w3ndige / aurora Goto Github PK

View Code? Open in Web Editor NEW

75.0 3.0 8.0 6.73 MB

Malware similarity platform with modularity in mind.

License: Other

Python 76.43% Dockerfile 0.28% Mako 0.52% Shell 0.06% HTML 20.29% JavaScript 2.19% CSS 0.23%

aurora's Introduction

Aurora

Automated malware similarity platform with modularity in mind.

Usage

Essential services

Remember, that aurora uses a number of services running under a hood.

PostgreSQL for a database.
Karton for backend pipeline.
- Redis for Karton.
- Minio for Karton.

In order to set up Karton, please see the Karton documentation, which gives a great head start into how Karton ecosystem works and how you can easily write new karton for different similarity tasks.

Configuration

Rename the .env.template file to .env and fill the blank values.

Manual installation

Make sure that libmagic and libfuzzy libraries are installed.

For Ubuntu:

apt-get install -y libmagic-dev libfuzzy-dev libfuzzy2

For Arch Linux:

pacman -S ssdeep

Install aurora package.

pip install .

Start the server.

uvicorn aurora.app

Docker installation

In addition, you can use both Docker image and Docker Compose to quickly setup full environment.

docker-compose -f docker-compose.yml build
docker-compose -f docker-compose.yml up

License

This software is licensed under This software is licensed under GNU Affero General Public License version 3 except for kartons.

For more information, read LICENSE file.

aurora's People

Stargazers

Watchers

Forkers

fr0gger olivierh59500 l1kw1d cybersecops superuser5 eragon226 sh1dow3r ethicalsecurity-agency

aurora's Issues

Optimize big network graph

No idea how to proceed with it yet but the graph has to be optimized.

Possible solutions can be:

Move from a different graph library (possibly supporting WebGL).
Limit the number of visible nodes (and edges).
Build clusters already in DB (hard but the best solution for really larg graphs)
Don't show small (2-3 nodes) clusters.

Directories in https://github.com/W3ndige/aurora/tree/master/kartons are subprojects. To get them, user may clone project by command git clone --recursive https://github.com/W3ndige/aurora. However, subproject path in https://github.com/W3ndige/aurora/blob/master/.gitmodules was set as ssh@, which causes normal users can't get the project without ssh key. I believe, the solution is change url protocols to https

Docker-compose unsupported config version

Hello. I tried creating docker-compose with commands from readme. I got error message Unsupported config version <a service name>. The problem is similar to this topic https://stackoverflow.com/questions/36724948/docker-compose-unsupported-config-option-for-services-service-web. Solution: Add version: "3.0" to the head of docker-compose.yml
Platform: Parrot OS 4.13 amd64
Docker-compose version: 1.25.0

Decompile or disassemble .NET malware.

Add aurora-karton reporter

Add single karton for communicating with aurora. Allows for unit tests for other kartons.

New frontend using one of Javascript frameworks.

Leave this dirty Jinja templating alone

Survey other code similarity methods

Minhashing functions instead of whole code.

Maldoc similarity

Add maldoc similarity karton based on the embedded images and (or) other characteristics of a document.

References:
https://github.com/jstrosch/graph-maldoc-similar-images

Add tags

By tagging different entities, user will be able to extend the analysis with the manual input usually not possible to gather by the system. In future, such tagging could allow for better similarity predictions, partially assisted by the user/analyst. Example of such information can be:

Malware family.
APT group name.
String origin (for example string discovered in samples from certain APT group)
Minhash origin (for example function used in legit binary, etc)

Proposed tags:

Tagging malware samples will allow user to input his own information about the sample such as family, group, etc.
Tagging strings.
Tagging minhash.

Optional:

Tagging relations.

For function similarity, see #5.

Test graph databases for storing relationship information.

References:

https://neo4j.com/developer/graph-database/

Calculate minhash of each function in sample

This can yield better results than minhashing whole disassembly by comparing if some of the functions are similar to the others in database.

Standardise malware similarity profile.

Malware similarity profile should be standardized into a clean and understandable summary of a malware sample.

Something like this.

{
    
    "profile": {
        "filename": "filename",
        "md5": "md5",
        "sha1": "sha1",
        "sha256": "sha256",
        "sha512": "sha512",
        "imphash": "imphash",
        "ssdeep": "ssdeep",

        
        "minhash": {
            "string": "minhash of file strings",
            "code": [
                {
                    "function_addr": "address of function",
                    "function_minhash": "minhash of functions assembly code"
                }
            ]
        },

        "artifacts": {
            "unique_strings": [
                "list of unique strings found by different heuristics."
            ]
        }
    }
}

String similarity

Add karton for adding relationship with similar strings.

Optimization ideas:

Store string length in db and choose only strings with length different by only a small factor.

References:
https://github.com/seatgeek/fuzzywuzzy

Use luqum for advance searching

Luqum will allow for using lucerne like query syntax instead of this cursed abomination I'm currently using.

References:

https://github.com/jurismarches/luqum

MWDB Plugin

https://mwdb.readthedocs.io/en/latest/integration-guide.html

Problem with Post sample

Hi,

After many hours of debugging, I finally have MWDB with Aurora.

Now I have a problem when I push a malware in mwdb.

Nothing appears in Aurora.

I have in my docker aurora
"XXX.XXX.XXX.XXX:57086 - "POST /api/v1/sample/92bc02116a72b13d359ba88e0984ea09d2eb230fbf711d92a0c961e08274a09e/minhash HTTP/1.1" 404"

But if I use via the api interface, a post of a sample, it works.
XXX.XXX.XXX.XXX:44884 - "POST /api/v1/sample/8067902175e02514dafffebb78dde8044a8f646bf63322e8fd5777bf39bb9a69/minhash HTTP/1.1" 200