SF-TAP Tutorial Flow Abstractor ver.

Transcript

1. SF-TAP Tutorial Flow Abstractor ver. National Institute of Information and

   Communications Technology Yuuki Takano

2. 8IBU
   'MPX
   "CTUSBDUPS
   %P 2 /8
   *' )551
   *' 5-4
   *' 'MPX
   "CTUSBDUPS 'MPX $MBTTJpFS 5-4
   "OBMZ[FS )551
   "OBMZ[FS

   )551
   1SPYZ 5$1
   BOE
   6%1
   )BOEMFS pMUFS
   BOE DMBTTJpFS SVMF -
   -PPQCBDL
   *' %# 'PSFOTJD *%4*14 FUD "QQMJDBUJPO 1SPUPDPM
   "OBMZ[FS FUD 5$1
   %FGBVMU
   *' 6%1
   %FGBVMU
   *' "OBMZ[FS
   1MBOF "CTUSBDUPS
   1MBOF 'MPX *EFOUJpFS 4'5"1
   $FMM *1
   1BDLFU %FGSBHNFOUFS 'MPX
   $MBTTJGJDBUJPO 5$1
   3FBTTFNCMF *1
   %FGSBHNFOUBUJPO :PV
   DBO
   FBTJMZ
   EFWFMPQ
   BQQMJDBUJPO
   MFWFM
   BOBMZ[FST

3. 0QFSBUJOH
   4ZTUFNT
   PO
   XIJDI
   'MPX
   "CTUSBDUPS
   DBO
   3VO -JOVY
   #4%
   .BD04
   9 3

4. 3FRVJSFE
   -JCSBSJFT %FQFOEFODJFT
   #PPTU
   $
   -JCSBSZ
   MJCQDBQ
   MJCFWFOU
   
   PS
   MBUFS
   3&
   ZBNMDQQ
   

   0UIFS
   5PPMT
   DNBLF
   HJU
   $ 
   $PNQJMFS
   HDD
   PS
   DMBOH 4

5. *OTUBMM
   3FRVJSFE
   -JCSBSJFT
   "TTVNJOH
   6CVOUV
    5 $ sudo apt-get install build-essential cmake \

   git libevent-dev libboost-all-dev libpcap-dev \ libre2-dev libyaml-cpp-dev

6. %PXOMPBE
   4PVSDF
   $PEF
   BOE
   $PNQJMF
   *U 6 $ git clone https://github.com/SF-TAP/flow- abstractor.git $ cd

   flow-abstractor $ cmake -DCMAKE_BUILD_TYPE=Release CMakeLists.txt $ make

7. $POGJHVSBUJPO
   'JMF
   DPOU 7 # global configuration global: home: /tmp/sf-tap #

   directory, on which UNIX domain files are placed timeout: 600 # close long-lived (over 600[s]) but do-nothing connections lru: yes # bring the least recently used pattern to front of list cache: yes # use cache for regex # loopback interface for injecting L7 traffic to the flow abstractor loopback7: if: loopback7 format: text tcp_default: if: default # for every flow that wasn't matched by any rules proto: TCP format: text body: yes udp_default: if: default # for every flow that wasn't matched by any rules proto: UDP format: text body: yes

8. $POGJHVSBUJPO
   'JMF 8 http: up: '^[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+)' down: '^HTTP/1\.[01]

   [1-9][0-9]{2} .+\r?\n' proto: TCP # TCP or UDP if: http # file name of UNIX domain socket format: text # text or binary body: yes # if specified 'no', only header is output nice: 100 # the smaller a value is, the higher a priority is # balance = 2 # flows are balanced by 2 interfaces dns_udp: proto: UDP if: dns port: 53 # port number format: text nice: 200

9. 3VO
   'MPX
   "CTUSBDUPS 9 $ sudo ./src/sftap_fabs -i en1 -c ./examples/fabs.yaml SVO
   UIF
   GPX
   BCTUSBDUPS

   $ ls -R /tmp/sf-tap loopback7= tcp/ udp/ /tmp/sf-tap/tcp: default= http= smtp= torrent_tracker= dns= http_proxy= ssh= websocket= ftp= irc= ssl= /tmp/sf-tap/udp: default= dns= torrent_dht= DPOGJSN
   UIBU
   GMPX
   BCTUSBDUJPO
   JOUFSGBDFT
   XFSF
   DSFBUFE

10. 4OJGG
    )551
    'MPXT 10 $ sudo nc -U /tmp/sf-tap/tcp/http $ curl http://www.google.com/

    SFBE
    UIF
    BCTUSBDUJPO
    JOUFSGBDF
    PG
    )551 BDDFTT
    TPNF
    XFC
    TJUFT

11. 1SPUPDPM
    'PSNBU
    PG
    'MPX
    "CTUSBDUJPO
    *OUFSGBDFT 11 $ sudo nc -U /tmp/sf-tap/tcp/http ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=CREATED

    ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=2,match=down,len=494 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: http://www.google.co.jp/?gfe_rd=cr&ei=oVcLVvL7JsHD8AfZnYHQAQ (omitted) ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=1,match=up,len=78 GET / HTTP/1.1 Host: www.google.com User-Agent: curl/7.43.0 Accept: */* ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DESTROYED IFBEFS IFBEFS EBUB IFBEFS EBUB IFBEFS

12. )FBEFS
    'PSNBU $47
    MJLF
    LFZWBMVF
    QBJST
    $POTJTUJOH
    PG
    POF
    MJOF
    FOEFE
    XJUI
    aO 12 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0, l3=ipv4,l4=tcp,event=CREATED { “ip1”: “192.168.24.54”,

    “ip2”: “216.58.221.196”, “port1”: 59547, “port2”: 80, “hop”: 0, “l3”: “ipv4”, “l4”: “tcp”, “event”: “CREATED” } FRVJWBMFOUT
    GPS

13. -JGF
    $ZDMF
    PG
    B
    'MPX 13 $3&"5&% %&4530:&% %"5" 8IFO
    5$1
    DPOOFDUJPO
    JT
    FTUBCMJTIFE
    QFSGPSNFE
    XBZ
    IBOETIBLF
    $3&"5&%
    FWFOU
    JT
    JOWPLFE 8IFO
    5$1
    DPOOFDUJPO
    JT
    EFTUSPZFE
    

    SFDFJWFE
    '*/345
    PS
    UJNFPVU
    %&4530:&%
    FWFOU
    JT
    JOWPLFE 8IFO
    BSSJWJOH
    EBUB
    %"5"
    FWFOU
    JT
    JOWPLFE

14. 1SPUPDPMT
    PG
    6%1 6%1
    JT
    OPU
    DPOOFDUJPO
    PSJFOUFE
    5IFSFGPSF
    POMZ
    %"5"
    FWFOU
    JT
    JOWPLFE 14

15. 'MPX
    *EFOUJGJDBUJPO &BDI
    GMPX
    JT
    JEFOUJGJFE
    CZ
    *1
    BEESFTTFT
    1PSU
    OVNCFST
    BOE
    IPQ
    DPVOU
    'MPXT
    BSF
    *EFOUJGJFE
    CZ
    UVQMF
    PG

    JQ
    QPSU
    JQ
    QPSU

    
    IPQ
    )PQ
    GJMFE
    JOEJDBUFT
    UIBU
    IPX
    NBOZ
    UJNFT
    UIF
    GMPX
    JT
    SFJOKFDUFE
    UP
    UIF
    -
    MPPQCBDL
    JOUFSGBDF 15 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80, hop=0,l3=ipv4,l4=tcp,event=CREATED

16. 0SJHJO
    PG
    %"5" 5$1
    JT
    DPOOFDUJPO
    PSJFOUFE
    5IFSFGPSF
    EBUB
    JT
    DPNJOH
    GSPN
    
    PSJHJOT 16 JQ
    QPSU JQ
    QPSU EBUB
    GSPN
    IPTU

    EBUB
    GSPN
    IPTU IPTU IPTU ip1=192.168.24.54,ip2=216.58.221.196,po rt1=59547,port2=80,hop=0,l3=ipv4,l4=tcp ,event=DATA,from=2,match=down,len=494 GSPN
    GJFME
    JOEJDBUFT
    UIF
    PSJHJO
    PG
    EBUB

17. -FOHUI
    PG
    %"5" -FO
    GJMFE
    JOEJDBUFT
    UIF
    MFOHUI
    PG
    EBUB 17 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0, l3=ipv4,l4=tcp,event=DATA,from=2,match=down,len=494 IFBEFS
    FWFOU%"5" MFO EBUB
    
    CZUFT

18. 6QTUSFBN
    BOE
    %PXOTUSFBN .BUDI
    GJMFE
    JOEJDBUFT
    UIBU
    XIJDI
    QBUUFSO
    JT
    VTFE
    GPS
    NBUDIJOH 18 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=2,match=down,len=494 http: up: '^[-a-zA-Z]+ .+

    HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+)' down: '^HTTP/1\.[01] [1-9][0-9]{2} .+\r?\n' proto: TCP # TCP or UDP if: http # file name of UNIX domain socket format: text # text or binary body: yes # if specified 'no', only header is output nice: 100 # the smaller a value is, the higher a priority is # balance = 2 # flows are balanced by 2 interfaces $POGJHVSBUJPO .BUDIFE
    XJUI
    UIF
    QBUUFSO
    PG
    EPXOTUSFBN .BUDIFE
    XJUI
    UIF
    QBUUFSO
    PG
    VQTUSFBN ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=1,match=up,len=78

19. 8SJUF
    :PVS
    0XO
    "OBMZ[FST
    4LFMUPO
    JO
    1TFVEP
    $PEF 19 // connect to socket s = socket();

    connect(s, “/tmp/sf-tap/tcp/http”); for (;;) { // read header readline(s, line); h = parse_header(line); // generate session ID sid = new sessionID(h[“ip1”], h[“ip2”], h[“port1”], h[“port2”], h[“hop”]); if (h[“event”] == “DATA”) { read(s, buf, h[“len”]); } }

20. 4LFMUPO
    JO
    1ZUIPO 20 IUUQTHJTUHJUIVCDPNZUBLBOPGDCEGDDD

21. &YBNQMFT
    1SPUPDPM
    1BSTFST 21 $ git clone https://github.com/SF-TAP/protocol- parser.git $ cd

    protocol-parser/http $ sudo python3 sftap_http.py NPSF
    JOGPSNBUJPO
    JT
    BWBJMBCMF
    PO
    IUUQTHJUIVCDPN4'5"1EPDVNFOUTCMPCNBTUFS UVUPSJBM@GBCT@VCVOUVNE