
tatsuiman/rpot2


Real-time Packet Observation Tool (RPOT)

This build was created and tested using Ubuntu 16.04.

[Image: architecture diagram]

Protocol coverage

Protocol | Decode Payload | ElasticSearch Output | Kibana Visualization
ARP × ×
AYIYA × ×
BackDoor × ×
BitTorrent × ×
DCE RPC ×
DHCP
DNP3 ×
DNS
File
Finger × ×
FTP ×
Gnutella × ×
GSSAPI × ×
GTPv1 × ×
HTTP
ICMP
Ident × ×
IMAP × ×
IRC
kerberos ×
Login × ×
MIME × ×
Modbus ×
MySQL ×
NCP × ×
NetBios
NTLM
NTP × ×
OpenFlow
POP3 × ×
RADIUS ×
RDP ×
RFB ×
RPC × ×
SIP
SMB
SMTP
SNMP
SOCKS
SSH
SSL
Syslog ×
TCP
Teredo ×
UDP
XMPP × ×
ZIP × ×

Startup

$ wget https://raw.githubusercontent.com/tatsu-i/rpot/master/INSTALL/install-ubuntu1604.sh
$ bash ./install-ubuntu1604.sh

Usage

$ cd /opt/rpot
$ ./scan-pcap.sh [pcap file path] [intel|standard|quick] [scan name]

Quick scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap quick test-quickscan

Intelligence scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap intel test-intelscan

Threat hunting

$ cd /opt/rpot
$ git clone https://github.com/tatsu-i/virusshare_hash
$ python ./bin/keyword-hunter.py virusshare_hash/*.md5 /tmp/hunting.log malware

Update Geoip and Intelligence

$ cd /opt/rpot
$ ./update.sh

Update hunting rule

$ cd /usr/local/share/clamav/
$ sudo vim sample.yar

rule Sample_Rule {
        strings:
            $string1 = "Test"

        condition:
            $string1
}
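A more realistic hunting rule, added here as an example and not part of the rpot project: it flags OLE2 documents that also carry VBA project markers and an auto-run procedure name, the kind of attachment seen in the Locky malspam capture used above. It assumes the file is dropped next to sample.yar so ClamAV loads it, and that the plain string and `of`/`at` constructs used here fall within the YARA subset ClamAV accepts; the strings are illustrative heuristics, not signatures from the project.

```yara
// Added example rule (not an rpot signature). Place it under
// /usr/local/share/clamav/ next to sample.yar so ClamAV picks it up.
// Only plain text/hex strings and "of"/"at" conditions are used so the rule
// stays inside ClamAV's YARA subset (no modules, regex or external variables).
// Caveat: VBA source is stored compressed (MS-OVBA), so the auto-run names are
// a heuristic hunt, not a reliable detector; expect some misses and triage hits.
rule Office_Doc_With_AutoRun_Macro
{
    meta:
        description = "OLE2 document containing a VBA project with an auto-run entry point"
        author      = "added example, not part of rpot"
        severity    = "medium"

    strings:
        // Compound File Binary (OLE2) header magic
        $hdr_ole = { D0 CF 11 E0 A1 B1 1A E1 }

        // Markers that only appear when a VBA project is embedded
        $vba1 = "_VBA_PROJECT" wide ascii
        $vba2 = "Attribute VB_Name" ascii

        // Procedure names Office executes automatically on open
        $auto1 = "AutoOpen" ascii wide nocase
        $auto2 = "Document_Open" ascii wide nocase
        $auto3 = "Workbook_Open" ascii wide nocase

    condition:
        $hdr_ole at 0
        and 1 of ($vba*)
        and 1 of ($auto*)
}
```

Hits appear in the ClamAV output that logstash ships to ElasticSearch, so they can be reviewed on the Kibana dashboard alongside the rest of the scan.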

FAME integration

See FAME's documentation for how to build FAME, then change the logstash config:

$ cd /opt/rpot/INSTALL
$ vim logstash-clamav-es.conf # modify API_KEY and Hostname
$ sudo cp logstash-clamav-es.conf /etc/logstash/conf.d/
$ sudo service logstash restart

Visualization

Open the Kibana URL (http://localhost:5601), then click [Dashboard] -> [Open] -> [MAIN].
