Malware Pipeline is a prototype demonstrating malware handling playbook from reception to mitigation. It's goal is to simplify steps necessary for successful handling of malware.
Malware Pipeline prototype consists of several microservices and tools orchestrated by Apache Airflow.
It is possible to deploy this project in two ways: on local machine or on local VirtualBox machine orchestrated by Vagrant and Ansible. Configuration stays the same for either way of deployment.
The whole project is configured in such a way that is is not necessary to do much configuration. It is necessary to insert API keys of external analysers into the .env_keys configuration file, but all other configuration is strictly voluntarily.
.env_keysfile contains secrets part from official IntelOwl .env configuration file. You can use .env_keys.template as a starting point. Configuration of Observable Evaluator is done in observable_evaluator/.env file. You can configure supported APIs and their weights.
- #secrets
- this section contains MISP_URL of used MISP instance. Change ONLY if you want to use your own MISP instance
- #Supported tools
- this section contains API keys for VirusTotal, GoogleSafebrowsing, HybridAnalysis and MISP
- #REST of intelowl supported tools
- IntelOwl provides even more tools, however these tools are not supported by the project. It is possible to provide module with your own implementation
It is not recommended to change other values.
docker-compose up
vagrant up
You should check all built services (table below).
| Tool | Address | Credentials |
|---|---|---|
| IP blocker | http://localhost:8996/api/ip-addresses | None |
| Email blocker | http://localhost:8996/api/emails | None |
| DNS blocker | http://localhost:8997/api/?action=list&zone=black | None |
| Whitelist | http://localhost:8998/api | None |
| Apache Airflow | http://localhost:8999/airflow/ | airflow:supertestovaciheslo |
| S3 Minio | http://localhost:9001 | minioadmin:minioadmin |
| IntelOwl | http://localhost:9003 | root:supertestovaciheslo |
| Malware uploader | http://localhost:9006/ | None |
| MISP | http://localhost:9007 | [email protected]:supertestovaciheslo |
Analysis can last up to 10 minutes
