{"id":13530180,"url":"https://github.com/DCSO/mauerspecht","last_synced_at":"2025-04-01T17:32:08.286Z","repository":{"id":128725761,"uuid":"194120481","full_name":"DCSO/mauerspecht","owner":"DCSO","description":"Simple Probing Tool for Corporate Walled Garden Networks","archived":false,"fork":false,"pushed_at":"2025-03-14T10:40:17.000Z","size":31,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-14T11:30:45.584Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DCSO.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-27T15:30:31.000Z","updated_at":"2025-03-14T10:35:41.000Z","dependencies_parsed_at":"2025-03-14T11:26:22.722Z","dependency_job_id":"41306780-49bf-4df5-98af-cb51c70db48b","html_url":"https://github.com/DCSO/mauerspecht","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DCSO%2Fmauerspecht","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DCSO%2Fmauerspecht/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DCSO%2Fmauerspecht/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DCSO%2Fmauerspecht/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DCSO","download_url":"https://codeload.github.com/DCSO/mauerspecht/tar.gz/refs/h
eads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246680386,"owners_count":20816689,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T07:00:45.217Z","updated_at":"2025-04-01T17:32:08.278Z","avatar_url":"https://github.com/DCSO.png","language":"Go","funding_links":[],"categories":["Operations, Monitoring and Troubleshooting"],"sub_categories":[],"readme":"```\n+(*-\u003e |             | \u003c-*)\n+())| | Mauerspecht | |(()\n+ \\\"| | thcepsreuaM | |\"/\n```\n\n# Simple Probing Tool for Corporate Walled Garden Networks\n\nThe Problem: Network sensors such as\n[Suricata](https://suricata-ids.org/) or [Zeek](https://zeek.org/)\nhave been successfully deployed in a large network, but the rate of\nalarms or other useful information is suspiciously low -- not even the\nusual background noise can be seen. Can we be sure that our sensors\nare fed all the relevant traffic?\n\nAn attempt at a solution: Let's generate some network traffic and see\nif we can transmit some magic strings to and from the outside world\nbeyond our walled garden network -- and if we are able to detect those\nusing our sensors.\n\n## Operation\n\nFrom a user perspective:\n\n1. Generate a server configuration file that defines TCP ports and\n   magic strings to exchange (see below for an example). Configure\n   matching alerting rules in the network sensors.\n2. Start the server on a publicly accessible host.\n3. Start clients with the `-server` parameter pointing to one of the\n   HTTP ports served by the server.\n4. 
Analyze logs generated by the server and the network sensors.\n\nThe server writes its log output to standard error.\n\nWhat happens behind the scenes:\n\n1. On startup, both server and client generate private/public NaCl key\n   pairs.\n2. The client posts its public key to the server and receives the\n   server's public key.\n3. The client requests the server's configuration. The configuration\n   is signed/encrypted to circumvent tampering by middleboxes.\n4. The client runs a few experiments, expecting every configured magic\n   string to be correctly transmitted via a special header, a Cookie\n   or _Set-Cookie_ header, or the message body.\n5. The client posts its findings to the server.\n\n### Example server configuration file\n\n```\n{\n    \"hostname\": \"mauerspecht.example.com\",\n    \"http-ports\": [8080, 18080],\n    \"magic-strings\": [\n        \"unique-match-string-18475910\",\n        \"START_KEYLOGGER\",\n        \"X5O!P%@AP[4\\\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\"\n    ]\n}\n```\n\n### Command line parameters\n\nClient:\n```\n  -server string\n    \tServer URL (default \"http://localhost:8080\")\n  -proxy string\n    \tProxy URL\n```\nServer:\n```\n  -config string\n    \tConfig file (default \"mauerspecht.json\")\n```\n\n## Building\n\nFor recent Go versions, simply running `make all` from the Git checkout is\nsufficient.\n\nThe following binaries will be generated:\n- `mauerspecht-server`: The server component, a Linux/x86-64 binary\n- `mauerspecht-client-$ARCH`: The clients, for various architectures\n\n## Limitations, possible future features\n\n- HTTPS -- self-signed server certificates, possible use of client certificates\n- Non-HTTP protocols (IRC?)\n- The server stores session keys submitted by clients in memory and does\n  not expire them yet. 
This is a denial-of-service vector.\n- Bundled client configuration for easy single-binary deployment (see\n  also: [spyre](https://github.com/spyre-project/spyre))\n\n## Contact\n\nSascha Steinbiss \u003c\u003csascha.steinbiss@dcso.de\u003e\u003e\n\nOriginal Author: Hilko Bengen\n\n## Copyright\n\nCopyright 2019, 2024 Deutsche Cyber-Sicherheitsorganisation GmbH\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDCSO%2Fmauerspecht","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDCSO%2Fmauerspecht","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDCSO%2Fmauerspecht/lists"}