airbnb / binaryalert

BinaryAlert: Serverless, Real-time & Retroactive Malware Detection.
https://binaryalert.io
Apache License 2.0

Alert for safe files #104

Closed goochi1 closed 5 years ago

goochi1 commented 6 years ago

Background

BinaryAlert runs fine.

Desired Change

Need it to be able to send an alert if the file is clean as well as if it has a virus. Is this possible?

austinbyers commented 6 years ago

Good question. So you want a notification sent to the binaryalert_alerts SNS topic for clean results as well as yara matches? Or would you like to be able to invoke the analyzer directly and have it return Pass/Fail?

Can you describe your use case a little bit to help us understand how best to address this?

goochi1 commented 6 years ago

Yes, so once the file has been noted as 'clean' it would send a notification to the topic that we can use to mark the document as available. Likewise I would like to be able to get a notification when it matches the rules so we can investigate the file.

I have tinkered with it to send a different email to the same topic. However I would like it to send to a new SNS topic. I created a new SNS topic in the Terraform.

In `lambda_functions -> analyzer -> analyzer_aws_lib` line 70: `SNS.Topic(topic_arn).publish(`

Where is the `topic_arn` passed in? I see it as `YARA_ALERTS_SNS_TOPIC_ARN` in `main.py`, but how is the ARN of the correct topic passed in?

austinbyers commented 6 years ago

Good idea - perhaps we could support another SNS topic for "clean" notifications. Users could specify either the same or a different one.

Anything which is an environment variable for the Lambda functions (including `YARA_ALERTS_SNS_TOPIC_ARN`) is defined in Terraform. In this case, `terraform/lambda.tf#106`.

goochi1 commented 6 years ago

Yes, that's what I have been working on adding so far. Changed it so I get 2 different emails from the same topic, but ideally need a new topic, which I have made; it's just getting a new thing such as `YARA_SAFE_SNS_TOPIC_ARN`. I will look at the case and get back to you. Would it be of use for me to do a branch with my code? Currently I've just put it in my own repo.

goochi1 commented 6 years ago

Hitting a snag and it would be good to get your opinion. Tried committing a branch but it's not allowing me to.

austinbyers commented 6 years ago

The easiest thing to do is to fork the BinaryAlert repo. Then you can commit changes to your fork as you see fit. If you have a branch you'd like to merge upstream (to the original repo), you can submit a pull request.

Does that make sense? So instead of committing directly to BinaryAlert (which is restricted), you can submit a pull request from your own forked repo.

austinbyers commented 6 years ago

It's also worth remembering that the SNS alert format includes a `NumMatchedRules` top-level key. So another approach (instead of creating a separate topic) is that you could alert the same topic, but set `NumMatchedRules == 0`, which downstream applications can check.
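The single-topic approach described above, as an added example that is not part of the BinaryAlert project or this thread: a downstream SNS-subscribed Lambda that reads each alert's `NumMatchedRules` and sorts the record into clean, matched, or malformed. The SNS event envelope (`Records[].Sns.Message`) is the standard AWS one; the sample alert payloads are constructed, and any key other than `NumMatchedRules` is hypothetical.

```python
import json
from typing import Any, Dict, List

# Constructed sample event in the shape Lambda receives from an SNS subscription.
# Only NumMatchedRules is taken from the thread; FileInfo is a hypothetical extra key.
SAMPLE_EVENT: Dict[str, Any] = {
    "Records": [
        {"Sns": {"Message": json.dumps({"NumMatchedRules": 0, "FileInfo": {"name": "doc1"}})}},
        {"Sns": {"Message": json.dumps({"NumMatchedRules": 2, "FileInfo": {"name": "doc2"}})}},
        {"Sns": {"Message": "not json at all"}},
        {"Sns": {"Message": json.dumps({"FileInfo": {"name": "doc3"}})}},  # key missing
    ]
}


def classify_alert(message: str) -> str:
    """Classify one SNS Message body as 'clean', 'matched', or 'malformed'.

    A malformed alert (unparseable JSON, missing key, non-integer count) is kept
    separate so it is never mistaken for a clean verdict.
    """
    try:
        count = json.loads(message)["NumMatchedRules"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    # bool is a subclass of int; reject it along with negative or non-int values
    if isinstance(count, bool) or not isinstance(count, int) or count < 0:
        return "malformed"
    return "clean" if count == 0 else "matched"


def route_sns_event(event: Dict[str, Any]) -> Dict[str, List[str]]:
    """Group every SNS record in a Lambda event by its classification.

    A caller could release the 'clean' documents, open investigations for
    'matched', and raise an operational error for 'malformed'.
    """
    buckets: Dict[str, List[str]] = {"clean": [], "matched": [], "malformed": []}
    for record in event.get("Records", []):
        message = record.get("Sns", {}).get("Message", "")
        buckets[classify_alert(message)].append(message)
    return buckets


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, int]:
    """Lambda entry point: return a count per bucket (useful for metrics)."""
    return {name: len(msgs) for name, msgs in route_sns_event(event).items()}
```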

goochi1 commented 6 years ago

Hi Austin, hope you are well. I have put my code into this repo https://github.com/goochi1/binaryalert. What is the best way of me sharing with you?

austinbyers commented 6 years ago

Up to you! I can see your repo, so I can manually merge your change in the next BA release. Or, you can create a PR to merge your `add_safe_alert` branch into the BinaryAlert `master` branch:

https://github.com/airbnb/binaryalert/compare/master...goochi1:task/steph_add_safe_alert?expand=1

And I'll review the PR!