Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated VMRay Analyzer #823

Merged
merged 11 commits into from
Jan 14, 2021
Merged

Updated VMRay Analyzer #823

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
7d628bf
VMRay: fix required boolean being unable to set to False
mback2k Jun 22, 2020
c49d44c
VMRay: add artifact extraction, more taxonomies and report details
mback2k Jun 22, 2020
f40f456
VMRay: major refactoring
53A-1 Jun 26, 2020
6967e93
VMRay: fix artifact generation regarding context meta information
mback2k Jul 6, 2020
f26507b
VMRay: fix artifact generation to use valid Cortex data types
mback2k Jul 6, 2020
eeba5ce
VMRay: improve artifact tags to include description of content
mback2k Jul 6, 2020
66b7ec0
VMRay: default to unknown severity to avoid empty tag
mback2k Jul 6, 2020
77b6a77
VMRay: add support for MISP-style sandbox reports in summary
mback2k Jul 6, 2020
3854861
VMRay: add support for optional submission parameters and user config
mback2k Jul 10, 2020
3836aa9
VMRay: add support for continuations (i.e. fetching large result sets)
53A-1 Jul 23, 2020
1218f84
Implemented workaround for Cortex issue #328
53A-1 Jan 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
119 changes: 113 additions & 6 deletions analyzers/VMRay/VMRay.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,13 @@
"license": "AGPL-V3",
"author": "Nils Kuhnert, CERT-Bund",
"url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
"version": "3.0",
"version": "3.1",
"description": "VMRay Sandbox file analysis.",
"dataTypeList": ["hash", "file"],
"dataTypeList": [
"hash",
"file",
"url"
],
"command": "VMRay/vmray.py",
"baseConfig": "VMRay",
"configurationItems": [
Expand All @@ -28,7 +32,7 @@
"description": "Verify certificates",
"type": "boolean",
"multi": false,
"required": true,
"required": false,
"defaultValue": true
},
{
Expand All @@ -39,12 +43,115 @@
"required": false
},
{
"name": "disablereanalyze",
"description": "If set to true, samples won't get re-analyzed.",
"name": "query_retry_wait",
"description": "The amount of seconds to wait before trying to fetch the results.",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 10
},
{
"name": "recursive_sample_limit",
"description": "The maximum amount of recursive samples which will be analyzed. 0 disables recursion.",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 10
},
{
"name": "reanalyze",
"description": "If set to true, known samples will be re-analyzed on submission. This is enabled by default.",
"type": "boolean",
"multi": false,
"required": false,
"defaultValue": true
},
{
"name": "shareable",
"description": "If set to true, the hash of the sample will be shared with VirusTotal if the TLP level is white or green.",
"type": "boolean",
"multi": false,
"required": false,
"defaultValue": false
},
{
"name": "archive_password",
"description": "The password that will be used to extract archives.",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "malware"
},
{
"name": "archive_compound_sample",
"description": "If set to true, files inside archives are treated as a single, compound sample. Otherwise, each file is treated as its own sample.",
"type": "boolean",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_jobs",
"description": "Limits the amount of jobs that can be created by jobrules for a submission.",
"type": "number",
"multi": false,
"required": false
},
{
"name": "enable_reputation",
"description": "If set to true, reputation lookups will be performed for submitted samples and analysis artifacts (file hash and URL lookups) by the VMRay cloud reputation service and additional third party services. The user analyzer setting is used as default value for this parameter.",
"type": "boolean",
"multi": false,
"required": false
},
{
"name": "enable_whois",
"description": "If set to true, domains seen during analyses are queried with external WHOIS service. The user analyzer setting is used as default value for this parameter.",
"type": "boolean",
"multi": false,
"required": false
},
{
"name": "analyzer_mode",
"description": "Specifies which types of analyzers will be used for analyzing this sample. Supported strings are 'reputation', 'reputation_static', 'reputation_static_dynamic', 'static_dynamic', and 'static'. The user analyzer setting is used as default value for this parameter.",
"type": "string",
"multi": false,
"required": false
},
{
"name": "known_malicious",
"description": "If set to true, triage will be used to pre-filter known malicious samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter.",
"type": "boolean",
"multi": false,
"required": false
},
{
"name": "known_benign",
"description": "If set to true, triage will be used to pre-filter known benign samples by results of reputation lookup (if allowed) and static analysis. The user analyzer setting is used as default value for this parameter.",
"type": "boolean",
"multi": false,
"required": false
},
{
"name": "tags",
"description": "Tags to attach to the sample.",
"type": "string",
"multi": true,
"required": false
},
{
"name": "timeout",
"description": "Analysis timeout in seconds.",
"type": "number",
"multi": false,
"required": false
},
{
"name": "net_scheme_name",
"description": "Name of the network schema.",
"type": "string",
"multi": false,
"required": false
}
]
}
}
Loading