A fork of Loki - Simple IOC and YARA Scanner, rewritten for Linux and modified to support single file scans, as well as a daemon mode to accept scans in a client/server manner. It also includes some other improvements.
colorama | progressbar2 | psutil | requests | yara-python
Neo23x0/signature-base | reversinglabs-yara-rules
elastic/protections-artifacts | PhishingKit-Yara-Rules | malpedia/signator-rules | YARAHQ/yara-forge
apk add bash gcc git linux-headers musl-dev openssl-dev python3 python3-dev py3-pip
pacman -S bash gcc git python3 python-devtools python-pip
apt -y install gcc git libssl-dev python3 python3-dev python3-venv
update-alternatives --install /usr/bin/python python /usr/bin/python3 1
dnf -y install bash gcc git openssl-devel python3 python3-devel python3-pip
xbps-install -Sy bash gcc git openssl-devel python3 python3-devel
git clone https://github.com/c0m4r/paranoya.git
cd paranoya
./deploy.sh
./paranoya.py --nolog --intense -p ./test
Now available on the Docker Hub and Github Packages.
docker run --name paranoya -v /tmp:/tmp -p 127.0.0.1:1337:1337 -d c0m4r/paranoya
You can also build the image yourself. This repo comes with predefined Docker files. The default one is based on an official Python image, so running it should be as simple as:
git clone https://github.com/c0m4r/paranoya.git
cd paranoya/addons/docker/default
docker compose up -d
However, to be able to scan anything outside of Docker, you have to mount a volume pointing to a specific directory. Change docker-compose.yml accordingly.
There are other Dockerfiles available, based on different Linux distros.
DIY flatpak-builder files are available here.
git clone https://github.com/c0m4r/paranoya.git
cd paranoya/addons/flatpak
./build.sh
Once it's ready, you can run paranoya, passing the arguments you need.
flatpak run org.flatpak.paranoya --intense -p ./test
Keep in mind that even though there is --filesystem=host
set,
some of the directories are blacklisted
under Flatpak Sandbox, preventing paranoya from scanning them.
In order to scan one of them, use an override. An example for /tmp dir:
flatpak override --user --filesystem=/tmp org.flatpak.paranoya
For the binary version of paranoya and its tools, use the ./build.sh
script.
However, when possible, you should use bare python under venv, as it will allow you to get the latest versions of python modules and keep them up-to-date, as well as view and verify the source code.
See: paranoya in chroot
See: paranoya on Android
See: paranoya on FreeBSD
Start as a daemon and bind on the default localhost:1337
./paranoya.py -d -s 20000 --noindicator --csv --nolog --intense
You can also change default bind address/port with --listen-host
and --listen-port
args. Check --help
for details.
Check example init files for OpenRC and systemd integration.
./client.py -p /path/to/scan
As of now, the server accepts a plain path and an optional space-separated auth key.
echo "./test" | nc localhost 1337 ; echo
echo "./test authkey" | nc localhost 1337 ; echo
Possible responses:
Answer | Level | Score |
---|---|---|
RESULT: Indicators detected! | ALERT | >= 100 |
RESULT: Suspicious objects detected! | WARNING | >= 60 |
RESULT: SYSTEM SEEMS TO BE CLEAN. | NOTICE | >= 40 |
In --auth
mode it will respond with authorization required
if authkey was not sent or unauthorized
if authkey is invalid.
- Rewritten for Linux
- A single file scan if a given path is a file
- Daemon mode
-d
with listening socket--listen-host 127.0.0.1
--listen-port 1337
accepting scans requested from client.py- PID file
paranoya.pid
is created in the program directory if running in daemon mode, you change its path with--pidfile /path/to/pidfile
- Optional auth key
--auth somethingRandomHere
in daemon mode (just a dumb string authorization, can be intercepted and read from the process list)
- PID file
- You can disable one or more yara files, f.e.
--disable-yara-files apt_vpnfilter.yar,yara_mixed_ext_vars.yar
- Exclude files by hash as proposed by rafaelarcanjo in Neo23x0/Loki/pull/204. See: excludes.cfg
- Initial implementation of process scanning under Linux (scan_processes_linux()):
- File Name Checks: works with signature-base/iocs/filename-iocs.txt (note: linux iocs missing by default)
- Process connections: for now, it only shows detected connections per process
- Process Masquerading Detection: reports non-empty /proc/PID/maps of processes that uses square brackets in their cmdlines
- Progress bar (experimental) can be enabled with --progress
- Force paranoya to follow symlinks (be aware: may lead to RAM overflow) with --followlinks
- Custom yara rules sources
- Some additional YARA rule sources have been added and you can also choose your own
- Custom yara ruleset dir can be set with --custom signature-custom/yara/name
- To avoid conflicts between rules, it's recommended to use only one source at a time
Run a program with --help to view usage information.
See: Usage
Apart from the signature-base there are some example custom signature rulesets being pulled by the upgrader script.
Custom signatures can be used independently as a supplement, but you should avoid mixing the rule sources, as this may lead to conflicts between rules.
Use --custom
to point the scanner to a different directory where the rules are stored.
It will process all the .yar and .yara stored in that directory; don't point to a file, as this won't work.
Example usage of the custom ruleset:
./paranoya.py --intense --progress -p ./sample/webshell/ --custom signature-custom/yara/protections-artifacts-main/
These additional custom YARA rules has been proven to work* with paranoya:
- SupportIntelligence/Icewater
- intezer/yara-rules
- jeFF0Falltrades/YARA-Signatures
- evthehermit/YaraRules
- MalGamy/YARA_Rules
- advanced-threat-research/Yara-Rules
- securitymagic/yara
- telekom-security/malware_analysis
- tenable/yara-rules
* That doesn't mean they will actually detect something; just that they are processed properly by the yara-python
paranoya: Simple IOC and YARA Scanner for Linux®
Copyright (c) 2015-2023 Florian Roth
Copyright (c) 2023-2024 c0m4r
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
If you found this software helpful, please consider making donation to a charity on my behalf. Thank you.