cybermaggedon / cyberprobe Goto Github PK


Capturing, analysing and responding to cyber attacks

Home Page: https://cybermaggedon.github.io/cyberprobe-docs/

License: Other

Makefile 0.72% Shell 17.04% Lua 5.69% M4 3.72% C++ 44.79% C 19.93% Python 7.92% HTML 0.18%
network-monitoring network packet-processing packet-analyser network-defense cybersecurity protocol-analyser

cyberprobe's People

Contributors: andy-lyft, cybermaggedon, davidtn, doodle-tnw, mxds, paul-maylin, srhowl, venscjp

cyberprobe's Issues

the visualization steps please

1. The new version of Elasticsearch doesn't support TTL; version 2.3.5 does. How will you update that in the new version, since the old versions are very ugly?

2. https-server in the visualization: what does it mean?

3. DNS query: how can I get it?

4. The packets bring to me ipv4:192.222.1.50; I don't want to show ipv4 in Kibana. Please answer my questions.

IP compilation warning

ip.C: In static member function 'static void cybermon::ip::handle_nxt_proto(cybermon::manager&, cybermon::context_ptr, uint8_t, const cybermon::pdu_slice&, uint16_t, uint8_t)':
ip.C:21:14: warning: variable 'e' set but not used [-Wunused-but-set-variable]
     pdu_iter e = sl.end;

ERROR RUNNING DB.lua

Exception: Error running script: /etc/cyberprobe/mime.lua:12 module 'mime.core' not found

Compilation warning: socket.C

socket.C: In member function 'virtual int tcpip::tcp_socket::read(char*, int)':
socket.C:456:12: warning: unused variable 'then' [-Wunused-variable]
     time_t then = time(0);
            ^~~~
socket.C: In constructor 'tcpip::ssl_socket::ssl_socket()':
socket.C:855:42: warning: 'const SSL_METHOD* TLSv1_2_method()' is deprecated [-Wdeprecated-declarations]
     context = SSL_CTX_new(TLSv1_2_method());
                                          ^
In file included from /usr/include/openssl/opensslconf.h:42,
                 from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:45,
                 from ../include/cybermon/socket.h:5,
                 from socket.C:2:
/usr/include/openssl/ssl.h:1644:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
 ^~~~~~~~~~~~~~~~~~
socket.C:855:42: warning: 'const SSL_METHOD* TLSv1_2_method()' is deprecated [-Wdeprecated-declarations]
     context = SSL_CTX_new(TLSv1_2_method());
                                          ^
In file included from /usr/include/openssl/opensslconf.h:42,
                 from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:45,
                 from ../include/cybermon/socket.h:5,
                 from socket.C:2:
/usr/include/openssl/ssl.h:1644:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
 ^~~~~~~~~~~~~~~~~~
socket.C: In constructor 'tcpip::ssl_socket::ssl_socket(int)':
socket.C:932:42: warning: 'const SSL_METHOD* TLSv1_2_method()' is deprecated [-Wdeprecated-declarations]
     context = SSL_CTX_new(TLSv1_2_method());
                                          ^
In file included from /usr/include/openssl/opensslconf.h:42,
                 from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:45,
                 from ../include/cybermon/socket.h:5,
                 from socket.C:2:
/usr/include/openssl/ssl.h:1644:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
 ^~~~~~~~~~~~~~~~~~
socket.C:932:42: warning: 'const SSL_METHOD* TLSv1_2_method()' is deprecated [-Wdeprecated-declarations]
     context = SSL_CTX_new(TLSv1_2_method());
                                          ^
In file included from /usr/include/openssl/opensslconf.h:42,
                 from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:45,
                 from ../include/cybermon/socket.h:5,
                 from socket.C:2:
/usr/include/openssl/ssl.h:1644:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */

Is cyberprobe a SIEM?

I want to know: can we use cyberprobe as a SIEM, and if not, are you going to integrate the plugins of the SIEM project into cyberprobe? And how can I use it as a SIEM project in my company, or anything else?

Auto tests fails with tls.pcap on Ubuntu Bionic

#                             -*- compilation -*-
12. testsuite.at:114: testing tls.pcap ...
./testsuite.at:119: diff output1 output2
--- /dev/null   2019-07-04 04:50:59.260698767 +0000
+++ /usr/local/src/cyberprobe/cyberprobe-2.0.2/cyberprobe-2.0.2/tests/testsuite.dir/at-groups/12/stdout 2019-07-04 04:57:13.309990192 +0000
@@ -0,0 +1,4 @@
+56c56
+<     data              -> 0x8BF58C92B8EBB92669CDCFEBEBD6A992CE88EF536198FCD81C646B96
+---
+>     data              -> 0x8BF58C92B8EBB92669CDCFEBEBD6A992CE88EF536198FCD81C646B00
./testsuite.at:119: exit code was 1, expected 0
12. testsuite.at:114: 12. tls.pcap (testsuite.at:114): FAILED (testsuite.at:119)

Compilation warning, 2.5.0

libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -I../include -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -c protocol/tls.C -o protocol/tls.o >/dev/null 2>&1
In file included from ../include/cyberprobe/event/event_protobuf.h:10,
                 from event/event_protobuf.C:7:
./cyberprobe.pb.h: In function 'void cyberprobe::event::protobufify(cyberprobe::event::proto_addr&, cyberprobe::ProtocolAddress*)':
./cyberprobe.pb.h:11617:13: warning: 'prot' may be used uninitialized in this function [-Wmaybe-uninitialized]
11617 |   protocol_ = value;
      |   ~~~~~~~~~~^~~~~~~
event/event_protobuf.C:129:34: note: 'prot' was declared here
  129 |             cyberprobe::Protocol prot;
      |                                  ^~~~

cybermon-elasticsearch 1.6.8

cybermon-elasticsearch
elasticsearch: Exception: HTTPConnectionPool(host='localhost', port=9200): Max retries exceeded with url: //cyberprobe (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f7cc5ddab50>: Failed to establish a new connection: [Errno 111] Connection refused',))
Traceback (most recent call last):
File "/usr/local/bin/cybermon-elasticsearch", line 204, in
init()
File "/usr/local/bin/cybermon-elasticsearch", line 94, in init
time.sleep(1)
NameError: global name 'time' is not defined

Auto-tests fail for tls-with-cert.pcap on Debian Stretch

Auto-tests fail for building on some Debian/Ubuntu cases.

tls-with-cert.pcap test case.

< .action tls_handshake_complete 2
---
> .action tls_handshake_complete 1
17c17
< .dest.0 ipv4:93.184.216.34 13
---
> .dest.0 ipv4:93.184.216.34 12
19c19
< .dest.1 tcp:443 13
---
> .dest.1 tcp:443 12
23,24c23,24
< .dest.2 tls 25
< .device PCAP 33
---
> .dest.2 tls 24
> .device PCAP 32
37c37
< .src.0 ipv4:172.17.0.2 15
---
> .src.0 ipv4:172.17.0.2 14
40c40
< .src.1 tcp:43258 13
---
> .src.1 tcp:43258 12
45c45
< .src.2 tls 25
---
> .src.2 tls 24
156c156
< .tls_handshake_complete.tls None 2
---
> .tls_handshake_complete.tls None 1

Getting error of UUID4 for Elasticsearch

Hello,

I am getting an error of UUID4 for the Elasticsearch script. I have installed Cyberprobe 1.6.0, NODEJS v6, Node v3, and ELK 6.1.1 on Ubuntu 16.04. I need your help in this regard to fix it.

Thanks.

largest cyberprobe implementations?

I think this project is very interesting and appreciate the great documentation. Do you know if this is deployed on 100+, 1000+ node networks and what specs are required to handle the traffic volume?

How to configure without systemd

Hi, I was compiling your tool on my system but then it stopped; it looks like your tool needs the systemd init system to work.
My question is: how to compile it without systemd?
My Linux does not work with the new systemd implementation.

Compiler warning, target.C

target.C: In function 'void target::from_json(const json&, target::spec&)':
target.C:58:13: warning: unused variable 'mask' [-Wunused-variable]
         int mask;
             ^~~~

SEGV in cyberprobe::event::protobufify

Crash when processing maccdc2012_00000.pcap to protobuf.

Thread 2 "cybermon" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6a54700 (LWP 3443)]
cyberprobe::event::protobufify (pe=<optimized out>, ke=...)
    at event/event_protobuf.C:848
848	            dhanon->set_prime(ke.dhanon->p.data(), ke.dhanon->p.size());
Missing separate debuginfos, use: dnf debuginfo-install boost-program-options-1.69.0-18.fc32.x86_64 c-ares-1.15.0-5.fc32.x86_64 gperftools-libs-2.7-7.fc32.x86_64 libgcc-10.1.1-1.fc32.x86_64 libpcap-1.9.1-3.fc32.x86_64 libstdc++-10.1.1-1.fc32.x86_64 libunwind-1.3.1-5.fc32.x86_64 lua-libs-5.3.5-7.fc32.x86_64 lua-socket-3.0-0.22.rc1.fc32.x86_64 ncurses-libs-6.1-15.20191109.fc32.x86_64 openssl-libs-1.1.1g-1.fc32.x86_64 readline-8.0-4.fc32.x86_64 zlib-1.2.11-21.fc32.x86_64

Stack trace...

#0  cyberprobe::event::protobufify (pe=<optimized out>, ke=...)
    at event/event_protobuf.C:848
#1  cyberprobe::event::protobufify (e=..., pe=...)
    at event/event_protobuf.C:867
#2  0x00007ffff7e54751 in cyberprobe::event::event::to_protobuf(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ()
    at event/event.C:999
#3  0x00007ffff7e547fd in cyberprobe::event::event::lua_protobuf(lua_State*) ()
    at /usr/include/c++/10/bits/shared_ptr_base.h:1324
#4  0x00007ffff7b7721f in luaD_precall () from /lib64/liblua-5.3.so
#5  0x00007ffff7b8e34d in luaV_execute () from /lib64/liblua-5.3.so
#6  0x00007ffff7b775e8 in luaD_callnoyield () from /lib64/liblua-5.3.so
#7  0x00007ffff7b76937 in luaD_rawrunprotected () from /lib64/liblua-5.3.so
#8  0x00007ffff7b7798f in luaD_pcall () from /lib64/liblua-5.3.so
#9  0x00007ffff7b6d5ce in lua_pcallk () from /lib64/liblua-5.3.so
#10 0x00007ffff7e0e15c in cyberprobe::analyser::lua_state::call (res=0, 
    args=1, this=0x7fffffffb040) at ../include/cyberprobe/analyser/lua.h:293

Problem compiling ARM on Pi

cybermon-lua.C:242:14: error: call of overloaded 'push(int64_t&)' is ambiguous
     push(posn);
              ^
cybermon-lua.C:242:14: note: candidates are:
In file included from cybermon-lua.C:4:0:
../include/cybermon/cybermon-lua.h:199:7: note: void cybermon::lua_state::push(double)
  void push(double num) { 
       ^
../include/cybermon/cybermon-lua.h:194:7: note: void cybermon::lua_state::push(long unsigned int)
  void push(unsigned long num) { 
       ^
../include/cybermon/cybermon-lua.h:189:7: note: void cybermon::lua_state::push(unsigned int)
  void push(unsigned int num) { 
       ^
../include/cybermon/cybermon-lua.h:184:7: note: void cybermon::lua_state::push(long int)
  void push(long num) { 
       ^
../include/cybermon/cybermon-lua.h:179:7: note: void cybermon::lua_state::push(int)
  void push(int num) { 
       ^
../include/cybermon/cybermon-lua.h:170:7: note: void cybermon::lua_state::push(const string&) <near match>
  void push(const std::string& s) { 
       ^
../include/cybermon/cybermon-lua.h:170:7: note:   no known conversion for argument 1 from 'int64_t {aka long long int}' to 'const string& {aka const std::basic_string<char>&}'
Makefile:719: recipe for target 'cybermon-lua.lo' failed
make[2]: *** [cybermon-lua.lo] Error 1
make[2]: Leaving directory '/home/pi/dev/cyberprobe/src'
Makefile:488: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/pi/dev/cyberprobe'
Makefile:394: recipe for target 'all' failed
make: *** [all] Error 2

Compiler warning

snort_alert.C: In member function 'virtual void snort_alert::snort_alerter::run()':
snort_alert.C:177:28: warning: 'src' may be used uninitialized in this function [-Wmaybe-uninitialized]
      << ", targeting " << *src
                            ^~~

cyberprobe configuration file

<!-- filter element is optional.  Can be used to make sure you don't
     sniff the outbound streams. -->
<interface name="eth0" filter="not port 10001 and not port 10002"/>

<-- The delay attribute can be used to specify a delay before
       packets are processed.  In seconds. --> 
<interface name="eth1" delay="0.5"/>

I find that there is an error when adding this part to the XML file; the others are working.

cybermon-bigquery

File "/usr/local/bin/cybermon-bigquery", line 78, in
scopes=scopes)
File "/usr/local/lib/python2.7/dist-packages/oauth2client/service_account.py", line 219, in from_json_keyfile_name
with open(filename, 'r') as file_obj:
IOError: [Errno 2] No such file or directory: '/etc/cyberprobe/private.json'

socket binding

etsi-rcvr 10000 | tcpdump -n -r -
reading from file -, link-type RAW (Raw IP)
Exception: Socket bind failed.

How can I solve it, and what do -n and -r refer to?

The configuration file is c.xml.

cyberprobe docker

Hi, can you please give a highlight on how to use cyberprobe with Docker. Thank you.

TLS compilation warning

TLS warning:

tls.C: In static member function 'static const cybermon::tls::header* cybermon::tls::verifyHeader(const cybermon::pdu_slice&)':
tls.C:197:41: warning: comparison of integer expressions of different signedness: '__gnu_cxx::__normal_iterator<const unsigned char*, std::vector<unsigned char> >::difference_type' {aka 'long int'} and 'long unsigned int' [-Wsign-compare]
  197 |     if ((pduSlice.end - pduSlice.start) < sizeof(header))
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~

cybermon.C compilation warning

cybermon.C: In constructor 'interface_input::interface_input(const string&, cyberprobe::analyser::engine&, const string&)':
cybermon.C:139:54: warning: base 'cyberprobe::pcap::interface' will be initialized after [-Wreorder]
  139 |         interface(*this, iface), pcap_input(e, device)
      |                                                      ^
cybermon.C:139:54: warning:   base 'pcap_input' [-Wreorder]
cybermon.C:137:5: warning:   when initialized here [-Wreorder]
  137 |     interface_input(const std::string& iface, engine& e,
      |     ^~~~~~~~~~~~~~~
cybermon.C: In constructor 'file_input::file_input(const string&, cyberprobe::analyser::engine&, const string&)':
cybermon.C:168:50: warning: base 'cyberprobe::pcap::reader' will be initialized after [-Wreorder]
  168 |         reader(*this, file), pcap_input(e, device)
      |                                                  ^
cybermon.C:168:50: warning:   base 'pcap_input' [-Wreorder]
cybermon.C:166:5: warning:   when initialized here [-Wreorder]
  166 |     file_input(const std::string& file, engine& e,
      |     ^~~~~~~~~~
