Changes to the project will be tracked in this file via the date of change.
- Updating build to include `exiftool` dependency. (@cameron-dunn-sublime)
- Pinned and updated all `go` build dockerfiles to `1.17.6`
- Updated all `go mod` files to match `go` requirements.
- Updated `numpy` dependency.
- Updated `readme` with new client application build instructions.
- Fix bug with `scan_javascript` pertaining to regular expression identification. (@cawalch)
- Updating `lxml` from version `4.6.3` to `4.6.5`.
- Updating `CAPA` from version `3.0.1` to `3.0.3`.
- Updating `exiftool` from version `12.36` to `12.38`.
- Modified `mmrpc` Dockerfile to fix compilation build issues on ARM architecture.
- Modified `exiftool` repository reference to increase stability
- Updating `backend` dependencies
- Updating `go` dependencies
- Fix K8S backend configmap yaml (@cameron-dunn-sublime)
- Updated `exiftool` from version `12.28` to `12.30` (@cameron-dunn-sublime)
- Updated `exiftool` from version `12.25` to `12.28`
- Default YARA volume mount and placeholder test YARA rule to verify ScanYARA functionality. (@Derekt2)
- `scan_pe` refactor / additions (@swackhamer)
- `scan_qr` QR code scanner (@aaronherman)
- Updated `YARA` from 3.11.0 to 4.0.5
- Updated various `python` dependencies
- Bug fix for `scan_footer`
- `scan_footer` file footer scanner
- Updated `pygments` dependency
- Refactored `go` Dockerfiles
- Hardcoded container names
- Changed ScanPDF scanner from `pdfminer.six` to `PyMuPDF`
- Accepted `dependabot` pull request, updating dependency `lxml` from `4.6.2` to `4.6.3`
- `README` updated with formatting and images
- `Python-Client` Strelka standalone python file submission client (@scottpas)
- `Strelka Oneshot` Dockerfile
- `GitHub Actions` additional workflows for client builds
- Updated `filestream` sample config
- `Filestream Processed Directory` Added ability to move files from a staging directory to a processed directory on completion. (@weslambert)
- `GitHub Actions` Strelka builder and badge to test main branch on push and each day
- Updated `go` Dockerfiles with module fixes
- Pinned python versions for module `cryptography`
- `ubuntu` versions for `strelka-backend` and `strelka-mmrpc` updated to `20.04`
- Accepted `dependabot` pull request, updating dependency `lxml` from `4.5.0` to `4.6.2`
- `kubernetes` deployment example added. (@scottpas)
- Added option to disable Strelka Backend shutdown (@weslambert)
- `scan_manifest` scanner (@Derekt2)
- Pinned redis module to version 8 due to bug causing frontend and manager to fail compilation (target#142) (phutelmyer)
- `scan_capa` FireEye scanner (@phutelmyer)
- `scan_floss` FireEye scanner (@phutelmyer)
- Fixed bug caused by update to go-redis, requiring Context objects to be added to redis commands
- Fixed bug causing path issue when building container.
- `strelka-oneshot` cli app to allow for submission of a file for testing without the need for a config file. (@rhaist)
- `swig` as build/wheel dependency for M2Crypto (@rhaist)
- Updating dependencies for various packages (@rhaist)
- Formatting all go source files to match official guidelines (@rhaist)
- Added additional error handling for `scan_lnk` scanner (@Derekt2)
- Typo fixed in README.md (@weslambert)
- Added `tree.root` metadata to `tree` object
- Added `scan_base64_pe` scanner which decodes base64-encoded files
- Added `scan_lnk` scanner which provides metadata for LNK files
- Added `yara.tags` to `yara` scanner which collects Tags from YARA matches
- Changed scanner imports in `scan_vba`. Changed olevba3 package to olevba due to deprecation.
- Added additional error handling for corrupt documents in ScanDocx
- Updated YARA version from 3.10 to 3.11
- Removed logging reference in ScanEncryptedDoc
- Modified error handling for ScanPlist
- Added ScanAntiword into backend scanner configuration file (commented out)
- Added ScanEncryptedDoc which allows users to decrypt documents.
- Added additional error handling for ScanDocx
- Modified ScanPE to include additional error handling.
- Added ScanDoc support for additional metadata extraction.
- Added support for ScanRar RAR extraction with passwords.
- Added olecf flavor to ScanIni default
- Fixed bug in ScanTnef where an exception is thrown when a key is not present.
- Fixed bug in ScanPe when header field is nonexistent (jshlbrd)
- Improved speed of ScanZip decryption (jshlbrd)
- ScanMmbot fields are now internally consistent with other event dictionaries (jshlbrd)
- Fixed bug in ScanMacho dynamic symbols (jshlbrd)
- Renamed 'decompressed_size' to 'size' across all decompression scanners (jshlbrd)
- Two new fields in ScanIni (comments and sections) (jshlbrd)
- New scanner ScanZlib can decompress Zlib files (jshlbrd)
- Fixed unintended CRC exception when decrypting ZIP files (jshlbrd)
- New scanner ScanIni can parse INI files (jshlbrd)
- Renamed strelka-redis to strelka-manager (jshlbrd)
- Updated ScanPe to better sync with ScanElf and ScanMacho (jshlbrd)
- Fixed frontend crashing issues when empty files are sent to cluster (jshlbrd)
- Added Gatekeeper (temporary event cache), a new required component (jshlbrd)
- Transitioned ScanMacho from macholibre to LIEF (jshlbrd)
- Fixed multiple issues in ScanElf JSON dictionary (jshlbrd)
- Transitioned ScanElf from pyelftools to LIEF (jshlbrd)
- Fixed ScanPdf f-string flags (jshlbrd)
- scan_* dictionaries are now nested under scan: {} (jshlbrd)
- 'time' field is now 'request.time' (jshlbrd)
- 'file.scanners_list' is now 'file.scanners' (jshlbrd)
- Updated YAML files to use 2 spaces instead of 4 spaces (jshlbrd)
- Conflicting variable names were refactored (jshlbrd)
- Added .env file for cleaner execution of docker-compose (jshlbrd)
- go-redis Z commands changed to non-literal (jshlbrd)
- 'throughput' section added to fileshot and filestream configuration files (jshlbrd)
- Added default docker-compose DNS hosts to misc/envoy/* configuration templates (jshlbrd)
- Added Docker volume mapping to frontend in default docker-compose (jshlbrd)
- Forked pyopenssl replaced with M2Crypto (jshlbrd)
- 'tree' event dictionary is now nested under 'file' event dictionary (jshlbrd)
- Scanner event dictionaries now start with 'scan_' (jshlbrd)
- Timestamps are now unix/epoch (jshlbrd)
- ScanExiftool now outputs 'human readable' data (jshlbrd)
- Looping Redis commands sleep at a consistent interval of 250ms (jshlbrd)
- 'cache' is no longer used -- 'coordinator' takes over all Redis tasks (jshlbrd)
- Switched pyopenssl to forked package (jshlbrd)
- Archived 0MQ branch (jshlbrd)
- Migrated gRPC to master (jshlbrd)
- Dockerfile now supports UTC and local time (ufomorme)
- Scan event start and finish timestamps now support UTC and local time (ufomorme)
- Improved YARA tasting signature for email files (DavidJBianco)
- Fixed install path for taste directory (jshlbrd)
- "beautified" field (bool) to ScanJavascript (jshlbrd)
- strelka_dirstream.py now supports recursive directory scanning (zachsis)
- ScanZip now supports decryption via password bruteforcing (ksdahl)
- Unit tests for ScanPe added (infosec-intern)
- strelka_dirstream.py now supports moving files after upload (zachsis)
- Added version info to ScanPe (infosec-intern)
- Expanded identification of email files (DavidJBianco)
- pip packages now installed via requirements.txt file(s) (infosec-intern)
- EOF error flag to ScanBzip2 (jshlbrd)
- taste_yara now loads files from directories, not a static file (ksdahl)
- Options for manually setting ZeroMQ TCP reconnections on the task socket (between broker and workers) (jshlbrd)
- "request_port" option renamed to "request_socket_port" (jshlbrd)
- "task_port" option renamed to "task_socket_port" (jshlbrd)
- strelka_dirstream.py switched from using inotify to directory polling (jshlbrd)
- strelka_dirstream.py supports monitoring multiple directories (jshlbrd)
- extract-strelka.bro will temporarily disable file extraction when the extraction directory reaches a maximum threshold (jshlbrd)
- New scanner ScanFalconSandbox can send files to CrowdStrike's Falcon Sandbox (ksdahl)
- New scanner ScanPhp can collect tokenized metadata from PHP files (jshlbrd)
- New scanner ScanStrings can collect strings from file data (similar to Unix "strings" utility) (jshlbrd)
- ScanPdf was unintentionally extracting duplicate streams, but now it is fixed to only extract unique streams (jshlbrd)
- ScanJavascript now supports deobfuscating JavaScript files before parsing metadata (jshlbrd)
- ScanUrl now supports user-defined regular expressions that can be called per-file (jshlbrd)
- Refactored taste.yara `javascript_file` rule for readability (jshlbrd)
- Removed JavaScript files from ScanUrl in the default strelka.yml (jshlbrd)
- Project went public!