FIR (Fast Incident Response by CERT Société générale) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents.

IRMA is an asynchronous and customizable analysis system for suspicious files.

This plugin adds a menu in the navigation bar of FIR. You can scan files for malwares with your own IRMA installation. When you scan a file, the plugin adds its hashes to the FIR artifacts database. These hashes can be correlated with other files or hashes associated with incidents.

You can start an instance of this plugin as a standalone server. If the standalone server is installed in the same environment as FIR, files scanned with this server are added to the FIR artifacts database. You can manage your users and their rights in the Django admin site.

Warning: This plugin needs some features not merged in the FIR official repository. PRs will be submitted soon!

You'll need a working installation of IRMA (IRMA docs)!

You should install it in a virtualenv. If you plan to use this software as a FIR plugin or you want this software (as a standalone server) to add artifacts in the FIR database, you must use FIR's virtualenv.

(your_env)$ git clone https://github.com/gcrahay/fir_irma_plugin.git
(your_env)$ cd fir_irma_plugin
(your_env)$ python setup.py install

Add fir_irma in $FIR_HOME/fir/config/installed_apps.txt as stated in FIR plugins doc.

Add this line in your urlpatterns list in $FIR_HOME/fir/urls.py:

url(r'^irma/', include('fir_irma.urls', namespace='irma')),

In your $FIR_HOME, launch:

(your_env)$ ./manage.py migrate

Configure settings variables and user permissions (see Configuration).

You have a demo Django project in this repository.

If you want the server to add artifacts in your FIR database, configure DATABASES variable in settings.py accordingly. Make sure that incidents and fir_artifacts are in your INSTALLED_APPS. The SECRET_KEY parameters should be the same as in your FIR settings if you share the database.

Configure settings variables and user permissions (see Configuration). Don't forget to set the IRMA_IS_STANDALONE to True.

• IRMA_BASE_URL: Base URL of your IRMA frontend, default: http://127.0.0.1
• IRMA_HAS_UI: Add user interface URLs (Angular application), default: True
• IRMA_IS_STANDALONE: Use as a standalone server (outside FIR), default: False
• IRMA_ANONYMOUS_SCAN: Anonymous users can scan files, requires IRMA_IS_STANDALONE, default: False
• IRMA_REFRESH_MS: UI refresh timeout during scan in ms, default: 3000

• scan_files: User can submit files. This is the minimal permission. Overriden by IRMA_ANONYMOUS_SCAN in a standalone server.
• read_all_results: Scan results are not filtered. Without this permission, an user can only see results of his own scans.
• can_force_scan: User can bypass the scan cache and force a new scan.

Files listed below are djangoized files from quarkslab/irma-frontend :

• irma_frontend_web/*
• fir_irma/static/irma/*
• fir_irma/templates/views/*
• fir_irma/templates/irma.js
• fir_irma/templates/partial_irma.html
• fir_irma/templates/standalone/standalone_base.html
• fir_irma/templates/standalone/interface.html

These files are under the copyright of Quarkslab and under Apache License Version 2.0.