
Merge pull request #429 from ryanohoro/limitscanzip
ScanZip Improvements - Limits Changes, Zero File Size Support, Encryption Updates
phutelmyer authored Jan 29, 2024
2 parents 514ff69 + 5dac4a5 commit 7c632da
Showing 15 changed files with 460 additions and 162 deletions.
4 changes: 4 additions & 0 deletions configs/python/backend/backend.yaml
Expand Up @@ -694,6 +694,10 @@ scanners:
priority: 5
options:
limit: 1000
limit_metadata: True
size_limit: 250000000
crack_pws: False
log_pws: True
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
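Review bot: The four new ScanZip options `limit_metadata`, `size_limit`, `crack_pws` and `log_pws` land without any comment on their units or effect, and `log_pws: True` as a shipped default deserves one in particular, because by its name it appears to copy the archive password that opened the file (from `password_file` or cracking) into the scan event, which then travels with the event into whatever store or SIEM consumes Strelka output. I would annotate each key inline, e.g. `size_limit: 250000000  # bytes; confirm whether this bounds compressed or uncompressed size, since only the latter limits decompression-bomb exposure` and `log_pws: True  # include the password that opened the archive in the event; review before forwarding events to shared log storage`. The scanner code that reads these keys (scan_zip.py) is in the unrendered part of this commit, so the effect of each option is inferred from the names and the PR title rather than from visible lines; the enclosing `'ScanZip':` entry starts above this hunk.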
16 changes: 8 additions & 8 deletions docs/README.md


18 changes: 9 additions & 9 deletions src/python/strelka/scanners/scan_docx.py
Expand Up @@ -30,17 +30,17 @@ def scan(self, data, file, options, expire_at):
self.event["identifier"] = docx_doc.core_properties.identifier
self.event["keywords"] = docx_doc.core_properties.keywords
self.event["language"] = docx_doc.core_properties.language
self.event[
"last_modified_by"
] = docx_doc.core_properties.last_modified_by
self.event["last_modified_by"] = (
docx_doc.core_properties.last_modified_by
)
if docx_doc.core_properties.last_printed is not None:
self.event[
"last_printed"
] = docx_doc.core_properties.last_printed.isoformat()
self.event["last_printed"] = (
docx_doc.core_properties.last_printed.isoformat()
)
if docx_doc.core_properties.modified is not None:
self.event[
"modified"
] = docx_doc.core_properties.modified.isoformat()
self.event["modified"] = (
docx_doc.core_properties.modified.isoformat()
)
self.event["revision"] = docx_doc.core_properties.revision
self.event["subject"] = docx_doc.core_properties.subject
self.event["title"] = docx_doc.core_properties.title
4 changes: 2 additions & 2 deletions src/python/strelka/scanners/scan_encrypted_zip.py
Expand Up @@ -133,8 +133,8 @@ def scan(self, data, file, options, expire_at):
is_aes = True
break

with pyzipper.AESZipFile(zip_io) if is_aes else pyzipper.ZipFile(
zip_io
with (
pyzipper.AESZipFile(zip_io) if is_aes else pyzipper.ZipFile(zip_io)
) as zip_obj:
file_list = zip_obj.filelist # .filelist
for file_list_item in file_list:
26 changes: 13 additions & 13 deletions src/python/strelka/scanners/scan_iso.py
Expand Up @@ -27,19 +27,19 @@ def scan(self, data, file, options, expire_at):

# Attempt to get Meta
try:
self.event["meta"][
"date_created"
] = self._datetime_from_volume_date(iso.pvd.volume_creation_date)
self.event["meta"][
"date_effective"
] = self._datetime_from_volume_date(iso.pvd.volume_effective_date)
self.event["meta"][
"date_expiration"
] = self._datetime_from_volume_date(iso.pvd.volume_expiration_date)
self.event["meta"][
"date_modification"
] = self._datetime_from_volume_date(
iso.pvd.volume_modification_date
self.event["meta"]["date_created"] = (
self._datetime_from_volume_date(iso.pvd.volume_creation_date)
)
self.event["meta"]["date_effective"] = (
self._datetime_from_volume_date(iso.pvd.volume_effective_date)
)
self.event["meta"]["date_expiration"] = (
self._datetime_from_volume_date(iso.pvd.volume_expiration_date)
)
self.event["meta"]["date_modification"] = (
self._datetime_from_volume_date(
iso.pvd.volume_modification_date
)
)
self.event["meta"][
"volume_identifier"
12 changes: 6 additions & 6 deletions src/python/strelka/scanners/scan_lnk.py
Expand Up @@ -140,18 +140,18 @@ def scan(self, data, file, options, expire_at):

try:
if extradata.IconEnvironmentDataBlock:
self.event[
"icon_target"
] = extradata.IconEnvironmentDataBlock.TargetAnsi
self.event["icon_target"] = (
extradata.IconEnvironmentDataBlock.TargetAnsi
)
except strelka.ScannerTimeout:
raise
except Exception:
self.flags.append("Unable to parse IconEnvironmentDataBlock")

if extradata.TrackerDataBlock:
self.event[
"machine_id"
] = extradata.TrackerDataBlock.MachineID.strip(b"\x00")
self.event["machine_id"] = (
extradata.TrackerDataBlock.MachineID.strip(b"\x00")
)
self.event["mac"] = str(
uuid.UUID(bytes_le=extradata.TrackerDataBlock.Droid[16:])
).split("-")[-1]
24 changes: 12 additions & 12 deletions src/python/strelka/scanners/scan_pe.py
Expand Up @@ -532,18 +532,18 @@ def scan(self, data, file, options, expire_at):
self.event["address_of_entry_point"] = pe.OPTIONAL_HEADER.AddressOfEntryPoint
self.event["image_base"] = pe.OPTIONAL_HEADER.ImageBase
self.event["size_of_code"] = pe.OPTIONAL_HEADER.SizeOfCode
self.event[
"size_of_initialized_data"
] = pe.OPTIONAL_HEADER.SizeOfInitializedData
self.event["size_of_initialized_data"] = (
pe.OPTIONAL_HEADER.SizeOfInitializedData
)
self.event["size_of_headers"] = pe.OPTIONAL_HEADER.SizeOfHeaders
self.event["size_of_heap_reserve"] = pe.OPTIONAL_HEADER.SizeOfHeapReserve
self.event["size_of_image"] = pe.OPTIONAL_HEADER.SizeOfImage
self.event["size_of_stack_commit"] = pe.OPTIONAL_HEADER.SizeOfStackCommit
self.event["size_of_stack_reserve"] = pe.OPTIONAL_HEADER.SizeOfStackReserve
self.event["size_of_heap_commit"] = pe.OPTIONAL_HEADER.SizeOfHeapCommit
self.event[
"size_of_uninitialized_data"
] = pe.OPTIONAL_HEADER.SizeOfUninitializedData
self.event["size_of_uninitialized_data"] = (
pe.OPTIONAL_HEADER.SizeOfUninitializedData
)
self.event["file_alignment"] = pe.OPTIONAL_HEADER.FileAlignment
self.event["section_alignment"] = pe.OPTIONAL_HEADER.SectionAlignment
self.event["checksum"] = pe.OPTIONAL_HEADER.CheckSum
Expand All @@ -552,12 +552,12 @@ def scan(self, data, file, options, expire_at):
self.event["minor_image_version"] = pe.OPTIONAL_HEADER.MinorImageVersion
self.event["major_linker_version"] = pe.OPTIONAL_HEADER.MajorLinkerVersion
self.event["minor_linker_version"] = pe.OPTIONAL_HEADER.MinorLinkerVersion
self.event[
"major_operating_system_version"
] = pe.OPTIONAL_HEADER.MajorOperatingSystemVersion
self.event[
"minor_operating_system_version"
] = pe.OPTIONAL_HEADER.MinorOperatingSystemVersion
self.event["major_operating_system_version"] = (
pe.OPTIONAL_HEADER.MajorOperatingSystemVersion
)
self.event["minor_operating_system_version"] = (
pe.OPTIONAL_HEADER.MinorOperatingSystemVersion
)
self.event["major_subsystem_version"] = pe.OPTIONAL_HEADER.MajorSubsystemVersion
self.event["minor_subsystem_version"] = pe.OPTIONAL_HEADER.MinorSubsystemVersion
self.event["image_version"] = float(
24 changes: 12 additions & 12 deletions src/python/strelka/scanners/scan_pgp.py
Expand Up @@ -74,9 +74,9 @@ def parse_pgpdump(self, data):
secret_key_entry["creation_time"] = creation_time.isoformat()
expiration_time = getattr(packet, "expiration_time", None)
if expiration_time is not None:
secret_key_entry[
"expiration_time"
] = expiration_time.isoformat()
secret_key_entry["expiration_time"] = (
expiration_time.isoformat()
)

if secret_key_entry not in self.event["secret_keys"]:
self.event["secret_keys"].append(secret_key_entry)
Expand All @@ -98,9 +98,9 @@ def parse_pgpdump(self, data):
public_key_entry["creation_time"] = creation_time.isoformat()
expiration_time = getattr(packet, "expiration_time", None)
if expiration_time is not None:
public_key_entry[
"expiration_time"
] = expiration_time.isoformat()
public_key_entry["expiration_time"] = (
expiration_time.isoformat()
)

if public_key_entry not in self.event["public_keys"]:
self.event["public_keys"].append(public_key_entry)
Expand Down Expand Up @@ -135,14 +135,14 @@ def parse_pgpdump(self, data):
}
creation_time = getattr(packet, "creation_time", None)
if creation_time is not None:
signature_packet_entry[
"creation_time"
] = creation_time.isoformat()
signature_packet_entry["creation_time"] = (
creation_time.isoformat()
)
expiration_time = getattr(packet, "expiration_time", None)
if expiration_time is not None:
signature_packet_entry[
"expiration_time"
] = expiration_time.isoformat()
signature_packet_entry["expiration_time"] = (
expiration_time.isoformat()
)

if signature_packet_entry not in self.event["signatures"]:
self.event["signatures"].append(signature_packet_entry)
1 change: 0 additions & 1 deletion src/python/strelka/scanners/scan_vsto.py
Expand Up @@ -7,7 +7,6 @@
"""


import base64
import hashlib

