-
Notifications
You must be signed in to change notification settings - Fork 4
ReplacingTheAnalysisEngine
If you wish to use an analysis tool other than the supplied YARA engine for analyzing binary data, you would want to implement a new analysis engine, then configure the Binary Analysis Toolkit to use it. For instance, you might want to write an engine that would submit binary data to a third-party service for analysis.
You will have to implement two object classes in Python:
- The engine object, which will be called for each binary to be analyzed and return back a series of Indicators of Compromise (IOCs) to be reported.
- The engine factory object, which will be called at toolkit startup to load your engine object and configure it for use.
These object classes should be placed somewhere that the Binary Analysis Toolkit code can find them, for example, on the PYTHONPATH.
The default analysis engine interfaces with the YARA library to handle analysis of binary data.
If your analysis engine is implemented as a library accessible in-process (such as the YARA engine), your Engine object is responsible for correctly calling the library function(s) and formatting the return value in the proper fashion.
If your analysis engine is implemented in some out-of-process fashion (a different process on the same host, or on a different host), your Engine object is responsible for handling the necessary interprocess communications with that analysis engine, via the appropriate communications channel. Your configuration information should include information required to set up this communications channel (such as the remote host name).
All configuration information for your analysis engine should be located in the engine: section of the configuration file. Your engine may make free use of any property name under this section, except for the special property name type: and any property names beginning with an underscore character.
The special property name _provider: under the engine: section should contain the fully-qualified class name of your engine factory object, which the engine manager code will load and then call to create your engine object.
As part of the creation process, your engine factory object will be passed a Config object, which will point to the engine: section of the configuration file. You can use the methods of this object to read any of the configuration properties you have defined.
N.B.: In the current toolkit implementation, the type: value under the engine: section must be set to the string "local". Otherwise, the engine creation code will fail.
Copyright © 2020 VMware Inc., All Rights Reserved.
Information here is current as of Carbon Black Cloud Binary Toolkit 1.0.0