Merge pull request #413 from target/remove-capa-and-floss
Removing CAPA and FLOSS
phutelmyer authored Nov 16, 2023
2 parents b39c78f + 21f748f commit c63c98f
Showing 10 changed files with 401 additions and 827 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,9 @@
# Changelog
Changes to the project will be tracked in this file via the date of change.

## 2023-11-15
- Removed `ScanCapa` and `ScanFloss` from scanners, dependencies, and tests

## 2023-11-04
- Added `ScanIqy` to target and extract network addressed from IQY (Internet Query) files
- Added tests for `ScanIqy`
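Review bot: the new 2023-11-15 entry should spell out the operator impact of the removal, because it is a breaking change for anyone who uncommented `ScanCapa` or `ScanFloss` in a custom `backend.yaml` or Kubernetes configmap: after this commit those names no longer resolve to a scanner class, so the entry should say the keys must be deleted from user configs and ideally link to this PR (#413). Also note the date: the entry is dated 2023-11-15 while the merge is recorded on Nov 16, 2023; if the file tracks the date of change, the merge date is the one to use.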
25 changes: 6 additions & 19 deletions build/python/backend/Dockerfile
Expand Up @@ -7,7 +7,6 @@ LABEL maintainer="Target Brands, Inc. TTS-CFC-OpenSource@target.com"
ARG CONFIG_TESTS=false

ARG YARA_VERSION=4.3.1
ARG CAPA_VERSION=6.1.0
ARG EXIFTOOL_VERSION=12.60

# Environment variables
Expand Down Expand Up @@ -91,23 +90,6 @@ RUN apt-get -q update && \
perl Makefile.PL && \
make -s && \
make -s install && \
# Install FireEye CAPA rules and signatures
mkdir -p /etc/capa/rules/ && \
curl -OL https://github.com/mandiant/capa-rules/archive/refs/tags/v$CAPA_VERSION.zip && \
unzip v$CAPA_VERSION.zip -d /etc/capa/rules/ && \
rm -rf v$CAPA_VERSION.zip && \
mkdir -p /etc/capa/signatures/ && \
cd /etc/capa/signatures/ && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/1_flare_msvc_rtf_32_64.sig && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/2_flare_msvc_atlmfc_32_64.sig && \
curl -OL https://github.com/mandiant/capa/raw/master/sigs/3_flare_common_libs.sig && \
# Install FireEye FLOSS
# - Binary installation, not supported as Python 3 plugin
# - Requires binary to be executable
cd /tmp/ && \
curl -OL https://s3.amazonaws.com/build-artifacts.floss.flare.fireeye.com/travis/linux/dist/floss && \
chmod +x /tmp/floss && \
mv /tmp/floss /bin/floss && \
# Install YARA
cd /tmp/ && \
curl -OL https://github.com/VirusTotal/yara/archive/v$YARA_VERSION.tar.gz && \
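Review bot: the removed FLOSS block fetched an unversioned binary from `https://s3.amazonaws.com/build-artifacts.floss.flare.fireeye.com/travis/linux/dist/floss` with `curl -OL`, marked it executable and moved it to `/bin/floss` with no checksum or signature check, so dropping it is a genuine supply-chain improvement for the image and worth stating as the rationale in the PR description (the commit message only says "Removing CAPA and FLOSS"). The same pattern survives in the remaining context lines: the YARA tarball is pinned to `v$YARA_VERSION` but is still not integrity-checked after download; consider adding a `sha256sum -c` step against a known digest before the extract so the build fails on a tampered or changed archive.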
Expand Down Expand Up @@ -204,9 +186,14 @@ RUN cd /strelka/ && \
USER $USERNAME

# Run build checks
# Use --build-arg SCANNER_TEST=test_scan_<scannername>.py to ignore all but selected scanner
# ex: docker-compose build --build-arg SCANNER_TEST=test_scan_yara.py
ARG SCANNER_TEST=""

# Run tests. Fail build if any tests fail.
RUN echo '[+] Run build checks' && \
cd /strelka/strelka/ && \
python3 -m pytest -p no:cacheprovider -s tests/ && \
if $SCANNER_TESTS; then python3 -m pytest -p no:cacheprovider -s tests/$SCANNER_TEST; fi && \
if $CONFIG_TESTS; then python3 -m pytest -s tests_configuration/; fi && \
echo '[+] Done'
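Review bot: the test step in this hunk has a variable-name mismatch that makes the per-scanner test selection a no-op: the build arg is declared as `ARG SCANNER_TEST=""` but the condition reads `if $SCANNER_TESTS; then ... tests/$SCANNER_TEST; fi`. `$SCANNER_TESTS` is never set, so the `if` expands to an empty command and the selected-scanner pytest run never executes (the full `tests/` run on the line above still does). Since this hunk touches the block, fix the condition to test the declared arg, for example `if [ -n "$SCANNER_TEST" ]; then ...; fi`, and drop or correct the `SCANNER_TEST`/`SCANNER_TESTS` inconsistency in the comment above it.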

22 changes: 0 additions & 22 deletions configs/python/backend/backend.yaml
Expand Up @@ -68,19 +68,6 @@ scanners:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
# 'ScanCapa':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# - 'application/x-sharedlib'
# - 'elf_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# location_rules: '/etc/capa/rules/'
# location_signatures: '/etc/capa/signatures/'
# scanner_timeout: 20
# 'ScanCcn':
# - positive:
# flavors:
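Review bot: the removed `ScanCapa` block was already commented out, so default deployments are unaffected, but the block is duplicated verbatim in `misc/kubernetes/backend-configmap.yaml` (also changed in this commit). Keeping two hand-maintained copies of the scanner configuration is the kind of drift that lets one deployment keep referencing a scanner the code no longer ships; consider generating the configmap from `configs/python/backend/backend.yaml` at build or deploy time rather than editing both.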
Expand Down Expand Up @@ -174,15 +161,6 @@ scanners:
- 'image/heic'
- 'image/heif'
priority: 5
# 'ScanFloss':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# limit: 100
'ScanFooter':
- positive:
flavors:
2 changes: 0 additions & 2 deletions docs/README.md
Expand Up @@ -744,7 +744,6 @@ The table below describes each scanner and its options. Each scanner has the hid
| ScanBatch | Collects metadata from batch script files | N/A |
| ScanBase64 | Decodes base64-encoded files | N/A | [Nathan Icart](https://github.com/nateicart)
| ScanBzip2 | Decompresses bzip2 files | N/A |
| ScanCapa | Analyzes executable files with FireEye [capa](https://github.com/fireeye/capa) | `tempfile_directory` -- location where `tempfile` will write temporary files (defaults to `/tmp/`)<br>`location_rules` -- location of the capa rules file or directory (defaults to `/etc/capa/rules/`)<br>`location_signatures` -- location of the capa signature file or directory (defaults to `/etc/capa/signatures/`) |
| ScanCcn | Flags files containing credit card formatted numbers | N/A | [Ryan O'Horo](https://github.com/ryanohoro) |
| ScanCuckoo | Sends files to a Cuckoo sandbox | `url` -- URL of the Cuckoo sandbox (defaults to None)<br>`priority` -- Cuckoo priority assigned to the task (defaults to `3`)<br>`timeout` -- amount of time (in seconds) to wait for the task to upload (defaults to `10`)<br>`unique` -- boolean that tells Cuckoo to only analyze samples that have not been analyzed before (defaults to `True`)<br>`username` -- username used for authenticating to Cuckoo (defaults to None, optionally read from environment variable "CUCKOO_USERNAME")<br>`password` -- password used for authenticating to Cuckoo (defaults to None, optionally read from environment variable "CUCKOO_PASSWORD") |
| ScanDonut | Decrypts, extracts config and embedded payloads from Donut loader payloads (https://github.com/TheWover/donut) using donut-decrypt (https://github.com/volexity/donut-decryptor/) | | [Ryan O'Horo](https://github.com/ryanohoro) |
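Review bot: the `ScanCapa` row removal is correct, but the surrounding table rows in this hunk have inconsistent column counts that will render badly in Markdown: `ScanBase64` carries a fourth author column with no closing pipe, `ScanBatch` and `ScanBzip2` have three columns, and `ScanCcn` and `ScanDonut` have four with a closing pipe. Since the table is being edited here anyway, normalise every row to the same number of cells (an empty fourth cell where there is no contributor) and terminate each with `|`.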
Expand All @@ -756,7 +755,6 @@ The table below describes each scanner and its options. Each scanner has the hid
| ScanEntropy | Calculates entropy of files | N/A |
| ScanExiftool | Collects metadata parsed by Exiftool | `tempfile_directory` -- location where tempfile writes temporary files (defaults to `/tmp/`)<br>`keys` -- list of keys to log (defaults to all) |
| ScanFalconSandbox | Sends files to an instance of Falcon Sandbox | `server` -- URL of the Falcon Sandbox API inteface <br>`priority` -- Falcon Sandbox priority assigned to the task (defaults to `3`)<br>`timeout` -- amount of time (in seconds) to wait for the task to upload (defaults to `60`)<br>`envID` -- list of numeric envrionment IDs that tells Falcon Sandbox which sandbox to submit a sample to (defaults to `[100]`)<br>`api_key` -- API key used for authenticating to Falcon Sandbox (defaults to None, optionally read from environment variable "FS_API_KEY")<br>`api_secret` -- API secret key used for authenticating to Falcon Sandbox (defaults to None, optionally read from environment variable "FS_API_SECKEY") |
| ScanFloss | Analyzes executable files with FireEye [floss](https://github.com/fireeye/flare-floss) | `tempfile_directory` -- location where `tempfile` will write temporary files (defaults to `/tmp/`)<br>`limit` -- Maximum amount of strings to collect. (defaults to `100`) |
| ScanFooter | Collects file footer | `length` -- number of footer characters to log as metadata (defaults to `50`) <br> `encodings` -- list of output encodings, any of `classic`, `raw`, `hex`, `backslash` |
| ScanGif | Extracts data embedded in GIF files | N/A |
| ScanGzip | Decompresses gzip files | N/A
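Review bot: the `ScanFloss` row is gone as intended; while in this table, the adjacent `ScanFalconSandbox` row has two typos in the options column, "inteface" and "envrionment", and the `ScanGzip` row is missing its closing `|`, which breaks the table in some renderers. Worth fixing in the same pass.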
22 changes: 0 additions & 22 deletions misc/kubernetes/backend-configmap.yaml
Expand Up @@ -42,19 +42,6 @@ data:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
# 'ScanCapa':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# - 'application/x-sharedlib'
# - 'elf_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# location_rules: '/etc/capa/rules/'
# location_signatures: '/etc/capa/signatures/'
# scanner_timeout: 20
'ScanDocx':
- positive:
flavors:
Expand Down Expand Up @@ -168,15 +155,6 @@ data:
- 'ImageHeight'
- 'ImageWidth'
tmp_directory: '/dev/shm/'
# 'ScanFloss':
# - positive:
# flavors:
# - 'application/x-dosexec'
# - 'mz_file'
# priority: 5
# options:
# tmp_directory: '/dev/shm/'
# limit: 100
'ScanFooter':
- positive:
flavors:
0 comments on commit c63c98f