
provide browser access to Zeek-extracted files directory (quarantined, preserved) #34

Closed
mmguero opened this issue Jan 25, 2021 · 1 comment
Labels: carving (Relating to carving (extraction) of files from traffic and the scanning of those files), enhancement (New feature or request), nginx (Relating to Malcolm's use of nginx)

mmguero commented Jan 25, 2021

Zeek-extracted files can be preserved/"quarantined" based on scanning results, but there's not a really convenient way to get at those files.

I've added optional environment variables for a new feature:

  • EXTRACTED_FILE_HTTP_SERVER_ENABLE – if set to true, the directory containing Zeek-extracted files will be served over HTTP at ./extracted-files/ (e.g., https://localhost/extracted-files/ if you are connecting locally)

  • EXTRACTED_FILE_HTTP_SERVER_ENCRYPT – if set to true, those Zeek-extracted files will be AES-256-CBC-encrypted in an openssl enc-compatible format (e.g., openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe)

  • EXTRACTED_FILE_HTTP_SERVER_KEY – specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files; used in conjunction with EXTRACTED_FILE_HTTP_SERVER_ENCRYPT

The encryption is more for safety's sake than anything (as the files may contain live malware). It's a very no-frills HTTP server. It's disabled by default.
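
As an added example (not Malcolm's own code), the script below round-trips a constructed "carved" file through the openssl enc-compatible AES-256-CBC container the comment above describes, decrypts it with the same `openssl enc -aes-256-cbc -d` command given there, and checks that the plaintext survives and that the ciphertext carries openssl's `Salted__` header. It assumes the `openssl` CLI is on PATH and that the password is supplied through an environment variable named EXTRACTED_FILE_HTTP_SERVER_KEY, as in the comment; the page does not say whether Malcolm's encryptor uses `-pbkdf2` or openssl's legacy EVP_BytesToKey derivation, so the functions take that as a parameter and the example exercises both.

```shell
#!/bin/sh
# Added example, not Malcolm's code: produce and read an openssl enc-compatible
# AES-256-CBC container for a Zeek-extracted file and verify the round trip.
set -eu

# Password source. Malcolm reads EXTRACTED_FILE_HTTP_SERVER_KEY; a constructed
# default is used here only when the variable is not already set.
: "${EXTRACTED_FILE_HTTP_SERVER_KEY:=constructed-example-key-change-me}"
export EXTRACTED_FILE_HTTP_SERVER_KEY

# Encrypt $1 into $2. $3 selects the KDF: "legacy" (EVP_BytesToKey, openssl's
# default without -pbkdf2) or "pbkdf2". The password is read from the
# environment (-pass env:VAR) rather than placed on the command line, so it
# does not show up in `ps` output or shell history.
encrypt_extracted_file() {
    in="$1"; out="$2"; kdf="${3:-legacy}"
    if [ "$kdf" = "pbkdf2" ]; then
        openssl enc -aes-256-cbc -salt -pbkdf2 \
            -pass env:EXTRACTED_FILE_HTTP_SERVER_KEY -in "$in" -out "$out"
    else
        # Newer openssl warns on stderr about the deprecated KDF; that is expected.
        openssl enc -aes-256-cbc -salt \
            -pass env:EXTRACTED_FILE_HTTP_SERVER_KEY -in "$in" -out "$out" 2>/dev/null
    fi
}

# Decrypt $1 into $2: the command from the issue, with the password taken from
# the environment instead of an interactive prompt. The KDF must match the one
# used at encryption time or decryption fails with "bad decrypt".
decrypt_extracted_file() {
    in="$1"; out="$2"; kdf="${3:-legacy}"
    if [ "$kdf" = "pbkdf2" ]; then
        openssl enc -aes-256-cbc -d -pbkdf2 \
            -pass env:EXTRACTED_FILE_HTTP_SERVER_KEY -in "$in" -out "$out"
    else
        openssl enc -aes-256-cbc -d \
            -pass env:EXTRACTED_FILE_HTTP_SERVER_KEY -in "$in" -out "$out" 2>/dev/null
    fi
}

# openssl enc -salt writes the 8-byte magic "Salted__" followed by an 8-byte
# salt before the ciphertext; this is how to recognise such a container.
is_openssl_salted() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# Build a constructed sample file (an MZ header plus a text marker; not real
# malware), encrypt it, sanity-check the container, decrypt, compare digests.
# Prints "roundtrip ok (<kdf>): <sha256>" on success and returns non-zero otherwise.
roundtrip_extracted_file() {
    kdf="${1:-legacy}"
    dir="$(mktemp -d)"
    printf 'MZ\220\000\003\000\000\000' > "$dir/example.exe"
    printf 'constructed sample payload, not real malware\n' >> "$dir/example.exe"
    before="$(openssl dgst -sha256 -r "$dir/example.exe" | cut -d' ' -f1)"

    encrypt_extracted_file "$dir/example.exe" "$dir/example.exe.encrypted" "$kdf"
    is_openssl_salted "$dir/example.exe.encrypted" || { echo "no Salted__ header" >&2; rm -rf "$dir"; return 1; }
    # The text marker must not be visible in the ciphertext.
    if grep -qa 'constructed sample' "$dir/example.exe.encrypted"; then
        echo "plaintext leaked into ciphertext" >&2; rm -rf "$dir"; return 1
    fi

    decrypt_extracted_file "$dir/example.exe.encrypted" "$dir/example.exe.decrypted" "$kdf"
    after="$(openssl dgst -sha256 -r "$dir/example.exe.decrypted" | cut -d' ' -f1)"
    rm -rf "$dir"
    [ "$before" = "$after" ] || { echo "digest mismatch after decrypt" >&2; return 1; }
    echo "roundtrip ok ($kdf): $after"
}

# Exercise both KDF variants when run directly.
roundtrip_extracted_file legacy
roundtrip_extracted_file pbkdf2
```

Two practitioner caveats follow from the comment itself: the password lives in the process environment (and in whatever compose or env file sets it), so as the author says this is a safety measure against accidental execution and anti-virus interference on the analyst's workstation, not a confidentiality control; and whoever decrypts must use the same KDF as the encryptor, since `openssl enc` with and without `-pbkdf2` derive different keys from the same password and salt.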

mmguero added the carving, enhancement and nginx labels Jan 25, 2021
@mmguero mmguero self-assigned this Jan 25, 2021
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 25, 2021
mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 5, 2021
Malcolm v2.6.1 contains the following changes:

v2.6.0...v2.6.1

* Added [TFTP](https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol) [Zeek parser](https://github.com/zeek/spicy-tftp) and corresponding Logstash parsing, Arkime WISE support and Kibana dashboards
* Provide browser-based access to zeek/extracted-files directory (idaholab#34)
* Fix LDAP analyzer not parsing all events (idaholab#35)
* Provide more fine-tuned controls for Zeek's node.cfg in Hedgehog sensor (idaholab#36, /pull/158)
* set zeek.uid to conn_uids for files.log entries (idaholab#33)
* Modify Zeek build chain to use default GCC compilers instead of LLVM/clang, which reduces build dependencies
* Use Firefox instead of Chromium for browser in ISO-installed versions of Malcolm and in Hedgehog Linux
* Updated copyright notices in text from "2020" to "2021" (which is the bulk of the changed files in this commit)
* Version bumps
  * Yara to 4.0.4
mmguero commented Feb 5, 2021

Released in Malcolm v2.6.1

@mmguero mmguero closed this as completed Feb 5, 2021
@mmguero mmguero added this to Done in Malcolm Feb 5, 2021