Wednesday, February 24, 2016

Laika BOSS

Last summer Lockheed Martin open-sourced one of their tools for intrusion detection, Laika BOSS. The whitepaper can be found here.

The tool approaches detection of malicious activity differently from, say, Snort or Suricata. Instead of looking at the entire traffic stream, it looks at the elements within the traffic: individual files and programs. For instance, if an email is received, it will look at the body of the email, then the attachment, break out the sub-components of the attachment, and analyze each of them separately.

Laika BOSS has been tested internally at Lockheed for several years now, so most of the bugs should be worked out. They open-sourced it in the same spirit in which they released the now-famous kill chain paper, hoping to promote further advances in network defense.

A copy can be found on their GitHub: https://github.com/lmco/laikaboss.

The install instructions are pretty straightforward; there are a fair number of dependencies to be installed first:

apt-get install yara python-yara python-progressbar
pip install interruptingcow
apt-get install libzmq3 python-zmq python-gevent python-pexpect

apt-get install python-ipy python-m2crypto python-pyclamd liblzma5 libimage-exiftool-perl python-msgpack libfuzzy-dev python-cffi python-dev unrar
pip install fluent-logger olefile ssdeep py-unrar2 pylzma
wget https://github.com/smarnach/pyexiftool/archive/master.zip
unzip master.zip
cd pyexiftool-master
python setup.py build
python setup.py install
wget http://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
tar vxzf pefile-1.2.10-139.tar.gz
cd pefile-1.2.10-139
python setup.py build
python setup.py install
I had no trouble installing any of this on a fully updated Debian box; on an older CentOS machine (5.7) I had to manually search Google for a lot of things and install from source.

Next, grab a copy of the Laika source from GitHub:

wget https://github.com/lmco/laikaboss/archive/master.zip
unzip master.zip
cd laikaboss-master

Laika has several parts: a standalone scanner, a distributed client-server framework, and an integration with MTAs. Usage of the standalone instance is fairly simple: just point it at a file and go. It returns a wealth of information in JSON format, so it can easily be parsed by other applications or sent to a SIEM.
I haven't played around with the networked instances yet, but I probably will in the near future. Someone also pointed me to REbus, which looks like a similar application that I'm going to have to take a look at in the future.
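As an added example (not code from the post or from the Laika BOSS project), here is how the nested scan output described above, where an email is broken into its attachment and the attachment's sub-components, can be flattened for a SIEM: each flagged object is reported with the chain of containers it sat in, and flags are rolled up to the top-level email. The sample output and the key names ("scan_result", "uniqID", "parent", "depth", "fileType", "flags") are constructed assumptions for the example; check them against real laika.py output before relying on them.

```python
import json

# Constructed sample shaped like a Laika BOSS scan result: an email carrying a
# zip attachment that in turn contains an executable. The key names are
# assumptions for this example, not copied from laika.py; the root object is
# assumed to have an empty "parent".
SAMPLE_OUTPUT = json.dumps({"scan_result": [
    {"uniqID": "a1", "parent": "", "depth": 0, "filename": "email.eml",
     "fileType": ["eml"], "flags": []},
    {"uniqID": "b2", "parent": "a1", "depth": 1, "filename": "report.zip",
     "fileType": ["zip"], "flags": []},
    {"uniqID": "c3", "parent": "b2", "depth": 2, "filename": "report.exe",
     "fileType": ["pe"], "flags": ["yara:suspicious_pe", "pe:packed"]},
]})


def load_objects(scan_json):
    """Index every scanned object (email, attachment, sub-component) by its id."""
    return {o["uniqID"]: o for o in json.loads(scan_json)["scan_result"]}


def object_path(objs, uid):
    """Follow parent links up to the root and return the chain of filenames."""
    chain = []
    while uid:
        chain.append(objs[uid]["filename"])
        uid = objs[uid]["parent"]
    return list(reversed(chain))


def flagged_records(scan_json):
    """One flat, SIEM-friendly record per object that raised a flag, including
    the full container chain so an analyst sees where in the email it sat."""
    objs = load_objects(scan_json)
    recs = [{"path": "/".join(object_path(objs, uid)), "depth": o["depth"],
             "type": o["fileType"], "flags": sorted(o["flags"])}
            for uid, o in objs.items() if o["flags"]]
    return sorted(recs, key=lambda r: r["depth"])


def root_summary(scan_json):
    """Roll every flag up to its top-level object, so the email as a whole is
    marked even when only a deeply nested component tripped a rule."""
    objs = load_objects(scan_json)
    summary = {}
    for uid, o in objs.items():
        root = object_path(objs, uid)[0]
        summary.setdefault(root, set()).update(o["flags"])
    return {root: sorted(flags) for root, flags in summary.items()}
```

Run `flagged_records(SAMPLE_OUTPUT)` to get the per-object records and `root_summary(SAMPLE_OUTPUT)` for the per-email roll-up.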

f3n3s7ra