一、基础环境配置
- 安全捕获环境搭建
# 创建隔离环境并抓包
sudo ip link set eth0 promisc on
sudo tcpdump -i eth0 -s 0 -w /mnt/isolated/evidence.pcap- 高危协议快速过滤
tcp.port in {135,139,445,3389} || udp.port in {53,123,161,500,4500}- 关键字段标记技巧
- 右键IP →
Apply as Column - 设置TTL异常值染色规则:
TTL<64 or TTL>128
二、攻击行为检测
- 扫描行为识别
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024- 暴力破解特征捕获
tcp.port==22 and (tcp.flags.reset==1 or tcp.analysis.retransmission)- DNS隐蔽隧道检测
dns and frame.len > 256 && !contains(dns.qry.name, ".google.")- WebShell通信特征
http.content_type=="application/octet-stream"
&& http.request.method=="POST"
&& frame.len>1024三、数据泄露监控
- 信用卡外泄检测
frame matches "\\b[3456]\\d{3}[ -]?\\d{4}[ -]?\\d{4}[ -]?\\d{4}\\b"- 数据库拖库行为
mysql.query contains "SELECT" && frame.len>1500 && tcp.srcport==3306四、高级威胁狩猎
- Cobalt Strike心跳包检测
tcp.payload matches "\\x00\\x00\\x00..\\xff\\xff\\xff"
&& tcp.len between 20 and 50- 域渗透横向移动
smb || kerberos && (ip.src==<域控IP> or ip.dst==<域控IP>)五、加密流量分析
- 恶意TLS指纹识别
tls.handshake.ja3 contains "6734f37431670b3ab4292b8f60f29984"- 异常证书检测
tls.handshake.certificate &&
(x509sat.uTF8String=="Phishing Ltd" ||
x509ce.dNSName=="freevpn.malicious.ru")六、实战应急响应
- 攻击时间轴重建
tshark -r attack.pcap -T fields -e frame.time -e ip.src -e ip.dst -e tcp.port > timeline.csv- 恶意文件提取
tshark -r infection.pcap --export-object http,./malware**七、金融攻防实战案例
域前置攻击检测实录
攻击者使用CDN伪装C2通信:
HTTP/2 200 OK
:authority: legit-cdn.com
x-amz-cf-pop: SIN2-C1 # 新加坡节点致命破绽:TLS证书暴露真实域名
x509ce.dNSName: c2-malicious.tk通过0.5秒协议解析差异,成功阻断千万级资金损失
八、法律合规要点
- 取证规范:
editcap保留原始时间戳 - 哈希校验:
sha256sum evidence.pcap > chain_of_custody.txt - 隐私过滤:
tcprewrite --infile=raw.pcap --outfile=anon.pcap \
--dstipmap=192.168.1.0/24:10.0.0.0/24附:分析师必备过滤库
# 内网横向移动
smb || ldap || winrm || wmi
# 加密挖矿特征
tcp contains "stratum+tcp" || http contains "xmr"
# 钓鱼页面识别
http contains "login" && http contains "password"
&& !(http.host contains "corp")