Rapidly Search and Hunt through Linux Forensics Artifacts
ChopChopGo inspired by Chainsaw utilizes Sigma rules for forensics artifact recovery, enabling rapid and comprehensive analysis of logs and other artifacts to identify potential security incidents and threats on Linux.
Features
- π― Hunt for threats using Sigma detection rules and custom ChopChopGo detection rules
- β‘ Lightning fast, written in go
- πͺΆ Clean and lightweight execution and output formats without unnecessary bloat
- π» Runs on Linux
$ ./ChopChopGo -target syslog -rules ./rules/linux/builtin/syslog/
ββββββ βββ ββ ββββββ ββββββ ββββββ βββ ββ ββββββ ββββββ βββββ ββββββ
ββββ ββ ββββ βββββββ βββββββ βββ ββββ ββ ββββ βββββββ βββββββ βββ βββ βββββββ βββ
βββ β ββββββββββββ βββββββ ββββ βββ β ββββββββββββ βββββββ ββββ ββββββββββββ βββ
ββββ βββββββ βββ βββ ββββββββββ β ββββ βββββββ βββ βββ ββββββββββ β βββ ββββββ βββ
β βββββ ββββββββββ βββββββββββ β β β βββββ ββββββββββ βββββββββββ β β βββββββββ βββββββ
β ββ β β β ββββββ ββββββ ββββ β β β ββ β β β ββββββ ββββββ ββββ β β ββ β β ββββββ
β β β βββ β β β ββ ββ β β β β βββ β β β ββ ββ β β β β β ββ
β β ββ ββ β β β ββ β β ββ ββ β β β ββ β β β β β β β
β β β β β β β β β β β β β β β β β
β β
By Keyboard Cowboys (M00NL1G7)
Using syslog file: /var/log/messages
100% |ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ| (67504/67504, 27840 it/s)
+-----------------+--------------------------------+-----------------------------------------+
| TIMESTAMP | MESSAGE | TAGS |
+-----------------+--------------------------------+-----------------------------------------+
| Mar 2 20:04:38 | fedora systemd[1]: | attack.defense_evasion-attack.t1562.004 |
| | iptables.service: Deactivated | |
| | successfully. | |
| Mar 4 10:19:03 | DESKTOP-RNL1DBO systemd[1]: | attack.defense_evasion-attack.t1562.004 |
| | iptables.service: Deactivated | |
| | successfully. | |
+-----------------+--------------------------------+-----------------------------------------+
Processed 67504 syslog events
Quick Start Guide
Downloading and Running
For an all-in-one zip container the ChopChopGo binary, and the official sigma rules to go with it, check out the releases section In this releases section you will also find pre-compiled binary-only versions of ChopChopGo.
If you want to compile ChopChopGo yourself, you can clone the ChopChopGo repo:
git clone https://github.com/M00NLIG7/ChopChopGo.git
and compile the code yourself by running: go build
.
You might need to install the development files for systemd (e. g. apt-get install libsystemd-dev
)
Command Examples
./ChopChopGo # Defaults to searching through syslog
./ChopChopGo -target auditd -rules ./rules/linux/auditd/ -file /opt/evidence/auditd.log # This searches through auditd log with the official sigma rules
./ChopChopGo -target journald -rules ./rules/linux/builtin/ # This searches through journald with specified rules
You may wish to use ChopChopGo in an automated fashion. The CSV and JSON output options are useful for this purpose. With both of these options, the header and progress statistics are not printed to the console.
The alternative output format is written to stdout - you can process it from there (e. g. write it to a file for later use).
Each option can be specified using the -out
parameter.
CSV
./ChopChopGo -target sylog -rules ./rules/linux/builtin/syslog/ -out csv # This searches through syslog with the official sigma rules, then outputs the data in CSV format
JSON
./ChopChopGo -target syslog -rules ./rules/linux/builtin/syslog/ -out json # This searches through syslog with the official sigma rules, then outputs the data as JSON
Updating Sigma Rules
The repository includes a simple script to update the included sigma rules to the newest state from the Sigma Rules repo.
./update-rules.sh