GitHub - tatsuiman/rpot2: Real-time Packet Observation Tool

Real-time Packet Observation Tool (RPOT)

This build was created and tested using Ubuntu 16.04.

architecture

Protocol coverage

Protocol	Decode Payload	ElasticSearch Output	Kibana Visualization
ARP	○	×	×
AYIYA	○	×	×
BackDoor	○	×	×
BitTorrent	○	×	×
DCE RPC	○	○	×
DHCP	○	○	○
DNP3	○	○	×
DNS	○	○	○
File	○	○	○
Finger	○	×	×
FTP	○	○	×
Gnutella	○	×	×
GSSAPI	○	×	×
GTPv1	○	×	×
HTTP	○	○	○
ICMP	○	○	○
Ident	○	×	×
IMAP	○	×	×
IRC	○	○	○
kerberos	○	○	×
Login	○	×	×
MIME	○	×	×
Modbus	○	○	×
MySQL	○	○	×
NCP	○	×	×
NetBios	○	○	○
NTLM	○	○	○
NTP	○	×	×
OpenFlow	○	○	○
POP3	○	×	×
RADIUS	○	○	×
RDP	○	○	×
RFB	○	○	×
RPC	○	×	×
SIP	○	○	○
SMB	○	○	○
SMTP	○	○	○
SNMP	○	○	○
SOCKS	○	○	○
SSH	○	○	○
SSL	○	○	○
Syslog	○	○	×
TCP	○	○	○
Teredo	○	○	×
UDP	○	○	○
XMPP	○	×	×
ZIP	○	×	×

Startup

$ wget https://raw.githubusercontent.com/tatsu-i/rpot/master/INSTALL/install-ubuntu1604.sh 
$ bash ./install-ubuntu1604.sh

Usage

$ cd /opt/rpot
$ ./scan-pcap.sh [pcap file path] [intel|standard|quick] [scan name]

Quick scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap quick test-quickscan

Intelligence scan

$ cd /opt/rpot
$ ./update.sh
$ git clone https://github.com/tatsu-i/malware-traffic-analysis.net
$ ./scan-pcap.sh malware-traffic-analysis.net/2017-10-19-Necurs-Botnet-malspam-pushing-Locky.pcap intel test-intelscan

Threat hunting

$ cd /opt/rpot
$ git clone https://github.com/tatsu-i/virusshare_hash
$ python ./bin/keyword-hunter.py virusshare_hash/*.md5 /tmp/hunting.log malware

Update Geoip and Intelligence

$ cd /opt/rpot
$ ./update.sh

Update hunting rule

$ cd /usr/local/share/clamav/
$ sudo vim sample.yar
rule Sample_Rule {
        strings:
            $string1 = "Test"

        condition:
            $string1
}

FAME integration

See how to build FAME FAME’s Documentation. and change logstash config

$ cd /opt/rpot/INSTALL
$ vim logstash-clamav-es.conf # modify API_KEY and Hostname
$ sudo cp logstash-clamav-es.conf /etc/logstash/conf.d/
$ sudo service logstash restart

Visualization

Access Kibana url (http://localhost:5601) Click [Dashboard] -> [Open] -> [MAIN]

Name		Name	Last commit message	Last commit date
Latest commit History 36 Commits
INSTALL		INSTALL
bin		bin
config		config
dashboards		dashboards
es_tools		es_tools
hunting		hunting
screenshot		screenshot
static_data		static_data
.gitignore		.gitignore
CHANGELOG		CHANGELOG
LICENSE		LICENSE
README.md		README.md
init.sh		init.sh
scan-pcap.sh		scan-pcap.sh
server-status.sh		server-status.sh
tests.sh		tests.sh
update.sh		update.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Real-time Packet Observation Tool (RPOT)

architecture

Protocol coverage

Startup

Usage

Quick scan

Intelligence scan

Threat hunting

Update Geoip and Intelligence

Update hunting rule

FAME integration

Visualization

About

Uh oh!

Releases

Packages

Uh oh!

Languages

License

tatsuiman/rpot2

Folders and files

Latest commit

History

Repository files navigation

Real-time Packet Observation Tool (RPOT)

architecture

Protocol coverage

Startup

Usage

Quick scan

Intelligence scan

Threat hunting

Update Geoip and Intelligence

Update hunting rule

FAME integration

Visualization

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Languages

Packages