Installation and requirements
The DeTT&CT framework consists of a Python tool, YAML administration files, the DeTT&CT Editor and scoring tables for the different aspects.
We provide a Docker image and Dockerfile for DeTT&CT, or it can be installed locally.
First, make sure to have Docker available on your system.
You can choose to get the DeTT&CT docker image from Docker Hub or build it yourself.
- Download the image:

  ```
  docker pull rabobankcdc/dettect:latest
  ```

  We automatically build a fresh Docker image every week and push it to Docker Hub. This is done to minimise the chance of having a Docker image with OS, software library or Python interpreter vulnerabilities.

- Or, to build it yourself, clone the GitHub repository:

  ```
  git clone https://github.com/rabobank-cdc/DeTTECT
  ```

- Go into the DeTT&CT directory:

  ```
  cd DeTTECT
  ```

- Build the Docker image (this can take a while):

  ```
  docker build -t dettect .
  ```
The below two directories are essential when using DeTT&CT with Docker. They are shared between your Docker container and the host system to allow easy exchange of files:
- `input`: within this directory, you can put your data source, technique and group YAML administration files.
- `output`: within this directory, the output files from DeTT&CT are written, such as ATT&CK Navigator layer files.
When running the image take into account the following:
- The `-v` flag should create the "input" and "output" directories on the host if they do not yet exist. If not, you have to create them manually.
- Make sure to remove the namespace `rabobankcdc` from the command line arguments when you have built the image yourself.
- Make sure that you allow sharing of drives between Docker and your host system (Windows, Mac).
- The TCP port 8080 within the container is mapped to port 8080 on the host, to allow you to access the DeTT&CT Editor locally (`-p hostPort:containerPort`). Choose another host port if port 8080 is already in use. If you do not plan to run the Editor locally, you can omit the command line argument `-p 8080:8080`.
Execute the appropriate command to create the container and mount the input and output directories:
- Linux and macOS:

  ```
  docker run -p 8080:8080 -v $(pwd)/output:/opt/DeTTECT/output -v $(pwd)/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:latest /bin/bash
  ```

- Windows (cmd.exe):

  ```
  docker run -p 8080:8080 -v %cd%/output:/opt/DeTTECT/output -v %cd%/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:latest /bin/bash
  ```

- PowerShell:

  ```
  docker run -p 8080:8080 -v ${PWD}/output:/opt/DeTTECT/output -v ${PWD}/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:latest /bin/bash
  ```

Start the container when it is no longer running (this should bring you straight back into the container with an interactive Bash shell):

```
docker start -i dettect
```
Execute the following steps to upgrade to a new version of DeTT&CT. Please note that the removal of the old container and corresponding image will not result in the removal of the input and output directories on your host, so you can keep using the same input and output directories after the upgrade.
- Stop the old container when it is running:

  ```
  docker stop dettect
  ```

- Remove the old container:

  ```
  docker rm dettect
  ```

- Remove the old image. If you have built the image locally, remove "rabobankcdc/" from the image name:

  ```
  docker image rm rabobankcdc/dettect
  ```

- Run the new Docker image.
For a local installation without Docker, the requirements are:
- Python 3.8 and higher
- Have the following Python packages installed with their appropriate versions: `attackcti`, `eql`, `pandas`, `plotly`, `ruamel.yaml`, `simplejson`, `taxii2-client` and `xlsxwriter`. See below on how to perform the installation using the `requirements.txt` file.

```
git clone https://github.com/rabobank-cdc/DeTTECT
cd DeTTECT
pip install -r requirements.txt
```