-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
148 lines (109 loc) · 7.61 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
# This project has been deprecated by the artemis-distributed project. It may still work
# properly but lacks much of the functionality included in the newer version.
# It has also been quite some time since I tested the scripts in this project. Though I
# am no longer supporting this project, feel free to contact me if you have any specific
# questions or issues.
# Artemis Network Traffic Virus Monitor
# Author: Andrew Withers ([email protected])
________ ________ _________ _______ _____ ______ ___ ________
|\ __ \|\ __ \|\___ ___\\ ___ \ |\ _ \ _ \|\ \|\ ____\
\ \ \|\ \ \ \|\ \|___ \ \_\ \ __/|\ \ \\\__\ \ \ \ \ \ \___|_
\ \ __ \ \ _ _\ \ \ \ \ \ \_|/_\ \ \\|__| \ \ \ \ \_____ \
\ \ \ \ \ \ \\ \| \ \ \ \ \ \_|\ \ \ \ \ \ \ \ \|____|\ \
\ \__\ \__\ \__\\ _\ \ \__\ \ \_______\ \__\ \ \__\ \__\____\_\ \
\|__|\|__|\|__|\|__| \|__| \|_______|\|__| \|__|\|__|\_________\
\|_________|
################################# Description ###########################################
# Artemis works by monitoring a specific directory for new files. When a new file #
# is added to the directory, a child process decides which actions are required in #
# order to determine whether the file poses any threat to the network. First, #
# a hash of the file is created and compared against hashes of files that have #
# already been scanned and logged in the database. If the hash matches a file and #
# the result of the previous scan indicated that the file was infected, an alert #
# email is dispatched. If the hash is not present in the database and the number of #
# current scans is below the max concurrent scan threshold, the child will #
# begin the scanning process. If the max concurrent scans threshold has already #
# been reached, then the file is added to a queue. Artemis will scan the files that #
# have been queued as worker slots open up and more resources become available. #
#########################################################################################
#################################### Notes ##############################################
# Artemis was designed for, and tested on, Ubuntu 16.04 running Security Onion NSM. #
# At a minimum, Artemis requires that the Bro NSM be installed. Bro is utilized #
# to extract executable files from the network data stream in order to inspect them #
# for known viruses. Artemis "may" be compatible with other flavors of Debian #
# Linux, so long as the systemd service manager is utilized; however, Ubuntu is the #
# only flavor that has been tested and is currently supported. #
# #
# Ubuntu 16.04 downloads: #
# http://releases.ubuntu.com/xenial/ #
# #
# For more information about Security Onion visit: #
# https://securityonion.net/ #
# #
# For more information about Bro visit: #
# https://www.bro.org/ #
# #
# Questions, suggestions, and problem reporting: #
# https://groups.google.com/forum/#!forum/artemis-ntvm #
# #
#########################################################################################
########################### Installation instructions ######################################
# Enter the Artemis directory and run the Artemis install script
cd artemis
sudo ./artemis-installer
# or create an answer file using the install.conf template in the artemis/conf/ directory
# and run the installer in automated mode
sudo ./artemis-installer -f <answer file>
Example: sudo ./artemis-isntaller -f ./conf/install.conf
########################### Uninstall Instructions #########################################
# Run installer in uninstall mode and follow the prompts
sudo ./artemis-installer -u
#################################### Usage #################################################
Artemis Network Traffic Virus Monitor
Usage: artemis [OPTION]
Options:
-h This message
-v Print version information
-f Flush the hash cache
-w <SHA256 Hash> Add a SHA256 hash to the whitelist
-b <SHA256 Hash> Add a SHA256 hash to the blacklist
############################### Auxiliary Scripts ###########################################
Tracks - Artemis log interface
Usage: tracks [Time OPTION]...[Query OPTION]
If no Time option is selected or if it is placed after the Query option, the time period will default to the last 24 hours
Time Period Options:
-D <YYYY-MM-HH> Specific date
-M <YYYY-MM> Specific month
-Y <YYYY> Specific year
-H <HH> Specific hour of current day
-d <n> Last n number of days
-w <n> Last n number of weeks
-m <n> Last n number of months
-y <n> Last n number of years
-r <n> Last n number of hours
-i <n> Last n number of minutes
-R <Start> <End> Specific start and end Date/Time in YYYY-MM-DD HH:MM:SS format
-a all
Query options:
-F <SHA256 Hash> Query file(s) by hash
-S <Source IP> Query file(s) by source IP address
-T <Destination IP> Query file(s) by destination IP address
-I <Source or Destination IP> Query files(s) by Source or Destination IP address
-f <Filename> Query file by filename
Additional option:
-p Purge all log data
arteStat - Artemis statistical report generator
Usage: arteStat [OPTION]...
Report Period Options:
-D <YYYY-MM-HH> Specific date
-M <YYYY-MM> Specific month
-Y <YYYY> Specific year
-H <HH> Specific hour of current day
-d <n> Last n number of days
-w <n> Last n number of weeks
-m <n> Last n number of months
-y <n> Last n number of years
-r <n> Last n number of hours
-i <n> Last n number of minutes
-R <Start> <End> Specific start and end Date/Time in YYYY-MM-DD HH:MM:SS format
# exit