Blue Team Analysis Box is a tool for blue team security analysis.
BTAB (Blue Team Analysis Box) is a blue team analysis box focusing on attack signature analysis. It can assist security operations personnel in scenarios such as traffic packet analysis and Trojan horse analysis. It currently integrates traffic packet detection, SQL injection detection, webshell detection, bash command execution detection, deserialization decoding, and other tools.
English - 简体中文
- btab
- key contents
  - Development and compilation instructions
  - Plug-in module development instructions
  - Investigation and Analysis Function Description
- slides
The initial version implements the basic functions and the overall process, covering the following three types of functions:
- Threat warehouse: used to store lists of traffic packets, payload files, and webshell files;
- Risk detection: includes traffic packet detection, HTTP deep analysis, SQLi detection, XSS detection and other detection items;
- Auxiliary tools: includes jq, deserialization analysis, data encryption and decryption and other processing tools;
- Investigation and analysis capabilities: using jupyter-based capabilities, you can write python scripts for analysis;
- web server
- jupyter analysis
- Download
- Configuration
- Requires the tshark dependency; specify the tshark path in the config.yaml file, as follows:
pcapAnalyseConfig:
  # tsharkPath: tshark # unix environment
  tsharkPath: C:\Program Files\Wireshark\tshark.exe # win environment
- (Optional) Java environment: some functions require the system to have a Java environment.
- (Optional) Jupyter notebook dependencies:
pip install jupyterlab
pip install grpcio-tools
- Execute
Double-click the executable to run it. After startup, open http://localhost:8001 (local port 8001).
- Install dependencies
cd frontend
yarn install
- Run
yarn dev
- Packaging
yarn build
- Embed the front-end into the back-end
Copy the ./frontend/dist/ directory to ./backend/web/dist, and then run the following under ./backend/ to package the front-end into a go file:
go-bindata-assetfs -o web/bindata.go -pkg web web/dist/...
- Install modules
cd ./backend
go mod tidy
go mod vendor
- Packaging
cd ./backend
go mod tidy
go mod vendor
go build
Plug-in modules are implemented against a standard interface, which gives a unified plug-in module specification and makes it convenient to add new modules in the future. There are currently three modules: jq, pcap, and SerializationDumper. Whenever a new scenario comes up, a module for it can be added.
In addition, these plug-ins can be called by the engine and used as analysis tools in the investigation and analysis process; in theory, the capabilities can be expanded without limit.
For detailed code, see plugin
type Plugin interface {
Init() // Initialization
Set(key string, value interface{}) // Set the variables required by the plug-in
Check() error // Check the value of the set variable
Exec() error // Execute this plug-in
GetState() int // Get the plug-in task progress
GetFinalStatus() int // Get the final result
GetResult() string // Get the output result
}
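The following is an added example, not code from the BTAB project: a hypothetical decoding plug-in (Base64Plugin) that implements the interface above, plus an engine-side driver (RunPlugin) showing the lifecycle the interface implies. The state/status code values are assumptions, since the page does not show the project's real ones; note how Check() rejects a missing or non-string variable before Exec() ever runs.

```go
package main

import ("encoding/base64"; "fmt")

type Plugin interface { // the README's interface, reproduced unchanged
	Init()
	Set(key string, value interface{})
	Check() error
	Exec() error
	GetState() int
	GetFinalStatus() int
	GetResult() string
}

const StateIdle, StateRunning, StateDone = 0, 1, 2 // hypothetical codes; the real values are not on the page
const StatusUnknown, StatusOK, StatusFailed = 0, 1, 2

type Base64Plugin struct { // hypothetical "auxiliary tools" decoder: base64-decodes the "input" variable
	vars          map[string]interface{}
	state, status int
	result        string
}

func (p *Base64Plugin) Init() { p.vars, p.state, p.status = map[string]interface{}{}, StateIdle, StatusUnknown }
func (p *Base64Plugin) Set(key string, value interface{}) { p.vars[key] = value }
func (p *Base64Plugin) Check() error { // fail early if "input" is missing or not a string
	if _, ok := p.vars["input"].(string); ok {
		return nil
	}
	return fmt.Errorf("base64 plugin: string variable %q is required", "input")
}
func (p *Base64Plugin) Exec() error {
	raw, err := base64.StdEncoding.DecodeString(p.vars["input"].(string))
	p.state, p.status, p.result = StateDone, StatusFailed, ""
	if err == nil {
		p.status, p.result = StatusOK, string(raw)
	}
	return err
}
func (p *Base64Plugin) GetState() int       { return p.state }
func (p *Base64Plugin) GetFinalStatus() int { return p.status }
func (p *Base64Plugin) GetResult() string   { return p.result }

func RunPlugin(p Plugin, vars map[string]interface{}) (string, error) { // engine-side lifecycle driver
	p.Init()
	for k, v := range vars {
		p.Set(k, v)
	}
	if err := p.Check(); err != nil {
		return "", err
	}
	if err := p.Exec(); err != nil || p.GetFinalStatus() != StatusOK {
		return "", fmt.Errorf("plugin failed (final status %d): %v", p.GetFinalStatus(), err)
	}
	return p.GetResult(), nil
}
```

A serial engine as described on the page would call RunPlugin once per module, feeding one module's GetResult() into the next module's Set().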
| Modules | Technology | Remarks |
|---|---|---|
| Front-end framework | vue | |
| Front-end UI framework | naive ui | |
| Backend language | golang | |
| Backend web framework | gin | |
| Traffic packet detection logic | python | grpc / jupyter |
| Java class detection engine | java | embedded into the binary using go embed |
What is the background of the development of this tool?
Since the author entered the security industry, he has focused on the field of traffic security analysis and is also interested in software research and development. On the one hand, this project is meant to share everyday research results and promote exchange and learning. On the other hand, there is too little communication among blue teams in China; there are now more red teams. I hope this can be used to form a blue team communication group.
Will this tool be open source?
At best, it can only be partially open-sourced. Because of the commercial issues involved, some core detection items within the company cannot conveniently be open-sourced, but some non-sensitive functional modules can be open-sourced as separate projects for learning and reference.
You can join the group chat, or add Ali0th as a friend to be invited into the group chat.
The first version implemented the general framework, but because it aimed to have no external dependencies, overall packaging was difficult, the binary was large, and the expansion capability was insufficient. The second version needs to be optimized: analysis capability is increased through DSL syntax and python jupyter, and expansion capability is achieved through grpc.
- Plug-in module
- General joint debugging engine to achieve multi-module serial processing
- DSL syntax query function
- Jupyter traffic packet analysis function
- grpc implementation
- Basic framework implementation