_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| _ _ _ _ _ _ _ _ _ _ _ _ _ _ |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| By Countercept
Snake is a malware storage zoo that was built out of the need for a centralised and unified storage solution for malicious samples that could seamlessly integrate into the investigation pipeline.
Snake is designed to provide just enough information to allow analysts to quickly and efficiently pivot to the most suitable tools for the task at hand. That being said there will be times where the information provided by Snake is more than sufficient. It is a Python based application built on top of Tornado and MongoDB. Scales provide Snake with a variety of functionality from static analysis through to interaction with external services.
For more information, please see: Wiki
The Snake Family
There is more to Snake than just the above, below is a summary:
- snake: The malware storage zoo.
- core: The main guts of Snake and the RESTful API.
- pit: The celery based workers that are used to execute static based commands.
- snake-charmer: The regression based test suite.
- snake-scales: The official repository of snake scales (plugins).
- snake-skin: The Web UI.
- snake-tail: The UNIX based command line UI.
There are a few dependencies to install Snake and Web UI (Snake Skin).
- (Snake) LibYAML
- (Snake) MongoDB 3.4 or greater
- (Snake) Python 3.5 or greater
- (Snake) Redis
- (Snake Skin) NodeJS 6 or greater
- (Snake Skin) NPM
- (Snake) libfuzzy & ssdeep
The above can be installed like so:
# Install dependencies sudo apt-get install libyaml-dev mongodb nodejs npm python3-dev python3-pip redis-server libfuzzy-dev ssdeep
# Install cURL sudo apt-get install curl # Add repository for MongoDB 3.6 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5 echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list # Add repository for nodejs 8 curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash - # Install dependencies sudo apt-get update sudo apt-get install libyaml-dev mongodb-org nodejs python3-dev python3-pip redis-server libfuzzy-dev ssdeep # Update pip and setuptools sudo -H pip3 install --upgrade pip setuptools
There are a few ways to install Snake, but the install scripts below will install Snake and the Web UI (Snake Skin).
Note: To install these components individually refer to their respective repositories.
This method will install Snake and the Web UI (Snake Skin) into the home directory.
Note: Requires virtualenv
git clone https://github.com/countercept/snake.git cd snake sys/user.sh
To start Snake:
# Source the virtual environment source ~/.snake/venv/bin/activate # Start the command workers celery worker --app snake.worker --logfile ~/.snake/log/%n%I.log & # Start Snake snaked & # Or # Start Snake in debug mode (log to console) snaked -d
To serve Snake Skin:
# Source the virtual environment source ~/.snake/venv/bin/activate # Navigate to Snake Skin cd ~/.snake-skin # Serve with http.server (port: 8000) python -m http.server &
This is the preferred method and will install Snake and the Web UI (Snake Skin) into the UNIX system.
Note: Requires nginx
git clone https://github.com/countercept/snake.git cd snake sys/install.sh
To start Snake:
# Start Snake Pit and Snake services systemctl start snake-pit systemctl start snake
To serve Snake Skin (port: 8000):
# Start Nginx to host Snake Skin systemctl stop nginx systemctl start nginx
By default Snake only provides three core scales:
- hashes: a command based scale used to perform a variety of hashing techniques on a sample.
- strings: a command based module to run strings on a sample.
- url: an upload based component used to upload samples to Snake from URLs.
Installing Additional Scales
Additional Scales are available at snake-scales
Snake provides a wrapper around pip to ease the installation of scales. A scale can be installed with this utility like so:
snake install virustotal
A scale can be checked at any time to see if it will successfully load in Snake.
snake check virustotal
Note: Whenever a new scale is installed, Snake and Celery must be restarted.
To create a scale, please see Scale Documentation
Both installations will serve Snake on port 5000 (API) and Snake Skin on port 8000.
To communicate with the WebUI:
To communicate with the API:
An overview of a sample that has been uploaded to Snake, with additional data enrichment from Cuckoo and VirusTotal.
Stores an user written notes about the sample.
This view is used to execute and view commands on a sample.
This view is used to communicate with external services in relation to a sample.
For an overview of Snake's settings, please see Snake
For an overview of Snake Skin's settings, please see Snake Skin