GCR - Cybersecurity Operations Center Project
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
InstallerFiles File has been moved to openvas_commander repo Nov 8, 2017
SampleLogFiles Update GCRCowrieAlerts.py Jul 18, 2018
Utilities Create fwoff.sh Nov 30, 2017
amazon-deploy esxi.esxi_hostname = '<esxi server ip or hostname>' Mar 20, 2018
bastion Update iptablesSettings.md Feb 6, 2018
images Add files via upload Mar 16, 2018
openvas Commented out openvas-smb install attempt Nov 15, 2017
operations-documentation Update README.md Nov 28, 2017
syslog Create 00-GCRserverReciDionaea.conf Sep 29, 2017
DeploymentDiagnostics.py pause before window is closed Dec 14, 2017
GCRDiagnostics.desktop Create GCRDiagnostics.desktop Nov 21, 2017
GCRdionaeaAlerts from Required-Start: $dionaea to Required-Start: dionaea - boot order… Nov 13, 2017
GCRdionaeaBIStream Creating startup for GCRdionaeaBIStream.py Dec 5, 2017
LICENSE Initial commit Sep 6, 2017
README.md Update README.md Feb 25, 2018
awsiotinstall.sh Update awsiotinstall.sh Sep 23, 2017
cowrie Create cowrie Sep 20, 2017
cowrie.logrotate Update cowrie.logrotate Sep 20, 2017
cowrie.service Create cowrie.service Sep 20, 2017
cowrie.socket Create cowrie.socket Sep 20, 2017
cowrieinstall.sh Update cowrieinstall.sh Sep 22, 2017
cowrielogviewer.sh Update cowrielogviewer.sh Sep 22, 2017
dionaea changed Required-Start: to lightdm for bootorder Nov 13, 2017
dionaea-cloud Create dionaea-cloud Nov 29, 2017
dionaea-cloud.sh Update dionaea-cloud.sh Nov 30, 2017
dionaeafr Update dionaeafr Sep 19, 2017
dionaeainstall.sh #!/bin/bash Nov 20, 2017
dionaealogviewer.sh Update dionaealogviewer.sh Sep 25, 2017
dionaealogviewer2.sh Update dionaealogviewer2.sh Sep 25, 2017
firewall.sh added comments about chaning nic settings Dec 15, 2017
githubGCRheader.png Add files via upload Sep 22, 2017
honeypots.sh Accommodate for GCRdionaeaBIStream Dec 5, 2017
ossecinstall.sh Update ossecinstall.sh Sep 22, 2017
phishingfrenzyinstall.sh Create phishingfrenzyinstall.sh Sep 27, 2017
rpinstall.sh Shutdown device once a week Mar 12, 2018
vncsetup.sh Update vncsetup.sh Oct 21, 2017
watchdog.sh Update watchdog.sh Sep 26, 2017


Global Cybersecurity Resource

Carleton University - GCR Cybersecurity Operations Center Project


The GCR - CSOC (Cybersecurity Operations Center) initiative seeks to provide small to medium size enterprises with openly available cybersecurity resources to self-manage their own security or enable companies to offer cybersecurity services to others as part their business.

The development of this project is primarily divided into three focus areas: i) Developing open source software to compliment CSOC services ii) Developing CSOC operation guides and templates as a means to manage security iii) Creating CSOC "Pathway Training" material for online learning.

i) Open Source Software Development:
Open source software development activities for this project seeks to configure, integrate and enhance existing open source projects (such as Dionaea, Cowrie, OSSEC, OpenVAS and others) to report to a central alert collector (such as Apache Metron). The central alert collector will be used for alert aggregation and analytics. Development also includes the creation of "GCR Canary" honeypots. The honeypots are physically and virtually deployable. As the GCR Canary project evolves it will include the various sensors mentioned above. The GCR Canary honeypot can be used for intrusion detection in SME environments.

ii) CSOC Operation Guide Creation:
The creation of the GCR CSOC Playbook will include guidance and templates for managing cybersecurity in an organization.

iii) CSOC Pathway Training Material:
Online training resources seeks to improve the adoption of proper cybersecurity hygiene within an organization


This project is being rolled out over three phases. We are currently focused on Phase 1.


The following screenshots (from left to right) are of Apache Metron (used for central alert collection), a terminal output of a GCR Canary honeypot, and a screen capture of the GCR CSOC Playbook. Global Cybersecurity Resource - Collage of screenshots

The following screenshot shows a customized dashboard in Apache Metron that presents alert information from a GCR Canary honeypot. Metron Analytics UI - GCRDionaea

A GCR Canary honeypot was configured to send Dionaea type alerts to the Apache Metron central server. The Metron Management UI was used enter how the alert should be parsed. Metron Management UI - GCRDionaea

In the alert collection server Apache Nifi was used to channel Syslog alert information to a Kafka broker for further processing by Apache Metron. Nifi UI - GCRDionaea


GCR Canary

The installation procedure below was tested on Ubuntu Mate LTS 16.04 with Raspberry Pi 3.

  • UPDATE Oct, 2017: Simple alerts from Dionaea can be reported to a remote server using syslog(unencrypted). Alerts are GROK formatted and ingested by Apache Metron.
  • Project is currently under active development and testing.

To install all of the GCR Canary software, run the following script on Ubuntu Mate:

cd ~ && \
sudo apt-get -y install unzip && \
wget https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/archive/master.zip && \
unzip master.zip && \
cd csoc-installation-scripts-master/ && \
chmod +x *.sh 


Configuration settings (such as disabling the install of OpenVAS, OSSEC, ext..) is in honeypots.sh. Within honeypots.sh change the INSTALL_* parameters as needed. The following is an example of enabling Dionaea for install and disabling Cowrie for install.


After the updates have been made run honeypots.sh


Dionaea Service within GCR Canary: The following provides guidance on the GROK formatted output which is intended for use with Apache Metron: GCRDionaea GROK Format

The Dionaea logs and sqlite3 database is stored in /opt/dionaea/var/dionaea within GCR Canary.

If INSTALL_DIONAEALOGVIEWER was set to "yes", to view the Dionaea Logs visit

Cowrie Service within GCR Canary: If INSTALL_COWRIE and INSTALL_COWRIELOGVIEWER were set to "yes", to view the Cowrie Logs, visit

Alert Collection Server

This project uses Apache Metron to collect alerts from the distribution of GCR Canary honeypots. Below are links that can provide guidance to install Apache Metron.

Syslog configuration for GCR Canary alert ingest The following syslog configuration files will need to be installed on the server. (syslog config files)[https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForServer-notEnc]

Apache Metron Configuration for GCR Canary alert ingest To be provided - Instructions for ingesting GCR Canary alerts are under development. The screenshots above provide a preview of what alerts look like in Apache Metron.

How to test the software

To be provided - (Information on how to run automated tests on the software)

Known issues

See this repository's issue tracker.

GCR Canary Case

GCR is working with Made Mill at Bayview Yards. to create a custom designed case for the GCR Canary. The case is composed of PLA plastic and manufactured using 3D printing. More details are available in this repository.

Global Cybersecurity Resource - Canary Case

GCR CSOC Playbook

Operational documentation for use of the CSOC is provided here. The documentation includes: organization structure and roles, workflows and usecases, incident report templates, shift report templates.

Getting help

If you have questions, concerns, bug reports, etc, please file an issue in this repository's issue tracker.

Getting involved


Open source licensing info

Some components in GCR Canary are licensed under GPL LICENSE.

Apache Metron is licensed under Apache v2.0 LICENSE.

Related open source projects

Related cloud services

Credits and references