-
Notifications
You must be signed in to change notification settings - Fork 411
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving parser's metadata & output #781
Comments
Hello, yes we are open to any improvements/suggestions. So by parts:
Cheers from Kyiv. |
Hi @doomedraven, thanks for your quick reply. 1 & 2: Making DESCRIPTION, AUTHOR, FAMILY(malware the parser is for), TLP (TLP of the parser) mandatory would go a long way for us. eg:
3: Ok we understand! Thanks! |
sounds good, thank you |
I'm certainly happy to hear that parsers from CAPE are helping Canada - great to hear. Certainly no reason we can't add those fields and use a validation library. Out of interest, do you make use of the sandbox as a whole, or just the static configuration parsers? I am curious and note that while there is a Cuckoo service in AssemblyLine, there is no support for CAPE. Perhaps there is some feedback the project could benefit from here? Certainly one of the main reasons for the existence of this project is the automated unpacking of malware, which would seem to me to be a perfect fit for a service in AssemblyLine. |
We're currently working on revamping our ConfigExtractor service which only handles MWCP, Malduck (via MWCFG), and RATDecoders. We'd like to add CAPE to the roster but as we were rewriting the backend library, we noticed there was discrepancies between the output from different frameworks. So standardizing the output goes a big way in terms of Assemblyline because this helps us tag the output correctly. A big holdback from the service is that you'd have to bake in the parsers at build time to make use of them (so as you can imagine, to keep up with you guys we'd have to build several times per day 😜). We'd like to change that service to allow the users to dynamically add parsers for the service to use from Assemblyline (hence the ask to separate the parser modules into their own repo but we can get around that). |
at the end, you will need to write a "proxy" for those frameworks to transform name fields. as everyone uses names that they want + the problem of different dependencies of each frameworks is a pain, is why i did move all from those to pure python |
Exactly - handling the runtime for the different frameworks isn't so much the issue, it's the output that comes out. But at the same time, I can't really enforce the idea 'oh you must use these fields and they must be this type' and so on (but it would simplify things for the general public + new parser writers). 🤷♂️ |
so guys any update on this? i don't see any pull request with those changes |
Hi @kevoreilly, just noticed your reply on this thread! There is an Assemblyline service for CAPE maintained by NVISO (https://github.com/NVISOsecurity/assemblyline-service-cape). We're in the process of investigating replacement for cuckoo, as its showing its age. Currently we had great success with running https://github.com/hasherezade/hollows_hunter inside Cuckoo and using various parsers (including yours) to extract the config from HH's memory dumps. One reason why we need to decouple the sandbox and parsers is we get memory dump submitted directly. |
Well I bet that's nowhere near as good as cape itself! |
hello all, as we solved the initial issue im gonna close it, if you want to discuss something else related to this subject, just post new msg here |
@doomedraven We now have an official ontology (and a framework) that'd we'd like to propose to be used: Any feedback on what you guys think is much appreciated! |
i will be out for almost 1.5 from tomorrow. but i will try to find some time to get a look |
Any updates on this? |
sorry totally forgot about this. framework looks good |
Can you let us know if you have some interest in adopting it?, it would help standardize extractor output which would be great for exporting the data in other system (e.g store in a DB). We are looking at supporting CAPE's extractor in our standalone config extractor service so MACO would help with that as well. Quick update too, the Assemblyline team is now fully onboard with CAPE (as you've seen with recent PRs), we just released the official CAPE integration: https://github.com/CybercentreCanada/assemblyline-service-cape Thanks for your work on this project, more collaboration incoming! |
Im more than fine to adapt it,
the uniq thing that I personally don’t use any of the public extractors.
So if you can help with mapping the fields, im more than happy to merge those changes.
… On 5 Jul 2022, at 21:03, JP ***@***.***> wrote:
Can you let us know if you have some interest in adopting it?, it would help standardize extractor output which would be great for exporting the data in other system (e.g store in a DB). We are looking at supporting CAPE's extractor in our standalone config extractor service so MACO would help with that as well.
Quick update too, the Assemblyline team is now fully onboard with CAPE (as you've seen with recent PRs), we just released the official CAPE integration: https://github.com/CybercentreCanada/assemblyline-service-cape <https://github.com/CybercentreCanada/assemblyline-service-cape>
Thanks for your work on this project, more collaboration incoming!
—
Reply to this email directly, view it on GitHub <#781 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOFH36K3VCQJ65BDX4W6O3VSSBJNANCNFSM5PU4IUAQ>.
You are receiving this because you were mentioned.
|
I'm currently working on the library that will run the different frameworks and doing service testing, but once I get that finalized, I can start on a PR to convert the CAPE parsers output to the MaCo format. |
that would be amazing, thank you |
Initial PR with the first round of conversions: #1037 |
Hi CAPE Team!
First let me thank you for all the hard work put on this project over the years. IoC extracted from your parsers are helping Canada be a safer place.
I’m reaching out from the Assemblyline team at the Canadian Cyber Centre. (Home - Assemblyline 4 (cybercentrecanada.github.io).
We’ve noticed that you recently made some cleanup in your parsers and we are wondering if you would be open to a few extra changes in order to make it easier to integrate & consume parsers’ data.
A few ideas:
Finally, one common problem for us is the lack of standardized output between parsers and frameworks.
We think it would be easy could come up with a simple (key:value) ontology for frequently extracted type of information which would help to standardize fields across parsers(IP, domains, mutex etc), yet still allow for flexibility for custom fields. It could be a simple library imported in the parsers. MWCP did provided a bit of that but it looks like you are moving away from it.
We would be happy to contribute via PRs.
Cheers from Canada! 👋
The text was updated successfully, but these errors were encountered: