IOC/Hash scanner and layer 4 IDS, portable and fast
Anubi is a tool designed and written in Python in order to be flexible and usable on different platforms.
Anubi combines 5 different engines to check your assets:
These functionalities use a prepared set of rules, generated daily and available in my repository; custom rules can be loaded as well.
IOC scan is a passive monitoring of the filesystem root, applying the Yara rules generated in my official repo
Hash scan is a passive monitoring of the filesystem root, applying the hash rules generated in my official repo
IP checker is an active monitoring of a particular ethernet interface, applying the IP rules generated in my official repo
Voyeur is an active monitoring of the specified filesystem directories, applying Yara and hash rules
Anubi also exposes its own API system, used to interact with it.
The command to connect to the API system, curl http://127.0.0.1:5555/api?func=help
provides the available references:
http://127.0.0.1:5555/api?func=download_signatures
allows pulling from the anubi-signatures repository for a rules update, without reloading them in Anubi
http://127.0.0.1:5555/api?func=refresh_yara
refreshes official and custom Yara rules
http://127.0.0.1:5555/api?func=refresh_hash
refreshes official and custom malware hash rules
http://127.0.0.1:5555/api?func=refresh_ip
refreshes official and custom IPs for network monitoring
http://127.0.0.1:5555/api?func=force_yara_scan&dir=url_encoded_dir
forces a yara scan (the dir parameter shall be url-encoded)
http://127.0.0.1:5555/api?func=force_hash_scan&dir=url_encoded_dir
forces a hash scan (the dir parameter shall be url-encoded)
http://127.0.0.1:5555/api?func=report&dir=report_type
requests and prints the report for the current day for the selected type (yara, hash, voyeur or ips)
The user is also helped by a simple web UI to interact with Anubi (by default the console is reachable at http://127.0.0.1:5555)
Linux, MacOS and Windows
External dependencies are needed:
git:
apt install git-core
yum install git-core
brew install git
python3:
apt install python3
yum install python3
brew install python3
pip:
apt install python3-pip (or python3 -m ensurepip)
yum install python3-pip (or python3 -m ensurepip)
python3 -m ensurepip
yara:
brew install yara
Relating to pip modules, the user can install dependencies through pip install -r pip_requirements.txt
Attention: when running Anubi some errors can appear, as below:
yara.SyntaxError: ......./anubi/conf/anubi-signatures/yara/RANSOM_BadRabbit.yar(35): invalid field name "imphash"
This happens because yara-python (or yara) must be installed after, or compiled with support for, other libraries, such as libssl-dev in this particular case.
Anubi is developed to be run on Linux and Mac; a future release will provide the same functions on Windows.
In order to print the full options, run Anubi with --help; the following options will be returned:
In detail, the available options are the following:
Remember to always run as the root user!
In order to start and control your assets, follow the flow below:
During the first start, Anubi will ask for its internal set-up, as:
In case of an error during the rules loading process, only the line with the error is discarded, not the entire file.
The file conf_anubi.py contains personal settings the user can use to customize Anubi, as below:
Periodic or on-demand scans are executed in parallel, and the output can be viewed on screen or in a specific file under the reports path.
Anubi allows whitelisting:
by simply adding them in conf_anubi.py, in the specific whitelist:
Anubi is able to launch notifications in desktop environments, using the py-notifier library. A notification is fired when:
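The hash-rule loading behaviour described above (a malformed line is discarded, the rest of the file survives) and the whitelist idea, as an added example that is not Anubi's own code: it assumes a rule file with one MD5/SHA-1/SHA-256 hex digest per line (a format this page does not document) and takes the whitelist as a tuple of path prefixes.

```python
import hashlib
import os
import re

# Assumed rule format (not documented on this page): one MD5, SHA-1 or SHA-256
# hex digest per line, with optional "# comment" text after it.
_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_hash_rules(text):
    """Parse hash rules: a malformed line is discarded, the rest of the file is kept.
    Returns (rules, errors); rules maps digest -> (algorithm, line number)."""
    rules, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not _DIGEST_RE.match(line):
            errors.append((lineno, raw.strip()))  # drop only this line
            continue
        rules[line] = (_ALGO_BY_LEN[len(line)], lineno)
    return rules, errors


def file_digests(path, algorithms):
    """Hash one file with every algorithm the rule set needs, in a single read."""
    hashers = {algo: hashlib.new(algo) for algo in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_scan(root, rules, whitelist=()):
    """Walk root; return [(path, digest, rule line)] for files matching a rule.
    whitelist holds path prefixes to skip, like the conf_anubi.py whitelist."""
    algorithms = {algo for algo, _ in rules.values()}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if any(path.startswith(w) for w in whitelist):
                continue
            try:
                digests = file_digests(path, algorithms)
            except OSError:
                continue  # unreadable file (permissions, race): skip, keep scanning
            for digest in digests.values():
                if digest in rules:
                    hits.append((path, digest, rules[digest][1]))
    return hits
```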