Skip to content

CybercentreCanada/assemblyline-service-ancestry

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits

.vscode

.vscode

 
 

ancestry

ancestry

 
 

pipelines

pipelines

 
 

.git-blame-ignore-revs

.git-blame-ignore-revs

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

service_manifest.yml

service_manifest.yml

 
 

Repository files navigation

Ancestry Service (BETA)

Signature-based Assemblyline service that focuses on file genealogy

Signatures

(BETA) Signatures are defined as service configuration and each signature follows the following format:

config:
  signatures:
    exe_from_office_document: # Signature name
      pattern: "document/office/.+,ROOT\\|executable/windows/(?:pe|dll)(?:32|64),EXTRACTED" # Regex pattern
      score: 1000 # Score associated to signature hit

Depending on the capabilities we want this service to have, this will be prone change when ready for production.

What do signatures run on?

The signatures run on temporary information that the Assemblyline Dispatcher passes to the service. As such, for the time being, we've decided to format the data as pairs that include the filetype and it's relation to the parent file, if any, joined by |.

For example: A file zip file that has an embedded PE with a RSA certificate will look like: document/office/onenote,ROOT|executable/windows/pe64,EXTRACTED|certificate/rsa,EXTRACTED

About

Assemblyline 4 file geneology analysis service

cybercentrecanada.github.io/assemblyline4_docs/

Topics

malware-analysis assemblyline

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases 17

v4.5.0.stable3 Latest
Apr 18, 2024
+ 16 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages