Add the filename when reporting "Malicious downloaded file"
Created by Alya Gomaa via monday.com integration. 🎉
The files.log file has the fuid that can be used to access the http.log file, which has the file name in the 'uri' field.
Hey @AlyaGomaa, I can work on this. I see that we compare the hash to determine if a file is malicious. We get the hash from files.log. I am not sure how to search for the fuid in the http.log file? When testing for a malicious file, it doesn't have access to the http.log file, correct?
Hey @AlyaGomaa, any updates on my previous message?
Hey @patel-lay, why do you need the fuid?
Hey @AlyaGomaa, I looked into the issue. I am a bit confused. Is it that there is a file_handler.handle_files() function that adds a newly downloaded file to the database and checks it through "check_malicious_ssl"?
I also see a threat_intelligence function called "is_malicious_hash" that checks for a "malicious downloaded file" through the hash, but doesn't access any log files.
I am not sure which one tests for a downloaded malicious file.
Yes, the is_malicious_hash() in the threat intel module searches for the hash on remote websites like circl.lu, URLhaus, etc. The check_malicious_ssl() searches for the hash in the feeds hardcoded in Slips, the ones in config/SSL_feeds.csv.
This issue is about modifying the set_evidence_malicious_hash() function to include the file name if possible.
Hey @AlyaGomaa, I understand that this function will be triggered by the files.log file. On looking into it, I got that I need to add file_name as a part of file_info in the handle_files function in file_handler.py.
I can get file_name from the uri part of add_out_http by comparing fuid and resp_fuids in http.log. I am not sure how I can access this http.log to add it as a part of file_info.
Hey @AlyaGomaa, can you comment on this so we can close this one.
I will let @AlyaGomaa answer. But you can get the URI from the Redis database directly. All that information should be stored there. To access it you can use the uid (needs confirmation).
Hi @patel-lay, the handle_http() in flow_handler.py deals with the http.log flows; you can access them there. Also, all altflows (flows that are not conn.log) are stored in the SQLite db and can be retrieved using get_altflow_from_uid(). I recommend you use it.
@eldraco Yes, you're right, but we moved them from Redis to SQLite.
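Worked example of the join the thread describes: the fuid in files.log leads to the http.log record whose resp_fuids carries that fuid, and the file name comes out of that record's uri field. This is added example code, not Slips' own file_handler.py / flow_handler.py code: it reads Zeek JSON-format logs directly instead of Slips' SQLite altflow table, the log lines are constructed for the example, and the KNOWN_BAD_MD5 blocklist and the evidence-description format are assumptions standing in for Slips' threat-intel hash lookup and set_evidence_malicious_hash(). It also covers the two cases a practitioner hits in real logs: resp_fuids is a vector (one response can carry several files), and files seen over other protocols (here an SSL certificate) have no http.log record at all, so the file name is simply unavailable rather than guessed.

```python
import json
import posixpath
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample Zeek logs in JSON format (LogAscii::use_json=T).
# Made up for this example, not from a real capture. Field names follow
# Zeek's Files::Info (files.log) and HTTP::Info (http.log) records.
FILES_LOG = """\
{"ts":1700000000.10,"fuid":"FgfXq21fVGwGdQ7Yh8","uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","source":"HTTP","mime_type":"application/x-dosexec","filename":"","seen_bytes":73802,"md5":"44d88612fea8a8f36de82e1278abb02f","sha1":"3395856ce81f2b7382dee72602f798b642f14140"}
{"ts":1700000001.20,"fuid":"FjQn1b3nJzxT9m7Pk5","uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","source":"HTTP","mime_type":"text/html","seen_bytes":512,"md5":"d41d8cd98f00b204e9800998ecf8427e"}
{"ts":1700000002.30,"fuid":"Fa5s2m4ZqJ0sXv2Ge7","uid":"Cj9KbT1qN8fLq3yC4d","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","source":"SSL","mime_type":"application/x-x509-user-cert","seen_bytes":1200,"sha1":"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"}
"""

HTTP_LOG = """\
{"ts":1700000000.05,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","method":"GET","host":"example.com","uri":"/downloads/update.exe?v=2","status_code":200,"resp_fuids":["FgfXq21fVGwGdQ7Yh8"],"resp_mime_types":["application/x-dosexec"]}
{"ts":1700000001.00,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","method":"GET","host":"example.com","uri":"/","status_code":200,"resp_fuids":["FjQn1b3nJzxT9m7Pk5"],"resp_mime_types":["text/html"]}
"""

# Assumed blocklist standing in for whatever hash feed a detector consults.
KNOWN_BAD_MD5 = {"44d88612fea8a8f36de82e1278abb02f"}


def parse_zeek_json(text: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_http_by_fuid(http_records: List[dict]) -> Dict[str, dict]:
    """Map every fuid carried in an HTTP response (resp_fuids) to its http.log record.

    resp_fuids is a vector: one response may carry several files, and a
    record whose response carried no file has no resp_fuids field at all.
    """
    index: Dict[str, dict] = {}
    for rec in http_records:
        for fuid in rec.get("resp_fuids", []):
            index.setdefault(fuid, rec)
    return index


def filename_from_uri(uri: str) -> Optional[str]:
    """Last path component of the request URI, with the query string dropped.

    Returns None for directory-style URIs such as '/' or '/downloads/'.
    """
    name = posixpath.basename(urlsplit(uri).path)
    return name or None


def filename_for_file(file_rec: dict, http_index: Dict[str, dict]) -> Optional[str]:
    """Best-effort file name for a files.log record.

    Zeek only fills files.log 'filename' when the protocol supplies one
    (e.g. Content-Disposition); otherwise fall back to the uri of the HTTP
    response that delivered the file. Files seen over protocols with no
    http.log record (SSL certificates here) yield None.
    """
    if file_rec.get("filename"):
        return file_rec["filename"]
    http_rec = http_index.get(file_rec["fuid"])
    if http_rec is None:
        return None
    return filename_from_uri(http_rec.get("uri", ""))


def malicious_download_evidence(files_text: str, http_text: str) -> List[dict]:
    """Join files.log against http.log on fuid and describe each blocklist hit."""
    http_index = index_http_by_fuid(parse_zeek_json(http_text))
    hits = []
    for rec in parse_zeek_json(files_text):
        md5 = rec.get("md5")
        if md5 not in KNOWN_BAD_MD5:
            continue
        http_rec = http_index.get(rec["fuid"], {})
        name = filename_for_file(rec, http_index)
        # Assumed description format; only mention the name when we actually have it.
        desc = f"Malicious downloaded file with md5 {md5}"
        if name:
            desc += f" (filename: {name})"
        if http_rec:
            desc += f" from http://{http_rec.get('host', '')}{http_rec.get('uri', '')}"
        hits.append({"fuid": rec["fuid"], "uid": rec["uid"], "md5": md5,
                     "filename": name, "description": desc})
    return hits


if __name__ == "__main__":
    for hit in malicious_download_evidence(FILES_LOG, HTTP_LOG):
        print(hit["description"])
```

The same join works on the Zeek TSV format once the line is split into fields, except that resp_fuids arrives as a comma-separated string (or `-` when empty) and has to be split before indexing; the JSON form avoids that parsing step, which is why the example uses it.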