
[REQUEST] Single Binary for Ad-hoc Analysis

Open weslambert opened this issue 4 years ago • 2 comments

Is your feature request related to a problem? Please describe.

It would be great to have the ability to quickly analyze a file using a single slimmed-down binary, without having to connect to a remote backend. This would not necessarily require all components typically required for enterprise-level scanning, and would be excellent for demo/training/quick analysis without having to set up infrastructure. The expectation would be that it is used for ad-hoc analysis.

Describe alternatives you've considered

- Running a local version of the backend/other components
- Using docker-compose

weslambert avatar Oct 22 '21 12:10 weslambert

@weslambert: Per @ryanohoro's commit #295, users can attempt to analyze files with no need to compile or connect to a Strelka instance.

While this is not an executable, it does reduce the need for additional infrastructure as noted in the request.

```
src/python$ python setup.py install
src/python$ pip install -r requirements.txt
src/python$ strelka strelka/tests/fixtures/test.html
starting local analysis...
{"file": {"depth": 0, "flavors": {"mime": ["text/html"], "yara": ["html_file"]}, "name": "strelka/tests/fixtures/test.html", "scanners": ["ScanEntropy", "ScanFooter", "ScanHash", "ScanHeader", "ScanHtml", "ScanYara"], "size": 5875, "tree": {"node": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2", "root": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2"}}, "scan": {"entropy": {"elapsed": 3.6e-05, "entropy": 4.847574566795829}, "footer": {"elapsed": 2e-05, "footer": "pan></span>\n</p>\n\n\n<p>&nbsp;</p>\n\n\n</body>\n</html>", "backslash": "pan></span>\\n</p>\\n\\n\\n<p>&nbsp;</p>\\n\\n\\n</body>\\n</html>"}, "hash": {"elapsed": 0.004696, "md5": "ba4ffdba7f62b2333a23a97d3ba5f1f6", "sha1": "a1f900c64ed49bc111462c6fd91546640b5ac20c", "sha256": "38e2d4d56acf228fcebbbf5a60a16bb36ffcee490299ea52c9b1ffbcbeb62db8", "ssdeep": "96:qWJQC5siJJ+tH6STSTSTSTkvsAw2gF3BgwQWhhSTSTSTSTS/sItklIy7STSTSTSh:qOQGsiJJO3eeeIvspjJPyeeeefklCeew", "tlsh": "T14AC16713EF67021152BDA0E9E0BF4A64D494560CA3465BF4B2AE477ABFCD93136122CC"}, "header": {"elapsed": 3e-05, "header": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <title", "backslash": "<!DOCTYPE html>\\n<html lang=\"en\">\\n<head>\\n    <title"}, "html": {"elapsed": 0.005584, "total": {"scripts": 2, "forms": 0, "inputs": 0, "frames": 0, "extracted": 1, "spans": 35}, "title": "Lorem Ipsum", "scripts": [{"src": "https://example.com/example.js", "type": "text/javascript"}], "spans": [{"style": "font-size:11pt"}, {"style": "background-color:white"}, {"style": "font-family:Calibri,sans-serif"}, {"style": "font-size:52.5pt"}, {"style": "color:black"}, {"style": "font-size:12pt"}, {"style": "font-family:\"Times New Roman\",serif"}, {"style": "font-size:10.5pt"}, {"style": "font-family:\"Arial\",sans-serif"}]}, "yara": {"elapsed": 0.002338, "matches": ["test"]}}}
{"file": {"depth": 1, "flavors": {"mime": ["text/plain"], "yara": ["javascript_file"]}, "name": "script_1", "scanners": ["ScanEntropy", "ScanFooter", "ScanHash", "ScanHeader", "ScanJavascript", "ScanYara"], "size": 221, "source": "ScanHtml", "tree": {"node": "b13705b5-ee6b-4d02-b6bc-b17bd81b7744", "parent": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2", "root": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2"}}, "scan": {"entropy": {"elapsed": 3.1e-05, "entropy": 4.620200029985679}, "footer": {"elapsed": 1.7e-05, "footer": "   document.body.appendChild(newParagraphElement)\n", "backslash": "   document.body.appendChild(newParagraphElement)\\n"}, "hash": {"elapsed": 7e-05, "md5": "ed2a6dffc68bcbe361f4539b5f423d66", "sha1": "172771134de76ede1df66cfa95a839237e485c40", "sha256": "8c3e97cc7103eec2f8959b0f27e2011f09f26386131b075a59f2423c791917ff", "ssdeep": "6:8/tuR78mgO9lV3K0Ji8mOFf0/tuRhBeJY1lLB/etuRMv:8/tuRYu80J17F8/tuRhBein2tuRu", "tlsh": "T159D0A715143A07E4A34AB04F24344394F870045A30173115545F4CCF6F20E922485494"}, "header": {"elapsed": 1.3e-05, "header": "\n    newParagraphElement = document.createElement(", "backslash": "\\n    newParagraphElement = document.createElement("}, "javascript": {"elapsed": 0.031265, "tokens": ["Identifier", "Punctuator", "String"], "strings": ["span", "Lorem Ipsum"], "identifiers": ["newParagraphElement", "document", "createElement", "textLoremIpsum", "createTextNode", "appendChild", "body"], "beautified": true}, "yara": {"elapsed": 7e-05, "matches": ["test"]}}}
```

phutelmyer avatar Jan 24 '23 20:01 phutelmyer
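The local-analysis run above prints one JSON event per line: the root file at depth 0 and the script Strelka extracted from it at depth 1, linked through the `file.tree` ids (`node`, `parent`, `root`). As an added example that is not part of this thread or of the Strelka code base, the script below consumes that output the way an enrichment pipeline would: it skips the non-JSON status line, rebuilds the extraction tree from the `tree` ids, and pulls out the hashes, script URLs, YARA matches and JavaScript identifiers. The sample input is a constructed copy of the two events shown above, trimmed to the fields the script reads; the function names and the choice of indicator fields are this example's own.

```python
"""Consume Strelka local-analysis output (one JSON event per line)."""
import json
from collections import defaultdict

# Constructed sample: the two events from the local run above, trimmed to the
# fields this script reads (the real output carries many more scanner keys).
SAMPLE_OUTPUT = """\
starting local analysis...
{"file": {"depth": 0, "flavors": {"mime": ["text/html"], "yara": ["html_file"]}, "name": "strelka/tests/fixtures/test.html", "scanners": ["ScanEntropy", "ScanHash", "ScanHtml", "ScanYara"], "size": 5875, "tree": {"node": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2", "root": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2"}}, "scan": {"hash": {"sha256": "38e2d4d56acf228fcebbbf5a60a16bb36ffcee490299ea52c9b1ffbcbeb62db8"}, "html": {"title": "Lorem Ipsum", "scripts": [{"src": "https://example.com/example.js", "type": "text/javascript"}]}, "yara": {"matches": ["test"]}}}
{"file": {"depth": 1, "flavors": {"mime": ["text/plain"], "yara": ["javascript_file"]}, "name": "script_1", "scanners": ["ScanEntropy", "ScanHash", "ScanJavascript", "ScanYara"], "size": 221, "source": "ScanHtml", "tree": {"node": "b13705b5-ee6b-4d02-b6bc-b17bd81b7744", "parent": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2", "root": "d6fd90b3-ba36-44fc-a45b-e7ca40c58fe2"}}, "scan": {"hash": {"sha256": "8c3e97cc7103eec2f8959b0f27e2011f09f26386131b075a59f2423c791917ff"}, "javascript": {"identifiers": ["newParagraphElement", "document", "createElement"]}, "yara": {"matches": ["test"]}}}
"""


def parse_events(text):
    """Return the JSON events in `text`, ignoring non-JSON status lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # e.g. "starting local analysis..."
        events.append(json.loads(line))
    return events


def build_tree(events):
    """Index events by tree node id and map each parent id to its children.

    The `file.tree` block carries node/parent/root ids; the root event has no
    `parent` key and its `node` equals its `root`.
    """
    by_node = {}
    children = defaultdict(list)
    for ev in events:
        tree = ev["file"]["tree"]
        by_node[tree["node"]] = ev
        if "parent" in tree:
            children[tree["parent"]].append(tree["node"])
    return by_node, children


def render_tree(events):
    """Indented one-line-per-file view of the extraction tree."""
    by_node, children = build_tree(events)
    lines = []

    def walk(node_id, depth):
        ev = by_node[node_id]
        f, scan = ev["file"], ev["scan"]
        mime = ",".join(f["flavors"].get("mime", []))
        yara = ",".join(scan.get("yara", {}).get("matches", []))
        # `source` names the scanner that extracted this child (absent on the root)
        src = f" via {f['source']}" if "source" in f else ""
        lines.append(
            f"{'  ' * depth}{f['name']} [{mime}] "
            f"sha256={scan['hash']['sha256']} yara={yara or '-'}{src}"
        )
        for child in children.get(node_id, []):
            walk(child, depth + 1)

    roots = [n for n, ev in by_node.items() if "parent" not in ev["file"]["tree"]]
    for root in roots:
        walk(root, 0)
    return lines


def collect_indicators(events):
    """Pull out the fields an enrichment service would typically key on."""
    ind = {"sha256": [], "urls": [], "yara": [], "identifiers": []}
    for ev in events:
        scan = ev["scan"]
        ind["sha256"].append(scan["hash"]["sha256"])
        for s in scan.get("html", {}).get("scripts", []):
            if s.get("src"):
                ind["urls"].append(s["src"])
        ind["yara"].extend(scan.get("yara", {}).get("matches", []))
        ind["identifiers"].extend(scan.get("javascript", {}).get("identifiers", []))
    # de-duplicate while keeping first-seen order
    return {k: list(dict.fromkeys(v)) for k, v in ind.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_OUTPUT)
    print("\n".join(render_tree(evs)))
    print(json.dumps(collect_indicators(evs), indent=2))
```

Piping a real run through it is `strelka sample.html | python consume.py` with `SAMPLE_OUTPUT` swapped for `sys.stdin.read()`; because the status line is filtered by its first character rather than by its text, the same loop tolerates other non-JSON chatter on stdout. Keying the tree on the `node`/`parent` ids rather than on `depth` matters once a file yields several extracted children at the same depth, where depth alone cannot tell you which archive or document each one came from.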

Thanks, Paul! I think this is a great step in that direction, and I really appreciate all of the work that went into making this possible. Would this be amenable to being a library leveraged by an enrichment service, or something similar? I think it would still be useful to be able to provide analysis with a single binary that could be called by systems that leverage external tools without dependencies, but again, I think this is a great step forward.

weslambert avatar Jan 25 '23 03:01 weslambert