berggren / foorep Goto Github PK

Annotations should be returned when searching and listing samples in the repository.

Good evening,

Have you considered modifying foorep to relocate all samples to its own filesystem? At the moment, it appears that it leaves the samples in place. Various other tools do this:

1. Hash the sample
2. Copy the sample to a filesystem dedicated to the tool, naming the sample based on the hash
3. Do the database work, referencing the sample in the tool's filesystem.

Duplicates are detected at ingestion time and, if the sample has a name that is different than the existing sample, a record is created (or adjusted) to note the multiple sample names.

-David

You should be able to filter searches with annotations.

How are annotations returned? At present, I cannot figure out how to pull them out via the command line. I think I'd like an option for both search and list that includes the annotations in the output.

Further back of the napkin thinking....

If I add an annotation of "-t case" and use that to tie all malware samples associated with a case together, I'd like to be able to search for all annotations with "case=". The same would apply to IP=, etc.

How about types for annotations?

CIDR = cidr blocks
Date = date
etc

Then you can search for date ranges.

foorep annotate -t compile-date --type date -m 2012-12-11

-David

If you are submitting a set of samples via the command line, you might want to group them with tags:

for i in IR-2012-12-16
do:
foorep add $i annotate -t IR-2012-12-16
done

SIFT workstation, almost vanilla.

sudo foorepd

[19/Dec/2012:10:12:38] ENGINE Bus STARTING
CherryPy Checker:
The config entry 'tools.login_required.on' may be invalid, because the 'login_required' tool was not found.
section: [/]

[19/Dec/2012:10:12:38] ENGINE Started monitor thread '_TimeoutMonitor'.
[19/Dec/2012:10:12:38] ENGINE Started monitor thread 'Autoreloader'.
[19/Dec/2012:10:12:38] ENGINE Serving on 127.0.0.1:4780
[19/Dec/2012:10:12:38] ENGINE Bus STARTED
/usr/local/lib/python2.6/dist-packages/cherrypy/process/wspbus.py:225: RuntimeWarning: The main thread is exiting, but the Bus is in the states.STARTED state; shutting it down automatically now. You must either call bus.block() after start(), or call bus.exit() before the main thread exits.
"main thread exits." % self.state, RuntimeWarning)
[19/Dec/2012:10:12:38] ENGINE Bus STOPPING
[19/Dec/2012:10:12:38] ENGINE HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 4780)) shut down
[19/Dec/2012:10:12:38] ENGINE Stopped thread '_TimeoutMonitor'.
[19/Dec/2012:10:12:38] ENGINE Stopped thread 'Autoreloader'.
[19/Dec/2012:10:12:38] ENGINE Bus STOPPED
[19/Dec/2012:10:12:38] ENGINE Bus EXITING
[19/Dec/2012:10:12:38] ENGINE Bus EXITED

Also, might want to add apt-get install python-pyexiv2 to the install instructions.