Published on June 25th, 2015
IRMA — Incident Response Malware Analysis
Incident Response Malware Analysis: IRMA is an asynchronous and customizable analysis platform for suspicious files!
IRMA is intended to be an open-source platform that helps identify and analyze malicious files. However, today's defense is not only about learning about a file; it is also about getting a fine-grained overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus engines detect it, and so on.
An important value of IRMA is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network.
File Analysis Process
- An analysis begins when a user uploads files to the Frontend.
- The Frontend checks for existing files and results in MongoDB. If needed, it stores the new files and asynchronously calls scan jobs on the Brain.
- The Brain worker sends as many subtasks to the Probe(s) as needed.
- Probe workers process their jobs and send the results back to the Brain.
- The Brain sends the results to the Frontend.
IRMA has been designed as a three-part system: the Frontend, the Brain and one or more Probes. These components can be installed on a single host or spread across multiple hosts.
The Frontend and the Brain must be installed on a GNU/Linux system. We recommend using a Debian Stable distribution, which is supported and known to work.
Depending on the kind of probes and their dependencies, analyzers can share the same host, as long as they do not interfere with each other, or be installed on separate ones. So far, only Debian Stable and Microsoft Windows 7 hosts have been tested.
Download pre-packaged appliance
A complete version of IRMA is available as a virtual disk image. You can easily import it into VMware or VirtualBox. The virtual machine is essentially a Debian 7.6 OS with the irma packages installed. This demo version ships with 3 Linux AVs (ClamAV, McAfee, Comodo) ready to use, but you can add as many analyzers as you want. The typical hardware configuration for the demo virtual machine is 2 processors and 1 GB of RAM.
WARNING: This box has been automatically generated with Vagrant. Make sure to change the default credentials (vagrant/vagrant) and “insecure” ssh key before connecting to the network.
- irma v1.2.0 9312680a0afc9cf02699c141a5e077cf98baa428007c858962ad98f069c6e140
- irma v1.1.1 8ce739df45524e2ebfa570be3dff45eeca2e259d31f6d0ce4be43ad90755cc28
- irma v1.1.0 414be0d6d8b765f0ee433c0efe267d9e4a25ee28dbae94579c8dfee9f53beed7
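As an added example (not part of the original post or of the IRMA project), here is a POSIX shell check that verifies a downloaded appliance image against the digests listed above before you import it. It assumes those 64-hex-digit values are SHA-256 digests (their length matches, but the page does not name the algorithm); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded IRMA appliance image against the
# digests listed above. Assumes (not stated on the page) that the
# 64-hex-digit values are SHA-256.

# Table of version -> digest, copied from the list above.
irma_expected_digest() {
    case "$1" in
        1.2.0) echo 9312680a0afc9cf02699c141a5e077cf98baa428007c858962ad98f069c6e140 ;;
        1.1.1) echo 8ce739df45524e2ebfa570be3dff45eeca2e259d31f6d0ce4be43ad90755cc28 ;;
        1.1.0) echo 414be0d6d8b765f0ee433c0efe267d9e4a25ee28dbae94579c8dfee9f53beed7 ;;
        *) echo "unknown irma version: $1" >&2; return 1 ;;
    esac
}

# Compute the SHA-256 of a file with whichever tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no sha256 tool found" >&2; return 1
    fi
}

# Compare the file's digest with the expected one (case-insensitive).
# Returns 0 on match, 1 on mismatch or error.
verify_sha256() {
    file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage: verify_irma_box <version> <path-to-downloaded-box>
verify_irma_box() {
    digest=$(irma_expected_digest "$1") || return 1
    verify_sha256 "$2" "$digest"
}
```

Run `verify_irma_box 1.2.0 /path/to/irma.box` after downloading; a non-zero exit means the image does not match the published digest and should not be imported.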
Automated (fast) install
If not installed yet, download and install VirtualBox, Vagrant (1.5 or higher) and Ansible (1.8 or higher), then run:
$ git clone https://github.com/quarkslab/irma-ansible
$ cd irma-ansible
$ ansible-galaxy install -r ansible-requirements.yml
$ vagrant up
To customize your installation, please refer to the documentation. Unfortunately, the automated installation of probes on Windows is not implemented yet.
Source (slow) install
There is a common submodule named irma-common that can be fetched automatically with the --recursive option:
$ git clone --recursive https://github.com/quarkslab/irma-brain
$ git clone --recursive https://github.com/quarkslab/irma-frontend
$ git clone --recursive https://github.com/quarkslab/irma-probe