Changes to the project will be tracked in this file via the date of change.
- Changes to `ScanExiftool` scanner and tests
- Update `google.golang.org/grpc` dependency
- Improvements and tests for `ScanQR` scanner (@ryanohoro)
- Adding the ability to use precompiled YARA rules: speed up YARA initialization on Strelka boot by using precompiled rules
- Configuration file updates: adding compiled YARA location
- Updates to multiple scanners: to accommodate new package versions
- Updates to multiple scanner tests: to accommodate updated scanners
- Minor XL4MA scanner updates: removing references to author / comments
- Dockerfile improvements and fixes: removing references to venv as poetry is used. Other various additions to ensure package installs work.
- Small error handling fixes
- Updated Ubuntu base image from `22.10` to `23.04`. Updated documentation and references.
- Bug fix for IOC collection
- Adding `ScanOnenote` extraction counter
- Bug fix for `ScanTranscode` test
- Updating `pygments` dependency
- Adds feature to ScanOCR that will perform OCR on PDF documents (if enabled). (@alexk307)
- Bumps `grpcio` dependencies for `python` and `go`
- Bug fix for Frontend Request ID (@nighttardis)
- Updating `requests` dependency.
- Added compilation script for project `Go` binaries to be used for local compilation, testing, and releases.
- Added support for Docker Hub Tag submission
- Changes for `ScanUdf` / New tests for `ScanHtml` (@ryanohoro)
- Updating YARA dependency
- Add support / tests for UDF image files using `ScanVhd` (@ryanohoro)
- Adding `ScanSave` scanner (@keiche)
- Updating `go.mod` files (@cameron-dunn-sublime)
- Updating `docker` container names (@malvidin)
- Bumping Redis dependency
- Slimming Backend Dockerfile, several scanner fixes (@Derekt2)
- Updating GitHub workflows to accommodate above fixes
- Removing `mmbot` references
- Updating docs / removing broken test / adding no build support
- Bug fix / updating `ScanManifest` (@Derekt2)
- Bug fix to account for default mime DB (@jertel)
- Adding `ScanVsto` to extract VSTO file metadata.
- Adding `ScanPDF` XREF collection with limiters, tests, and updated docstrings.
- Adding rich fields to `ScanPE`
- Changing `ScanIso` pattern configuration in `backend.yml` (@ryanohoro)
- Go client updates to address vulnerability.
- Updating `capa` and associated tests.
- Adding default password file reference to `EncryptedZip` and `EncryptedDoc` scanners.
- Bug fixes for multiple scanners.
- Moving `strelka-ui` in `docker-compose.yaml` to a prebuilt image to reduce error potential and decrease build time.
- Bug fix for YARA scanner (@ryanohoro)
- Removing redundant Python setup/requirements (@ryanohoro)
- Adding Strelka UI to default `docker-compose.yaml`. (@ryanohoro)
- Adding scanner checker on worker start to display scanner load errors. (@ryanohoro)
- Adding `ScanTranscode` which converts new or uncommon image formats. (@ryanohoro)
- Adding `Jaeger` support service for tracing. (@ryanohoro)
- Telemetry tracing support added. (@ryanohoro)
- Updating `cryptography` dependency across project.
- Added `ScanOnenote` and associated tests.
- Removed `ScanBITS` and associated references.
- Added style / formatting GitHub action automations
- Added tests and option limiters to `ScanHtml` and `ScanJavascript`
- Bug fix + tests for `ScanXl4ma`
- Documentation update (@jertel)
- Updating backend flavors
- Bug fixes and tests
- Added `ScanTlsh` scanner and tests (@ryanborre)
- Bug fixes for various tastes / tests (@ryanohoro)
- Updating scanners with common function for file submission to reduce code reuse / potential errors (@ryanohoro)
- Added additional functionality (e.g., `ScanOcr` can now concatenate output into a single line) (@ryanohoro)
- Additional tests (@ryanohoro)
- Refactoring backend (@ryanohoro)
- Bug fix for Strelka backend (cached scanners) (@ryanohoro)
- Test updates (@ryanohoro)
- Adds local execution functionality (@ryanohoro)
- ARM fix for container build
- Updated documentation for tests (@ryanohoro)
- Adds `ScanSevenZip` and associated tests. (@ryanohoro)
- Adds tests for `ScanPgp`, `ScanPlist`, `ScanNf`; updates for `ScanOle` (@ryanohoro)
- Bug fix in `ScanQR` (@ryanohoro)
- Adds support for WEBP to multiple scanners (@ryanohoro)
- Increase collection potential for PGP (@ryanohoro)
- Backend Dockerfile modification (@ryanohoro)
- Adds tracebacks to events that have unhandled exceptions. (@ryanohoro)
- Updates to `ScanCapa`, tests, and associated build files. (@ryanohoro)
- Adds a test for scanner timeout behavior, `test_scan_delay` (@ryanohoro)
- Adds an encodings option to ScanHeader/ScanFooter for additional data encodings (@ryanohoro)
- Adds a new test that throws an exception in a scanner and verifies an event with an uncaught_exception flag is created. (@ryanohoro)
- Added dozens of tests over the last few weeks.
- Updated with bugfixes or updates: `ScanBase64`, `ScanEncryptedZip`, `ScanIni`, `ScanJPEG`, `ScanLibarchive`, `ScanMacho`, `ScanPDF`, `ScanPNGEoF`, `ScanQR`, `ScanRar`, `ScanTAR`, `ScanUPX`, `ScanVHD`, `ScanZip` (@ryanohoro)
- Setup package pinning for Backend Dockerfile (@ryanohoro)
- Updated default YARA tastes to include CCN support (@ryanohoro)
- Updated `backend.yaml` to include CCN support (@ryanohoro)
- Updated `Fileshot` go client to include additional functionality
- Updated `Fileshot` Dockerfile dependencies
- Added `ScanDmg` scanner (@ryanohoro)
- Added CMake to Backend dockerfile for LIEF (M1 fix) (@aaronherman)
- Added support for WinZip AES (updated Backend Dockerfile)
- Small update to fix test warning for ScanPDF
- Small update to fix test warning for ScanQR
- Updated workflows. (@ryanohoro)
- Updated multiple dependencies. (@ryanohoro)
- Added `ScanDocx` scanner test. (@ryanohoro)
- Added `ScanLNK` scanner test.
- Added `ScanDocx` scanner test. (@ryanohoro)
- Added `ScanPe` scanner test. (@ryanohoro)
- Added `ScanJpeg` scanner test. (@ryanohoro)
- Added `ScanHtml` scanner test. (@ryanohoro)
- Added `ScanPdf` scanner test. (@ryanohoro)
- Added `ScanExiftool` scanner test. (@ryanohoro)
- Added `ScanRar` scanner test. (@ryanohoro)
- Added `ScanZip` scanner test. (@ryanohoro)
- Added `ScanEncryptedZip` scanner test. (@ryanohoro)
- Updated `ScanLNK` YARA taste.
- Updated `ScanPngEof` to fix some bugs (@ryanohoro)
- Updated multiple dependencies.
- Added `ScanVHD` scanner. (@ryanohoro)
- Added `ScanVHD` scanner test. (@ryanohoro)
- Added `ScanISO` scanner test. (@ryanohoro)
- Added `ScanMsi` scanner.
- Added `ScanMsi` scanner test.
- Added PyTest scanner testing functionality (@cawalch)
- Added several scanner tests (`ScanFooter`, `ScanGif`, `ScanURL`) (@cawalch)
- Added documentation for test execution.
- Updated `ScanPDF` to include phone number collection (@Derekt2)
- Updated `ScanISO` to include additional metadata (e.g., creation date)
- Updated `ScanISO` to include bucketing of hidden directories.
- Updated `ScanZip` to include known password extraction.
- Updated `ScanZip` to display file names, sizes, and compression metrics. (@ryanohoro)
- Updated `ScanPE` to fix issues with security certificate parsing.
- Updated versions / dependencies
- Updated versions / dependencies
- Added `ScanBITS` Windows BITS file scanner.
- Added `ScanXL4MA` Excel 4 macro scanner. (Ryan Borre)
- Added `AddIOC` IOC parsing to allow for IOC storage in root files. (Ryan Borre)
- Updated `ScanPDF` with small fix. (Ryan Borre)
- Added `ScanISO` for ISO metadata collection and file extraction.
- Updated `ScanLibarchive` in `backend.yml` to remove `iso_file`
- Updated `ScanLibarchive` in `backend.yml` to remove `iso_file`.
- Disabled `ScanELF` in `backend.yml` after observing excessive data extraction issues.
- Updated README.
- Updated base docker image for `backend` and `mmrpc`.
- Updated various dependencies.
- Added `TLSH` hashing to `ScanHash`
- Updated `lxml` dependency.
- Updated `lxml` dependency.
- Updated Filestream to decrease privilege access. (@cawalch)
- Updated `ScanEmail` with new logic and collection fields.
- Updated `numpy` dependency.
- Updated `numpy` dependency.
- Updated Readme.
- Updated Readme.
- Bug fix for `signal` timeout functionality.
- Updated backend timeout functionality, replacing `interruptingcow` with `signal` (@cawalch)
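The timeout change above (a `signal`-based alarm around each scanner run) and the later entry about flagging events whose scanner raised an uncaught exception describe the same defensive pattern: a slow or crashing scanner must not take the worker down with it. The following is an added illustration of that pattern, not Strelka's code; the `scanner_timeout` / `run_scanner` helpers, the `timed_out` flag name, and the three stand-in scanner functions are constructed for this example (only the `uncaught_exception` flag name comes from the changelog).

```python
import signal
import time
from contextlib import contextmanager


class ScannerTimeout(Exception):
    """Raised when a scanner exceeds its allotted wall-clock time."""


@contextmanager
def scanner_timeout(seconds):
    """Abort the enclosed block with ScannerTimeout after `seconds`.

    Built on SIGALRM, so it only works in the main thread of a POSIX
    process; that is the same constraint any signal-based timeout has.
    """
    def _on_alarm(signum, frame):
        raise ScannerTimeout(f"scanner exceeded {seconds}s")

    previous = signal.signal(signal.SIGALRM, _on_alarm)
    if previous is None:  # prior handler was not installed from Python
        previous = signal.SIG_DFL
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        yield
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)   # cancel the pending alarm
        signal.signal(signal.SIGALRM, previous)   # restore the prior handler


def run_scanner(scan_fn, data, timeout):
    """Run one scanner callable under a timeout and return an event dict.

    A scanner that runs too long is flagged 'timed_out' (constructed name)
    and an unhandled exception is flagged 'uncaught_exception', so the
    worker keeps processing the file instead of dying with the scanner.
    """
    event = {"flags": []}
    start = time.monotonic()
    try:
        with scanner_timeout(timeout):
            event.update(scan_fn(data))
    except ScannerTimeout:
        event["flags"].append("timed_out")
    except Exception as exc:  # deliberately broad: any scanner bug is recorded
        event["flags"].append("uncaught_exception")
        event["error"] = repr(exc)
    event["elapsed"] = round(time.monotonic() - start, 3)
    return event


# Constructed stand-in scanners, not real Strelka scanners.
def fast_scanner(data):
    return {"size": len(data)}


def slow_scanner(data):
    time.sleep(10)  # well past any timeout used here; the alarm interrupts it
    return {"size": len(data)}


def broken_scanner(data):
    raise ValueError("bad header")


if __name__ == "__main__":
    sample = b"constructed sample bytes"
    for name, fn in [("fast", fast_scanner), ("slow", slow_scanner), ("broken", broken_scanner)]:
        print(name, run_scanner(fn, sample, timeout=0.2))
```

The `finally` block is the important part: the timer is cancelled and the previous handler restored whether the scanner returned, timed out, or raised, so one scanner's alarm can never fire inside the next scanner.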
- Added `ScanBMPEoF` steganalysis scanner. (University of Minnesota)
- Added `ScanLSB` steganalysis scanner. (University of Minnesota)
- Added `ScanNF` steganalysis scanner. (University of Minnesota)
- Added `ScanPNGEoF` steganalysis scanner. (University of Minnesota)
- Adding `embedded_files` and `needs_pass` fields to `ScanPDF`
- Updated `ScanLNK` with additional fields and new scanner structure. (Ryan Borre / @Derekt2 / @swackhamer)
- Added GitHub CodeQL vulnerability identification Action
- Fixed / updated `ScanPdf` with new functionality. May require current implementations to change parsing. (Ryan Borre)
- Removed `[DEBUG]` warnings from `ScanQR`.
- Updated `ScanELF` with bug fix.
- Removed error logging from `ScanELF`
- Updating build to include `exiftool` dependency. (@cameron-dunn-sublime)
- Pinned and updated all `go` build dockerfiles to `1.17.6`
- Updated all `go mod` files to match `go` requirements.
- Updated `numpy` dependency.
- Updated `readme` with new client application build instructions.
- Fix bug with `scan_javascript` pertaining to regular expression identification. (@cawalch)
- Updating `lxml` from version `4.6.3` to `4.6.5`.
- Updating `CAPA` from version `3.0.1` to `3.0.3`.
- Updating `exiftool` from version `12.36` to `12.38`.
- Modified `mmrpc` Dockerfile to fix compilation build issues on ARM architecture.
- Modified `exiftool` repository reference to increase stability
- Updating `backend` dependencies
- Updating `go` dependencies
- Fix K8S backend configmap yaml (@cameron-dunn-sublime)
- Updated `exiftool` from version `12.28` to `12.30` (@cameron-dunn-sublime)
- Updated `exiftool` from version `12.25` to `12.28`
- Default YARA volume mount and placeholder test YARA rule to verify ScanYARA functionality. (@Derekt2)
- `scan_pe` refactor / additions (@swackhamer)
- `scan_qr` QR code scanner (@aaronherman)
- Updated `YARA` from 3.11.0 to 4.0.5
- Updated various `python` dependencies
- Bug fix for `scan_footer`
- `scan_footer` file footer scanner
- Updated `pygments` dependency
- Refactored `go` Dockerfiles
- Hardcoded container names
- Changed ScanPDF scanner from `pdfminer.six` to `PyMuPDF`
- Accepted `dependabot` pull request, updating dependency `lxml` from `4.6.2` to `4.6.3`
- `README` updated with formatting and images
- `Python-Client`: Strelka standalone python file submission client (@scottpas)
- `Strelka Oneshot` Dockerfile
- `GitHub Actions`: additional workflows for client builds
- Updated `filestream` sample config
- `Filestream Processed Directory`: added ability to move files from a staging directory to a processed directory on completion. (@weslambert)
- `GitHub Actions`: Strelka builder and badge to test main branch on push and each day
- Updated `go` Dockerfiles with module fixes
- Pinned python versions for module `cryptography`
- `ubuntu` versions for `strelka-backend` and `strelka-mmrpc` updated to `20.04`
- Accepted `dependabot` pull request, updating dependency `lxml` from `4.5.0` to `4.6.2`
- `kubernetes` deployment example added. (@scottpas)
- Added option to disable Strelka Backend shutdown (@weslambert)
- `scan_manifest` scanner (@Derekt2)
- Pinned redis module to version 8 due to bug causing frontend and manager to fail compilation (target#142) (phutelmyer)
- `scan_capa` FireEye scanner (@phutelmyer)
- `scan_floss` FireEye scanner (@phutelmyer)
- Fixed bug caused by update to go-redis, requiring Context objects to be added to redis commands
- Fixed bug causing path issue when building container.
- `strelka-oneshot` cli app to allow for submission of a file for testing without the need for a config file. (@rhaist)
- `swig` as build/wheel dependency for M2Crypto (@rhaist)
- Updating dependencies for various packages (@rhaist)
- Formatting all go source files to match official guidelines (@rhaist)
- Added additional error handling for `scan_lnk` scanner (@Derekt2)
- Typo fixed in README.md (@weslambert)
- Added `tree.root` metadata to `tree` object
- Added `scan_base64_pe` scanner which decodes base64-encoded files
- Added `scan_lnk` scanner which provides metadata for LNK files
- Added `yara.tags` to `yara` scanner which collects Tags from YARA matches
- Changed scanner imports in `scan_vba`. Changed olevba3 package to olevba due to deprecation.
- Added additional error handling for corrupt documents in ScanDocx
- Updated YARA version from 3.10 to 3.11
- Removed logging reference in ScanEncryptedDoc
- Modified error handling for ScanPlist
- Added ScanAntiword into backend scanner configuration file (commented out)
- Added ScanEncryptedDoc which allows users to decrypt documents.
- Added additional error handling for ScanDocx
- Modified ScanPE to include additional error handling.
- Added ScanDoc support for additional metadata extraction.
- Added support for ScanRar RAR extraction with passwords.
- Added olecf flavor to ScanIni default
- Fixed bug in ScanTnef where an exception was thrown when a key is not present.
- Fixed bug in ScanPe when header field is nonexistent (jshlbrd)
- Improved speed of ScanZip decryption (jshlbrd)
- ScanMmbot fields are now internally consistent with other event dictionaries (jshlbrd)
- Fixed bug in ScanMacho dynamic symbols (jshlbrd)
- Renamed 'decompressed_size' to 'size' across all decompression scanners (jshlbrd)
- Two new fields in ScanIni (comments and sections) (jshlbrd)
- New scanner ScanZlib can decompress Zlib files (jshlbrd)
- Fixed unintended CRC exception when decrypting ZIP files (jshlbrd)
- New scanner ScanIni can parse INI files (jshlbrd)
- Renamed strelka-redis to strelka-manager (jshlbrd)
- Updated ScanPe to better sync with ScanElf and ScanMacho (jshlbrd)
- Fixed frontend crashing issues when empty files are sent to cluster (jshlbrd)
- Added Gatekeeper (temporary event cache), a new required component (jshlbrd)
- Transitioned ScanMacho from macholibre to LIEF (jshlbrd)
- Fixed multiple issues in ScanElf JSON dictionary (jshlbrd)
- Transitioned ScanElf from pyelftools to LIEF (jshlbrd)
- Fixed ScanPdf f-string flags (jshlbrd)
- scan_* dictionaries are now nested under scan: {} (jshlbrd)
- 'time' field is now 'request.time' (jshlbrd)
- 'file.scanners_list' is now 'file.scanners' (jshlbrd)
- Updated YAML files to use 2 spaces instead of 4 spaces (jshlbrd)
- Conflicting variable names were refactored (jshlbrd)
- Added .env file for cleaner execution of docker-compose (jshlbrd)
- go-redis Z commands changed to non-literal (jshlbrd)
- 'throughput' section added to fileshot and filestream configuration files (jshlbrd)
- Added default docker-compose DNS hosts to misc/envoy/* configuration templates (jshlbrd)
- Added Docker volume mapping to frontend in default docker-compose (jshlbrd)
- Forked pyopenssl replaced with M2Crypto (jshlbrd)
- 'tree' event dictionary is now nested under 'file' event dictionary (jshlbrd)
- Scanner event dictionaries now start with 'scan_' (jshlbrd)
- Timestamps are now unix/epoch (jshlbrd)
- ScanExiftool now outputs 'human readable' data (jshlbrd)
- Looping Redis commands sleep at a consistent interval of 250ms (jshlbrd)
- 'cache' is no longer used -- 'coordinator' takes over all Redis tasks (jshlbrd)
- Switched pyopenssl to forked package (jshlbrd)
- Archived 0MQ branch (jshlbrd)
- Migrated gRPC to master (jshlbrd)
- Dockerfile now supports UTC and local time (ufomorme)
- Scan event start and finish timestamps now support UTC and local time (ufomorme)
- Improved YARA tasting signature for email files (DavidJBianco)
- Fixed install path for taste directory (jshlbrd)
- "beautified" field (bool) to ScanJavascript (jshlbrd)
- strelka_dirstream.py now supports recursive directory scanning (zachsis)
- ScanZip now supports decryption via password bruteforcing (ksdahl)
- Unit tests for ScanPe added (infosec-intern)
- strelka_dirstream.py now supports moving files after upload (zachsis)
- Added version info to ScanPe (infosec-intern)
- Expanded identification of email files (DavidJBianco)
- pip packages now installed via requirements.txt file(s) (infosec-intern)
- EOF error flag to ScanBzip2 (jshlbrd)
- taste_yara now loads files from directories, not a static file (ksdahl)
- Options for manually setting ZeroMQ TCP reconnections on the task socket (between broker and workers) (jshlbrd)
- "request_port" option renamed to "request_socket_port" (jshlbrd)
- "task_port" option renamed to "task_socket_port" (jshlbrd)
- strelka_dirstream.py switched from using inotify to directory polling (jshlbrd)
- strelka_dirstream.py supports monitoring multiple directories (jshlbrd)
- extract-strelka.bro will temporarily disable file extraction when the extraction directory reaches a maximum threshold (jshlbrd)
- New scanner ScanFalconSandbox can send files to CrowdStrike's Falcon Sandbox (ksdahl)
- New scanner ScanPhp can collect tokenized metadata from PHP files (jshlbrd)
- New scanner ScanStrings can collect strings from file data (similar to Unix "strings" utility) (jshlbrd)
- ScanPdf was unintentionally extracting duplicate streams, but now it is fixed to only extract unique streams (jshlbrd)
- ScanJavascript now supports deobfuscating JavaScript files before parsing metadata (jshlbrd)
- ScanUrl now supports user-defined regular expressions that can be called per-file (jshlbrd)
- Refactored taste.yara `javascript_file` rule for readability (jshlbrd)
- Removed JavaScript files from ScanUrl in the default strelka.yml (jshlbrd)
- Project went public!