Feature Request: Enable modules to process the FSF scan output

[akniffe1]

I'd like to see a way for modules to run on the returned scan results, like a "meta module". The advantage of this is that Analysts could begin to develop post processing logic for the delicious data produced by FSF. Image a world with:

• modules that could help identify significant object hierarchies (i.e. a zip that contains somewhere a high entropy exe)
• modules to submit chunks of FSF analysis (not just the raw file buffer) to other services / logging engines for aggregation (i.e. combining the parent file attributes with another log source containing the state of the transaction that was observed and led to the submission of the file for analysis)

In keeping with the overall objective, I'd suggest that "meta modules" be triggered by content logged to the orderedDict, by default module execution, or finally after the execution of all available modules.

[jxb5151]

I definitely agree that some kind of post processor component is in order to both extend logging capabilities and capture important observations seen in the JSON reporting. This will require some time to explore the best way to implement this!

[jxb5151]

The latest project update should address the feature request on identifying relationships from FSF output (see notes on post-processing with jq). After some offline correspondence we agreed that data consumption of what is presently logged to files is best done via an add-on agent. Several of these exist already, depending on the data repository and implementation. Opportunities to fill those gaps would be neat projects in their own right that would have utility far beyond FSF logs.

Thanks for the awesome suggestions!

[geekscrapy]

I'd also love to see this - for something like creating a module which submits to a sandbox based on previous findings would be very powerfull (e.g. if an export module is found in a dll - we submit as a dll to Cuckoo Sandbox)