1. Wireshark/tcpdump: packet capture example

tcpdump command that captures traffic on a given port and saves it to a file:

sudo tcpdump -i eth0 port 80 -w capture_http.pcap
  • -i eth0 selects the network interface
  • port 80 filters for HTTP traffic
  • -w writes the capture to a file (open it later in Wireshark)

2. Volatility: memory forensics example

Assuming you already have a memory image memory.img, list the Windows processes it contains:

volatility -f memory.img --profile=Win10x64_18362 pslist
  • --profile specifies the operating system version the image was taken from
  • pslist prints the process list

3. YARA: writing a simple rule to detect a malicious sample

Create the rule file malware_rule.yar:

rule ExampleMalware {
  strings:
    $a = "malicious_string"
    $b = {6A 40 68 00 30 00 00 6A 14 8D 91}
  condition:
    any of them
}

Scan a directory recursively with the rule:

yara -r malware_rule.yar /path/to/samples/

4. ELK Stack: Logstash log collection example configuration fragment

logstash.conf

input {
  file {
    path => "/var/log/auth.log"
    start_position => "beginning"   # read the existing file on first start, not only new lines
  }
}
filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:message}" }
    # without this, grok appends a second "message" value instead of replacing the raw line
    overwrite => ["message"]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "auth-%{+YYYY.MM.dd}"   # one index per day
  }
  stdout { codec => rubydebug }   # echo each parsed event to the console for debugging
}

5. Nmap: scan example

Scan all hosts in a subnet for open ports 80 and 443:

nmap -p 80,443 192.168.1.0/24

6. Python example: compute SHA256 hashes of files in bulk (for sample verification)

import os
import hashlib

def sha256sum(filename):
    """Return the hex SHA256 digest of a file, read in 8 KiB chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(filename, 'rb') as f:
        while chunk := f.read(8192):
            h.update(chunk)
    return h.hexdigest()

folder = "/path/to/samples"
for file in os.listdir(folder):
    path = os.path.join(folder, file)
    if os.path.isfile(path):   # skip subdirectories
        print(f"{file}: {sha256sum(path)}")

7. Simple shell script: watch a log file for suspicious failed-login counts

#!/bin/bash

LOGFILE="/var/log/auth.log"
PATTERN="Failed password"
THRESHOLD=5

# count matching lines; wc -l still prints 0 if grep finds nothing
count=$(grep "$PATTERN" "$LOGFILE" | wc -l)

# print a warning (in Chinese) when the count exceeds the threshold
if [ "$count" -gt "$THRESHOLD" ]; then
  echo "警告:登录失败次数超过阈值,当前失败次数:$count"
fi
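The shell script above reports one global total. The added example below (not part of the original page) parses auth.log lines with a regex equivalent of the grok pattern from section 4 and applies the same threshold per source address, which is what a practitioner actually wants to alert on. The sample log lines are constructed, not real data.

```python
import re
from collections import Counter

# Regex equivalent of the grok pattern in the Logstash config above:
# %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:message}
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>.*?): (?P<message>.*)$"
)
# sshd's rejection message; the "from <ip>" part lets us count per source
# instead of the single global total the shell script reports.
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
THRESHOLD = 5  # same threshold as the shell script

def parse_syslog_line(line):
    """Return the grok-style fields as a dict, or None if the line does not match."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else None

def count_failed_logins(lines):
    """Count 'Failed password' events per source IP, ignoring non-sshd lines."""
    per_ip = Counter()
    for line in lines:
        fields = parse_syslog_line(line)
        if not fields or fields["program"].split("[")[0] != "sshd":
            continue
        hit = FAILED_PW.search(fields["message"])
        if hit:
            per_ip[hit.group("ip")] += 1
    return per_ip

def sources_over_threshold(lines, threshold=THRESHOLD):
    """IPs whose failure count exceeds the threshold, most failures first."""
    return [ip for ip, n in count_failed_logins(lines).most_common() if n > threshold]

# Constructed sample auth.log lines (not real data): six failures from one
# address, one from another, one successful login and an unrelated cron entry.
SAMPLE_LOG = [
    f"Mar 10 08:01:{10 + 2 * i:02d} host1 sshd[{1201 + i}]: Failed password for root "
    f"from 203.0.113.5 port {51001 + i} ssh2" for i in range(6)
] + [
    "Mar 10 08:02:00 host1 sshd[1220]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Mar 10 08:02:05 host1 sshd[1222]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
    "Mar 10 08:05:01 host1 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for ip in sources_over_threshold(SAMPLE_LOG):
        print(f"WARNING: {ip} exceeded {THRESHOLD} failed logins")
```

To run it against a live file, replace SAMPLE_LOG with the lines of /var/log/auth.log; the regexes assume the traditional syslog layout rather than journald output.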