github.com/ilyaglow/badcapt

Detect malicious packets


Keywords
mirai, libpcap, elastic, zmap, masscan, gopacket
License
Apache-2.0
Install
go get github.com/ilyaglow/badcapt

Documentation

Build Status

About

Badcapt is a project inspired by Bad Packets' work and the Remote Identification of Port Scan Toolchains paper by Vincent Ghiette, Norbert Blenn, Christian Doerr.

It will try to detect malicious packets and export them to the Elastic storage or output to the stdout for your further processing.

Install

The app is built on top of gopacket package which provides C bindings for the libpcap, so you should have libpcap-dev package installed first.

go get github.com/ilyaglow/badcapt/cmd/badcapt

Also you can use the docker image (see below on how to use it):

docker build -t badcapt https://github.com/ilyaglow/badcapt.git

or

docker pull ilyaglow/badcapt

Usage

./badcapt -h
Usage of badcapt:
  -e string
    	Elasticsearch URL (optional)
  -i string
    	Interface name to listen

If no Elasticsearch URL provided, badcapt will simply output records to the screen.

To use the dockerized version you must run it with --net=host switch:

docker run -d --net=host ilyaglow/badcapt -i eth0

You can also take a look at the badsearch companion script for the Elasticsearch: it dumps all records in the database for the last 24 hours.