流影---开源网络流量分析平台(五）（成果展示）

前沿

前四章我们已经成功安装了流影的各个功能，那么接下来我们就看看这个开源工具的实力，本实验将进行多个攻击手段（ip扫描，端口扫描，sql注入）攻击靶机，来看看流影的态感效果

攻击过程

首先本实验ens33网卡作为web控制配置，ens34作为靶机的受体，我们把探针部署在ens34网卡上并启动

css 复制代码

[root@localhost ~]# lyprobe -T "%IN_SRC_MAC %OUT_DST_MAC %IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %SRC_TOS %IN_PKTS %IN_BYTES %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME" -n 127.0.0.1:9995 -e 0 -w 32768 -G -i ens34  #这里作为输入命令


03/Apr/2025 01:05:16 [nprobe.c:2374] Welcome to lyprobe v.1.0.0 ($Revision: 2212 $) for x86_64-unknown-linux-gnu 
03/Apr/2025 01:05:16 [plugin.c:145] Loading plugins from ./plugins ...... Not Found.
03/Apr/2025 01:05:16 [plugin.c:150] Loading plugins from /bin/plugins ...... Loaded.
03/Apr/2025 01:05:16 [servicePlugin.c:766] No pattern found in ./fp-patterns
03/Apr/2025 01:05:16 [servicePlugin.c:763] Load pattern in /bin/plugins/fp-patterns
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 44 protocol patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 15 device patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 16 os patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 25 midware patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:505] >load 16 threat patterns.
03/Apr/2025 01:05:16 [servicePlugin.c:792] >>Loaded 116 patterns totally.
03/Apr/2025 01:05:16 [plugin.c:585] 1 plugin(s) enabled
03/Apr/2025 01:05:16 [nprobe.c:3564] Capturing packets from interface ens34

同时打开/etc/rc.local文件，确定有以下内容

Delphi 复制代码

#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
modprobe  pf_ring
lyprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %DNS_REQ_DOMAIN %DNS_REQ_TYPE %HTTP_URL %HTTP_REQ_METHOD %HTTP_HOST %HTTP_MIME %HTTP_RET_CODE %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %ICMP_DATA %ICMP_SEQ_NUM %ICMP_PAYLOAD_LEN %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME" -i ens34 -n 172.20.10.4:9995 -G -e 0 -w 32768 -k 1 -K /data/cap/3
/Agent/bin/nfcapd -w -D -l /data/flow/3 -p 9995
~

然后查看进程

Delphi 复制代码

[root@localhost ~]# ps aux |grep lyprobe   #查看lyprobe探针是否启动
root       1299  0.0  0.2 303584  9912 ?        Ssl  4月02   0:13 lyprobe -T %IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %DNS_REQ_DOMAIN %DNS_REQ_TYPE %HTTP_URL %HTTP_REQ_METHOD %HTTP_HOST %HTTP_MIME %HTTP_RET_CODE %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %ICMP_DATA %ICMP_SEQ_NUM %ICMP_PAYLOAD_LEN %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME -i ens34 -n 172.20.10.4:9995 -G -e 0 -w 32768 -k 1 -K /data/cap/3
root      10292  0.1  0.1 303584  7200 ?        Ssl  01:05   0:00 lyprobe -T %IN_SRC_MAC %OUT_DST_MAC %IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %SRC_TOS %IN_PKTS %IN_BYTES %SRV_TYPE %SRV_NAME %SRV_VERS %DEV_TYPE %DEV_NAME %DEV_VEND %DEV_VERS %OS_TYPE %OS_NAME %OS_VERS %MID_TYPE %MID_NAME %MID_VERS %THREAT_TYPE %THREAT_NAME %THREAT_VERS %SRV_TIME %DEV_TIME %OS_TIME %MID_TIME %THREAT_TIME -n 127.0.0.1:9995 -e 0 -w 32768 -G -i ens34
root      10300  0.0  0.0 112828   980 pts/2    S+   01:08   0:00 grep --color=auto lyprobe


[root@localhost ~]# ps aux |grep nfcapd    #查看nfcapd分析工具是否启动
root       1317  0.0  0.1  21348  4164 ?        S    4月02   0:00 /Agent/bin/nfcapd -w -D -l /data/flow/3 -p 9995
root      10388  0.0  0.0 112828   980 pts/2    S+   01:10   0:00 grep --color=auto nfcapd

然后浏览器输入http://ip地址:18080/ui,

点击配置> 规则，对各种规则进行设置（ip设置为0.0.0.0，流量如果小的话，阈值可以设置低点，要不然效果不明显，）关于规则具体的参数建议都设置小点（如果用的是流量包回放），不会的看官方文档：流影: 系统配置

然后导入流量包，我这里使用的是tcpreplay回放工具，可以先安装

Delphi 复制代码

# 安装tcpreplay回放工具
sudo yum install epel-release
sudo yum install tcpreplay


# 然后导入流量包（流量包在我前面的文章中有）
[root@localhost ~]# cd pcap_file
[root@localhost pcap_file]# ls
dnstun_cobalt_strike.pcap  ip_scan.pcap        mining_monerohash.pcap  sql_inject.pcap
icmptun_ptunnel_ssh.pcap   mining_common.pcap  port_scan.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 dnstun_cobalt_strike.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 ip_scan.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 mining_monerohash.pcap
[root@localhost pcap_file]# tcpreplay -i ens34sql_inject.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 icmptun_ptunnel_ssh.pcap 
[root@localhost pcap_file]# tcpreplay -i ens34 mining_common.pcap
[root@localhost pcap_file]# tcpreplay -i ens34 port_scan.pcap

查看