Initial commit

Author: SOVEREIGN

.dockerignore

@@ -0,0 +1,12 @@
+/src/rtkcsm*
+/src/cpu_profile*.pprof
+/src/graphs.json
+/src/graphs/
+/src/static/*.js
+/src/static/*.js.map
+/src/web/node_modules/**
+/src/web/dist/**
+**/.DS_Store
+**.csv
+**/.gitignore
+**/.git

.gitignore

@@ -0,0 +1,15 @@
+.DS_Store
+
+/data/
+/src/graphs/
+/src/graphs.json
+cpu_profile*.pprof
+/src/rtkcsm*
+*.csv
+__debug_bin*
+
+# Web
+/src/web/node_modules
+/src/web/dist/
+/src/static/*.js
+/src/static/*.js.map

Dockerfile

@@ -0,0 +1,45 @@
+# syntax=docker/dockerfile:1.7-labs
+FROM node AS web-builder
+
+RUN npm install -g typescript rollup
+
+COPY /src/web/package.json /src/web/package.json
+COPY /src/web/package-lock.json /src/web/package-lock.json
+COPY /src/web/rollup.config.js /src/web/rollup.config.js
+COPY /src/web/tsconfig.json /src/web/tsconfig.json
+
+WORKDIR /src/web/
+RUN npm install
+
+COPY /src/web/src/ /src/web/src/
+RUN tsc && rollup -c
+
+COPY /src/static/ /src/static/
+
+FROM golang:alpine AS builder
+
+COPY --exclude=/src/web/* /src/ /src/
+COPY --from=web-builder /src/static/ /src/static/
+WORKDIR /src/
+
+ARG TARGETOS TARGETARCH
+
+RUN --mount=type=cache,target=/root/.cache/ GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /rtkcsm .
+
+FROM golang:alpine AS passwd
+
+RUN echo "nobody:x:65534:65534:Nobody:/:" > /etc_passwd
+
+FROM scratch
+
+COPY --from=passwd /etc_passwd /etc/passwd
+COPY --from=builder /rtkcsm /rtkcsm
+
+ENV GIN_MODE=release
+WORKDIR /
+
+USER nobody
+ENV PATH="/"
+
+ENTRYPOINT ["rtkcsm"]
+CMD ["--reader", "suricata", "--transport", "tcp", "--listen", ":9000", "--server", ":8080"]

README.md

@@ -0,0 +1,41 @@
+## Usage
+
+### Command Line Options
+
+**Ingesting data**
+
+You have two options for getting the data in. Either via file or TCP server:
+- `--file /my/file` File path of your log file
+- `--listen 0.0.0.0:9000` TCP Server address that can be connected to using Tenzir's [TCP client connector](https://docs.tenzir.com/connectors/tcp)
+
+In addition, you also need to supply the `--transport TYPE` option with either:
+
+- `file` when using the `--file` option (**default**)
+- `tcp` when using the `--listen` option
+
+
+Using the TCP server has the advantage of enabling data streaming, thereby generating graphs in real-time.
+
+**Data ingest type**
+
+You can choose between different data types of your ingested data using the `--reader TYPE` option:
+- `zeek`
+- `suricata`
+- `ocsf`
+
+
+**Web UI**
+
+By default the RT-KCSM does not expose the web interface. To view it, you must specify the address of the HTTP server:
+- `--server 0.0.0.0:8080`
+
+You can visit the web UI at [http://localhost:8080/web/](http://localhost:8080/web/)
+
+For configuring high-risks target/hosts go to the `Configure Hosts` section.
+
+**Example using Docker**
+
+Default options for Docker container.
+```
+docker run git.informatik.uni-hamburg.de:4567/iss/projects/sovereign/rt-kcsm/open-source:latest --reader suricata --transport tcp --listen :9000 --server :8080
+```

docker-compose.yaml

@@ -0,0 +1,9 @@
+services:
+  rtkcsm:
+    build: .
+    image: git.informatik.uni-hamburg.de:4567/iss/projects/sovereign/rt-kcsm/open-source:latest
+    restart: always
+
+    ports:
+      - 8080:8080 # Web interface
+      - 9000:9000 # TCP ingest port for Tenzir