Core Tools and Plugins

Core Tool Explanations

There are currently nine core tools that Vent uses.

elasticsearch

Enables comprehensive text search of syslog.

file_drop

Watches the specified directory for new files. When a new file appears, its path is added to a redis queue.

network_tap

A container that watches a specific NIC using tcpdump and writes pcap files of the monitored traffic. It has an interface located in System Commands -> Network Tap Interface in the main action menu. The interface has six available actions:

  • Create: Create a new container with a specified NIC, tag, interval (in seconds), filter, and iterations. The container is also automatically started on creation.
  • Delete: Delete a specified network tap container. Containers must be stopped before they can be deleted.
  • List: Show all network tap containers. Returns each container’s ID, whether the container is running, and the tag provided in create.
  • NICs: Show all available network interfaces. Returns a list of the names of the available NICs. Note that for Docker for Mac this shows the network interfaces of the VM running the Docker daemon, not the interface names on the Mac host.
  • Start: Start a network tap container if it is exited. Will run with the same options given to the container in create.
  • Stop: Stop a network tap container.
  • Update: Update the metadata of a network tap container.
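The Create action above takes a NIC, tag, interval, filter, and iterations and hands them to tcpdump. The following added example (not Vent’s own network_tap code) shows how those five parameters map onto tcpdump’s rotation flags and, since the NIC name and filter are user input, how to validate them and pass them as an argv list so no shell ever interprets them. The NIC allow-list, tag pattern, output directory and helper names are assumptions for the example.

```python
import re
import shlex
import subprocess

# Assumed validation rules for this example: Linux interface names are at
# most 15 characters, and a tag becomes part of a file name, so both are
# restricted to a conservative character set.
NIC_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_tap(nic, tag, interval, filter_expr, iterations, available_nics):
    """Check Create parameters; return the BPF filter split into argv tokens."""
    if not NIC_RE.match(nic) or nic not in available_nics:
        # Reject anything that is not a NIC reported by the NICs action.
        raise ValueError(f"unknown or malformed NIC: {nic!r}")
    if not TAG_RE.match(tag):
        raise ValueError(f"tag may only contain letters, digits, '_' and '-': {tag!r}")
    if not isinstance(interval, int) or interval <= 0:
        raise ValueError("interval must be a positive number of seconds")
    if not isinstance(iterations, int) or iterations <= 0:
        raise ValueError("iterations must be a positive file count")
    # shlex.split only tokenises; the tokens go straight to tcpdump as argv,
    # so shell metacharacters in the filter are never interpreted by a shell.
    return shlex.split(filter_expr)


def build_tcpdump_argv(nic, tag, interval, filter_expr, iterations,
                       available_nics, out_dir="/tmp/pcaps"):
    """Assemble the tcpdump command: rotate every `interval` seconds (-G),
    stop after `iterations` files (-W), name files by tag and timestamp."""
    tokens = validate_tap(nic, tag, interval, filter_expr, iterations, available_nics)
    argv = [
        "tcpdump", "-n",
        "-i", nic,
        "-G", str(interval),
        "-W", str(iterations),
        "-w", f"{out_dir}/{tag}-%Y%m%d%H%M%S.pcap",
    ]
    return argv + tokens


def run_tap(argv):
    """Launch tcpdump from the argv list (list form, never shell=True)."""
    return subprocess.Popen(argv)


if __name__ == "__main__":
    # Constructed sample: the NICs action would normally supply the list.
    print(build_tcpdump_argv("eth0", "webtap", 60, "port 80", 5, ["eth0", "lo"]))
```

Because the arguments are passed as a list, a NIC value such as "eth0; id" is rejected by the pattern and the allow-list before anything runs, and a filter token carrying a stray ";" reaches tcpdump as a BPF syntax error rather than a shell command.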

rabbitmq

Formats messages received from syslog and sends them to rmq_es_connector.

redis

A key/value store used for the queuing system that file_drop pushes to and rq_worker pulls from.

rmq_es_connector

A gateway between the messaging system and elasticsearch. This way, the message formatting system is not locked to rabbitmq.

rq_worker

The tool that takes files from the redis queue and runs the plugins registered for those files’ extensions.
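The file_drop, redis and rq_worker entries above describe one pipeline: a watcher enqueues new file paths, and a worker pops them and dispatches to plugins by extension. The added example below (not Vent’s code) models that pipeline end to end so the division of labour is visible; an in-memory deque stands in for the redis list, the plugin functions and the sample files are constructed for the example, and the pcap plugin adds a magic-byte check so a file is not processed on the strength of its extension alone.

```python
import os
import tempfile
from collections import deque

PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4")  # little/big-endian pcap


class FakeRedisQueue:
    """Stand-in for the redis list (rpush/lpop) that decouples drop from work."""
    def __init__(self):
        self._items = deque()

    def rpush(self, item):
        self._items.append(item)

    def lpop(self):
        return self._items.popleft() if self._items else None


def file_drop_scan(directory, seen, queue):
    """file_drop role: enqueue files not seen before; return the paths queued."""
    new = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and path not in seen:
            seen.add(path)
            queue.rpush(path)
            new.append(path)
    return new


# Constructed plugins, keyed by the extension each one handles.
def pcap_plugin(path):
    with open(path, "rb") as f:
        header = f.read(4)
    if header not in PCAP_MAGICS:
        # Extension says pcap, content does not: refuse rather than parse it.
        return "pcap:rejected-bad-magic"
    return f"pcap:{os.path.getsize(path)}B"


def log_plugin(path):
    with open(path) as f:
        return f"log:{sum(1 for _ in f)}lines"


PLUGINS = {".pcap": [pcap_plugin], ".log": [log_plugin]}


def rq_worker_drain(queue, plugins=PLUGINS):
    """rq_worker role: pop every queued path and run the matching plugins."""
    results = {}
    while (path := queue.lpop()) is not None:
        ext = os.path.splitext(path)[1].lower()
        outputs = [plugin(path) for plugin in plugins.get(ext, [])]
        results[os.path.basename(path)] = outputs or ["no plugin for extension"]
    return results


def run_demo():
    """Drop three constructed files, scan twice, drain once; return results."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "capture.pcap"), "wb") as f:
            f.write(PCAP_MAGICS[0] + b"\0" * 20)          # 24-byte pcap header
        with open(os.path.join(d, "fake.pcap"), "wb") as f:
            f.write(b"MZ\x90\x00not a capture")          # wrong magic
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("line1\nline2\nline3\n")
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("x")
        queue, seen = FakeRedisQueue(), set()
        first = file_drop_scan(d, seen, queue)
        second = file_drop_scan(d, seen, queue)   # nothing new: no duplicates queued
        return rq_worker_drain(queue), len(first), len(second)


if __name__ == "__main__":
    print(run_demo())
```

Swapping FakeRedisQueue for a real redis client changes nothing else, which is the point of putting the queue between the watcher and the worker: file_drop does not need to know which plugins exist, and rq_worker does not need to watch the filesystem.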

rq_dashboard

Management console to look at rq_worker’s active queue.

syslog

Standard logging system that adheres to the syslog standard. All tool containers send their information to syslog. If there is unexpected output or a container isn’t running properly, the relevant information will be in this tool’s container.

View this tool’s container logs with the command: docker logs cyberreboot-vent-syslog-master

Core Tool and Plugin Actions

Short explanations of all actions available in the core tools and plugins sub-menu.

Add all latest core/plugin tools

Clone the latest version of the tool. This will not update or remove any tools that have already been added.

By default, core tools are cloned from CyberReboot/vent and plugins, if no custom repo is specified, are cloned from CyberReboot/vent-plugins.

Build core/plugin tools

Build docker images from the Dockerfiles obtained from adding.

Clean core/plugin tools

Stop and remove the chosen tools’ containers.

Configure core/plugin tools

Edit a tool’s vent.template file found in the tool’s respective folder. Read more about Vent.template Files.

Disable core/plugin tools

Remove chosen tools from menus. For example, let’s say there were ten tools but only five were needed. Disabling the five unneeded tools would stop those tools from appearing on the other menus.

Enable core/plugin tools

Opposite of disable tools. Enables the tools so they can be seen again.

Inventory of core/plugin tools

Provides metadata about the currently added core/plugin tools: whether a tool is built, whether it is enabled, the name of its image, and whether the tool is currently running.

Remove core/plugin tools

Remove a tool entirely. Any of that tool’s containers are also stopped and deleted. The tool must be added again if it is to be used.

Start core/plugin tools

Start the tools’ respective containers.

Stop core/plugin tools

Stop the tools’ respective containers.

Update core/plugin tools

Pull the latest commit of the tool from its repo and build it.