Small Python Daemon to use oletools over TCP sockets. Mainly to use oletools in Rspamd.
Rspamd oletools plugin documentation: Rspamd External Services - Oletools
Some extra details you can find in our blog series in German language here:
Emotet mit Rspamd und Oletools bekämpfen
Or google translated here:
Fight Emotet with Rspamd and Oletools
This Daemon is production tested but maybe not bug free. Feel free to test and please report any issues.
olefy expects office documents to be send to the TCP socket. Currently olefy saves the stream into a tmp file, calls olevba3 and returns the scan result as json.
We realized our current approach is not flexible enough and future proof to add more features here. We will create a more generic tool using generic protocols.
BEYOND EMOTET – NEXT GENERATION OPEN SOURCE E-MAIL ANALYSIS (CLT 2021)
github: oletools - python tools to analyze MS OLE2 files
http://www.decalage.info/python/oletools
As spammers are creating macro viruses which are trying to trick the current oletools releases into errors, we have created a little fork to add some cherry-picked patches and negotiate some errors faster than the oletools release cycle. Maybe have a look: oletools - patched by Heinlein
oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
Python3 >= 3.6 is required for olefy. Also oletools itself and some requirements will need Python3 >= 3.6 in near future.
pip3 install python-magic defusedxml or be aware using a packet containing this project: https://github.com/ahupp/python-magic. E.g. the Debian Stretch python3-magic is NOT workingsystemctl daemon-reload
systemctl unmask olefy.service
systemctl enable olefy.serviceOnly olefy depends on Python3 because we are using AsyncIO. If you like you can use the Python2 version, even the git version of oletools or a non-default python version. You only have to adjust the config.
Also you could start olefy.py standalone. Just edit the file directly and start it using the python3 interpreter.
Docker container can be built using the following commands:
docker build -f docker/Dockerfile -t myimage .It can then be used like so:
docker run --rm -d -p 10050:10050 myimageEnvironment variables listed in olefy.conf are supported. For instance:
docker run --rm -d -e OLEFY_BINDPORT=1234 -p 10050:1234 myimageA sample Kubernetes manifest is also provided.
Have a look to the commented olefy.conf. Set OLEFY_LOGLVL to 10 to see all details including the Rspamd scanning id.
Set OLEFY_LOGLVL=10 and have a look to the logs journalctl -u olefy
You can monitor the olefy service is working with sending just a PING to the service. olefy will return with PONG
echo PING | nc -q1 127.0.0.1 10050
Apache-2.0
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin
https://www.heinlein-support.de
Tel: +4930 / 405051-110
Amtsgericht Berlin-Charlottenburg - HRB 93818 B
Geschäftsführer: Peer Heinlein - Sitz: Berlin