{"id":43550045,"url":"https://github.com/danielpoliakov/lisa","last_synced_at":"2026-02-03T19:16:26.657Z","repository":{"id":37765760,"uuid":"181665471","full_name":"danielpoliakov/lisa","owner":"danielpoliakov","description":"Sandbox for automated Linux malware analysis.","archived":false,"fork":false,"pushed_at":"2023-05-01T20:33:26.000Z","size":3945,"stargazers_count":479,"open_issues_count":24,"forks_count":90,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-05-07T15:17:17.074Z","etag":null,"topics":["internet-of-things","iot","linux","linux-sandbox","lisa","malware","malware-analysis","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danielpoliakov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-04-16T10:13:44.000Z","updated_at":"2025-04-30T13:31:52.000Z","dependencies_parsed_at":"2025-05-07T15:17:18.838Z","dependency_job_id":"5892ba01-2aed-4dcf-a8cd-81544f1f8430","html_url":"https://github.com/danielpoliakov/lisa","commit_stats":null,"previous_names":["danieluhricek/lisa"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/danielpoliakov/lisa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielpoliakov%2Flisa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielpoliakov%2Flisa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielpoliakov%2Flisa/releases","manifests_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/danielpoliakov%2Flisa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/danielpoliakov","download_url":"https://codeload.github.com/danielpoliakov/lisa/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielpoliakov%2Flisa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29054216,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T15:43:47.601Z","status":"ssl_error","status_checked_at":"2026-02-03T15:43:46.709Z","response_time":96,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["internet-of-things","iot","linux","linux-sandbox","lisa","malware","malware-analysis","security"],"created_at":"2026-02-03T19:13:17.367Z","updated_at":"2026-02-03T19:16:21.010Z","avatar_url":"https://github.com/danielpoliakov.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp\u003e\n    \u003cimg width=\"300\" height=\"auto\" src=\"web_frontend/src/logo-white.png\" alt=\"LiSa\" /\u003e\n\u003c/p\u003e\n\nProject providing automated Linux malware analysis on various CPU architectures.\n\n**Table of contents**\n\n- [Features](#features)\n- [Get Started](#get-started)\n- [Configuration](#configuration)\n  - [Web hosting](#web-hosting)\n  - [Scaling](#scaling)\n  - [VPN](#vpn)\n  - [Blacklists](#blacklists)\n- 
[Adding new sub-analysis modules](#adding-new-sub-analysis-modules)\n- [Upcoming features](#upcoming-features)\n- [Contribute](#contribute)\n- [Related work](#related-work)\n- [License](#license)\n\n![LiSa](web_frontend/lisa.gif)\n\n## Features\n\n- QEMU emulation.\n- Currently supporting x86_64, i386, arm, mips, aarch64.\n- Small images built w/ [buildroot](https://buildroot.org/).\n- Radare2 based static analysis.\n- Dynamic (behavioral) analysis using SystemTap kernel modules - captured syscalls, openfiles, process trees.\n- Network statistics and analysis of DNS, HTTP, Telnet and IRC communication.\n- Endpoints analysis and blacklists configuration.\n- Scaled with celery and RabbitMQ.\n- REST API | frontend.\n- Extensible through sub-analysis modules and custom images.\n\n## Get Started\n\n**Requirements**\n\n- [Docker](https://docs.docker.com/install/)\n- [docker-compose](https://docs.docker.com/compose/install/)\n\n1. Get repository.\n\n```\n$ git clone https://github.com/danieluhricek/lisa\n$ cd lisa\n```\n\n2. Build.\n\n```\n# docker-compose build\n```\n\n3. Run the sandbox (default location: http://localhost:4242).\n\n```\n# docker-compose up\n```\n\n## Configuration\n\n### MaxMind GeoLite2\n\n[Sign up](https://www.maxmind.com/en/geolite2/signup) to get your API key. 
Use the API key in the docker-compose.yml build args section.\n\n```\n.\n.\n  worker:\n    image: lisa-worker\n    build:\n      context: .\n      dockerfile: ./docker/worker/Dockerfile\n      args:\n        maxmind_key: YOUR_KEY\n    volumes:\n      - \"./data/storage:/home/lisa/data/storage\"\n      .\n      .\n      .\n.\n.\n```\n\n### Web hosting\n\nSet up your server's IP:port in the nginx service in docker-compose.yml.\n\n```\n.\n.\n  nginx:\n    image: lisa-nginx\n    build:\n      context: .\n      dockerfile: ./docker/nginx/Dockerfile\n      args:\n        webhost: \u003cmyip|default=localhost\u003e:\u003cport\u003e\n    ports:\n      - \u003cport\u003e:80\n.\n.\n```\n\n### Scaling\n\nWorkers are scalable.\n\n```\n# docker-compose up --scale worker=10\n```\n\n### VPN\n\nYou can route malware's traffic through OpenVPN. In order to do that:\n\n1. Mount a volume containing the OpenVPN config (named config.ovpn).\n2. Set the environment variable `VPN` to the OpenVPN config's directory path.\n\n```\n.\n.\n  worker:\n    image: lisa-worker\n    build:\n      context: .\n      dockerfile: ./docker/worker/Dockerfile\n    environment:\n      - VPN=/vpn\n    volumes:\n      - \"./data/storage:/home/lisa/data/storage\"\n      - \"./vpn:/vpn\"\n.\n.\n```\n\n### Blacklists\n\nThe blacklists used by default are ([source](https://github.com/firehol/blocklist-ipsets)):\n\n- bi_ssh_2_30d.ipset\n- firehol_level3.netset\n- firehol_webserver.netset\n- iblocklist_abuse_zeus.netset\n- normshield_all_wannacry.ipset\n\nIf you want to use any other blacklist, put .ipset or .netset files into `data/blacklists`. All of these blacklists are merged during the build of the `worker` service.\n\n## Adding new sub-analysis modules\n\nThe core of the LiSa project supports 4 basic analysis modules: `static_analysis`, `dynamic_analysis`, `network_analysis` and `virustotal`.\nSub-analysis modules are plugin-based. To add a new sub-analysis and append its output to the final JSON, do the following:\n\n1. 
Create a class which inherits from the `AbstractSubAnalyzer` class and implements the `run_analysis()` method, e.g.:\n\n```python\nclass NewSubAnalyzer(AbstractSubAnalyzer):\n    def run_analysis(self):\n        pass\n```\n\n2. Update the list in `lisa.config.py`:\n\n```python\nanalyzers_config = [\n    # core analyzers\n    'lisa.analysis.static_analysis.StaticAnalyzer',\n    'lisa.analysis.dynamic_analysis.DynamicAnalyzer',\n    'lisa.analysis.network_analysis.NetworkAnalyzer',\n    'lisa.analysis.virustotal.VirusTotalAnalyzer',\n\n    # custom\n    'module_of_new_analyzer.NewSubAnalyzer'\n]\n\n```\n\n## Running tests\n\n```\n# docker build -f ./docker/tests/Dockerfile -t lisa-tests .\n# docker run lisa-tests\n```\n\n## Upcoming features\n\n1. **YARA module** - YARA module to match patterns in LiSa's JSON output.\n2. **Images selection** - More Linux images containing e.g. IoT firmware.\n\n## Contribute\n\nContributions | feedback | issues | pull requests are welcome.\n\n## Related work\n\n- [LiSa - Multiplatform Linux Sandbox for Analyzing IoT Malware](http://excel.fit.vutbr.cz/submissions/2019/058/58.pdf)\n- [Understanding Linux Malware](http://www.s3.eurecom.fr/~yanick/publications/2018_oakland_linuxmalware.pdf)\n- [LiSa. Linux Sand Box with Chad Seaman and Johnathan Respeto](https://www.youtube.com/watch?v=qed7ZnnkxZM)\n\n## License\n\nLiSa is licensed under [Apache License 2.0](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielpoliakov%2Flisa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanielpoliakov%2Flisa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielpoliakov%2Flisa/lists"}