tatsui-geek / Rpot

Licence: apache-2.0
Real-time Packet Observation Tool


Real-time Packet Observation Tool (RPOT)

This build was created and tested using Ubuntu 16.04.

[architecture diagram]

Protocol coverage

✔ = supported, × = not supported

Protocol    Decode Payload   ElasticSearch Output   Kibana Visualization
ARP         ✔                ×                      ×
AYIYA       ✔                ×                      ×
BackDoor    ✔                ×                      ×
BitTorrent  ✔                ×                      ×
DCE RPC     ✔                ✔                      ×
DHCP        ✔                ✔                      ✔
DNP3        ✔                ✔                      ×
DNS         ✔                ✔                      ✔
File        ✔                ✔                      ✔
Finger      ✔                ×                      ×
FTP         ✔                ✔                      ×
Gnutella    ✔                ×                      ×
GSSAPI      ✔                ×                      ×
GTPv1       ✔                ×                      ×
HTTP        ✔                ✔                      ✔
ICMP        ✔                ✔                      ✔
Ident       ✔                ×                      ×
IMAP        ✔                ×                      ×
IRC         ✔                ✔                      ✔
kerberos    ✔                ✔                      ×
Login       ✔                ×                      ×
MIME        ✔                ×                      ×
Modbus      ✔                ✔                      ×
MySQL       ✔                ✔                      ×
NCP         ✔                ×                      ×
NetBios     ✔                ✔                      ✔
NTLM        ✔                ✔                      ✔
NTP         ✔                ×                      ×
OpenFlow    ✔                ✔                      ✔
POP3        ✔                ×                      ×
RADIUS      ✔                ✔                      ×
RDP         ✔                ✔                      ×
RFB         ✔                ✔                      ×
RPC         ✔                ×                      ×
SIP         ✔                ✔                      ✔
SMB         ✔                ✔                      ✔
SMTP        ✔                ✔                      ✔
SNMP        ✔                ✔                      ✔
SOCKS       ✔                ✔                      ✔
SSH         ✔                ✔                      ✔
SSL         ✔                ✔                      ✔
Syslog      ✔                ✔                      ×
TCP         ✔                ✔                      ✔
Teredo      ✔                ✔                      ×
UDP         ✔                ✔                      ✔
XMPP        ✔                ×                      ×
ZIP         ✔                ×                      ×

Startup

The installer is fetched from the project's GitHub repository and run with bash. Read the script before running it: it installs and configures system services (Elasticsearch, Logstash, Kibana, ClamAV) on the host.

$ wget https://raw.githubusercontent.com/tatsu-i/rpot/master/INSTALL/install-ubuntu1604.sh
$ bash ./install-ubuntu1604.sh

Usage

$ cd /opt/rpot
$ ./scan-pcap.sh [pcap file path] [intel|standard|quick] [scan name]

Quick scan

The sample captures in the malware-traffic-analysis.net repository are recordings of real malspam campaigns (the one below is Necurs malspam pushing Locky), so run these scans on an isolated analysis host.

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap quick test-quickscan

Intelligence scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap intel test-intelscan

Threat hunting

$ cd /opt/rpot
$ git clone https://github.com/tatsu-i/virusshare_hash
$ python ./bin/keyword-hunter.py virusshare_hash/*.md5 /tmp/hunting.log malware
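As an added illustration of this step, the script below does the same kind of hash-list hunt. It is not rpot's own bin/keyword-hunter.py (whose source is not on this page): it loads VirusShare-style .md5 lists, scans a line-oriented log for 32-hex-digit tokens, and emits one JSON hit per match, tagged with the keyword. The argument order (hash lists, then log, then keyword), the hash-list format and the shape of the log lines are assumptions, and the embedded sample data is constructed.

```python
#!/usr/bin/env python3
"""Hunt a text log for file hashes that appear in VirusShare-style MD5 lists.

Added illustration for this page, not rpot's own bin/keyword-hunter.py (whose
source is not shown in the README). Assumptions made here:
  * hash lists are VirusShare format: one MD5 per line, '#' comment lines;
  * the log is line-oriented (e.g. JSON lines exported from Elasticsearch)
    and file hashes appear in it as 32-hex-digit tokens;
  * the positional arguments mirror the README call:
      python3 hash_hunter.py HASHLIST... LOG KEYWORD
    where KEYWORD is the tag written into each hit.
"""
import json
import re
import sys
from typing import Dict, Iterable, Iterator, List, Set

# \b on both sides: a SHA-1 (40 hex) or SHA-256 (64 hex) must not match as an MD5.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Constructed sample data for this example; not real VirusShare content and
# not real traffic.  The two MD5s are those of "" and "test".
SAMPLE_HASH_LIST = """\
# VirusShare.com hash list (constructed sample)
# one MD5 per line
d41d8cd98f00b204e9800998ecf8427e
098F6BCD4621D373CADE4E832627B4F6
"""

SAMPLE_LOG = [
    '{"ts":"2017-10-19T15:02:11Z","proto":"http","md5":"D41D8CD98F00B204E9800998ECF8427E","filename":"invoice.doc"}',
    '{"ts":"2017-10-19T15:02:12Z","proto":"smtp","md5":"098f6bcd4621d373cade4e832627b4f6","filename":"scan.zip"}',
    '{"ts":"2017-10-19T15:02:13Z","proto":"http","sha256":"d41d8cd98f00b204e9800998ecf8427ed41d8cd98f00b204e9800998ecf8427e"}',
    '{"ts":"2017-10-19T15:02:14Z","proto":"dns","query":"example.com"}',
]


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Parse hash-list lines into a set of lowercase MD5 strings.

    Blank lines, '#' comments and anything that is not exactly one
    32-hex-digit token are skipped, so a stray header line cannot poison
    the set with a value that would never match.
    """
    hashes: Set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if MD5_RE.fullmatch(line):
            hashes.add(line.lower())
    return hashes


def hunt(log_lines: Iterable[str], hashes: Set[str], keyword: str) -> Iterator[Dict[str, object]]:
    """Yield one hit per distinct listed MD5 found on a log line.

    Tokens are compared case-insensitively; the original record is kept in
    the hit so the analyst can pivot on timestamp, protocol and file name.
    """
    for lineno, line in enumerate(log_lines, start=1):
        tokens = {t.lower() for t in MD5_RE.findall(line)}
        for md5 in sorted(tokens & hashes):
            yield {"line": lineno, "md5": md5, "tag": keyword, "record": line.rstrip("\n")}


def hunt_sample(keyword: str = "malware") -> List[Dict[str, object]]:
    """Run the hunt over the constructed sample data (quick self-check)."""
    return list(hunt(SAMPLE_LOG, load_hashes(SAMPLE_HASH_LIST.splitlines()), keyword))


def main(argv: List[str]) -> int:
    if len(argv) < 4:
        sys.stderr.write("usage: hash_hunter.py HASHLIST... LOG KEYWORD\n")
        return 2
    hash_paths, log_path, keyword = argv[1:-2], argv[-2], argv[-1]
    hashes: Set[str] = set()
    for path in hash_paths:  # the shell has already expanded virusshare_hash/*.md5
        with open(path, encoding="utf-8", errors="replace") as fh:
            hashes |= load_hashes(fh)
    count = 0
    with open(log_path, encoding="utf-8", errors="replace") as log:
        for hit in hunt(log, hashes, keyword):
            sys.stdout.write(json.dumps(hit) + "\n")  # one JSON object per hit
            count += 1
    sys.stderr.write(f"{count} hit(s) against {len(hashes)} hashes\n")
    return 1 if count else 0  # non-zero exit lets a cron job flag hits


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Matching is on whole 32-hex-digit tokens rather than substrings, so a SHA-1 or SHA-256 in the same record cannot produce a false hit, and both sides are lower-cased because log exporters and hash lists do not agree on case.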

Update Geoip and Intelligence

$ cd /opt/rpot
$ ./update.sh

Update hunting rule

Hunting rules are YARA files placed in ClamAV's database directory. ClamAV implements only a subset of the YARA rule language (no modules or external variables), so keep rules to plain strings and simple conditions.

$ cd /usr/local/share/clamav/
$ sudo vim sample.yar
rule Sample_Rule {
        strings:
            $string1 = "Test"   // literal to look for in the scanned file

        condition:
            $string1            // match when the string occurs at least once
}

FAME integration

See FAME's documentation for how to build FAME, then change the logstash config. The config file carries the FAME API key, so keep the copied file readable only by root and the logstash service account.

$ cd /opt/rpot/INSTALL
$ vim logstash-clamav-es.conf # modify API_KEY and Hostname
$ sudo cp logstash-clamav-es.conf /etc/logstash/conf.d/
$ sudo service logstash restart

Visualization

Open Kibana (http://localhost:5601) and click [Dashboard] -> [Open] -> [MAIN]. Keep Kibana bound to localhost, or put it behind an authenticating reverse proxy before exposing it: the dashboards show every decoded session and payload to anyone who can reach the port.
