This is a tool to query and retrieve data from redBorder's Malware API. Two types of data can be obtained:

- IP scores
- File hash scores

It stores the data in two separate files: one for hashes (files analyzed) and another for IPs whose score is higher than a threshold you specify. After the data is gathered from the API, the app can notify Snort through the snortcontrol unix socket.
To install this application, ensure you have the `GOPATH` environment variable set and glide installed:

```bash
curl https://glide.sh/get | sh
```

And then:

- Clone this repo and cd to the project

```bash
git clone https://github.com/redBorder/rb-malware-agent.git && cd rb-malware-agent
```

- Install dependencies and compile

```bash
make
```

- Install on the desired directory

```bash
prefix=/opt/rb make install
```
```
Usage of redborder-malware-agent:
  --config string
        Config file
  --debug
        Print debug info
```
The config file has the following options:

- `url` (string): address of the API to connect to.
- `interval` (integer): time in seconds between calls to the API.
- `snort_socket_timeout` (integer): maximum time in seconds to wait for Snort's response after the notification is sent.
- `instances` (list): one entry per Snort instance, each with the options below.
- `min_score` (integer): hashes and IPs with a score greater than this value go to the blacklist; those with a lower score go to the whitelist.
- `ip_blacklist`, `ip_whitelist`, `hash_blacklist`, `hash_whitelist` (string): files where the information obtained from the API is stored.
- `snort_socket_path` (string): path to the `/instance-i/SNORT.socket` file. The app will iterate through the folders, where `i` is the index of the instance.

This is an example config file:

```
url: "http://10.0.161.177:7777/reputation/v1/malware"
interval: 0
snort_socket_timeout: 5
instances: [{
    min_score: 1,
    ip_blacklist: "iplists/black_1.list",
    ip_whitelist: "iplists/seen_1.list",
    hash_blacklist: "files/black_1.list",
    hash_whitelist: "files/seen_1.list",
    snort_socket_path: "/etc/snort/0/cs/0"
},{
    min_score: 5,
    ip_blacklist: "iplists/black_2.list",
    ip_whitelist: "iplists/seen_2.list",
    hash_blacklist: "files/black_2.list",
    hash_whitelist: "files/seen_2.list",
    snort_socket_path: "/etc/snort/0/cs/1"
}]
```
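The following Go program is an added example, not code from rb-malware-agent, showing what the per-instance options above amount to: entries returned by the API are split by `min_score` into the blacklist and whitelist files, and Snort is then notified over the unix socket with `snort_socket_timeout` bounding the wait. The `Entry` shape of the API response, the message written to the socket, and the handling of a score exactly equal to `min_score` (kept out of the blacklist) are assumptions of this example; the page documents none of them.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Entry is one record from the reputation API. The real response format is not
// documented on this page, so this shape is an assumption of the example.
type Entry struct {
	Value string // IP address or file hash
	Score int
}

// Instance mirrors one element of the "instances" array in the config file.
type Instance struct {
	MinScore        int
	IPBlacklist     string
	IPWhitelist     string
	HashBlacklist   string
	HashWhitelist   string
	SnortSocketPath string
}

// split partitions entries by min_score: a score strictly greater than min_score
// goes to the blacklist, anything else to the whitelist (the README leaves the
// equal case unspecified; this example keeps it out of the blacklist).
func split(entries []Entry, minScore int) (black, white []string) {
	for _, e := range entries {
		if e.Score > minScore {
			black = append(black, e.Value)
		} else {
			white = append(white, e.Value)
		}
	}
	sort.Strings(black)
	sort.Strings(white)
	return black, white
}

// writeList writes one value per line, creating the parent directory first.
func writeList(path string, values []string) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
		return err
	}
	f, err := os.Create(path)
	if err != nil {
		return err
	}
	defer f.Close()
	w := bufio.NewWriter(f)
	for _, v := range values {
		fmt.Fprintln(w, v)
	}
	return w.Flush() // Flush reports any write error recorded above
}

// UpdateInstance regenerates the four list files of one instance.
func UpdateInstance(inst Instance, ips, hashes []Entry) error {
	ipBlack, ipWhite := split(ips, inst.MinScore)
	hashBlack, hashWhite := split(hashes, inst.MinScore)
	lists := map[string][]string{
		inst.IPBlacklist:   ipBlack,
		inst.IPWhitelist:   ipWhite,
		inst.HashBlacklist: hashBlack,
		inst.HashWhitelist: hashWhite,
	}
	for path, values := range lists {
		if err := writeList(path, values); err != nil {
			return err
		}
	}
	return nil
}

// NotifySnort sends msg over the snortcontrol unix socket and returns the reply.
// Connect, write and read are all bounded by timeout (snort_socket_timeout), so
// an unresponsive Snort cannot stall the agent. The wire format snortcontrol
// expects is not described on this page; msg is whatever the caller supplies.
func NotifySnort(socketPath string, msg []byte, timeout time.Duration) ([]byte, error) {
	conn, err := net.DialTimeout("unix", socketPath, timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	if _, err := conn.Write(msg); err != nil {
		return nil, err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

func main() {
	// Constructed sample data standing in for an API response.
	ips := []Entry{{Value: "198.51.100.7", Score: 9}, {Value: "198.51.100.8", Score: 2}}
	inst := Instance{MinScore: 5, IPBlacklist: "iplists/black_1.list", IPWhitelist: "iplists/seen_1.list",
		HashBlacklist: "files/black_1.list", HashWhitelist: "files/seen_1.list"}
	if err := UpdateInstance(inst, ips, nil); err != nil {
		fmt.Println("error:", err)
	}
}
```

Running the program writes the four list files relative to the working directory, just as the example config's relative paths do; `NotifySnort` is left for the caller to invoke once the lists are in place, with the timeout taken from the config.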