Merge branch 'master' into ScanXML_Refactor+AdditionalFunctionality

configs/python/backend/backend.yaml

@@ -1,3 +1,4 @@
+
 version: 2024.04.22.01
 logging_cfg: '/etc/strelka/logging.yaml'
 limits:
@@ -107,6 +108,7 @@ scanners:
           - 'application/vnd.ms-outlook'
           - 'message/rfc822'
           - 'email_file'
+          - 'email_file_broad'
       priority: 5
       options:
         create_thumbnail: True
@@ -272,6 +274,11 @@ scanners:
           - 'application/json'
           - 'json_file'
       priority: 5
+  'ScanJnlp':
+    - positive:
+        flavors:
+          - "jnlp_file"
+      priority: 5
   'ScanLibarchive':
     - positive:
         flavors:

configs/python/backend/taste/taste.yara

@@ -464,6 +464,23 @@ rule email_file {
         $e in (0..2048)
 }
 
+rule email_file_broad
+{
+    meta:
+        type = "email"
+    strings:
+        $ = "Received: "
+        $ = "Origin-messageId: "
+        $ = "Return-Path: "
+        $ = "From: "
+        $ = "To: "
+        $ = "Subject: "
+        $ = "Date: "
+    condition:
+        magic.mime_type() == "message/rfc822" or
+        all of them
+}
+
 rule tnef_file {
     meta:
         description = "Transport Neutral Encapsulation Format"

docs/README.md

@@ -798,7 +798,8 @@ The table below describes each scanner and its options. Each scanner has the hid
 | ScanIso           | Collects and extracts files from ISO files                                                                                                                                        | `limit` -- maximum number of files to extract (defaults to `0`)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 | ScanJarManifest   | Collects metadata from JAR manifest files                                                                                                                                         | N/A                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 | ScanJavascript    | Collects metadata from Javascript files                                                                                                                                           | `beautify` -- beautifies JavaScript before parsing (defaults to `True`)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| ScanJpeg          | Extracts data embedded in JPEG files                                                                                                                                              | N/A                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+| ScanJpeg          | Extracts data embedded in JPEG files                                                                                                                                              | N/A
+| ScanJnlp         | Identifies JNLP files that reference external HTTP resources, particularly those not associated with trusted domains | N/A | Ryan Borre, [Paul Hutelmyer](https://github.com/phutelmyer)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 | ScanJson          | Collects keys from JSON files                                                                                                                                                     | N/A                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | ScanLibarchive    | Extracts files from libarchive-compatible archives.                                                                                                                               | `limit` -- maximum number of files to extract (defaults to `1000`)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 | ScanLnk           | Collects metadata from lnk files.                                                                                                                                                 | N/A                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Ryan Borre, [DerekT2](https://github.com/Derekt2), [Nathan Icart](https://github.com/nateicart)