├── README.md ├── dashboards └── 907d9020-2437-11e9-91fd-0d3328fb90df.json ├── etc ├── cron.d │ └── bro-file-copy ├── filebeat │ └── filebeat.yml ├── logstash │ ├── 6100_strelka.conf │ ├── 9506_strelka.conf │ └── logstash-strelka-template.json ├── strelka │ ├── backend │ │ ├── backend.yaml │ │ ├── logging.yaml │ │ ├── passwords.dat │ │ └── taste │ │ │ └── taste.yara │ ├── docker-compose.yaml │ ├── filestream │ │ └── filestream.yaml │ ├── frontend │ │ └── frontend.yaml │ └── manager │ │ └── manager.yaml └── systemd │ └── system │ └── strelka.service ├── install_strelka └── usr └── sbin ├── so-strelka-restart ├── so-strelka-start └── so-strelka-stop /README.md: -------------------------------------------------------------------------------- 1 | # securityonion-strelka 2 | 3 | ![image](https://user-images.githubusercontent.com/16829864/51959540-ddc9f900-2422-11e9-9fbe-1ea1197c7d96.png) 4 | 5 | #### Work in progress (not officially supported to work with Security Onion -- TEST AT YOUR OWN RISK!) 6 | - Integrates the great work of [@jshlbrd](https://github.com/jshlbrd) ([Strelka](https://github.com/target/strelka)) with Security Onion. 7 | - Tested on standalone and distributed Security Onion deployments. 8 | - **PLEASE NOTE**: [The official Strelka documentation](https://github.com/target/strelka#should-i-run-my-strelka-cluster-on-my-brosuricata-network-sensor) recommends that you install Strelka on a seperate node to perform processing of files without taxing sensor components. These scripts will install Strelka directly on Security Onion (Standalone/Forward Node). Depending on the amount of traffic you are monitoring, and the number of files extracted by Bro (on average), you may indeed see the need to move Strelka (at least the server process) to a dedicated node (on the TODO list to have this as a future option). 9 | - Currently monitors `/nsm/strelka`. 
Files are copied (every minute, by a root cron job in `/etc/cron.d/bro-file-copy` that selects files modified within the last minute) from `/nsm/bro/extracted` to `/nsm/strelka`, then read by Strelka and deleted once processed. Because the copy runs on a one-minute timer, a file Bro is still writing can be copied before it is complete, and a file modified close to the minute boundary may be copied twice or missed. Original files remain in `/nsm/bro/extracted` and are managed by Security Onion as normal. If you have a Security Onion installation with pre-existing extracted files (and you would like them scanned), you will need to manually copy these files to the `/nsm/strelka` directory. 10 | 11 | #### TODO: 12 | - Better parsing/mapping of fields. 13 | - Better correlation with existing log data presented by Security Onion. 14 | - Consider moving/adding the ability to move Strelka server process to master server to avoid taxing sensor components. 15 | - Consider adding [Strelka Bro extraction script](https://github.com/target/strelka/blob/master/etc/bro/extract-strelka.bro). 16 | 17 | ##### Install on Standalone 18 | 19 | - `wget https://raw.githubusercontent.com/weslambert/securityonion-strelka/master/install_strelka && sudo chmod +x install_strelka && sudo ./install_strelka` — the installer is fetched from the repository's `master` branch with no checksum or signature to verify and is then run as root, so review `install_strelka` before executing it. 20 | 21 | ##### Install in Distributed Environment 22 | 23 | Not currently supported by `install_strelka`; these scripts only install Strelka on a standalone/forward node. 24 | 25 | ##### Logs 26 | 27 | - Raw logs are located in `/var/log/strelka/` (on standalone/forward nodes) 28 | 29 | ##### Kibana 30 | - Navigate to `Discover` and type the following in the search field: 31 | `tags:strelka` or `event_type:strelka` 32 | 33 | (May have to refresh field list under Management -> Index Patterns) 34 | -------------------------------------------------------------------------------- /etc/cron.d/bro-file-copy: -------------------------------------------------------------------------------- 1 | # /etc/cron.d/bro-file-copy 2 | # 3 | # Crontab entry (run as root every minute) that copies files from the Bro extracted-files directory to the directory monitored and managed by Strelka. Only files modified within the last minute are selected (`-mmin -1`), so a file Bro is still writing may be copied incomplete, and a file touched near the minute boundary may be copied twice or missed; `cp -p` preserves the original mode and timestamps. The find has no `-type f`, so the directory itself (and any subdirectory) is also handed to `cp`, which refuses it without `-r`; prefer: `* * * * * root /usr/bin/find /nsm/bro/extracted/ -type f -mmin -1 -exec cp -p {} $STRELKADIR \;`
4 | 5 | STRELKADIR=/nsm/strelka 6 | SHELL=/bin/sh 7 | PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 8 | 9 | * * * * * root /usr/bin/find /nsm/bro/extracted/ -mmin -1 -exec cp -p {} $STRELKADIR \; 10 | -------------------------------------------------------------------------------- /etc/filebeat/filebeat.yml: -------------------------------------------------------------------------------- 1 | ###################### Filebeat Configuration Example ######################### 2 | 3 | # This file is an example configuration file highlighting only the most common 4 | # options. The filebeat.reference.yml file from the same directory contains all the 5 | # supported options with more comments. You can use it as a reference. 6 | # 7 | # You can find the full configuration reference here: 8 | # https://www.elastic.co/guide/en/beats/filebeat/index.html 9 | 10 | # For more available modules and options, please see the filebeat.reference.yml sample 11 | # configuration file. 12 | 13 | #=========================== Filebeat inputs ============================= 14 | 15 | filebeat.inputs: 16 | 17 | # Each - is an input. Most options can be set at the input level, so 18 | # you can use different inputs for various configurations. 19 | # Below are the input specific configurations. 20 | 21 | - type: log 22 | 23 | # Change to true to enable this input configuration. 24 | enabled: true 25 | 26 | # Paths that should be crawled and fetched. Glob based paths. 27 | paths: 28 | - /var/log/strelka/*.log 29 | #- c:\programdata\elasticsearch\logs\* 30 | 31 | # Exclude lines. A list of regular expressions to match. It drops the lines that are 32 | # matching any regular expression from the list. 33 | #exclude_lines: ['^DBG'] 34 | 35 | # Include lines. A list of regular expressions to match. It exports the lines that are 36 | # matching any regular expression from the list. 37 | #include_lines: ['^ERR', '^WARN'] 38 | 39 | # Exclude files. 
A list of regular expressions to match. Filebeat drops the files that 40 | # are matching any regular expression from the list. By default, no files are dropped. 41 | #exclude_files: ['.gz$'] 42 | 43 | # Optional additional fields. These fields can be freely picked 44 | # to add additional information to the crawled log files for filtering 45 | #fields: 46 | # level: debug 47 | # review: 1 48 | 49 | ### Multiline options 50 | 51 | # Multiline can be used for log messages spanning multiple lines. This is common 52 | # for Java Stack Traces or C-Line Continuation 53 | 54 | # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [ 55 | #multiline.pattern: ^\[ 56 | 57 | # Defines if the pattern set under pattern should be negated or not. Default is false. 58 | #multiline.negate: false 59 | 60 | # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern 61 | # that was (not) matched before or after or as long as a pattern is not matched based on negate. 62 | # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash 63 | #multiline.match: after 64 | 65 | 66 | #============================= Filebeat modules =============================== 67 | 68 | #filebeat.config.modules: 69 | # Glob pattern for configuration loading 70 | # path: ${path.config}/modules.d/*.yml 71 | 72 | # Set to true to enable config reloading 73 | # reload.enabled: false 74 | 75 | # Period on which files under path should be checked for changes 76 | #reload.period: 10s 77 | 78 | #==================== Elasticsearch template setting ========================== 79 | 80 | #setup.template.settings: 81 | # index.number_of_shards: 3 82 | #index.codec: best_compression 83 | #_source.enabled: false 84 | 85 | #================================ General ===================================== 86 | 87 | # The name of the shipper that publishes the network data. 
It can be used to group 88 | # all the transactions sent by a single shipper in the web interface. 89 | #name: 90 | 91 | # The tags of the shipper are included in their own field with each 92 | # transaction published. 93 | tags: ["strelka"] 94 | 95 | # Optional fields that you can specify to add additional information to the 96 | # output. 97 | #fields: 98 | # env: staging 99 | 100 | 101 | #============================== Dashboards ===================================== 102 | # These settings control loading the sample dashboards to the Kibana index. Loading 103 | # the dashboards is disabled by default and can be enabled either by setting the 104 | # options here, or by using the `-setup` CLI flag or the `setup` command. 105 | #setup.dashboards.enabled: false 106 | 107 | # The URL from where to download the dashboards archive. By default this URL 108 | # has a value which is computed based on the Beat name and version. For released 109 | # versions, this URL points to the dashboard archive on the artifacts.elastic.co 110 | # website. 111 | #setup.dashboards.url: 112 | 113 | #============================== Kibana ===================================== 114 | 115 | # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. 116 | # This requires a Kibana endpoint configuration. 117 | #setup.kibana: 118 | 119 | # Kibana Host 120 | # Scheme and port can be left out and will be set to the default (http and 5601) 121 | # In case you specify and additional path, the scheme is required: http://localhost:5601/path 122 | # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 123 | #host: "localhost:5601" 124 | 125 | #============================= Elastic Cloud ================================== 126 | 127 | # These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/). 128 | 129 | # The cloud.id setting overwrites the `output.elasticsearch.hosts` and 130 | # `setup.kibana.host` options. 
131 | # You can find the `cloud.id` in the Elastic Cloud web UI. 132 | #cloud.id: 133 | 134 | # The cloud.auth setting overwrites the `output.elasticsearch.username` and 135 | # `output.elasticsearch.password` settings. The format is `<user>:<pass>`. 136 | #cloud.auth: 137 | 138 | #================================ Outputs ===================================== 139 | 140 | # Configure what output to use when sending the data collected by the beat. 141 | 142 | #-------------------------- Elasticsearch output ------------------------------ 143 | #output.elasticsearch: 144 | # Array of hosts to connect to. 145 | #hosts: ["localhost:9200"] 146 | 147 | # Optional protocol and basic auth credentials. 148 | #protocol: "https" 149 | #username: "elastic" 150 | #password: "changeme" 151 | 152 | #----------------------------- Logstash output -------------------------------- 153 | output.logstash: 154 | # The Logstash hosts 155 | hosts: ["localhost:5044"] 156 | 157 | # Optional SSL. Off by default; tolerable here only because Logstash is reached over loopback (`localhost:5044`) — enable TLS (and ideally client certificates) if `hosts` is ever pointed at a remote Logstash. 158 | # List of root certificates for HTTPS server verifications 159 | #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] 160 | 161 | # Certificate for SSL client authentication 162 | #ssl.certificate: "/etc/pki/client/cert.pem" 163 | 164 | # Client Certificate Key 165 | #ssl.key: "/etc/pki/client/cert.key" 166 | 167 | #================================ Logging ===================================== 168 | 169 | # Sets log level. The default log level is info; `debug` is set below and is very verbose — with the default selectors Filebeat can write each published event (i.e. the full Strelka scan results) into its own log — so use `info` outside of troubleshooting. 170 | # Available log levels are: error, warning, info, debug 171 | logging.level: debug 172 | 173 | # At debug level, you can selectively enable logging only for some components. 174 | # To enable all selectors use ["*"]. Examples of other selectors are "beat", 175 | # "publish", "service". 176 | #logging.selectors: ["*"] 177 | 178 | #============================== Xpack Monitoring =============================== 179 | # filebeat can export internal metrics to a central Elasticsearch monitoring 180 | # cluster. 
This requires xpack monitoring to be enabled in Elasticsearch. The 181 | # reporting is disabled by default. 182 | 183 | # Set to true to enable the monitoring reporter. 184 | #xpack.monitoring.enabled: false 185 | 186 | # Uncomment to send the metrics to Elasticsearch. Most settings from the 187 | # Elasticsearch output are accepted here as well. Any setting that is not set is 188 | # automatically inherited from the Elasticsearch output configuration, so if you 189 | # have the Elasticsearch output configured, you can simply uncomment the 190 | # following line. 191 | #xpack.monitoring.elasticsearch: 192 | -------------------------------------------------------------------------------- /etc/logstash/6100_strelka.conf: -------------------------------------------------------------------------------- 1 | # Logstash config file to parse scan results from Strelka (https://github.com/target/strelka) on Security Onion. NOTE (review): the ruby filters below compare against `NIL`, a deprecated alias for `nil` that newer Ruby releases remove — use `nil`; and the `begin ... end` around the scan_hash flattening has no `rescue`, so it catches nothing. A `scan_hash` that is not a hash, or an exif/version_info entry lacking its `field`/`name` key, raises inside the filter (Logstash then tags the event `_rubyexception`) instead of being flattened. 2 | # Author: Wes Lambert, wlambertts@gmail.com 3 | # 4 | # Updated by Wes Lambert and Dustin Lee 5 | # 6 | # Last Update: 10/30/2018 7 | 8 | filter { 9 | if "strelka" in [tags] { 10 | 11 | # Parse initial message 12 | json { 13 | source => "message" 14 | } 15 | 16 | # Hoist nested Strelka fields to the top level (exiftool -> exif, PE version info -> version_info, url -> urls); type is forced to "strelka" for the Redis-input case 17 | mutate { 18 | rename => { "[scan_exiftool][exiftool]" => "exif" } 19 | rename => { "[scan_pe][version_info]" => "version_info" } 20 | #rename => { "[scan_pe]" => "pe" } 21 | rename => { "url" => "urls" } 22 | # If Redis input 23 | replace => { "type" => "strelka" } 24 | } 25 | 26 | mutate { 27 | remove_field => [ "scan_exiftool" ] 28 | } 29 | 30 | if [scan_hash] { 31 | ruby { 32 | code => " 33 | begin 34 | dynamicField= event.get('scan_hash') 35 | if dynamicField!= NIL 36 | dynamicField.keys.each{|key| 37 | event.set(key, dynamicField[key]) 38 | } 39 | event.remove('scan_hash') 40 | end 41 | end 42 | " 43 | } 44 | } 45 | 46 | if [exif] { 47 | ruby { 48 | code => "event.get('[exif]').each {|hash| event.set( '[scan_exiftool][' + hash['field'].downcase + ']', 
hash['value']) };" 49 | } 50 | } 51 | 52 | if [version_info] { 53 | ruby { 54 | code => "event.get('[version_info]').each {|hash| event.set( '[scan_pe][' + hash['name'].downcase + ']', hash['value']) };" 55 | } 56 | } 57 | # Filenames containing "Scan" (the regex is unanchored) are kept as filename; anything else is treated as a Bro-extracted file, renamed to extracted_filename, and copied into parse_filename for parsing below 58 | if [request][attributes][filename] =~ /Scan.*/ { 59 | mutate { 60 | rename => { "[request][attributes][filename]" => "filename" } 61 | } 62 | } else { 63 | mutate { 64 | rename => { "[request][attributes][filename]" => "extracted_filename" } 65 | add_field => { "parse_filename" => "%{extracted_filename}" } 66 | } 67 | } 68 | # Derive source and fuid from the extracted filename: dots become "-", the name is split on "-", and the first two pieces are taken as source and fuid (assumes a <source>-<fuid>[.ext] naming convention; other layouts yield wrong values, and a name with a single piece leaves the unresolved "%{[parse_filename][1]}" literal in fuid). Note that source — which Filebeat also populates with the log path — is removed again by the final mutate below, so the parsed value never reaches Elasticsearch; rename it (e.g. bro_source) if it is meant to be kept 69 | if [parse_filename] { 70 | mutate { 71 | #add_field => { "parse_filename" => "%{extracted_filename}" } 72 | gsub => [ "parse_filename", "\.", "-" ] 73 | split => [ "parse_filename" , "-"] 74 | add_field => [ "source", "%{[parse_filename][0]}" ] 75 | add_field => [ "fuid", "%{[parse_filename][1]}" ] 76 | } 77 | } 78 | # Drop Filebeat metadata and intermediate fields (raw message, parse_filename, exif, version_info) and the beat tag before output; this also removes filename and source, so neither the Scan* filename kept above nor the parsed Bro source survives to the index 79 | mutate { 80 | remove_field => [ "host", "results", "sourcefile", "directory", "filename" , "source", "parse_filename", "beat", "exif", "prospector", "elapsed", "message", "version_info" ] 81 | remove_tag => [ "beat" ] 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /etc/logstash/9506_strelka.conf: -------------------------------------------------------------------------------- 1 | # Author: Wes Lambert, wlambertts@gmail.com 2 | # Last Update: 10/10/2018 3 | 4 | filter { 5 | if "strelka" in [tags] { 6 | mutate { 7 | #do nothing 8 | } 9 | } 10 | } 11 | output { 12 | if "strelka" in [tags] { 13 | # stdout { codec => rubydebug } 14 | elasticsearch { 15 | hosts => elasticsearch 16 | index => "logstash-strelka-%{+YYYY.MM.dd}" 17 | template_name => "logstash-strelka" 18 | template => "/logstash-strelka-template.json" 19 | template_overwrite => true 20 | } 21 | } 22 | } 23 | 
-------------------------------------------------------------------------------- /etc/logstash/logstash-strelka-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "index_patterns": ["logstash-strelka-*"], 3 | "version":50001, 4 | "order" : 0, 5 | "settings":{ 6 | "number_of_replicas":0, 7 | "number_of_shards":1, 8 | "index.refresh_interval":"30s", 9 | "index.mapping.total_fields.limit": "1500" 10 | }, 11 | "mappings":{ 12 | "doc":{ 13 | "dynamic": false, 14 | "date_detection": false, 15 | "properties":{ 16 | "beat": { 17 | "properties": { 18 | "hostname": { 19 | "ignore_above": 1024, 20 | "type": "keyword" 21 | }, 22 | "name": { 23 | "ignore_above": 1024, 24 | "type": "keyword" 25 | }, 26 | "timezone": { 27 | "ignore_above": 1024, 28 | "type": "keyword" 29 | }, 30 | "version": { 31 | "ignore_above": 1024, 32 | "type": "keyword" 33 | } 34 | } 35 | }, 36 | "character_set":{ 37 | "type":"text", 38 | "fields":{ 39 | "keyword":{ 40 | "type":"keyword" 41 | } 42 | } 43 | }, 44 | "code_size":{ 45 | "type":"text", 46 | "fields":{ 47 | "keyword":{ 48 | "type":"keyword" 49 | } 50 | } 51 | }, 52 | "comments":{ 53 | "type":"text", 54 | "fields":{ 55 | "keyword":{ 56 | "type":"keyword" 57 | } 58 | } 59 | }, 60 | "company_name":{ 61 | "type":"text", 62 | "fields":{ 63 | "keyword":{ 64 | "type":"keyword" 65 | } 66 | } 67 | }, 68 | "dll_characteristics":{ 69 | "type":"text", 70 | "fields":{ 71 | "keyword":{ 72 | "type":"keyword" 73 | } 74 | } 75 | }, 76 | "elapsed_time":{ 77 | "type":"text", 78 | "fields":{ 79 | "keyword":{ 80 | "type":"keyword" 81 | } 82 | } 83 | }, 84 | "scan_entropy":{ 85 | "type":"object", 86 | "dynamic":"true" 87 | }, 88 | "entry_point":{ 89 | "type":"text", 90 | "fields":{ 91 | "keyword":{ 92 | "type":"keyword" 93 | } 94 | } 95 | }, 96 | "scan_exiftool":{ 97 | "type":"object", 98 | "dynamic":"true" 99 | }, 100 | "exiftool_version":{ 101 | "type":"text", 102 | "fields":{ 103 | "keyword":{ 104 | 
"type":"keyword" 105 | } 106 | } 107 | }, 108 | "export_functions":{ 109 | "type":"text", 110 | "fields":{ 111 | "keyword":{ 112 | "type":"keyword" 113 | } 114 | } 115 | }, 116 | "extracted_filename":{ 117 | "type":"text", 118 | "fields":{ 119 | "keyword":{ 120 | "type":"keyword" 121 | } 122 | } 123 | }, 124 | "file":{ 125 | "type":"object", 126 | "dynamic":"true" 127 | }, 128 | "file_description":{ 129 | "type":"text", 130 | "fields":{ 131 | "keyword":{ 132 | "type":"keyword" 133 | } 134 | } 135 | }, 136 | "file_flags":{ 137 | "type":"text", 138 | "fields":{ 139 | "keyword":{ 140 | "type":"keyword" 141 | } 142 | } 143 | }, 144 | "file_flags_mask":{ 145 | "type":"text", 146 | "fields":{ 147 | "keyword":{ 148 | "type":"keyword" 149 | } 150 | } 151 | }, 152 | "file_mimetype":{ 153 | "type":"text", 154 | "fields":{ 155 | "keyword":{ 156 | "type":"keyword" 157 | } 158 | } 159 | }, 160 | "file_os":{ 161 | "type":"text", 162 | "fields":{ 163 | "keyword":{ 164 | "type":"keyword" 165 | } 166 | } 167 | }, 168 | "file_subtype":{ 169 | "type":"text", 170 | "fields":{ 171 | "keyword":{ 172 | "type":"keyword" 173 | } 174 | } 175 | }, 176 | "fileheader_timestamp":{ 177 | "type":"text", 178 | "fields":{ 179 | "keyword":{ 180 | "type":"keyword" 181 | } 182 | } 183 | }, 184 | "filetype":{ 185 | "type":"text", 186 | "fields":{ 187 | "keyword":{ 188 | "type":"keyword" 189 | } 190 | } 191 | }, 192 | "filetype_extension":{ 193 | "type":"text", 194 | "fields":{ 195 | "keyword":{ 196 | "type":"keyword" 197 | } 198 | } 199 | }, 200 | "fileversion":{ 201 | "type":"text", 202 | "fields":{ 203 | "keyword":{ 204 | "type":"keyword" 205 | } 206 | } 207 | }, 208 | "fileversion_number":{ 209 | "type":"text", 210 | "fields":{ 211 | "keyword":{ 212 | "type":"keyword" 213 | } 214 | } 215 | }, 216 | "finish_time":{ 217 | "type":"text", 218 | "fields":{ 219 | "keyword":{ 220 | "type":"keyword" 221 | } 222 | } 223 | }, 224 | "flags":{ 225 | "type":"text", 226 | "fields":{ 227 | "keyword":{ 228 | 
"type":"keyword" 229 | } 230 | } 231 | }, 232 | "gif":{ 233 | "type":"object", 234 | "dynamic":"true" 235 | }, 236 | "hash":{ 237 | "type":"object", 238 | "dynamic":"true" 239 | }, 240 | "scan_header":{ 241 | "type":"object", 242 | "dynamic":"true" 243 | }, 244 | "heap_commitsize":{ 245 | "type":"text", 246 | "fields":{ 247 | "keyword":{ 248 | "type":"keyword" 249 | } 250 | } 251 | }, 252 | "heap_reservesize":{ 253 | "type":"text", 254 | "fields":{ 255 | "keyword":{ 256 | "type":"keyword" 257 | } 258 | } 259 | }, 260 | "html":{ 261 | "type":"object", 262 | "dynamic":"true" 263 | }, 264 | "image_base":{ 265 | "type":"text", 266 | "fields":{ 267 | "keyword":{ 268 | "type":"keyword" 269 | } 270 | } 271 | }, 272 | "image_characteristics":{ 273 | "type":"text", 274 | "fields":{ 275 | "keyword":{ 276 | "type":"keyword" 277 | } 278 | } 279 | }, 280 | "image_magic":{ 281 | "type":"text", 282 | "fields":{ 283 | "keyword":{ 284 | "type":"keyword" 285 | } 286 | } 287 | }, 288 | "image_version":{ 289 | "type":"text", 290 | "fields":{ 291 | "keyword":{ 292 | "type":"keyword" 293 | } 294 | } 295 | }, 296 | "imphash":{ 297 | "type":"text", 298 | "fields":{ 299 | "keyword":{ 300 | "type":"keyword" 301 | } 302 | } 303 | }, 304 | "imports":{ 305 | "type":"text", 306 | "fields":{ 307 | "keyword":{ 308 | "type":"keyword" 309 | } 310 | } 311 | }, 312 | "initialized_datasize":{ 313 | "type":"text", 314 | "fields":{ 315 | "keyword":{ 316 | "type":"keyword" 317 | } 318 | } 319 | }, 320 | "input": { 321 | "properties": { 322 | "type": { 323 | "ignore_above": 1024, 324 | "type": "keyword" 325 | } 326 | } 327 | }, 328 | "internalname":{ 329 | "type":"text", 330 | "fields":{ 331 | "keyword":{ 332 | "type":"keyword" 333 | } 334 | } 335 | }, 336 | "javascript":{ 337 | "type":"object", 338 | "dynamic": "true" 339 | }, 340 | "jpeg":{ 341 | "type":"object", 342 | "dynamic": "true" 343 | }, 344 | "languagecode":{ 345 | "type":"text", 346 | "fields":{ 347 | "keyword":{ 348 | "type":"keyword" 349 | } 
350 | } 351 | }, 352 | "legalcopyright":{ 353 | "type":"text", 354 | "fields":{ 355 | "keyword":{ 356 | "type":"keyword" 357 | } 358 | } 359 | }, 360 | "legaltrademarks":{ 361 | "type":"text", 362 | "fields":{ 363 | "keyword":{ 364 | "type":"keyword" 365 | } 366 | } 367 | }, 368 | "linker_version":{ 369 | "type":"text", 370 | "fields":{ 371 | "keyword":{ 372 | "type":"keyword" 373 | } 374 | } 375 | }, 376 | "machine_id":{ 377 | "type":"text", 378 | "fields":{ 379 | "keyword":{ 380 | "type":"keyword" 381 | } 382 | } 383 | }, 384 | "machine_type":{ 385 | "type":"text", 386 | "fields":{ 387 | "keyword":{ 388 | "type":"keyword" 389 | } 390 | } 391 | }, 392 | "object_filetype":{ 393 | "type":"text", 394 | "fields":{ 395 | "keyword":{ 396 | "type":"keyword" 397 | } 398 | } 399 | }, 400 | "ocr":{ 401 | "type":"object", 402 | "dynamic": "true" 403 | }, 404 | "offset":{ 405 | "type":"long", 406 | "fields":{ 407 | "keyword":{ 408 | "type":"keyword" 409 | } 410 | } 411 | }, 412 | "original_filename":{ 413 | "type":"text", 414 | "fields":{ 415 | "keyword":{ 416 | "type":"keyword" 417 | } 418 | } 419 | }, 420 | "osversion":{ 421 | "type":"text", 422 | "fields":{ 423 | "keyword":{ 424 | "type":"keyword" 425 | } 426 | } 427 | }, 428 | "scan_pe":{ 429 | "type":"object", 430 | "dynamic":"true" 431 | }, 432 | "pe_type":{ 433 | "type":"text", 434 | "fields":{ 435 | "keyword":{ 436 | "type":"keyword" 437 | } 438 | } 439 | }, 440 | "privatebuild":{ 441 | "type":"text", 442 | "fields":{ 443 | "keyword":{ 444 | "type":"keyword" 445 | } 446 | } 447 | }, 448 | "productname":{ 449 | "type":"text", 450 | "fields":{ 451 | "keyword":{ 452 | "type":"keyword" 453 | } 454 | } 455 | }, 456 | "productversion":{ 457 | "type":"text", 458 | "fields":{ 459 | "keyword":{ 460 | "type":"keyword" 461 | } 462 | } 463 | }, 464 | "productversion_number":{ 465 | "type":"text", 466 | "fields":{ 467 | "keyword":{ 468 | "type":"keyword" 469 | } 470 | } 471 | }, 472 | "prospector": { 473 | "properties": { 474 | 
"type": { 475 | "ignore_above": 1024, 476 | "type": "keyword" 477 | } 478 | } 479 | }, 480 | "request":{ 481 | "type":"object", 482 | "dynamic":"true" 483 | }, 484 | "source_depth":{ 485 | "type":"text", 486 | "fields":{ 487 | "keyword":{ 488 | "type":"keyword" 489 | } 490 | } 491 | }, 492 | "source_hash":{ 493 | "type":"text", 494 | "fields":{ 495 | "keyword":{ 496 | "type":"keyword" 497 | } 498 | } 499 | }, 500 | "source_parenthash":{ 501 | "type":"text", 502 | "fields":{ 503 | "keyword":{ 504 | "type":"keyword" 505 | } 506 | } 507 | }, 508 | "source_parentuid":{ 509 | "type":"text", 510 | "fields":{ 511 | "keyword":{ 512 | "type":"keyword" 513 | } 514 | } 515 | }, 516 | "source_roothash":{ 517 | "type":"text", 518 | "fields":{ 519 | "keyword":{ 520 | "type":"keyword" 521 | } 522 | } 523 | }, 524 | "source_rootuid":{ 525 | "type":"text", 526 | "fields":{ 527 | "keyword":{ 528 | "type":"keyword" 529 | } 530 | } 531 | }, 532 | "source_scannerlist":{ 533 | "type":"text", 534 | "fields":{ 535 | "keyword":{ 536 | "type":"keyword" 537 | } 538 | } 539 | }, 540 | "source_size":{ 541 | "type":"text", 542 | "fields":{ 543 | "keyword":{ 544 | "type":"keyword" 545 | } 546 | } 547 | }, 548 | "source_uid":{ 549 | "type":"text", 550 | "fields":{ 551 | "keyword":{ 552 | "type":"keyword" 553 | } 554 | } 555 | }, 556 | "specialbuild":{ 557 | "type":"text", 558 | "fields":{ 559 | "keyword":{ 560 | "type":"keyword" 561 | } 562 | } 563 | }, 564 | "ssdeep":{ 565 | "type":"text", 566 | "fields":{ 567 | "keyword":{ 568 | "type":"keyword" 569 | } 570 | } 571 | }, 572 | "stack_commit_size":{ 573 | "type":"text", 574 | "fields":{ 575 | "keyword":{ 576 | "type":"keyword" 577 | } 578 | } 579 | }, 580 | "stack_reserve_size":{ 581 | "type":"text", 582 | "fields":{ 583 | "keyword":{ 584 | "type":"keyword" 585 | } 586 | } 587 | }, 588 | "start_time":{ 589 | "type":"text", 590 | "fields":{ 591 | "keyword":{ 592 | "type":"keyword" 593 | } 594 | } 595 | }, 596 | "subsystem_version":{ 597 | 
"type":"text", 598 | "fields":{ 599 | "keyword":{ 600 | "type":"keyword" 601 | } 602 | } 603 | }, 604 | "swf":{ 605 | "type":"object", 606 | "dynamic":"true" 607 | }, 608 | "time":{ 609 | "type":"text", 610 | "fields":{ 611 | "keyword":{ 612 | "type":"keyword" 613 | } 614 | } 615 | }, 616 | "total_sections":{ 617 | "type":"text", 618 | "fields":{ 619 | "keyword":{ 620 | "type":"keyword" 621 | } 622 | } 623 | }, 624 | "tree":{ 625 | "type":"object", 626 | "dynamic":"true" 627 | }, 628 | "uninitialized_datasize":{ 629 | "type":"text", 630 | "fields":{ 631 | "keyword":{ 632 | "type":"keyword" 633 | } 634 | } 635 | }, 636 | "urls":{ 637 | "type":"object", 638 | "dynamic":"true" 639 | }, 640 | "warnings":{ 641 | "type":"text", 642 | "fields":{ 643 | "keyword":{ 644 | "type":"keyword" 645 | } 646 | } 647 | }, 648 | "worker":{ 649 | "type":"text", 650 | "fields":{ 651 | "keyword":{ 652 | "type":"keyword" 653 | } 654 | } 655 | }, 656 | "scan_yara":{ 657 | "type":"object", 658 | "dynamic":"true" 659 | } 660 | } 661 | } 662 | } 663 | } 664 | -------------------------------------------------------------------------------- /etc/strelka/backend/backend.yaml: -------------------------------------------------------------------------------- 1 | logging_cfg: '/etc/strelka/logging.yaml' 2 | limits: 3 | max_files: 5000 4 | time_to_live: 900 5 | max_depth: 15 6 | distribution: 600 7 | scanner: 150 8 | coordinator: 9 | addr: 'strelka_coordinator_1:6379' 10 | db: 0 11 | tasting: 12 | mime_db: null 13 | yara_rules: '/etc/strelka/taste/' 14 | scanners: 15 | 'ScanBase64': 16 | - positive: 17 | filename: '^base64_' 18 | priority: 5 19 | 'ScanBatch': 20 | - positive: 21 | flavors: 22 | - 'text/x-msdos-batch' 23 | - 'batch_file' 24 | priority: 5 25 | 'ScanBzip2': 26 | - positive: 27 | flavors: 28 | - 'application/x-bzip2' 29 | - 'bzip2_file' 30 | priority: 5 31 | 'ScanDocx': 32 | - positive: 33 | flavors: 34 | - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' 35 | 
priority: 5 36 | options: 37 | extract_text: False 38 | 'ScanElf': 39 | - positive: 40 | flavors: 41 | - 'application/x-object' 42 | - 'application/x-executable' 43 | - 'application/x-sharedlib' 44 | - 'application/x-coredump' 45 | - 'elf_file' 46 | priority: 5 47 | 'ScanEmail': 48 | - positive: 49 | flavors: 50 | - 'application/vnd.ms-outlook' 51 | - 'message/rfc822' 52 | - 'email_file' 53 | priority: 5 54 | 'ScanEntropy': 55 | - positive: 56 | flavors: 57 | - '*' 58 | priority: 5 59 | 'ScanExiftool': 60 | - positive: 61 | flavors: 62 | - 'application/msword' 63 | - 'application/vnd.openxmlformats-officedocument' 64 | - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' 65 | - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' 66 | - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' 67 | - 'olecf_file' 68 | - 'ooxml_file' 69 | - 'audio/mpeg' 70 | - 'mp3_file' 71 | - 'mhtml_file' 72 | - 'application/pdf' 73 | - 'pdf_file' 74 | - 'text/rtf' 75 | - 'rtf_file' 76 | - 'wordml_file' 77 | - 'application/x-dosexec' 78 | - 'mz_file' 79 | - 'application/x-object' 80 | - 'application/x-executable' 81 | - 'application/x-sharedlib' 82 | - 'application/x-coredump' 83 | - 'elf_file' 84 | - 'lnk_file' 85 | - 'application/x-mach-binary' 86 | - 'macho_file' 87 | - 'image/gif' 88 | - 'gif_file' 89 | - 'image/jpeg' 90 | - 'jpeg_file' 91 | - 'image/png' 92 | - 'png_file' 93 | - 'image/tiff' 94 | - 'type_is_tiff' 95 | - 'image/x-ms-bmp' 96 | - 'bmp_file' 97 | - 'application/x-shockwave-flash' 98 | - 'fws_file' 99 | - 'psd_file' 100 | - 'video/mp4' 101 | - 'video/quicktime' 102 | - 'video/x-msvideo' 103 | - 'avi_file' 104 | - 'video/x-ms-wmv' 105 | - 'wmv_file' 106 | priority: 5 107 | options: 108 | tmp_directory: '/dev/shm/' 109 | 'ScanGif': 110 | - positive: 111 | flavors: 112 | - 'image/gif' 113 | - 'gif_file' 114 | priority: 5 115 | 'ScanGzip': 116 | - positive: 117 | flavors: 118 | - 'application/gzip' 119 | - 
'application/x-gzip' 120 | - 'gzip_file' 121 | priority: 5 122 | 'ScanHash': 123 | - positive: 124 | flavors: 125 | - '*' 126 | priority: 5 127 | 'ScanHeader': 128 | - positive: 129 | flavors: 130 | - '*' 131 | priority: 5 132 | options: 133 | length: 50 134 | 'ScanHtml': 135 | - positive: 136 | flavors: 137 | - 'hta_file' 138 | - 'text/html' 139 | - 'html_file' 140 | priority: 5 141 | options: 142 | parser: "html5lib" 143 | 'ScanIni': 144 | - positive: 145 | filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' 146 | flavors: 147 | - 'ini_file' 148 | priority: 5 149 | 'ScanJarManifest': 150 | - positive: 151 | flavors: 152 | - 'jar_manifest_file' 153 | priority: 5 154 | 'ScanJavascript': 155 | - negative: 156 | flavors: 157 | - 'text/html' 158 | - 'html_file' 159 | positive: 160 | flavors: 161 | - 'javascript_file' 162 | - 'text/javascript' 163 | priority: 5 164 | options: 165 | beautify: True 166 | 'ScanJpeg': 167 | - positive: 168 | flavors: 169 | - 'image/jpeg' 170 | - 'jpeg_file' 171 | priority: 5 172 | 'ScanJson': 173 | - positive: 174 | flavors: 175 | - 'application/json' 176 | - 'json_file' 177 | priority: 5 178 | 'ScanLibarchive': 179 | - positive: 180 | flavors: 181 | - 'application/vnd.ms-cab-compressed' 182 | - 'cab_file' 183 | - 'application/x-7z-compressed' 184 | - '_7zip_file' 185 | - 'application/x-cpio' 186 | - 'cpio_file' 187 | - 'application/x-xar' 188 | - 'xar_file' 189 | - 'arj_file' 190 | - 'iso_file' 191 | - 'application/x-debian-package' 192 | - 'debian_package_file' 193 | priority: 5 194 | options: 195 | limit: 1000 196 | 'ScanLzma': 197 | - positive: 198 | flavors: 199 | - 'application/x-lzma' 200 | - 'lzma_file' 201 | - 'application/x-xz' 202 | - 'xz_file' 203 | priority: 5 204 | 'ScanMacho': 205 | - positive: 206 | flavors: 207 | - 'application/x-mach-binary' 208 | - 'macho_file' 209 | priority: 5 210 | options: 211 | tmp_directory: '/dev/shm/' 212 | 'ScanMmbot': 213 | - positive: 214 | flavors: 215 | - 'vb_file' 216 | - 'vbscript' 217 | 
priority: 5 218 | options: 219 | server: 'strelka_mmrpc_1:33907' 220 | 'ScanOcr': 221 | - positive: 222 | flavors: 223 | - 'image/jpeg' 224 | - 'jpeg_file' 225 | - 'image/png' 226 | - 'png_file' 227 | - 'image/tiff' 228 | - 'type_is_tiff' 229 | - 'image/x-ms-bmp' 230 | - 'bmp_file' 231 | priority: 5 232 | options: 233 | extract_text: False 234 | tmp_directory: '/dev/shm/' 235 | 'ScanOle': 236 | - positive: 237 | flavors: 238 | - 'application/CDFV2' 239 | - 'application/msword' 240 | - 'olecf_file' 241 | priority: 5 242 | 'ScanPdf': 243 | - positive: 244 | flavors: 245 | - 'application/pdf' 246 | - 'pdf_file' 247 | priority: 5 248 | options: 249 | extract_text: False 250 | limit: 2000 251 | 'ScanPe': 252 | - positive: 253 | flavors: 254 | - 'application/x-dosexec' 255 | - 'mz_file' 256 | priority: 5 257 | 'ScanPgp': 258 | - positive: 259 | flavors: 260 | - 'application/pgp-keys' 261 | - 'pgp_file' 262 | priority: 5 263 | 'ScanPhp': 264 | - positive: 265 | flavors: 266 | - 'text/x-php' 267 | - 'php_file' 268 | priority: 5 269 | 'ScanPkcs7': 270 | - positive: 271 | flavors: 272 | - 'pkcs7_file' 273 | priority: 5 274 | options: 275 | tmp_directory: '/dev/shm/' 276 | 'ScanPlist': 277 | - positive: 278 | flavors: 279 | - 'bplist_file' 280 | - 'plist_file' 281 | priority: 5 282 | options: 283 | keys: 284 | - 'KeepAlive' 285 | - 'Label' 286 | - 'NetworkState' 287 | - 'Program' 288 | - 'ProgramArguments' 289 | - 'RunAtLoad' 290 | - 'StartInterval' 291 | 'ScanRar': 292 | - positive: 293 | flavors: 294 | - 'application/x-rar' 295 | - 'rar_file' 296 | priority: 5 297 | options: 298 | limit: 1000 299 | 'ScanRpm': 300 | - positive: 301 | flavors: 302 | - 'application/x-rpm' 303 | - 'rpm_file' 304 | priority: 5 305 | options: 306 | tmp_directory: '/dev/shm/' 307 | 'ScanRtf': 308 | - positive: 309 | flavors: 310 | - 'text/rtf' 311 | - 'rtf_file' 312 | priority: 5 313 | options: 314 | limit: 1000 315 | 'ScanRuby': 316 | - positive: 317 | flavors: 318 | - 'text/x-ruby' 319 | 
priority: 5 320 | 'ScanSwf': 321 | - positive: 322 | flavors: 323 | - 'application/x-shockwave-flash' 324 | - 'fws_file' 325 | - 'cws_file' 326 | - 'zws_file' 327 | priority: 5 328 | 'ScanTar': 329 | - positive: 330 | flavors: 331 | - 'application/x-tar' 332 | - 'tar_file' 333 | priority: 5 334 | options: 335 |
# presumably caps the number of archive members extracted. Note the tar_file taste rule also fires on
# compress(1) magic (1F 9D / 1F A0), so .Z streams land here too — confirm the scanner copes with them.
limit: 1000 336 | 'ScanTnef': 337 | - positive: 338 | flavors: 339 | - 'application/vnd.ms-tnef' 340 | - 'tnef_file' 341 | priority: 5 342 | 'ScanUpx': 343 | - positive: 344 | flavors: 345 | - 'upx_file' 346 | priority: 5 347 | options: 348 | tmp_directory: '/dev/shm/' 349 | 'ScanUrl': 350 | - negative: 351 | flavors: 352 | - 'javascript_file' 353 | positive: 354 | flavors: 355 | - 'text/plain' 356 | priority: 5 357 | 'ScanVb': 358 | - positive: 359 | flavors: 360 | - 'vb_file' 361 | - 'vbscript' 362 | priority: 5 363 | 'ScanVba': 364 | - positive: 365 | flavors: 366 | - 'mhtml_file' 367 | - 'application/msword' 368 | - 'olecf_file' 369 | - 'wordml_file' 370 | priority: 5 371 | options: 372 | analyze_macros: True 373 | 'ScanX509': 374 | - positive: 375 | flavors: 376 | - 'x509_der_file' 377 | priority: 5 378 | options: 379 | type: 'der' 380 | - positive: 381 | flavors: 382 | - 'x509_pem_file' 383 | priority: 5 384 | options: 385 | type: 'pem' 386 | 'ScanXml': 387 | - positive: 388 | flavors: 389 | - 'application/xml' 390 | - 'text/xml' 391 | - 'xml_file' 392 | - 'mso_file' 393 | - 'soap_file' 394 | priority: 5 395 | 'ScanYara': 396 | - positive: 397 | flavors: 398 | - '*' 399 | priority: 5 400 | options: 401 |
# NOTE(review): detection rules for ScanYara are loaded from /etc/yara/ (a separate rule set from
# taste.yara). Every file is routed here ('*'), so make sure this path is populated and mounted into the
# backend container — otherwise the scanner presumably runs with no rules and never matches, silently.
location: '/etc/yara/' 402 | 'ScanZip': 403 | - positive: 404 | flavors: 405 | - 'application/java-archive' 406 | - 'application/zip' 407 | - 'zip_file' 408 | - 'application/vnd.openxmlformats-officedocument' 409 | - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' 410 | - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' 411 | - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' 412 | 
- 'ooxml_file' 413 | priority: 5 414 | options: 415 | limit: 1000 416 |
# presumably the candidate passwords (one per line) tried against encrypted archives; the shipped list is
# just 'infected' and 'password' — add site-specific ones if you exchange password-protected samples.
password_file: '/etc/strelka/passwords.dat' 417 | 'ScanZlib': 418 | - positive: 419 | flavors: 420 | - 'application/zlib' 421 | - 'zlib_file' 422 | priority: 5 423 | -------------------------------------------------------------------------------- /etc/strelka/backend/logging.yaml: -------------------------------------------------------------------------------- 1 | version: 1 2 | formatters: 3 | simple: 4 | format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' 5 | datefmt: '%Y-%m-%d %H:%M:%S' 6 | handlers: 7 | console: 8 | class: logging.StreamHandler 9 | formatter: simple 10 | stream: ext://sys.stdout 11 | root: 12 |
# NOTE(review): root logger at DEBUG on a production sensor is chatty. The library loggers below have
# propagate: 0, so their records are not forwarded to this console handler, but Strelka's own debug
# messages (which may name the files being processed) all are — consider INFO once bring-up is done.
level: DEBUG 13 | handlers: [console] 14 | loggers: 15 | OpenSSL: 16 | propagate: 0 17 | bs4: 18 | propagate: 0 19 | bz2: 20 | propagate: 0 21 | chardet: 22 | propagate: 0 23 | docx: 24 | propagate: 0 25 | elftools: 26 | propagate: 0 27 | email: 28 | propagate: 0 29 | entropy: 30 | propagate: 0 31 | esprima: 32 | propagate: 0 33 | gzip: 34 | propagate: 0 35 | hashlib: 36 | propagate: 0 37 | json: 38 | propagate: 0 39 | libarchive: 40 | propagate: 0 41 | lxml: 42 | propagate: 0 43 | lzma: 44 | propagate: 0 45 | macholibre: 46 | propagate: 0 47 | olefile: 48 | propagate: 0 49 | oletools: 50 | propagate: 0 51 | pdfminer: 52 | propagate: 0 53 | pefile: 54 | propagate: 0 55 | pgpdump: 56 | propagate: 0 57 | pygments: 58 | propagate: 0 59 | pylzma: 60 | propagate: 0 61 | rarfile: 62 | propagate: 0 63 | requests: 64 | propagate: 0 65 | rpmfile: 66 | propagate: 0 67 | ssdeep: 68 | propagate: 0 69 | tarfile: 70 | propagate: 0 71 | tnefparse: 72 | propagate: 0 73 | yara: 74 | propagate: 0 75 | zipfile: 76 | propagate: 0 77 | zlib: 78 | propagate: 0 79 | -------------------------------------------------------------------------------- /etc/strelka/backend/passwords.dat: -------------------------------------------------------------------------------- 1 | 
infected 2 | password 3 | -------------------------------------------------------------------------------- /etc/strelka/backend/taste/taste.yara: -------------------------------------------------------------------------------- 1 | // Archive Files
/* Taste rules only assign a flavor from magic bytes; the rule names here must match the `flavors:`
   lists in backend.yaml, which decide which scanners a tasted file is sent to. A rule that is too
   loose costs extra scanner runs; one that is too tight hides the file from the scanner that should
   see it. */
2 | 3 | rule _7zip_file 4 | { 5 | meta: 6 | type = "archive" 7 | strings: 8 | $a = { 37 7A BC AF 27 1C } 9 | condition: 10 | $a at 0 11 | } 12 | 13 | rule arj_file 14 | { 15 | meta: 16 | type = "archive" 17 | condition: 18 | uint16(0) == 0xEA60 19 | } 20 | 21 | rule cab_file 22 | { 23 | meta: 24 | type = "archive" 25 | strings: 26 | $a = { 4D 53 43 46 00 00 00 00 } 27 | condition: 28 |
/* second clause: an MZ executable with "MSCF\0\0\0\0" *anywhere* in it (self-extracting cabinet);
   note this is an unanchored substring search, not an offset check */
$a at 0 or 29 | ( uint16(0) == 0x5A4D and $a ) 30 | } 31 | 32 | rule cpio_file 33 | { 34 | meta: 35 | type = "archive" 36 | strings: 37 |
/* "070701" = SVR4 "new ASCII" cpio only; the old binary (C7 71) and portable "070707" variants are not tasted */
$a = { 30 37 30 37 30 31 } 38 | condition: 39 | $a at 0 40 | } 41 | 42 | rule iso_file 43 | { 44 | meta: 45 | type = "archive" 46 | strings: 47 | $a = { 43 44 30 30 31 } 48 | condition: 49 |
/* "CD001" in the volume descriptors at sectors 16, 17 and 18 (2048-byte sectors, +1 past the type byte) */
$a at 0x8001 and $a at 0x8801 and $a at 0x9001 50 | } 51 | 52 | rule mhtml_file 53 | { 54 | meta: 55 | type = "archive" 56 | strings: 57 | $a = "MIME-Version: 1.0" 58 | $b = "This document is a Single File Web Page, also known as a Web Archive file" 59 | condition: 60 |
/* requires Word's "Single File Web Page" banner ($b), so MHTML written by other tools is not tasted as mhtml_file */
$a at 0 and $b 61 | } 62 | 63 | rule rar_file 64 | { 65 | meta: 66 | type = "archive" 67 | condition: 68 |
/* bytes 0-5 "Rar!\x1A\x07" are shared by RAR 4.x (…\x00) and RAR 5 (…\x01\x00), so both get this flavor */
uint16(0) == 0x6152 and uint8(2) == 0x72 and uint16(3) == 0x1A21 and uint8(5) == 0x07 69 | } 70 | 71 | rule tar_file 72 | { 73 | meta: 74 | type = "archive" 75 | strings: 76 | $a = { 75 73 74 61 72 } 77 | condition: 78 |
/* NOTE(review): 1F 9D and 1F A0 are the compress(1) / SCO LZH magics, i.e. .Z streams, not tar headers;
   backend.yaml routes tar_file to ScanTar — confirm that scanner handles compressed input, otherwise
   these two clauses deserve their own flavor. The actual tar check is "ustar" at offset 257. */
uint16(0) == 0x9D1F or 79 | uint16(0) == 0xA01F or 80 | $a at 257 81 | } 82 | 83 | rule xar_file 84 | { 85 | meta: 86 | type = "archive" 87 | condition: 88 | uint32(0) == 0x21726178 89 | } 90 | 91 | rule zip_file 92 | { 93 | meta: 94 | type = "archive" 95 | condition: 96 |
/* NOTE(review): the exclusion decodes as version-needed 2.0 with general-purpose flags 0x0006; what it
   is meant to carve out is not documented — presumably ZIP containers claimed by another taste rule
   (backend.yaml also routes ooxml_file to ScanZip) — confirm and record the intent here. */
( uint32(0) == 0x04034B50 and not uint32(4) == 0x00060014 ) 97 | } 98 | 99 | // Audio Files
100 | 101 | rule mp3_file 102 | { 103 | meta: 104 | type = "audio" 
105 | condition: 106 | uint16(0) == 0x4449 and uint8(2) == 0x33 107 | } 108 | 109 | // Certificate Files 110 | 111 | rule pkcs7_file 112 | { 113 | meta: 114 | type = "certificate" 115 | strings: 116 | $a = "-----BEGIN PKCS7-----" 117 | condition: 118 | (uint16(0) == 0x8230 and uint16(4) == 0x0906) or 119 | uint32(0) == 0x09068030 or 120 | $a at 0 121 | } 122 | 123 | rule x509_der_file 124 | { 125 | meta: 126 | type = "certificate" 127 | condition: 128 | uint16(0) == 0x8230 and ( uint16(4) == 0x8230 or uint16(4) == 0x8130 ) 129 | } 130 | 131 | rule x509_pem_file 132 | { 133 | meta: 134 | type = "certificate" 135 | strings: 136 | $a = "-----BEGIN CERTI" 137 | condition: 138 | $a at 0 139 | } 140 | 141 | // Compressed Files 142 | 143 | rule bzip2_file 144 | { 145 | meta: 146 | type = "compressed" 147 | condition: 148 | uint16(0) == 0x5A42 and uint8(2) == 0x68 149 | } 150 | 151 | rule gzip_file 152 | { 153 | meta: 154 | type = "compressed" 155 | condition: 156 | uint16(0) == 0x8B1F and uint8(2) == 0x08 157 | } 158 | 159 | rule lzma_file 160 | { 161 | meta: 162 | type = "compressed" 163 | condition: 164 | uint16(0) == 0x005D and uint8(2) == 0x00 165 | } 166 | 167 | rule xz_file 168 | { 169 | meta: 170 | type = "compressed" 171 | condition: 172 | uint32(0) == 0x587A37FD and uint16(4) == 0x005A 173 | } 174 | 175 | // Document Files 176 | 177 | rule doc_subheader_file 178 | { 179 | meta: 180 | type = "document" 181 | condition: 182 | uint32(0) == 0x00C1A5EC 183 | } 184 | 185 | rule mso_file 186 | { 187 | meta: 188 | type = "document" 189 | strings: 190 | $a = { 3C 3F 6D 73 6F 2D 61 70 70 6C 69 63 61 74 69 6F 6E 20 } // 660 | condition: 661 | $a at 0 or 662 | $b at 0 or 663 | $c at 0 or 664 | $d at 0 or 665 | $e at 0 or 666 | $f at 0 or 667 | $g at 0 or 668 | $h at 0 or 669 | $i at 0 or 670 | $j at 0 or 671 | $k at 0 or 672 | $l at 0 or 673 | $m at 0 or 674 | $n at 0 675 | } 676 | 677 | rule json_file 678 | { 679 | meta: 680 | type = "text" 681 | strings: 682 | $a = { 7B 
[0-5] 22 } 683 | condition: 684 | $a at 0 685 | } 686 | 687 | rule php_file 688 | { 689 | meta: 690 | type = "text" 691 | strings: 692 | $a = { 3c 3f 70 68 70 } 693 | condition: 694 | $a at 0 695 | } 696 | 697 | rule soap_file 698 | { 699 | meta: 700 | description = "Simple Object Access Protocol" 701 | type = "text" 702 | strings: 703 | $a = { 3C 73 6F 61 70 65 6E 76 3A 45 6E 76 65 6C 6F 70 65 } // 717 | $c = { 3C 73 74 79 6C 65 53 68 65 65 74 20 78 6D 6C 6E 73 3D } //