{"id":13756090,"url":"https://github.com/Neo23x0/Fenrir","last_synced_at":"2025-05-10T03:30:48.785Z","repository":{"id":42700088,"uuid":"43861569","full_name":"Neo23x0/Fenrir","owner":"Neo23x0","description":"Simple Bash IOC Scanner","archived":false,"fork":false,"pushed_at":"2022-02-12T09:33:35.000Z","size":637,"stargazers_count":730,"open_issues_count":1,"forks_count":108,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-05-02T22:52:00.031Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Neo23x0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-10-08T03:55:35.000Z","updated_at":"2025-04-25T21:09:48.000Z","dependencies_parsed_at":"2022-07-07T22:29:36.883Z","dependency_job_id":null,"html_url":"https://github.com/Neo23x0/Fenrir","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neo23x0%2FFenrir","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neo23x0%2FFenrir/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neo23x0%2FFenrir/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neo23x0%2FFenrir/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Neo23x0","download_url":"https://codeload.github.com/Neo23x0/Fenrir/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253358069,"owners_count":21895967,"icon_url":"https://github.
com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T11:00:36.034Z","updated_at":"2025-05-10T03:30:48.489Z","avatar_url":"https://github.com/Neo23x0.png","language":"Shell","funding_links":[],"categories":["IR Tools Collection","Tools","Detection \u0026 Remediation","IR tools Collection","Operating Systems"],"sub_categories":["Scanner Tools","IOC Scanner","Other Tools","Linux"],"readme":"[![Active Development](https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)\n\n# Fenrir\nSimple Bash IOC Scanner\n\nFenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs):\n\n- Hashes\n\n   MD5, SHA1 and SHA256 (using md5sum, sha1sum, sha -a 256)\n\n- File Names \n\n   string - checked for substring of the full path, e.g. \"temp/p.exe\" in \"/var/temp/p.exe\"\n\n- Strings\n\n   grep in files\n   \n- C2 Server\n   \n   checking for C2 server strings in 'lsof -i' and 'lsof -i -n' output  \n\n- Hot Time Frame\n\n   using stat in different modes - define min and max epoch time stamp and get all files that have been created in between\n   \nBasic characteristics:\n- Bash Script\n- No installation or agent needed\n- Uses common tools to extract attributes (e.g. 
md5sum, grep, stat in different modes)\n- Intended to run on any Linux / Unix / OS X with Bash\n- Low footprint - Ansible playbook with RAM drive solution\n- Smart exclusions (file size, extension, certain directories) speeds up the scan process\n\n# Why Fenrir?\nFENRIR is the 3rd tool after THOR and LOKI. [THOR](http://www.bsk-consulting.de/apt-scanner-thor/) is our full featured APT Scanner with many modules and export types for corporate customers. [LOKI](https://github.com/Neo23x0/Loki) is a free and open IOC scanner that uses [YARA](https://plusvic.github.io/yara/) as signature format. \n\nThe problem with both predecessors is that both have certain requirements on the Linux platform. We build THOR for a certain Linux version in order to match the correct libc that is required by the YARA module. LOKI requires Python and YARA installed on Linux to run.\n\nWe faced the problem of checking more than 100 different Linux systems for certain Indicators of Compromise (IOCs) without installing an agent or software packages. We already had an [Ansible](http://www.ansible.com/) playbook for the distribution of THOR on a defined set of Linux remote systems. This playbook creates a RAM drive on the remote system, copies the local program binary to the remote system, runs it and retrieves the logs afterwards. This ensures that the program's footprint on the remote system is minimal. I adapted the Ansible playbook for Fenrir. (it is still untested)\n\nFenrir is still 'testing'. Please report back errors (and solutions) via the \"Issues\" section here on github. \n\nIf you find a better / more solid / less error-prone solution to the evaluations in the script, please report them back. I am not a full-time bash programmer so I'd expect some room for improvement. 
\n\n# Usage\n\n```\nUsage: ./fenrir.sh DIRECTORY\n \nDIRECTORY - Start point of the recursive scan\n```\n\nAll settings can be configured in the header of the script.\n\n![Settings](./screens/fenrir2.png)\n\n# Step by Step\n\nWhat Fenrir does is:\n- Reads the IOC files\n- Takes a parameter as starting directory for the recursive walk\n- Checks C2 servers in lsof output\n- Checks for directory exclusions (configurable in the script header)\n- Checks for the file extensions to scan (configurable in the script header)\n- Checks the file name (full path) for matches in IOC files\n- Checks for file size exclusions (configurable in the script header)\n- Checks for certain strings in the file (via grep)\n- Checks for certain hash values\n- Checks the change/creation time stamp against the configured hot time frame\n\n# Screenshots\n\nScan run showing the different match types on a demo directory.\n\n![Scan Run](./screens/fenrir1.png)\n\nDetect C2 connections\n\n![C2 connections](./screens/fenrir4.png)\n\nDetect strings in GZIP packed log files\n\n![Strings in GZIP Logs](./screens/fenrir5.png)\n\nConfiguration\n\n![Configuration](./screens/fenrir2.png)\n\nAnsible Playbook\n\n![Ansible Playbook](./screens/fenrir3.png)\n\nStat issue (regarding the CREATED file stamp on Linux file systems)\n\n![Stat issue](./screens/stat1.png)\n\n# Known Issues\n\n# Contact\n\nvia Twitter @Cyb3rOps\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNeo23x0%2FFenrir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNeo23x0%2FFenrir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNeo23x0%2FFenrir/lists"}
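Added example, not code from the Fenrir repository (it is placed after the record because the README above is embedded in it): the scan steps the README lists, written as one small POSIX shell script so the checks can be read in one place: file name substring match on the full path, directory and size exclusions, hash and string matching, the lsof C2 check, and the hot time frame via stat. The IOC values, the 8192-byte size limit, the exclusion list, the script name ioc_scan.sh and the sample lsof line are constructed assumptions; `stat` modification time stands in for a creation time that Linux does not expose portably, which is the stat issue the README points at.

```shell
#!/usr/bin/env bash
# Added example, not code from the Fenrir repository: a minimal IOC scan that
# walks the same checks the README lists. All IOC values, the size limit and
# the exclusion list below are constructed placeholders.
set -u

# Constructed IOC lists (whitespace separated). Fenrir reads these from files;
# here they are inlined so the example runs stand-alone.
IOC_HASHES="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA256 of an empty file
IOC_FILENAMES="tmp/p.exe"                 # matched as a substring of the full path
IOC_STRINGS="EvilKeyword"                 # grep'ed inside files
IOC_C2="198.51.100.23 evil.example.net"   # looked for in lsof output (constructed)
MAX_FILE_SIZE=8192                        # bytes; larger files are neither hashed nor grep'ed
EXCLUDE_DIRS="/proc /sys"                 # directory prefixes skipped entirely

# SHA256 of a file, portable between GNU coreutils and macOS/BSD.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# File size and modification time with GNU stat, falling back to BSD stat.
file_size()  { stat -c %s "$1" 2>/dev/null || stat -f %z "$1"; }
file_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Recursive scan of $1. Optional $2/$3 give a "hot time frame" in epoch
# seconds. Output: one line per match, TYPE<TAB>PATH<TAB>INDICATOR.
# (Plain variables instead of 'local' to stay POSIX sh compatible.)
scan_dir() {
  root="$1"; min_epoch="${2:-0}"; max_epoch="${3:-0}"
  find "$root" -type f 2>/dev/null | while IFS= read -r f; do
    # directory exclusion: skip anything under an excluded prefix
    for d in $EXCLUDE_DIRS; do
      case "$f" in "$d"/*) continue 2 ;; esac
    done
    # file name IOC: substring match against the full path
    for n in $IOC_FILENAMES; do
      case "$f" in *"$n"*) printf 'FILENAME\t%s\t%s\n' "$f" "$n" ;; esac
    done
    # size exclusion before the expensive checks
    if [ "$(file_size "$f")" -le "$MAX_FILE_SIZE" ]; then
      h=$(file_sha256 "$f")
      for ioc in $IOC_HASHES; do
        if [ "$h" = "$ioc" ]; then printf 'HASH\t%s\t%s\n' "$f" "$ioc"; fi
      done
      for s in $IOC_STRINGS; do
        if grep -q -- "$s" "$f" 2>/dev/null; then printf 'STRING\t%s\t%s\n' "$f" "$s"; fi
      done
    fi
    # hot time frame: modification time, because Linux stat has no portable
    # creation time (the "stat issue" shown in the README)
    if [ "$max_epoch" -gt 0 ]; then
      m=$(file_mtime "$f")
      if [ "$m" -ge "$min_epoch" ] && [ "$m" -le "$max_epoch" ]; then
        printf 'HOTTIME\t%s\t%s\n' "$f" "$m"
      fi
    fi
  done
}

# C2 check: reads lsof-style lines on stdin so it can be fed from
# 'lsof -i -n' or from captured output. Output: C2<TAB>INDICATOR<TAB>LINE
match_c2() {
  while IFS= read -r line; do
    for c in $IOC_C2; do
      case "$line" in *"$c"*) printf 'C2\t%s\t%s\n' "$c" "$line" ;; esac
    done
  done
}

# Stand-alone usage: ./ioc_scan.sh DIRECTORY [MIN_EPOCH MAX_EPOCH]
if [ "${1:-}" != "" ]; then
  scan_dir "$@"
  if command -v lsof >/dev/null 2>&1; then lsof -i -n 2>/dev/null | match_c2; fi
fi
```

The size check runs before hashing and grep so that large files cost only a `stat`, which is the same ordering the README's step list uses; the C2 matcher reads stdin so it can be tested offline against a captured `lsof` line instead of requiring live sockets.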