Need help with LiSa?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

danieluhricek
176 Stars 43 Forks Apache License 2.0 16 Commits 6 Opened issues

Description

Sandbox for automated Linux malware analysis.

Services available

!
?

Need anything else?

Contributors list

LiSa

Project providing automated Linux malware analysis on various CPU architectures.

Table of contents

LiSa

Features

  • QEMU emulation.
  • Currently supporting x86_64, i386, arm, mips, aarch64.
  • Small images built w/ buildroot.
  • Radare2 based static analysis.
  • Dynamic (behavioral) analysis using SystemTap kernel modules - captured syscalls, openfiles, process trees.
  • Network statistics and analysis of DNS, HTTP, Telnet and IRC communication.
  • Endpoints analysis and blacklists configuration.
  • Scaled with celery and RabbitMQ.
  • REST API | frontend.
  • Extensible through sub-analysis modules and custom images.

Get Started

Requirements

  1. Get repository.
$ git clone https://github.com/danieluhricek/lisa
$ cd lisa
  1. Build.
# docker-compose build
  1. Run the sandbox (default location: http://localhost:4242).
# docker-compose up

Configuration

MaxMind GeoLite2

Sign up to get your API key. Use API key in docker-compose.yml build args section.

.
.
  worker:
    image: lisa-worker
    build:
      context: .
      dockerfile: ./docker/worker/Dockerfile
      args:
        maxmind_key: YOUR_KEY
    volumes:
      - "./data/storage:/home/lisa/data/storage"
      .
      .
      .
.
.

Web hosting

Setup your server's IP:port in nginx service in docker-compose.yml.

.
.
  nginx:
    image: lisa-nginx
    build:
      context: .
      dockerfile: ./docker/nginx/Dockerfile
      args:
        webhost: :
    ports:
      - :80
.
.

Scaling

Workers are scalable.

# docker-compose up --scale worker=10

VPN

You can route malware's traffic through OpenVPN. In order to do that:

  1. Mount volume containing OpenVPN config (named config.ovpn).
  2. Set environment valirable
    VPN
    to OpenVPN config's directory path.
.
.
  worker:
    image: lisa-worker
    build:
      context: .
      dockerfile: ./docker/worker/Dockerfile
    environment:
      - VPN=/vpn
    volumes:
      - "./data/storage:/home/lisa/data/storage"
      - "./vpn:/vpn"
.
.

Blacklists

Default used blacklists are (source):

  • bissh2_30d.ipset
  • firehol_level3.netset
  • firehol_webserver.netset
  • iblocklistabusezeus.netset
  • normshieldallwannacry.ipset

If you want to use any other blacklist, put .ipset or .netset files into

data/blacklists
. All of these blacklists are merged during build of
worker
service.

Adding new sub-analysis modules

Core of LiSa project supports 4 basic modules of analysis:

static_analysis
,
dynamic_analysis
,
network_analysis
and
virustotal
. Sub-analysis modules are plugin-based. For adding new sub-analysis and appending it's output to final json do following:
  1. Create class which inherits from
    AbstractSubAnalyzer
    class and implement
    run_analysis()
    method eg.:
class NewSubAnalyzer(AbstractSubAnalyzer):
    def run_analysis(self):
        pass
  1. Update list in
    lisa.config.py
    :
analyzers_config = [
    # core analyzers
    'lisa.analysis.static_analysis.StaticAnalyzer',
    'lisa.analysis.dynamic_analysis.DynamicAnalyzer',
    'lisa.analysis.network_analysis.NetworkAnalyzer',
    'lisa.analysis.virustotal.VirusTotalAnalyzer',

# custom
'module_of_new_analyzer.NewSubAnalyzer'

]

Running tests

# docker build -f ./docker/tests/Dockerfile -t lisa-tests .
# docker run lisa-tests

Upcoming features

  1. YARA module - YARA module to match patterns in LiSa's JSON output.
  2. Images selection - More Linux images containing e.g. IoT firmware.

Contribute

Contributions | feedback | issues | pull requests are welcome.

Related work

License

LiSa is licensed under Apache License 2.0.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.