withsecurelabs / snake-core Goto Github PK

Currently some zip archives that maintain folder structuring fail to unzip. This needs fixing.

Currently the lowest level of granularity for storing command output is <file_hash, scale, command>, this means that commands run with different arguments overwrite previous output. We need to update this to <file_hash, scale, command, args>. This will allow us to leverage the power of lower level scales like retdec which requires function names or offsets to decompile, rerunning each time is impractical...

Furthermore adding this feature will allow us to easily run a scale command on multiple files!

I have removed the samples in /var/db/snake, but somehow it still displays on the web interface.

How to delete the sample from snake properly?

Currently as parent/child relationships were a last minute add, they can only be created through scales. This means we cannot make manual links and we cannot edit them either. The hacky code in question is here: https://github.com/countercept/snake-core/blob/master/snake/utils/submitter.py#L61

Add in an Elastic based database engine to allow the choice between MongoDB and Elastic.

Finish implementing self describing arguments. This should allow for setting and displaying the default for optional arguments, as well setting and displaying valid arguments for those that are restricted.

NOTE: This will also require changes in snake-skin.

For Scales such as Yara it would be super useful to run a rule on many files and see if there were any hits. For this the API and the Scale commands functionality will have to be extended. A new form of command prototype will be required, one that takes a list of hashes instead of a FileStorage object. This still needs to be thought out and scoped, but will probably roughly be how it is implemented.

Note: This cannot be implemented until #4 is implemented

Snake really should have user based authentication to tie uploads to a user, restrict access and allow for audit based logs. Tornado supports third party auth, maybe we can use that?

NOTE: Will require changes to snake-skin.