LiSa is an automated sandbox tool for comprehensive Linux malware analysis across multiple CPU architectures.
Sandbox for automated Linux malware analysis.
LiSa is designed for security analysts and researchers to perform automated static, dynamic, and network analysis of Linux malware samples in a controlled sandbox environment. It enables detection and investigation of malicious behaviors, network communications, and endpoint threats on various CPU architectures, facilitating malware research and incident response.
LiSa is deployed with Docker and docker-compose; samples for other CPU architectures run in QEMU-emulated guests. Network traffic from the sandbox can be routed through OpenVPN by mounting the OpenVPN config into the container and setting the documented environment variables, which lets a sample reach its infrastructure without exposing the analyst's own egress address while the traffic is still captured for analysis. Geolocation of contacted hosts requires a MaxMind GeoLite2 license key. Custom IP blacklists are added as .ipset or .netset files in the data directory; because they are baked into the worker image, they must be in place before docker-compose build is run. Analysis can be extended with plugin sub-analysis modules.
Clone the repository: git clone https://github.com/danieluhricek/lisa (clones the LiSa repository to your local machine).
Change into the directory: cd lisa
Build the Docker images: docker-compose build (builds the images for the LiSa services; add any custom blacklists to the data directory before this step, since they are baked into the worker image).
Start the sandbox: docker-compose up (starts the LiSa sandbox environment and the web frontend).
Optionally run several workers: docker-compose up --scale worker=10 (starts 10 worker containers so samples are analyzed in parallel).
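The deployment steps above are easy to get wrong in ways that only show up after a long build: a blacklist file with the wrong extension is silently ignored by the worker image, and an OpenVPN config without a server entry brings up a worker with no tunnel. The pre-flight script below is an added example, not part of the LiSa project. It assumes a script name of lisa_preflight.sh, a blacklist directory given by LISA_BLACKLIST_DIR (defaulting to data, since the page only says "the data directory"), and a DRY_RUN variable for printing the commands instead of running them; all three are illustrative names, not LiSa configuration.

```shell
#!/bin/sh
# Pre-flight checks before building and starting LiSa with docker-compose.
# Added example, not LiSa's own code. Names marked ASSUMED are illustrative.

set -u

# Fail early if docker or docker-compose is not on PATH.
check_tools() {
    for tool in docker docker-compose; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    return 0
}

# Blacklists are baked into the worker image at build time, so check the
# directory before `docker-compose build`. Only *.ipset and *.netset files
# are accepted; anything else is reported and the check fails.
check_blacklists() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # empty directory: glob stays literal
        case "$f" in
            *.ipset|*.netset) ;;
            *) echo "unexpected blacklist file: $f" >&2; status=1 ;;
        esac
    done
    return $status
}

# An OpenVPN client config must name at least one server with a `remote`
# line; without it the worker starts but nothing is tunnelled.
check_vpn_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "vpn config not readable: $cfg" >&2; return 1; }
    grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+' "$cfg" || {
        echo "vpn config has no remote directive: $cfg" >&2; return 1; }
    return 0
}

# Compose the start command for N workers; N=1 is the plain `docker-compose up`.
compose_up_cmd() {
    n=${1:-1}
    if [ "$n" -gt 1 ] 2>/dev/null; then
        echo "docker-compose up --scale worker=$n"
    else
        echo "docker-compose up"
    fi
}

# Usage: ./lisa_preflight.sh [workers] [openvpn_config]
main() {
    workers=${1:-1}
    vpn=${2:-}
    check_tools || exit 1
    check_blacklists "${LISA_BLACKLIST_DIR:-data}" || exit 1   # ASSUMED variable/path
    if [ -n "$vpn" ]; then
        check_vpn_config "$vpn" || exit 1
    fi
    cmd=$(compose_up_cmd "$workers")
    if [ "${DRY_RUN:-0}" = 1 ]; then                          # ASSUMED variable
        echo "would run: docker-compose build && $cmd"
    else
        # $cmd holds only simple words, so plain word splitting is safe here.
        docker-compose build && $cmd
    fi
}

# Run main only when executed as the script itself (ASSUMED file name),
# so the check functions can also be sourced from another shell script.
case "$0" in *lisa_preflight.sh) main "$@" ;; esac
```

Run it as DRY_RUN=1 ./lisa_preflight.sh 10 client.ovpn to see the exact docker-compose invocation without touching Docker; drop DRY_RUN to build the images and bring up the stack with ten workers once the checks pass.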