Admin Guide
Configuration
Permissions
Package (synapse-fileparser) defines the following permissions:
power-ups.fileparser.user : Allows a user to parse files with Synapse-FileParser. ( default: false )
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.fileparser.user
Added rule power-ups.fileparser.user to user visi.
or:
> auth.role.addrule ninjas power-ups.fileparser.user
Added rule power-ups.fileparser.user to role ninjas.
Exported APIs
Synapse FileParser exports the following Storm APIs.
parse(sha256, conf=$lib.null)
-----------------------------
Parse a file by SHA-256 and extract nodes from metadata.
Args:
sha256 (str): The SHA-256 of the file.
conf (dict or null): The parser configuration dictionary.
Returns:
null
parseNode(n, conf=$lib.null)
----------------------------
Parse a file node, or a file associated with the node, and extract nodes from metadata.
If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
file:bytes node will be used.
Args:
n (node): A file node, hash node, or inet:email:message.
conf (dict or null): The parser configuration dictionary.
Returns:
null
getParseGenr(sha256, conf=$lib.null)
------------------------------------
Return the parser generator for a given SHA-256.
Args:
sha256 (str): The SHA-256 of the file.
conf (dict or null): The parser configuration dictionary.
Returns:
generator: A generator that yields [str, tuple, dict] parser events.
hexdump(n, size=(1024))
-----------------------
Print the hexdump of a file node, or a file associated with the node.
If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
file:bytes node will be used.
Args:
n (node): A file node, hash node, or inet:email:message.
size (int): The max number of bytes to dump.
Returns:
null
strings(n, size=(1024), scrape=$lib.false, filters=$lib.null)
-------------------------------------------------------------
Brute-force detect ASCII strings from a file node, or a file associated with the node, and print the results.
If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
file:bytes node will be used.
Args:
n (node): A file node, hash node, or inet:email:message.
size (int): The max number of bytes to parse.
scrape (bool): Scrape indicators from the strings to create refs.
filters (str | list): Regular expression pattern(s) to filter the
output. If a list is specified, only one of the patterns needs to
match for the string to be printed.
Returns:
null
iterStrings(n, size=(1024))
---------------------------
Emit brute-force detected ASCII strings from a file node, or a file associated with the node.
If a hash:md5, hash:sha1, or inet:email:message node is provided the first associated
file:bytes node will be used.
Args:
n (node): A file node, hash node, or inet:email:message.
size (int): The max number of bytes to parse.
Emits:
(str or null): The detected strings, or null if a SHA-256 could not be resolved from the node.
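The following Storm query is an added example (not from the Power-Up's own documentation) that chains parseNode and iterStrings from above: it parses each tagged file, then prints only the strings that look like URLs, handling the null emitted when no SHA-256 resolves. It assumes the module is imported by its package name, synapse-fileparser, and that a review tag (#review) has been applied to the files of interest.

```storm
// Added example, not the Power-Up's own code.
// Assumption: the exported APIs are reached via $lib.import(synapse-fileparser);
// check the deployed module name if the import fails.
$fp = $lib.import(synapse-fileparser)

// Lift file:bytes nodes carrying the (constructed) #review tag and parse each
// one so metadata nodes are created. parseNode() returns null, so the file
// node keeps flowing down the pipeline.
file:bytes#review
$fp.parseNode($node)

// Pull brute-force detected strings from the first 64 KiB and keep only those
// containing a URL scheme. scrape is not used here, so no refs are created.
for $s in $fp.iterStrings($node, size=(65536)) {
    // iterStrings emits null when no SHA-256 can be resolved for the node.
    if ($s = $lib.null) {
        $lib.warn('no SHA-256 resolved for {n}', n=$node.repr())
        break
    }
    if $lib.regex.matches('https?://', $s) {
        $lib.print('{n}: {s}', n=$node.repr(), s=$s)
    }
}
```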
getParserInfo(mime=$lib.null)
-----------------------------
Get the status of active parsing tasks.
Returns:
list: A list of info dicts for the active parsing tasks.
cancel(iden)
------------
Cancel a running parsing task by iden.
Args:
iden (str): The iden of the task.
Returns:
tuple: A (bool, str) tuple indicating whether the cancel request was successful.
iterText(sha256, conf=$lib.null)
--------------------------------
Get a generator for iterating over parsed text from a file.
The SHA-256 in each message is for the file/subfile that the
data belongs to.
Args:
sha256 (str): The SHA-256 of the file.
conf (dict or null): The parser configuration dictionary.
Returns:
generator: A generator that yields [ok, sha256, text] messages.
fireText(sha256, conf=$lib.null)
--------------------------------
Retrieve data from a file using an htmlToJson template.
Warn and debug messages will be printed to the console.
Args:
sha256 (str): The SHA-256 of the file.
template (dict): An htmlToJson template.
conf (dict or null): The parser configuration dictionary.
Returns:
tuple: An [ok, data] tuple.
parseYaraRules(text, timeout=(60))
----------------------------------
Parse a set of yara rules and return the rules without creating nodes.
Args:
text (str): The text to parse.
timeout (int): A timeout for the parse operation.
Returns:
generator: A generator that yields [ok, data] messages.
Node Actions
Synapse FileParser provides the following node actions in Optic:
Name : parse
Desc : $lib.null
Forms: file:bytes
Name : wget
Desc : $lib.null
Forms: inet:url