+(*-> | | <-*)
+())| | Mauerspecht | |(()
+ \"| | thcepsreuaM | |"/
The Problem: Network sensors such as Suricata or Bro/Zeek have been successfully deployed in a large network, but the rate of alarms or other useful information is suspiciously low -- not even the usual background noise can be seen. Can we be sure that our sensors are fed all the relevant traffic?
An attempt at a solution: Let's generate some network traffic and see if we can transmit some magic strings to and from the outside world beyond our walled garden network -- and if we are able to detect those using our sensors.
From a user perspective:
- Generate a server configuration file that defines TCP ports and magic strings to exchange (see below for an example). Configure matching alerting rules in the network sensors.
- Start the server on a publicly accessible host.
- Start clients with the -server parameter pointing to one of the HTTP ports served by the server.
- Analyze logs generated by the server and the network sensors.
The server writes its log output to standard error.
What happens behind the scenes:
- On startup, both server and client generate private/public NaCl key pairs.
- The client posts its public key to the server and receives the server's public key.
- The client requests the server's configuration. The configuration is signed and encrypted so that tampering by middleboxes is detected.
- The client runs a few experiments, expecting every configured magic string to be transmitted intact via a special header, a Cookie or Set-Cookie header, and the message body.
- The client posts its findings to the server.
Example server configuration file (mauerspecht.json):
{
    "hostname": "mauerspecht.example.com",
    "http-ports": [8080, 18080],
    "magic-strings": [
        "unique-match-string-18475910",
        "START_KEYLOGGER",
        "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    ]
}
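The "experiments" step above, reduced to its core, as an added example (not Mauerspecht's own code): the server half echoes every configured magic string on the three channels the text names, and the client half reports per string and per channel whether it arrived unmodified. The header name X-Mauerspecht and the cookie name "magic" are assumptions of this example; a false entry is the signal a practitioner wants, since a sensor rule for that channel cannot fire if the string never makes it through.

```go
package main

import (
	"io"
	"net/http"
	"strings"
)

// ProbeHandler echoes the magic strings back on all three channels: a special
// header, a Set-Cookie header and the body (header/cookie names are assumed).
func ProbeHandler(magic []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, m := range magic {
			w.Header().Add("X-Mauerspecht", m)
			// net/http drops bytes that are invalid in a cookie value (e.g. the
			// backslash in the EICAR string), so that channel can report a loss.
			http.SetCookie(w, &http.Cookie{Name: "magic", Value: m})
		}
		io.WriteString(w, strings.Join(magic, "\n"))
	})
}
// Probe fetches url through c (which may carry a proxy) and reports, per magic
// string and channel, whether it arrived intact. A false entry means the path
// altered or dropped it, so a sensor rule for that channel would never fire.
func Probe(c *http.Client, url string, magic []string) (map[string]map[string]bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{} // "header:<value>" and "cookie:<value>"
	for _, v := range resp.Header["X-Mauerspecht"] {
		seen["header:"+v] = true
	}
	for _, ck := range resp.Cookies() {
		seen["cookie:"+ck.Value] = true
	}
	result := make(map[string]map[string]bool, len(magic))
	for _, m := range magic {
		result[m] = map[string]bool{
			"header":     seen["header:"+m],
			"set-cookie": seen["cookie:"+m],
			"body":       strings.Contains(string(body), m),
		}
	}
	return result, nil
}
```

Run against the three magic strings from the configuration above, the EICAR string survives the header and body channels but not the cookie channel, which is exactly the kind of per-channel gap this check is meant to surface before blaming the sensors.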
Client:
    -server string
        Server URL (default "http://localhost:8080")
    -proxy string
        Proxy URL
Server:
    -config string
        Config file (default "mauerspecht.json")
If a Go toolchain with modules support is available (version 1.11 or later), simply running make all from the Git checkout is sufficient.
For earlier Go versions, run go get github.com/DCSO/mauerspecht, change to the directory within the GOPATH where the project was downloaded, and run make all.
In both cases, the following binaries will be generated:
- mauerspecht-server: The server component, a Linux/x86-64 binary
- mauerspecht-client-$ARCH: The clients, for various architectures
Ideas and known limitations:
- HTTPS -- self-signed server certificates, possible use of client certificates
- Non-HTTP protocols (IRC?)
- The server stores session keys submitted by clients in memory and does not expire them yet. This is a denial-of-service vector.
- Bundled client configuration for easy single-binary deployment (see also: spyre)
Hilko Bengen <hilko.bengen@dcso.de>
Copyright 2019 Deutsche Cyber-Sicherheitsorganisation GmbH
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.