IRMA Documentation Release 2.0.4
Quarkslab, Jan 24, 2018

Contents

1 Introduction
  1.1 Purpose
  1.2 File Analysis Process
  1.3 Infrastructure Overview
  1.4 Hardware requirements
  1.5 Supported Analyzers
2 Automated Install
  2.1 Requirements
  2.2 Ansible scripts
  2.3 Predefined Environments
  2.4 Using Debian repos
3 Manual Installation
  3.1 Brain
  3.2 Frontend
  3.3 Probe
4 Database migration
  4.1 Requirements
  4.2 Content
  4.3 Usage
  4.4 Tips and tricks
5 To evolve IRMA
  5.1 Adding a new probe
6 References
  6.1 Disclaimer
  6.2 License
  6.3 Apache License, version 2.0
  6.4 Authors
7 Frequently Asked Questions
  7.1 Playing with tags
  7.2 SSL settings
  7.3 How to debug
  7.4 How to migrate
  7.5 API documentation
  7.6 Connect to a vagrant box through ssh
  7.7 Enable SSL using OpenSSL in ansible scripts
  7.8 Speed up your Vagrant VMs
8 Resources
9 Screenshots
  9.1 Command Line Interface
  9.2 Web Interface

IRMA is an asynchronous and customizable analysis system for suspicious files. This guide explains how to set up IRMA, use it and customize it at will.

CHAPTER 1 Introduction

This introductory chapter recalls IRMA's overall architecture, the hardware required to run it and the recommended order for installing IRMA's components.

1.1 Purpose

IRMA intends to be an open-source platform designed to help identify and analyze malicious files. Today's defense is not only about learning what a file is; it is also about getting a fine-grained overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus engines detect it, and so on.

An important value of IRMA is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network.

Each submitted file is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).

1.2 File Analysis Process

1. An analysis begins when a user uploads files to the Frontend.
2. The Frontend checks SQL for existing files and results. If needed, it stores the new files and asynchronously calls scan jobs on the Brain.
3. A Brain worker sends as many subtasks to the Probe(s) as needed.
4. Probe workers process their jobs and send their results back to the Brain.
5. The Brain sends the results to the Frontend.
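The five steps above, as an added example that is not IRMA's own code: an in-memory model in which the Frontend de-duplicates uploads by sha256 and only asks the Brain for the (file, probe) pairs it has no stored result for, the Brain fans out one subtask per probe, and the results are collected per probe. The class and function names, the result fields ("type", "status", "results") and the two probes are illustrative assumptions, not IRMA's API; the hash-lookup probe models a database-style probe (such as a known-file hash set) that needs only the digest and never the content, and the file contents and the known-hash set are constructed for the example.

```python
"""Toy model of the IRMA analysis flow (added example, not IRMA's code)."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample data.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_INSTALLER = b"MZ\x90\x00 constructed installer bytes"
# Stand-in for a known-file database (NSRL-like): a set of sha256 digests.
KNOWN_SHA256 = {hashlib.sha256(KNOWN_INSTALLER).hexdigest()}


def probe_hash_lookup(sha256: str, data: bytes) -> dict:
    """Database-style probe: consumes only the digest, never the content.
    status 0 = nothing suspicious; 'results' names the match, if any."""
    known = sha256 in KNOWN_SHA256
    return {"type": "database", "status": 0,
            "results": "known application" if known else None}


def probe_toy_av(sha256: str, data: bytes) -> dict:
    """Content-inspecting probe: a one-signature stand-in for an AV CLI.
    status 1 = detection, 0 = clean."""
    hit = EICAR in data
    return {"type": "antivirus", "status": 1 if hit else 0,
            "results": "Eicar-Test-Signature" if hit else None}


# Probe registry (hypothetical names): probe name -> callable(sha256, data).
PROBES: Dict[str, Callable[[str, bytes], dict]] = {
    "HashLookup": probe_hash_lookup,
    "ToyAV": probe_toy_av,
}


def brain_scan(sha256: str, data: bytes, probes: List[str]) -> Dict[Tuple[str, str], dict]:
    """Brain: one subtask per requested probe; results keyed by (sha256, probe)."""
    return {(sha256, p): PROBES[p](sha256, data) for p in probes}


class Frontend:
    """Stores each distinct content once and caches results per (file, probe)."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}                 # sha256 -> content
        self.results: Dict[Tuple[str, str], dict] = {}    # the "SQL" result cache
        self.dispatched: List[Tuple[str, str]] = []       # subtasks sent to the Brain

    def submit(self, data: bytes, probes=None, force: bool = False):
        sha256 = hashlib.sha256(data).hexdigest()
        self.files.setdefault(sha256, data)               # same bytes stored only once
        wanted = list(probes) if probes else list(PROBES)
        # Only dispatch what is not already known, unless a rescan is forced.
        todo = [p for p in wanted if force or (sha256, p) not in self.results]
        self.dispatched.extend((sha256, p) for p in todo)
        self.results.update(brain_scan(sha256, self.files[sha256], todo))
        return sha256, {p: self.results[(sha256, p)] for p in wanted}


def verdict(report: Dict[str, dict]) -> int:
    """1 if any probe flagged the file, else 0."""
    return max(r["status"] for r in report.values())


if __name__ == "__main__":
    fe = Frontend()
    sha, report = fe.submit(b"report.doc " + EICAR)
    print(sha, verdict(report), report)
    fe.submit(b"report.doc " + EICAR)          # cache hit: nothing re-dispatched
    print("subtasks dispatched:", len(fe.dispatched))
```

Resubmitting identical bytes dispatches nothing, and a later request that adds a probe to a known file dispatches only that probe; `force=True` is the only way to re-run a probe whose engine or signatures have been updated.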
1.3 Infrastructure Overview

A drawing is better than a lot of explanations (sometimes ;)

1.4 Hardware requirements

The IRMA platform is divided into three major components: the Frontend, the Brain and one or more Probes. These three components can be installed on a single host or on multiple hosts, depending on the kind of probes you are using.

The Frontend and the Brain must be installed on a GNU/Linux system [1]. We recommend a Debian Stable distribution, which is supported and known to work. Depending on the kind of probes and their dependencies, each analyzer can be installed on a separate host or share the same host, as long as they do not interfere with each other [2]. So far, only Debian Stable and Microsoft Windows 8 and 10 hosts have been tested.

We cannot give you specific sizing numbers. On the one hand, we managed to run the whole IRMA platform on a single machine by hosting the components in multiple virtual machines: this setup gives fairly high throughput as long as it has reasonable I/O (ideally SSDs) and a good amount of memory (our setup was an i7 CPU with 16 GB of RAM on regular drives, with at least 200 GB of disk required). On the other hand, a lighter version of the system with the three parts together [3] was successfully installed on a single virtual machine (1 GB of RAM and 4 virtual processors). For a large company, in theory, a single high-memory machine with 16+ cores and SSDs could run the IRMA platform and bear the workload with reasonable response times.

[1] Theoretically, it should be possible, with some effort, to make IRMA work on Microsoft Windows systems, as most of the components used for the platform are known to work, or to have equivalents, on these systems.
1.5 Supported Analyzers

We have mainly focused our efforts on multiple anti-virus engines, but we are working on other kinds of "probes". The analyzers bundled with the IRMA probe application are enumerated below. Feel free to submit your own probes.

1.5.1 Antiviruses

So far, we have instrumented the following antiviruses from their CLI:

  Probe Name             Anti-Virus Name                    Platform
  ASquaredCmd            Emsisoft Command Line              Microsoft Windows CLI
  Avira                  Avira                              Microsoft Windows CLI
  AvastCoreSecurity      Avast                              GNU/Linux CLI
  AVGAntiVirusFree       AVG                                GNU/Linux CLI
  BitdefenderForUnices   Bitdefender                        GNU/Linux CLI
  ClamAV                 ClamAV                             GNU/Linux CLI
  ComodoCAVL             Comodo Antivirus for Linux         GNU/Linux CLI
  DrWeb                  Dr.Web                             GNU/Linux CLI
  EsetNod32              Eset Nod32 Business Edition        GNU/Linux CLI
  EScan                  eScan                              GNU/Linux CLI
  FProt                  F-Prot                             GNU/Linux CLI
  FSecure                F-Secure                           GNU/Linux CLI
  GData                  G Data Antivirus                   Microsoft Windows CLI
  Kaspersky              Kaspersky Internet Security        Microsoft Windows CLI
  McAfeeVSCL             McAfee VirusScan Command Line      GNU/Linux - Microsoft Windows CLI
  Sophos                 Sophos                             GNU/Linux - Microsoft Windows CLI
  Symantec               Symantec Endpoint Protection       Microsoft Windows CLI
  VirusBlokAda           VirusBlokAda                       GNU/Linux CLI
  Zoner                  Zoner Antivirus                    GNU/Linux CLI

[2] For instance, we managed to host several GNU/Linux anti-viruses on a single probe by preventing them from launching daemons at startup. This is difficult on Microsoft systems, on which it is not recommended to install multiple anti-viruses on a single host.
[3] With a limited set of probes.
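As an added example (not IRMA's own probe code), here is how an antivirus CLI such as ClamAV's clamscan can be turned into a structured probe result of the kind the table above implies. It assumes clamscan's documented behaviour: one "<path>: <signature> FOUND" or "<path>: OK" line per file, exit code 0 for clean, 1 for infected and 2 for errors, and the --no-summary option; the sample output in the test is constructed in that format so the parser runs offline, and the result fields are illustrative. The point worth keeping: the exit code and the parsed lines must agree, and anything else is reported as an error, never as clean, so a broken or misconfigured engine cannot silently whitelist a file.

```python
"""Antivirus CLI output -> probe result (added example, not IRMA's code)."""
import re
import subprocess
from typing import Dict, Optional

# One result line per file, e.g. "/srv/q/a.exe: Eicar-Test-Signature FOUND"
# or "/srv/q/b.pdf: OK". Other lines (warnings, errors) are ignored here.
LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_clamscan(output: str, returncode: int) -> dict:
    """Map clamscan's per-file lines plus its exit code to a probe result.

    status: 1 = detection, 0 = clean, -1 = error. An error is never reported
    as clean: that is the failure mode a consumer of AV verdicts must avoid.
    """
    detections: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            detections[m.group("path")] = m.group("sig")   # None for ": OK"

    if returncode not in (0, 1):
        # 2 = scanner error (unreadable file, missing database, ...)
        return {"status": -1, "error": f"clamscan exited {returncode}",
                "results": detections}
    hits = [sig for sig in detections.values() if sig]
    if returncode == 1 and not hits:
        # Exit code says infected but no FOUND line parsed: output format
        # drift or truncated output. Do not guess; surface it as an error.
        return {"status": -1, "error": "exit 1 but no FOUND line parsed",
                "results": detections}
    if returncode == 0 and hits:
        return {"status": -1, "error": "exit 0 but FOUND lines present",
                "results": detections}
    return {"status": 1 if hits else 0, "error": None, "results": detections}


def run_clamscan(path: str, timeout: int = 120) -> dict:
    """Real invocation for a probe host with clamscan installed.

    --no-summary keeps stdout to the per-file lines the parser expects.
    A timeout is a scanner failure, so it also maps to status -1.
    """
    try:
        proc = subprocess.run(["clamscan", "--no-summary", path],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": -1, "error": f"clamscan timed out after {timeout}s",
                "results": {}}
    return parse_clamscan(proc.stdout, proc.returncode)


if __name__ == "__main__":
    # Constructed output in clamscan's format; on a probe host use run_clamscan().
    sample = "/srv/q/a.exe: Eicar-Test-Signature FOUND\n/srv/q/b.pdf: OK\n"
    print(parse_clamscan(sample, 1))
```

The same shape (one parser per engine, exit code cross-checked against parsed lines, timeouts and unknown exit codes mapped to an error status) carries over to the other CLI engines in the table; only the line regex and exit-code table change per vendor.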
1.5.2 External analysis platforms

So far, we query the following external analysis platforms:

  Probe Name   Analysis Platform   Description
  VirusTotal   VirusTotal          The report is looked up by the sha256 of the file; the file itself is not sent

1.5.3 File database

So far, we query the following file databases:

  Probe Name   Database                              Description
  NSRL         National Software Reference Library   Collection of digital signatures of known, traceable software applications

1.5.4 Metadata

So far, we have implemented the following analyzers:

  Probe Name       Description
  StaticAnalyzer   PE file analyzer adapted from Cuckoo Sandbox
  PEiD             PE file packer analyzer
  Yara             Checks whether a file matches Yara rules

CHAPTER 2 Automated Install

The IRMA platform can be easily installed with a set of Ansible roles and playbooks. They will help you build, install or maintain different setups.

2.1 Requirements

• Ansible 2.2.1.0

2.2 Ansible scripts

Get the IRMA Ansible scripts from GitHub:

  $ git clone https://github.com/quarkslab/irma
  $ cd irma/ansible

2.3 Predefined Environments

There are two different IRMA setups available. Dev/Testing is installed in one or more virtual machines, while Production can be used to install IRMA on physical machines or on virtual machines that are already set up.

2.3.1 Development environment

This environment has been designed to help you modify IRMA's components, then redeploy and test them. In this setup, everything is installed in a single virtual machine, with the sources rsync-ed between the host and the guest.

Requirements

• Vagrant 1.8 or higher has to be installed
• As the installation only works with VirtualBox, you will need to install it
• Rsync, to synchronize directories from the host to the VMs
• Read the Ansible introduction

Run Vagrant and create your VMs

To initialize and provision the VirtualBox VM:
  $ cd <IRMA_SRC_DIR>/ansible
  $ VM_ENV=your_environment_name vagrant up

The template will be downloaded automatically and configured using the environments/dev.yml file.

Note: Optionally, if you want to use your own environment, create it in the environments directory and run:

  $ VM_ENV=your_environment_name vagrant up

Configure your .ini files

Note: You can bypass this step, as this
