The tool attempts to extract or identify the following data for each binary:
- File name
- File format
- MD5 hash
- SHA1 hash
- Binary size
- Programming language used (identified by r2)
- Compiler info
- Compile time
- PDB file paths
- Base address
- Yara Rule matching
sudo pip3 install -r requirements.txt
If using yara rules for sample tagging:
git submodule update --recursive
Note: The examples below are for direct ingestion into Elasticsearch, not Logstash. By default the index is "samples".
- Get metadata about a single binary:
./r2elk.py --file /bin/ls | python -m json.tool
- Get metadata from a directory of binaries:
./r2elk.py --directory /bin/
- Get metadata from a binary (or a directory of binaries, with --directory) and POST it to an Elasticsearch server:
./r2elk.py --file /bin/ls --rhost http://127.0.0.1 --rport 9200 --index testing
- Run a yara rule file against a binary:
./r2elk.py -f /bin/ls --yara ./rules/malware/malware_samples.yar
If you're interested in having a single field per import/export, as opposed to a
single field holding a comma-separated string of imports/exports, modify the
run_triage function to call get_imports_fields() and get_exports_fields() instead
of the default import/export getters:

    def run_triage(self):
        '''
        Name: run_triage
        Purpose: Perform metadata triage of binaries.
        Parameters: N/A
        Return: JSON dump of metadata info.
        '''
        self.get_metadata()
        self.get_imports_fields()   # one field per import
        self.get_exports_fields()   # one field per export
        self.get_hashes()
        self.__r2_close__()         # Close r2 pipe object.
        return json.dumps(self.metadata)
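As an added worked example (not r2elk's own code), the following Python builds the r2-independent part of the metadata document listed above for a constructed byte string, and shows both import layouts: the default comma-separated string and the one-field-per-import variant that get_imports_fields() produces. The magic-byte table, the import_N field names, the helper names and the sample bytes are assumptions for illustration only; r2elk itself takes the format, language, compiler info, PDB path and base address from radare2 over the r2 pipe, which is left out here so the example runs without r2 installed.

```python
"""Added example (not part of r2elk): metadata triage of a constructed sample."""
import hashlib
import json
import os

# Constructed sample: a 64-byte ELF64 header shape (magic, class, data,
# version, ET_EXEC, EM_X86_64, entry point) with the rest zeroed.
# It is NOT a loadable executable; it exists only to exercise the code.
SAMPLE_BYTES = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8   # e_ident
    + b"\x02\x00\x3e\x00\x01\x00\x00\x00"      # e_type, e_machine, e_version
    + b"\x40\x10\x40\x00\x00\x00\x00\x00"      # e_entry
    + b"\x00" * 32                              # remaining header fields
)

# Assumed magic-byte table standing in for r2's format detection.
MAGIC = [
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"\xfe\xed\xfa\xce", "mach0"), (b"\xfe\xed\xfa\xcf", "mach0"),
    (b"\xce\xfa\xed\xfe", "mach0"), (b"\xcf\xfa\xed\xfe", "mach0"),
]


def detect_format(data: bytes) -> str:
    """Return the format name for the leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def basic_metadata(name: str, data: bytes) -> dict:
    """File name, format, MD5, SHA1 and size: the fields that need no r2."""
    return {
        "file_name": name,
        "file_format": detect_format(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "binary_size": len(data),
    }


def imports_as_single_field(imports: list) -> dict:
    """Default layout: one field holding a comma-separated string."""
    return {"imports": ",".join(imports)}


def imports_as_fields(imports: list) -> dict:
    """Per-import layout, so each name is individually queryable in
    Elasticsearch. The import_<n> key names are an assumption."""
    return {f"import_{i}": name for i, name in enumerate(imports)}


def build_document(name: str, data: bytes, imports: list,
                   per_field: bool = False) -> dict:
    """Assemble the document r2elk would index for one binary."""
    doc = basic_metadata(name, data)
    doc.update(imports_as_fields(imports) if per_field
               else imports_as_single_field(imports))
    return doc


def iter_readable_files(directory: str):
    """Yield regular, readable files in a directory. Symlinks are skipped and
    unreadable entries are ignored, matching the troubleshooting notes."""
    for entry in os.scandir(directory):
        if entry.is_symlink() or not entry.is_file(follow_symlinks=False):
            continue
        if os.access(entry.path, os.R_OK):
            yield entry.path


if __name__ == "__main__":
    # Constructed import list; a real run would take it from r2.
    sample_imports = ["puts", "printf", "__libc_start_main"]
    print(json.dumps(build_document("sample.elf", SAMPLE_BYTES,
                                    sample_imports), indent=2))
    print(json.dumps(build_document("sample.elf", SAMPLE_BYTES,
                                    sample_imports, per_field=True), indent=2))
```

The per-field layout trades a flat document for a field count that grows with the import table, so pick it only if your Elasticsearch mapping tolerates many dynamic fields or you query individual import names often.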
- Do you have read permission for the files in the target directory?
- Symlinks are not followed.
If you're having issues processing yara rules and encounter the error below, you're likely missing a third-party package the rule set depends on (pe/cuckoo):
[!] Error: ./rules/././capabilities/capabilities.yar(450): can't open include file: $FILE_NAME_HERE