Strelka
Strelka Cheatsheet
Strelka es un sistema de análisis de archivos en tiempo real diseñado para la caza de amenazas, inteligencia de amenazas y respuesta a incidentes. Realiza la extracción de archivos y la colección de metadatos a escala, permitiendo a los equipos de seguridad analizar archivos sospechosos e identificar posibles amenazas a través del análisis integral de archivos y el enriquecimiento.
## Instalación y configuración
### Docker Instalación (Recomendada)
Inicio rápido con Docker Compose:**
**Custom Docker Compose:**
### Instalación nativa
**Ubuntu/Debian Instalación:**
**CentOS/RHEL Instalación:**
## Configuración
### Backend Configuration
**backend.yaml:**
## Configuración de Frontend
**frontend.yaml:**
Configuración de escáneres
** Opciones de escáner de átomos:**
## Command Line Usage
### Escaneo de archivos básicos
**Scan Single File:**
**Scan Multiple Files:**
## Batch Processing
**Escaneamiento de directorio:**
**Cambio de red:**
## API Usage
### REST API
**Enviar archivo para el análisis:**
**Bulk File Submission:**
#### Python API
**Python básico Usage:**
** Integración avanzada del pitón:**
## Scanner Modules
## Análisis de archivos escáneres
**ScanFile - Detección del tipo de archivo:**
**ScanHash - Hash Calculation:**
**ScanEntropy - Entropy Analysis:**
### Executable Analysis
**ScanPe - PE File Analysis:**
#### Archive Analysis
**ScanZip - ZIP Archive Analysis:**
### Document Analysis
**ScanPdf - PDF Análisis**
## YARA Integration
### YARA Rules Configuration
**Reglas generales de la YARA**
**YARA Rules Directory Structure:**
#### Compiled YARA Rules
**Reglas de YARA Compile:**
## Integración Ejemplos
### ELK Stack Integration
**Configuración Logstash:**
### MISP Integration
**MISP Creación de atributos:**
## Threat Intelligence Enrichment
**VirusTotal Integración**
## Monitoring and Alerting
### Performance Monitoring
**Metrices de sistema:**
**Metrices de aplicación:**
### Alerting Configuration
**Prometheus Metrics:**
** Reglas de admisión**
## Troubleshooting
#### Common Issues
**El servicio no comienza:**
**Scanning Issues:**
** Cuestiones de desempeño**
### Log Analysis
**Debug Logging: #
**Log Monitoring: #
# Clone Strelka repository
git clone https://github.com/target/strelka.git
cd strelka
# Build and start services
docker-compose up -d
# Verify services are running
docker-compose ps
version: '3.8'
services:
strelka-backend:
image: target/strelka:latest
container_name: strelka-backend
command: strelka-backend
volumes:
- ./configs/python/backend/backend.yaml:/etc/strelka/backend.yaml:ro
- ./configs/python/backend/logging.yaml:/etc/strelka/logging.yaml:ro
ports:
- "57314:57314"
networks:
- strelka-net
strelka-frontend:
image: target/strelka:latest
container_name: strelka-frontend
command: strelka-frontend
volumes:
- ./configs/python/frontend/frontend.yaml:/etc/strelka/frontend.yaml:ro
- ./configs/python/frontend/logging.yaml:/etc/strelka/logging.yaml:ro
- /tmp/strelka:/tmp/strelka
ports:
- "57413:57413"
depends_on:
- strelka-backend
networks:
- strelka-net
networks:
strelka-net:
driver: bridge
# Install dependencies
sudo apt-get update
sudo apt-get install -y python3 python3-pip python3-dev
sudo apt-get install -y build-essential libssl-dev libffi-dev
sudo apt-get install -y yara libyara-dev
# Install Python dependencies
pip3 install --upgrade pip
pip3 install strelka-scanner
# Install additional analysis tools
sudo apt-get install -y file binwalk exiftool
sudo apt-get install -y upx-ucl unrar-free p7zip-full
# Install EPEL repository
sudo yum install -y epel-release
# Install dependencies
sudo yum groupinstall -y "Development Tools"
sudo yum install -y python3 python3-pip python3-devel
sudo yum install -y openssl-devel libffi-devel yara-devel
# Install Strelka
pip3 install strelka-scanner
# Install analysis tools
sudo yum install -y file binwalk perl-Image-ExifTool
sudo yum install -y upx unrar p7zip
# Backend server configuration
server:
host: "0.0.0.0"
port: 57314
max_workers: 4
# Scanner configuration
scanners:
- name: "ScanEntropy"
priority: 5
- name: "ScanExiftool"
priority: 5
- name: "ScanFile"
priority: 5
- name: "ScanHash"
priority: 5
- name: "ScanHeader"
priority: 5
- name: "ScanPe"
priority: 5
options:
tmp_directory: "/tmp/strelka/"
- name: "ScanYara"
priority: 5
options:
location: "/etc/strelka/yara/"
# Taste configuration
taste:
- filename: ".*\\.exe$"
scanner: "ScanPe"
- filename: ".*\\.dll$"
scanner: "ScanPe"
- mime: "application/pdf"
scanner: "ScanPdf"
- mime: "application/zip"
scanner: "ScanZip"
# Frontend server configuration
server:
host: "0.0.0.0"
port: 57413
# Backend connection
backend:
host: "strelka-backend"
port: 57314
# Request limits
limits:
max_file_size: 268435456 # 256MB
time_to_live: 60
max_files_per_request: 100
# Response configuration
response:
log_extracted_files: true
log_thumbnails: false
# YARA scanner configuration
ScanYara:
options:
location: "/etc/strelka/yara/"
compiled_rules: true
timeout: 60
# PE scanner configuration
ScanPe:
options:
tmp_directory: "/tmp/strelka/"
extract_resources: true
extract_overlay: true
# ZIP scanner configuration
ScanZip:
options:
limit: 1000
password_file: "/etc/strelka/passwords.txt"
# PDF scanner configuration
ScanPdf:
options:
extract_text: true
limit: 2000
# Scan a file
strelka-oneshot /path/to/suspicious_file.exe
# Scan with specific backend
strelka-oneshot --backend localhost:57314 /path/to/file.pdf
# Scan with JSON output
strelka-oneshot --json /path/to/malware.zip
# Scan directory
find /path/to/files -type f -exec strelka-oneshot \\\\{\\\\} \;
# Scan with parallel processing
find /path/to/files -type f|xargs -P 4 -I \\\\{\\\\} strelka-oneshot \\\\{\\\\}
# Scan specific file types
find /path/to/files -name "*.exe" -exec strelka-oneshot \\\\{\\\\} \;
# Scan entire directory
strelka-dirstream --backend localhost:57314 /path/to/directory
# Scan with file filtering
strelka-dirstream --patterns "*.exe,*.dll,*.pdf" /path/to/directory
# Scan with output to file
strelka-dirstream /path/to/directory > scan_results.json
# Stream files from network share
strelka-dirstream --backend remote-backend:57314 //server/share/files
# Stream with authentication
strelka-dirstream --username user --password pass //server/share
# Submit single file
curl -X POST \
-F "file=@suspicious_file.exe" \
http://localhost:57413/scan
# Submit with metadata
curl -X POST \
-F "file=@malware.zip" \
-F "source=email_attachment" \
-F "filename=attachment.zip" \
http://localhost:57413/scan
# Submit multiple files
curl -X POST \
-F "file1=@file1.exe" \
-F "file2=@file2.dll" \
-F "file3=@file3.pdf" \
http://localhost:57413/scan
import requests
import json
# Submit file for scanning
def scan_file(file_path, strelka_url="http://localhost:57413"):
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
response = requests.post(f"\\\\{strelka_url\\\\}/scan", files=files)
return response.json()
# Scan file and parse results
result = scan_file("/path/to/suspicious_file.exe")
print(json.dumps(result, indent=2))
import requests
import json
import hashlib
from pathlib import Path
class StrelkaClient:
def __init__(self, base_url="http://localhost:57413"):
self.base_url = base_url
def scan_file(self, file_path, metadata=None):
"""Scan a single file with optional metadata"""
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
data = metadata or \\\\{\\\\}
response = requests.post(f"\\\\{self.base_url\\\\}/scan",
files=files, data=data)
return response.json()
def scan_directory(self, directory_path, extensions=None):
"""Scan all files in a directory"""
results = []
path = Path(directory_path)
for file_path in path.rglob('*'):
if file_path.is_file():
if extensions and file_path.suffix not in extensions:
continue
try:
result = self.scan_file(file_path)
results.append(\\\\{
'file_path': str(file_path),
'scan_result': result
\\\\})
except Exception as e:
print(f"Error scanning \\\\{file_path\\\\}: \\\\{e\\\\}")
return results
def get_file_hash(self, file_path):
"""Calculate file hash"""
sha256_hash = hashlib.sha256()
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
sha256_hash.update(chunk)
return sha256_hash.hexdigest()
# Usage example
client = StrelkaClient()
result = client.scan_file("/path/to/malware.exe",
metadata=\\\\{"source": "email", "priority": "high"\\\\})
# Identifies file types and MIME types
# Output includes:
\\\\{
"file": \\\\{
"flavors": \\\\{
"mime": ["application/x-executable"],
"yara": ["pe_file"]
\\\\},
"size": 1048576
\\\\}
\\\\}
# Calculates multiple hash types
# Output includes:
\\\\{
"hash": \\\\{
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"ssdeep": "3::"
\\\\}
\\\\}
# Analyzes file entropy for packing detection
# Output includes:
\\\\{
"entropy": \\\\{
"entropy": 7.8,
"packed": true,
"sections": [
\\\\{"name": ".text", "entropy": 6.2\\\\},
\\\\{"name": ".data", "entropy": 7.9\\\\}
]
\\\\}
\\\\}
# Comprehensive PE file analysis
# Output includes:
\\\\{
"pe": \\\\{
"imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
"compile_time": "2023-01-15T10:30:00",
"sections": [
\\\\{
"name": ".text",
"virtual_address": "0x1000",
"virtual_size": 65536,
"raw_size": 65536,
"entropy": 6.2,
"md5": "abc123..."
\\\\}
],
"imports": [
\\\\{
"library": "kernel32.dll",
"functions": ["CreateFileA", "ReadFile", "WriteFile"]
\\\\}
],
"exports": [],
"resources": [
\\\\{
"type": "RT_VERSION",
"language": "LANG_ENGLISH",
"size": 1024
\\\\}
]
\\\\}
\\\\}
# Analyzes ZIP archives and extracts metadata
# Output includes:
\\\\{
"zip": \\\\{
"total_files": 5,
"extracted_files": 3,
"files": [
\\\\{
"filename": "document.pdf",
"size": 1048576,
"compressed_size": 524288,
"crc32": "0x12345678",
"modified_time": "2023-01-15T10:30:00"
\\\\}
],
"password_protected": false
\\\\}
\\\\}
# Analyzes PDF documents for threats
# Output includes:
\\\\{
"pdf": \\\\{
"total_pages": 10,
"author": "Unknown",
"creator": "Microsoft Word",
"producer": "Adobe PDF Library",
"creation_date": "2023-01-15T10:30:00",
"javascript": true,
"embedded_files": 2,
"forms": false,
"suspicious_elements": [
"JavaScript code detected",
"Embedded executable"
]
\\\\}
\\\\}
rule Suspicious_PE_Characteristics
\\\\{
meta:
description = "Detects suspicious PE characteristics"
author = "Security Team"
date = "2023-01-15"
strings:
$mz = \\\\{ 4D 5A \\\\}
$pe = "PE\x00\x00"
condition:
$mz at 0 and $pe and
(
pe.number_of_sections < 3 or
pe.number_of_sections > 10 or
pe.entry_point < pe.sections[0].virtual_address
)
\\\\}
rule Packed_Executable
\\\\{
meta:
description = "Detects packed executables"
condition:
pe.is_pe and
(
pe.sections[0].name contains "UPX" or
pe.sections[0].name contains ".aspack" or
pe.sections[0].name contains ".rlpack"
)
\\\\}
/etc/strelka/yara/
├── malware/
│ ├── apt.yar
│ ├── ransomware.yar
│ └── trojans.yar
├── packers/
│ ├── upx.yar
│ ├── aspack.yar
│ └── themida.yar
└── general/
├── suspicious.yar
└── crypto.yar
# Compile individual rule file
yarac /etc/strelka/yara/malware/apt.yar /etc/strelka/yara/compiled/apt.yarc
# Compile all rules in directory
find /etc/strelka/yara -name "*.yar" -exec yarac \\\\{\\\\} \\\\{\\\\}.compiled \;
# Compile rules with includes
yarac -d include_dir=/etc/strelka/yara/includes rules.yar rules.yarc
input \\\\{
file \\\\{
path => "/var/log/strelka/strelka.log"
codec => json
start_position => "beginning"
\\\\}
\\\\}
filter \\\\{
if [event][scanner] == "ScanYara" \\\\{
mutate \\\\{
add_tag => ["yara_match"]
\\\\}
\\\\}
if [event][scanner] == "ScanPe" \\\\{
mutate \\\\{
add_tag => ["pe_analysis"]
\\\\}
\\\\}
date \\\\{
match => [ "time", "ISO8601" ]
\\\\}
\\\\}
output \\\\{
elasticsearch \\\\{
hosts => ["localhost:9200"]
index => "strelka-%\\\\{+YYYY.MM.dd\\\\}"
\\\\}
\\\\}
import requests
import json
from pymisp import PyMISP
def create_misp_event(strelka_result, misp_url, misp_key):
"""Create MISP event from Strelka scan results"""
misp = PyMISP(misp_url, misp_key, ssl=False)
# Create new event
event = misp.new_event(
distribution=0,
threat_level_id=2,
analysis=1,
info=f"Strelka Analysis: \\\\{strelka_result.get('filename', 'Unknown')\\\\}"
)
# Add file hash attributes
if 'hash' in strelka_result:
hashes = strelka_result['hash']
for hash_type, hash_value in hashes.items():
misp.add_attribute(event, hash_type, hash_value)
# Add YARA matches
if 'yara' in strelka_result:
for match in strelka_result['yara']['matches']:
misp.add_attribute(event, 'yara', match['rule'])
# Add PE information
if 'pe' in strelka_result:
pe_info = strelka_result['pe']
if 'imphash' in pe_info:
misp.add_attribute(event, 'imphash', pe_info['imphash'])
return event
import requests
import time
def enrich_with_virustotal(file_hash, vt_api_key):
"""Enrich Strelka results with VirusTotal data"""
url = f"https://www.virustotal.com/vtapi/v2/file/report"
params = \\\\{
'apikey': vt_api_key,
'resource': file_hash
\\\\}
response = requests.get(url, params=params)
if response.status_code == 200:
return response.json()
return None
def process_strelka_results(strelka_result, vt_api_key):
"""Process Strelka results with threat intelligence"""
enriched_result = strelka_result.copy()
# Get file hash
if 'hash' in strelka_result and 'sha256' in strelka_result['hash']:
sha256 = strelka_result['hash']['sha256']
# Enrich with VirusTotal
vt_result = enrich_with_virustotal(sha256, vt_api_key)
if vt_result:
enriched_result['virustotal'] = vt_result
# Add threat score
threat_score = calculate_threat_score(strelka_result, vt_result)
enriched_result['threat_score'] = threat_score
return enriched_result
def calculate_threat_score(strelka_result, vt_result):
"""Calculate threat score based on analysis results"""
score = 0
# YARA matches
if 'yara' in strelka_result:
score += len(strelka_result['yara']['matches']) * 10
# Entropy analysis
if 'entropy' in strelka_result:
if strelka_result['entropy'].get('packed', False):
score += 20
# VirusTotal detections
if vt_result and vt_result.get('positives', 0) > 0:
score += vt_result['positives'] * 5
return min(score, 100) # Cap at 100
# Monitor Strelka processes
ps aux|grep strelka
# Check memory usage
free -h
cat /proc/meminfo|grep -E "(MemTotal|MemFree|MemAvailable)"
# Monitor disk usage
df -h /tmp/strelka
du -sh /tmp/strelka/*
# Network connections
netstat -tulpn|grep -E "(57314|57413)"
# Check backend status
curl -s http://localhost:57314/health
# Check frontend status
curl -s http://localhost:57413/health
# Monitor scan queue
curl -s http://localhost:57413/stats|jq '.queue_size'
# Check scan performance
curl -s http://localhost:57413/metrics
# prometheus.yml
scrape_configs:
- job_name: 'strelka'
static_configs:
- targets: ['localhost:57413']
metrics_path: '/metrics'
scrape_interval: 30s
# strelka_alerts.yml
groups:
- name: strelka
rules:
- alert: StrelkaHighQueueSize
expr: strelka_queue_size > 100
for: 5m
labels:
severity: warning
annotations:
summary: "Strelka queue size is high"
- alert: StrelkaBackendDown
expr: up\\\\{job="strelka"\\\\} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Strelka backend is down"
# Check Docker containers
docker-compose ps
docker-compose logs strelka-backend
docker-compose logs strelka-frontend
# Check configuration files
strelka-backend --config /etc/strelka/backend.yaml --validate
strelka-frontend --config /etc/strelka/frontend.yaml --validate
# Check file permissions
ls -la /etc/strelka/
ls -la /tmp/strelka/
# Test backend connectivity
telnet localhost 57314
# Test frontend API
curl -v http://localhost:57413/health
# Check scanner modules
strelka-oneshot --list-scanners
# Debug scanning
strelka-oneshot --debug /path/to/test_file
# Monitor resource usage
top -p $(pgrep -f strelka)
iostat -x 1
# Check scan times
grep "scan_time" /var/log/strelka/strelka.log
# Analyze slow scans
grep "timeout" /var/log/strelka/strelka.log
Esta amplia hoja de trampa Strelka cubre la instalación, configuración, operaciones de escaneo e integración avanzada para el análisis eficaz de archivos y la detección de amenazas.