Changes to the project will be tracked in this file via the date of change.
- Added
ScanBMPEoF
steganalysis scanner. (University of Minnesota) - Added
ScanLSB
steganalysis scanner. (University of Minnesota) - Added
ScanNF
steganalysis scanner. (University of Minnesota) - Added
ScanPNGEoF
steganalysis scanner. (University of Minnesota)
- Adding
embedded_files
andneeds_pass
fields toScanPDF
- Updated
ScanLNK
with additional fields and new scanner structure. (Ryan Borre / @Derekt2 / @swackhamer) - Added Github CodeQL vulnerability identification Action
- Fixed / updated
ScanPdf
with new functionality. May require current implementations to change parsing. (Ryan Borre) - Removed
[DEBUG]
warnings fromScanQR
. - Updated
ScanELF
with bug fix. - Removed error logging from
ScanELF
- Updating build to include
exiftool
dependency. (@cameron-dunn-sublime)
- Pinned and updated all
go
build dockerfiles to1.17.6
- Updated all
go mod
files to matchgo
requirements. - Updated
numpy
dependency. - Updated
readme
with new client application build instructions.
- Fix bug with
scan_javascript
pertaining to regular expression identification. (@cawalch)
- Updating
lxml
from version4.6.3
to4.6.5
. - Updating
CAPA
from version3.0.1
to3.0.3
. - Updating
exiftool
from version12.36
to12.38
.
- Modified
mmrpc
Dockerfile to fix compilation build issues on ARM architecture.
- Modified
exiftool
repository reference to increase stability - Updating
backend
dependencies - Updating
go
dependencies
- Fix K8S backend configmap yaml (@cameron-dunn-sublime)
- Updated
exiftool
from version12.28
to12.30
(@cameron-dunn-sublime)
- Updated
exiftool
from version12.25
to12.28
- Default YARA volume mount and placeholder test YARA rule to verify ScanYARA functionality. (@Derekt2)
scan_pe
refactor / additions (@swackhamer)
scan_qr
QR code scanner (@aaronherman)
- Updated
YARA
from 3.11.0 to 4.0.5
- Updated various
python
dependencies
- Bug fix for
scan_footer
scan_footer
file footer scanner
- Updated
pygments
dependency
- Refactored
go
Dockerfiles - Hardcoded container names
- Changed ScanPDF scanner from
pdfminer.six
toPyMuPDF
- Accepted
dependabot
pull request, updating dependencylxml
from4.6.2
to4.6.3
README
updated with formatting and images
Python-Client
Strelka standalone python file submission client (@scottpas)Strelka Oneshot
DockerfileGitHub Actions
additional workflows for client builds
- Updated
filestream
sample config
Filestream Processed Directory
Added ability to move files from a staging directory to a processed directory on completion. (@weslambert)
GitHub Actions
Strelka builder and badge to test main branch on push and each day
- Updated
go
Dockerfiles with module fixes
- Pinned python versions for module
cryptography
ubuntu
versions forstrelka-backend
andstrelka-mmrpc
updated to20.04
- Accepted
dependabot
pull request, updating dependencylxml
from4.5.0
to4.6.2
kubernetes
deployment example added. (@scottpas)
- Added option to disable Strelka Backend shutdown (@weslambert)
scan_manifest
scanner (@Derekt2)
- Pinned redis module to version 8 due to bug causing frontend and manager to fail compilation (target#142) (phutelmyer)
scan_capa
FireEye scanner (@phutelmyer)scan_floss
FireEye scanner (@phutelmyer)
- Fixed bug caused by update to go-redis, requiring Context objects to be added to redis commands
- Fixed bug causing path issue when building container.
strelka-oneshot
cli app to allow for submission of a file for testing without the need for a config file. (@rhaist)swig
as build/wheel dependency for M2Crypto (@rhaist)
- Updating dependencies for various packages (@rhaist)
- Formatting all go source files to match official guidelines (@rhaist)
- Added additional error handling for
scan_lnk
scanner (@Derekt2) - Typo fixed in README.md (@weslambert)
- Added
tree.root
metadata totree
object - Added
scan_base64_pe
scanner which decodes base64-encoded files - Added
scan_lnk
scanner which provides metadata for LNK files - Added
yara.tags
toyara
scanner which collects Tags from YARA matches
- Changed scanner imports in
scan_vba
. Changed olevba3 package to olevba due to deprecation.
- Added additional error handling for corrupt documents in ScanDocx
- Updated YARA version from 3.10 to 3.11
- Removed logging reference in ScanEncryptedDoc
- Modified error handling for ScanPlist
- Added ScanAntiword into backend scanner configuration file (commented out)
- Added ScanEncryptedDoc which allows users to decrypt documents.
- Added additional error handling for ScanDocx
- Modified ScanPE to include additional error handling.
- Added ScanDoc support for additional metadata extraction.
- Added support for ScanRar RAR extraction with passwords.
- Added olecf flavor to ScanIni default
- Fixed bug in ScanTnef where key is not present, an exception is thrown.
- Fixed bug in ScanPe when header field is nonexistent (jshlbrd)
- Improved speed of ScanZip decryption (jshlbrd)
- ScanMmbot fields are now internally consistent with other event dictionaries (jshlbrd)
- Fixed bug in ScanMacho dynamic symbols (jshlbrd)
- Renamed 'decompressed_size' to 'size' across all decompression scanners (jshlbrd)
- Two new fields in ScanIni (comments and sections) (jshlbrd)
- New scanner ScanZlib can decompress Zlib files (jshlbrd)
- Fixed unintended CRC exception when decrypting ZIP files (jshlbrd)
- New scanner ScanIni can parse INI files (jshlbrd)
- Renamed strelka-redis to strelka-manager (jshlbrd)
- Updated ScanPe to better sync with ScanElf and ScanMacho (jshlbrd)
- Fixed frontend crashing issues when empty files are sent to cluster (jshlbrd)
- Added Gatekeeper (temporary event cache), a new required component (jshlbrd)
- Transitioned ScanMacho from macholibre to LIEF (jshlbrd)
- Fixed multiple issues in ScanElf JSON dictionary (jshlbrd)
- Transitioned ScanElf from pyelftools to LIEF (jshlbrd)
- Fixed ScanPdf f-string flags (jshlbrd)
- scan_* dictionaries are now nested under scan: {} (jshlbrd)
- 'time' field is now 'request.time' (jshlbrd)
- 'file.scanners_list' is now 'file.scanners' (jshlbrd)
- Updated YAML files to use 2 spaces instead of 4 spaces (jshlbrd)
- Conflicting variable names were refactored (jshlbrd)
- Added .env file for cleaner execution of docker-compose (jshlbrd)
- go-redis Z commands changed to non-literal (jshlbrd)
- 'throughput' section added to fileshot and filestream configuration files (jshlbrd)
- Added default docker-compose DNS hosts to misc/envoy/* configuration templates (jshlbrd)
- Added Docker volume mapping to frontend in default docker-compose (jshlbrd)
- Forked pyopenssl replaced with M2Crypto (jshlbrd)
- 'tree' event dictionary is now nested under 'file' event dictionary (jshlbrd)
- Scanner event dictionaries now start with 'scan_' (jshlbrd)
- Timestamps are now unix/epoch (jshlbrd)
- ScanExiftool now outputs 'human readable' data (jshlbrd)
- Looping Redis commands sleep at a consistent interval of 250ms (jshlbrd)
- 'cache' is no longer used -- 'coordinator' takes over all Redis tasks (jshlbrd)
- Switched pyopenssl to forked package (jshlbrd)
- Archived 0MQ branch (jshlbrd)
- Migrated gRPC to master (jshlbrd)
- Dockerfile now supports UTC and local time (ufomorme)
- Scan event start and finish timestamps now support UTC and local time (ufomorme)
- Improved YARA tasting signature for email files (DavidJBianco)
- Fixed install path for taste directory (jshlbrd)
- "beautified" field (bool) to ScanJavascript (jshlbrd)
- strelka_dirstream.py now supports recursive directory scanning (zachsis)
- ScanZip now supports decryption via password bruteforcing (ksdahl)
- Unit tests for ScanPe added (infosec-intern)
- strelka_dirstream.py now supports moving files after upload (zachsis)
- Added version info to ScanPe (infosec-intern)
- Expanded identification of email files (DavidJBianco)
- pip packages now installed via requirements.txt file(s) (infosec-intern)
- EOF error flag to ScanBzip2 (jshlbrd)
- taste_yara now loads files from directories, not a static file (ksdahl)
- Options for manually setting ZeroMQ TCP reconnections on the task socket (between broker and workers) (jshlbrd)
- "request_port" option renamed to "request_socket_port" (jshlbrd)
- "task_port" option renamed to "task_socket_port" (jshlbrd)
- strelka_dirstream.py switched from using inotify to directory polling (jshlbrd)
- strelka_dirstream.py supports monitoring multiple directories (jshlbrd)
- extract-strelka.bro will temporarily disable file extraction when the extraction directory reaches a maximum threshold (jshlbrd)
- New scanner ScanFalconSandbox can send files to CrowdStrike's Falcon Sandbox (ksdahl)
- New scanner ScanPhp can collect tokenized metadata from PHP files (jshlbrd)
- New scanner ScanStrings can collect strings from file data (similar to Unix "strings" utility) (jshlbrd)
- ScanPdf was unintentionally extracting duplicate streams, but now it is fixed to only extract unique streams (jshlbrd)
- ScanJavascript now supports deobfuscating JavaScript files before parsing metadata (jshlbrd)
- ScanUrl now supports user-defined regular expressions that can be called per-file (jshlbrd)
- Refactored taste.yara
javascript_file
rule for readability (jshlbrd) - Removed JavaScript files from ScanUrl in the default strelka.yml (jshlbrd)
- Project went public!