# Synapse Advanced Power-up to parse files because I don't have enterprise ;(

To parse a file, use `zw.fileparser.parse`. Any input files that have a `:mime` property set will be parsed according to that MIME; otherwise a MIME will be auto-detected and set on the node.
This package exposes one permission level:

- `zw.fileparser.user`: Allows use of the fileparser service

```shell
$ cd /srv/syn/aha
$ docker compose exec aha /bin/bash
# in the AHA container
python -m synapse.tools.aha.provision.service 00.fileparser
one-time use URL: ssl://aha..............
```
Create a `docker-compose.yml` file, replacing `<replaceme>` with the one-time use URL printed by the provisioning step above:

```yaml
version: "3.3"
services:
  00.fileparser:
    user: "999"
    image: synapse-fileparser
    network_mode: host
    restart: unless-stopped
    volumes:
      - ./storage:/vertex/storage
    environment:
      - SYN_FILEPARSER_AXON=aha://axon...
      - SYN_FILEPARSER_HTTPS_PORT=null
      - SYN_FILEPARSER_AHA_PROVISION=<replaceme>
```

```shell
$ docker build -t synapse-fileparser .
$ docker compose up
```

Finally, register the service in the Cortex:

```
storm> service.add fileparser aha://fileparser...
```
### _zw:file:mime:pe:import

```
type: _zw:file:mime:pe:import
base: guid
doc: The fused knowledge of a file:bytes node containing a pe import.
file: file:bytes
dll: str
name: str
address: int
ordinal: int
```
### _zw:file:mime:elf:segment

Both this form and the corresponding section form are designed similarly to their corresponding Mach-O forms.

```
type: _zw:file:mime:elf:segment
base: guid
doc: A delineated region of bytes inside of an ELF binary.
file: file:bytes
hash: hash:sha256
type: enum
type:raw: int
disksize: int
memsize: int
size: int
```
### _zw:file:mime:elf:section

```
type: _zw:file:mime:elf:section
base: guid
doc: A section inside an ELF binary denoting a named region of bytes inside a segment.
segment: _zw:file:mime:elf:segment
hash: hash:sha256
size: int
name: str
offset: int
type: enum
type:raw: int
```
### file:mime:pe:export

```
_address: int
_ordinal: int
```
### file:bytes

```
// bitness of the executable file
_exe:bitness: int
// exphash from pefile
_mime:pe:exphash: hash:sha256
// timestamp from debug directory entry
_mime:pe:debug:time: time
// imp/exphash by the parser
_mime:elf:imphash: hash:sha256
_mime:elf:exphash: hash:sha256
// e_ident[EI_OSABI] value
_mime:elf:os: enum
_mime:elf:os:raw: int
// e_type
_mime:elf:type: enum
```
### file:subfile

```
// timestamps from archive file formats
// if the container file format doesn't include all three, mtime is used
_archive:mtime
_archive:ctime
_archive:atime
```
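The ELF fields recorded by the `_zw:file:mime:elf:segment` form and the `_mime:elf:*` properties on `file:bytes` above, as an added example that is not part of this package: a stdlib-only Python parser that pulls bitness, `e_ident[EI_OSABI]`, `e_type`, and per-segment type, disk size, memory size and SHA-256 from an ELF image, refusing program headers or segments that point outside the buffer. The enum labels and the `build_sample` image are this example's own constructions, not the package's enum vocabulary or a real binary.

```python
import hashlib
import struct

# Enum labels are this example's own names for the spec's numeric values, not the package's.
EI_OSABI = {0: "sysv", 3: "linux", 6: "solaris", 9: "freebsd", 12: "openbsd"}
E_TYPE = {0: "none", 1: "rel", 2: "exec", 3: "dyn", 4: "core"}
P_TYPE = {0: "null", 1: "load", 2: "dynamic", 3: "interp", 4: "note", 6: "phdr", 7: "tls"}

def parse_elf(data: bytes) -> dict:
    """Extract the header fields and segment table that the model above records."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]   # e_ident[EI_CLASS], [EI_DATA], [EI_OSABI]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or len(data) < (52, 64)[ei_class - 1]:
        raise ValueError("unsupported EI_CLASS/EI_DATA or truncated ELF header")
    end = "<" if ei_data == 1 else ">"
    e_type, = struct.unpack_from(end + "H", data, 16)
    if ei_class == 2:   # ELF64 header offsets and Elf64_Phdr layout
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, ph_fields = end + "IIQQQQQQ", ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:               # ELF32: p_flags follows p_memsz, so the field order differs
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, ph_fields = end + "IIIIIIII", ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(ph_fmt) > len(data):
            raise ValueError(f"program header {i} lies outside the file")
        ph = dict(zip(ph_fields, struct.unpack_from(ph_fmt, data, off)))
        start, stop = ph["offset"], ph["offset"] + ph["filesz"]
        if stop > len(data):    # hostile or truncated p_filesz: never hash past the buffer
            raise ValueError(f"segment {i} extends past end of file")
        segments.append({"type": P_TYPE.get(ph["type"], "unknown"), "type:raw": ph["type"],
                         "hash": hashlib.sha256(data[start:stop]).hexdigest(),
                         "disksize": ph["filesz"], "memsize": ph["memsz"]})
    return {"_exe:bitness": 32 if ei_class == 1 else 64,
            "_mime:elf:os": EI_OSABI.get(ei_osabi, "unknown"), "_mime:elf:os:raw": ei_osabi,
            "_mime:elf:type": E_TYPE.get(e_type, "unknown"), "_mime:elf:type:raw": e_type,
            "segments": segments}

def build_sample() -> bytes:
    """Constructed minimal ELF64 LSB ET_DYN image (Linux OSABI) with one PT_LOAD segment; not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 3]) + b"\x00" * 8   # EI_CLASS=64-bit, EI_DATA=LSB, version 1, OSABI=3
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    payload = b"hello\x00\x00\x00"   # 8 bytes on disk, 0x2000 bytes in memory (bss-style tail)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 120, 0x1000, 0x1000, len(payload), 0x2000, 0x1000)
    return ehdr + phdr + payload
```

Running `parse_elf(build_sample())` yields bitness 64, `linux`/3 for the OSABI, `dyn`/3 for `e_type`, and a single `load` segment with disksize 8 and memsize 8192.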