Yc-jafar/data-exfiltration-detection-behavorial

GitHub: Yc-jafar/data-exfiltration-detection-behavorial

基于Wazuh、Suricata和SLIPS构建的三层SIEM数据泄露检测系统,通过行为分析识别DNS隧道、C2信标等隐蔽威胁。

Stars: 1 | Forks: 0

# 数据泄露检测 — SIEM 与行为分析 ![蓝队](https://img.shields.io/badge/Blue%20Team-Defensive%20Security-blue) ![MITRE ATT&CK](https://img.shields.io/badge/MITRE-ATT%26CK-red) ![Wazuh](https://img.shields.io/badge/Wazuh-4.14.3-orange) ![Docker](https://img.shields.io/badge/Docker-Compose-2496ED?logo=docker) ![许可证](https://img.shields.io/badge/License-MIT-green) ## 为什么需要三层防御? 隐蔽的泄露技术(DNS tunneling、C2 beaconing、低速慢速传输)会伪装成正常流量,从而绕过传统的基于特征的 IDS。每一层都针对不同的指标家族: | 层级 | 工具 | 检测内容 | |---------------------|----------|----------------------------------------------------------------------| | 网络特征 | Suricata | 已知的文档化威胁(Emerging Threats 规则集) | | 流量记录 | Zeek | 所有网络行为,不进行判定 | | ML 行为分析 | SLIPS | 统计异常、零日攻击、DGA、beaconing | | SIEM 关联 | Wazuh | 统一视图、自定义规则、MITRE ATT&CK 映射、主动响应 | ## 架构 ``` flowchart TD subgraph ATTACKER["🖥️ Compromised Host"] W1[DNS Tunneling\nMassive SCP\nLong Connection] end subgraph SOC["🛡️ SOC Server — Kali Linux"] subgraph CAPTURE["Layer 1 · Network Signatures"] S[Suricata 8.0.3\nNIDS · Emerging Threats\neve.json] end subgraph BEHAVIORAL["Layer 2 · Behavioral Analysis"] SLIPS[SLIPS + Zeek\nMachine Learning\nDGA · Beaconing · Long Connection\nalerts.json] REDIS[Redis\nML Inter-module Bus] end subgraph SIEM["Layer 3 · SIEM Correlation — Docker single-node"] AGT[Wazuh Agent\nLog Collection\nTCP 1514 AES-256] MGR[Wazuh Manager\nCustom Rules 100200→100221\nMITRE ATT&CK Mapping] IDX[Wazuh Indexer\nOpenSearch] DSH[Wazuh Dashboard\nSOC · Alerts · PDF Report] end subgraph RESPONSE["Active Response"] AR[firewall-drop\niptables · 1h block\nRule 100210] end end W1 -->|wlan0| S W1 -->|wlan0| SLIPS REDIS <-->|internal bus| SLIPS S -->|eve.json| AGT SLIPS -->|alerts.json| AGT AGT -->|TCP 1514 AES-256| MGR MGR --> IDX IDX --> DSH MGR -->|DNS Tunneling detected| AR ``` ## 技术栈 - **操作系统**:Kali Linux(或任何 Debian/Ubuntu 发行版) - **Wazuh** 4.14.3(Manager + Indexer + Dashboard)— Docker 单节点 - **Suricata** 8.0.3 — 原生运行于操作系统 - **SLIPS**(StratosphereLinuxIPS,最新版)+ **Zeek**(集成在 SLIPS 容器中)— Docker Compose - **Redis** 7(Alpine)— SLIPS sidecar - **Docker** 29.x + **Docker Compose** v5.x ## 前置条件 ``` # 检查 Docker 和 Docker Compose docker --version docker compose version # 安装必要工具 sudo apt-get update sudo apt-get install -y gnupg apt-transport-https suricata ``` ## 1. 部署 Wazuh(中心 SIEM) ### 1.1 Docker 单节点安装 ``` git clone https://github.com/wazuh/wazuh-docker.git -b v4.14.3 cd wazuh-docker/single-node/ # 生成 SSL/TLS 证书 docker compose -f generate-indexer-certs.yml run --rm generator # 启动 stack (Manager + Indexer + Dashboard) docker compose up -d ``` Dashboard 可通过 `https://` 访问 — 默认凭据:`admin / SecretPassword`(**请立即修改**)。 ### 1.2 在主机上安装 Wazuh Agent ``` # 导入官方 GPG key curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring \ --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import chmod 644 /usr/share/keyrings/wazuh.gpg # 添加 Wazuh 4.x repository echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" \ | tee -a /etc/apt/sources.list.d/wazuh.list apt-get update # 安装指向 Manager 的 agent WAZUH_MANAGER="" apt-get install wazuh-agent # 启用并启动 systemctl daemon-reload systemctl enable wazuh-agent systemctl start wazuh-agent # 验证 systemctl status wazuh-agent ``` ## 2. 安装并集成 Suricata ### 2.1 安装 ``` sudo apt-get update sudo apt-get install -y suricata ``` ### 2.2 下载 Emerging Threats 开放规则 ``` cd /tmp curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz sudo tar -xvzf emerging.rules.tar.gz sudo mkdir -p /etc/suricata/rules sudo mv rules/*.rules /etc/suricata/rules/ sudo find /etc/suricata/rules -name "*.rules" -exec chmod 777 {} \; ``` ### 2.3 `suricata.yaml` 配置 编辑 `/etc/suricata/suricata.yaml`: ``` vars: address-groups: HOME_NET: "[192.168.0.0/16]" # adapt to your network EXTERNAL_NET: "any" default-rule-path: /etc/suricata/rules rule-files: - "*.rules" stats: enabled: yes af-packet: - interface: eth0 # adapt to your active interface (eth0, wlan0, enp0s3...) ``` ``` sudo systemctl restart suricata ``` ### 2.4 通过 Wazuh Agent 收集 Suricata 日志 添加到 `/var/ossec/etc/ossec.conf`(Agent 端): ``` json /var/log/suricata/eve.json ``` Suricata 告警会通过父规则 `86600`(默认包含的 `0515-suricata_rules.xml`)自动转发到 Wazuh。 ## 3. 部署 SLIPS + Zeek Zeek 原生集成在 SLIPS 容器中 — 无需单独安装。 ### 3.1 目录结构 ``` mkdir -p ~/slips-docker/{config,output,dataset} cd ~/slips-docker ``` ### 3.2 获取 SLIPS 配置文件 ``` git clone https://github.com/stratosphereips/StratosphereLinuxIPS.git cp -r StratosphereLinuxIPS/config ~/slips-docker/config ``` ### 3.3 `docker-compose.yml` ``` services: redis: image: redis:7-alpine container_name: slips-redis restart: unless-stopped network_mode: host command: redis-server --port 6379 --daemonize no slips: image: stratosphereips/slips:latest container_name: slips restart: unless-stopped network_mode: host cap_add: - NET_ADMIN - NET_RAW deploy: resources: limits: memory: 4G cpus: '0.35' depends_on: - redis volumes: - ./config:/StratosphereLinuxIPS/config - ./output:/StratosphereLinuxIPS/output - ./dataset:/StratosphereLinuxIPS/dataset entrypoint: [ "bash", "-c", "python3 /StratosphereLinuxIPS/slips.py -i wlan0 -o /StratosphereLinuxIPS/output & sleep 15 && /StratosphereLinuxIPS/webinterface.sh" ] ``` ### 3.4 启动 ``` cd ~/slips-docker docker compose up -d ``` ### 3.5 Wazuh 收集 SLIPS 告警 添加到 `/var/ossec/etc/ossec.conf`(Agent 端): ``` json /home//slips-docker/output/alerts.json ``` ## 4. SLIPS → Wazuh 集成:自定义解码器和规则 ### 4.1 SLIPS 解码器 在 Manager 容器中创建 `/var/ossec/etc/decoders/slips_decoders.xml`: ``` "Nom": "Slips" Slips true JSON_Decoder ``` ### 4.2 包含 MITRE ATT&CK 映射的 SLIPS 检测规则 在 Manager 容器中创建 `/var/ossec/etc/rules/slips_rules.xml`: ``` Slips SLIPS: JSON event received slips,exfiltration,behavioral 100200 dns tunneling|dns exfiltration|NXDOMAIN|long subdomain|DGA SLIPS: DNS Tunneling exfiltration detected - T1071.004 T1071.004 slips,exfiltration,dns, 100200 beaconing|C2|periodic connection SLIPS: C2 Beaconing behavior detected - T1071.001 T1071.001 slips,c2,beaconing,exfiltration,behavioral 100200 long connection|persistent connection|Low and Slow SLIPS: Suspicious persistent connection - Low and Slow channel - T1041 T1041 slips,exfiltration,persistence,behavioral 100200 large data upload|volume|traffic SLIPS: Abnormal upload volume - Probable exfiltration - T1048 T1048 slips,exfiltration,traffic,behavioral ``` 在 Manager 容器中应用这些文件: ``` docker exec -it single-node-wazuh.manager-1 bash # 复制文件到 /var/ossec/etc/decoders/ 和 /var/ossec/etc/rules/ # 然后重启 manager systemctl restart wazuh-manager ``` ## 5. 主动响应 — 自动阻断 DNS Tunneling 在 Manager 的 `/var/ossec/etc/ossec.conf` 中添加: ``` firewall-drop firewall-drop yes no firewall-drop local 100210 3600 ``` ## 6. 验证测试 ### DNS Tunneling (T1071.004) ``` # PowerShell (来自同一网络上的 Windows 机器) for ($i=1; $i -le 10; $i++) { Resolve-DnsName "random-domain-$i.invalid" -ErrorAction SilentlyContinue } ``` **预期结果**:SLIPS 生成 `HIGH` 级别告警(检测到 DGA/DNS tunneling),并在约 5 分钟内在 Wazuh 中关联为级别 13 的规则 `100218`。 ### 大规模 SCP 传输 (T1048) ``` # 创建测试文件 dd if=/dev/urandom of=/tmp/large-file.bin bs=1M count=150 # 传输到目标机器 scp /tmp/large-file.bin user@:/tmp/ ``` **预期结果**:SLIPS 报告 `Large data upload`,Wazuh 将其关联为级别 12 的规则 `100221`。 ### 持续低速慢速连接 (T1041) 在浏览器中打开一个指向外部地址的标签页,并保持打开状态超过 20 分钟。SLIPS 会报告 `Long Connection` — 此场景也说明了误报的情况,以及需要在 `slips.yaml` 中校准 `long_connection_threshold` 的必要性。 ## 检测覆盖范围 | 攻击技术 | MITRE ID | 检测方 | Wazuh 规则 | 级别 | |-------------------------|------------|--------------------|------------|-------| | DNS Tunneling / DGA | T1071.004 | SLIPS + Suricata | 100218 | 13 | | C2 Beaconing | T1071.001 | SLIPS | 100219 | 8 | | 低速慢速连接 | T1041 | SLIPS + Zeek | 100220 | 10 | | 大量数据上传 | T1048 | SLIPS | 100221 | 12 | ## 参考 - [Wazuh 文档](https://documentation.wazuh.com/current/) - [Suricata 文档](https://docs.suricata.io/en/suricata-8.0.3/) - [StratosphereLinuxIPS (SLIPS)](https://github.com/stratosphereips/StratosphereLinuxIPS) - [Zeek 文档](https://docs.zeek.org/en/master/reference/logs/index.html) - [MITRE ATT&CK — 外泄 (TA0010)](https://attack.mitre.org/tactics/TA0010/) - [Emerging Threats 开放规则](https://rules.emergingthreats.net/) ## 作者 **Yc-jafar** — 蓝队 | SOC | 威胁检测 如果这个项目对您有帮助,欢迎给仓库点个 ⭐,也欢迎提交 Issue 提供反馈或改进建议!
标签:Apex, IP 地址批量处理, Metaprompt, Suricata, Wazuh, 搜索引擎查询, 数据泄露防护, 机器学习, 版权保护, 现代安全运营, 网络探测, 网络流量分析