<img width="300" height="auto" src="https://github.com/danielpoliakov/lisa/raw/v0.9/web_frontend/src/logo-white.png" alt="LiSa" />
Project providing automated Linux malware analysis on various CPU architectures.
Table of contents

Requirements
Get repository.
$ git clone https://github.com/danieluhricek/lisa
$ cd lisa
# docker-compose build
# docker-compose up
Setup your server's IP:port in nginx service in docker-compose.yml.
.
.
nginx:
image: lisa-nginx
build:
context: .
dockerfile: ./docker/nginx/Dockerfile
args:
webhost: <myip|default=localhost>:<port>
ports:
- <port>:80
.
.
Workers are scalable.
# docker-compose up --scale worker=10
You can route malware's traffic through OpenVPN. In order to do that:
VPN to OpenVPN config's directory path..
.
worker:
image: lisa-worker
build:
context: .
dockerfile: ./docker/worker/Dockerfile
environment:
- VPN=/vpn
volumes:
- "./data/storage:/home/lisa/data/storage"
- "./vpn:/vpn"
.
.
Default used blacklists are (source):
If you want to use any other blacklist, put .ipset or .netset files into data/blacklists. All of these blacklists are merged during build of worker service.
Core of LiSa project supports 4 basic modules of analysis: static_analysis, dynamic_analysis, network_analysis and virustotal.
Sub-analysis modules are plugin-based. For adding new sub-analysis and appending it's output to final json do following:
AbstractSubAnalyzer class and implement run_analysis() method eg.:class NewSubAnalyzer(AbstractSubAnalyzer):
def run_analysis(self):
pass
lisa.config.py :analyzers_config = [
# core analyzers
'lisa.analysis.static_analysis.StaticAnalyzer',
'lisa.analysis.dynamic_analysis.DynamicAnalyzer',
'lisa.analysis.network_analysis.NetworkAnalyzer',
'lisa.analysis.virustotal.VirusTotalAnalyzer',
# custom
'module_of_new_analyzer.NewSubAnalyzer'
]
Contributions | feedback | issues | pull requests are welcome.
LiSa is licensed under Apache License 2.0.