Question 1

How to use Fenrir to scan an entire server for IOCs?

Accepted Answer

Run the script with the root directory as a parameter, e.g., './fenrir.sh /', after configuring IOC files and exclusions in the script header. Ensure you have proper permissions and adjust settings like file size limits to optimize the scan.

Question 2

Fenrir vs LOKI: which is better for open-source IOC scanning?

Accepted Answer

Fenrir is better for portability and zero dependencies, using only Bash, while LOKI offers more features with YARA support but requires Python and YARA installation. Choose Fenrir for quick scans on restricted systems, LOKI for deeper analysis with custom signatures.

Question 3

Can Fenrir detect malware in compressed files like .gz logs?

Accepted Answer

Yes, Fenrir uses grep to search for strings within compressed log files, as demonstrated in the README screenshots, allowing analysis of archived logs without prior decompression.

Question 4

What system tools does Fenrir depend on to work?

Accepted Answer

Fenrir relies on common Unix utilities such as grep, md5sum, sha1sum, sha256sum, stat, and lsof. It checks for their availability but assumes standard installations, which may vary across platforms.

Question 5

How to add custom file hash IOCs to Fenrir?

Accepted Answer

Edit the IOC files referenced in the script header, adding new hash entries in the specified format (e.g., MD5, SHA1). The script reads these files during initialization to match against scanned files.

Question 6

Is Fenrir suitable for incident response on Mac OS systems?

Accepted Answer

Yes, Fenrir is designed to run on OSX as well as Linux/Unix, using Bash and common tools. However, be cautious of tool differences, like 'stat' output, which might affect time stamp accuracy on some Mac versions.

Fenrir

What is Fenrir?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions