包含 MITRE ATT&CK 映射的 SLIPS 检测规则
在 Manager 容器中创建 `/var/ossec/etc/rules/slips_rules.xml`:
```
Slips
SLIPS: JSON event received
slips,exfiltration,behavioral
100200
dns tunneling|dns exfiltration|NXDOMAIN|long subdomain|DGA
SLIPS: DNS Tunneling exfiltration detected - T1071.004
T1071.004
slips,exfiltration,dns,
100200
beaconing|C2|periodic connection
SLIPS: C2 Beaconing behavior detected - T1071.001
T1071.001
slips,c2,beaconing,exfiltration,behavioral
100200
long connection|persistent connection|Low and Slow
SLIPS: Suspicious persistent connection - Low and Slow channel - T1041
T1041
slips,exfiltration,persistence,behavioral
100200
large data upload|volume|traffic
SLIPS: Abnormal upload volume - Probable exfiltration - T1048
T1048
slips,exfiltration,traffic,behavioral
```
在 Manager 容器中应用这些文件:
```
docker exec -it single-node-wazuh.manager-1 bash
# 复制文件到 /var/ossec/etc/decoders/ 和 /var/ossec/etc/rules/
# 然后重启 manager
systemctl restart wazuh-manager
```
## 5. 主动响应 — 自动阻断 DNS Tunneling
在 Manager 的 `/var/ossec/etc/ossec.conf` 中添加:
```
firewall-drop
firewall-drop
yes
no
firewall-drop
local
100210
3600
```
## 6. 验证测试
### DNS Tunneling (T1071.004)
```
# PowerShell (来自同一网络上的 Windows 机器)
for ($i=1; $i -le 10; $i++) {
Resolve-DnsName "random-domain-$i.invalid" -ErrorAction SilentlyContinue
}
```
**预期结果**:SLIPS 生成 `HIGH` 级别告警(检测到 DGA/DNS tunneling),并在约 5 分钟内在 Wazuh 中关联为级别 13 的规则 `100218`。
### 大规模 SCP 传输 (T1048)
```
# 创建测试文件
dd if=/dev/urandom of=/tmp/large-file.bin bs=1M count=150
# 传输到目标机器
scp /tmp/large-file.bin user@:/tmp/
```
**预期结果**:SLIPS 报告 `Large data upload`,Wazuh 将其关联为级别 12 的规则 `100221`。
### 持续低速慢速连接 (T1041)
在浏览器中打开一个指向外部地址的标签页,并保持打开状态超过 20 分钟。SLIPS 会报告 `Long Connection` — 此场景也说明了误报的情况,以及需要在 `slips.yaml` 中校准 `long_connection_threshold` 的必要性。
## 检测覆盖范围
| 攻击技术 | MITRE ID | 检测方 | Wazuh 规则 | 级别 |
|-------------------------|------------|--------------------|------------|-------|
| DNS Tunneling / DGA | T1071.004 | SLIPS + Suricata | 100218 | 13 |
| C2 Beaconing | T1071.001 | SLIPS | 100219 | 8 |
| 低速慢速连接 | T1041 | SLIPS + Zeek | 100220 | 10 |
| 大量数据上传 | T1048 | SLIPS | 100221 | 12 |
## 参考
- [Wazuh 文档](https://documentation.wazuh.com/current/)
- [Suricata 文档](https://docs.suricata.io/en/suricata-8.0.3/)
- [StratosphereLinuxIPS (SLIPS)](https://github.com/stratosphereips/StratosphereLinuxIPS)
- [Zeek 文档](https://docs.zeek.org/en/master/reference/logs/index.html)
- [MITRE ATT&CK — 外泄 (TA0010)](https://attack.mitre.org/tactics/TA0010/)
- [Emerging Threats 开放规则](https://rules.emergingthreats.net/)
## 作者
**Yc-jafar** — 蓝队 | SOC | 威胁检测
如果这个项目对您有帮助,欢迎给仓库点个 ⭐,也欢迎提交 Issue 提供反馈或改进建议!
标签:Apex, IP 地址批量处理, Metaprompt, Suricata, Wazuh, 搜索引擎查询, 数据泄露防护, 机器学习, 版权保护, 现代安全运营, 网络探测, 网络流量分析