
Commit 39a16c0

Merge branch 'master' into ScanXML_Refactor+AdditionalFunctionality
2 parents 6f5a8e7 + c621fe8 commit 39a16c0

9 files changed

+358
-169
lines changed

configs/python/backend/backend.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
12
version: 2024.04.22.01
23
logging_cfg: '/etc/strelka/logging.yaml'
34
limits:
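Review bot: the only change in this hunk is a blank line inserted above `version: 2024.04.22.01`; it reads as a merge artifact rather than an intended edit, so drop it and leave the config header as it was on master.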
@@ -107,6 +108,7 @@ scanners:
107108
- 'application/vnd.ms-outlook'
108109
- 'message/rfc822'
109110
- 'email_file'
111+
- 'email_file_broad'
110112
priority: 5
111113
options:
112114
create_thumbnail: True
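Review bot: adding `'email_file_broad'` to this scanner's flavor list widens dispatch to everything the new broad YARA rule tags, and since that rule's `magic.mime_type() == "message/rfc822"` branch duplicates the `'message/rfc822'` mime flavor already listed two lines above, the net new input is files that merely contain the listed header strings anywhere in their body (a .txt with a quoted message, for example). Confirm the scanner handles such non-message input cleanly, and mention the broader tasting in docs/README.md, which this commit touches but leaves silent on it.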
@@ -272,6 +274,11 @@ scanners:
272274
- 'application/json'
273275
- 'json_file'
274276
priority: 5
277+
'ScanJnlp':
278+
- positive:
279+
flavors:
280+
- "jnlp_file"
281+
priority: 5
275282
'ScanLibarchive':
276283
- positive:
277284
flavors:
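Review bot: `'ScanJnlp'` is keyed on a `jnlp_file` flavor, but no `jnlp_file` rule is added to taste.yara in this commit (the taste hunk only adds `email_file_broad`); unless that rule already exists on master, the scanner will never be dispatched, so please verify before merge. Also, the flavor is written `"jnlp_file"` with double quotes while the neighbouring entries use single quotes (`'json_file'`, `'application/json'`); switch to `- 'jnlp_file'` for consistency with the rest of the file.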

configs/python/backend/taste/taste.yara

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -464,6 +464,23 @@ rule email_file {
464464
$e in (0..2048)
465465
}
466466

467+
rule email_file_broad
468+
{
469+
meta:
470+
type = "email"
471+
strings:
472+
$ = "Received: "
473+
$ = "Origin-messageId: "
474+
$ = "Return-Path: "
475+
$ = "From: "
476+
$ = "To: "
477+
$ = "Subject: "
478+
$ = "Date: "
479+
condition:
480+
magic.mime_type() == "message/rfc822" or
481+
all of them
482+
}
483+
467484
rule tnef_file {
468485
meta:
469486
description = "Transport Neutral Encapsulation Format"
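Review bot: the `all of them` branch of `email_file_broad` will rarely fire on a real message: `Origin-messageId: ` is not a standard RFC 5322 header field (the standard field is `Message-ID`), so any message lacking it can only match via the `magic.mime_type()` check, and the string matches are case-sensitive while header field names are case-insensitive, so `received: ` or `FROM: ` is missed; either drop or make optional the non-standard header and add `nocase` to the strings. Unlike `email_file` above, which bounds its match with `$e in (0..2048)`, this rule has no offset bound, so any file quoting a message anywhere will taste as email; that is presumably the "broad" intent, but it should be stated in a `description` meta entry, as the `tnef_file` rule below does.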

docs/README.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -798,7 +798,8 @@ The table below describes each scanner and its options. Each scanner has the hid
798798
| ScanIso | Collects and extracts files from ISO files | `limit` -- maximum number of files to extract (defaults to `0`) |
799799
| ScanJarManifest | Collects metadata from JAR manifest files | N/A |
800800
| ScanJavascript | Collects metadata from Javascript files | `beautify` -- beautifies JavaScript before parsing (defaults to `True`) |
801-
| ScanJpeg | Extracts data embedded in JPEG files | N/A |
801+
| ScanJpeg | Extracts data embedded in JPEG files | N/A
802+
| ScanJnlp | Identifies JNLP files that reference external HTTP resources, particularly those not associated with trusted domains | N/A | Ryan Borre, [Paul Hutelmyer](https://github.com/phutelmyer) |
802803
| ScanJson | Collects keys from JSON files | N/A |
803804
| ScanLibarchive | Extracts files from libarchive-compatible archives. | `limit` -- maximum number of files to extract (defaults to `1000`) |
804805
| ScanLnk | Collects metadata from lnk files. | N/A | Ryan Borre, [DerekT2](https://github.com/Derekt2), [Nathan Icart](https://github.com/nateicart)
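Review bot: the rewritten ScanJpeg row drops its trailing `|` (`| ScanJpeg | Extracts data embedded in JPEG files | N/A` now has no closing pipe), which is an unintended change to an unrelated row; restore the original line. The new ScanJnlp row also breaks the table's alphabetical order: `Jnlp` sorts before `Jpeg`, so it belongs between the ScanJavascript and ScanJpeg rows rather than after ScanJpeg.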
