Skip to content
/ ecel Public
forked from ARL-UTEP-OC/ecel

The Evaluator-Centric and Extensible Logger was developed as the result of a collaborative research project between the US Army Research Laboratory and the University of Texas at El Paso.

License

Notifications You must be signed in to change notification settings

dreyes15/ecel

 
 

Repository files navigation

Evaluator-Centric and Extensible Logger (ECEL)

System Requirements

ECEL has been tested on:

  • Kali Linux 2016.2, both 32 and 64-bit
  • Ubuntu 16.04 LTS 64-bit*, but see caveat below

*ECEL must be run as root. In order for the task bar status icon to function properly, you must also be logged in as root.

Installation

To install ECEL, run ./install.sh. A internet connection is required for installation.

Execution

Run ./ecel_gui to execute ECEL. This will invoke the main GUI and a clickable status icon will appear in the task bar.

Plugins

The ECEL is written using a plugin architecture. There are two types of plugins, collectors and parsers. Collector plugins will collect timestamps and event data. These collector plugins use custom or existing external logging tools. Parser plugins read log data (that produced by the collectors) and then format the data into an alternate form. All plugins are managed (started, terminated, etc.) from the ECEL graphical interface.

The following are the plugins that come packaged with ECEL.

PyKeylogger

https://github.com/nanotube/pykeylogger

The collector plugin will execute pykeylogger to gather screenshots (on mouse clicks on based on a timer) and keystrokes. The parser plugin executes three tasks. The first will read keystroke data and then, based on a time threshold/delimiter, weave the data into keystroke units and produce a labeled JSON file. The second extracts mouse click screenshot paths and timestamps and stores them in a JSON file. Simiarly, the last task extracts timed screenshot paths and timestamps and stores them in a JSON file.

tshark, multi_inc_tshark, and multi_exc_tshark

https://www.wireshark.org/download.html

There are three collector plugins that leverage tshark. The first executes a single instance of tshark on a specified interface. The multi_inc_tshark will collect network data on all specified interfaces. Multi_exc_tshark will collect network data on all interfaces, except any specified. The parser plugin will extract various protocol fields from network packtes including source and destination MAC, IP, and port information as well as flags (TCP) and routes (RIP).

Snoopy

https://github.com/a2o/snoopy

The collector plugin will gather all system calls on the system by leveraging the snoopy tool. The plugin reads the auth.log file produced by snoopy and will periodically copy it into the ECEL raw data folder. The parser plugin will read the snoopy log and generate a set of timestamp/system call pairs formatted in a JSON file.

Manual Screenshot

http://www.autopy.org/documentation/api-reference/bitmap.html

The collector is a manual plugin that is executed by clickin on the context menu of the ECEL status icon. A dialog window will collect metadata and then take a screenshot using the autopy module. With the parser plugin, all of the stored metadata is then formatted and stored in a JSON file.

About

The Evaluator-Centric and Extensible Logger was developed as the result of a collaborative research project between the US Army Research Laboratory and the University of Texas at El Paso.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Makefile 37.1%
  • Shell 23.9%
  • Python 17.6%
  • C 10.2%
  • Java 9.5%
  • M4 1.5%
  • Other 0.2%