Merge pull request #94 from V1D1AN/devel

Add Zircolite

01_deploy.sh

@@ -16,7 +16,7 @@ echo "The master password Elastic set in .env:" $password
 echo "The master password Kibana set in .env:" $kibana_password
 echo "The Kibana api key is : " $kibana_api_key
 sed -i "s|kibana_api_key|$kibana_api_key|g" kibana/kibana.yml
-sed -i "s|changeme|$password|g" .env cortex/application.conf thehive/application.conf elastalert/elastalert.yaml filebeat/filebeat.yml metricbeat/metricbeat.yml heartbeat/heartbeat.yml metricbeat/modules.d/elasticsearch-xpack.yml metricbeat/modules.d/kibana-xpack.yml kibana/kibana.yml auditbeat/auditbeat.yml logstash/config/logstash.yml logstash/pipeline/beats/300_output_beats.conf logstash/pipeline/stoq/300_output_stoq.conf sigma/dockerfile arkime/scripts/capture.sh arkime/scripts/config.sh arkime/scripts/import.sh arkime/scripts/init-db.sh arkime/scripts/viewer.sh arkime/config.ini cortex/Elasticsearch_IP.json cortex/Elasticsearch_Hash.json
+sed -i "s|changeme|$password|g" .env cortex/application.conf thehive/application.conf elastalert/elastalert.yaml filebeat/filebeat.yml metricbeat/metricbeat.yml heartbeat/heartbeat.yml metricbeat/modules.d/elasticsearch-xpack.yml metricbeat/modules.d/kibana-xpack.yml kibana/kibana.yml auditbeat/auditbeat.yml logstash/config/logstash.yml logstash/pipeline/beats/300_output_beats.conf logstash/pipeline/stoq/300_output_stoq.conf logstash/pipeline/zircolite/300_output_zircolite.conf sigma/dockerfile arkime/scripts/capture.sh arkime/scripts/config.sh arkime/scripts/import.sh arkime/scripts/init-db.sh arkime/scripts/viewer.sh arkime/config.ini cortex/Elasticsearch_IP.json cortex/Elasticsearch_Hash.json
 sed -i "s|kibana_changeme|$kibana_password|g" .env
 echo
 echo
@@ -35,6 +35,7 @@ sed -i "s|organization_name|$organization|g" .env
 sed -i "s|opencti_account|$admin_account|g" .env
 sed -i "s|arkime_account|$admin_account|g" .env
 sed -i "s|n8n_account|$admin_account|g" .env
+sed -i "s|zircolite_account|$admin_account|g" .env
 echo
 while true; do
     read -s -p "Password (Must be a password with at least 6 characters): " admin_password
@@ -47,6 +48,7 @@ done
 sed -i "s|opencti_password|$admin_password|g" .env
 sed -i "s|arkime_password|$admin_password|g" .env
 sed -i "s|n8n_password|$admin_password|g" .env
+sed -i "s|zircolite_password|$admin_password|g" .env
 echo
 echo
 echo "##########################################"
@@ -614,7 +616,7 @@ echo "####### STARTING OTHER DOCKER ###########"
 echo "#########################################"
 echo
 echo
-docker-compose up -d fleet-server elastalert cyberchef file-upload syslog-ng tcpreplay clamav heartbeat spiderfoot codimd watchtower
+docker-compose up -d fleet-server elastalert cyberchef zircolite zircolite-upload file-upload syslog-ng tcpreplay clamav heartbeat spiderfoot codimd watchtower
 echo
 echo
 echo "#########################################"

README.md

@@ -24,6 +24,7 @@ Inside the solution:
 * Auditbeat
 * Fleet
 * N8n
+* Zircolite
 * Spiderfoot
 * Syslog-ng
 * Elastalert
@@ -42,7 +43,7 @@ Inside the solution:
 * Watchtower
 * Homer
 
-![S1EM](https://user-images.githubusercontent.com/18678787/201867896-1bdb6c45-6f34-45cb-b68e-e8174d1eda82.png)
+![S1EM](https://user-images.githubusercontent.com/18678787/215265829-4538679f-9efe-4ce6-a49b-2d31ec45bc55.png)
 
 # Guides
 - :exclamation:[Installation Guide](https://github.com/V1D1AN/S1EM/wiki/Installation-Guide)
@@ -69,6 +70,7 @@ Inside the solution:
 - [ ] SSO
 - [ ] Interact with Lab-DFIR-SOC (https://github.com/StevenDias33/Lab-DFIR-SOC)
 - [ ] Add Capa
+- [x] Add Zircolite
 
 # Related project
 
@@ -93,6 +95,7 @@ https://gchq.github.io/CyberChef/ <br />
 https://www.clamav.net/ <br />
 https://www.syslog-ng.com/ <br />
 https://github.com/bastienwirtz/homer <br />
+https://github.com/wagga40/zircolite <br />
 
 
 

docker-compose.yml

@@ -323,6 +323,7 @@ services:
     volumes:
       - certs:/usr/share/certificates:ro
       - stoq:/var/log/stoq
+      - zircolite:/usr/share/logstash/zircolite:rw
       - ./logstash/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro
       - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
       - ./logstash/config/jvm.options:/usr/share/logstash/config/jvm.options:ro
@@ -399,6 +400,8 @@ services:
       - NET_ADMIN
       - SYS_NICE
     restart: always
+    depends_on:
+      - filebeat
     volumes:
       - ./rules/suricata:/etc/suricata/rules
       - ./suricata/suricata.yaml:/etc/suricata/suricata.yaml
@@ -482,7 +485,7 @@ services:
       - upload:/pcap
 
   file-upload:
-    image: v1d1an/file-upload:1.0
+    image: v1d1an/file-upload:1.1
     container_name: file-upload
     hostname: file-upload
     restart: always
@@ -495,9 +498,10 @@ services:
     volumes:
       - upload:/var/www/upload/server/php/chroot/files
     environment:
-      - SITE_NAME=S1EM
+      - SITE_NAME=Upload for PCAP
       - SITE_USERNAME=upload
       - SITE_PASSWORD=upload
+      - DESCRIPTION=Upload only PCAP file.
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.upload.rule=PathPrefix(`/upload`)"
@@ -508,8 +512,56 @@ services:
       - "traefik.http.routers.upload.middlewares=redirect-to-https"
       - "traefik.http.middlewares.upload-stripprefix.stripprefix.prefixes=/upload"
       - "traefik.http.routers.upload.middlewares=upload-stripprefix"
-    ports:
-      - "8022:22"
+    networks:
+      - s1em
+
+  zircolite:
+    #image: docker.io/wagga40/zircolite:latest
+    image: v1d1an/zircolite:1.0
+    container_name: zircolite
+    hostname: zircolite
+    restart: always
+    user: root
+    tty: true
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+    volumes:
+      - zircolite:/case
+    command:  "--ruleset rules/rules_windows_sysmon_full.json --evtx /case/ --outfile /case/detected_events.json --remote 'https://es01:9200' --index 'zircolite' --eslogin '${ZIRCOLITE_USER}' --espass '${ZIRCOLITE_PASSWORD}' --forwardall --remove-events --nolog"
+    networks:
+      - s1em
+
+  zircolite-upload:
+    image: v1d1an/file-upload:1.1
+    container_name: zircolite-upload
+    hostname: zircolite-upload
+    restart: always
+    user: root
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+    volumes:
+      - zircolite:/var/www/upload/server/php/chroot/files
+    environment:
+      - SITE_NAME=Upload for Zircolite
+      - SITE_USERNAME=upload
+      - SITE_PASSWORD=upload
+      - DESCRIPTION=Upload only EVTX file or JSON file (Use template exportForELK.tmpl).
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.zircolite.rule=PathPrefix(`/zircolite`)"
+      - "traefik.http.routers.zircolite.entryPoints=secure"
+      - "traefik.http.routers.zircolite.tls=true"
+      - "traefik.http.services.zircolite.loadbalancer.server.port=80"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.routers.zircolite.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.zircolite-stripprefix.stripprefix.prefixes=/zircolite"
+      - "traefik.http.routers.zircolite.middlewares=zircolite-stripprefix"
     networks:
       - s1em
 
@@ -1645,3 +1697,5 @@ volumes:
     external: false
    n8n_data:
     external: false
+   zircolite:
+    external: false

env.sample

@@ -37,3 +37,5 @@ GENERIC_TIMEZONE=Europe/Berlin
 FLEET_SERVICETOKEN=fleettoken
 FLEET_ENROLLTOKEN=fleetenroll
 ADMINISTRATION_IP=administrationip
+ZIRCOLITE_USER=zircolite_account
+ZIRCOLITE_PASSWORD=zircolite_password

heartbeat/monitors.d/zircolite.yml

@@ -0,0 +1,7 @@
+- type: tcp
+  enabled: true
+  id: zircolite
+  name: Zircolite upload
+  hosts: ["zircolite-upload"]
+  ports: [80]
+  schedule: '@every 30s'

homer/config.yml

@@ -138,13 +138,18 @@ services:
         logo: "http://attack.mitre.org/theme/images/ATT&CK_red.png"
         tag: "site"
         tagstyle: "is-success"
-        url: "https://ela.st/tj-mitre-an"
+        url: "https://ela.st/detection-rules-navigator"
         target: "_blank" # optional html a tag target attribute
 
 
   - name: "SIRP"
     icon: "fas fa-sitemap"
     items:
+      - name: "Zircolite"
+        logo: "https://github.com/wagga40/Zircolite/raw/master/pics/zircolite_400.png"
+        tag: "app"
+        url: "https://s1em_hostname/kibana/app/dashboards#/view/832a98e0-9ef0-11ed-bedc-f9813e7df557"
+        target: "_blank" # optional html a tag target attribute
       - name: "TheHive"
         logo: "https://github.com/TheHive-Project/TheHive/raw/main/images/thehive-logo.png"
         tag: "app"
@@ -169,14 +174,23 @@ services:
         tag: "app"
         url: "https://s1em_hostname/codimd/"
         target: "_blank" # optional html a tag target attribute
-      - name: "Upload"
-        logo: "https://fileproinfo.com/images/pcap_file_extension.png"
-        tag: "app"
-        url: "https://s1em_hostname/upload/"
-        target: "_blank" # optional html a tag target attribute
       - name: "StartMe"
         logo: "https://res.cloudinary.com/crunchbase-production/image/upload/c_lpad,h_170,w_170,f_auto,b_white,q_auto:eco,dpr_1/v1477931274/aq1yfkwbl5yslbedhkyj.png"
         tag: "site"
         tagstyle: "is-success"
         url: "https://start.me/p/6r66da/cybersecurity"
         target: "_blank" # optional html a tag target attribute
+
+  - name: "UPLOAD"
+    icon: "fas fa-tools"
+    items:
+      - name: "PCAP"
+        logo: "https://fileproinfo.com/images/pcap_file_extension.png"
+        tag: "app"
+        url: "https://s1em_hostname/upload/"
+        target: "_blank" # optional html a tag target attribute
+      - name: "Zircolite"
+        logo: "https://fileproinfo.com/images/pcap_file_extension.png"
+        tag: "app"
+        url: "https://s1em_hostname/zircolite/"
+        target: "_blank" # optional html a tag target attribute