Strelka Cheatsheet

Strelka is a real-time file scanning system designed for threat hunting, threat intelligence, and incident response. It performs file extraction and metadata collection at scale, enabling security teams to analyze suspicious files and identify potential threats through comprehensive file analysis and enrichment.

Installation and Setup

Docker Installation (Recommended)

Quick Start with Docker Compose:

# Clone Strelka repository
git clone https://github.com/target/strelka.git
cd strelka

# Build and start services
docker-compose up -d

# Verify services are running
docker-compose ps

Custom Docker Compose:

version: '3.8'
services:
  strelka-backend:
    image: target/strelka:latest
    container_name: strelka-backend
    command: strelka-backend
    volumes:
      - ./configs/python/backend/backend.yaml:/etc/strelka/backend.yaml:ro
      - ./configs/python/backend/logging.yaml:/etc/strelka/logging.yaml:ro
    ports:
      - "57314:57314"
    networks:
      - strelka-net

  strelka-frontend:
    image: target/strelka:latest
    container_name: strelka-frontend
    command: strelka-frontend
    volumes:
      - ./configs/python/frontend/frontend.yaml:/etc/strelka/frontend.yaml:ro
      - ./configs/python/frontend/logging.yaml:/etc/strelka/logging.yaml:ro
      - /tmp/strelka:/tmp/strelka
    ports:
      - "57413:57413"
    depends_on:
      - strelka-backend
    networks:
      - strelka-net

networks:
  strelka-net:
    driver: bridge

Native Installation

Ubuntu/Debian Installation:

# Install dependencies
sudo apt-get update
sudo apt-get install -y python3 python3-pip python3-dev
sudo apt-get install -y build-essential libssl-dev libffi-dev
sudo apt-get install -y yara libyara-dev

# Install Python dependencies
pip3 install --upgrade pip
pip3 install strelka-scanner

# Install additional analysis tools
sudo apt-get install -y file binwalk exiftool
sudo apt-get install -y upx-ucl unrar-free p7zip-full

CentOS/RHEL Installation:

# Install EPEL repository
sudo yum install -y epel-release

# Install dependencies
sudo yum groupinstall -y "Development Tools"
sudo yum install -y python3 python3-pip python3-devel
sudo yum install -y openssl-devel libffi-devel yara-devel

# Install Strelka
pip3 install strelka-scanner

# Install analysis tools
sudo yum install -y file binwalk perl-Image-ExifTool
sudo yum install -y upx unrar p7zip

Configuration

Backend Configuration

backend.yaml:

# Backend server configuration
server:
  host: "0.0.0.0"
  port: 57314
  max_workers: 4
  
# Scanner configuration
scanners:
  - name: "ScanEntropy"
    priority: 5
    
  - name: "ScanExiftool"
    priority: 5
    
  - name: "ScanFile"
    priority: 5
    
  - name: "ScanHash"
    priority: 5
    
  - name: "ScanHeader"
    priority: 5
    
  - name: "ScanPe"
    priority: 5
    options:
      tmp_directory: "/tmp/strelka/"
      
  - name: "ScanYara"
    priority: 5
    options:
      location: "/etc/strelka/yara/"

# Taste configuration
taste:
  - filename: ".*\\.exe$"
    scanner: "ScanPe"
    
  - filename: ".*\\.dll$"
    scanner: "ScanPe"
    
  - mime: "application/pdf"
    scanner: "ScanPdf"
    
  - mime: "application/zip"
    scanner: "ScanZip"

Frontend Configuration

frontend.yaml:

# Frontend server configuration
server:
  host: "0.0.0.0"
  port: 57413
  
# Backend connection
backend:
  host: "strelka-backend"
  port: 57314
  
# Request limits
limits:
  max_file_size: 268435456  # 256MB
  time_to_live: 60
  max_files_per_request: 100
  
# Response configuration
response:
  log_extracted_files: true
  log_thumbnails: false

Scanner Configuration

Custom Scanner Options:

# YARA scanner configuration
ScanYara:
  options:
    location: "/etc/strelka/yara/"
    compiled_rules: true
    timeout: 60
    
# PE scanner configuration
ScanPe:
  options:
    tmp_directory: "/tmp/strelka/"
    extract_resources: true
    extract_overlay: true
    
# ZIP scanner configuration
ScanZip:
  options:
    limit: 1000
    password_file: "/etc/strelka/passwords.txt"
    
# PDF scanner configuration
ScanPdf:
  options:
    extract_text: true
    limit: 2000

Command Line Usage

Basic File Scanning

Scan Single File:

# Scan a file
strelka-oneshot /path/to/suspicious_file.exe

# Scan with specific backend
strelka-oneshot --backend localhost:57314 /path/to/file.pdf

# Scan with JSON output
strelka-oneshot --json /path/to/malware.zip

Scan Multiple Files:

# Scan directory
find /path/to/files -type f -exec strelka-oneshot {} \;

# Scan with parallel processing
find /path/to/files -type f | xargs -P 4 -I {} strelka-oneshot {}

# Scan specific file types
find /path/to/files -name "*.exe" -exec strelka-oneshot {} \;

Batch Processing

Directory Scanning:

# Scan entire directory
strelka-dirstream --backend localhost:57314 /path/to/directory

# Scan with file filtering
strelka-dirstream --patterns "*.exe,*.dll,*.pdf" /path/to/directory

# Scan with output to file
strelka-dirstream /path/to/directory > scan_results.json

Network Streaming:

# Stream files from network share
strelka-dirstream --backend remote-backend:57314 //server/share/files

# Stream with authentication
strelka-dirstream --username user --password pass //server/share

API Usage

REST API

Submit File for Analysis:

# Submit single file
curl -X POST \
  -F "file=@suspicious_file.exe" \
  http://localhost:57413/scan

# Submit with metadata
curl -X POST \
  -F "file=@malware.zip" \
  -F "source=email_attachment" \
  -F "filename=attachment.zip" \
  http://localhost:57413/scan

Bulk File Submission:

# Submit multiple files
curl -X POST \
  -F "file1=@file1.exe" \
  -F "file2=@file2.dll" \
  -F "file3=@file3.pdf" \
  http://localhost:57413/scan

Python API

Basic Python Usage:

import requests
import json

# Submit file for scanning
def scan_file(file_path, strelka_url="http://localhost:57413"):
    with open(file_path, 'rb') as f:
        files = {'file': f}
        response = requests.post(f"{strelka_url}/scan", files=files)
        return response.json()

# Scan file and parse results
result = scan_file("/path/to/suspicious_file.exe")
print(json.dumps(result, indent=2))

Advanced Python Integration:

import requests
import json
import hashlib
from pathlib import Path

class StrelkaClient:
    def __init__(self, base_url="http://localhost:57413"):
        self.base_url = base_url
        
    def scan_file(self, file_path, metadata=None):
        """Scan a single file with optional metadata"""
        with open(file_path, 'rb') as f:
            files = {'file': f}
            data = metadata or {}
            response = requests.post(f"{self.base_url}/scan", 
                                   files=files, data=data)
            return response.json()
    
    def scan_directory(self, directory_path, extensions=None):
        """Scan all files in a directory"""
        results = []
        path = Path(directory_path)
        
        for file_path in path.rglob('*'):
            if file_path.is_file():
                if extensions and file_path.suffix not in extensions:
                    continue
                    
                try:
                    result = self.scan_file(file_path)
                    results.append({
                        'file_path': str(file_path),
                        'scan_result': result
                    })
                except Exception as e:
                    print(f"Error scanning {file_path}: {e}")
                    
        return results
    
    def get_file_hash(self, file_path):
        """Calculate file hash"""
        sha256_hash = hashlib.sha256()
        with open(file_path, "rb") as f:
            for chunk in iter(lambda: f.read(4096), b""):
                sha256_hash.update(chunk)
        return sha256_hash.hexdigest()

# Usage example
client = StrelkaClient()
result = client.scan_file("/path/to/malware.exe", 
                         metadata={"source": "email", "priority": "high"})

Scanner Modules

File Analysis Scanners

ScanFile - File Type Detection:

# Identifies file types and MIME types
# Output includes:
{
  "file": {
    "flavors": {
      "mime": ["application/x-executable"],
      "yara": ["pe_file"]
    },
    "size": 1048576
  }
}

ScanHash - Hash Calculation:

# Calculates multiple hash types
# Output includes:
{
  "hash": {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ssdeep": "3::"
  }
}

ScanEntropy - Entropy Analysis:

# Analyzes file entropy for packing detection
# Output includes:
{
  "entropy": {
    "entropy": 7.8,
    "packed": true,
    "sections": [
      {"name": ".text", "entropy": 6.2},
      {"name": ".data", "entropy": 7.9}
    ]
  }
}

Executable Analysis

ScanPe - PE File Analysis:

# Comprehensive PE file analysis
# Output includes:
{
  "pe": {
    "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
    "compile_time": "2023-01-15T10:30:00",
    "sections": [
      {
        "name": ".text",
        "virtual_address": "0x1000",
        "virtual_size": 65536,
        "raw_size": 65536,
        "entropy": 6.2,
        "md5": "abc123..."
      }
    ],
    "imports": [
      {
        "library": "kernel32.dll",
        "functions": ["CreateFileA", "ReadFile", "WriteFile"]
      }
    ],
    "exports": [],
    "resources": [
      {
        "type": "RT_VERSION",
        "language": "LANG_ENGLISH",
        "size": 1024
      }
    ]
  }
}

Archive Analysis

ScanZip - ZIP Archive Analysis:

# Analyzes ZIP archives and extracts metadata
# Output includes:
{
  "zip": {
    "total_files": 5,
    "extracted_files": 3,
    "files": [
      {
        "filename": "document.pdf",
        "size": 1048576,
        "compressed_size": 524288,
        "crc32": "0x12345678",
        "modified_time": "2023-01-15T10:30:00"
      }
    ],
    "password_protected": false
  }
}

Document Analysis

ScanPdf - PDF Analysis:

# Analyzes PDF documents for threats
# Output includes:
{
  "pdf": {
    "total_pages": 10,
    "author": "Unknown",
    "creator": "Microsoft Word",
    "producer": "Adobe PDF Library",
    "creation_date": "2023-01-15T10:30:00",
    "javascript": true,
    "embedded_files": 2,
    "forms": false,
    "suspicious_elements": [
      "JavaScript code detected",
      "Embedded executable"
    ]
  }
}

YARA Integration

YARA Rules Configuration

Custom YARA Rules:

rule Suspicious_PE_Characteristics
{
    meta:
        description = "Detects suspicious PE characteristics"
        author = "Security Team"
        date = "2023-01-15"
        
    strings:
        $mz = { 4D 5A }
        $pe = "PE\x00\x00"
        
    condition:
        $mz at 0 and $pe and
        (
            pe.number_of_sections < 3 or
            pe.number_of_sections > 10 or
            pe.entry_point < pe.sections[0].virtual_address
        )
}

rule Packed_Executable
{
    meta:
        description = "Detects packed executables"
        
    condition:
        pe.is_pe and
        (
            pe.sections[0].name contains "UPX" or
            pe.sections[0].name contains ".aspack" or
            pe.sections[0].name contains ".rlpack"
        )
}

YARA Rules Directory Structure:

/etc/strelka/yara/
├── malware/
│   ├── apt.yar
│   ├── ransomware.yar
│   └── trojans.yar
├── packers/
│   ├── upx.yar
│   ├── aspack.yar
│   └── themida.yar
└── general/
    ├── suspicious.yar
    └── crypto.yar

Compiled YARA Rules

Compile YARA Rules:

# Compile individual rule file
yarac /etc/strelka/yara/malware/apt.yar /etc/strelka/yara/compiled/apt.yarc

# Compile all rules in directory
find /etc/strelka/yara -name "*.yar" -exec yarac {} {}.compiled \;

# Compile rules with includes
yarac -d include_dir=/etc/strelka/yara/includes rules.yar rules.yarc

Integration Examples

ELK Stack Integration

Logstash Configuration:

input {
  file {
    path => "/var/log/strelka/strelka.log"
    codec => json
    start_position => "beginning"
  }
}

filter {
  if [event][scanner] == "ScanYara" {
    mutate {
      add_tag => ["yara_match"]
    }
  }
  
  if [event][scanner] == "ScanPe" {
    mutate {
      add_tag => ["pe_analysis"]
    }
  }
  
  date {
    match => [ "time", "ISO8601" ]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "strelka-%{+YYYY.MM.dd}"
  }
}

MISP Integration

MISP Attribute Creation:

import requests
import json
from pymisp import PyMISP

def create_misp_event(strelka_result, misp_url, misp_key):
    """Create MISP event from Strelka scan results"""
    misp = PyMISP(misp_url, misp_key, ssl=False)
    
    # Create new event
    event = misp.new_event(
        distribution=0,
        threat_level_id=2,
        analysis=1,
        info=f"Strelka Analysis: {strelka_result.get('filename', 'Unknown')}"
    )
    
    # Add file hash attributes
    if 'hash' in strelka_result:
        hashes = strelka_result['hash']
        for hash_type, hash_value in hashes.items():
            misp.add_attribute(event, hash_type, hash_value)
    
    # Add YARA matches
    if 'yara' in strelka_result:
        for match in strelka_result['yara']['matches']:
            misp.add_attribute(event, 'yara', match['rule'])
    
    # Add PE information
    if 'pe' in strelka_result:
        pe_info = strelka_result['pe']
        if 'imphash' in pe_info:
            misp.add_attribute(event, 'imphash', pe_info['imphash'])
    
    return event

Threat Intelligence Enrichment

VirusTotal Integration:

import requests
import time

def enrich_with_virustotal(file_hash, vt_api_key):
    """Enrich Strelka results with VirusTotal data"""
    url = f"https://www.virustotal.com/vtapi/v2/file/report"
    params = {
        'apikey': vt_api_key,
        'resource': file_hash
    }
    
    response = requests.get(url, params=params)
    if response.status_code == 200:
        return response.json()
    return None

def process_strelka_results(strelka_result, vt_api_key):
    """Process Strelka results with threat intelligence"""
    enriched_result = strelka_result.copy()
    
    # Get file hash
    if 'hash' in strelka_result and 'sha256' in strelka_result['hash']:
        sha256 = strelka_result['hash']['sha256']
        
        # Enrich with VirusTotal
        vt_result = enrich_with_virustotal(sha256, vt_api_key)
        if vt_result:
            enriched_result['virustotal'] = vt_result
            
        # Add threat score
        threat_score = calculate_threat_score(strelka_result, vt_result)
        enriched_result['threat_score'] = threat_score
    
    return enriched_result

def calculate_threat_score(strelka_result, vt_result):
    """Calculate threat score based on analysis results"""
    score = 0
    
    # YARA matches
    if 'yara' in strelka_result:
        score += len(strelka_result['yara']['matches']) * 10
    
    # Entropy analysis
    if 'entropy' in strelka_result:
        if strelka_result['entropy'].get('packed', False):
            score += 20
    
    # VirusTotal detections
    if vt_result and vt_result.get('positives', 0) > 0:
        score += vt_result['positives'] * 5
    
    return min(score, 100)  # Cap at 100

Monitoring and Alerting

Performance Monitoring

System Metrics:

# Monitor Strelka processes
ps aux | grep strelka

# Check memory usage
free -h
cat /proc/meminfo | grep -E "(MemTotal|MemFree|MemAvailable)"

# Monitor disk usage
df -h /tmp/strelka
du -sh /tmp/strelka/*

# Network connections
netstat -tulpn | grep -E "(57314|57413)"

Application Metrics:

# Check backend status
curl -s http://localhost:57314/health

# Check frontend status
curl -s http://localhost:57413/health

# Monitor scan queue
curl -s http://localhost:57413/stats | jq '.queue_size'

# Check scan performance
curl -s http://localhost:57413/metrics

Alerting Configuration

Prometheus Metrics:

# prometheus.yml
scrape_configs:
  - job_name: 'strelka'
    static_configs:
      - targets: ['localhost:57413']
    metrics_path: '/metrics'
    scrape_interval: 30s

Alert Rules:

# strelka_alerts.yml
groups:
  - name: strelka
    rules:
      - alert: StrelkaHighQueueSize
        expr: strelka_queue_size > 100
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Strelka queue size is high"
          
      - alert: StrelkaBackendDown
        expr: up{job="strelka"} == 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "Strelka backend is down"

Troubleshooting

Common Issues

Service Not Starting:

# Check Docker containers
docker-compose ps
docker-compose logs strelka-backend
docker-compose logs strelka-frontend

# Check configuration files
strelka-backend --config /etc/strelka/backend.yaml --validate
strelka-frontend --config /etc/strelka/frontend.yaml --validate

# Check file permissions
ls -la /etc/strelka/
ls -la /tmp/strelka/

Scanning Issues:

# Test backend connectivity
telnet localhost 57314

# Test frontend API
curl -v http://localhost:57413/health

# Check scanner modules
strelka-oneshot --list-scanners

# Debug scanning
strelka-oneshot --debug /path/to/test_file

Performance Issues:

# Monitor resource usage
top -p $(pgrep -f strelka)
iostat -x 1

# Check scan times
grep "scan_time" /var/log/strelka/strelka.log

# Analyze slow scans
grep "timeout" /var/log/strelka/strelka.log

Log Analysis

Debug Logging:

# logging.yaml
version: 1
formatters:
  simple:
    format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
handlers:
  console:
    class: logging.StreamHandler
    level: DEBUG
    formatter: simple
loggers:
  strelka:
    level: DEBUG
    handlers: [console]

Log Monitoring:

# Monitor real-time logs
tail -f /var/log/strelka/strelka.log

# Search for errors
grep -i error /var/log/strelka/strelka.log

# Analyze scan statistics
grep "scan_time" /var/log/strelka/strelka.log | awk '{print $NF}' | sort -n

This comprehensive Strelka cheatsheet covers installation, configuration, scanning operations, and advanced integration for effective file analysis and threat detection.