Anubi
IOC/Hash scanner and IDS layer 4 portable and fast
Anubi is a tool designed and written in Python in order to be flexible and usable on different platforms.
Functions
Anubi combines 5 different engines to check your assets:
- IOC scanner
- Hash scanner
- IP check
- Filesystem modifications (Voyeur)
- API
These functionalities use a prepared set of rules available in my repository generated daily; even custom rules can be loaded.
IOC scanner
IOC scan is a passive monitoring on the filesystem root applying Yara rules generated in my official repo
Hash scanner
Hash scan is a passive monitoring on the filesystem root applying Hash rules generated in my official repo
IP checker
IP checker is an active monitoring of a particular ethernet interface applying IP rules generated in my official repo
Filesystem modifications (Voyeur)
Voyeur is an active monitoring on the filesystem directories specified applying Yara and Hash rules
API
Anubi helps users with its own API system used to interact.
Command to connect with API system curl http://127.0.0.1:5555/api?func=help provides available references:
- download_signatures,
http://127.0.0.1:5555/api?func=download_signaturesallows pulling from anubi-signatures repository for rules update without reload them in Anubi - refresh_yara,
http://127.0.0.1:5555/api?func=refresh_yararefreshes official and custom Yara rules - refresh_hash,
http://127.0.0.1:5555/api?func=refresh_hashrefreshes official and custom Malware hash rules - refresh_ip,
http://127.0.0.1:5555/api?func=refresh_iprefreshes official and custom IP for network monitoring - force_yara_scan,
http://127.0.0.1:5555/api?func=force_yara_scan&dir=url_encoded_dirforces a yara scan (dir parameter shall be url-encoded) - force_hash_scan,
http://127.0.0.1:5555/api?func=force_hash_scan&dir=url_encoded_dirforces a hash scan (dir parameter shall be url-encoded) - report,
http://127.0.0.1:5555/api?func=report&dir=report_typerequires and prints the report for the current day for the selected type (yara, hash, voyeur or ips)
User is helped by a simply webui in order to interact with Anubi (as default console is reacheable at http://127.0.0.:5555)
OS supported
Linux, MacOS and Windows
Dependencies
External dependencies are needed:
- WinPcap
- Windows: follow official documentation
- Git
- Linux (Debian):
apt install git-core - Linux (Centos):
yum install git-core - MacOS:
brew install git - Windows: follow official documentation
- Linux (Debian):
- Python3
- Linux (Debian):
apt install python3 - Linux (Centos):
yum install python3 - MacOS:
brew install python3 - Windows: follow official documentation
- Linux (Debian):
- Python3 Pip
- Linux (Debian):
apt install python3-piporpython3 -m ensurepip - Linux (Centos):
yum install python3-piporpython3 -m ensurepip - MacOS:
python3 -m ensurepip - Windows: Pip will be install with Python3 installation, follow official documentation
- Linux (Debian):
- YARA
- Linux/Windows: follow official documentation
- MacOS:
brew install yara
Relating to Pip modules, user can install dependecies through pip install -r pip_requirements.txt
Attention: running Anubu some errors can appear, as below
yara.SyntaxError: ......./anubi/conf/anubi-signatures/yara/RANSOM_BadRabbit.yar(35): invalid field name "imphash"
this happen because yara-python or yara needs to be installed after or with the compilation support of other libraries, such libssl-dev for this particular case
Run
Anubi is developed to be run on Linux and Mac, further release will provides same functions on Windows.
In order to print full options, run Anubi with --help; the following options will be returned:
In details, options available are the following:
- -h, --help used to show the current help message and exit
- --check-conf used to check the current configuration and exit
- --check-struct used to check Anubi directory structure and exit
- --create-struct used to create Anubi directory structure needed and exit
- --init used to init runtime.dat configuration file in order to set features to protect us and exit
- --start used to start Anubi with configuration created and rules already present
- --start-full used to start Anubi with configuration created (if runtime.dat is not present, it will be created before starting), rules will be downloaded or updated
- --wipe used to erase Anubi logs and exit
Remember to run always as root user!
In order to start and control our assets, follow the flow below:
- clone repo
- install dependencies
- run Anubi with --start-full
During first time start Anubi will ask for its internal set up, as:
- periodic IOC/malware scan
- live network activities monitoring
- particular directories hooks where IOC and malware detections will started on file creation/modification events.
In case of error during rules loading process, only the line with error will be discarded, not the entire file.
conf_anubi.py
File conf_anubi.py contains personal settings usable by user to customize Anubi, as below:
Scan process
Periodical or on-demand scans are executed parallel and output can be visualized at screen or in specific file in path reports
Whitelisting
Anubi allows to whitelist:
- Yara rules
- Hash
- IP
only adding them in conf_anubi.py in specific whitelist:
- Yara rules specified by name (example Certutil_Decode_OR_Download) in yara_whitelist
- Hash (example 1ebbd3e34237af26da5dc08a4e440464) in hash_whitelist
- IP (example 1.1.1.1) in ip_whitelist
Notifications
Anubi is able to launch notifications in desktop environments, using py-notifier library. Notification is fired when:
- IOC for periodic scan, on-demand scan or Voyeur is detected
- Malware for periodic scan, on-demand scan or Voyeur is detected
- IP marked as malicious is detected in network activity
