{"id":21149199,"url":"https://github.com/alexfrancow/isoc","last_synced_at":"2025-07-09T09:30:40.385Z","repository":{"id":40530685,"uuid":"245495074","full_name":"alexfrancow/iSOC","owner":"alexfrancow","description":":bar_chart: Deploy an \"illegal\" SOC to manage vulnerabilities on your city servers in minutes.","archived":false,"fork":false,"pushed_at":"2022-12-08T03:05:10.000Z","size":122210,"stargazers_count":19,"open_issues_count":7,"forks_count":10,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-03-04T16:02:14.357Z","etag":null,"topics":["blue-team","bugbounty","bugbounty-tool","cybersecurity","docker","docker-compose","elasticsearch","elk","kibana","mongodb","openvas","python3","red-team","security-operations","siem","vulnerability-detection","w3af","zabbix"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alexfrancow.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-06T18:54:47.000Z","updated_at":"2023-02-14T02:04:19.000Z","dependencies_parsed_at":"2023-01-24T21:15:44.646Z","dependency_job_id":null,"html_url":"https://github.com/alexfrancow/iSOC","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexfrancow%2FiSOC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexfrancow%2FiSOC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexfrancow%2FiSOC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alexfrancow%2
FiSOC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alexfrancow","download_url":"https://codeload.github.com/alexfrancow/iSOC/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225519375,"owners_count":17483515,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","bugbounty","bugbounty-tool","cybersecurity","docker","docker-compose","elasticsearch","elk","kibana","mongodb","openvas","python3","red-team","security-operations","siem","vulnerability-detection","w3af","zabbix"],"created_at":"2024-11-20T09:32:57.045Z","updated_at":"2024-11-20T09:32:57.650Z","avatar_url":"https://github.com/alexfrancow.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"# iSOC \n\nDeploy an \"illegal\" SOC (Security Operations Center) to audit all the servers in your city in a few minutes. 
\n\n[![](https://img.shields.io/badge/twitter-@alexfrancow-00aced?style=flat-square\u0026logo=twitter\u0026logoColor=white)](https://twitter.com/alexfrancow) [![](https://img.shields.io/badge/linkedin-@alexfrancow-0084b4?style=flat-square\u0026logo=linkedin\u0026logoColor=white)](https://www.linkedin.com/in/alexfrancow)\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/kibana.jpg\" height=\"400\" width=\"825\" /\u003e\u003c/p\u003e\n\n## Requirements\n\nTested on:\n- Debian 10\n- Docker-compose version 1.25.4, build 8d51620a\n- Docker 19.03.6\n- Python 3.7.3\n\n```bash\n$ sudo apt update\n# Docker\n$ sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common\n$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -\n$ sudo add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable\"\n$ sudo apt update\n$ apt-cache policy docker-ce\n$ sudo apt install docker-ce\n$ sudo systemctl status docker\n$ sudo usermod -aG docker ${USER}\n$ su - ${USER}\n$ id -nG\n$ sudo usermod -aG docker username\n$ docker -v\n# Docker-compose\n$ curl -L \"https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)\" -o /usr/local/bin/docker-compose\n$ chmod +x /usr/local/bin/docker-compose\n$ ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose\n$ docker-compose --version\n# Python libraries\n$ apt install python3-pip\n$ pip3 install -r requirements.txt\n$ export PGEOCODE_DATA_DIR=/tmp/pgeocode_data\n# System requirements\n$ apt install nmap masscan\n# Virtual memory for Elasticsearch: either command works, the second one makes the setting persistent\n$ sysctl -w vm.max_map_count=262144\n$ echo \"vm.max_map_count=262144\" \u003e\u003e /etc/sysctl.conf\n```\n\nConfigure openvas to avoid the following error: \"The request contained an unknown or invalid Host header. 
If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it.\"\n```\n$ nano docker-compose.yml\n  openvas:\n    image: mikesplain/openvas\n    container_name: openvas\n    environment:\n      - PUBLIC_HOSTNAME=\u003cIP\u003e\n```\n\nTest the containers manually:\n\n```\n$ docker-compose up\nRecreating openvas     ... done\nStarting vulnwhisperer ... done\nStarting zabbix        ... done\nStarting elk           ... done\n\nPress Ctrl+C to stop\n\n$ docker ps\nCONTAINER ID        IMAGE                     COMMAND                  CREATED             STATUS\n     PORTS                                                                                        NAMES\n3c8b576943a0        mikesplain/openvas        \"/bin/sh -c /start\"      50 seconds ago      Up 48 seconds\n     0.0.0.0:443-\u003e443/tcp, 0.0.0.0:9390-\u003e9390/tcp                                                 openvas\n8cb886882bdd        sebp/elk                  \"/usr/local/bin/star…\"   7 minutes ago       Up 48 seconds\n     0.0.0.0:5044-\u003e5044/tcp, 0.0.0.0:5601-\u003e5601/tcp, 9300/tcp, 0.0.0.0:9200-\u003e9200/tcp, 9600/tcp   elk\n180c993b21ac        zabbix/zabbix-appliance   \"/sbin/tini -- /usr/…\"   7 minutes ago       Up 49 seconds\n     0.0.0.0:80-\u003e80/tcp, 0.0.0.0:10051-\u003e10051/tcp, 443/tcp\n\n```\n\n## Getting started\n\n```bash\n$ cat data/maxmind/database.tar.gz.parta* \u003e data/maxmind/database.tar.gz\n$ tar -zxvf data/maxmind/database.tar.gz\n$ python3 Main.py\n[i] Checking requirements..\n[i] Starting containers..\n[i] Logs: $ docker-compose logs -f\nCreating network \"isoc_esnet\" with the default driver\nCreating network \"isoc_default\" with the default driver\nCreating elk           ... done\nCreating openvas       ... done\nCreating zabbix        ... done\nCreating vulnwhisperer ... 
done\n[i] Waiting for zabbix to be up..\n    [*] Zabbix is up!\n    [*] Installing requirements\n[i] Waiting for kibana to be up..\n    [*] Kibana is up!\n[i] Importing templates..\n    resources/zabbix/templates/template_app_service_ports.xml\n    resources/zabbix/templates/main-template.xml\n[i] Importing actions..\n    resources/zabbix/actions/run-scan-port-80.json\n[i] Creating openvas index..\n[i] Getting IPs from maxmind database\n[i] Importing hosts..\n    192.168.1.13\n    ...\n```\n\n## Options\n\n- **Custom Zabbix Actions/Templates**: If you want to edit or import a new template or action, you can place it in \"resources/zabbix/templates/\" or \"resources/zabbix/actions/\".\n\n\n## Troubleshooting\n\n### Scan reports\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/vulnwhisperer.jpg\" height=\"400\" width=\"625\" /\u003e\u003c/p\u003e\n\nTo launch an openvas report conversion manually, we will start the vulnwhisperer container:\n\n```bash\n$ docker-compose up vulnwhisperer\nStarting vulnwhisperer ... 
done\nAttaching to vulnwhisperer\nvulnwhisperer       | WARNING: No section was specified, vulnwhisperer will scrape enabled modules from config file.\nvulnwhisperer       | Please specify a section using -s.\nvulnwhisperer       | Example vuln_whisperer -c config.ini -s nessus\nvulnwhisperer       | INFO:root:main:No section was specified, vulnwhisperer will scrape enabled modules from the config file.\nvulnwhisperer       | INFO:vulnWhispererBase:__init__:Connected to database at /opt/VulnWhisperer/data/database/report_tracker.db\nvulnwhisperer       | INFO:vulnWhispererOpenVAS:directory_check:Directory already exist for /opt/VulnWhisperer/data/ - Skipping creation\nvulnwhisperer       | INFO:OpenVAS_API:get_reports:Retreiving OpenVAS report data...\nvulnwhisperer       | INFO:OpenVAS_API:get_report_formats:Retrieving available report formats\nvulnwhisperer       | INFO:vulnWhispererOpenVAS:identify_scans_to_process:Identified 3 scans to be processed\nvulnwhisperer       | INFO:vulnWhispererOpenVAS:process_openvas_scans:Processing 1/3 - Report ID: e3326680-afef-4292-897e-775a35dc6dba\n```\n\nThe file 'resources/vulnwhisperer/vulnmod_logstash.conf', which parses the .json openvas reports, is shared with the ELK container. To verify that the file is present in the ELK container, open a shell in it:\n\n```bash\n$ docker exec -it elk bash\n$ vi /etc/logstash/conf.d/vulnmod_logstash.conf\ninput {\n    file {\n        path =\u003e \"/opt/VulnWhisperer/data/*.json\"\n```\n\nListing that folder should show the reports:\n\n```bash\n$ ls /opt/VulnWhisperer/data/*.json\n/opt/VulnWhisperer/data/openvas_scan_25826d5a471c444e941f942a771537f6_1584732168.json\n/opt/VulnWhisperer/data/openvas_scan_5b0204d06b3d4a469389acb4ba4f6b31_1584647458.json\n/opt/VulnWhisperer/data/openvas_scan_e3326680afef4292897e775a35dc6dba_1584647468.json\n```\n\nIn kibana we can see how the data has been parsed using a previously created 
index:\n\n```bash\nlogstash-vulnwhisperer-*\n```\nYou can create it with:\n\n```bash\ncurl -f -XPOST -H 'Content-Type: application/json' -H 'kbn-xsrf: anything' 'http://192.168.1.13:5601/api/saved_objects/index-pattern/logstash-*' -d '{\"attributes\":{\"title\":\"logstash-*\"}}'\n```\n\nIf you don't have any data yet with which to create an index, you can refresh the logs manually with logstash. First make sure there are logs in the \"/opt/VulnWhisperer/data/\" directory, then execute:\n\n```bash\n$ /opt/logstash/bin/logstash -f /etc/logstash/conf.d/vulnmod_logstash.conf --config.reload.automatic\n```\n\n#### Add Geo information\n\nIn the \"/etc/logstash/conf.d/vulnmod_logstash.conf\" file you can add the geoip filter to geolocate your asset; in our case the asset is the IP:\n\n```bash\n    grok {\n        match =\u003e { \"path\" =\u003e \"openvas_scan_%{DATA:scan_id}_%{INT:last_updated}.json$\" }\n        tag_on_failure =\u003e []\n    }\n\n    geoip {\n        source =\u003e \"asset\"\n    }\n```\n\n### Zabbix Discover (Ports):\n\nThere is a script ```resources/zabbix/externalscripts/tcp-discovery.sh``` that scans the target. To attach this script to a host, add the host to the ```Template App Service Ports``` template; once it is linked, the host's open ports appear in the Problems tab.\n\nThere is another script ```resources/zabbix/externalscripts/port_to_mongo.py``` that runs from an action: when the previous script finds a port, the trigger fires the ```Port to mongoDB``` action, and this script sends $pull/$push requests to mongoDB to add or delete the port.\n\n\n```bash\n# Add port\n$ python3 port_to_mongo.py -i 213.60.47.175 -pA 'Status of port 80 tcp http'\nmongodb# db.getCollection('assets').find({'ip':'213.60.47.175'})\n{'_id': ObjectId('5f46fcb743f600b9b8dae84c'), 'ip': '213.60.47.175', 'time_added': '27/08/2020', 'host_up': 'Yes', 'zip_code': '15009', 'lat': 42.3749, 'lng': -7.8049, 'place_name': 'A Coruña, Casanova De 
Eiris, Curramontes, Monserrat (Avenida)', 'network': '213.60.47.0/24', 'city': 'A Coruña', 'iso_code': 'ES', 'ports': ['80'], 'ports_w_protocol' : {'80' : ['https-alt']}}\n\n# Delete port\n$ python3 port_to_mongo.py -i 213.60.47.175 -pD 'Status of port 80 tcp http'\nmongodb# db.getCollection('assets').find({'ip':'213.60.47.175'})\n{'_id': ObjectId('5f46fcb743f600b9b8dae84c'), 'ip': '213.60.47.175', 'time_added': '27/08/2020', 'host_up': 'Yes', 'zip_code': '15009', 'lat': 42.3749, 'lng': -7.8049, 'place_name': 'A Coruña, Casanova De Eiris, Curramontes, Monserrat (Avenida)', 'network': '213.60.47.0/24', 'city': 'A Coruña', 'iso_code': 'ES', 'ports': [], 'ports_w_protocol' : {}}\n```\n\nYou must edit the ```port_to_mongo.py``` script and make sure that the mongoDB IP is correct:\n\n```python\nfrom pymongo import MongoClient\n\n# Connection to the mongoDB that stores the discovered assets\nclient = MongoClient(\"192.168.1.129\",\n                     username=\"alexfrancow\",\n                     password=\"abc123\",\n                     maxPoolSize=50)\n```\n\n### Zabbix Discover logs:\n\n```bash\n$ docker ps\n$ docker logs -f zabbix | grep discover\nline 5: nmap: command not found\n\n# The usual cause: nmap is missing inside the container, so install it\n$ docker exec -it zabbix bash\nbash-5.0# apk add nmap\nfetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz\nfetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz\n(1/3) Installing lua5.3-libs (5.3.5-r2)\n(2/3) Installing libpcap (1.9.1-r0)\n(3/3) Installing nmap (7.70-r4)\nExecuting busybox-1.30.1-r3.trigger\nOK: 346 MiB in 119 packages\n\n# Afterwards the discovery rule becomes supported\n$ docker logs -f zabbix | grep discover\nzabbix              |    346:20200321:172546.188 discovery rule \"46.24.171.21:tcp-discovery.sh[{HOST.CONN}]\" became supported\n```\n\nYou can save the logs to a file by editing ```/etc/zabbix/zabbix_server.conf```:\n\n```bash\n### Option: LogType\n#       Specifies where log messages are written to:\n#               system  - syslog\n#               file    - file specified with LogFile parameter\n#               console - standard 
output\n#\n# Mandatory: no\n# Default:\n# LogType=console\nLogType=file\n\n### Option: LogFile\n#       Log file name for LogType 'file' parameter.\n#\n# Mandatory: yes, if LogType is set to file, otherwise no\n# Default:\nLogFile=/var/log/zabbix.log\n```\n\n### Zabbix zbx_mem_malloc(): out of memory\n\nMy city has a lot of hosts (\u003e20958 found) and Zabbix crashes with this error; you must increase the CacheSize of the ZABBIX container with this variable in the \"docker-compose.yml\":\n\n```bash\nZBX_CACHESIZE=2000M\n```\n\n### Zabbix php_value memory_limit\n\nIf you see the following error:\n\n```\nFatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /usr/share/zabbix/include/classes/api/CRelationMap.php on line 77\n```\n\nincrease the MEMORYLIMIT of the ZABBIX container with this variable in the \"docker-compose.yml\":\n\n```bash\nZBX_MEMORYLIMIT=512M\n```\n\n### Openvas NVT:\n\n```bash\n$ docker ps\n$ docker logs -f openvas\n```\n\n## Errors\n\nIf you get an openvas login error when it starts, delete the files inside the 'volumes/openvas' directory.\n\n\n## External Documentation\n\n- ELK: https://elk-docker.readthedocs.io/\n- Openvas: https://hub.docker.com/r/mikesplain/openvas/dockerfile\n- Zabbix: https://www.zabbix.com/documentation/current/manual\n- Vulnwhisperer: https://github.com/HASecuritySolutions/VulnWhisperer/wiki/docker-compose-Instructions\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexfrancow%2Fisoc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falexfrancow%2Fisoc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexfrancow%2Fisoc/lists"}