Merge branch 'master' of github.com:teamdfir/sift-saltstack

* 'master' of github.com:teamdfir/sift-saltstack:
  Re-add INDXParse to init (#59)
  Fix for malfind yarascan plugin issue 389 (#61)
  Update PDF Hash for Zimmermantools (#62)

sift/config/user/pdfs.sls

@@ -47,7 +47,7 @@ set pdfs = [
     "id": "poster-zimmerman-tools",
     "filename": "Zimmerman-Tools-Poster.pdf",
     "source": "https://sansorg.egnyte.com/dd/l96Cpf39jx/",
-    "hash": "bc9072d1ef9c1a90c157ebc0b738c1cf2578f2453c255dd87161387f3025c2c7"
+    "hash": "8cbc02298b743217ffebd5887787d7bad7b4ea30715f9a74715aa31c41f8b7cc"
   },
   {
     "id": "poster-hunt-evil",

sift/python-packages/indxparse.sls

@@ -8,6 +8,7 @@ include:
   - sift.packages.pkg-config
   - sift.packages.python3-pip
   - sift.packages.python2-pip
+  - sift.packages.python2-dev
   - sift.packages.python-wxgtk3
 
 sift-python-packages-indxparse:
@@ -20,12 +21,13 @@ sift-python-packages-indxparse:
       - sls: sift.packages.g++
       - sls: sift.packages.pkg-config
       - sls: sift.packages.python2-pip
+      - sls: sift.packages.python2-dev
       - sls: sift.packages.libfuse-dev
       - sls: sift.packages.python-wxgtk3
 
 sift-python-packages-indxparse-shebang:
   file.prepend:
     - name: /usr/local/bin/INDXParse.py
-    - text: '#!/usr/bin/env python'
+    - text: '#!/usr/bin/env python2'
     - watch:
       - pip: sift-python-packages-indxparse

sift/python-packages/init.sls

@@ -8,6 +8,7 @@ include:
   - sift.python-packages.distorm3
   - sift.python-packages.docopt
   - sift.python-packages.geoip2
+  - sift.python-packages.indxparse
   - sift.python-packages.ioc_writer
   - sift.python-packages.lxml
   - sift.python-packages.ntdsxtract
@@ -40,6 +41,7 @@ sift-python-packages:
       - sls: sift.python-packages.distorm3
       - sls: sift.python-packages.docopt
       - sls: sift.python-packages.geoip2
+      - sls: sift.python-packages.indxparse
       - sls: sift.python-packages.ioc_writer
       - sls: sift.python-packages.lxml
       - sls: sift.python-packages.ntdsxtract

sift/python-packages/volatility.sls

@@ -1,5 +1,13 @@
 {%- set remove_plugins = ["malprocfind.py","idxparser.py","chromehistory.py","mimikatz.py","openioc_scan.py","pstotal.py","firefoxhistory.py","autoruns.py","malfinddeep.py","prefetch.py","ssdeepscan.py","uninstallinfo.py","trustrecords.py","usnparser.py","apihooksdeep.py","editbox.py","javarat.py"] -%}
 
+# Name: Volatility Framework
+# Website: https://github.com/volatilityfoundation/volatility
+# Description: Memory forensics tool and framework
+# Category: Perform Memory Forensics
+# Author: https://github.com/volatilityfoundation/volatility/blob/2.6.1/AUTHORS.txt
+# License: GNU General Public License (GPL) v2: https://github.com/volatilityfoundation/volatility/blob/2.6.1/LICENSE.txt
+# Notes: Use vol.py to invoke this version of Volatility. To eliminate conflicts among command-line options for Volatility plugins, the following `yarascan` options have been changed: `-Y` became `-U` and `-C` became `-c`.
+
 include:
   - sift.repos.sift
   - sift.packages.git
@@ -91,3 +99,23 @@ sift-python-volatility-mimikatz-plugin-update:
     - watch:
       - git: sift-python-volatility-community-plugins
       - pip: sift-python-packages-volatility
+
+sift-python-packages-volatility-malfind-yarascan-options1:
+  file.replace:
+    - name: /usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py
+    - pattern: short_option = 'C'
+    - repl: short_option = 'c'
+    - prepend_if_not_found: False
+    - count: 1
+    - require:
+      - git: sift-python-volatility-community-plugins
+
+sift-python-packages-volatility-malfind-yarascan-options2:
+  file.replace:
+    - name: /usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py
+    - pattern: short_option = 'Y'
+    - repl: short_option = 'U'
+    - prepend_if_not_found: False
+    - count: 1
+    - require:
+      - file: sift-python-packages-volatility-malfind-yarascan-options1