Storm Package: synapse-fileparser
The following commands are available from this package. This documentation is generated for version 4.20.0 of the package.
Storm Commands
This package implements the following Storm Commands.
fileparser.hexdump
Display a hexdump of the file/hash node.
Usage: fileparser.hexdump [options]
Options:
--help : Display the command usage.
--size <size> : The max number of bytes to dump. (default: 256)
fileparser.parse
Parse a file/hash node and extract nodes from metadata.
By default the MIME type is auto-detected; it can also be specified with the --mime option
using the parser name, alias, or actual MIME type as listed by fileparser.parsers.
Examples:
// Parse file and pivot to created references
file:bytes#my.txt.file | fileparser.parse | -(refs)> *
// Parse a zip file and pivot to the archive entries
file:bytes#my.zip.file | fileparser.parse | -> file:archive:entry:parent :file-> file:bytes
// Parse X.509 file and pivot to created nodes
file:bytes#my.cert.file | fileparser.parse | :sha256 -> crypto:x509:cert:sha256
// Specify MIME using the parser name
file:bytes#my.file | fileparser.parse --mime rfc822
// Do not recursively parse subfiles/archive entries
// The subfile will still have a file:archive:entry node created and be uploaded to the Axon
file:bytes#my.zip.file | fileparser.parse --no-recurse
// Parse a file and specify mime-specific configuration options
file:bytes#my.exe.file | fileparser.parse --conf ({ "exe:strings": $lib.true, "exe:strings:minlen": 12 })
Usage: fileparser.parse [options]
Options:
--help : Display the command usage.
--mime <mime> : The mime type or mime alias of the file.
--timeout <timeout> : Parser execution timeout in seconds (defaults to None).
--passwd <passwd> : Use password to unlock file (see individual parser help for support).
--no-recurse : Do not recursively parse subfiles.
--debug : Print debug output from the parser.
--conf <conf> : Configuration options dictionary for individual parsers.
The command is aware of how to automatically handle the following forms as input nodes:
file:bytes
hash:md5
hash:sha1
hash:sha256
inet:email:message
fileparser.parsers
List available parsers.
Examples:
// List summary information for all parsers
fileparser.parsers
// List detailed information for a specific parser
fileparser.parsers --mime pdf
Usage: fileparser.parsers [options]
Options:
--help : Display the command usage.
--mime <mime> : The mime type or mime alias to get detailed information for.
fileparser.status
Status of active parsing tasks.
Usage: fileparser.status [options]
Options:
--help : Display the command usage.
--debug : Print task debug information.
fileparser.strings
Brute-force detect ASCII strings from the file/hash node. String output
may be filtered using the --filters command line option, which accepts
either a single regular expression or a list of them.
Examples:
// Filter strings that look like an IP address and scrape them
file:bytes:name=foo.txt | fileparser.strings --filters "\d+\.\d+\.\d+\.\d+" --scrape
// Filter strings with the word "woot"
file:bytes:name=foo.txt | fileparser.strings --filters "woot"
// Case-insensitive filter for "woot"
file:bytes:name=foo.txt | fileparser.strings --filters "(?i)woot"
// Filter strings that start with "woot" or end with "foo"
file:bytes:name=foo.txt | fileparser.strings --filters ("^woot", "foo$")
Usage: fileparser.strings [options]
Options:
--help : Display the command usage.
--size <size> : The max number of bytes to parse. (default: 1024)
--scrape : Scrape indicators from the strings to create refs.
--filters <filters> : Regular expression pattern (or patterns) to filter results with. (default: None)
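The filter semantics above (a single pattern or a list, applied with regex search over the strings found in the first --size bytes) are illustrated by this added Python example, which is not the synapse-fileparser package's own code. It assumes a minimum run length of 4 printable bytes, as the classic strings tool does; the sample bytes are constructed, and the --scrape step (which creates refs in the Cortex) is not reproduced.

```python
# Added example (not synapse-fileparser code): brute-force ASCII string
# extraction with --size and --filters style behaviour.
import re
from typing import Iterable, List, Optional, Union

MINLEN = 4  # assumption: minimum printable run length, like the classic `strings` tool


def extract_strings(data: bytes, size: int = 1024, minlen: int = MINLEN) -> List[str]:
    """Return runs of at least `minlen` printable-ASCII bytes from the first `size` bytes."""
    window = data[:size]
    pattern = rb'[\x20-\x7e]{%d,}' % minlen
    return [m.group().decode('ascii') for m in re.finditer(pattern, window)]


def filter_strings(strings: Iterable[str],
                   filters: Union[None, str, Iterable[str]]) -> List[str]:
    """Keep strings matching any pattern; `filters` may be one regex or a list of them."""
    if filters is None:
        return list(strings)
    if isinstance(filters, str):
        filters = [filters]
    compiled = [re.compile(p) for p in filters]
    return [s for s in strings if any(p.search(s) for p in compiled)]


def strings_cmd(data: bytes, size: int = 1024,
                filters: Union[None, str, Iterable[str]] = None) -> List[str]:
    """Equivalent of `fileparser.strings --size <size> --filters <filters>`."""
    return filter_strings(extract_strings(data, size), filters)


# Constructed sample: NUL-separated fragments, some shorter than MINLEN and
# some containing non-printable bytes, so the edge cases are exercised.
SAMPLE = (b'\x00\x01MZ\x00\x00'
          + b'http://example.invalid/\x00'
          + b'woot-beacon\x00'
          + b'\x7f\x80'
          + b'Woot\x00'
          + b'foo\x00'
          + b'barfoo\x00'
          + b'192.0.2.10\x00'
          + b'ab\x00')

if __name__ == '__main__':
    for pats in (None, 'woot', '(?i)woot', ('^woot', 'foo$'), r'\d+\.\d+\.\d+\.\d+'):
        print(pats, '->', strings_cmd(SAMPLE, filters=pats))
```

Note that --size limits the bytes scanned, not the number of strings returned: a run that straddles the size boundary is truncated, which is why a small cap can surface a partial string such as the leading "http" of a URL.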
fileparser.text
Print text extracted from samples.
Usage: fileparser.text [options]
Options:
--help : Display the command usage.
--size <size> : The max number of bytes to parse. (default: 1024)
--mime <mime> : The mime type or mime alias of the file.
--timeout <timeout> : Parser execution timeout in seconds (defaults to None).
--passwd <passwd> : Use password to unlock file (see individual parser help for support).
--no-recurse : Do not recursively parse subfiles.
--debug : Print debug output from the parser.
--conf <conf> : Configuration options dictionary for individual parsers.
Storm Modules
This package does not export any Storm APIs.