PUNCH-Cyber / stoq-plugins-public

stoQ Public Plugins
https://stoq.punchcyber.com
Apache License 2.0

Help wanted - passing payload extracted by Yara dispatcher to Yara worker #87

Closed aleksf closed 4 years ago

aleksf commented 4 years ago

Hi,

I am trying to find a working configuration for the following pipeline:

  1. RFC822 email file containing ZIP attachment is provided to smtp worker plugin from dirmon provider [Working]
  2. Yara dispatcher is used to call decompress on ZIP or decompress is invoked from smtp:always_dispatch to extract PE payload [Working]
  3. Yara invoked on extracted PE payload (not dispatcher, but yara:worker_rules) [Partially Working]

My current (suboptimal) configuration is below, which successfully accomplishes all steps. I invoke stoq as follows: stoq run --config-file stoq.cfg -A filedir -s smtp -a yara. Whilst it will run the Yara worker on the uncompressed payload, it also runs it on all other forms of payload (the expected behaviour of the -a command line option).

[core]
log_level: DEBUG
providers: dirmon
archivers: filedir
connectors: filedir,stdout
dispatchers: yara
[dirmon]
source_dir=/home/stoq/Maildir/new
[filedir]
archive_dir=/home/stoq/analysis/archive
results_dir=/home/stoq/analysis/results
[smtp]
always_dispatch=hash,exif,mimetype,vtmis-search,tika
archive_attachments=True
extract_iocs=True
omit_body=True
[yara]
dispatch_rules=/home/stoq/stoqyara/dispatcher.yar
worker_rules=/home/stoq/stoqyara/rules/index-custom.yar
strings_limit = 10
timeout = 120
[vtmis-search]
apikey=

How can I configure stoq to only fire up the Yara worker on a payload that is passed by a particular plugin? In my case it's the Yara dispatcher, which calls decompress.

mlaferrera commented 4 years ago

Hi @aleksf -- Great question and it gave me the idea to add two new options to the decompress plugin. You can now set always_dispatch (identical to the smtp plugin) and archive_extracted to the configuration for decompress. You'll need to upgrade your decompress plugin with the below command. Once done, just add the new configuration options and you should be all set.

stoq install --github --upgrade stoq:decompress

Optionally, you can also leverage your yara dispatcher to send payloads to the yara worker. Just write a yara dispatcher signature that sends all, or specific (i.e., pe files), payloads to the yara worker.

aleksf commented 4 years ago

@mlaferrera it's awesome, it works as expected! I dropped calling the Yara worker for payloads passed from every plugin; instead, smtp now calls the Yara dispatcher, and if it's an archive, decompress (thanks for the change) calls the Yara worker. By the way, the extracted payload was already archived by the archiver before the change you made.
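The dispatcher signature suggested in the answer above, written out as an added example (not code from this thread or from the stoq-plugins-public repository). It assumes the stoQ yara dispatcher selects workers from a comma-separated "plugin" meta field and honours a "save" meta field for archiving; confirm both against the yara plugin README for your version. The first rule routes ZIP archives to decompress (whose always_dispatch=yara then covers whatever it extracts); the second sends any PE file, including ones that arrive without an archive, straight to the yara worker.

```yara
// dispatcher.yar: routes payloads to stoQ worker plugins.
// Assumption (not shown on this page): the stoQ yara dispatcher reads the
// comma-separated "plugin" meta field to pick workers and "save" to decide
// whether the matched payload is archived.

rule dispatch_zip_archive
{
    meta:
        plugin = "decompress"
        save = "True"
    condition:
        // "PK\x03\x04" local file header at offset 0 (little-endian uint32)
        uint32(0) == 0x04034B50
}

rule dispatch_pe_file
{
    meta:
        plugin = "yara"
        save = "True"
    condition:
        // "MZ" DOS header and "PE\0\0" signature at the e_lfanew offset
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}
```

With [core] dispatchers: yara and dispatch_rules pointing at this file, the -a yara option can be dropped from the stoq run command line, so the worker fires only on payloads the dispatcher or decompress hands it.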