Strelka Cheatsheet

📋 Kopieren Sie alle Strelka Befehle 📄 Strelka PDF Guide generieren

Strelka ist ein Echtzeit-Datei-Scansystem, das für Bedrohungsjagd, Bedrohungsintelligenz und zufällige Reaktion konzipiert ist. Es führt Dateiextraktion und Metadatensammlung im Maßstab durch, so dass Sicherheitsteams verdächtige Dateien analysieren und potenzielle Bedrohungen durch umfassende Dateianalyse und Anreicherung identifizieren können. ## Installation und Inbetriebnahme ### Docker Installation (empfohlen) **Quick Start mit Docker Compose:** ```bash # Clone Strelka repository git clone https://github.com/target/strelka.git cd strelka # Build and start services docker-compose up -d # Verify services are running docker-compose ps ```_ **Custom Docker komponiert:** ```yaml version: '3.8' services: strelka-backend: image: target/strelka:latest container_name: strelka-backend command: strelka-backend volumes: - ./configs/python/backend/backend.yaml:/etc/strelka/backend.yaml:ro - ./configs/python/backend/logging.yaml:/etc/strelka/logging.yaml:ro ports: - "57314:57314" networks: - strelka-net strelka-frontend: image: target/strelka:latest container_name: strelka-frontend command: strelka-frontend volumes: - ./configs/python/frontend/frontend.yaml:/etc/strelka/frontend.yaml:ro - ./configs/python/frontend/logging.yaml:/etc/strelka/logging.yaml:ro - /tmp/strelka:/tmp/strelka ports: - "57413:57413" depends_on: - strelka-backend networks: - strelka-net networks: strelka-net: driver: bridge ```_ ### Native Installation **Ubuntu/Debian Installation:** ```bash # Install dependencies sudo apt-get update sudo apt-get install -y python3 python3-pip python3-dev sudo apt-get install -y build-essential libssl-dev libffi-dev sudo apt-get install -y yara libyara-dev # Install Python dependencies pip3 install --upgrade pip pip3 install strelka-scanner # Install additional analysis tools sudo apt-get install -y file binwalk exiftool sudo apt-get install -y upx-ucl unrar-free p7zip-full ```_ **CentOS/RHEL Installation:** ```bash # Install EPEL repository sudo yum install -y epel-release # Install dependencies sudo yum groupinstall -y "Development Tools" sudo yum install -y python3 python3-pip python3-devel sudo yum install -y openssl-devel libffi-devel yara-devel # Install Strelka pip3 install strelka-scanner # Install analysis tools sudo yum install -y file binwalk perl-Image-ExifTool sudo yum install -y upx unrar p7zip ```_ ## Konfiguration ### Backend Konfiguration **backend.yaml:** ```yaml # Backend server configuration server: host: "0.0.0.0" port: 57314 max_workers: 4 # Scanner configuration scanners: - name: "ScanEntropy" priority: 5 - name: "ScanExiftool" priority: 5 - name: "ScanFile" priority: 5 - name: "ScanHash" priority: 5 - name: "ScanHeader" priority: 5 - name: "ScanPe" priority: 5 options: tmp_directory: "/tmp/strelka/" - name: "ScanYara" priority: 5 options: location: "/etc/strelka/yara/" # Taste configuration taste: - filename: ".*\\.exe$" scanner: "ScanPe" - filename: ".*\\.dll$" scanner: "ScanPe" - mime: "application/pdf" scanner: "ScanPdf" - mime: "application/zip" scanner: "ScanZip" ```_ ### Frontend Konfiguration **frontend.yaml:** ```yaml # Frontend server configuration server: host: "0.0.0.0" port: 57413 # Backend connection backend: host: "strelka-backend" port: 57314 # Request limits limits: max_file_size: 268435456 # 256MB time_to_live: 60 max_files_per_request: 100 # Response configuration response: log_extracted_files: true log_thumbnails: false ```_ ### Scannerkonfiguration **Kundenspezifische Scanner-Optionen:** ```yaml # YARA scanner configuration ScanYara: options: location: "/etc/strelka/yara/" compiled_rules: true timeout: 60 # PE scanner configuration ScanPe: options: tmp_directory: "/tmp/strelka/" extract_resources: true extract_overlay: true # ZIP scanner configuration ScanZip: options: limit: 1000 password_file: "/etc/strelka/passwords.txt" # PDF scanner configuration ScanPdf: options: extract_text: true limit: 2000 ```_ ## Verwendung der Befehlszeile ### Basic File Scanning **Einzeldatei scannen:** ```bash # Scan a file strelka-oneshot /path/to/suspicious_file.exe # Scan with specific backend strelka-oneshot --backend localhost:57314 /path/to/file.pdf # Scan with JSON output strelka-oneshot --json /path/to/malware.zip ```_ ** Mehrere Dateien scannen:** ```bash # Scan directory find /path/to/files -type f -exec strelka-oneshot \\\\{\\\\} \; # Scan with parallel processing find /path/to/files -type f|xargs -P 4 -I \\\\{\\\\} strelka-oneshot \\\\{\\\\} # Scan specific file types find /path/to/files -name "*.exe" -exec strelka-oneshot \\\\{\\\\} \; ```_ ### Batch Processing **Regie Scanning:** ```bash # Scan entire directory strelka-dirstream --backend localhost:57314 /path/to/directory # Scan with file filtering strelka-dirstream --patterns "*.exe,*.dll,*.pdf" /path/to/directory # Scan with output to file strelka-dirstream /path/to/directory > scan_results.json ```_ ** Netzwerk-Streaming:** ```bash # Stream files from network share strelka-dirstream --backend remote-backend:57314 //server/share/files # Stream with authentication strelka-dirstream --username user --password pass //server/share ```_ ## API Verwendung ### REST API ** Datei zur Analyse eintragen:** ```bash # Submit single file curl -X POST \ -F "file=@suspicious_file.exe" \ http://localhost:57413/scan # Submit with metadata curl -X POST \ -F "file=@malware.zip" \ -F "source=email_attachment" \ -F "filename=attachment.zip" \ http://localhost:57413/scan ```_ **Bulk Dateieintrag:** ```bash # Submit multiple files curl -X POST \ -F "file1=@file1.exe" \ -F "file2=@file2.dll" \ -F "file3=@file3.pdf" \ http://localhost:57413/scan ```_ ### Python API **Basic Python Verwendung:** ```python import requests import json # Submit file for scanning def scan_file(file_path, strelka_url="http://localhost:57413"): with open(file_path, 'rb') as f: files = \\\\{'file': f\\\\} response = requests.post(f"\\\\{strelka_url\\\\}/scan", files=files) return response.json() # Scan file and parse results result = scan_file("/path/to/suspicious_file.exe") print(json.dumps(result, indent=2)) ```_ **Erweiterte Integration von Python:** ```python import requests import json import hashlib from pathlib import Path class StrelkaClient: def __init__(self, base_url="http://localhost:57413"): self.base_url = base_url def scan_file(self, file_path, metadata=None): """Scan a single file with optional metadata""" with open(file_path, 'rb') as f: files = \\\\{'file': f\\\\} data = metadata or \\\\{\\\\} response = requests.post(f"\\\\{self.base_url\\\\}/scan", files=files, data=data) return response.json() def scan_directory(self, directory_path, extensions=None): """Scan all files in a directory""" results = [] path = Path(directory_path) for file_path in path.rglob('*'): if file_path.is_file(): if extensions and file_path.suffix not in extensions: continue try: result = self.scan_file(file_path) results.append(\\\\{ 'file_path': str(file_path), 'scan_result': result \\\\}) except Exception as e: print(f"Error scanning \\\\{file_path\\\\}: \\\\{e\\\\}") return results def get_file_hash(self, file_path): """Calculate file hash""" sha256_hash = hashlib.sha256() with open(file_path, "rb") as f: for chunk in iter(lambda: f.read(4096), b""): sha256_hash.update(chunk) return sha256_hash.hexdigest() # Usage example client = StrelkaClient() result = client.scan_file("/path/to/malware.exe", metadata=\\\\{"source": "email", "priority": "high"\\\\}) ```_ ## Scanner-Module ### Dateianalyse Scanner **ScanFile - Dateityp Erkennung:** ```python # Identifies file types and MIME types # Output includes: \\\\{ "file": \\\\{ "flavors": \\\\{ "mime": ["application/x-executable"], "yara": ["pe_file"] \\\\}, "size": 1048576 \\\\} \\\\} ```_ **ScanHash - Hash Berechnung:** ```python # Calculates multiple hash types # Output includes: \\\\{ "hash": \\\\{ "md5": "d41d8cd98f00b204e9800998ecf8427e", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "ssdeep": "3::" \\\\} \\\\} ```_ **ScanEntropy - Entropy Analyse:** ```python # Analyzes file entropy for packing detection # Output includes: \\\\{ "entropy": \\\\{ "entropy": 7.8, "packed": true, "sections": [ \\\\{"name": ".text", "entropy": 6.2\\\\}, \\\\{"name": ".data", "entropy": 7.9\\\\} ] \\\\} \\\\} ```_ ### Ausführbare Analyse **ScanPe - PE Datei-Analyse:** ```python # Comprehensive PE file analysis # Output includes: \\\\{ "pe": \\\\{ "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744", "compile_time": "2023-01-15T10:30:00", "sections": [ \\\\{ "name": ".text", "virtual_address": "0x1000", "virtual_size": 65536, "raw_size": 65536, "entropy": 6.2, "md5": "abc123..." \\\\} ], "imports": [ \\\\{ "library": "kernel32.dll", "functions": ["CreateFileA", "ReadFile", "WriteFile"] \\\\} ], "exports": [], "resources": [ \\\\{ "type": "RT_VERSION", "language": "LANG_ENGLISH", "size": 1024 \\\\} ] \\\\} \\\\} ```_ ### Archivanalyse **ScanZip - ZIP Archiv Analyse:** ```python # Analyzes ZIP archives and extracts metadata # Output includes: \\\\{ "zip": \\\\{ "total_files": 5, "extracted_files": 3, "files": [ \\\\{ "filename": "document.pdf", "size": 1048576, "compressed_size": 524288, "crc32": "0x12345678", "modified_time": "2023-01-15T10:30:00" \\\\} ], "password_protected": false \\\\} \\\\} ```_ ### Dokumentenanalyse **ScanPdf - PDF Analyse:** ```python # Analyzes PDF documents for threats # Output includes: \\\\{ "pdf": \\\\{ "total_pages": 10, "author": "Unknown", "creator": "Microsoft Word", "producer": "Adobe PDF Library", "creation_date": "2023-01-15T10:30:00", "javascript": true, "embedded_files": 2, "forms": false, "suspicious_elements": [ "JavaScript code detected", "Embedded executable" ] \\\\} \\\\} ```_ ## YARA Integration ### YARA Regeln Konfiguration **Kunde YARA Regeln:** ```c rule Suspicious_PE_Characteristics \\\\{ meta: description = "Detects suspicious PE characteristics" author = "Security Team" date = "2023-01-15" strings: $mz = \\\\{ 4D 5A \\\\} $pe = "PE\x00\x00" condition: $mz at 0 and $pe and ( pe.number_of_sections < 3 or pe.number_of_sections > 10 or pe.entry_point < pe.sections[0].virtual_address ) \\\\} rule Packed_Executable \\\\{ meta: description = "Detects packed executables" condition: pe.is_pe and ( pe.sections[0].name contains "UPX" or pe.sections[0].name contains ".aspack" or pe.sections[0].name contains ".rlpack" ) \\\\} ```_ **YARA Regeln Verzeichnis Struktur:** ```bash /etc/strelka/yara/ ├── malware/ │ ├── apt.yar │ ├── ransomware.yar │ └── trojans.yar ├── packers/ │ ├── upx.yar │ ├── aspack.yar │ └── themida.yar └── general/ ├── suspicious.yar └── crypto.yar ```_ ### Compiled YARA Rules **Compile YARA Regeln:** ```bash # Compile individual rule file yarac /etc/strelka/yara/malware/apt.yar /etc/strelka/yara/compiled/apt.yarc # Compile all rules in directory find /etc/strelka/yara -name "*.yar" -exec yarac \\\\{\\\\} \\\\{\\\\}.compiled \; # Compile rules with includes yarac -d include_dir=/etc/strelka/yara/includes rules.yar rules.yarc ```_ ## Integrationsbeispiele ### ELK Stack Integration **Logstash Konfiguration:** ```ruby input \\\\{ file \\\\{ path => "/var/log/strelka/strelka.log" codec => json start_position => "beginning" \\\\} \\\\} filter \\\\{ if [event][scanner] == "ScanYara" \\\\{ mutate \\\\{ add_tag => ["yara_match"] \\\\} \\\\} if [event][scanner] == "ScanPe" \\\\{ mutate \\\\{ add_tag => ["pe_analysis"] \\\\} \\\\} date \\\\{ match => [ "time", "ISO8601" ] \\\\} \\\\} output \\\\{ elasticsearch \\\\{ hosts => ["localhost:9200"] index => "strelka-%\\\\{+YYYY.MM.dd\\\\}" \\\\} \\\\} ```_ ### MISP Integration **MISP Attribut Creation:** ```python import requests import json from pymisp import PyMISP def create_misp_event(strelka_result, misp_url, misp_key): """Create MISP event from Strelka scan results""" misp = PyMISP(misp_url, misp_key, ssl=False) # Create new event event = misp.new_event( distribution=0, threat_level_id=2, analysis=1, info=f"Strelka Analysis: \\\\{strelka_result.get('filename', 'Unknown')\\\\}" ) # Add file hash attributes if 'hash' in strelka_result: hashes = strelka_result['hash'] for hash_type, hash_value in hashes.items(): misp.add_attribute(event, hash_type, hash_value) # Add YARA matches if 'yara' in strelka_result: for match in strelka_result['yara']['matches']: misp.add_attribute(event, 'yara', match['rule']) # Add PE information if 'pe' in strelka_result: pe_info = strelka_result['pe'] if 'imphash' in pe_info: misp.add_attribute(event, 'imphash', pe_info['imphash']) return event ```_ ### Bedrohung der Intelligenz **Angemeldet Integration:** ```python import requests import time def enrich_with_virustotal(file_hash, vt_api_key): """Enrich Strelka results with VirusTotal data""" url = f"https://www.virustotal.com/vtapi/v2/file/report" params = \\\\{ 'apikey': vt_api_key, 'resource': file_hash \\\\} response = requests.get(url, params=params) if response.status_code == 200: return response.json() return None def process_strelka_results(strelka_result, vt_api_key): """Process Strelka results with threat intelligence""" enriched_result = strelka_result.copy() # Get file hash if 'hash' in strelka_result and 'sha256' in strelka_result['hash']: sha256 = strelka_result['hash']['sha256'] # Enrich with VirusTotal vt_result = enrich_with_virustotal(sha256, vt_api_key) if vt_result: enriched_result['virustotal'] = vt_result # Add threat score threat_score = calculate_threat_score(strelka_result, vt_result) enriched_result['threat_score'] = threat_score return enriched_result def calculate_threat_score(strelka_result, vt_result): """Calculate threat score based on analysis results""" score = 0 # YARA matches if 'yara' in strelka_result: score += len(strelka_result['yara']['matches']) * 10 # Entropy analysis if 'entropy' in strelka_result: if strelka_result['entropy'].get('packed', False): score += 20 # VirusTotal detections if vt_result and vt_result.get('positives', 0) > 0: score += vt_result['positives'] * 5 return min(score, 100) # Cap at 100 ```_ ## Überwachung und Alarmierung ### Leistungsüberwachung ** System Metrics:** ```bash # Monitor Strelka processes ps aux|grep strelka # Check memory usage free -h | cat /proc/meminfo | grep -E "(MemTotal | MemFree | MemAvailable)" | # Monitor disk usage df -h /tmp/strelka du -sh /tmp/strelka/* # Network connections | netstat -tulpn | grep -E "(57314 | 57413)" | ```_ **Application Metrics:** ```bash # Check backend status curl -s http://localhost:57314/health # Check frontend status curl -s http://localhost:57413/health # Monitor scan queue curl -s http://localhost:57413/stats|jq '.queue_size' # Check scan performance curl -s http://localhost:57413/metrics ```_ ### Konfiguration aktivieren **Prometheus Metriken:** ```yaml # prometheus.yml scrape_configs: - job_name: 'strelka' static_configs: - targets: ['localhost:57413'] metrics_path: '/metrics' scrape_interval: 30s ```_ **Währungsregeln:** ```yaml # strelka_alerts.yml groups: - name: strelka rules: - alert: StrelkaHighQueueSize expr: strelka_queue_size > 100 for: 5m labels: severity: warning annotations: summary: "Strelka queue size is high" - alert: StrelkaBackendDown expr: up\\\\{job="strelka"\\\\} == 0 for: 1m labels: severity: critical annotations: summary: "Strelka backend is down" ```_ ## Fehlerbehebung ### Gemeinsame Themen **Der Service beginnt nicht:** ```bash # Check Docker containers docker-compose ps docker-compose logs strelka-backend docker-compose logs strelka-frontend # Check configuration files strelka-backend --config /etc/strelka/backend.yaml --validate strelka-frontend --config /etc/strelka/frontend.yaml --validate # Check file permissions ls -la /etc/strelka/ ls -la /tmp/strelka/ ```_ ** Scannen von Problemen:** ```bash # Test backend connectivity telnet localhost 57314 # Test frontend API curl -v http://localhost:57413/health # Check scanner modules strelka-oneshot --list-scanners # Debug scanning strelka-oneshot --debug /path/to/test_file ```_ **Leistungsfragen:** ```bash # Monitor resource usage top -p $(pgrep -f strelka) iostat -x 1 # Check scan times grep "scan_time" /var/log/strelka/strelka.log # Analyze slow scans grep "timeout" /var/log/strelka/strelka.log ```_ ### Analyse der Ergebnisse **Debug Logging: ** ```yaml # logging.yaml version: 1 formatters: simple: format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s' handlers: console: class: logging.StreamHandler level: DEBUG formatter: simple loggers: strelka: level: DEBUG handlers: [console] ```_ **Log Monitoring: ** ```bash # Monitor real-time logs tail -f /var/log/strelka/strelka.log # Search for errors grep -i error /var/log/strelka/strelka.log # Analyze scan statistics | grep "scan_time" /var/log/strelka/strelka.log | awk '\\\\{print $NF\\\\}' | sort -n | ```_

Dieses umfassende Strelka-Catsheet umfasst Installation, Konfiguration, Scannen und erweiterte Integration für effektive Dateianalyse und Bedrohungserkennung.