This build was created and tested using Ubuntu 16.04.
Protocol | Decode Payload | ElasticSearch Output | Kibana Visualization |
---|---|---|---|
ARP | ○ | × | × |
AYIYA | ○ | × | × |
BackDoor | ○ | × | × |
BitTorrent | ○ | × | × |
DCE RPC | ○ | ○ | × |
DHCP | ○ | ○ | ○ |
DNP3 | ○ | ○ | × |
DNS | ○ | ○ | ○ |
File | ○ | ○ | ○ |
Finger | ○ | × | × |
FTP | ○ | ○ | × |
Gnutella | ○ | × | × |
GSSAPI | ○ | × | × |
GTPv1 | ○ | × | × |
HTTP | ○ | ○ | ○ |
ICMP | ○ | ○ | ○ |
Ident | ○ | × | × |
IMAP | ○ | × | × |
IRC | ○ | ○ | ○ |
kerberos | ○ | ○ | × |
Login | ○ | × | × |
MIME | ○ | × | × |
Modbus | ○ | ○ | × |
MySQL | ○ | ○ | × |
NCP | ○ | × | × |
NetBios | ○ | ○ | ○ |
NTLM | ○ | ○ | ○ |
NTP | ○ | × | × |
OpenFlow | ○ | ○ | ○ |
POP3 | ○ | × | × |
RADIUS | ○ | ○ | × |
RDP | ○ | ○ | × |
RFB | ○ | ○ | × |
RPC | ○ | × | × |
SIP | ○ | ○ | ○ |
SMB | ○ | ○ | ○ |
SMTP | ○ | ○ | ○ |
SNMP | ○ | ○ | ○ |
SOCKS | ○ | ○ | ○ |
SSH | ○ | ○ | ○ |
SSL | ○ | ○ | ○ |
Syslog | ○ | ○ | × |
TCP | ○ | ○ | ○ |
Teredo | ○ | ○ | × |
UDP | ○ | ○ | ○ |
XMPP | ○ | × | × |
ZIP | ○ | × | × |
$ wget https://raw.githubusercontent.com/tatsu-i/rpot/master/INSTALL/install-ubuntu1604.sh
$ bash ./install-ubuntu1604.sh
$ cd /opt/rpot
$ ./scan-pcap.sh [pcap file path] [intel|standard|quick] [scan name]
$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap quick test-quickscan
$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap intel test-intelscan
$ cd /opt/rpot
$ git clone https://github.com/tatsu-i/virusshare_hash
$ python ./bin/keyword-hunter.py virusshare_hash/*.md5 /tmp/hunting.log malware
$ cd /opt/rpot
$ ./update.sh
$ cd /usr/local/share/clamav/
$ sudo vim sample.yar
rule Sample_Rule {
strings:
$string1 = "Test"
condition:
$string1
}
See how to build FAME FAME’s Documentation. and change logstash config
$ cd /opt/rpot/INSTALL
$ vim logstash-clamav-es.conf # modify API_KEY and Hostname
$ sudo cp logstash-clamav-es.conf /etc/logstash/conf.d/
$ sudo service logstash restart
Access Kibana url (http://localhost:5601
)
Click [Dashboard] -> [Open] -> [MAIN]