36 lines
1.5 KiB
Bash
36 lines
1.5 KiB
Bash
#!/bin/sh
|
|
#check if folder was mounted under /data
|
|
if [[ ! -d /data ]] ; then
|
|
echo "[!] No Folder was mounted to /data"
|
|
echo "[=] Make sure a folder containig the Windows Logs (evtx) is mounted. Example:"
|
|
echo "[=]"
|
|
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
|
|
exit 1
|
|
fi
|
|
|
|
#check which destination is writeable /data or /output
|
|
if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
|
|
echo "[!] Output folder was mounted and is writeable"
|
|
echo "[>] Using /output as destination for report"
|
|
output="/output"
|
|
else
|
|
if [[ -w /data ]] ; then
|
|
echo "[!] Mounted folder /data can be written"
|
|
echo "[>] Using /data as destination for report"
|
|
output="/data"
|
|
else
|
|
echo "[!] No writeable output folder available"
|
|
echo "[=] Make sure either the folder mounted under /data is writable ..."
|
|
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
|
|
echo "[=] ... or mount a writable folder to /output"
|
|
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/zircolite"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
#set output-destination
|
|
outputf="${output}/zircolite_$(date +%s)"
|
|
echo "output is goint to : ${outputf}"
|
|
|
|
python3 /opt/zircolite/zircolite.py --evtx /data --rules /opt/zircolite/rules/rules_windows_generic.json -c /opt/zircolite/config/fieldMappings.json -o "${outputf}.json" -t "${output}/tmp" -l "${outputf}.log"
|