first commit

This commit is contained in:
tabledevil
2023-11-30 12:29:06 +01:00
commit 49cf6750fd
3 changed files with 52 additions and 0 deletions

12
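--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine as builder
+RUN apk add --no-cache rust cargo python3 py3-pip alpine-sdk git bash
+ENV PATH=/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+RUN git clone https://github.com/wagga40/Zircolite /opt/zircolite
+ENV PYTHONDONTWRITEBYTECODE=1
+ADD pip.conf /etc/pip.conf
+RUN cd /opt/zircolite && pip install -r requirements.txt
+WORKDIR /data
+RUN mkdir /output && touch /output/notmounted
+RUN python3 /opt/zircolite/zircolite.py -U --rules /opt/zircolite/rules/
+ADD start.sh /root/start.sh
+CMD ["/bin/bash","/root/start.sh"]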
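Review bot: The clone on line 17 checks out whatever HEAD of wagga40/Zircolite is at build time and line 23 then pulls updated rules with `-U`, so two builds of this Dockerfile can ship different tooling and different detection rules with nothing recording which version went in; pin the checkout, e.g. `RUN git clone --depth 1 --branch <ZIRCOLITE_TAG> https://github.com/wagga40/Zircolite /opt/zircolite` (or check out a fixed commit), and either do the rule update at runtime or record the rule version in a `LABEL`. The same reproducibility concern applies to the untagged `FROM alpine` on line 14 and the unpinned `apk add` on line 15. Smaller points: `ADD` on lines 19 and 24 copies plain local files and should be `COPY`; the `cd` on line 20 should be `WORKDIR /opt/zircolite`; and the image ends without a `USER`, so zircolite runs as root over the mounted log directory, while the `AS builder` stage name is never consumed by a second stage.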

5
pip.conf Normal file

@@ -0,0 +1,5 @@
[install]
compile = no
[global]
no-cache-dir = True

35
start.sh Normal file

@@ -0,0 +1,35 @@
#!/bin/sh
#check if folder was mounted under /data
if [[ ! -d /data ]] ; then
echo "[!] No Folder was mounted to /data"
echo "[=] Make sure a folder containig the Windows Logs (evtx) is mounted. Example:"
echo "[=]"
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
exit 1
fi
#check which destination is writeable /data or /output
if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
echo "[!] Output folder was mounted and is writeable"
echo "[>] Using /output as destination for report"
output="/output"
else
if [[ -w /data ]] ; then
echo "[!] Mounted folder /data can be written"
echo "[>] Using /data as destination for report"
output="/data"
else
echo "[!] No writeable output folder available"
echo "[=] Make sure either the folder mounted under /data is writable ..."
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
echo "[=] ... or mount a writable folder to /output"
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/zircolite"
exit 1
fi
fi
#set output-destination
outputf="${output}/zircolite_$(date +%s)"
echo "output is goint to : ${outputf}"
python3 /opt/zircolite/zircolite.py --evtx /data --rules /opt/zircolite/rules/rules_windows_generic.json -c /opt/zircolite/config/fieldMappings.json -o "${outputf}.json" -t "${output}/tmp" -l "${outputf}.log"
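Review bot: The zircolite invocation on line 73 is not `exec`'d, so the bash started by the Dockerfile's `CMD ["/bin/bash","/root/start.sh"]` stays PID 1 and a SIGTERM from `docker stop` is delivered to bash rather than to python3, which likely leaves the report run to be killed rather than shut down cleanly; prefix it with `exec`: `exec python3 /opt/zircolite/zircolite.py --evtx /data ...`. The `[[ ... ]]` tests on lines 44, 52 and 57 are bash syntax under the `#!/bin/sh` shebang on line 42; the script only works because CMD runs it through bash explicitly, so either change the shebang to `#!/bin/bash` or switch to POSIX `[ ... ]`. The messages on lines 46 and 72 have typos (`containig`, `goint`). The section header counts 35 additions but 32 lines are shown, so the file may continue beyond what is visible here.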