This is a tool for query and obtain data from the redBorder's Malware API. There are two types of data that can be obtained:
- IPs scores
- File hashes score
It stores the data on two separated files, one for hashes (files analyzed) and another for IPs that have a score higher than a number that you can specify. After the data is gathered from the API, the app can notify snort via snortcontrol unix socket.
To install this application ensure you have the GOPATH environment variable
set and glide installed.
curl https://glide.sh/get | shAnd then:
-
Clone this repo and cd to the project
git clone https://github.com/redBorder/rb-malware-agent.git && cd rb-malware-agent
-
Install dependencies and compile
make
-
Install on desired directory
prefix=/opt/rb make install
Usage of redborder-malware-agent:
--config string
Config file
--debug
Print debug info
This is an example config file:
- url (string): address of the API to connect.
- min_score (integer): Hashes and IPs with score greather than this value goes to the blacklist and those which score lower than this value goes to the whitelist.
- ip_blacklist, ip_whitelist, hash_blacklist, hash_whitelist (string): Stores information got from the API.
- interval (integer): time in seconds between calls to the API.
- snort_socket_path: Path to the
/instance-i/SNORT.socketfile. The app will iterate through folders whereiis the index of the instance. - snort_socket_timeout: Max time in seconds to wait for snort response after the notification is sent.
url: "http://10.0.161.177:7777/reputation/v1/malware"
interval: 0
snort_socket_timeout: 5
instances: [{
min_score: 1,
ip_blacklist: "iplists/black_1.list",
ip_whitelist: "iplists/seen_1.list",
hash_blacklist: "files/black_1.list",
hash_whitelist: "files/seen_1.list",
snort_socket_path: "/etc/snort/0/cs/0"
},{
min_score: 5,
ip_blacklist: "iplists/black_2.list",
ip_whitelist: "iplists/seen_2.list",
hash_blacklist: "files/black_2.list",
hash_whitelist: "files/seen_2.list",
snort_socket_path: "/etc/snort/0/cs/1"
}]