Overview
stoQ is a automation framework that helps to simplify the mundane and repetitive tasks an analyst is required to do. It allows analysts and DevSecOps teams the ability to quickly transition between different data sources, databases, decoders/encoders, and numerous other tasks using enriched and consistent data structures. stoQ was designed to be enterprise ready and scalable, while also being lean enough for individual security researchers.
Documentation
If you're interested in learning more about stoQ, to include how to develop your own plugins, checkout the full documentation.
This git repository contains publicly available plugins that have been created for use with stoQ. The core stoQ repository can be found here.
Installation
Details on how to install these plugins can be found here.
Plugin List
Below is a listing of all public stoQ plugins, a description, and thier respective plugin class.
| Plugin Name | Description | Plugin Type |
|---|---|---|
| decompress | Extract content from a multitude of archive formats | Worker |
| dirmon | Monitor a directory for newly created files for processing | Provider |
| entropy | Calculate shannon entropy of a payload | Worker |
| es-search | Saves results to ElasticSearch | Connector |
| exif | Processes a payload using ExifTool | Worker |
| falcon-sandbox | Scan payloads using Falcon Sandbox | Worker |
| filedir | Ingest a file or directory for processing | Provider, Connector, Archiver |
| gcs | Read and write data to Google Cloud Storage | Archiver, Connector |
| hash | Hash content | Worker |
| hash_ssdeep | Generate a ssdeep hash of payloads | Worker |
| iocextract | Regex routines to extract and normalize IOC's from a payload | Worker |
| javaclass | Decodes and extracts information from Java Class files | Worker |
| jinja | Decorate results using a template | Connector, Decorator |
| kafka-queue | Publish and consume messages from a Kafka server | Archiver, Connector, Provider |
| lief | Parse and abstract PE, ELF and MachO files using LIEF | Worker |
| mimetype | Determine mimetype of a payload | Worker |
| mongodb | Save results and archive payloads to/from mongodb | Archiver, Connector |
| mraptor | Port of mraptor3 from oletools | Worker |
| ole | Carve OLE streams within Microsoft Office Documents | Worker |
| opswat | Scan payloads using OPSWAT MetaDefender | Worker |
| pecarve | Carve portable executable files from a data stream | Worker |
| peinfo | Gather relevant information about an executable using pefile | Worker |
| pubsub | Interact with Google Cloud Pub/Sub | Archiver, Connector, Provider |
| redis-queue | Interact with Redis server | Archiver, Connector, Provider |
| rtf | Extract objects from RTF payloads | Worker |
| s3 | Read and write data to Amazon S3 buckets | Archiver, Connector |
| smtp | SMTP Parser Worker | Worker |
| stdout | Sends results to STDOUT | Connector |
| swfcarve | Carve and decompress SWF files from payloads | Worker |
| symhash | Calculate symbol table hashes of a Mach-O executable file | Worker |
| tika | Upload content to a Tika server for automated text extraction | Worker |
| tnef | TNEF File Extractor | Worker |
| trid | Identify file types from their TrID signature | Worker |
| vtmis-filefeed | Process VTMIS File Feed | Provider, Worker |
| vtmis-search | Search VTMIS for sha1 hash of a payload or from results of iocextract plugin |
Worker, Dispatcher, Deep Dispatcher |
| xdpcarve | Carve and decode streams from XDP documents | Worker |
| xorsearch | Scan a payload using xorsearch | Worker |
| yara | Process a payload using yara | Worker, Dispatcher |