Modular file scanning/analysis framework
Clone or download
Latest commit dedc48c Oct 17, 2018
Permalink
Failed to load latest commit information.
analytics Indentation and whitespace fixes Feb 14, 2018
docker_utils Fix bug when web config options not present May 2, 2018
docs Update use-analysis-mods.rst Aug 27, 2018
etc/yarasigs Add code to clone http://yararules.com/ GitHub repo in installer script. Feb 16, 2016
libs Resolve merge conflicts Mar 7, 2018
modules pep8 changes for modules Mar 17, 2018
storage Merge pull request #121 from mitre/master Apr 17, 2018
tests Merge pull request #81 from emmanvg/feature-stix2-objects Apr 17, 2018
utils Merge pull request #157 from ptcNOP/hotfix/nsrl-out-of-mem Oct 17, 2018
web Fix bug when web config options not present May 2, 2018
.gitignore Merge pull request #85 from mitre/feature-celery Mar 12, 2018
.pre-commit-config.yaml Convert dos2unix line endings and add pre-commit hook to check for fu… Feb 26, 2018
.travis.yml Run flake8 but exit with "0" event with errors Mar 17, 2018
AUTHORS Add Austin to AUTHORS Jul 23, 2015
LICENSE End of file and whitespace fixes Feb 26, 2018
README.md Update README.md Apr 4, 2018
TODO.md More dos2unix fixes Feb 26, 2018
__init__.py Remove unused imports and sort Feb 16, 2018
docker-compose.yml Move proxy settings to docker-composel Nov 9, 2017
install.sh Fix NSRL cleanup Aug 28, 2018
multiscanner.py Merge pull request #132 from Drewsif/feat-tags May 2, 2018
requirements.txt Merge pull request #121 from mitre/master Apr 17, 2018
setup.cfg Bump minor version to 1.2.0 May 1, 2018
setup.py Bump minor version to 1.2.0 May 1, 2018
tox.ini Remove support for Python 3.3 since it is EOL Oct 13, 2017

README.md

MultiScanner

Build Status

Introduction

MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built Python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework.

Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules you can look in modules/. Descriptions and config options can be found on the Analysis Modules page.

MultiScanner also supports a distributed workflow for sample storage, analysis, and report viewing. This functionality includes a web interface, a REST API, a distributed file system (GlusterFS), distributed report storage / searching (Elasticsearch), and distributed task management (Celery / RabbitMQ). Please see Architecture for more details.

Usage

MultiScanner can be used as a command-line interface, a Python API, or a distributed system with a web interface. See the documentation for more detailed information on installation and usage.

Command-Line

Install Python (2.7 or 3.4+) if you haven't already.

Then run the following (substituting the actual file you want to scan for <file>):

$ git clone https://github.com/mitre/multiscanner.git
$ cd multiscanner
$ sudo -HE ./install.sh
$ python multiscanner.py init

This will generate a default configuration for you. Check config.ini to see what modules are enabled. See Configuration for more information.

Now you can scan a file (substituting the actual file you want to scan for <file>):

$ python multiscanner.py <file>

You can run the following to get a list of all of MultiScanner's command-line options:

$ python multiscanner.py --help

Note: If you are not on a RedHat or Debian based Linux distribution, instead of running the install.sh script, install pip (if you haven't already) and run the following:

$ pip install -r requirements.txt

Python API

import multiscanner
multiscanner.config_init(filepath)
output = multiscanner.multiscan(file_list)
results = multiscanner.parse_reports(output, python=True)

Web Interface

Install the latest versions of Docker and Docker Compose if you haven't already.

$ git clone https://github.com/mitre/multiscanner.git
$ cd multiscanner
$ docker-compose up

You may have to wait a while until all the services are up and running, but then you can use the web interface by going to http://localhost:8000 in your web browser.

Note: this should not be used in production; it is simply an introduction to what a full installation would look like. See here for more details.

Documentation

For more information, see the full documentation on ReadTheDocs.