
Blue team analysis box is a tool for blue team security analysis.


Martin2877/btab


btab


BTAB (Blue Team Analysis Box) is a blue team analysis toolbox focusing on attack signature analysis. It can assist security operations personnel in scenarios such as traffic packet analysis and Trojan horse analysis. Currently it integrates traffic packet detection, SQL injection detection, webshell detection, bash command execution detection, serialization decoding, and other tools.

English - 简体中文

Contents

  • Key contents
      - Development and compilation instructions
      - Plug-in module development instructions
      - Investigation and Analysis Function Description
  • Slides
      - btab蓝队分析工具箱-ali0th-v1.0.pdf

Function

The initial version mainly implements the basic functions and the overall process, covering the following four types of functionality:

  1. Threat warehouse: stores lists of traffic packets, payload files, and webshell files;
  2. Risk detection: includes traffic packet detection, HTTP deep analysis, SQLi detection, XSS detection, and other detection items;
  3. Auxiliary tools: includes jq, deserialization analysis, data encryption and decryption, and other processing tools;
  4. Investigation and analysis capabilities: using Jupyter-based capabilities, you can write Python scripts for analysis.

Screenshots of the functional interface

  • Web server (screenshots of the web interface)
  • Jupyter analysis (screenshot of the analysis notebook)

Get started

  • Download

Go to releases to download.

  • Configuration
  1. tshark is required; specify the tshark path in the config.yaml file, as follows:

    pcapAnalyseConfig:
      # tsharkPath: tshark # unix environment
      tsharkPath: C:\Program Files\Wireshark\tshark.exe # win environment

  2. (Optional) Java environment: some functions require the system to have a Java environment.

  3. (Optional) Install the Jupyter notebook related dependencies:

    pip install jupyterlab
    pip install grpcio-tools

  • Execute

Double-click to execute. After startup, visit local port 8001: http://localhost:8001

Development and compilation instructions

Front-end development

  • Install dependencies

    cd frontend
    yarn install

  • Run

    yarn dev

  • Packaging

    yarn build

  • Embed the front-end into the back-end

Copy the ./frontend/dist/ directory to ./backend/web/dist, then run the following under ./backend/ to package the front-end into a Go file:

    go-bindata-assetfs -o web/bindata.go -pkg web web/dist/...

Back-end development

  • Install modules

    cd ./backend
    go mod tidy
    go mod vendor

  • Packaging

    cd ./backend
    go mod tidy
    go mod vendor
    go build

Plug-in module development instructions

Plug-in modules implement a standard interface, which gives them a unified specification and makes it convenient to add new modules in the future. There are currently three modules: jq, pcap, and SerializationDumper. As new scenarios arise, further modules can be added.

In addition, these plug-ins can be called by the engine and used as analysis tools in the investigation and analysis process, so in theory the capabilities can be extended without limit.

For the detailed code, see the plugin directory.

Plug-in structure interface

    type Plugin interface {
       Init()                              // Initialization
       Set(key string, value interface{})  // Set the variables required by the plug-in
       Check() error                       // Check the values of the set variables
       Exec() error                        // Execute this plug-in
       GetState() int                      // Get the plug-in task progress
       GetFinalStatus() int                // Get the final result
       GetResult() string                  // Get the output result
    }
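As an added illustration of the plug-in lifecycle (Init → Set → Check → Exec → GetState/GetFinalStatus/GetResult), the following is example code written for this page, not code from the btab repository. It implements the Plugin interface above with a hypothetical Base64Decoder plug-in that decodes a base64 payload and reports which suspicious markers the decoded text contains, plus a small RunPlugin driver that calls the interface methods in order. The state and status constants, the "payload" variable name and the marker list are all assumptions made for the example; btab's real plug-ins may use different values.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Plugin is the interface from the README, repeated here so the file compiles alone.
type Plugin interface {
	Init()
	Set(key string, value interface{})
	Check() error
	Exec() error
	GetState() int
	GetFinalStatus() int
	GetResult() string
}

// Hypothetical progress and result codes (assumption; not btab's real constants).
const (
	StateIdle = iota
	StateRunning
	StateDone
)

const (
	StatusUnknown = iota
	StatusOK
	StatusFailed
)

// Base64Decoder is an illustrative plug-in: it base64-decodes the "payload"
// variable and flags substrings commonly looked for during webshell triage.
type Base64Decoder struct {
	vars   map[string]interface{}
	state  int
	status int
	result string
}

// Compile-time check that the example satisfies the interface.
var _ Plugin = (*Base64Decoder)(nil)

func (p *Base64Decoder) Init() {
	p.vars = map[string]interface{}{}
	p.state, p.status, p.result = StateIdle, StatusUnknown, ""
}

func (p *Base64Decoder) Set(key string, value interface{}) { p.vars[key] = value }

// Check validates the variables before anything runs, so Exec can assume them.
func (p *Base64Decoder) Check() error {
	v, ok := p.vars["payload"]
	if !ok {
		return errors.New("missing required variable: payload")
	}
	if _, ok := v.(string); !ok {
		return errors.New("payload must be a string")
	}
	return nil
}

func (p *Base64Decoder) Exec() error {
	p.state = StateRunning
	raw, err := base64.StdEncoding.DecodeString(p.vars["payload"].(string))
	if err != nil {
		p.state, p.status = StateDone, StatusFailed
		return fmt.Errorf("base64 decode: %w", err)
	}
	decoded := string(raw)
	markers := []string{"eval(", "base64_decode(", "system("} // assumed marker list
	var hits []string
	for _, m := range markers {
		if strings.Contains(decoded, m) {
			hits = append(hits, m)
		}
	}
	p.result = fmt.Sprintf("decoded=%q hits=%v", decoded, hits)
	p.state, p.status = StateDone, StatusOK
	return nil
}

func (p *Base64Decoder) GetState() int       { return p.state }
func (p *Base64Decoder) GetFinalStatus() int { return p.status }
func (p *Base64Decoder) GetResult() string   { return p.result }

// RunPlugin drives any Plugin through the lifecycle the interface implies.
func RunPlugin(p Plugin, vars map[string]interface{}) (string, error) {
	p.Init()
	for k, v := range vars {
		p.Set(k, v)
	}
	if err := p.Check(); err != nil {
		return "", err
	}
	if err := p.Exec(); err != nil {
		return "", err
	}
	return p.GetResult(), nil
}

// EncodeSample builds a base64 input for the demo (constructed sample data).
func EncodeSample(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }

func main() {
	sample := EncodeSample(`<?php eval($_POST["cmd"]); ?>`) // constructed sample, not a real capture
	res, err := RunPlugin(&Base64Decoder{}, map[string]interface{}{"payload": sample})
	fmt.Println(res, err)
}
```

The driver is the part worth copying: because Check runs before Exec, a plug-in never has to guard against missing variables inside its detection logic, and GetState/GetFinalStatus let an engine that chains several plug-ins distinguish "still running" from "finished with a decode failure".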

Technology stack

| Module                         | Technology      | Remarks                                    |
|--------------------------------|-----------------|--------------------------------------------|
| Front-end framework            | vue             |                                            |
| Front-end UI framework         | naive ui        |                                            |
| Back-end language              | golang          |                                            |
| Back-end web                   | gin             |                                            |
| Traffic packet detection logic | python          | grpc / jupyter                             |
| Java class detection engine    | java            | embedding implemented using go embed       |

Q&A

What is the background of the development of this tool?

Since the author entered the security industry, he has focused on the field of traffic security analysis and is also interested in software research and development. On the one hand, this project shares his usual research results and promotes exchange and learning. On the other hand, there is too little communication among blue teams in China; there are now more red teams. I hope this project can be used to form a blue team communication group.

Will this tool be open source?

At best, it can only be partially open-sourced. Because of the commercial issues involved, some core detection items within the company are not convenient to open source, but some non-sensitive functional modules can be open-sourced as separate projects for learning and reference.

Communication

You can join the group chat, or add Ali0th as a friend to be invited into the group chat.

Update log

v0.5.x

The first version implemented the general framework, but because it aimed to have no external dependencies, overall packaging was difficult, the binary was large, and extensibility was insufficient. The second version needed to be optimized: analysis capability is added through DSL syntax and Python Jupyter, and extensibility is achieved through gRPC.

  • Plug-in module
  • General joint debugging engine to achieve multi-module serial processing
  • DSL syntax query function
  • Jupyter traffic packet analysis function
  • grpc implementation

v0.3.x

  • Basic framework implementation

Stargazers over time
