Strelka Cheatsheet¶
Strelka is a real-time file scanning system designed for chasse aux menaces, Renseignement sur les Menaces, and réponse aux incidents. It performs file extraction and metadata collection at scale, enabling security teams to analyze suspicious files and identify potential threats through comprehensive file analysis and enrichment.
## Installation and Setup
### Docker Installation (Recommended)
**Quick Start with Docker Compose:**
**Custom Docker Compose:**
### Native Installation
**Ubuntu/Debian Installation:**
**CentOS/RHEL Installation:**
## configuration
### Backend configuration
**backend.yaml:**
### Frontend configuration
**frontend.yaml:**
### Scanner configuration
**Custom Scanner options:**
## commande Line utilisation
### Basic File Scanning
**Scan Single File:**
**Scan Multiple Files:**
### Batch processusing
**Directory Scanning:**
**Network Streaming:**
## API utilisation
### REST API
**Submit File for Analysis:**
**Bulk File Submission:**
### Python API
**Basic Python utilisation:**
**Advanced Python Integration:**
## Scanner Modules
### File Analysis Scanners
**ScanFile - File Type Detection:**
**Scanhash - hash Calculation:**
**ScanEntropy - Entropy Analysis:**
### Executable Analysis
**ScanPe - PE File Analysis:**
### Archive Analysis
**ScanZip - ZIP Archive Analysis:**
### Document Analysis
**ScanPdf - PDF Analysis:**
## YARA Integration
### YARA Rules configuration
**Custom YARA Rules:**
**YARA Rules Directory Structure:**
### Compiled YARA Rules
**Compile YARA Rules:**
## Integration exemples
### ELK Stack Integration
**Logstash configuration:**
### MISP Integration
**MISP Attribute Creation:**
### Renseignement sur les Menaces Enrichment
**VirusTotal Integration:**
## Monitoring and Alerting
### Performance Monitoring
**System Metrics:**
**Application Metrics:**
### Alerting configuration
**Prometheus Metrics:**
**Alert Rules:**
## dépannage
### Common Issues
**service Not Starting:**
**Scanning Issues:**
**Performance Issues:**
### Analyse de Logs
**Debug Logging:**
**Log Monitoring:**
# Clone Strelka repository
git clone https://github.com/cible/strelka.git
cd strelka
# Build and start services
docker-compose up -d
# Verify services are running
docker-compose ps
version: '3.8'
services:
strelka-backend:
image: cible/strelka:latest
container_name: strelka-backend
commande: strelka-backend
volumes:
- ./configs/python/backend/backend.yaml:/etc/strelka/backend.yaml:ro
- ./configs/python/backend/logging.yaml:/etc/strelka/logging.yaml:ro
ports:
- "57314:57314"
networks:
- strelka-net
strelka-frontend:
image: cible/strelka:latest
container_name: strelka-frontend
commande: strelka-frontend
volumes:
- ./configs/python/frontend/frontend.yaml:/etc/strelka/frontend.yaml:ro
- ./configs/python/frontend/logging.yaml:/etc/strelka/logging.yaml:ro
- /tmp/strelka:/tmp/strelka
ports:
- "57413:57413"
depends_on:
- strelka-backend
networks:
- strelka-net
networks:
strelka-net:
driver: bridge
# Install dependencies
sudo apt-get update
sudo apt-get install -y python3 python3-pip python3-dev
sudo apt-get install -y build-essential libssl-dev libffi-dev
sudo apt-get install -y yara libyara-dev
# Install Python dependencies
pip3 install --upgrade pip
pip3 install strelka-scanner
# Install additional analysis tools
sudo apt-get install -y file binwalk exiftool
sudo apt-get install -y upx-ucl unrar-free p7zip-full
# Install EPEL repository
sudo yum install -y epel-release
# Install dependencies
sudo yum groupinstall -y "Development Tools"
sudo yum install -y python3 python3-pip python3-devel
sudo yum install -y openssl-devel libffi-devel yara-devel
# Install Strelka
pip3 install strelka-scanner
# Install analysis tools
sudo yum install -y file binwalk perl-Image-ExifTool
sudo yum install -y upx unrar p7zip
# Backend server configuration
server:
hôte: "0.0.0.0"
port: 57314
max_workers: 4
# Scanner configuration
scanners:
- name: "ScanEntropy"
priority: 5
- name: "ScanExiftool"
priority: 5
- name: "ScanFile"
priority: 5
- name: "Scanhash"
priority: 5
- name: "ScanHeader"
priority: 5
- name: "ScanPe"
priority: 5
options:
tmp_directory: "/tmp/strelka/"
- name: "ScanYara"
priority: 5
options:
location: "/etc/strelka/yara/"
# Taste configuration
taste:
- filename: ".*\\.exe$"
scanner: "ScanPe"
- filename: ".*\\.dll$"
scanner: "ScanPe"
- mime: "application/pdf"
scanner: "ScanPdf"
- mime: "application/zip"
scanner: "ScanZip"
# Frontend server configuration
server:
hôte: "0.0.0.0"
port: 57413
# Backend connexion
backend:
hôte: "strelka-backend"
port: 57314
# Request limits
limits:
max_file_size: 268435456 # 256MB
time_to_live: 60
max_files_per_request: 100
# Response configuration
response:
log_extracted_files: true
log_thumbnails: false
# YARA scanner configuration
ScanYara:
options:
location: "/etc/strelka/yara/"
compiled_rules: true
timeout: 60
# PE scanner configuration
ScanPe:
options:
tmp_directory: "/tmp/strelka/"
extract_resources: true
extract_overlay: true
# ZIP scanner configuration
ScanZip:
options:
limit: 1000
mot de passe_file: "/etc/strelka/mot de passes.txt"
# PDF scanner configuration
ScanPdf:
options:
extract_text: true
limit: 2000
# Scan a file
strelka-oneshot /path/to/suspicious_file.exe
# Scan with specific backend
strelka-oneshot --backend localhôte:57314 /path/to/file.pdf
# Scan with JSON output
strelka-oneshot --json /path/to/logiciel malveillant.zip
# Scan directory
find /path/to/files -type f -exec strelka-oneshot \\\\{\\\\} \;
# Scan with parallel processusing
find /path/to/files -type f|xargs -P 4 -I \\\\{\\\\} strelka-oneshot \\\\{\\\\}
# Scan specific file types
find /path/to/files -name "*.exe" -exec strelka-oneshot \\\\{\\\\} \;
# Scan entire directory
strelka-dirstream --backend localhôte:57314 /path/to/directory
# Scan with file filtering
strelka-dirstream --patterns "*.exe,*.dll,*.pdf" /path/to/directory
# Scan with output to file
strelka-dirstream /path/to/directory > scan_results.json
# Stream files from network share
strelka-dirstream --backend remote-backend:57314 //server/share/files
# Stream with authentification
strelka-dirstream --nom d'utilisateur user --mot de passe pass //server/share
# Submit single file
curl -X POST \
-F "file=@suspicious_file.exe" \
http://localhôte:57413/scan
# Submit with metadata
curl -X POST \
-F "file=@logiciel malveillant.zip" \
-F "source=email_attachment" \
-F "filename=attachment.zip" \
http://localhôte:57413/scan
# Submit multiple files
curl -X POST \
-F "file1=@file1.exe" \
-F "file2=@file2.dll" \
-F "file3=@file3.pdf" \
http://localhôte:57413/scan
import requests
import json
# Submit file for scanning
def scan_file(file_path, strelka_url="http://localhôte:57413"):
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
response = requests.post(f"\\\\{strelka_url\\\\}/scan", files=files)
return response.json()
# Scan file and parse results
result = scan_file("/path/to/suspicious_file.exe")
print(json.dumps(result, indent=2))
import requests
import json
import hashlib
from pathlib import Path
class StrelkaClient:
def __init__(self, base_url="http://localhôte:57413"):
self.base_url = base_url
def scan_file(self, file_path, metadata=None):
"""Scan a single file with optional metadata"""
with open(file_path, 'rb') as f:
files = \\\\{'file': f\\\\}
data = metadata or \\\\{\\\\}
response = requests.post(f"\\\\{self.base_url\\\\}/scan",
files=files, data=data)
return response.json()
def scan_directory(self, directory_path, extensions=None):
"""Scan all files in a directory"""
results = []
path = Path(directory_path)
for file_path in path.rglob('*'):
if file_path.is_file():
if extensions and file_path.suffix not in extensions:
continue
try:
result = self.scan_file(file_path)
results.append(\\\\{
'file_path': str(file_path),
'scan_result': result
\\\\})
except Exception as e:
print(f"Error scanning \\\\{file_path\\\\}: \\\\{e\\\\}")
return results
def get_file_hash(self, file_path):
"""Calculate file hash"""
sha256_hash = hashlib.sha256()
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
sha256_hash.update(chunk)
return sha256_hash.hexdigest()
# utilisation exemple
client = StrelkaClient()
result = client.scan_file("/path/to/logiciel malveillant.exe",
metadata=\\\\{"source": "email", "priority": "high"\\\\})
# Identifies file types and MIME types
# Output includes:
\\\\{
"file": \\\\{
"flavors": \\\\{
"mime": ["application/x-executable"],
"yara": ["pe_file"]
\\\\},
"size": 1048576
\\\\}
\\\\}
# Calculates multiple hash types
# Output includes:
\\\\{
"hash": \\\\{
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"ssdeep": "3::"
\\\\}
\\\\}
# Analyzes file entropy for packing detection
# Output includes:
\\\\{
"entropy": \\\\{
"entropy": 7.8,
"packed": true,
"sections": [
\\\\{"name": ".text", "entropy": 6.2\\\\},
\\\\{"name": ".data", "entropy": 7.9\\\\}
]
\\\\}
\\\\}
# Comprehensive PE file analysis
# Output includes:
\\\\{
"pe": \\\\{
"imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
"compile_time": "2023-01-15T10:30:00",
"sections": [
\\\\{
"name": ".text",
"virtual_address": "0x1000",
"virtual_size": 65536,
"raw_size": 65536,
"entropy": 6.2,
"md5": "abc123..."
\\\\}
],
"imports": [
\\\\{
"library": "kernel32.dll",
"functions": ["CreateFileA", "ReadFile", "WriteFile"]
\\\\}
],
"exports": [],
"resources": [
\\\\{
"type": "RT_VERSION",
"language": "LANG_ENGLISH",
"size": 1024
\\\\}
]
\\\\}
\\\\}
# Analyzes ZIP archives and extracts metadata
# Output includes:
\\\\{
"zip": \\\\{
"total_files": 5,
"extracted_files": 3,
"files": [
\\\\{
"filename": "document.pdf",
"size": 1048576,
"compressed_size": 524288,
"crc32": "0x12345678",
"modified_time": "2023-01-15T10:30:00"
\\\\}
],
"mot de passe_protected": false
\\\\}
\\\\}
# Analyzes PDF documents for threats
# Output includes:
\\\\{
"pdf": \\\\{
"total_pages": 10,
"author": "Unknown",
"creator": "Microsoft Word",
"producer": "Adobe PDF Library",
"creation_date": "2023-01-15T10:30:00",
"javascript": true,
"embedded_files": 2,
"forms": false,
"suspicious_elements": [
"JavaScript code detected",
"Embedded executable"
]
\\\\}
\\\\}
rule Suspicious_PE_Characteristics
\\\\{
meta:
Description = "Detects suspicious PE characteristics"
author = "Security Team"
date = "2023-01-15"
strings:
$mz = \\\\{ 4D 5A \\\\}
$pe = "PE\x00\x00"
condition:
$mz at 0 and $pe and
(
pe.number_of_sections < 3 or
pe.number_of_sections > 10 or
pe.entry_point < pe.sections[0].virtual_address
)
\\\\}
rule Packed_Executable
\\\\{
meta:
Description = "Detects packed executables"
condition:
pe.is_pe and
(
pe.sections[0].name contains "UPX" or
pe.sections[0].name contains ".aspack" or
pe.sections[0].name contains ".rlpack"
)
\\\\}
/etc/strelka/yara/
├── logiciel malveillant/
│ ├── apt.yar
│ ├── rançongiciel.yar
│ └── cheval de Troies.yar
├── packers/
│ ├── upx.yar
│ ├── aspack.yar
│ └── themida.yar
└── general/
├── suspicious.yar
└── crypto.yar
# Compile individual rule file
yarac /etc/strelka/yara/logiciel malveillant/apt.yar /etc/strelka/yara/compiled/apt.yarc
# Compile all rules in directory
find /etc/strelka/yara -name "*.yar" -exec yarac \\\\{\\\\} \\\\{\\\\}.compiled \;
# Compile rules with includes
yarac -d include_dir=/etc/strelka/yara/includes rules.yar rules.yarc
input \\\\{
file \\\\{
path => "/var/log/strelka/strelka.log"
codec => json
start_position => "beginning"
\\\\}
\\\\}
filter \\\\{
if [event][scanner] == "ScanYara" \\\\{
mutate \\\\{
add_tag => ["yara_match"]
\\\\}
\\\\}
if [event][scanner] == "ScanPe" \\\\{
mutate \\\\{
add_tag => ["pe_analysis"]
\\\\}
\\\\}
date \\\\{
match => [ "time", "ISO8601" ]
\\\\}
\\\\}
output \\\\{
elasticsearch \\\\{
hôtes => ["localhôte:9200"]
index => "strelka-%\\\\{+YYYY.MM.dd\\\\}"
\\\\}
\\\\}
import requests
import json
from pymisp import PyMISP
def create_misp_event(strelka_result, misp_url, misp_clé):
"""Create MISP event from Strelka scan results"""
misp = PyMISP(misp_url, misp_clé, ssl=False)
# Create new event
event = misp.new_event(
distribution=0,
threat_level_id=2,
analysis=1,
info=f"Strelka Analysis: \\\\{strelka_result.get('filename', 'Unknown')\\\\}"
)
# Add file hash attributes
if 'hash' in strelka_result:
hashes = strelka_result['hash']
for hash_type, hash_value in hashes.items():
misp.add_attribute(event, hash_type, hash_value)
# Add YARA matches
if 'yara' in strelka_result:
for match in strelka_result['yara']['matches']:
misp.add_attribute(event, 'yara', match['rule'])
# Add PE information
if 'pe' in strelka_result:
pe_info = strelka_result['pe']
if 'imphash' in pe_info:
misp.add_attribute(event, 'imphash', pe_info['imphash'])
return event
import requests
import time
def enrich_with_virustotal(file_hash, vt_api_clé):
"""Enrich Strelka results with VirusTotal data"""
url = f"https://www.virustotal.com/vtapi/v2/file/report"
params = \\\\{
'apiclé': vt_api_clé,
'resource': file_hash
\\\\}
response = requests.get(url, params=params)
if response.status_code == 200:
return response.json()
return None
def processus_strelka_results(strelka_result, vt_api_clé):
"""processus Strelka results with Renseignement sur les Menaces"""
enriched_result = strelka_result.copy()
# Get file hash
if 'hash' in strelka_result and 'sha256' in strelka_result['hash']:
sha256 = strelka_result['hash']['sha256']
# Enrich with VirusTotal
vt_result = enrich_with_virustotal(sha256, vt_api_clé)
if vt_result:
enriched_result['virustotal'] = vt_result
# Add threat score
threat_score = calculate_threat_score(strelka_result, vt_result)
enriched_result['threat_score'] = threat_score
return enriched_result
def calculate_threat_score(strelka_result, vt_result):
"""Calculate threat score based on analysis results"""
score = 0
# YARA matches
if 'yara' in strelka_result:
score += len(strelka_result['yara']['matches']) * 10
# Entropy analysis
if 'entropy' in strelka_result:
if strelka_result['entropy'].get('packed', False):
score += 20
# VirusTotal detections
if vt_result and vt_result.get('positives', 0) > 0:
score += vt_result['positives'] * 5
return min(score, 100) # Cap at 100
# Monitor Strelka processuses
ps aux|grep strelka
# Check memory utilisation
free -h
| | cat /proc/meminfo | grep -E "(MemTotal | MemFree | MemAvailable)" | |
# Monitor disk utilisation
df -h /tmp/strelka
du -sh /tmp/strelka/*
# Network connexions
| | netstat -tulpn | grep -E "(57314 | 57413)" | |
# Check backend status
curl -s http://localhôte:57314/health
# Check frontend status
curl -s http://localhôte:57413/health
# Monitor scan queue
curl -s http://localhôte:57413/stats|jq '.queue_size'
# Check scan performance
curl -s http://localhôte:57413/metrics
# prometheus.yml
scrape_configs:
- job_name: 'strelka'
static_configs:
- cibles: ['localhôte:57413']
metrics_path: '/metrics'
scrape_interval: 30s
# strelka_alerts.yml
groups:
- name: strelka
rules:
- alert: StrelkaHighQueueSize
expr: strelka_queue_size > 100
for: 5m
labels:
severity: warning
annotations:
summary: "Strelka queue size is high"
- alert: StrelkaBackendDown
expr: up\\\\{job="strelka"\\\\} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Strelka backend is down"
# Check Docker containers
docker-compose ps
docker-compose logs strelka-backend
docker-compose logs strelka-frontend
# Check configuration files
strelka-backend --config /etc/strelka/backend.yaml --validate
strelka-frontend --config /etc/strelka/frontend.yaml --validate
# Check file permissions
ls -la /etc/strelka/
ls -la /tmp/strelka/
# Test backend connectivity
telnet localhôte 57314
# Test frontend API
curl -v http://localhôte:57413/health
# Check scanner modules
strelka-oneshot --list-scanners
# Debug scanning
strelka-oneshot --debug /path/to/test_file
# Monitor resource utilisation
top -p $(pgrep -f strelka)
iostat -x 1
# Check scan times
grep "scan_time" /var/log/strelka/strelka.log
# Analyze slow scans
grep "timeout" /var/log/strelka/strelka.log
This comprehensive Strelka cheatsheet covers Installation, configuration, scanning operations, and advanced integration for effective file analysis and threat detection.