olefy - oletools verify over TCP socket
Small Python Daemon to use oletools over TCP sockets. Mainly to use oletools in Rspamd.
Rspamd oletools plugin documentation: Rspamd External Services - Oletools
Some extra details you can find in our blog series in German language here:
Or google translated here:
State of Development
This Daemon is production tested but maybe not bug free. Feel free to test and please report any issues.
How it works
olefy expects office documents to be send to the TCP socket. Currently olefy saves the stream into a tmp file, calls olevba3 and returns the scan result as json.
We realized our current approach is not flexible enough and future proof to add more features here. We will create a more generic tool using generic protocols.
As spammers are creating macro viruses which are trying to trick the current oletools releases into errors, we have created a little fork to add some cherry-picked patches and negotiate some errors faster than the oletools release cycle. Maybe have a look: oletools - patched by Heinlein
oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
Python3 >= 3.6 is required for olefy. Also oletools itself and some requirements will need Python3 >= 3.6 in near future.
Install Python3 oletools and python-magic
- use pip3, apt, yum, zypper or the source to install the Python3 version of oletools
- for python-magic use
pip3 install python-magicor be aware using a packet containing this project: https://github.com/ahupp/python-magic. E.g. the Debian python3-magic is NOT working
- clone or download this repo
- add the user and group olefy or edit olefy.service to use any other existing user/group
- edit olefy.conf to fit your needs --> The paths fit for Debian style systems and maybe not yours
- copy olefy.py daemon file to /usr/local/bin
- copy olefy.conf to /etc
- copy the systemd service file olefy.service to /etc/systemd/system
- enable and unmask the Service
systemctl daemon-reload systemctl unmask olefy.service systemctl enable olefy.service
Only olefy depends on Python3 because we are using AsyncIO. If you like you can use the Python2 version, even the git version of oletools or a non-default python version. You only have to adjust the config.
Also you could start olefy.py standalone. Just edit the file directly and start it using the python3 interpreter.
Docker and Kubernetes usage
Docker container can be built using the following commands:
docker build -f docker/Dockerfile -t myimage .
It can then be used like so:
docker run --rm -d -p 10050:10050 myimage
Environment variables listed in olefy.conf are supported. For instance:
docker run --rm -d -e OLEFY_BINDPORT=1234 -p 10050:1234 myimage
A sample Kubernetes manifest is also provided.
Have a look to the commented olefy.conf. Set OLEFY_LOGLVL to 10 to see all details including the Rspamd scanning id.
OLEFY_LOGLVL=10 and have a look to the logs
journalctl -u olefy
You can monitor the olefy service is working with sending just a PING to the service. olefy will return with PONG
echo PING | nc -q1 127.0.0.1 10050
Heinlein Support GmbH Schwedter Str. 8/9b, 10119 Berlin https://www.heinlein-support.de Tel: +4930 / 405051-110 Amtsgericht Berlin-Charlottenburg - HRB 93818 B Geschäftsführer: Peer Heinlein - Sitz: Berlin