This is a malware analysis project which expecte to generate snort rule via malicious network traffic
- pyvbox: for creating an sandbox.
- dpkt: for parsering network packet.
- requests: for sending requests to VirusTotal
- Take the snapshot (manually)
- Copy the malware into virtual machine
- Active the malware
- Record the network traffic (Save in the host) in the virtual machinei
- Restore the snapshot (Which means goto step 0)
-
Isolation environment usage
Show help messages
$ python sandbox_run.py -h
usage: sandbox_run.py [-h] [-n NAME] [-t TIME] [-m MALWARE]
This is a automatic script which record malware network behavior in the
isolation environment.
optional arguments:
-h, --help show this help message and exit
-n NAME, --name NAME Specify a VM name.
-t TIME, --time TIME Specify a time in seconds for recording network
traffic.
-m MALWARE, --malware MALWARE
Specify a path which place malware will be copy into
sandbox.
The following example is starting a virtual machine named WinXPSP3 and capturing network traffic for 60 seconds.
$ python sandbox_run.py -n WinXPSP3 -t 60 -m malware_bin
-
Packet reconstruct Usage
Show help message
$ python pkt_reconstruct.py -h
usage: pkt_reconstruct.py [-h] [-d DIRECTORY]
This is a packet reconstruct tool to help reconstruct the packet payload.
optional arguments:
-h, --help show this help message and exit
-d DIRECTORY, --directory DIRECTORY
Specify a path which place pcap file
- Analysis malicious network traffic from packet reconstruct
- Automatic generate the snort rule depending on analyse results
- A Web GUI interface for user can upload the malware and generate snort rule