The tool approaches detection of malicious activity differently from, say, Snort or Suricata. Instead of looking at the entire traffic stream, it looks at elements within the traffic: individual files and programs. For instance, if an email is received, it will look at the body of the email, then the attachment, break out the sub-components of the attachment and analyze them separately.
Laika BOSS has been internally tested at Lockheed for several years now, and most of the bugs should be worked out. They have open sourced it in the same spirit in which they released the now-famous kill chain paper, hoping to promote more advances in network defense.
A copy can be found at their github: https://github.com/lmco/laikaboss.
The install instructions are pretty straightforward, though there are a fair number of dependencies to install first:
apt-get install yara python-yara python-progressbar
pip install interruptingcow
apt-get install libzmq3 python-zmq python-gevent python-pexpect
apt-get install python-ipy python-m2crypto python-pyclamd liblzma5 libimage-exiftool-perl python-msgpack libfuzzy-dev python-cffi python-dev unrar
pip install fluent-logger olefile ssdeep py-unrar2 pylzma
wget https://github.com/smarnach/pyexiftool/archive/master.zip
unzip master.zip
cd pyexiftool-master
python setup.py build
python setup.py install
wget http://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
tar vxzf pefile-1.2.10-139.tar.gz
cd pefile-1.2.10-139
python setup.py build
python setup.py install
I had no trouble installing any of this on a fully updated Debian box; on an older CentOS machine (5.7) I had to manually search Google for a lot of things and install from source.
Next, grab a copy of the laika source from github:
wget https://github.com/lmco/laikaboss/archive/master.zip
unzip master.zip
cd laikaboss-master
Laika has several parts: a standalone scanner, a distributed client-server framework, and an integration with MTAs. Usage of the standalone instance is fairly simple:
Just point it at a file and go. It returns a wealth of information in JSON format, so it can easily be parsed by other applications or sent to a SIEM.
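To make the object-based approach concrete (an email is split into body and attachment, the attachment is unpacked, and every piece is scanned on its own, with the results reported as a JSON tree), here is a small added illustration in Python. It is not Laika BOSS code: the sample email, the zip-in-mail-with-a-PE-inside content, the flag names, the depth guard and the JSON layout are all constructed for this example and do not mirror Laika's real modules or output format.

```python
import email, io, json, zipfile
from email.message import EmailMessage

MAX_DEPTH = 5  # stop unpacking nested archives past this depth (zip-in-zip bombs)

def build_sample_email() -> bytes:
    # Constructed sample input: a text body plus a zip attachment holding a PE file
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "analyst@example.com", "invoice"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x90" * 62)  # a fake DOS header is enough here
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

def scan_object(data: bytes, name: str, depth: int) -> dict:
    # Scan one object; containers are unpacked and each child is scanned on its own
    obj = {"name": name, "depth": depth, "size": len(data),
           "type": "unknown", "flags": [], "children": []}
    if data.startswith(b"PK\x03\x04"):
        obj["type"] = "zip"
        if depth >= MAX_DEPTH:
            obj["flags"].append("max_depth_exceeded")  # surfaced as a flag, not silently skipped
            return obj
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                obj["children"].append(scan_object(zf.read(member), member, depth + 1))
    elif data.startswith(b"MZ"):
        obj["type"] = "pe"
        obj["flags"].append("pe_executable")
        if depth > 1:  # the PE was hidden inside an attachment container
            obj["flags"].append("pe_inside_container")
    else:
        obj["type"] = "text" if data.isascii() else "binary"
    return obj

def scan_email(raw: bytes) -> dict:
    # Entry point: parse the message, then scan the body and every attachment separately
    msg = email.message_from_bytes(raw)
    root = {"name": "email", "depth": 0, "type": "email", "flags": [], "children": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "body:" + part.get_content_type()
        root["children"].append(scan_object(part.get_payload(decode=True), name, 1))
    return root

if __name__ == "__main__":
    print(json.dumps(scan_email(build_sample_email()), indent=2))
```

The flags on each node are what a SIEM rule would key on; a stream-oriented IDS would only ever see the base64-encoded attachment bytes and never the PE two layers down.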
I haven't played around with the networked instances yet, but I probably will in the near future. Someone also pointed me to REbus, which looks like a similar application I'm going to have to take a look at in the future.
f3n3s7ra