Comments (2)
I think this can be implemented without too many changes. 'Alert' could be changed to 'Archive' (on the server side configs) and most of its current functionality can remain 'as-is'. The client presently specifies 'how' things are archived when the 'alert' flag is triggered (with --archive), and I would advocate this simply be tuned to how things should be archived when this flag is set. This opens up the ability for different clients to specify different archival requirements (all the things, just the file, nothing, etc.) should the situation ever present itself for some reason?
So for the framework, the --archive would represent more something like...
None - The most common option is 'none' which will tell the server not to archive for this submission (default). This would override any configured archive option within the server disposition.py file.
File-on-archive - Only archive the submitted file if the 'archive' flag was found to have been true at some level of the recursive scan.
All-on-archive - Only archive the submitted file and all sub objects if the 'archive' flag was found to have been true at some level of the recursive scan.
All-the-files - Override server side settings and always archive files submitted from this client.
All-the-things - Override server side settings and always archive files and sub objects submitted from this client.
With the above said, I would want to preserve some flag that enables an analyst to determine whether the binary was detected to represent a threat at some level. This is part of what 'alert' was intended to accomplish, but the name 'alert' is a bit of a misnomer seeing as how there is no alert being issued on behalf of FSF, more just that maybe you should? :) I would probably change the verbiage here to 'threat' with the same t/f boolean type supported before. Alerting can then be informed based on this value.
With the proposed changes, analysts then have the ability to select archival criteria based on Yara/JQ hits that don't necessarily equate to a threat. They also have the ability to decide at the client level how it is archived server side (if at all) for each submission. Support for delineation between file archival and threat detection would then be accomplished.
Changes would need to be made in the core to accommodate this, some documentation and process mapping changes would need to happen as well. Existing implementations will also be impacted and something more comprehensive should be put together to support them.
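The following is an added example sketching the decision logic the comment above proposes; it is not FSF project code. It assumes a recursive scan tree in which each object carries two hypothetical booleans, 'archive' (set by a server-side disposition rule) and 'threat', and it shows how the five client --archive modes select what to archive while the threat flag is reported separately, so archival and threat detection stay decoupled. The sample scan tree and its file names are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class ArchiveMode(Enum):
    """Client-side --archive values as sketched in the comment (assumed names)."""
    NONE = "none"
    FILE_ON_ARCHIVE = "file-on-archive"
    ALL_ON_ARCHIVE = "all-on-archive"
    ALL_THE_FILES = "all-the-files"
    ALL_THE_THINGS = "all-the-things"


@dataclass
class ScanObject:
    """One node of a recursive scan: the submitted file or an extracted sub-object.

    'archive' and 'threat' are the two hypothetical per-object booleans the
    comment proposes (set server-side by disposition rules); they are assumed
    here, not taken from the FSF code base.
    """
    name: str
    archive: bool = False
    threat: bool = False
    children: List["ScanObject"] = field(default_factory=list)


def flag_set_anywhere(obj: ScanObject, attr: str) -> bool:
    """True if the named boolean is set on obj or on any descendant."""
    if getattr(obj, attr):
        return True
    return any(flag_set_anywhere(child, attr) for child in obj.children)


def all_names(obj: ScanObject) -> List[str]:
    """Names of obj and every sub-object, depth first."""
    names = [obj.name]
    for child in obj.children:
        names.extend(all_names(child))
    return names


def select_for_archive(root: ScanObject, mode: ArchiveMode) -> List[str]:
    """Decide what to archive for one submission given the client's --archive mode.

    Returns the names of objects to archive. Archival depends only on the
    'archive' flag; the 'threat' flag is reported separately by threat_detected().
    """
    triggered = flag_set_anywhere(root, "archive")
    if mode is ArchiveMode.NONE:
        return []                                   # client overrides server: archive nothing
    if mode is ArchiveMode.FILE_ON_ARCHIVE:
        return [root.name] if triggered else []     # only the submitted file
    if mode is ArchiveMode.ALL_ON_ARCHIVE:
        return all_names(root) if triggered else [] # submitted file plus all sub-objects
    if mode is ArchiveMode.ALL_THE_FILES:
        return [root.name]                          # always, regardless of flags
    if mode is ArchiveMode.ALL_THE_THINGS:
        return all_names(root)                      # always, everything
    raise ValueError(f"unknown archive mode: {mode!r}")


def threat_detected(root: ScanObject) -> bool:
    """The boolean an analyst would key alerting on, independent of archival."""
    return flag_set_anywhere(root, "threat")


def decide(root: ScanObject, mode: ArchiveMode) -> dict:
    """Bundle both outcomes for one submission."""
    return {"archive": select_for_archive(root, mode), "threat": threat_detected(root)}


# Constructed sample scan tree (not real FSF output): a document whose embedded
# macro matched a rule that requests archival, and whose dropped executable
# was flagged as a threat by a different rule.
SAMPLE = ScanObject(
    "invoice.docm",
    children=[
        ScanObject("vbaProject.bin", archive=True),
        ScanObject("oleObject1.bin", children=[ScanObject("dropper.exe", threat=True)]),
    ],
)

# A constructed benign submission: nothing flagged anywhere.
CLEAN = ScanObject("notes.txt", children=[ScanObject("image.png")])


if __name__ == "__main__":
    for mode in ArchiveMode:
        print(f"{mode.value:16s} {decide(SAMPLE, mode)}")
```

Running the block prints one line per mode for the sample tree; note that 'none' archives nothing even though a sub-object asked for it, while 'threat' stays True in every mode because it is computed from the scan result alone.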