Incident-Response Network Connection Triage: SystemTap


Contents

Overview

Installation

Usage examples

Monitoring internal -> external network requests

Monitoring all outbound connection requests on the local interfaces

Monitoring outbound ping requests

Monitoring outbound DNS resolution requests

Monitoring outbound TCP connections

Monitoring external -> internal network connection requests

Monitoring all inbound network connections

Monitoring all inbound TCP network connections

Usage issues

Sources


Overview

In some security-incident scenarios a monitoring device reports anomalous traffic from a host, yet when you log on to triage it, netstat shows no matching connection. That is a sign of a hijacked shared library or a rootkit hiding the socket from userland tools. This post introduces SystemTap, a kernel-level instrumentation tool, to observe network connection requests from inside the kernel, below any userland hook. SystemTap can do far more than this; what follows is just a handful of small practical scripts.

Installation

The kernel-debuginfo, kernel-debuginfo-common and kernel-devel packages must match the running kernel exactly (compare with uname -r); the versions below are for the 2.6.32-642.el6 kernel used here.

rpm -ivh kernel-debuginfo-common-x86_64-2.6.32-642.el6.x86_64.rpm

rpm -ivh kernel-debuginfo-2.6.32-642.el6.x86_64.rpm

rpm -ivh kernel-devel-2.6.32-642.el6.x86_64.rpm

yum install systemtap systemtap-runtime       # install systemtap with yum

Usage examples

Monitoring internal -> external network requests

Monitoring all outbound connection requests on the local interfaces

Note: when the packet rate is high, the destination port may be misidentified.

[root@VM-0-10-centos jiemi]# stap -e 'probe begin{printf("%16s\t%s\t%s\t%s\t%21s\t%s\t%21s\t%s\n","ProcessName","UID","PID","PPID","Source","Direct","DST","Cmdline")} probe netfilter.ip.local_out{printf("%16s\t%d\t%d\t%d\t%16s:%5d\t%s\t%16s:%5d\t%s\n",execname(),uid(),pid(),ppid(),saddr,sport,"-->",daddr,dport,cmdline_str());}'

Monitoring outbound ping requests

[root@VM-0-10-centos jiemi]# stap -e 'probe netfilter.ip.local_out{ if(dport==0) printf("%s[PID:%d,TID:%d]\tsend %d to %s:%d\tcmdline:%s\n",execname(),pid(),tid(),length,daddr,dport,cmdline_str())} probe netfilter.ip.local_in{if(sport==0) printf("%s recv %d from %s:%d\tcmdline:%s\n",execname(),length,saddr,sport,cmdline_str())}'

Monitoring outbound DNS resolution requests

[root@VM-0-10-centos jiemi]# stap -e 'probe netfilter.ip.local_out{ if(dport==53) printf("processName:%s\tPID:%d,TID:%d\tsent packet to\t%s:%d\tcmdline:%s\n",execname(),pid(),tid(),daddr,dport,cmdline_str())}'

Monitoring outbound TCP connections

Note: only applies to TCP connections, regardless of whether the connection succeeds.

[root@VM-0-10-centos jiemi]# stap -e 'probe syscall.connect{ if(uaddr_af=="AF_INET" || uaddr_af=="AF_INET6") printf("%s[%d]:%s\tcmdline:%s\n",execname(),pid(),argstr,cmdline_str());}'

Monitoring external -> internal network connection requests

Monitoring all inbound network connections

[root@VM-0-10-centos jiemi]# stap -e 'probe begin{printf("%16s\t%s\t%s\t%s\t%21s\t%s\t%21s\t%s\n","ProcessName","UID","PID","PPID","Source","Direct","DST","Cmdline")} probe netfilter.ip.local_in{printf("%16s\t%d\t%d\t%d\t%16s:%5d\t%s\t%16s:%5d\t%s\n",execname(),uid(),pid(),ppid(),daddr,dport,"<--",saddr,sport,cmdline_str());}'
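A defender's follow-up to the outbound and inbound one-liners above, added here as an example that is not part of the original post: it parses the tab-separated rows those two commands print (both place the local endpoint in the Source/DST column nearest the process and the remote endpoint in the other), parses a netstat -antp capture taken at the same moment, and reports the connections the kernel probe saw but netstat did not, which is exactly the hidden-connection symptom the overview describes. Both captures are constructed samples, and the process and address values in them are made up.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of the tab-separated rows the one-liners above print: header row,
# then one row per packet (ProcessName, UID, PID, PPID, local %16s:%5d, Direct, remote, Cmdline).
STAP_OUTPUT = (
    "     ProcessName\tUID\tPID\tPPID\t               Source\tDirect\t                  DST\tCmdline\n"
    "            curl\t0\t2311\t1988\t       10.0.0.10:43122\t-->\t"
    "   93.184.216.34:  443\tcurl https://example.com\n"
    "        kworkerd\t0\t2402\t1\t       10.0.0.10:51000\t-->\t"
    "    198.51.100.7: 4444\t./kworkerd\n"
)
# Constructed sample of `netstat -antp` taken at the same moment; the second connection
# is absent, as it would be if netstat or the libc it links had been hijacked.
NETSTAT_OUTPUT = (
    "Proto Recv-Q Send-Q Local Address    Foreign Address    State       PID/Program name\n"
    "tcp        0      0 10.0.0.10:43122  93.184.216.34:443  ESTABLISHED 2311/curl\n"
    "tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN      1122/sshd\n"
)

def _endpoint(field: str) -> Tuple[str, int]:
    """'   93.184.216.34:  443' -> ('93.184.216.34', 443); rsplit keeps IPv6 colons intact."""
    addr, port = field.rsplit(":", 1)
    return addr.strip(), int(port)

def parse_stap(text: str) -> List[Dict]:
    """Parse event rows; the header row is dropped because its PID column is not numeric."""
    events = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t", 7)]
        if len(cols) < 8 or not cols[2].isdigit():
            continue
        events.append({"execname": cols[0], "uid": int(cols[1]), "pid": int(cols[2]),
                       "local": _endpoint(cols[4]), "remote": _endpoint(cols[6]), "cmdline": cols[7]})
    return events

def parse_netstat(text: str) -> Set[Tuple[Tuple[str, int], Tuple[str, int]]]:
    """(local, foreign) pairs netstat lists; header and LISTEN rows (peer '*') are skipped."""
    seen = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith("tcp") or cols[4].endswith("*"):
            continue
        seen.add((_endpoint(cols[3]), _endpoint(cols[4])))
    return seen

def hidden_connections(stap_text: str, netstat_text: str) -> List[Dict]:
    """Rows the kernel probe saw but netstat did not report: triage these first."""
    visible = parse_netstat(netstat_text)
    return [e for e in parse_stap(stap_text) if (e["local"], e["remote"]) not in visible]
```

Because netfilter.ip.local_out fires per packet, a live capture will repeat rows for one connection; the set comparison tolerates that, but you may want to deduplicate before printing.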

Monitoring all inbound TCP network connections


stap -e ' probe begin, timer.s(1) {
    ansi_clear_screen()
    printf("-----------------------------------------------------------------\n")
    printf("       Source IP  SPort         Dest IP  DPort  U  A  P  R  S  F \n")
    printf("-----------------------------------------------------------------\n")
}

probe tcp.receive {
    printf(" %15s %5d  %15s  %5d  %d  %d  %d  %d  %d  %d\n",
        saddr, sport, daddr, dport, urg, ack, psh, rst, syn, fin)
}
'

More scripts and references:

Script reference: https://github.com/soarpenguin/systemtap-script

Tapset function reference: https://sourceware.org/systemtap/tapsets/index.html

Usage issues

1. Error messages

[root@VM-0-10-centos jiemi]# vi tcpconnect.stp
[root@VM-0-10-centos jiemi]# stap tcpconnect.stp
semantic error: while resolving probe point: identifier 'kernel' at /usr/share/systemtap/tapset/linux/tcp.stp:668:26
        source: probe tcp.ipv4.receive = kernel.function("tcp_v4_rcv")
                                         ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/3.10.0-1160.66.1.el7.x86_64/build'

semantic error: while resolving probe point: identifier 'tcp' at :664:21
        source: probe tcp.receive = tcp.ipv4.receive, tcp.ipv6.receive
                                    ^

semantic error: no match

semantic error: while resolving probe point: identifier 'kernel' at :693:26
        source: probe tcp.ipv6.receive = kernel.function("tcp_v6_rcv")!,
                                         ^

semantic error: missing x86_64 kernel/module debuginfo [man warning::debuginfo] under '/lib/modules/3.10.0-1160.66.1.el7.x86_64/build'

Missing separate debuginfos, use: debuginfo-install kernel-3.10.0-1160.66.1.el7.x86_64
Pass 2: analysis failed.  [man error::pass2]
Number of similar error messages suppressed: 3.
Rerun with -v to see them.

2. Fix

  • Set enabled=1 in /etc/yum.repos.d/CentOS-Debuginfo.repo
  • debuginfo-install kernel-3.10.0-1160.66.1.el7.x86_64

Sources

http://blog.nsfocus.net/systemtap/
https://www.ucloud.cn/yun/11530.html
