v1.3 — MalwareBazaar sharing

@hett-patell hett-patell released this 26 May 09:16
· 33 commits to main since this release

v1.3 — share cowrie payloads to MalwareBazaar

Adds shardlure share bazaar for uploading captured payloads to
abuse.ch MalwareBazaar, with automatic
family/architecture classification and sha256-based dedup.

New

  • internal/intel/bazaar package: multipart API client with Auth-Key
    support, family classifier (RedTail, Komari, Traffmonetizer, Mirai,
    Gafgyt, SSHScanner, XMRig, c3pool), ELF arch detection
    (x86-64 / i386 / aarch64 / arm / mips / ppc), and a headerless
    fallback for shell and Python scripts that carry no shebang.
  • shardlure share bazaar CLI:
    • --dry-run: preview classification without uploading
    • --limit N: cap upload count (0 = unlimited)
    • --sha <sha256>: upload a single specific sample
    • --since <duration>: change the fresh-sample window (default 240h)
    • --status: list previous uploads from bazaar_uploads
    • --comment <str>: override the per-sample comment
    • --endpoint <url>: override the API endpoint
    • --anonymous: submit without Auth-Key (not recommended)
  • Store: bazaar_uploads table (migration v5) with self-healing
    ensureBazaarUploadsTable; new ArtifactsForShare query filters
    on size, freshness, and dedup.
  • Config: intel.bazaar block (api_key, tags, max_bytes,
    freshness_days).
  • 14 new tests covering API, classifier, and orchestrator paths.
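The ELF arch detection and the headerless script fallback listed above, as an added Go example that is not the project's internal/intel/bazaar code: it reads e_machine from the ELF header using the byte order declared in e_ident[EI_DATA], and for non-ELF payloads classifies by shebang or, when there is none, by a few content heuristics. The arch labels are the ones in the release notes; the e_machine table, the script heuristics, the "elf/" and "script/" label prefixes and the constructed samples in main are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// elfMachine maps ELF e_machine values to the arch labels used in the
// release notes. The table is an assumption of this example.
var elfMachine = map[uint16]string{
	0x03: "i386",
	0x08: "mips",
	0x14: "ppc",
	0x28: "arm",
	0x3E: "x86-64",
	0xB7: "aarch64",
}

// Classify labels a captured payload. ELF files are labelled by machine type;
// anything else is treated as text and classified as shell or Python,
// with or without a shebang line.
func Classify(b []byte) (string, error) {
	if len(b) >= 20 && bytes.HasPrefix(b, []byte{0x7f, 'E', 'L', 'F'}) {
		return classifyELF(b)
	}
	return classifyScript(b)
}

// classifyELF reads e_machine (offset 18 in both ELF32 and ELF64 headers)
// in the byte order declared by e_ident[EI_DATA] (offset 5).
func classifyELF(b []byte) (string, error) {
	var order binary.ByteOrder
	switch b[5] {
	case 1:
		order = binary.LittleEndian
	case 2:
		order = binary.BigEndian
	default:
		return "", errors.New("elf: invalid EI_DATA")
	}
	machine := order.Uint16(b[18:20])
	arch, ok := elfMachine[machine]
	if !ok {
		return "", fmt.Errorf("elf: unsupported e_machine 0x%02x", machine)
	}
	return "elf/" + arch, nil
}

// classifyScript uses the shebang when present and otherwise falls back to
// content heuristics (assumed here) so headerless scripts still get a label.
func classifyScript(b []byte) (string, error) {
	text := string(b)
	first, _, _ := strings.Cut(text, "\n")
	if strings.HasPrefix(first, "#!") {
		fields := strings.Fields(first[2:])
		switch {
		case strings.Contains(first, "python"):
			return "script/python", nil
		case len(fields) > 0 && strings.HasSuffix(fields[0], "sh"):
			return "script/shell", nil
		}
	}
	// Headerless fallback: scan the first lines for language-specific hints.
	pyHints := []string{"import ", "from ", "def ", "print("}
	shHints := []string{"wget ", "curl ", "chmod ", "cd /tmp", "rm -rf "}
	for _, line := range strings.SplitN(text, "\n", 20) {
		line = strings.TrimSpace(line)
		for _, h := range pyHints {
			if strings.HasPrefix(line, h) {
				return "script/python", nil
			}
		}
		for _, h := range shHints {
			if strings.Contains(line, h) {
				return "script/shell", nil
			}
		}
	}
	return "", errors.New("unclassified payload")
}

func main() {
	// Constructed samples: a minimal ELF64 little-endian x86-64 header,
	// a headerless Python stub and a headerless shell snippet.
	elf := make([]byte, 64)
	copy(elf, []byte{0x7f, 'E', 'L', 'F', 2, 1, 1})
	elf[18] = 0x3E
	samples := [][]byte{
		elf,
		[]byte("import socket\ns = socket.socket()\n"),
		[]byte("cd /tmp; chmod +x x86; ./x86\n"),
	}
	for _, s := range samples {
		label, err := Classify(s)
		fmt.Println(label, err)
	}
}
```

Only e_machine is consulted, so a truncated or corrupted ELF that still carries a valid 20-byte header is labelled by architecture; payloads that match neither table nor heuristic return an error rather than a guessed label, which keeps --dry-run output honest.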

Fixed

  • version subcommand previously printed a hardcoded 0.1.0
    regardless of the released tag. Binaries now report the real
    version and commit, e.g. shardlure v1.3 (commit 5256a5b).

Operational notes

  • Requires a registered auth.abuse.ch account and its Auth-Key in
    intel.bazaar.api_key. The YAML config file should be readable by
    root only (chmod 600).
  • Manual subcommand only — no automatic background upload.
  • file_already_known responses are treated as accepted and recorded
    for dedup; no_api_key and user_blacklisted halt the batch.
  • bazaar_uploads is exempt from MaintenancePurge retention,
    so the dedup set remains complete across the 24h cycle.
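The ArtifactsForShare criteria (size, freshness, dedup) and the query_status handling described in the operational notes, as one added Go example that is not the project's code: an in-memory stand-in for the store plus the accept/skip/halt decision the notes lay out. The Artifact type, the injected submit callback, the Outcome and Result names and the constructed replies are assumptions; query_status, inserted, file_already_known, no_api_key and user_blacklisted are the MalwareBazaar status strings the notes mention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Artifact is a captured payload as the share step would receive it from the
// store. The field names are this example's assumption, not the project's types.
type Artifact struct {
	SHA256   string
	Size     int64
	LastSeen time.Time
}

// ShareFilter applies the three ArtifactsForShare criteria from the notes:
// a size cap (max_bytes), a freshness window (--since / freshness_days) and
// exclusion of hashes already present in bazaar_uploads.
func ShareFilter(all []Artifact, uploaded map[string]bool, maxBytes int64, since time.Duration, now time.Time) []Artifact {
	cutoff := now.Add(-since)
	var out []Artifact
	for _, a := range all {
		if a.Size > maxBytes || a.LastSeen.Before(cutoff) || uploaded[a.SHA256] {
			continue
		}
		out = append(out, a)
	}
	return out
}

// Outcome is what the orchestrator does with one add_sample reply.
type Outcome int

const (
	OutcomeRecord Outcome = iota // accepted: record the hash in bazaar_uploads
	OutcomeSkip                  // per-sample problem: log it and continue
	OutcomeHalt                  // account-level problem: stop the batch
)

// bazaarReply carries the two fields of a MalwareBazaar add_sample reply that
// this decision uses; query_status is the API's status field.
type bazaarReply struct {
	QueryStatus string `json:"query_status"`
	SHA256      string `json:"sha256_hash"`
}

// Decide maps query_status to an Outcome as the notes describe:
// file_already_known is accepted like inserted; no_api_key and
// user_blacklisted halt the batch; anything else skips the sample.
func Decide(body []byte) (Outcome, string, error) {
	var r bazaarReply
	if err := json.Unmarshal(body, &r); err != nil {
		return OutcomeSkip, "", fmt.Errorf("bazaar: malformed reply: %w", err)
	}
	switch r.QueryStatus {
	case "inserted", "file_already_known":
		return OutcomeRecord, r.QueryStatus, nil
	case "no_api_key", "user_blacklisted":
		return OutcomeHalt, r.QueryStatus, nil
	default:
		return OutcomeSkip, r.QueryStatus, nil
	}
}

// Result summarises a run in the terms the smoke-test note uses.
type Result struct {
	Inserted, AlreadyKnown, Skipped int
	HaltedOn                         string
}

// RunBatch pushes each artifact through submit (injected so this runs offline),
// records accepted hashes into the dedup set, and stops on a halting status.
func RunBatch(arts []Artifact, uploaded map[string]bool, submit func(Artifact) ([]byte, error)) Result {
	var res Result
	for _, a := range arts {
		body, err := submit(a)
		if err != nil {
			res.Skipped++
			continue
		}
		outcome, status, err := Decide(body)
		if err != nil {
			res.Skipped++
			continue
		}
		switch outcome {
		case OutcomeRecord:
			uploaded[a.SHA256] = true
			if status == "inserted" {
				res.Inserted++
			} else {
				res.AlreadyKnown++
			}
		case OutcomeHalt:
			res.HaltedOn = status
			return res
		default:
			res.Skipped++
		}
	}
	return res
}

func main() {
	now := time.Now()
	// Constructed artifacts and replies; the hashes are placeholders.
	arts := []Artifact{
		{SHA256: "sha-a", Size: 64 << 10, LastSeen: now.Add(-time.Hour)},
		{SHA256: "sha-b", Size: 64 << 10, LastSeen: now.Add(-300 * time.Hour)}, // outside 240h
		{SHA256: "sha-c", Size: 64 << 10, LastSeen: now},                        // already uploaded
		{SHA256: "sha-d", Size: 64 << 10, LastSeen: now},
	}
	uploaded := map[string]bool{"sha-c": true}
	fresh := ShareFilter(arts, uploaded, 5<<20, 240*time.Hour, now)
	replies := map[string]string{
		"sha-a": `{"query_status":"inserted","sha256_hash":"sha-a"}`,
		"sha-d": `{"query_status":"file_already_known","sha256_hash":"sha-d"}`,
	}
	res := RunBatch(fresh, uploaded, func(a Artifact) ([]byte, error) {
		return []byte(replies[a.SHA256]), nil
	})
	fmt.Printf("%d to share, %+v, dedup set now %d\n", len(fresh), res, len(uploaded))
}
```

Recording file_already_known alongside inserted is what makes the dedup set complete: a hash the service already holds is never re-sent on the next run, and because the set is only ever appended to, leaving it out of the purge cycle (as the notes state) keeps that guarantee across restarts.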

Pre-release smoke

Smoke-tested on a production cowrie VPS: 26 fresh samples uploaded
(11 inserted, 15 file_already_known) before tagging.

Verifying downloads

sha256sum -c SHA256SUMS

Upgrading from v1.1.1

Drop the new binary in place and restart the shardlure-live unit.
Migration v5 runs on first start and is idempotent.