https://github.com/Neo23x0/Loki2

LOKI2 - Simple IOC and YARA Scanner
https://github.com/Neo23x0/Loki2

dfir incident-response iocs scanner yara

Last synced: 2 months ago
JSON representation

LOKI2 - Simple IOC and YARA Scanner

• Host: GitHub
• URL: https://github.com/Neo23x0/Loki2
• Owner: Neo23x0
• License: gpl-3.0
• Created: 2022-10-19T11:40:51.000Z (almost 3 years ago)
• Default Branch: master
• Last Pushed: 2024-07-27T21:29:21.000Z (about 1 year ago)
• Last Synced: 2024-12-09T00:06:12.413Z (10 months ago)
• Topics: dfir, incident-response, iocs, scanner, yara
• Language: Rust
• Homepage:
• Size: 2.09 MB
• Stars: 81
• Watchers: 5
• Forks: 10
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# LOKI2

LOKI - Simple IOC and YARA Scanner

## Status

Work in Progress. This version is not ready for use. There's still some work to do for a first release. 

### What's already implemented

- System reconnaissance (system and hardware information for the log)

- Logging and formatting of the different log outputs

- File system walk

- File time evaluation (MAC timestamps)

- Exclusions based on file characteristics

- IOC initialization - hash values

- IOC matching on files (hashes)

- YARA rule initialization, syntax checks, and error handling

- YARA scanning of files

- YARA scanning of process memory 

### What's still to do

- IOC initialization - file patterns

- IOC initialization - C2 patterns (FQDN, IP)

- IOC matching on files (file patterns)

- C2 IOC matching (process connections)

- File system walk exceptions: network drivers, mounted drives etc.

- Custom exclusions (regex on file path)

- Release workflows (automatically build and provide as release)

# Setup Build Environment

## Requirements

See the files in the folder .github/workflows for steps to setup a build environment for 

- Linux

- macOS

## Providing Signatures 

```bash

git clone https://github.com/Neo23x0/signature-base ../signature-base/

ln -s ../signature-base/ ./signatures

```

## Build

```bash

cargo build

```

## Test Run

```bash

cargo build && ./target/debug/loki --help

```

## Usage

```

Usage: loki [OPTIONS]

LOKI YARA and IOC Scanner

Options:

  -m, --max-file-size         Maximum file size to scan (default: 10000000)

  -s, --show-access-errors    Show all file and process access errors

  -c, --scan-all-files        Scan all files regardless of their file type / extension

  -d, --debug                 Show debugging information

  -t, --trace                 Show very verbose trace output

  -n, --noprocs               Don't scan processes

  -o, --nofs                  Don't scan the file system

  -f, --folder                Folder to scan

  -h, --help                  Show this help message.

```

# Screenshots

LOKI 2 alpha version

![Screenhot of Alpha Version](/screens/screen-alpha.png)