CERT-Polska / karton-archive-extractor

Extractor of various archive formats for Karton framework
https://github.com/CERT-Polska/karton
GNU General Public License v3.0

allow payloads to be propagated to new tasks #56

Open conitrade-as opened 6 months ago

conitrade-as commented 6 months ago

This change set adds the ability to propagate payloads from received tasks to new tasks for extracted files.

This allows one, e.g., to specify in the parent task that the file originally came from an e-mail:

```python
task.add_payload('ext_origin_id', 'email', persistent=True)
```

Any downstream karton consumers can use these propagated payloads to fine-tune their decision making. A simple example is provided below. We want to flag .docm files in a .zip archive received over e-mail:

```python
# The resource and payloads arrive on the task this consumer received.
sample = task.get_resource('sample')
# 'ext_origin_id' was added as a persistent payload by the producer of the root task
# and propagated to the task for the extracted file.
ext_origin_id = task.get_payload('ext_origin_id')
# 'extraction_level' is truthy when the sample was extracted from an archive.
extraction_level = task.get_payload('extraction_level')
# Flag only .docm files that were extracted from something received over e-mail.
if '.docm' in sample.name and extraction_level and ext_origin_id == 'email':
    print('.docm files extracted from .zip over email are considered super suspicious')
```

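
The following is an added example and is not code from this pull request, from karton-archive-extractor or from karton-core. It models the propagation the PR describes end to end: a persistent payload (`ext_origin_id`) set on the root task is copied onto the task derived for each extracted file, while regular payloads are not, `extraction_level` is incremented per nesting level, and a downstream rule then flags a `.docm` that was extracted from an archive which arrived by e-mail. The `Task` and `Resource` classes are minimal stand-ins written for this example, not karton's real classes; `derive_extracted_task`, `is_suspicious_docm`, `classify_chain` and all sample file names are assumptions constructed for the demonstration.

```python
"""Added example (not the PR's or karton's code): a self-contained model of
propagating persistent payloads from a received task to the tasks created
for extracted files, plus a downstream check that uses them.

Task and Resource are minimal stand-ins for karton's classes, written for
this example only; they keep just the parts needed here."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Resource:
    """Stand-in for a karton Resource: a file name and its content."""
    name: Optional[str]
    content: bytes = b""


@dataclass
class Task:
    """Stand-in for karton's Task with two payload dicts: regular and persistent.
    Only persistent payloads are meant to survive derivation."""
    headers: Dict[str, Any]
    payload: Dict[str, Any] = field(default_factory=dict)
    payload_persistent: Dict[str, Any] = field(default_factory=dict)

    def add_payload(self, name: str, content: Any, persistent: bool = False) -> None:
        (self.payload_persistent if persistent else self.payload)[name] = content

    def get_payload(self, name: str, default: Any = None) -> Any:
        # Persistent payloads win, so an origin marker set upstream cannot be
        # shadowed by a regular payload added later in the pipeline.
        if name in self.payload_persistent:
            return self.payload_persistent[name]
        return self.payload.get(name, default)

    def get_resource(self, name: str) -> Resource:
        return self.get_payload(name)


def derive_extracted_task(parent: Task, extracted: Resource) -> Task:
    """Build the task for one file extracted from parent's sample (assumed helper).

    Persistent payloads are copied verbatim, so a marker such as
    'ext_origin_id' follows the file through any number of nested archives.
    Regular payloads (including the parent's own 'sample') are NOT copied,
    and 'extraction_level' is incremented so consumers can tell how deep the
    file was nested."""
    level = parent.get_payload("extraction_level", 0) or 0
    child = Task(headers={"type": "sample", "kind": "raw"})
    child.payload = {
        "sample": extracted,
        "parent": parent.get_resource("sample"),
        "extraction_level": level + 1,
    }
    child.payload_persistent = dict(parent.payload_persistent)
    return child


def is_suspicious_docm(task: Task) -> bool:
    """Flag a .docm that was extracted from an archive which arrived by e-mail.

    Unlike a bare `'.docm' in sample.name`, this tolerates a missing name and
    matches only the real extension, not e.g. 'evil.docm.txt'."""
    sample = task.get_resource("sample")
    name = (sample.name or "").lower()
    extraction_level = task.get_payload("extraction_level", 0) or 0
    origin = task.get_payload("ext_origin_id")
    return name.endswith(".docm") and extraction_level > 0 and origin == "email"


def classify_chain(origin: str, names: List[str]) -> bool:
    """Simulate an archive nested len(names) - 1 levels deep received from
    `origin` and return whether the innermost file is flagged.
    The scenario data is constructed for this example, not real samples."""
    root = Task(headers={"type": "sample", "kind": "raw"})
    root.add_payload("sample", Resource(names[0]))
    root.add_payload("ext_origin_id", origin, persistent=True)
    task = root
    for inner in names[1:]:
        task = derive_extracted_task(task, Resource(inner))
    return is_suspicious_docm(task)


if __name__ == "__main__":
    # invoice.zip -> macro.docm received over e-mail: flagged
    print(classify_chain("email", ["invoice.zip", "macro.docm"]))
    # same chain but downloaded from the web: not flagged
    print(classify_chain("web", ["invoice.zip", "macro.docm"]))
    # bare .docm attached directly (never extracted): not flagged
    print(classify_chain("email", ["macro.docm"]))
    # two archive levels deep still carries the persistent origin marker
    print(classify_chain("email", ["outer.zip", "inner.zip", "macro.docm"]))
```

The point to take from the model is the split between the two payload dicts: anything a consumer should be able to rely on several hops later (origin, tenant, campaign id) goes in with `persistent=True` and is copied on derivation, while per-file data such as `sample` and `extraction_level` is rebuilt for each child so a nested file never inherits its parent's name or depth.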
conitrade-as commented 5 months ago

@psrok1 @nazywam @msm-code Can one of you please take a look at this PR?