commit 49cf6750fdf78e7c4bb3ebbe60f1b6f4b7b1d7c5 Author: tabledevil Date: Thu Nov 30 12:29:06 2023 +0100 first commit
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..843dab5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine as builder
+RUN apk add --no-cache rust cargo python3 py3-pip alpine-sdk git bash
+ENV PATH=/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+RUN git clone https://github.com/wagga40/Zircolite /opt/zircolite
+ENV PYTHONDONTWRITEBYTECODE=1
+ADD pip.conf /etc/pip.conf
+RUN cd /opt/zircolite && pip install -r requirements.txt
+WORKDIR /data
+RUN mkdir /output && touch /output/notmounted
+RUN python3 /opt/zircolite/zircolite.py -U --rules /opt/zircolite/rules/
+ADD start.sh /root/start.sh
+CMD ["/bin/bash","/root/start.sh"]
diff --git a/pip.conf b/pip.conf
new file mode 100644
index 0000000..b3f5298
--- /dev/null
+++ b/pip.conf
@@ -0,0 +1,5 @@
+[install]
+compile = no
+
+[global]
+no-cache-dir = True
diff --git a/start.sh b/start.sh
new file mode 100644
index 0000000..d5f596f
--- /dev/null
+++ b/start.sh
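Review bot: Nothing in this Dockerfile is pinned, so the image is not reproducible and its contents depend on whatever the untagged `alpine`, the Zircolite default branch and the unpinned `requirements.txt` resolve to at build time; the `-U` run presumably also pulls rule updates over the network during the build, another floating input. Pin the base tag and check out a fixed commit, e.g. `FROM alpine:3.19 AS builder` and `RUN git clone https://github.com/wagga40/Zircolite /opt/zircolite && git -C /opt/zircolite checkout <commit>`. The stage is named `builder` but there is no second stage, so the shipped image still contains rust, cargo, alpine-sdk and git and runs the log analysis as root; either add a runtime stage that copies only /opt/zircolite, or at minimum add a `USER` line before `CMD`. The two `ADD` instructions copy plain local files and should be `COPY`, and `RUN cd /opt/zircolite && pip install …` should use `WORKDIR` instead of `cd`.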
@@ -0,0 +1,35 @@
+#!/bin/sh
+#check if folder was mounted under /data
+if [[ ! -d /data ]] ; then
+ echo "[!] No Folder was mounted to /data"
+ echo "[=] Make sure a folder containig the Windows Logs (evtx) is mounted. Example:"
+ echo "[=]"
+ echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
+ exit 1
+fi
+
+#check which destination is writeable /data or /output
+if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
+ echo "[!] Output folder was mounted and is writeable"
+ echo "[>] Using /output as destination for report"
+ output="/output"
+else
+ if [[ -w /data ]] ; then
+ echo "[!] Mounted folder /data can be written"
+ echo "[>] Using /data as destination for report"
+ output="/data"
+ else
+ echo "[!] No writeable output folder available"
+ echo "[=] Make sure either the folder mounted under /data is writable ..."
+ echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
+ echo "[=] ... or mount a writable folder to /output"
+ echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/zircolite"
+ exit 1
+ fi
+fi
+
+#set output-destination
+outputf="${output}/zircolite_$(date +%s)"
+echo "output is goint to : ${outputf}"
+
+python3 /opt/zircolite/zircolite.py --evtx /data --rules /opt/zircolite/rules/rules_windows_generic.json -c /opt/zircolite/config/fieldMappings.json -o "${outputf}.json" -t "${output}/tmp" -l "${outputf}.log"
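Review bot: The `[[ ! -d /data ]]` guard at the top can never fire, because the Dockerfile's `WORKDIR /data` creates that directory in the image; an unmounted run passes the check and Zircolite is pointed at an empty directory. Test for emptiness instead, e.g. `if [ -z "$(ls -A /data 2>/dev/null)" ]; then`. The script declares `#!/bin/sh` but relies on the bash-only `[[ ]]`, which only works because CMD invokes it through `/bin/bash`; either change the shebang to `#!/bin/bash` or switch to POSIX `[ ]`. The final `python3` call should be prefixed with `exec` so it becomes PID 1 and receives SIGTERM from `docker stop`, and the user-facing messages have typos ("containig", "goint") worth fixing.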