Removing CAPA and FLOSS #413

merged 3 commits into from
Nov 16, 2023
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,9 @@
# Changelog
Changes to the project will be tracked in this file via the date of change.

## 2023-11-15
- Removed `ScanCapa` and `ScanFloss` from scanners, dependencies, and tests

## 2023-11-04
- Added `ScanIqy` to target and extract network addressed from IQY (Internet Query) files
- Added tests for `ScanIqy`
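Review bot: the 2023-11-15 entry states that `ScanCapa` and `ScanFloss` were removed from scanners, dependencies, and tests, but the files shown in this view (CHANGELOG.md, the backend Dockerfile, backend.yaml, docs/README.md and the Kubernetes configmap) contain no scanner module, test file or Python dependency changes; confirm that those removals are part of the merged commits, or narrow the entry to the Dockerfile, configuration and documentation changes that are visible here.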
25 changes: 6 additions & 19 deletions build/python/backend/Dockerfile
@@ -7,7 +7,6 @@ LABEL maintainer="Target Brands, Inc. [email protected]"
ARG CONFIG_TESTS=false

ARG YARA_VERSION=4.3.1
ARG CAPA_VERSION=6.1.0
ARG EXIFTOOL_VERSION=12.60

# Environment variables
@@ -91,23 +90,6 @@ RUN apt-get -q update && \
perl Makefile.PL && \
make -s && \
make -s install && \
# Install FireEye CAPA rules and signatures
mkdir -p /etc/capa/rules/ && \
curl -OL https://github.com/mandiant/capa-rules/archive/refs/tags/v$CAPA_VERSION.zip && \
unzip v$CAPA_VERSION.zip -d /etc/capa/rules/ && \
rm -rf v$CAPA_VERSION.zip && \
mkdir -p /etc/capa/signatures/ && \
cd /etc/capa/signatures/ && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/1_flare_msvc_rtf_32_64.sig && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/2_flare_msvc_atlmfc_32_64.sig && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/3_flare_common_libs.sig && \
# Install FireEye FLOSS
# - Binary installation, not supported as Python 3 plugin
# - Requires binary to be executable
cd /tmp/ && \
curl -OL https://s3.amazonaws.com/build-artifacts.floss.flare.fireeye.com/travis/linux/dist/floss && \
chmod +x /tmp/floss && \
mv /tmp/floss /bin/floss && \
# Install YARA
cd /tmp/ && \
curl -OL https://github.com/VirusTotal/yara/archive/v$YARA_VERSION.tar.gz && \
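Review bot: dropping this block also removes two unverified downloads from the image build, since the capa signature files were fetched from the unpinned `master` branch and the FLOSS binary from a public S3 URL, neither with a checksum or signature check, and the `$CAPA_VERSION` build argument removed in the first hunk is no longer referenced. The `&& \` chain stays intact because `make -s install && \` now continues into the existing `cd /tmp/ && \` of the YARA step; please confirm that nothing else in the build, compose or test setup still expects `/etc/capa/rules/`, `/etc/capa/signatures/` or `/bin/floss`.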
@@ -204,9 +186,14 @@ RUN cd /strelka/ && \
USER $USERNAME

# Run build checks
# Use --build-arg SCANNER_TEST=test_scan_<scannername>.py to ignore all but selected scanner
# ex: docker-compose build --build-arg SCANNER_TEST=test_scan_yara.py
ARG SCANNER_TEST=""

# Run tests. Fail build if any tests fail.
RUN echo '[+] Run build checks' && \
cd /strelka/strelka/ && \
python3 -m pytest -p no:cacheprovider -s tests/ && \
if $SCANNER_TESTS; then python3 -m pytest -p no:cacheprovider -s tests/$SCANNER_TEST; fi && \
if $CONFIG_TESTS; then python3 -m pytest -s tests_configuration/; fi && \
echo '[+] Done'
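Review bot: `if $SCANNER_TESTS; then ... fi` tests a variable that is not declared in this hunk (the build argument above is `SCANNER_TEST`, singular), so unless it is defined elsewhere the expansion is empty and the line becomes `if ; then`, a shell syntax error that fails the build; and even with the name corrected, an unconditional `python3 -m pytest -p no:cacheprovider -s tests/` runs first, so the filter never "ignores all but selected scanner" as the comment promises. Suggest testing the argument directly and choosing one run, e.g. `if [ -n "$SCANNER_TEST" ]; then python3 -m pytest -p no:cacheprovider -s tests/$SCANNER_TEST; else python3 -m pytest -p no:cacheprovider -s tests/; fi && \`. This test-filter change is also unrelated to the CAPA/FLOSS removal described in the title and changelog and would be easier to review as its own PR.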

22 changes: 0 additions & 22 deletions configs/python/backend/backend.yaml
@@ -68,19 +68,6 @@ scanners:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
# 'ScanCapa':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# - 'application/x-sharedlib'
# - 'elf_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# location_rules: '/etc/capa/rules/'
# location_signatures: '/etc/capa/signatures/'
# scanner_timeout: 20
# 'ScanCcn':
# - positive:
# flavors:
@@ -174,15 +161,6 @@ scanners:
- 'image/heic'
- 'image/heif'
priority: 5
# 'ScanFloss':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# limit: 100
'ScanFooter':
- positive:
flavors:
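Review bot: both removed blocks were already commented out, so this file change alters no runtime scanner configuration; the identical blocks are removed from the Kubernetes configmap, which keeps the two configurations in sync. Worth checking that the scanner loader and any scanner registry do not still import `ScanCapa` or `ScanFloss`, since those modules are not touched in the files visible here.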
2 changes: 0 additions & 2 deletions docs/README.md
@@ -744,7 +744,6 @@ The table below describes each scanner and its options. Each scanner has the hid
| ScanBatch | Collects metadata from batch script files | N/A |
| ScanBase64 | Decodes base64-encoded files | N/A | [Nathan Icart](https://github.com/nateicart)
| ScanBzip2 | Decompresses bzip2 files | N/A |
| ScanCapa | Analyzes executable files with FireEye [capa](https://github.com/fireeye/capa) | `tempfile_directory` -- location where `tempfile` will write temporary files (defaults to `/tmp/`)<br>`location_rules` -- location of the capa rules file or directory (defaults to `/etc/capa/rules/`)<br>`location_signatures` -- location of the capa signature file or directory (defaults to `/etc/capa/signatures/`) |
| ScanCcn | Flags files containing credit card formatted numbers | N/A | [Ryan O'Horo](https://github.com/ryanohoro) |
| ScanCuckoo | Sends files to a Cuckoo sandbox | `url` -- URL of the Cuckoo sandbox (defaults to None)<br>`priority` -- Cuckoo priority assigned to the task (defaults to `3`)<br>`timeout` -- amount of time (in seconds) to wait for the task to upload (defaults to `10`)<br>`unique` -- boolean that tells Cuckoo to only analyze samples that have not been analyzed before (defaults to `True`)<br>`username` -- username used for authenticating to Cuckoo (defaults to None, optionally read from environment variable "CUCKOO_USERNAME")<br>`password` -- password used for authenticating to Cuckoo (defaults to None, optionally read from environment variable "CUCKOO_PASSWORD") |
| ScanDonut | Decrypts, extracts config and embedded payloads from Donut loader payloads (https://github.com/TheWover/donut) using donut-decrypt (https://github.com/volexity/donut-decryptor/) | | [Ryan O'Horo](https://github.com/ryanohoro) |
@@ -756,7 +755,6 @@ The table below describes each scanner and its options. Each scanner has the hid
| ScanEntropy | Calculates entropy of files | N/A |
| ScanExiftool | Collects metadata parsed by Exiftool | `tempfile_directory` -- location where tempfile writes temporary files (defaults to `/tmp/`)<br>`keys` -- list of keys to log (defaults to all) |
| ScanFalconSandbox | Sends files to an instance of Falcon Sandbox | `server` -- URL of the Falcon Sandbox API inteface <br>`priority` -- Falcon Sandbox priority assigned to the task (defaults to `3`)<br>`timeout` -- amount of time (in seconds) to wait for the task to upload (defaults to `60`)<br>`envID` -- list of numeric envrionment IDs that tells Falcon Sandbox which sandbox to submit a sample to (defaults to `[100]`)<br>`api_key` -- API key used for authenticating to Falcon Sandbox (defaults to None, optionally read from environment variable "FS_API_KEY")<br>`api_secret` -- API secret key used for authenticating to Falcon Sandbox (defaults to None, optionally read from environment variable "FS_API_SECKEY") |
| ScanFloss | Analyzes executable files with FireEye [floss](https://github.com/fireeye/flare-floss) | `tempfile_directory` -- location where `tempfile` will write temporary files (defaults to `/tmp/`)<br>`limit` -- Maximum amount of strings to collect. (defaults to `100`) |
| ScanFooter | Collects file footer | `length` -- number of footer characters to log as metadata (defaults to `50`) <br> `encodings` -- list of output encodings, any of `classic`, `raw`, `hex`, `backslash` |
| ScanGif | Extracts data embedded in GIF files | N/A |
| ScanGzip | Decompresses gzip files | N/A
22 changes: 0 additions & 22 deletions misc/kubernetes/backend-configmap.yaml
@@ -42,19 +42,6 @@ data:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
# 'ScanCapa':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# - 'application/x-sharedlib'
# - 'elf_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# location_rules: '/etc/capa/rules/'
# location_signatures: '/etc/capa/signatures/'
# scanner_timeout: 20
'ScanDocx':
- positive:
flavors:
@@ -168,15 +155,6 @@ data:
- 'ImageHeight'
- 'ImageWidth'
tmp_directory: '/dev/shm/'
# 'ScanFloss':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# limit: 100
'ScanFooter':
- positive:
flavors: