Strelka Cheatsheet
Strelka is a real-time file scanning system designed for caza de amenazas, Inteligencia de Amenazas, and respuesta a incidentes. It performs file extraction and metadata collection at scale, enabling security teams to analyze suspicious files and identify potential threats through comprehensive file analysis and enrichment.
## instalación and Setup
### Docker instalación (Recommended)
**Quick Start with Docker Compose:**
# Clone Strelka repository
git clone https://github.com/objetivo/strelka.git
cd strelka
# Build and start servicios
docker-compose up -d
# Verify servicios are running
docker-compose ps
version: '3.8'
servicios:
strelka-backend:
image: objetivo/strelka:latest
container_name: strelka-backend
comando: strelka-backend
volumes:
- ./configs/python/backend/backend.yaml:/etc/strelka/backend.yaml:ro
- ./configs/python/backend/logging.yaml:/etc/strelka/logging.yaml:ro
puertos:
- "57314:57314"
networks:
- strelka-net
strelka-frontend:
image: objetivo/strelka:latest
container_name: strelka-frontend
comando: strelka-frontend
volumes:
- ./configs/python/frontend/frontend.yaml:/etc/strelka/frontend.yaml:ro
- ./configs/python/frontend/logging.yaml:/etc/strelka/logging.yaml:ro
- /tmp/strelka:/tmp/strelka
puertos:
- "57413:57413"
depends_on:
- strelka-backend
networks:
- strelka-net
networks:
strelka-net:
driver: bridge
# Install dependencies
sudo apt-get update
sudo apt-get install -y python3 python3-pip python3-dev
sudo apt-get install -y build-essential libssl-dev libffi-dev
sudo apt-get install -y yara libyara-dev
# Install Python dependencies
pip3 install --upgrade pip
pip3 install strelka-scanner
# Install additional analysis tools
sudo apt-get install -y file binwalk exiftool
sudo apt-get install -y upx-ucl unrar-free p7zip-full
# Install EPEL repository
sudo yum install -y epel-release
# Install dependencies
sudo yum groupinstall -y "Development Tools"
sudo yum install -y python3 python3-pip python3-devel
sudo yum install -y openssl-devel libffi-devel yara-devel
# Install Strelka
pip3 install strelka-scanner
# Install analysis tools
sudo yum install -y file binwalk perl-Image-ExifTool
sudo yum install -y upx unrar p7zip
# Backend server configuración
server:
host: "0.0.0.0"
puerto: 57314
max_workers: 4
# Scanner configuración
scanners:
- name: "ScanEntropy"
priority: 5
- name: "ScanExiftool"
priority: 5
- name: "ScanFile"
priority: 5
- name: "Scanhash"
priority: 5
- name: "ScanHeader"
priority: 5
- name: "ScanPe"
priority: 5
opcións:
tmp_directory: "/tmp/strelka/"
- name: "ScanYara"
priority: 5
opcións:
location: "/etc/strelka/yara/"
# Taste configuración
taste:
- filename: ".*\\.exe$"
scanner: "ScanPe"
- filename: ".*\\.dll$"
scanner: "ScanPe"
- mime: "application/pdf"
scanner: "ScanPdf"
- mime: "application/zip"
scanner: "ScanZip"
# Frontend server configuración
server:
host: "0.0.0.0"
puerto: 57413
# Backend conexión
backend:
host: "strelka-backend"
puerto: 57314
# Request limits
limits:
max_file_size: 268435456 # 256MB
time_to_live: 60
max_files_per_request: 100
# Response configuración
response:
log_extracted_files: true
log_thumbnails: false
# YARA scanner configuración
ScanYara:
opcións:
location: "/etc/strelka/yara/"
compiled_rules: true
timeout: 60
# PE scanner configuración
ScanPe:
opcións:
tmp_directory: "/tmp/strelka/"
extract_resources: true
extract_overlay: true
# ZIP scanner configuración
ScanZip:
opcións:
limit: 1000
contraseña_file: "/etc/strelka/contraseñas.txt"
# PDF scanner configuración
ScanPdf:
opcións:
extract_text: true
limit: 2000
# Scan a file
strelka-oneshot /path/to/suspicious_file.exe
# Scan with specific backend
strelka-oneshot --backend localhost:57314 /path/to/file.pdf
# Scan with JSON output
strelka-oneshot --json /path/to/malware.zip
# Scan directory
find /path/to/files -type f -exec strelka-oneshot \\\\{\\\\} \;
# Scan with parallel procesoing
find /path/to/files -type f|xargs -P 4 -I \\\\{\\\\} strelka-oneshot \\\\{\\\\}
# Scan specific file types
find /path/to/files -name "*.exe" -exec strelka-oneshot \\\\{\\\\} \;
# Scan entire directory
strelka-dirstream --backend localhost:57314 /path/to/directory
# Scan with file filtering
strelka-dirstream --patterns "*.exe,*.dll,*.pdf" /path/to/directory
# Scan with output to file
strelka-dirstream /path/to/directory > scan_results.json
# Stream files from network share
strelka-dirstream --backend remote-backend:57314 //server/share/files
# Stream with autenticación
strelka-dirstream --nombre de usuario user --contraseña pass //server/share
# Submit single file
curl -X POST \
-F "file=@suspicious_file.exe" \
http://localhost:57413/scan
# Submit with metadata
curl -X POST \
-F "file=@malware.zip" \
-F "source=email_attachment" \
-F "filename=attachment.zip" \
http://localhost:57413/scan
# Submit multiple files
curl -X POST \
-F "file1=@file1.exe" \
-F "file2=@file2.dll" \
-F "file3=@file3.pdf" \
http://localhost:57413/scan
impuerto requests
impuerto json
# Submit file for scanning
def scan_file(file_path, strelka_url="http://localhost:57413"):
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
response = requests.post(f"\\\\{strelka_url\\\\}/scan", files=files)
return response.json()
# Scan file and parse results
result = scan_file("/path/to/suspicious_file.exe")
print(json.dumps(result, indent=2))
impuerto requests
impuerto json
impuerto hashlib
from pathlib impuerto Path
class StrelkaClient:
def __init__(self, base_url="http://localhost:57413"):
self.base_url = base_url
def scan_file(self, file_path, metadata=None):
"""Scan a single file with opciónal metadata"""
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
data = metadata or \\\\{\\\\}
response = requests.post(f"\\\\{self.base_url\\\\}/scan",
files=files, data=data)
return response.json()
def scan_directory(self, directory_path, extensions=None):
"""Scan all files in a directory"""
results = []
path = Path(directory_path)
for file_path in path.rglob('*'):
if file_path.is_file():
if extensions and file_path.suffix not in extensions:
continue
try:
result = self.scan_file(file_path)
results.append(\\\\{
'file_path': str(file_path),
'scan_result': result
\\\\})
except Exception as e:
print(f"Error scanning \\\\{file_path\\\\}: \\\\{e\\\\}")
return results
def get_file_hash(self, file_path):
"""Calculate file hash"""
sha256_hash = hashlib.sha256()
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
sha256_hash.update(chunk)
return sha256_hash.hexdigest()
# uso ejemplo
client = StrelkaClient()
result = client.scan_file("/path/to/malware.exe",
metadata=\\\\{"source": "email", "priority": "high"\\\\})
# Identifies file types and MIME types
# Output includes:
\\\\{
"file": \\\\{
"flavors": \\\\{
"mime": ["application/x-executable"],
"yara": ["pe_file"]
\\\\},
"size": 1048576
\\\\}
\\\\}
# Calculates multiple hash types
# Output includes:
\\\\{
"hash": \\\\{
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"ssdeep": "3::"
\\\\}
\\\\}
# Analyzes file entropy for packing detection
# Output includes:
\\\\{
"entropy": \\\\{
"entropy": 7.8,
"packed": true,
"sections": [
\\\\{"name": ".text", "entropy": 6.2\\\\},
\\\\{"name": ".data", "entropy": 7.9\\\\}
]
\\\\}
\\\\}
# Comprehensive PE file analysis
# Output includes:
\\\\{
"pe": \\\\{
"imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
"compile_time": "2023-01-15T10:30:00",
"sections": [
\\\\{
"name": ".text",
"virtual_address": "0x1000",
"virtual_size": 65536,
"raw_size": 65536,
"entropy": 6.2,
"md5": "abc123..."
\\\\}
],
"impuertos": [
\\\\{
"library": "kernel32.dll",
"functions": ["CreateFileA", "ReadFile", "WriteFile"]
\\\\}
],
"expuertos": [],
"resources": [
\\\\{
"type": "RT_VERSION",
"language": "LANG_ENGLISH",
"size": 1024
\\\\}
]
\\\\}
\\\\}
# Analyzes ZIP archives and extracts metadata
# Output includes:
\\\\{
"zip": \\\\{
"total_files": 5,
"extracted_files": 3,
"files": [
\\\\{
"filename": "document.pdf",
"size": 1048576,
"compressed_size": 524288,
"crc32": "0x12345678",
"modified_time": "2023-01-15T10:30:00"
\\\\}
],
"contraseña_protected": false
\\\\}
\\\\}
# Analyzes PDF documents for threats
# Output includes:
\\\\{
"pdf": \\\\{
"total_pages": 10,
"author": "Unknown",
"creator": "Microsoft Word",
"producer": "Adobe PDF Library",
"creation_date": "2023-01-15T10:30:00",
"javascript": true,
"embedded_files": 2,
"forms": false,
"suspicious_elements": [
"JavaScript code detected",
"Embedded executable"
]
\\\\}
\\\\}
rule Suspicious_PE_Characteristics
\\\\{
meta:
Descripción = "Detects suspicious PE characteristics"
author = "Security Team"
date = "2023-01-15"
strings:
$mz = \\\\{ 4D 5A \\\\}
$pe = "PE\x00\x00"
condition:
$mz at 0 and $pe and
(
pe.number_of_sections < 3 or
pe.number_of_sections > 10 or
pe.entry_point < pe.sections[0].virtual_address
)
\\\\}
rule Packed_Executable
\\\\{
meta:
Descripción = "Detects packed executables"
condition:
pe.is_pe and
(
pe.sections[0].name contains "UPX" or
pe.sections[0].name contains ".aspack" or
pe.sections[0].name contains ".rlpack"
)
\\\\}
/etc/strelka/yara/
├── malware/
│ ├── apt.yar
│ ├── ransomware.yar
│ └── troyanos.yar
├── packers/
│ ├── upx.yar
│ ├── aspack.yar
│ └── themida.yar
└── general/
├── suspicious.yar
└── crypto.yar
# Compile individual rule file
yarac /etc/strelka/yara/malware/apt.yar /etc/strelka/yara/compiled/apt.yarc
# Compile all rules in directory
find /etc/strelka/yara -name "*.yar" -exec yarac \\\\{\\\\} \\\\{\\\\}.compiled \;
# Compile rules with includes
yarac -d include_dir=/etc/strelka/yara/includes rules.yar rules.yarc
input \\\\{
file \\\\{
path => "/var/log/strelka/strelka.log"
codec => json
start_position => "beginning"
\\\\}
\\\\}
filter \\\\{
if [event][scanner] == "ScanYara" \\\\{
mutate \\\\{
add_tag => ["yara_match"]
\\\\}
\\\\}
if [event][scanner] == "ScanPe" \\\\{
mutate \\\\{
add_tag => ["pe_analysis"]
\\\\}
\\\\}
date \\\\{
match => [ "time", "ISO8601" ]
\\\\}
\\\\}
output \\\\{
elasticsearch \\\\{
hosts => ["localhost:9200"]
index => "strelka-%\\\\{+YYYY.MM.dd\\\\}"
\\\\}
\\\\}
impuerto requests
impuerto json
from pymisp impuerto PyMISP
def create_misp_event(strelka_result, misp_url, misp_clave):
"""Create MISP event from Strelka scan results"""
misp = PyMISP(misp_url, misp_clave, ssl=False)
# Create new event
event = misp.new_event(
distribution=0,
threat_level_id=2,
analysis=1,
info=f"Strelka Analysis: \\\\{strelka_result.get('filename', 'Unknown')\\\\}"
)
# Add file hash attributes
if 'hash' in strelka_result:
hashes = strelka_result['hash']
for hash_type, hash_value in hashes.items():
misp.add_attribute(event, hash_type, hash_value)
# Add YARA matches
if 'yara' in strelka_result:
for match in strelka_result['yara']['matches']:
misp.add_attribute(event, 'yara', match['rule'])
# Add PE information
if 'pe' in strelka_result:
pe_info = strelka_result['pe']
if 'imphash' in pe_info:
misp.add_attribute(event, 'imphash', pe_info['imphash'])
return event
impuerto requests
impuerto time
def enrich_with_virustotal(file_hash, vt_api_clave):
"""Enrich Strelka results with VirusTotal data"""
url = f"https://www.virustotal.com/vtapi/v2/file/repuerto"
params = \\\\{
'apiclave': vt_api_clave,
'resource': file_hash
\\\\}
response = requests.get(url, params=params)
if response.status_code == 200:
return response.json()
return None
def proceso_strelka_results(strelka_result, vt_api_clave):
"""proceso Strelka results with Inteligencia de Amenazas"""
enriched_result = strelka_result.copy()
# Get file hash
if 'hash' in strelka_result and 'sha256' in strelka_result['hash']:
sha256 = strelka_result['hash']['sha256']
# Enrich with VirusTotal
vt_result = enrich_with_virustotal(sha256, vt_api_clave)
if vt_result:
enriched_result['virustotal'] = vt_result
# Add threat score
threat_score = calculate_threat_score(strelka_result, vt_result)
enriched_result['threat_score'] = threat_score
return enriched_result
def calculate_threat_score(strelka_result, vt_result):
"""Calculate threat score based on analysis results"""
score = 0
# YARA matches
if 'yara' in strelka_result:
score += len(strelka_result['yara']['matches']) * 10
# Entropy analysis
if 'entropy' in strelka_result:
if strelka_result['entropy'].get('packed', False):
score += 20
# VirusTotal detections
if vt_result and vt_result.get('positives', 0) > 0:
score += vt_result['positives'] * 5
return min(score, 100) # Cap at 100
# Monitor Strelka procesoes
ps aux|grep strelka
# Check memory uso
free -h
| cat /proc/meminfo | grep -E "(MemTotal | MemFree | MemAvailable)" |
# Monitor disk uso
df -h /tmp/strelka
du -sh /tmp/strelka/*
# Network conexións
| netstat -tulpn | grep -E "(57314 | 57413)" |
# Check backend status
curl -s http://localhost:57314/health
# Check frontend status
curl -s http://localhost:57413/health
# Monitor scan queue
curl -s http://localhost:57413/stats|jq '.queue_size'
# Check scan performance
curl -s http://localhost:57413/metrics
# prometheus.yml
scrape_configs:
- job_name: 'strelka'
static_configs:
- objetivos: ['localhost:57413']
metrics_path: '/metrics'
scrape_interval: 30s
# strelka_alerts.yml
groups:
- name: strelka
rules:
- alert: StrelkaHighQueueSize
expr: strelka_queue_size > 100
for: 5m
labels:
severity: warning
annotations:
summary: "Strelka queue size is high"
- alert: StrelkaBackendDown
expr: up\\\\{job="strelka"\\\\} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Strelka backend is down"
# Check Docker containers
docker-compose ps
docker-compose logs strelka-backend
docker-compose logs strelka-frontend
# Check configuración files
strelka-backend --config /etc/strelka/backend.yaml --validate
strelka-frontend --config /etc/strelka/frontend.yaml --validate
# Check file permissions
ls -la /etc/strelka/
ls -la /tmp/strelka/
# Test backend connectivity
telnet localhost 57314
# Test frontend API
curl -v http://localhost:57413/health
# Check scanner modules
strelka-oneshot --list-scanners
# Debug scanning
strelka-oneshot --debug /path/to/test_file
# Monitor resource uso
top -p $(pgrep -f strelka)
iostat -x 1
# Check scan times
grep "scan_time" /var/log/strelka/strelka.log
# Analyze slow scans
grep "timeout" /var/log/strelka/strelka.log
# logging.yaml
version: 1
formatters:
simple:
format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
level: DEBUG
formatter: simple
loggers:
strelka:
level: DEBUG
handlers: [console]
# Monitor real-time logs
tail -f /var/log/strelka/strelka.log
# Search for errors
grep -i error /var/log/strelka/strelka.log
# Analyze scan statistics
| grep "scan_time" /var/log/strelka/strelka.log | awk '\\\\{print $NF\\\\}' | sort -n |
This comprehensive Strelka cheatsheet covers instalación, configuración, scanning operations, and advanced integration for effective file analysis and threat detection.