A production-grade Linux malware detection & analysis platform that combines static (YARA), dynamic (eBPF/strace sandbox tracing), and behavioral/anomaly (auditd + osquery + correlation rules) techniques.
## Architecture

The system follows a modular pipeline architecture:

```text
File Watcher → Static Scanner (YARA) → Sandbox (Dynamic Tracer) → Correlation Engine → Storage/Alerting
                                                                          ↑
Live Monitor (auditd/osquery) ────────────────────────────────────────────┘
```
- File Watcher: Monitors directories for new/modified files using inotify
- Static Scanner: YARA-based signature scanning with hot-reloadable rules
- Sandbox Container: Isolated execution environment for dynamic analysis
- Dynamic Tracer: eBPF/strace-based syscall tracing
- Live Monitor: Real-time system monitoring via auditd and osquery
- Correlation Engine: Rule-based engine (with optional ML) that correlates events into incidents
- Storage: NDJSON (canonical), SQLite (local), Elastic (optional)
- REPL Interface: Interactive command-line interface for incident triage
## Requirements

- Python 3.11+
- Docker or Podman
- YARA libraries
- BCC tools (optional, falls back to strace)
- osquery (optional)
- auditd (optional)
See docs/install.md for detailed installation instructions.
## Quick Start

```bash
# Clone the repository
git clone <repository-url>
cd linux-malware-detection

# Install dependencies
pip install -r requirements.txt

# Install package in development mode (recommended)
pip install -e .

# Or set PYTHONPATH for development
export PYTHONPATH=$PWD/src:$PYTHONPATH

# Configure
cp examples/config.yaml /etc/msdetector/config.yaml
# Edit /etc/msdetector/config.yaml as needed

# Run as daemon (requires systemd)
sudo systemctl start msdetectord

# Or run interactively (after pip install -e .)
msdetectord --config /path/to/config.yaml

# Or with PYTHONPATH set
PYTHONPATH=src python -m msdetectord.main --config /path/to/config.yaml

# Or use helper script
./scripts/run_daemon.sh --config /path/to/config.yaml
```

Start the REPL:

```bash
msdetector-repl
```

See docs/usage.md for REPL commands and usage examples.
## Features

- Static Analysis: YARA rule scanning with hot-reload support
- ELF Analysis: Deep inspection of Linux executables with suspicious pattern detection
- Dynamic Analysis: Container-based sandbox with eBPF/strace tracing
- Live Monitoring: Real-time auditd and osquery event ingestion
- Correlation: Advanced rule-based incident detection with 8+ correlation rules
- Machine Learning: Optional ML-based anomaly detection and confidence scoring
- Web Dashboard: Real-time web interface for monitoring incidents and events
- REST API: Full REST API for programmatic access and integration
- Storage: Multiple storage backends (NDJSON, SQLite, Elastic)
- Alerting: Multiple alert outputs (console, webhook, syslog)
- REPL Interface: Interactive incident triage and analysis
- Security: Least privilege execution, sandbox isolation, rate limiting
## Project Structure

```text
msdetector/
├── README.md
├── docs/            # Documentation
├── src/
│   ├── msdetectord/ # Main daemon code
│   └── cli/         # REPL interface
├── tests/           # Unit and integration tests
├── docker/          # Docker images
├── systemd/         # Systemd service files
└── examples/        # Example configs, rules, queries
```
## Documentation

- Installation Guide
- Configuration Reference
- Usage Guide
- Testing Guide
- Web Dashboard Guide
- ELF Analysis Guide
- ML Integration Guide
## Safety

**IMPORTANT:** This platform is designed for security analysis. When testing:
- Never run real malware on production systems
- Use isolated lab environments for unknown samples
- All test samples provided are synthetic/benign (EICAR, test scripts)
- Sandbox isolation prevents network access and resource exhaustion
- See docs/testing.md for safety guidelines
## Development

```bash
# Install development dependencies
pip install -r requirements-dev.txt

# Run tests
pytest

# Run integration tests
docker-compose -f tests/integration/docker-compose.yml up --build

# Type checking
mypy src/

# Linting
flake8 src/
```

## License

[Specify license]

## Contributing

[Contributing guidelines]