Real-time Packet Observation Tool

Real-time Packet Observation Tool (RPOT)

This build was created and tested using Ubuntu 16.04.

Architecture diagram (image)

Protocol coverage

Protocol Decode Payload ElasticSearch Output Kibana Visualization
ARP × ×
AYIYA × ×
BackDoor × ×
BitTorrent × ×
DCE RPC ×
DHCP
DNP3 ×
DNS
File
Finger × ×
FTP ×
Gnutella × ×
GSSAPI × ×
GTPv1 × ×
HTTP
ICMP
Ident × ×
IMAP × ×
IRC
kerberos ×
Login × ×
MIME × ×
Modbus ×
MySQL ×
NCP × ×
NetBios
NTLM
NTP × ×
OpenFlow
POP3 × ×
RADIUS ×
RDP ×
RFB ×
RPC × ×
SIP
SMB
SMTP
SNMP
SOCKS
SSH
SSL
Syslog ×
TCP
Teredo ×
UDP
XMPP × ×
ZIP × ×

Startup

$ wget https://raw.githubusercontent.com/tatsu-i/rpot/master/INSTALL/install-ubuntu1604.sh
$ bash ./install-ubuntu1604.sh

Usage

$ cd /opt/rpot
$ ./scan-pcap.sh [pcap file path] [intel|standard|quick] [scan name]

Quick scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap quick test-quickscan

Intelligence scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap intel test-intelscan

Threat hunting

$ cd /opt/rpot
$ git clone https://github.com/tatsu-i/virusshare_hash
$ python ./bin/keyword-hunter.py virusshare_hash/*.md5 /tmp/hunting.log malware
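The hunting step above matches a list of hash indicators against a log and tags the hits. The following Python is an added illustration of that idea, not RPOT's own keyword-hunter.py; it assumes the hash files hold one MD5 per line and that the hunting log is JSON lines with an `md5` field, and it runs on constructed sample data:

```python
"""Hash-based hunting over a constructed RPOT-style log (added example,
not RPOT's keyword-hunter.py). Assumes one MD5 per line in the hash list
and JSON-lines log records carrying an "md5" field."""
import json
import re
from typing import Dict, Iterable, List, Set

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Keep only well-formed MD5 values, lowercased; ignore comments and junk."""
    hashes = set()
    for line in lines:
        value = line.strip().split("#", 1)[0].strip()
        if MD5_RE.match(value):
            hashes.add(value.lower())
    return hashes


def hunt(log_lines: Iterable[str], hashes: Set[str], label: str) -> List[Dict]:
    """Return one hit per log record whose md5 is in the indicator set."""
    hits = []
    for lineno, raw in enumerate(log_lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the hunt
        md5 = str(rec.get("md5", "")).lower()  # case-insensitive match
        if md5 in hashes:
            hits.append({"line": lineno, "md5": md5, "tag": label,
                         "source": rec.get("source"),
                         "filename": rec.get("filename")})
    return hits


# Constructed sample inputs (not real VirusShare data or real RPOT output).
SAMPLE_HASHES = [
    "# constructed indicator list",
    "D41D8CD98F00B204E9800998ECF8427E",
    "not-a-hash",
    "098f6bcd4621d373cade4e832627b4f6",
]
SAMPLE_LOG = [
    '{"ts": 1, "source": "HTTP", "filename": "invoice.doc", "md5": "d41d8cd98f00b204e9800998ecf8427e"}',
    '{"ts": 2, "source": "SMTP", "filename": "a.zip", "md5": "ffffffffffffffffffffffffffffffff"}',
    'garbage line',
    '{"ts": 3, "source": "HTTP", "filename": "t.txt", "md5": "098F6BCD4621D373CADE4E832627B4F6"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, load_hashes(SAMPLE_HASHES), "malware"):
        print(json.dumps(hit))
```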

Update Geoip and Intelligence

$ cd /opt/rpot
$ ./update.sh

Update hunting rule

$ cd /usr/local/share/clamav/
$ sudo vim sample.yar
rule Sample_Rule {
        strings:
            $string1 = "Test"

        condition:
            $string1
}

FAME integration

See FAME's documentation for how to build FAME, then change the logstash config:

$ cd /opt/rpot/INSTALL
$ vim logstash-clamav-es.conf # modify API_KEY and Hostname
$ sudo cp logstash-clamav-es.conf /etc/logstash/conf.d/
$ sudo service logstash restart

Visualization

Open the Kibana URL (http://localhost:5601), then click [Dashboard] -> [Open] -> [MAIN].
