MCPcopy Index your code
hub / github.com/danielpoliakov/lisa

github.com/danielpoliakov/lisa @v0.9

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.9 ↗ · + Follow
192 symbols 491 edges 46 files 90 documented · 47%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README
<img width="300" height="auto" src="https://github.com/danielpoliakov/lisa/raw/v0.9/web_frontend/src/logo-white.png" alt="LiSa" />

Project providing automated Linux malware analysis on various CPU architectures.

Table of contents

LiSa

Features

  • QEMU emulation.
  • Currently supporting x86_64, i386, arm, mips, aarch64.
  • Small images built w/ buildroot.
  • Radare2 based static analysis.
  • Dynamic (behavioral) analysis using SystemTap kernel modules - captured syscalls, openfiles, process trees.
  • Network statistics and analysis of DNS, HTTP, Telnet and IRC communication.
  • Endpoints analysis and blacklists configuration.
  • Scaled with celery and RabbitMQ.
  • REST API | frontend.
  • Extensible through sub-analysis modules and custom images.

Get Started

Requirements

$ git clone https://github.com/danieluhricek/lisa
$ cd lisa
  1. Build.
# docker-compose build
  1. Profit.
# docker-compose up

Configuration

Web hosting

Setup your server's IP:port in nginx service in docker-compose.yml.

.
.
  nginx:
    image: lisa-nginx
    build:
      context: .
      dockerfile: ./docker/nginx/Dockerfile
      args:
        webhost: <myip|default=localhost>:<port>
    ports:
      - <port>:80
.
.

Scaling

Workers are scalable.

# docker-compose up --scale worker=10

VPN

You can route malware's traffic through OpenVPN. In order to do that:

  1. Mount volume containing OpenVPN config (named config.ovpn).
  2. Set environment valirable VPN to OpenVPN config's directory path.
.
.
  worker:
    image: lisa-worker
    build:
      context: .
      dockerfile: ./docker/worker/Dockerfile
    environment:
      - VPN=/vpn
    volumes:
      - "./data/storage:/home/lisa/data/storage"
      - "./vpn:/vpn"
.
.

Blacklists

Default used blacklists are (source):

  • bi_ssh_2_30d.ipset
  • firehol_level3.netset
  • firehol_webserver.netset
  • iblocklist_abuse_zeus.netset
  • normshield_all_wannacry.ipset

If you want to use any other blacklist, put .ipset or .netset files into data/blacklists. All of these blacklists are merged during build of worker service.

Adding new sub-analysis modules

Core of LiSa project supports 4 basic modules of analysis: static_analysis, dynamic_analysis, network_analysis and virustotal. Sub-analysis modules are plugin-based. For adding new sub-analysis and appending it's output to final json do following:

  1. Create class which inherits from AbstractSubAnalyzer class and implement run_analysis() method eg.:
class NewSubAnalyzer(AbstractSubAnalyzer):
    def run_analysis(self):
        pass
  1. Update list in lisa.config.py :
analyzers_config = [
    # core analyzers
    'lisa.analysis.static_analysis.StaticAnalyzer',
    'lisa.analysis.dynamic_analysis.DynamicAnalyzer',
    'lisa.analysis.network_analysis.NetworkAnalyzer',
    'lisa.analysis.virustotal.VirusTotalAnalyzer',

    # custom
    'module_of_new_analyzer.NewSubAnalyzer'
]

Upcoming features

  1. YARA module - YARA module to match patterns in LiSa's JSON output.
  2. Images selection - More Linux images containing e.g. IoT firmware.

Contribute

Contributions | feedback | issues | pull requests are welcome.

License

LiSa is licensed under Apache License 2.0.

Core symbols most depended-on inside this repo

to_dict
called by 26
lisa/web_api/responses.py
to_dict
called by 7
lisa/analysis/anomaly.py
save_output
called by 6
lisa/core/file_handling.py
_analyze_behavior
called by 4
lisa/analysis/dynamic_analysis.py
_analyze_endpoint
called by 4
lisa/analysis/network_analysis.py
analyze_pcap
called by 4
lisa/analysis/network_analysis.py
send_command
called by 3
lisa/core/qemu_guest.py
get_checksum
called by 3
lisa/core/base.py

Shape

Method 89
Function 50
Class 38
Route 15

Languages

Python72%
TypeScript28%

Modules by API surface

lisa/web_api/routes.py26 symbols
lisa/core/base.py23 symbols
lisa/core/qemu_guest.py10 symbols
lisa/manage.py9 symbols
lisa/analysis/network_analysis.py9 symbols
tests/static_analysis/test_static_analysis.py8 symbols
lisa/core/shell.py8 symbols
lisa/analysis/top_level.py7 symbols
web_frontend/src/pages/ResultsPage.jsx5 symbols
web_frontend/src/pages/ReportPage.jsx5 symbols
web_frontend/src/pages/PendingTasksPage.jsx5 symbols
web_frontend/src/pages/FailedTasksPage.jsx5 symbols

Datastores touched

(mysql)Database · 1 repos
lisadbDatabase · 1 repos

For agents

$ claude mcp add lisa \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact