Linux support #2001

Merged
merged 32 commits into from
Mar 13, 2024

Conversation

winson0123
Contributor

Long-awaited Linux support.

Description of how behavioral information is captured on Linux machines:

  • strace is used to detonate the malware sample, and the logs are captured and uploaded to the host.
  • Strace logs are processed and output similarly to how the current implementation handles Windows behaviors.
  • Strace information is stored under the "behaviors" key in the CAPE report JSON (as Windows does).
  • Information is fetched from the database and displayed on the behavioral tab.
  • The behavioral tab showcases all the syscalls called by each process spawned by the sample.
  • Syscalls are filtered by the root of the kernel source code (mm, fs, crypto, etc.).
  • A small hiccup we've encountered when running ransomware samples: the sample encrypts the strace log and prevents us from processing the logs for behavioral analysis.

Database changes:

  • Adds the column platform to the guests table in PostgreSQL.
  • Alembic migrations are required to be run.

Future work:

  • More signaturization for Linux samples is possible.

kenleejl and others added 26 commits March 7, 2024 10:41
Description:
- Sample executed via `strace` to capture API execution sequence
- Strace logs output to Linux guest machine
- Filecollector to ignore strace log
- Strace logs uploaded to host
- Strace logs processed and output to CAPE report JSON
- Removal of strace-process-tree dependencies
- Removal of strace folder in analysis output folder
- Changed output location of strace log files to match behavior ("logs" folder)
- Extra clean-up of previous systemtap implementations

Description:
Some malware may not close file descriptors and relies on lazy cleanup.
The fix is to assume that the file descriptor is closed after running;
if an unclosed fd is encountered during processing, match the
respective filename anyway, since it is most likely near the end of the file
descriptor list.

The previous implementation referenced the `strace` syscall indexes in order to match the relevant syscalls and argument inputs. It turns out this is not very reliable and causes a bug on the `open` syscall, which strace outputs with the index 5. Upon matching with the Linux syscall JSON, it incorrectly matches `newfstat`. The fix was to match via the syscall name instead.
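As an added illustration (not code from this PR or from CAPE), a minimal strace log processor that applies the two commit points above: fd arguments are resolved through a per-process table that is pruned only by an explicit close(), so an fd the sample never closes still matches its filename, and each syscall is categorised by name rather than by strace's numeric index. The `strace -f` excerpt and the name-to-subtree table are constructed.

```python
import re
from collections import defaultdict

# Constructed subset: syscall *name* -> kernel source subtree that implements it.
# Keying on the name, not strace's numeric index, avoids the open/newfstat mix-up.
SYSCALL_CATEGORY = {"execve": "fs", "open": "fs", "openat": "fs", "read": "fs",
                    "write": "fs", "close": "fs", "mmap": "mm", "clone": "kernel"}
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)")
PATH_RE = re.compile(r'"([^"]*)"')  # first quoted argument of open/openat is the path

# Constructed `strace -f` excerpt: fd 3 is reopened after a close, the second fd 3
# is never closed (lazy cleanup), and the child inherits the parent's fd table.
SAMPLE_LOG = r"""1234 execve("/tmp/sample", ["/tmp/sample"], 0x7ffc0e8a1b10) = 0
1234 openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
1234 read(3, "127.0.0.1 localhost\n", 4096) = 20
1234 close(3) = 0
1234 openat(AT_FDCWD, "/home/user/doc.txt", O_RDWR) = 3
1234 write(3, "\x8f\x12\xa0\x4b"..., 4096) = 4096
1234 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1235
1235 openat(AT_FDCWD, "/home/user/photo.jpg", O_RDWR) = 4
1235 write(4, "\x02\xd4\x77\x19"..., 4096) = 4096
1235 +++ exited with 0 +++
1234 +++ exited with 0 +++
"""

def process_strace(log):
    """Return ({pid: [(syscall, category, path)]}, {pid: {fd: path}} left open at exit)."""
    behaviors = defaultdict(list)
    fd_table = defaultdict(dict)  # pid -> {fd: path}; pruned only by an explicit close()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:  # "+++ exited +++", signal and unfinished lines carry no syscall
            continue
        pid, name, args, ret = int(m["pid"]), m["name"], m["args"], int(m["ret"], 0)
        path = None
        if name in ("open", "openat") and ret >= 0:
            path = PATH_RE.search(args).group(1)
            fd_table[pid][ret] = path
        elif name in ("read", "write", "close"):
            fd = int(args.split(",", 1)[0])
            path = fd_table[pid].get(fd)  # an fd never closed by the sample still resolves
            if name == "close":
                fd_table[pid].pop(fd, None)
        elif name in ("clone", "fork", "vfork") and ret > 0:
            fd_table[ret] = dict(fd_table[pid])  # child process starts with parent's fds
        behaviors[pid].append((name, SYSCALL_CATEGORY.get(name, "other"), path))
    return dict(behaviors), {p: t for p, t in fd_table.items() if t}

def syscalls_in(behaviors, category):
    """Filter each process's trace to one kernel subtree, e.g. "fs" or "mm"."""
    return {pid: [c for c in calls if c[1] == category] for pid, calls in behaviors.items()}
```

Everything left in the second return value at the end of the log is exactly the set of descriptors the sample relied on lazy cleanup for.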
@doomedraven
Collaborator

Hello, amazing job on this. I got a first quick look, I will check properly a bit later, but so far it looks good. I have a question: to prevent ransomware encrypting the logs, maybe we should stream the strace log to the server side? It sounds to me that we had something for that, I will have to double check.

@nbargnesi
Contributor

And well-timed with the ability to run tests against the analyzer and agent! (CC @rkoumis )

@winson0123
Contributor Author

> Hello, amazing job on this. I got a first quick look, I will check properly a bit later, but so far it looks good. I have a question: to prevent ransomware encrypting the logs, maybe we should stream the strace log to the server side? It sounds to me that we had something for that, I will have to double check.

I'll probably take a look into this next week, that suggestion does sound better to circumvent the encryption issue. Probably something along the lines of piping the output on the agent and streaming to the server side.

@kevoreilly
Owner

Thank you ❤️

@nbargnesi
Contributor

> Hello, amazing job on this. I got a first quick look, I will check properly a bit later, but so far it looks good. I have a question: to prevent ransomware encrypting the logs, maybe we should stream the strace log to the server side? It sounds to me that we had something for that, I will have to double check.
>
> I'll probably take a look into this next week, that suggestion does sound better to circumvent the encryption issue. Probably something along the lines of piping the output on the agent and streaming to the server side.

This is a great PR as-is. It'd be great to have it merge even without addressing this.

@doomedraven
Collaborator

I have one question, it's not fully related to this PR, but as we nuke stap, we need to remove it from the .conf. Maybe we should already nuke all the non-.conf.default files; as we already touch one, we could delete it directly, as it will be overwritten anyway on install. Any thoughts to help me decide the proper way?

@doomedraven doomedraven merged commit d46b28e into kevoreilly:master Mar 13, 2024
5 checks passed
@winson0123 winson0123 deleted the linux-support branch April 3, 2024 07:59