first commit

.gitignore

@@ -3,12 +3,15 @@ __pycache__/
 *.py[cod]
 *$py.class
 
+#secrets
+.env
+malware
 # C extensions
 *.so
 
 # Distribution / packaging
 .Python
-build/
+# build/
 develop-eggs/
 dist/
 downloads/

README.md

@@ -1 +1,10 @@
-# Yara_Strelka_Training
+# Yara_Strelka_Training
+
+Running:
+
+rename prod.env.example to .env and set values accordingly. Then run using:
+
+```docker-compose up```
+
+Visit http://localhost:8080/guacamole and login using default guacamole credentials guacadmin:guacadmin
+Set up a new connection to 127.0.0.1 port 2222 using credentials specified in the .env file

build/Dockerfile

@@ -0,0 +1,72 @@
+FROM ubuntu:latest
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV GIT_SSL_NO_VERIFY=1
+ARG SSH_USERNAME=student
+ARG SSH_PASSWORD=student
+ARG ZIP_PASS=test
+ARG YARA=4.1.0
+
+RUN apt-get update && apt-get install --no-install-recommends -y \
+  openssh-server \
+  vim \
+  nano \
+  automake \
+  bison \
+  flex \
+  gcc \
+  git \
+  libmagic-dev \
+  libprotobuf-dev \
+  libssl-dev \
+  libtool \
+  make \
+  openssh-server \
+  pkg-config \
+  unzip
+
+# install yara
+RUN cd /tmp \
+  && git clone --recursive --branch v$YARA https://github.com/VirusTotal/yara.git \
+  && cd /tmp/yara \
+  && ./bootstrap.sh \
+  && sync \
+  && ./configure \
+    --with-crypto \
+    --enable-magic \
+    --enable-dotnet \
+  && make \
+  && make install \
+  && ldconfig
+
+RUN git clone https://github.com/target/strelka.git /opt/strelka
+
+WORKDIR /opt
+COPY malware.zip /opt
+RUN unzip -P $ZIP_PASS malware.zip && rm -rf malware.zip
+
+#setup user
+RUN useradd -rm -s /bin/bash -u 1000 $SSH_USERNAME
+RUN echo "$SSH_USERNAME:$SSH_PASSWORD" | chpasswd
+RUN echo "uuid=\$(cat /proc/sys/kernel/random/uuid |cut -d '-' -f 1) \
+&& mkdir \$uuid && cd \$uuid \
+&& mkdir strelka \
+&& ln -s /opt/malware malware \
+&& cp -r /opt/strelka/src/python/strelka/scanners/ ./strelka/ \
+&& cp -r /opt/strelka/configs/python/backend/ ./strelka/ \
+&& HOME=~/\$uuid" >> /home/$SSH_USERNAME/.bashrc
+RUN chmod 701 /home && \
+  sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config && \
+  mkdir /var/run/sshd
+
+#setup ssh
+# RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config
+EXPOSE 22
+
+#cleanup
+RUN apt-get clean && \
+    rm -rf /var/lib/apt/lists/* \
+    /tmp/* /var/tmp/*
+
+CMD ["/usr/sbin/sshd","-D"]
+

docker-compose.yml

@@ -0,0 +1,61 @@
+version: "3"
+services:
+
+  init-guacamole-db:
+    image: guacamole/guacamole:latest
+    command: ["/bin/sh", "-c", "test -e /init/initdb.sql && echo 'init file already exists' || /opt/guacamole/bin/initdb.sh --postgres > /init/initdb.sql" ]
+    volumes:
+      - dbinit:/init    
+
+  postgres:
+    image: postgres:latest
+    restart: unless-stopped
+    volumes:
+      - dbinit:/docker-entrypoint-initdb.d        
+      - dbdata:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-guacdb}
+      POSTGRES_PASSWORD: 
+    depends_on:
+      - init-guacamole-db
+    network_mode: host
+
+  guacd:
+    image: guacamole/guacd:latest
+    restart: unless-stopped
+    network_mode: host
+
+  guac:
+    image: guacamole/guacamole:latest
+    restart: unless-stopped
+    # ports:
+    #   - "8080:8080"
+    environment:
+      GUACD_HOSTNAME: "127.0.0.1"
+      POSTGRES_HOSTNAME: "127.0.0.1"
+      POSTGRES_DATABASE: ${POSTGRES_USER:-guacdb}
+      POSTGRES_USER: ${POSTGRES_USER:-guacdb}
+      POSTGRES_PASSWORD:
+    depends_on:
+      - postgres
+      - guacd
+    network_mode: host
+
+  openssh-server:
+    build:
+      context: .
+      dockerfile: build/Dockerfile
+      args:
+        - SSH_USERNAME=$SSH_USERNAME
+        - SSH_PASSWORD=$SSH_PASSWORD
+        - ZIP_PASS=$ZIP_PASS
+    container_name: openssh-server
+    ports:
+      - '2222:22'
+    restart: unless-stopped
+
+volumes:
+  dbinit:
+    driver: local
+  dbdata:
+    driver: local

prod.env.example

@@ -0,0 +1,5 @@
+POSTGRES_USER=user
+POSTGRES_PASSWORD=pass
+SSH_USERNAME=test
+SSH_PASSWORD=password
+ZIP_PASS=test