This project provides a means to build a docker image containing:
- Zeek LTS (4.0.4)
- Flightsim (latest release version)
- asoc-zeek
A control script (tf.sh) is also provided as the container entry point. When the
container is started, tf.sh does the following:
- Starts Zeek via the asoc-zeek script
- Runs all flightsim simulation modules
- Network telemetry is collected by Zeek and sent to aSOC
- Teardown
The goal is to have a cohesive 'service' to test whether aSOC infrastructure is generating the proper events (at least for those threats that flightsim can simulate). The other half of this goal is realized using redash.hq.alphasoc.net.
Clone the repository, and cd to its root directory. The command below will create an image tagged testflight:latest:
docker build --tag=testflight .
Assuming you want to run the container locally, it's sufficient to:
docker run --rm --dns 8.8.8.8 -v ~/.ssh:/root/.ssh:ro -e ORG_ID="YOUR_ORGANIZATION_ID" -e STAGING=false testflight:latest
In this case, the following happens:
- `--rm` removes the container after it finishes.
- `--dns` forces the container to use `8.8.8.8` for DNS lookups, preventing cases where DNS requests are forwarded to the host (and thus resolved outside the container's network namespace), which would circumvent Zeek's detection of the simulated DNS traffic.
- `-v` mounts your local `.ssh/` directory as root's `.ssh/` in the container (read-only). Assuming you have SSH configured correctly, this will allow Zeek to upload telemetry to the aSOC SFTP servers. For information on how to configure this, see: asoc-zeek -> SSH auth.
- `-e` passes environment variables to the container. `ORG_ID` is required. `STAGING` is `false` by default (you can omit it from the command line). If you're a developer communicating with staging services, set it to `true`.
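The following wrapper is an added example and not part of the testflight repository or tf.sh. It composes the `docker run` command above from validated inputs, and adds the preflight check a practitioner would want for the `--dns` caveat: a function that inspects `resolv.conf` text and fails if any nameserver is a loopback address (for example Docker's embedded resolver `127.0.0.11` on user-defined networks), since queries to such a stub are answered outside the container's network namespace and never reach Zeek. The function names, the `TESTFLIGHT_RUN` switch and the sample `resolv.conf` contents are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the testflight project. Assumes a POSIX shell and awk.

# dns_is_external RESOLV_CONF_TEXT
# Returns 0 if the text names at least one nameserver and none of them is a
# loopback address; returns 1 otherwise. A loopback resolver (e.g. Docker's
# embedded DNS on 127.0.0.11, or a host stub) means flightsim's DNS queries
# would be forwarded outside the container and bypass Zeek.
dns_is_external() {
  printf '%s\n' "$1" | awk '
    $1 == "nameserver" {
      n++
      if ($2 ~ /^127\./ || $2 == "::1") bad++
    }
    END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# testflight_cmd ORG_ID [STAGING] [SSH_DIR]
# Prints the docker run command from the README for the given inputs.
# Fails (exit 2) on an empty ORG_ID or a STAGING value other than true/false.
# SSH_DIR is assumed not to contain whitespace, matching the README's usage.
testflight_cmd() {
  org_id=$1
  staging=${2:-false}
  ssh_dir=${3:-$HOME/.ssh}
  [ -n "$org_id" ] || { echo "ORG_ID is required" >&2; return 2; }
  case $staging in
    true|false) ;;
    *) echo "STAGING must be true or false, got '$staging'" >&2; return 2 ;;
  esac
  printf 'docker run --rm --dns 8.8.8.8 -v %s:/root/.ssh:ro -e ORG_ID=%s -e STAGING=%s testflight:latest\n' \
    "$ssh_dir" "$org_id" "$staging"
}

# Only launch the container when explicitly asked, so the functions above can
# be sourced or tested without Docker present. TESTFLIGHT_RUN is an assumed
# switch for this example, not something tf.sh reads.
if [ "${TESTFLIGHT_RUN:-}" = "1" ]; then
  cmd=$(testflight_cmd "${ORG_ID:-}" "${STAGING:-false}" "${SSH_DIR:-$HOME/.ssh}") || exit 2
  eval "$cmd"
fi
```

To apply the resolver check to the real image rather than to constructed text, override the entry point so the container only prints its resolver configuration, e.g. `dns_is_external "$(docker run --rm --dns 8.8.8.8 --entrypoint cat testflight:latest /etc/resolv.conf)"` (this assumes `cat` is available in the image); a non-zero exit means the `--dns` flag did not take effect and Zeek would miss the simulated DNS traffic.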