Merge pull request #108 from V1D1AN/devel

Convert tcpreplay to replay

00_create_instance.sh

@@ -81,11 +81,9 @@ then
     rsync -r ./ $WORKDIR
     sleep 5
     cd $WORKDIR
+	echo "INSTANCE=$name" >> env.sample
     sudo bash 01_deploy.sh
     cd ..
 else
     echo "directory/instance name found, deployment stopped"
-fi
-
-
-
+fi

01_deploy.sh

@@ -37,9 +37,9 @@ sed -i "s|n8n_account|$admin_account|g" .env
 sed -i "s|zircolite_account|$admin_account|g" .env
 echo
 while true; do
-    read -s -p "Password (Must be a password with at least 6 characters): " admin_password
+    read -s -p "Password (Must be a password with at least 6 characters):" admin_password
     echo
-    read -s -p "Password (again): " admin_password2
+    read -s -p "Password (again):" admin_password2
     echo
     [ "$admin_password" = "$admin_password2" ] && break
     echo "Please try again"
@@ -77,7 +77,7 @@ echo "##########################################"
 echo
 echo
 while true; do
-    read -r -p "Do you want use 1 node elasticsearch (Single) or 3 nodes elasticsearch (Multi) [S/M] ?" cluster
+    read -r -p "Do you want use 1 node elasticsearch (Single) or 3 nodes elasticsearch (Multi) [S/M]?" cluster
     case $cluster in
         [Ss]) cluster=SINGLE; break;;
         [Mm]) cluster=MULTI; break;;
@@ -110,15 +110,15 @@ then
 fi
 if 	 [ "$cluster" == SINGLE ];
 then
-		read -p "Enter the RAM in Go of node elasticsearch [2]: " master_node
+		read -p "Enter the RAM in Go of node elasticsearch [2]:" master_node
 		master_node=${master_node:-2}
 		sed -i "s|RAM_MASTER|$master_node|g" docker-compose.yml
 elif [ "$cluster" == MULTI ];
 then
-        read -p "Enter the RAM in Go of master node elasticsearch [2]: " master_node
+        read -p "Enter the RAM in Go of master node elasticsearch [2]:" master_node
 		master_node=${master_node:-2}
 		sed -i "s|RAM_MASTER|$master_node|g" docker-compose.yml
-		read -p "Enter the RAM in Go of data,ingest node elasticsearch [4]: " data_node
+		read -p "Enter the RAM in Go of data,ingest node elasticsearch [4]:" data_node
 		data_node=${data_node:-4}
 		sed -i "s|RAM_DATA|$data_node|g" docker-compose.yml
 fi
@@ -130,7 +130,7 @@ echo "########## CONFIGURING THEHIVE ###########"
 echo "##########################################"
 echo
 echo
-read -p "Enter the RAM in Go of TheHive [1]: " ram_thehive
+read -p "Enter the RAM in Go of TheHive [1]:" ram_thehive
 ram_thehive=${ram_thehive:-1}
 sed -i "s|RAM_THEHIVE|$ram_thehive|g" docker-compose.yml
 echo
@@ -140,7 +140,7 @@ echo "########### CONFIGURING CORTEX ###########"
 echo "##########################################"
 echo
 echo
-read -p "Enter the RAM in Go of Cortex [1]: " ram_cortex
+read -p "Enter the RAM in Go of Cortex [1]:" ram_cortex
 ram_cortex=${ram_cortex:-1}
 sed -i "s|RAM_CORTEX|$ram_cortex|g" docker-compose.yml
 echo
@@ -701,11 +701,21 @@ curl -XPUT -sk -u$admin_account:$admin_password -H 'Content-type: application/js
 echo
 echo
 echo "#########################################"
+echo "###### CONFIGURATION DE REPLAY ##########"
+echo "#########################################"
+echo
+echo
+chmod 755 replay/replay.sh
+instance=$(grep -oP 'INSTANCE=\K.*' .env)
+sed -i "s|instance_name|$instance|g" replay/replay.sh
+echo
+echo
+echo "#########################################"
 echo "####### STARTING OTHER DOCKER ###########"
 echo "#########################################"
 echo
 echo
-docker compose up -d fleet-server elastalert cyberchef zircolite zircolite-upload file-upload velociraptor-upload syslog-ng tcpreplay file4thehive heartbeat spiderfoot codimd watchtower
+docker compose up -d fleet-server elastalert cyberchef zircolite-upload file-upload velociraptor-upload syslog-ng replay file4thehive heartbeat spiderfoot codimd watchtower
 echo
 echo
 if [ "$cluster" == SINGLE ];

docker-compose-multi.yml

@@ -464,19 +464,26 @@ services:
         max-size: "10m"
         max-file: "3"
 
-  tcpreplay:
-    image: v1d1an/tcpreplay:2.0
-    container_name: tcpreplay
-    hostname: tcpreplay
+  replay:
+    image: v1d1an/replay:1.0
+    container_name: replay
+    hostname: replay
     restart: always
     logging:
       driver: "json-file"
       options:
         max-size: "10m"
         max-file: "3"
+    environment:
+      - ZIRCOLITE_USER=${ZIRCOLITE_USER}
+      - ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD}
     volumes:
+      - ./replay/replay.sh:/data/replay.sh
+      - zircolite:/evtx
       - upload:/pcap
       - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - s1em
 
   file-upload:
     image: v1d1an/file-upload:1.1
@@ -509,24 +516,6 @@ services:
     networks:
       - s1em
 
-  zircolite:
-    image: docker.io/wagga40/zircolite:latest
-    container_name: zircolite
-    hostname: zircolite
-    restart: always
-    user: root
-    tty: true
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "10m"
-        max-file: "3"
-    volumes:
-      - zircolite:/case
-    command:  "--ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog"
-    networks:
-      - s1em
-
   zircolite-upload:
     image: v1d1an/file-upload:1.1
     container_name: zircolite-upload

docker-compose-single.yml

@@ -385,19 +385,26 @@ services:
         max-size: "10m"
         max-file: "3"
 
-  tcpreplay:
-    image: v1d1an/tcpreplay:2.0
-    container_name: tcpreplay
-    hostname: tcpreplay
+  replay:
+    image: v1d1an/replay:1.0
+    container_name: replay
+    hostname: replay
     restart: always
     logging:
       driver: "json-file"
       options:
         max-size: "10m"
         max-file: "3"
+    environment:
+      - ZIRCOLITE_USER=${ZIRCOLITE_USER}
+      - ZIRCOLITE_PASSWORD=${ZIRCOLITE_PASSWORD}
     volumes:
+      - ./replay/replay.sh:/data/replay.sh
+      - zircolite:/evtx
       - upload:/pcap
       - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - s1em
 
   file-upload:
     image: v1d1an/file-upload:1.1
@@ -430,24 +437,6 @@ services:
     networks:
       - s1em
 
-  zircolite:
-    image: docker.io/wagga40/zircolite:latest
-    container_name: zircolite
-    hostname: zircolite
-    restart: always
-    user: root
-    tty: true
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "10m"
-        max-file: "3"
-    volumes:
-      - zircolite:/case
-    command:  "--ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog"
-    networks:
-      - s1em
-
   zircolite-upload:
     image: v1d1an/file-upload:1.1
     container_name: zircolite-upload

replay/replay.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+/usr/bin/inotifywait -m --format '%f' -e close_write /pcap/ /evtx/ | while read FILE
+do
+    if [[ "$FILE" == *".pcap" ]]; then
+        docker exec suricata sh -c "suricata --runmode=autofp -c /etc/suricata/suricata.yaml -l /var/log/suricata -r /pcap/$FILE";
+        docker exec zeek sh -c "zeek -C local -r /pcap/$FILE";
+        rm -fr /pcap/$FILE;
+    elif [[ "$FILE" == *".evtx" ]]; then
+        docker run --rm --name zircolite --network instance_name_s1em -v instance_name_zircolite:/case/ docker.io/wagga40/zircolite:latest --ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite-whatever' --eslogin "${ZIRCOLITE_USER}" --espass "${ZIRCOLITE_PASSWORD}" --forwardall --remove-events --nolog;
+    fi
+done;