rb-malware-agent

Published: Aug 16, 2023 License: AGPL-3.0


rb-malware-agent


Warning

This service is in the development stage and we change it constantly, so bugs may occur. The master branch should be compatible with the latest redBorder reputation server and is the most stable version to use in production.

Currently, the SDK builds this service with Go go1.11.13 linux/amd64 and Glide version 0.13.0-dev.

⚠️ You may encounter odd build issues when using a different Go version together with the GCC compiler.

Overview

This is a tool for querying and retrieving data from redBorder's Malware API. Three types of data can be obtained:

  • IPs scores
  • File hashes score
  • URL scores

It stores the data in three separate files: one for file hashes (analyzed files), one for IPs and one for URLs, keeping the entries whose score is higher than a threshold you specify. After the data is gathered from the API, the agent can notify Snort about new hashes and IPs through the snortcontrol unix socket.

To notify Snort about new URLs, rb-malware-agent generates a Snort rule for each URL. To choose each rule's SID, it inspects every Snort instance and all of their bindings, so that the generated SIDs do not collide with other Snort rules.

Once the rules are generated, rb-malware-agent decides whether to trigger a Snort service reload by comparing the SHA256 digest of the old rules file with that of the new one; if the digests differ, it triggers the reload.

The agent also validates the new configuration before applying it, to avoid crashes or network outages, and rolls back to the previous configuration if necessary.

When a reload is triggered, the agent generates a new gen-msg.map and then triggers a barnyard2 reload.

Rules generated by rb-malware-agent use GID 369.
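The URL part of that workflow (SID allocation that avoids collisions with existing rules, rule rendering under GID 369, and the SHA256 comparison that decides whether a reload is needed) as an added example in Go. This is illustrative code written for this page, not rb-malware-agent's own implementation: the rule template (matching the host in the Host header and the path in the URI buffer), the discovery of used SIDs by scanning `sid:N;` in rule file bodies (standing in for the agent's walk over all Snort instances and bindings) and the sample rule and URLs are all assumptions or constructed input. Only GID 369 comes from the README.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Added example, not rb-malware-agent's code. Assumed: the rule template,
// SID discovery by scanning "sid:N;" in existing rule files (standing in for
// the agent's walk over every Snort instance and binding). GID 369 is the README's.

const malwareAgentGID = 369

var sidRe = regexp.MustCompile(`\bsid:\s*(\d+)\s*;`)

// usedSIDs collects every SID found in the supplied rule file bodies.
func usedSIDs(ruleFiles ...string) map[int]bool {
	used := make(map[int]bool)
	for _, body := range ruleFiles {
		sc := bufio.NewScanner(strings.NewReader(body))
		for sc.Scan() {
			line := strings.TrimSpace(sc.Text())
			if line == "" || strings.HasPrefix(line, "#") {
				continue // blank or commented-out rule: its SID is free
			}
			if m := sidRe.FindStringSubmatch(line); m != nil {
				n, _ := strconv.Atoi(m[1]) // \d+ guarantees a valid integer
				used[n] = true
			}
		}
	}
	return used
}

// escapeContent escapes the characters Snort treats specially inside content:"..." and msg:"...".
func escapeContent(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, `;`, `\;`, `|`, `\|`).Replace(s)
}

// urlRule renders one Snort rule for a blacklisted URL (assumed template): host via Host header, path+query via the URI buffer.
func urlRule(raw string, sid int) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("invalid URL %q", raw)
	}
	return fmt.Sprintf(`alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS `+
		`(msg:"rb-malware-agent: blacklisted URL %s"; flow:to_server,established; `+
		`content:"Host: %s|0D 0A|"; http_header; nocase; content:"%s"; http_uri; nocase; `+
		`classtype:trojan-activity; gid:%d; sid:%d; rev:1;)`,
		escapeContent(raw), escapeContent(u.Host), escapeContent(u.RequestURI()),
		malwareAgentGID, sid), nil
}

// generateRules renders one rule per URL, allocating SIDs from firstSID upwards and skipping any SID already in used.
func generateRules(urls []string, used map[int]bool, firstSID int) (string, error) {
	var sb strings.Builder
	sid := firstSID
	for _, u := range urls {
		for used[sid] {
			sid++
		}
		rule, err := urlRule(u, sid)
		if err != nil {
			return "", err
		}
		used[sid] = true
		sid++
		sb.WriteString(rule + "\n")
	}
	return sb.String(), nil
}

// rulesDigest is the hex SHA-256 of a rules file body.
func rulesDigest(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

// needsReload is the README's trigger: reload only when the digest of the old rules file differs from the new one.
func needsReload(oldRules, newRules string) bool {
	return rulesDigest(oldRules) != rulesDigest(newRules)
}

func main() {
	// Constructed sample: one rule already deployed on the instance.
	existing := "alert tcp any any -> any any (msg:\"old\"; gid:369; sid:1000001; rev:1;)\n"
	rules, err := generateRules([]string{"http://evil.example/dl/payload.exe?x=1"}, usedSIDs(existing), 1000001)
	if err != nil {
		panic(err)
	}
	fmt.Print(rules)
	fmt.Println("reload needed:", needsReload(existing, rules))
}
```

Commented-out rules are skipped when collecting SIDs, so their numbers are treated as free; if your deployment keeps disabled rules around for later re-enabling, count them as used instead. The pre-reload validation and rollback step from the overview is not shown here.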

Installing Glide and building project

  1. Glide is discontinued; to install it, download the binary from https://github.com/Masterminds/glide/releases/tag/v0.13.0

  2. Make sure you have GOPATH set correctly.

  3. Copy the glide binary into $GOPATH/bin

  4. Check the version by running glide -v

And then:

  1. Clone this repo and cd into the project

    git clone https://github.com/redBorder/rb-malware-agent.git && cd rb-malware-agent
    
  2. Install dependencies and compile

    make
    
  3. Install into the desired directory

    prefix=/opt/rb make install
    
  4. To rebuild the project after making changes to the code base:

      make clean
      make
    

Usage

Usage of redborder-malware-agent:

--config string
    Config file
--debug
    Print debug info

Configuration

The configuration file has the following fields (an example follows below):

  • url (string): address of the API to connect to.
  • interval (integer): interval between requests to the rb-reputation REST API to pull data.
  • snort_socket_timeout (integer): time to wait for the Snort socket to respond.
  • snort_bin_path (string): path to the Snort binary, used to verify the URL rules.
  • instances (list): one entry per Snort instance, each carrying the per-instance fields below.
  • min_score (integer): hashes and IPs with a score greater than this value go to the blacklist; those with a lower score go to the whitelist.
  • ip_blacklist, ip_whitelist, hash_blacklist, hash_whitelist (string): files that store the information obtained from the API.
  • rb_ipreload_script (string): path to the IP-list reload script (present in the example below, otherwise undocumented).
  • snort_socket_path (string): path to the /instance-i/SNORT.socket file. The app iterates through the instance folders, where i is the index of the instance.
  • url_blacklist (string): Snort .rules file where the new URL blacklist rules are stored.
  • snort_instance_path (string): where the Snort instance is located.
Example

Note:

In the redBorder IPS sensor, the list files must be named with the prefix "redBorder-file" and the extension .blf (blacklist) or .wlf (whitelist). If they are not, the lists will not be loaded when Snort starts, restarts or reloads, and reloading them through the unix socket will cause a segmentation fault.

See the Snort manual, page 125: https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/249/original/snort_manual.pdf

url: "http://10.0.161.177:7777/reputation/v1/malware"
interval: 0
snort_socket_timeout: 5
snort_bin_path: "/opt/rb/bin/snort"
instances: [{
    min_score: 1,
    ip_blacklist: "iplists/redBorder-file-malware-agent.blf",
    ip_whitelist: "iplists/redBorder-file-malware-agent.wlf",
    rb_ipreload_script: "iplists/ipreload_script.sh",
    hash_blacklist: "files/black_1.list",
    hash_whitelist: "files/seen_1.list",
    snort_socket_path: "/etc/snort/0/cs/0",
    url_blacklist: "/etc/snort/0/url/urls.rules",
    snort_instance_path: "/etc/snort/0"
  }, {
    min_score: 5,
    ip_blacklist: "iplists/redBorder-file-malware-agent.blf",
    ip_whitelist: "iplists/redBorder-file-malware-agent.wlf",
    rb_ipreload_script: "iplists/ipreload_script.sh",
    hash_blacklist: "files/black_2.list",
    hash_whitelist: "files/seen_2.list",
    snort_socket_path: "/etc/snort/0/cs/1",
    url_blacklist: "/etc/snort/1/url/urls.rules",
    snort_instance_path: "/etc/snort/1"
  }]

Directories

Path Synopsis
API client for redBorder's Malware API.
cmd
app
Gets redborder's malware score value for files or IPs from RedBorder's malware API.
snort-control
Example command to send a control message to snort.
Snort control package.
