• Stars: 171
• Rank: 222,266 (Top 5 %)
• Language: Python
• License: GNU General Publi...
• Created over 7 years ago
• Updated about 6 years ago


Repository Details

BASS - BASS Automated Signature Synthesizer


BASS

BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce the resource usage of ClamAV by producing pattern-based signatures instead of hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures by hand. The framework is easily scalable thanks to Docker.

Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS.

Installation

Prerequisites

You need Docker (installation instructions) and docker-compose (installation instructions) installed. Even if your distribution has packages for those, we recommend installing them as described in the installation instructions so that you have the newest versions available. Parts of our software might not work with old versions of docker and docker-compose.

Further, the client that talks to the docker cluster needs the python requests package installed. This can for example be done with pip install requests if you use python's pip package manager.

To build the containers, you need to export some environment variables:

IDA_BINARY=... #Make this variable point to your IDA Pro installation binary
IDA_PASSWORD=... #Set this variable to your IDA Pro installation password
IDA_WEB_PASSWORD=... #Set this variable to your IDA Pro restricted web password
cp ${IDA_BINARY} ida7/ida.run
export IDA_PASSWORD
export IDA_WEB_PASSWORD

You need to set the variables whenever you open a new shell that you want to use to build or run BASS.

Building the containers

Normally it should be enough to run docker-compose build in the repository root directory to build BASS' containers.

Running BASS

If you have a VirusTotal key, export it in the shell where you run the containers (e.g., export VIRUSTOTAL_API_KEY=xxx in bash). Run docker-compose up in the project's root directory to start BASS.

Then use the client in client/client.py to submit samples and get the resulting signature.

For example, run python ./client/client.py sample1 sample2 sample3 to generate a signature for the cluster consisting of binaries sample1, sample2 and sample3.

Debugging

The job object has exception and exception_trace properties which contain information about the raised exception if the job finished with an error status.

Debug logs may be found in the docker volume mounted to /tmp/bass_logs. In particular it might be helpful to track progress in the most recent log file via tail -f $( ls /tmp/bass_logs/*.log | tail -n 1 ).

Hacking

The client is contained in client/.

The folders bass/, bindiff/ and kamino/ contain the docker containers for the specific tools.

Python APIs for the REST interface of kamino and bindiff are in ./bass/python/cisco/bass/docker/.

The k-LCS algorithm is implemented as a C library (source in ./bass/python/src/_lcs.cpp) which is interfaced with ctypes.
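To make the k-LCS step concrete, here is an added illustration (not BASS's own code, and not the algorithm in _lcs.cpp, which is the project's production implementation): an exact longest-common-subsequence over k byte strings written from the textbook recurrence, a conversion of the matched bytes into ClamAV's hex notation where `*` matches any number of bytes, and the sanity check that a synthesised pattern actually hits every cluster member it was built from. The three samples, the min_run cut-off and the function names are constructed for the example.

```python
"""Toy k-LCS signature synthesis (added illustration; not BASS's own code).

BASS derives pattern-based ClamAV signatures from the bytes that all members
of a malware cluster share.  This file shows the idea with an exact
longest-common-subsequence over k byte strings and a conversion of the
result into ClamAV's hex notation, where '*' matches any number of bytes.
"""
import re
from functools import lru_cache
from typing import List, Sequence, Tuple

Match = Tuple[int, ...]  # one index into each sample, for one common byte


def k_lcs(seqs: Sequence[bytes]) -> List[Match]:
    """Exact LCS over k byte strings; returns one index tuple per common byte.

    The state space is the product of the sample lengths, so this is only
    suitable for small, short inputs; it exists to show the recurrence, not
    to replace the project's native library.
    """
    k = len(seqs)
    lens = tuple(len(s) for s in seqs)

    @lru_cache(maxsize=None)
    def best(pos: Match) -> Tuple[int, Tuple[Match, ...]]:
        # pos[i] is the next unconsumed index into seqs[i]
        if any(p >= n for p, n in zip(pos, lens)):
            return 0, ()
        first = seqs[0][pos[0]]
        if all(seqs[i][pos[i]] == first for i in range(1, k)):
            # every sample has the same byte here, so it belongs to the LCS
            n, rest = best(tuple(p + 1 for p in pos))
            return n + 1, (pos,) + rest
        # otherwise at least one current byte is not in the LCS: try skipping each
        result: Tuple[int, Tuple[Match, ...]] = (0, ())
        for i in range(k):
            cand = best(pos[:i] + (pos[i] + 1,) + pos[i + 1:])
            if cand[0] > result[0]:
                result = cand
        return result

    return list(best(tuple(0 for _ in seqs))[1])


def to_clamav_pattern(seqs: Sequence[bytes], matches: Sequence[Match],
                      min_run: int = 3) -> str:
    """Render matched bytes as a ClamAV-style hex pattern.

    Bytes that are adjacent in every sample form one literal run; a gap in
    any sample becomes a '*' wildcard.  Runs shorter than min_run (a
    constructed cut-off) are dropped so the pattern is not padded with stray
    single-byte coincidences that would match almost anything.
    """
    runs: List[bytearray] = []
    cur = bytearray()
    for j, pos in enumerate(matches):
        contiguous = j > 0 and all(
            pos[i] == matches[j - 1][i] + 1 for i in range(len(seqs)))
        if j > 0 and not contiguous:
            runs.append(cur)
            cur = bytearray()
        cur.append(seqs[0][pos[0]])
    if cur:
        runs.append(cur)
    return "*".join(r.hex() for r in runs if len(r) >= min_run)


def pattern_matches(pattern: str, sample: bytes) -> bool:
    """Check that a hex pattern with '*' wildcards matches a sample.

    A synthesised signature must hit every cluster member it was built from;
    this is the check a pipeline would run before shipping it.
    """
    pieces = [re.escape(bytes.fromhex(p)) for p in pattern.split("*")]
    return re.search(b".*?".join(pieces), sample, re.DOTALL) is not None


# Constructed stand-ins for three cluster members: a shared prologue, a shared
# call sequence and a shared epilogue, separated by sample-specific bytes.
SAMPLES = [
    b"PUSHx1CALLy1RET",
    b"PUSHx22CALLy22RET",
    b"PUSH3CALL33RET",
]


def synthesize(seqs: Sequence[bytes] = SAMPLES) -> str:
    """Full pipeline for one cluster: k-LCS, then pattern rendering."""
    return to_clamav_pattern(seqs, k_lcs(seqs))


if __name__ == "__main__":
    sig = synthesize()
    print("pattern:", sig)  # 50555348*43414c4c*524554
    for s in SAMPLES:
        print(s, "->", pattern_matches(sig, s))
```

The sample-specific bytes between the shared runs are what turn into `*` wildcards, which is why a pattern-based signature keeps matching when a packer or build changes the bytes in between, where a hash-based signature would not.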

If you are looking for a starting point to the signature generation process, have a look at ./bass/python/cisco/bass/core.py.

More Repositories

1. clamav (C, 3,200 stars): ClamAV - Documentation is here: https://docs.clamav.net
2. pyrebox (C, 1,604 stars): Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU
3. GhIDA (Python, 714 stars)
4. mutiny-fuzzer (Python, 530 stars)
5. MBRFilter (C, 318 stars): Cisco Talos MBR Filter Driver
6. moflow (C++, 296 stars): Release Branches for MoFlow
7. ROPMEMU (Python, 282 stars): ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks.
8. Decept (Python, 259 stars): Decept Network Protocol Proxy
9. Ghidraaas (Python, 207 stars)
10. DynDataResolver (Python, 204 stars)
11. binary_function_similarity (Jupyter Notebook, 186 stars)
12. fnc-1 (Python, 173 stars): Fake News Challenge
13. file2pcap (C, 162 stars)
14. Barbervisor (Rust, 145 stars): Intel x86 bare metal hypervisor for researching snapshot fuzzing ideas.
15. TeslaDecrypt (C++, 132 stars): Decryption Tool
16. snort-faq (110 stars): Snort FAQ
17. osquery_queries (96 stars): Cisco Orbital - Osquery queries by Talos
18. FIRST (91 stars)
19. snap_wtf_macos (Python, 86 stars): WTF Snapshot fuzzing of macOS targets
20. FIRST-plugin-ida (Python, 85 stars)
21. Winbox_Protocol_Dissector (Lua, 67 stars)
22. locky (C, 66 stars)
23. pylocky_decryptor (Python, 64 stars)
24. cvdupdate (Python, 62 stars): ClamAV Private Database Mirror Updater Tool
25. smi_check (Python, 61 stars): Smart Install Client Scanner
26. clamav-bytecode-compiler (C, 60 stars): ClamAV ByteCode Compiler
27. covnavi (Python, 59 stars)
28. IOCs (55 stars): Indicators of Compromise
29. Mussels (Python, 43 stars)
30. CASC (Python, 40 stars)
31. clamav-safebrowsing (Python, 37 stars)
32. freesentry (C++, 34 stars)
33. clamav-docker (Shell, 34 stars): Dockerfiles for the ClamAV project
34. Re2Pcap (Python, 33 stars)
35. oil-pumpjack (Python, 31 stars): Oil Pumpjack: open source materials to create your own oil pumpjack managed by an Arduino
36. FIRST-server (CSS, 30 stars)
37. clamav-fuzz-corpus (HTML, 30 stars): Seed Corpus for clamav-devel oss-fuzz integration.
38. flokibot (Python, 25 stars)
39. remcos-decoder (Python, 21 stars): Talos Decryptor POC for Remcos RAT version 2.0.5 and earlier
40. badgerboard (Verilog, 16 stars)
41. crashdog (C, 15 stars)
42. Daemonlogger (C, 14 stars): The Official Github Repository of Daemonlogger
43. useful-tools (Python, 14 stars)
44. Nim-IDA-FLIRT-Generator (Python, 13 stars): Nim-IDA-FLIRT-Generator
45. clamav-documentation (JavaScript, 13 stars): ClamAV Documentation
46. clamav-mussels-cookbook (12 stars)
47. snort2-docker (Vim Script, 10 stars)
48. ida_tilegx (C, 6 stars)
49. NibiruDecrypt (C#, 6 stars)
50. mussels-recipe-scrapbook (2 stars)
51. Threat-Round-Up (1 star)
52. clamav-async-rs (1 star)