Admin Guide

Configuration

Permissions

Package (synapse-fileparser) defines the following permissions:
power-ups.fileparser.user        : Allows a user to parse files with Synapse-FileParser. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.fileparser.user
Added rule power-ups.fileparser.user to user visi.

or:

> auth.role.addrule ninjas power-ups.fileparser.user
Added rule power-ups.fileparser.user to role ninjas.

Exported APIs

Synapse FileParser exports the following Storm APIs.

parse(sha256, conf=$lib.null)
-----------------------------

    Parse a file by SHA-256 and extract nodes from metadata.

    Args:
        sha256 (str): The SHA-256 of the file.
        conf (dict or null): The parser configuration dictionary.

    Returns:
        null


parseNode(n, conf=$lib.null)
----------------------------

    Parse a file node, or a file associated with the node, and extract nodes from metadata.

    If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
    file:bytes node will be used.

    Args:
        n (node): A file node, hash node, or inet:email:message.
        conf (dict or null): The parser configuration dictionary.

    Returns:
        null


getParseGenr(sha256, conf=$lib.null)
------------------------------------

    Return the parser generator for a given SHA-256.

    Args:
        sha256 (str): The SHA-256 of the file.
        conf (dict or null): The parser configuration dictionary.

    Returns:
        generator: A generator that yields [str, tuple, dict] parser events.
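The three entry points above do the same work at different levels: parse() takes a raw SHA-256, parseNode() resolves the file:bytes for you from a hash or email-message node, and getParseGenr() hands you the parser's event stream without writing anything to the Cortex. The Storm below is an added example, not code from the Power-Up's own documentation; it assumes the package exports its API module under the name synapse-fileparser and uses a placeholder tag #mal.sample for the nodes you want to parse. Run each numbered block as its own query, because in a single query the lifts would accumulate and feed every node into the final loop.

```storm
// Added example (not from the synapse-fileparser docs).
// Assumptions: the API module is imported as "synapse-fileparser";
// #mal.sample is a placeholder tag on file:bytes / hash:md5 nodes.
$fp = $lib.import("synapse-fileparser")

// 1. parse() by SHA-256. The hex comes from the node's :sha256 prop so we do not
//    have to type a hash. It returns null; extracted nodes are a side effect.
file:bytes#mal.sample
$fp.parse(:sha256)

// 2. parseNode() on a hash:md5 node. The first file:bytes associated with the
//    MD5 is used, so the caller does not need to pivot to file:bytes first.
//    conf=$lib.null keeps the parser's default configuration.
hash:md5#mal.sample
$fp.parseNode($node, conf=$lib.null)

// 3. getParseGenr() for a dry run: iterate the [str, tuple, dict] events the
//    parser would emit and print them instead of creating nodes.
file:bytes#mal.sample
for ($evt, $args, $info) in $fp.getParseGenr(:sha256) {
    $lib.print("{evt}: args={args} info={info}", evt=$evt, args=$args, info=$info)
}
```

Both parse() and parseNode() require the power-ups.fileparser.user rule from the Permissions section; a user without it gets an AuthDeny from the call rather than an empty result.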


hexdump(n, size=(1024))
-----------------------

    Print the hexdump of a file node, or a file associated with the node.

    If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
    file:bytes node will be used.

    Args:
        n (node): A file node, hash node, or inet:email:message.
        size (int): The max number of bytes to dump.

    Returns:
        null


strings(n, size=(1024), scrape=$lib.false, filters=$lib.null)
-------------------------------------------------------------

    Brute-force detect ASCII strings from a file node, or a file associated with the node, and print the results.

    If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
    file:bytes node will be used.

    Args:
        n (node): A file node, hash node, or inet:email:message.
        size (int): The max number of bytes to parse.
        scrape (bool): Scrape indicators from the strings to create refs.
        filters (str | list): Regular expression pattern(s) to filter the
            output. If a list is specified, only one of the patterns needs to
            match for the string to be printed.

    Returns:
        null


iterStrings(n, size=(1024))
---------------------------

    Emit brute-force detected ASCII strings from a file node, or a file associated with the node.

    If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
    file:bytes node will be used.

    Args:
        n (node): A file node, hash node, or inet:email:message.
        size (int): The max number of bytes to parse.

    Emits:
        (str or null): The detected strings, or null if a SHA-256 could not be resolved from the node.
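hexdump() and strings() are the interactive triage tools (they print), while iterStrings() is the programmatic form (it emits, and emits a single null when the node cannot be resolved to a file). The Storm below is an added example, not from the Power-Up's own documentation; it assumes the module is imported as synapse-fileparser and uses a placeholder tag #mal.sample. The regular expressions are written in single-quoted Storm strings so that backslashes are kept literally.

```storm
// Added example (not from the synapse-fileparser docs).
// Assumptions: module imported as "synapse-fileparser"; #mal.sample is a placeholder tag.
$fp = $lib.import("synapse-fileparser")

// Quick look at a sample: the first 256 bytes as a hexdump, then the ASCII
// strings in the first 1 MiB that look like URLs, PE names or a shell spawn.
// filters is a list, so a string is printed when ANY pattern matches.
// scrape=$lib.true additionally scrapes indicators out of the strings and
// creates refs from the file to them.
file:bytes#mal.sample
$fp.hexdump($node, size=(256))
$fp.strings($node, size=(1048576), scrape=$lib.true,
            filters=(['https?://', '\.(exe|dll)$', 'cmd\.exe']))

// Programmatic use on hash:md5 nodes: iterStrings() resolves the first
// associated file:bytes. If none exists it emits a single null, which we
// treat as "no bytes available" rather than as an empty string.
hash:md5#mal.sample
$count = (0)
for $s in $fp.iterStrings($node, size=(65536)) {
    if ($s = $lib.null) {
        $lib.warn("no file:bytes available for {n}", n=$node.repr())
        break
    }
    if $s.startswith("http") { $count = ($count + 1) }
}
$lib.print("{n}: {c} URL-like strings", n=$node.repr(), c=$count)
```

Keep size bounded on large samples: all three calls read at most size bytes, and the default of 1024 is deliberately small so that a hexdump or strings call in a dashboard does not pull an entire multi-megabyte file through the Storm runtime.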


getParserInfo(mime=$lib.null)
-----------------------------

    Get the status of active parsing tasks.

    Returns:
        list: A list of info dicts for the active parsing tasks.


cancel(iden)
------------

    Cancel a running parsing task by iden.

    Args:
        iden (str): The iden of the task.

    Returns:
        tuple: A (bool, str) tuple indicating whether the cancel request was successful.


iterText(sha256, conf=$lib.null)
--------------------------------

    Get a generator for iterating over parsed text from a file.

    The SHA-256 in the messages are for the file/subfile that the
    data belongs to.

    Args:
        sha256 (str): The SHA-256 of the file.
        conf (dict or null): The parser configuration dictionary.

    Returns:
        generator: A generator that yields [ok, sha256, text] messages.


fireText(sha256, template, conf=$lib.null)
------------------------------------------

    Retrieve data from a file using an htmlToJson template.

    Warn and debug messages will be printed to the console.

    Args:
        sha256 (str): The SHA-256 of the file.
        template (dict): An htmlToJson template.
        conf (dict or null): The parser configuration dictionary.

    Returns:
        tuple: An [ok, data] tuple.


parseYaraRules(text, timeout=(60))
----------------------------------

    Parse a set of yara rules and return the rules without creating nodes.

    Args:
        text (str): The text to parse.
        timeout (int): A timeout for the parse operation.

    Returns:
        generator: A generator that yields [ok, data] messages.
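iterText() and parseYaraRules() both return generators of [ok, ...] messages, so the caller decides what to do with a failure instead of the whole query aborting. The Storm below is an added example, not from the Power-Up's own documentation; it assumes the module is imported as synapse-fileparser and uses a placeholder tag #mal.sample. The YARA rule is a constructed one-line sample, written in a single-quoted Storm string so the $a identifiers are passed through untouched.

```storm
// Added example (not from the synapse-fileparser docs).
// Assumptions: module imported as "synapse-fileparser"; #mal.sample is a placeholder tag.
$fp = $lib.import("synapse-fileparser")

// Extract the text of a document. The sha256 in each message identifies the
// file or sub-file the text came from (for example an attachment inside an
// archive), so it is not always the sha256 we passed in.
file:bytes#mal.sample
for ($ok, $sha256, $text) in $fp.iterText(:sha256) {
    if (not $ok) {
        $lib.warn("text extraction failed for {s}", s=$sha256)
        continue
    }
    $lib.print("{s}: {n} characters of text", s=$sha256, n=$lib.len($text))
}

// Validate a rule set before loading it: parseYaraRules() parses the text and
// returns the rules without creating any nodes. A syntax error comes back as
// an [ok=false, data] message rather than raising, so check every message.
// The rule text below is a constructed sample.
$rules = 'rule example_rule { strings: $a = "hello" condition: $a }'
for ($ok, $data) in $fp.parseYaraRules($rules, timeout=(30)) {
    if (not $ok) {
        $lib.warn("yara parse failed: {d}", d=$data)
        continue
    }
    $lib.print("parsed rule: {d}", d=$data)
}
```

The timeout on parseYaraRules() is the guard against pathological rule files; a lower value than the default of 60 seconds is reasonable when the text comes from an untrusted upload.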

Node Actions

Synapse FileParser provides the following node actions in Optic:

Name : parse
Desc : $lib.null
Forms: file:bytes

Name : wget
Desc : $lib.null
Forms: inet:url