Strelka Cheatsheet¶
Strelka is a real-time file scanning system designed for threat hunting, threat intelligence, and incident response. It performs file extraction and metadata collection at scale, enabling security teams to analyze suspicious files and identify potential threats through comprehensive file analysis and enrichment.
## Installation and Setup
### Docker Installation (Recommended)
**Quick Start with Docker Compose:**
**Custom Docker Compose:**
### Native Installation
**Ubuntu/Debian Installation:**
**CentOS/RHEL Installation:**
## Configuration
### Backend Configuration
**backend.yaml:**
### Frontend Configuration
**frontend.yaml:**
### Scanner Configuration
**Custom Scanner Options:**
## Command Line Usage
### Basic File Scanning
**Scan Single File:**
**Scan Multiple Files:**
### Batch Processing
**Directory Scanning:**
**Network Streaming:**
## API Usage
### REST API
**Submit File for Analysis:**
**Bulk File Submission:**
### Python API
**Basic Python Usage:**
**Advanced Python Integration:**
## Scanner Modules
### File Analysis Scanners
**ScanFile - File Type Detection:**
**ScanHash - Hash Calculation:**
**ScanEntropy - Entropy Analysis:**
### Executable Analysis
**ScanPe - PE File Analysis:**
### Archive Analysis
**ScanZip - ZIP Archive Analysis:**
### Document Analysis
**ScanPdf - PDF Analysis:**
## YARA Integration
### YARA Rules Configuration
**Custom YARA Rules:**
**YARA Rules Directory Structure:**
### Compiled YARA Rules
**Compile YARA Rules:**
## Integration Examples
### ELK Stack Integration
**Logstash Configuration:**
### MISP Integration
**MISP Attribute Creation:**
### Threat Intelligence Enrichment
**VirusTotal Integration:**
## Monitoring and Alerting
### Performance Monitoring
**System Metrics:**
**Application Metrics:**
### Alerting Configuration
**Prometheus Metrics:**
**Alert Rules:**
## Troubleshooting
### Common Issues
**Service Not Starting:**
**Scanning Issues:**
**Performance Issues:**
### Log Analysis
**Debug Logging:**
**Log Monitoring:**
# Clone Strelka repository
git clone https://github.com/target/strelka.git
cd strelka
# Build and start services
docker-compose up -d
# Verify services are running
docker-compose ps
version: '3.8'
services:
strelka-backend:
image: target/strelka:latest
container_name: strelka-backend
command: strelka-backend
volumes:
- ./configs/python/backend/backend.yaml:/etc/strelka/backend.yaml:ro
- ./configs/python/backend/logging.yaml:/etc/strelka/logging.yaml:ro
ports:
- "57314:57314"
networks:
- strelka-net
strelka-frontend:
image: target/strelka:latest
container_name: strelka-frontend
command: strelka-frontend
volumes:
- ./configs/python/frontend/frontend.yaml:/etc/strelka/frontend.yaml:ro
- ./configs/python/frontend/logging.yaml:/etc/strelka/logging.yaml:ro
- /tmp/strelka:/tmp/strelka
ports:
- "57413:57413"
depends_on:
- strelka-backend
networks:
- strelka-net
networks:
strelka-net:
driver: bridge
# Install dependencies
sudo apt-get update
sudo apt-get install -y python3 python3-pip python3-dev
sudo apt-get install -y build-essential libssl-dev libffi-dev
sudo apt-get install -y yara libyara-dev
# Install Python dependencies
pip3 install --upgrade pip
pip3 install strelka-scanner
# Install additional analysis tools
sudo apt-get install -y file binwalk exiftool
sudo apt-get install -y upx-ucl unrar-free p7zip-full
# Install EPEL repository
sudo yum install -y epel-release
# Install dependencies
sudo yum groupinstall -y "Development Tools"
sudo yum install -y python3 python3-pip python3-devel
sudo yum install -y openssl-devel libffi-devel yara-devel
# Install Strelka
pip3 install strelka-scanner
# Install analysis tools
sudo yum install -y file binwalk perl-Image-ExifTool
sudo yum install -y upx unrar p7zip
# Backend server configuration
server:
host: "0.0.0.0"
port: 57314
max_workers: 4
# Scanner configuration
scanners:
- name: "ScanEntropy"
priority: 5
- name: "ScanExiftool"
priority: 5
- name: "ScanFile"
priority: 5
- name: "ScanHash"
priority: 5
- name: "ScanHeader"
priority: 5
- name: "ScanPe"
priority: 5
options:
tmp_directory: "/tmp/strelka/"
- name: "ScanYara"
priority: 5
options:
location: "/etc/strelka/yara/"
# Taste configuration
taste:
- filename: ".*\\.exe$"
scanner: "ScanPe"
- filename: ".*\\.dll$"
scanner: "ScanPe"
- mime: "application/pdf"
scanner: "ScanPdf"
- mime: "application/zip"
scanner: "ScanZip"
# Frontend server configuration
server:
host: "0.0.0.0"
port: 57413
# Backend connection
backend:
host: "strelka-backend"
port: 57314
# Request limits
limits:
max_file_size: 268435456 # 256MB
time_to_live: 60
max_files_per_request: 100
# Response configuration
response:
log_extracted_files: true
log_thumbnails: false
# YARA scanner configuration
ScanYara:
options:
location: "/etc/strelka/yara/"
compiled_rules: true
timeout: 60
# PE scanner configuration
ScanPe:
options:
tmp_directory: "/tmp/strelka/"
extract_resources: true
extract_overlay: true
# ZIP scanner configuration
ScanZip:
options:
limit: 1000
password_file: "/etc/strelka/passwords.txt"
# PDF scanner configuration
ScanPdf:
options:
extract_text: true
limit: 2000
# Scan a file
strelka-oneshot /path/to/suspicious_file.exe
# Scan with specific backend
strelka-oneshot --backend localhost:57314 /path/to/file.pdf
# Scan with JSON output
strelka-oneshot --json /path/to/malware.zip
# Scan directory
find /path/to/files -type f -exec strelka-oneshot \\\\{\\\\} \;
# Scan with parallel processing
find /path/to/files -type f|xargs -P 4 -I \\\\{\\\\} strelka-oneshot \\\\{\\\\}
# Scan specific file types
find /path/to/files -name "*.exe" -exec strelka-oneshot \\\\{\\\\} \;
# Scan entire directory
strelka-dirstream --backend localhost:57314 /path/to/directory
# Scan with file filtering
strelka-dirstream --patterns "*.exe,*.dll,*.pdf" /path/to/directory
# Scan with output to file
strelka-dirstream /path/to/directory > scan_results.json
# Stream files from network share
strelka-dirstream --backend remote-backend:57314 //server/share/files
# Stream with authentication
strelka-dirstream --username user --password pass //server/share
# Submit single file
curl -X POST \
-F "file=@suspicious_file.exe" \
http://localhost:57413/scan
# Submit with metadata
curl -X POST \
-F "file=@malware.zip" \
-F "source=email_attachment" \
-F "filename=attachment.zip" \
http://localhost:57413/scan
# Submit multiple files
curl -X POST \
-F "file1=@file1.exe" \
-F "file2=@file2.dll" \
-F "file3=@file3.pdf" \
http://localhost:57413/scan
import requests
import json
# Submit file for scanning
def scan_file(file_path, strelka_url="http://localhost:57413"):
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
response = requests.post(f"\\\\{strelka_url\\\\}/scan", files=files)
return response.json()
# Scan file and parse results
result = scan_file("/path/to/suspicious_file.exe")
print(json.dumps(result, indent=2))
import requests
import json
import hashlib
from pathlib import Path
class StrelkaClient:
def __init__(self, base_url="http://localhost:57413"):
self.base_url = base_url
def scan_file(self, file_path, metadata=None):
"""Scan a single file with optional metadata"""
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
data = metadata or \\\\{\\\\}
response = requests.post(f"\\\\{self.base_url\\\\}/scan",
files=files, data=data)
return response.json()
def scan_directory(self, directory_path, extensions=None):
"""Scan all files in a directory"""
results = []
path = Path(directory_path)
for file_path in path.rglob('*'):
if file_path.is_file():
if extensions and file_path.suffix not in extensions:
continue
try:
result = self.scan_file(file_path)
results.append(\\\\{
'file_path': str(file_path),
'scan_result': result
\\\\})
except Exception as e:
print(f"Error scanning \\\\{file_path\\\\}: \\\\{e\\\\}")
return results
def get_file_hash(self, file_path):
"""Calculate file hash"""
sha256_hash = hashlib.sha256()
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
sha256_hash.update(chunk)
return sha256_hash.hexdigest()
# Usage example
client = StrelkaClient()
result = client.scan_file("/path/to/malware.exe",
metadata=\\\\{"source": "email", "priority": "high"\\\\})
# Identifies file types and MIME types
# Output includes:
\\\\{
"file": \\\\{
"flavors": \\\\{
"mime": ["application/x-executable"],
"yara": ["pe_file"]
\\\\},
"size": 1048576
\\\\}
\\\\}
# Calculates multiple hash types
# Output includes:
\\\\{
"hash": \\\\{
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"ssdeep": "3::"
\\\\}
\\\\}
# Analyzes file entropy for packing detection
# Output includes:
\\\\{
"entropy": \\\\{
"entropy": 7.8,
"packed": true,
"sections": [
\\\\{"name": ".text", "entropy": 6.2\\\\},
\\\\{"name": ".data", "entropy": 7.9\\\\}
]
\\\\}
\\\\}
# Comprehensive PE file analysis
# Output includes:
\\\\{
"pe": \\\\{
"imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
"compile_time": "2023-01-15T10:30:00",
"sections": [
\\\\{
"name": ".text",
"virtual_address": "0x1000",
"virtual_size": 65536,
"raw_size": 65536,
"entropy": 6.2,
"md5": "abc123..."
\\\\}
],
"imports": [
\\\\{
"library": "kernel32.dll",
"functions": ["CreateFileA", "ReadFile", "WriteFile"]
\\\\}
],
"exports": [],
"resources": [
\\\\{
"type": "RT_VERSION",
"language": "LANG_ENGLISH",
"size": 1024
\\\\}
]
\\\\}
\\\\}
# Analyzes ZIP archives and extracts metadata
# Output includes:
\\\\{
"zip": \\\\{
"total_files": 5,
"extracted_files": 3,
"files": [
\\\\{
"filename": "document.pdf",
"size": 1048576,
"compressed_size": 524288,
"crc32": "0x12345678",
"modified_time": "2023-01-15T10:30:00"
\\\\}
],
"password_protected": false
\\\\}
\\\\}
# Analyzes PDF documents for threats
# Output includes:
\\\\{
"pdf": \\\\{
"total_pages": 10,
"author": "Unknown",
"creator": "Microsoft Word",
"producer": "Adobe PDF Library",
"creation_date": "2023-01-15T10:30:00",
"javascript": true,
"embedded_files": 2,
"forms": false,
"suspicious_elements": [
"JavaScript code detected",
"Embedded executable"
]
\\\\}
\\\\}
rule Suspicious_PE_Characteristics
\\\\{
meta:
description = "Detects suspicious PE characteristics"
author = "Security Team"
date = "2023-01-15"
strings:
$mz = \\\\{ 4D 5A \\\\}
$pe = "PE\x00\x00"
condition:
$mz at 0 and $pe and
(
pe.number_of_sections < 3 or
pe.number_of_sections > 10 or
pe.entry_point < pe.sections[0].virtual_address
)
\\\\}
rule Packed_Executable
\\\\{
meta:
description = "Detects packed executables"
condition:
pe.is_pe and
(
pe.sections[0].name contains "UPX" or
pe.sections[0].name contains ".aspack" or
pe.sections[0].name contains ".rlpack"
)
\\\\}
/etc/strelka/yara/
├── malware/
│ ├── apt.yar
│ ├── ransomware.yar
│ └── trojans.yar
├── packers/
│ ├── upx.yar
│ ├── aspack.yar
│ └── themida.yar
└── general/
├── suspicious.yar
└── crypto.yar
# Compile individual rule file
yarac /etc/strelka/yara/malware/apt.yar /etc/strelka/yara/compiled/apt.yarc
# Compile all rules in directory
find /etc/strelka/yara -name "*.yar" -exec yarac \\\\{\\\\} \\\\{\\\\}.compiled \;
# Compile rules with includes
yarac -d include_dir=/etc/strelka/yara/includes rules.yar rules.yarc
input \\\\{
file \\\\{
path => "/var/log/strelka/strelka.log"
codec => json
start_position => "beginning"
\\\\}
\\\\}
filter \\\\{
if [event][scanner] == "ScanYara" \\\\{
mutate \\\\{
add_tag => ["yara_match"]
\\\\}
\\\\}
if [event][scanner] == "ScanPe" \\\\{
mutate \\\\{
add_tag => ["pe_analysis"]
\\\\}
\\\\}
date \\\\{
match => [ "time", "ISO8601" ]
\\\\}
\\\\}
output \\\\{
elasticsearch \\\\{
hosts => ["localhost:9200"]
index => "strelka-%\\\\{+YYYY.MM.dd\\\\}"
\\\\}
\\\\}
import requests
import json
from pymisp import PyMISP
def create_misp_event(strelka_result, misp_url, misp_key):
"""Create MISP event from Strelka scan results"""
misp = PyMISP(misp_url, misp_key, ssl=False)
# Create new event
event = misp.new_event(
distribution=0,
threat_level_id=2,
analysis=1,
info=f"Strelka Analysis: \\\\{strelka_result.get('filename', 'Unknown')\\\\}"
)
# Add file hash attributes
if 'hash' in strelka_result:
hashes = strelka_result['hash']
for hash_type, hash_value in hashes.items():
misp.add_attribute(event, hash_type, hash_value)
# Add YARA matches
if 'yara' in strelka_result:
for match in strelka_result['yara']['matches']:
misp.add_attribute(event, 'yara', match['rule'])
# Add PE information
if 'pe' in strelka_result:
pe_info = strelka_result['pe']
if 'imphash' in pe_info:
misp.add_attribute(event, 'imphash', pe_info['imphash'])
return event
import requests
import time
def enrich_with_virustotal(file_hash, vt_api_key):
"""Enrich Strelka results with VirusTotal data"""
url = f"https://www.virustotal.com/vtapi/v2/file/report"
params = \\\\{
'apikey': vt_api_key,
'resource': file_hash
\\\\}
response = requests.get(url, params=params)
if response.status_code == 200:
return response.json()
return None
def process_strelka_results(strelka_result, vt_api_key):
"""Process Strelka results with threat intelligence"""
enriched_result = strelka_result.copy()
# Get file hash
if 'hash' in strelka_result and 'sha256' in strelka_result['hash']:
sha256 = strelka_result['hash']['sha256']
# Enrich with VirusTotal
vt_result = enrich_with_virustotal(sha256, vt_api_key)
if vt_result:
enriched_result['virustotal'] = vt_result
# Add threat score
threat_score = calculate_threat_score(strelka_result, vt_result)
enriched_result['threat_score'] = threat_score
return enriched_result
def calculate_threat_score(strelka_result, vt_result):
"""Calculate threat score based on analysis results"""
score = 0
# YARA matches
if 'yara' in strelka_result:
score += len(strelka_result['yara']['matches']) * 10
# Entropy analysis
if 'entropy' in strelka_result:
if strelka_result['entropy'].get('packed', False):
score += 20
# VirusTotal detections
if vt_result and vt_result.get('positives', 0) > 0:
score += vt_result['positives'] * 5
return min(score, 100) # Cap at 100
# Monitor Strelka processes
ps aux|grep strelka
# Check memory usage
free -h
cat /proc/meminfo|grep -E "(MemTotal|MemFree|MemAvailable)"
# Monitor disk usage
df -h /tmp/strelka
du -sh /tmp/strelka/*
# Network connections
netstat -tulpn|grep -E "(57314|57413)"
# Check backend status
curl -s http://localhost:57314/health
# Check frontend status
curl -s http://localhost:57413/health
# Monitor scan queue
curl -s http://localhost:57413/stats|jq '.queue_size'
# Check scan performance
curl -s http://localhost:57413/metrics
# prometheus.yml
scrape_configs:
- job_name: 'strelka'
static_configs:
- targets: ['localhost:57413']
metrics_path: '/metrics'
scrape_interval: 30s
# strelka_alerts.yml
groups:
- name: strelka
rules:
- alert: StrelkaHighQueueSize
expr: strelka_queue_size > 100
for: 5m
labels:
severity: warning
annotations:
summary: "Strelka queue size is high"
- alert: StrelkaBackendDown
expr: up\\\\{job="strelka"\\\\} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Strelka backend is down"
# Check Docker containers
docker-compose ps
docker-compose logs strelka-backend
docker-compose logs strelka-frontend
# Check configuration files
strelka-backend --config /etc/strelka/backend.yaml --validate
strelka-frontend --config /etc/strelka/frontend.yaml --validate
# Check file permissions
ls -la /etc/strelka/
ls -la /tmp/strelka/
# Test backend connectivity
telnet localhost 57314
# Test frontend API
curl -v http://localhost:57413/health
# Check scanner modules
strelka-oneshot --list-scanners
# Debug scanning
strelka-oneshot --debug /path/to/test_file
# Monitor resource usage
top -p $(pgrep -f strelka)
iostat -x 1
# Check scan times
grep "scan_time" /var/log/strelka/strelka.log
# Analyze slow scans
grep "timeout" /var/log/strelka/strelka.log
This comprehensive Strelka cheatsheet covers installation, configuration, scanning operations, and advanced integration for effective file analysis and threat detection.