Tulip is a flow analyzer meant for use during Attack / Defence CTF competitions. It allows players to easily find some traffic related to their service and automatically generates python snippets to replicate attacks.
Tulip was developed by Team Europe for use in the first International Cyber Security Challenge. The project is a fork of flower, but it contains quite some changes:
- New front-end (typescript / react / tailwind)
- New ingestor code, based on gopacket
- IPv6 support
- Vastly improved filter and tagging system.
- Deep links for easy collaboration
- Added an http decoding pass for compressed data
- Synchronized with Suricata.
- Flow diffing
- Time and size-based plots for correlation.
- Linking HTTP sessions together based on cookies (Experimental*, disabled by default)
- PCAP-over-IP with BPF filtering support**
* - to enable, add -experimental after ./assembler in docker-compose.yml
** - to enable, configure PCAP-over-IP server (e.g. pcap-broker as suggested in PR 24) and set PCAP_OVER_IP (and BPF if necessary) in .env
Before starting the stack, edit services/api/configurations.py:
vm_ip = "10.60.4.1"
services = [{"ip": vm_ip, "port": 18080, "name": "BIOMarkt"},
{"ip": vm_ip, "port": 5555, "name": "SaaS"},
]
You can also edit this during the CTF, just rebuild the api service:
docker-compose up --build -d api
The stack can be started with docker-compose, after creating an .env file. See .env.example as an example of how to configure your environment.
cp .env.example .env
# < Edit the .env file with your favourite text editor >
docker-compose up -d --build
To ingest traffic, it is recommended to create a shared bind mount with the docker-compose. One convenient way to set this up is as follows:
- On the vulnbox, start a rotating packet sniffer (e.g. tcpdump, suricata, ...)
tcpdump -i eth0 -G 180 -w "traffic_%H:%M:%S.pcap" port 8080- Using rsync, copy complete captures to the machine running tulip (e.g. to /traffic)
rsync -avz -e ssh --progress root@10.0.0.2:/pcaps ./pcaps- Add a bind to the assembler service so it can read /traffic
(Just change
TRAFFIC_DIR_HOSTin.env)
The ingestor will use inotify to watch for new pcap's and suricata logs. No need to set a chron job.
Configure SURICATA_DIR_HOST in .env.
Create some rules (404 for testing):
. .env
mkdir -p ${SURICATA_DIR_HOST}/{etc,lib/rules,log}
echo 'alert tcp any any -> any any (msg: "404 Not Found"; http.stat_code; content:"404"; metadata: tag notfound; sid:4; rev: 1;)' >> ${SURICATA_DIR_HOST}/lib/rules/suricata.rulesAfter that run (default config for eve.json logging was good enough):
docker compose -f docker-compose-suricata.yml up -d --buildTags are read from the metadata field of a rule. For example, here's a simple rule to detect a path traversal:
alert tcp any any -> any any (msg: "Path Traversal-../"; flow:to_server; content: "../"; metadata: tag path_traversal; sid:1; rev: 1;)
Once this rule is seen in traffic, the path_traversal tag will automatically be added to the filters in Tulip.
Note
After editing Suricata rules (renaming or id change) please:
Remove old logs: rm ${SURICATA_DIR_HOST}/log/* (otherwise old signatures will be repopulated).
Restart Docker containers.
If database was only restarted (not dropped), try cleaning tags/signatures with python wipe_tags.py.
Suricata alerts are read directly from the eve.json file. Because this file can get quite verbose when all extensions are enabled, it is recommended to strip the config down a fair bit. For example:
# ...
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
pcap-file: false
community-id: false
community-id-seed: 0
types:
- alert:
metadata: yes
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# ...Sessions with matched alerts will be highlighted in the front-end and include which rule was matched.
Your Tulip instance will probably contain sensitive CTF information, like flags stolen from your machines. If you expose it to the internet and other people find it, you risk losing additional flags. It is recommended to host it on an internal network (for instance behind a VPN) or to put Tulip behind some form of authentication.
If you have an idea for a new feature, bug fixes, UX improvements, or other contributions, feel free to open a pull request or create an issue!
When opening a pull request, please target the latest development branch.
Tulip was written by @RickdeJager and @Bazumo, with additional help from @Sijisu. Thanks to our fellow Team Europe players and coaches for testing, feedback and suggestions. Finally, thanks to the team behind flower for opensourcing their tooling.