assemblyline
Update Floss
Looks like the AL Floss Service is running version 1.7.0, while the latest version is 2.2.0. 2.x has some additional string deobfuscation techniques and nice performance improvements. https://www.mandiant.com/resources/blog/floss-version-2
It would be nice to update this to the latest version.
I also see that FrankenStrings says it uses Floss, so might need to check that. Any reason to have the Floss service if FrankenStrings does it too - maybe the Floss Service could be deprecated.
Looks like FS uses a specific ported Python module from Floss specifically to do with string extraction whereas the Floss service calls the Floss binary. So it's possible FS predates the Floss service and was using that tool for something specific before it was decided to just dedicate a service to the tool.
@cccs-jh could probably highlight the differences between each service
But since there's a new release of the tool, we should consider updating the appropriate services.
FrankenStrings used to have floss running inside it but I believe it was extracted from it to be used as a separate floss service. It's most likely just an outdated README / service description.
Updating floss is planned, but will involve significant changes due to the change from python2 to python3. So the update may take some time. FrankenStrings no longer provides floss functionality but still uses a part of it to extract strings — essentially the part of floss that replicates the strings command. The README will be updated to reduce confusion.
For our internal tracking: https://cccs.atlassian.net/browse/AL-1794