• Stars
    star
    102
  • Rank 335,584 (Top 7 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 6 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Malware/IOC ingestion and processing engine

MalPipe

              _   ___ _            
  /\/\   __ _| | / _ (_)_ __   ___ 
 /    \ / _` | |/ /_)/ | '_ \ / _ \
/ /\/\ \ (_| | / ___/| | |_) |  __/
\/    \/\__,_|_\/    |_| .__/ \___|
                   |_|         

MalPipe is a modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.

At this time, the following feeds are supported:

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Installing

Deployment of MalPipe requires installing the required python libraries and configuring the various modules.

Python dependencies can be installed by running:

pip install -r requirements.txt

Configuring

Feeds

An example configuration is provided in config_example.json with settings to get started. This file contains a JSON object containing the required settings for each feed / processor / exporter. An description of a feeds settings are shown below:

...
    "feeds": {
...
        "MalShare": {
            "ENABLED" : true,
            "API_KEY" : "00000000000000000000000000000000000000000000000000000000000",
            "EXPORTERS" :  ["DetailsPrinter", "JSONLog"],
            "PROCESSORS" :  ["YaraScan", "DNSResolver"]
        },

...

As some feeds update daily, feeds can be in two forms: scheduled and active. Settings for when these should run is defined outside of the configuration in the individual modules.

Processors

Processors are used to enrich/standardize the collected. For example, data from VirusTotal contains yara results for each file collected, whereas MalShare does not. By adding, YaraScan to the PROCESSORS key, you can scan the files to also include this data.

An example modules settings are below:

...
    "processors": {
    ...
        "YaraScan": {
            "ENABLED" : false,
            "RULES_PATH": "/yara_rules/Malware.yara"
        },
        ...

Currently, the following processors have been implemented:

  • ASNLookup
  • DNSResolver
  • FileType
  • RDNS
  • YaraScan

Exporters

The final components is exporters, these control where the data goes. These can be used to export collected data to a malware repository, a SIEM, JSON Log files or printed for the user.

     ...
     "exporters": {
        ...
        "JSONLog": {
            "ENABLED" : true,
            "PRETTY" : true,
            "LOG_PATH": "./temp/"
        },
        ...

Currently, the following processors have been implemented:

  • DetailsPrinter
  • GenericWebStorage
  • JSONLog
  • LocalFileStorage

Running

After setup, MalPipe can be run by using:

python malpipe.py

Developing Modules

Modules for MalPipe located under malpipe/ by type:

Creating new modules is easy,

Create Python Module

MalPipe modules are defined as Python classes. Following is an example Module header

class ModuleName(Processor):
    def __init__(self):
        md = ProcessorDescription(
            module_name="ModuleName",
            description="Description",
            authors=["Author Name"],
            version="VersionNumber"
        )
        Processor.__init__(self, md)
        self.types = ['ipaddresses']
        self.parse_settings()

Settings can be set by importing the configuration and set to class variables, shown below:

	from malpipe.config import CONFIG
            ...
            self.yara_rule_path = CONFIG['processors'][self.get_module_name()]['RULES_PATH']

Each processor is required to have a run function that is called by the feed.

Add Settings

After creation of the module, settings need to be added to are config.json under the processors, feeds , or exporters key. If the new module is a processor or exporter, it will also need to be added to the associated feeds. An example is shown below:

     ...
    "processors": {
     ...    
        "SuperNewModule": {
            "ENABLED" : true,
            "DOCOOLSTUFF": true
        },
     ...
    "feeds": {
        ...
        "0DayMalwareFeed": { 
            "ENABLED" : true,
            "EXPORTERS" :  ["DetailsPrinter", "JSONLog"],
            "PROCESSORS" :  ["SuperNewModule"]
        }
        ...

Contributing

Please report any problems by creating a issue or starting a pull request. If you have additional modules or features you would like to see, please consider opening an issue.

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the GNU General Public License v3.0 - see the LICENSE.md file for details

Acknowledgments

More Repositories

1

LnkParse

Windows Shortcut file (LNK) parser
Python
131
star
2

awesome-docker-malware-analysis

Repository of tools and resources for analyzing Docker containers
Python
53
star
3

VirusTotalTools

Misc Tools for Virus Total Interaction
Python
35
star
4

IDA_AutoAnalysis

IDA Pro plugin that rename functions on load, based on functionality
Python
19
star
5

Proximity

Sinkhole Operational Framework for Automation and Reporting
Perl
14
star
6

IntelDB

Minimal Indicator Storage System
Python
11
star
7

MiscMalware

Misc malware stuff
Python
10
star
8

PyMSRz

Python module for interacting with Bluetooth MSR card reader/writers
Python
10
star
9

dns-monitor

DNSMonitor is a set of scripts to monitor malware and botnet domains for IP address changes by monitoring TTL values.
9
star
10

PastebinScraper

My personal Pastebin Scraper since 2010
Perl
7
star
11

Masochistic-Linux

A fork of Suicide Linux
Python
7
star
12

CookieMonsterVirus

Humble Shout out to the movie Hackers. For use in CCDC events.
C#
5
star
13

HiveMindDB

Tool to databasing IP addresses and Domains as well as storing notes about the domains.
Perl
4
star
14

ConferenceTalks

Collection of slides from my conference talks
3
star
15

Doom95Aimbot

Source code from https://0x00sec.org/t/doom95-making-an-aimbot/19862 && https://rstforums.com/forum/profile/3859-nytro/content/page/9/?type=forums_topic_post
C++
3
star
16

HamRadioLogbook

A web based logbook for ham radio operators based on Python & Flask
JavaScript
3
star
17

stalkerware-urls

3
star
18

dockerhoneypot-logs

Collection of Docker honeypot logs from 2021 - 2024
Python
3
star
19

pinfo

Simple CLI tool for showing Windows PE Info
Python
2
star
20

SecurityLexicon

Microsoft Office Dictionary of Security Teams
2
star
21

Rosetta

A Chrome Extension that automatically resolves names of various threat groups
Python
2
star
22

RapidSig

Yara + Drinking == Magic
Shell
2
star
23

BTCVendingMachine

1
star
24

ElectricSheepRedux

Continuation of the epic ElectricSheep project
1
star