Integration with Malware Repository Framework
The Malware Repository Framework (https://github.com/Tigzy/malware-repo) offers a way to store malware. How can we integrate Yeti with it?
- Create a feed to fetch malware sample information from Malware Repo
- Create an analytics that sends samples to malware repo. Results are collected through feeds.
Thoughts?
I don't know much about Yeti internals, but if there's a place to put API keys, the file storage can be hooked to upload files to MRF too? Then, display a link to the MRF sample page in Yeti.
Here's what I think we could build:
- Create a feed for Yeti that sends hashes to MRF and gets data that it can store back. Have this feed running in the background.
- Add a new sample to Yeti. This pushes the sample to MRF.
- MRF carries out analysis asynchronously (fingerprinting, scoring, static and dynamic analysis etc.)
- In the background, Yeti goes through all its hashes and asks MRF for any additional data it may have, so it will get results when they are ready.
Thoughts?
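The push-then-poll loop proposed in the comment above, as an added sketch that is not code from Yeti, pyeti or malware-repo. Everything about the MRF side is assumed: `FakeMrf` is an in-memory stand-in with a made-up `upload`/`lookup` interface and a made-up sample URL shape, and `YetiMrfFeed` only imitates the shape a Yeti feed would take (hash-only storage on the Yeti side, a background pass that re-queries pending hashes until MRF has finished its asynchronous analysis).

```python
"""Yeti <-> MRF push-then-poll sketch (added example; the MRF API is assumed)."""
import hashlib
from dataclasses import dataclass, field

PENDING = "pending"   # MRF has the sample but analysis is not finished yet
DONE = "done"         # MRF returned results for this hash
UNKNOWN = "unknown"   # MRF has never seen this hash (hash-only entry, no upload)


@dataclass
class FakeMrf:
    """Constructed stand-in for MRF: takes uploads, finishes analysis after
    `polls_until_ready` lookups. The real MRF is a network service."""
    api_key: str
    polls_until_ready: int = 2
    _samples: dict = field(default_factory=dict)

    def _auth(self, key):
        if key != self.api_key:
            raise PermissionError("bad MRF API key")

    def upload(self, key, data: bytes) -> str:
        self._auth(key)
        sha256 = hashlib.sha256(data).hexdigest()
        # Idempotent: re-uploading a known sample must not reset its analysis.
        self._samples.setdefault(sha256, {"polls": 0, "size": len(data)})
        return sha256

    def lookup(self, key, sha256: str) -> dict:
        self._auth(key)
        entry = self._samples.get(sha256)
        if entry is None:
            return {"status": UNKNOWN}
        entry["polls"] += 1
        if entry["polls"] < self.polls_until_ready:
            return {"status": PENDING}
        return {"status": DONE, "size": entry["size"],
                "link": f"https://mrf.example/sample/{sha256}"}  # assumed URL shape


class YetiMrfFeed:
    """Yeti side: keep only hashes plus whatever MRF has reported so far."""

    def __init__(self, mrf, api_key):
        self.mrf = mrf
        self.api_key = api_key
        self.hashes = {}   # sha256 -> metadata collected from MRF so far

    def add_sample(self, data: bytes) -> str:
        """New sample added to Yeti: push the bytes to MRF, keep only the hash."""
        sha256 = self.mrf.upload(self.api_key, data)
        self.hashes.setdefault(sha256, {"status": PENDING})
        return sha256

    def add_hash(self, sha256: str):
        """Hash-only entry (the 'add hash' path): nothing uploaded, just tracked."""
        self.hashes.setdefault(sha256, {"status": PENDING})

    def run(self) -> int:
        """One background pass: ask MRF about every hash without final results.
        Returns how many hashes reached DONE during this pass."""
        finished = 0
        for sha256, meta in self.hashes.items():
            if meta["status"] == DONE:
                continue   # results already stored, no need to ask again
            result = self.mrf.lookup(self.api_key, sha256)
            meta.update(result)   # PENDING/UNKNOWN entries get polled again next pass
            if result["status"] == DONE:
                finished += 1
        return finished


if __name__ == "__main__":
    mrf = FakeMrf(api_key="secret")
    feed = YetiMrfFeed(mrf, "secret")
    h = feed.add_sample(b"constructed sample bytes")   # constructed, not a real sample
    feed.add_hash("0" * 64)                            # hash MRF has never seen
    for _ in range(3):
        print("finished this pass:", feed.run(), feed.hashes[h]["status"])
```

The point of the `run()` loop is that it is safe to call repeatedly from a scheduler: hashes that already have results are skipped, pending ones are re-queried, and a hash MRF does not know about stays tracked so it picks up results if the sample is uploaded later.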
See MRF as an extended samples storage. So I think the best way to take advantage of it would be to store the samples into MRF (as it's the main purpose), then just keep the hash on Yeti side + a way to query metadata/download (if needed) by hash.
I agree that this might be a case of data duplication, but we need a way to store the actual samples for people that don't use MRF. The logic to send a sample to Yeti is already built in pyeti's CLI tools; I think changing this to support both a setup with and without MRF is too convoluted.
Maybe MRF users could use pyeti's "add hash" function? (we can easily build that). Does MRF have a CLI way to store files?