Deploying Respotter
The recommended deployment method is to use the container image and deploy it with Docker Compose (`docker compose up -d`).
The root of this repository includes an example `docker-compose.yaml` file. Its contents are also shown below:

```yaml
version: "3.9"
services:
  respotter:
    container_name: respotter
    image: ghcr.io/lawndoc/respotter:latest
    network_mode: host
    cap_add:
      - NET_RAW
    security_opt:
      - label:disable
    restart: always
    volumes:
      - ./config:/config
      - ./state:/state
```

The container image will use `/config/config.json` as the default configuration file and `/state/state.json` as the default state file.
`network_mode: host` and `cap_add: NET_RAW` are required so that Respotter can perform privileged socket operations when crafting and sniffing UDP network packets.
`security_opt: label:disable` is needed to fix deployment issues on servers with SELinux.
The volume bind mounts allow you to edit `config.json` to include your arguments and persist `state.json` across container restarts to remember which hosts have already triggered alerts.
There are various configuration options you can set when launching Respotter. You can set these options in `config.json` or pass them in as a command line argument (use the `-h` flag to see all command line flags).
The order of precedence for configuration overrides is:
Defaults < Config File < CLI Arguments
Each option is described in detail below:
| Variable | Default | Description |
|---|---|---|
| discord_webhook | "" | URL for Discord webhook to receive alerts from Respotter |
| exclude | "" | comma separated list of protocols to exclude from Responder scans -- options are llmnr,mdns,nbns |
| hostname | "Loremipsumdolorsitamet" | fake hostname to query when scanning for Responder -- it's recommended to set to a more believable hostname |
| slack_webhook | "" | URL for Slack webhook to receive alerts from Respotter |
| subnet | "" | local subnet for the container host in CIDR notation -- required for Netbios (nbns) scans |
| syslog_address | "" | hostname or IP of syslog server to receive alerts from Respotter |
| teams_webhook | "" | URL for Teams webhook to receive alerts from Respotter |
| verbosity | 2 | log level (0-Critical, 1-Error, 2-Warning, 3-Informational, 4-Debug) |
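
A pre-deployment check for the options above, added here as an example and not part of Respotter's own code: it merges settings in the documented precedence order and flags values the table marks as required or not recommended. It assumes the keys of `config.json` match the variable names in the table; `resolve`, `check` and the sample values are hypothetical.

```python
import ipaddress

# Defaults copied from the options table on this page.
DEFAULTS = {
    "discord_webhook": "", "exclude": "", "hostname": "Loremipsumdolorsitamet",
    "slack_webhook": "", "subnet": "", "syslog_address": "",
    "teams_webhook": "", "verbosity": 2,
}
PROTOCOLS = {"llmnr", "mdns", "nbns"}


def resolve(config_file=None, cli_args=None):
    """Merge settings in the documented order: Defaults < Config File < CLI Arguments."""
    merged = dict(DEFAULTS)
    for layer in (config_file or {}, cli_args or {}):
        unknown = set(layer) - set(DEFAULTS)
        if unknown:
            raise KeyError(f"unknown option(s): {sorted(unknown)}")
        merged.update(layer)  # a later layer overrides an earlier one
    return merged


def check(settings):
    """Return a list of problems found in the resolved settings."""
    problems = []
    excluded = {p.strip() for p in settings["exclude"].split(",") if p.strip()}
    bad = excluded - PROTOCOLS
    if bad:
        problems.append(f"exclude: unknown protocol(s) {sorted(bad)}")
    if "nbns" not in excluded:
        # The table marks subnet as required for Netbios (nbns) scans.
        try:
            ipaddress.ip_network(settings["subnet"], strict=False)
        except ValueError:
            problems.append("subnet: a CIDR value is required unless nbns is excluded")
    if settings["hostname"] == DEFAULTS["hostname"]:
        problems.append("hostname: still the default; set a more believable name")
    if settings["verbosity"] not in range(5):
        problems.append("verbosity: must be 0-4")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    file_cfg = {"hostname": "fileserver02", "exclude": "mdns", "verbosity": 3}
    cli = {"subnet": "192.168.10.0/24", "verbosity": 4}
    settings = resolve(file_cfg, cli)
    print(settings["verbosity"], check(settings))
```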