Storm Package: synapse-fileparser

The following Commands are available from this package. This documentation is generated for version 4.20.0 of the package.

Storm Commands

This package implements the following Storm Commands.

fileparser.hexdump

Display a hexdump of the file/hash node.

Usage: fileparser.hexdump [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of bytes to dump. (default: 256)

fileparser.parse

Parse a file/hash node and extract nodes from metadata.

By default the MIME type is auto-detected; however, it can also be specified via the --mime option
using either the parser name, alias, or actual MIME type as shown in fileparser.parsers.

Examples:

  // Parse file and pivot to created references
  file:bytes#my.txt.file | fileparser.parse | -(refs)> *

  // Parse a zip file and pivot to the archive entries
  file:bytes#my.zip.file | fileparser.parse | -> file:archive:entry:parent :file-> file:bytes

  // Parse X.509 file and pivot to created nodes
  file:bytes#my.cert.file | fileparser.parse | :sha256 -> crypto:x509:cert:sha256

  // Specify MIME using the parser name
  file:bytes#my.file | fileparser.parse --mime rfc822

  // Do not recursively parse subfiles/archive entries
  // The subfile will still have a file:archive:entry node created and be uploaded to the Axon
  file:bytes#my.zip.file | fileparser.parse --no-recurse

  // Parse a file and specify mime-specific configuration options
  file:bytes#my.exe.file | fileparser.parse --conf ({ "exe:strings": $lib.true, "exe:strings:minlen": 12 })


Usage: fileparser.parse [options]

Options:

  --help                      : Display the command usage.
  --mime <mime>               : The mime type or mime alias of the file.
  --timeout <timeout>         : Parser execution timeout in seconds (defaults to None).
  --passwd <passwd>           : Use password to unlock file (see individual parser help for support).
  --no-recurse                : Do not recursively parse subfiles.
  --debug                     : Print debug output from the parser.
  --conf <conf>               : Configuration options dictionary for individual parsers.

The command is aware of how to automatically handle the following forms as input nodes:

  • file:bytes

  • hash:md5

  • hash:sha1

  • hash:sha256

  • inet:email:message
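The zip examples above rely on two behaviours of fileparser.parse: every archive entry gets a file:archive:entry node whose :parent is the container and whose :file is the entry's own file:bytes, and --no-recurse stops the parser from descending into entries that are themselves parseable. The following stand-alone Python is an added illustration of those semantics and is not synapse-fileparser's own code: it walks a constructed nested zip, emits one dict per entry modelled on file:archive:entry (the dict keys, the `recurse`/`passwd` parameters and the sample archive are this example's own assumptions), and recurses into nested zips only when asked to.

```python
"""Added example (not synapse-fileparser code): model the archive-entry
records that `fileparser.parse` builds for a zip, with and without recursion.

Assumptions of this example: nodes are plain dicts keyed "form", "parent",
"file", "path" and "size"; only zip containers are recognised; `passwd` is
passed straight to zipfile for encrypted entries.
"""
from __future__ import annotations

import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    """Hex SHA-256, standing in for the file:bytes primary property."""
    return hashlib.sha256(data).hexdigest()


def parse_zip(data: bytes, recurse: bool = True, passwd: bytes | None = None) -> list[dict]:
    """Return one record per archive entry, modelled on file:archive:entry.

    `parent` is the sha256 of the container, `file` the sha256 of the entry.
    With recurse=True a nested zip is parsed too, producing records whose
    parent is the nested zip. With recurse=False the nested zip still gets
    its own record (mirroring the page's --no-recurse note) but its contents
    are not examined.
    """
    parent = sha256(data)
    records: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info, pwd=passwd)
            records.append({
                "form": "file:archive:entry",
                "parent": parent,
                "file": sha256(blob),
                "path": info.filename,
                "size": len(blob),
            })
            # Subfile parsing is the step --no-recurse switches off.
            if recurse and zipfile.is_zipfile(io.BytesIO(blob)):
                records.extend(parse_zip(blob, recurse=True, passwd=passwd))
    return records


def build_sample() -> bytes:
    """Constructed input: an outer zip holding a text file and an inner zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", b"woot 10.0.0.1")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


SAMPLE = build_sample()

if __name__ == "__main__":
    for rec in parse_zip(SAMPLE):
        print(rec["parent"][:12], rec["path"], rec["file"][:12], rec["size"])
    print("entries without recursion:", len(parse_zip(SAMPLE, recurse=False)))
```

Running it prints three records with recursion (readme.txt, inner.zip and notes.txt, the last one parented to inner.zip's hash) and two without, which is the difference between the two zip examples above.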

fileparser.parsers

List available parsers.

Examples:

  // List summary information for all parsers
  fileparser.parsers

  // List detailed information for a specific parser
  fileparser.parsers --mime pdf


Usage: fileparser.parsers [options]

Options:

  --help                      : Display the command usage.
  --mime <mime>               : The mime type or mime alias to get detailed information for.

fileparser.status

Status of active parsing tasks.

Usage: fileparser.status [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Print task debug information.

fileparser.strings

Brute-force detect ASCII strings from the file/hash node. String output
may be filtered using the --filters command line option. The --filters argument
can be either a string or a list of strings.

Examples:

  // Filter strings that look like an IP address and scrape them
  file:bytes:name=foo.txt | fileparser.strings --filters "\d+\.\d+\.\d+\.\d+" --scrape

  // Filter strings with the word "woot"
  file:bytes:name=foo.txt | fileparser.strings --filters "woot"

  // Case-insensitive filter for "woot"
  file:bytes:name=foo.txt | fileparser.strings --filters "(?i)woot"

  // Filter strings that start with "woot" or end with "foo"
  file:bytes:name=foo.txt | fileparser.strings --filters ("^woot", "foo$")


Usage: fileparser.strings [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of bytes to parse. (default: 1024)
  --scrape                    : Scrape indicators from the strings to create refs.
  --filters <filters>         : Regular expression pattern (or patterns) to filter results with. (default: None)
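To make the option semantics above concrete, here is an added stand-alone Python model of fileparser.strings (this is not synapse-fileparser's own code): a brute-force scan for printable-ASCII runs over at most --size bytes, filtering by a single regex or a list of regexes as in the examples above, and an optional scrape step. The minimum string length of 4, the IPv4-only scrape and the constructed sample bytes are assumptions of this example, not documented behaviour of the package.

```python
"""Added example (not synapse-fileparser code): model the --size, --filters
and --scrape behaviour of `fileparser.strings` over constructed bytes.

Assumptions: strings are runs of 4+ printable ASCII bytes; --scrape is
modelled as IPv4 extraction only; names below are this example's own.
"""
import re
from typing import Iterable, List, Optional, Tuple, Union

MIN_LEN = 4  # assumed minimum string length
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Dotted quad with each octet in 0..255, so 192.168.1.300 is rejected.
_IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_strings(data: bytes, size: int = 1024,
                    filters: Union[str, List[str], None] = None) -> List[str]:
    """Brute-force printable runs in data[:size]; keep those matching any filter."""
    if isinstance(filters, str):      # --filters accepts one pattern or a list
        filters = [filters]
    patterns = [re.compile(f) for f in (filters or [])]
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data[:size])]
    if not patterns:
        return found
    return [s for s in found if any(p.search(s) for p in patterns)]


def scrape_ipv4(strings: Iterable[str]) -> List[str]:
    """Model of --scrape: pull distinct IPv4 indicators out of the strings."""
    refs: List[str] = []
    for s in strings:
        for m in _IPV4.finditer(s):
            if m.group() not in refs:
                refs.append(m.group())
    return refs


def fileparser_strings(data: bytes, size: int = 1024,
                       filters: Union[str, List[str], None] = None,
                       scrape: bool = False) -> Tuple[List[str], List[str]]:
    """Return (strings, scraped refs), mirroring the command's two outputs."""
    strings = extract_strings(data, size, filters)
    refs = scrape_ipv4(strings) if scrape else []
    return strings, refs


# Constructed sample: ELF-like header, NUL-separated strings, padding, then a
# string that only appears when --size is large enough to reach it.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"GET /woot HTTP/1.1\x00"
    + b"C2 at 10.0.0.1 and 192.168.1.300\x00"
    + b"WOOTFOO\x00"
    + b"woot_marker\x00"
    + b"ab\x00"                       # too short to count as a string
    + b"\x00" * 16
    + b"beyond_the_size_limit_foo\x00"
)

if __name__ == "__main__":
    strs, refs = fileparser_strings(SAMPLE, filters=r"\d+\.\d+\.\d+\.\d+", scrape=True)
    print(strs, refs)
    print(fileparser_strings(SAMPLE, filters="(?i)woot")[0])
    print(fileparser_strings(SAMPLE, size=100, filters=["^woot", "foo$"])[0])
```

Note that the IP filter in the first call is deliberately loose, as in the page's example: it selects candidate strings, and it is the scrape step that decides which substrings are real IPv4 addresses. A size cap that lands inside a string truncates it rather than dropping it, so treat the last string of a capped run with suspicion.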

fileparser.text

Print text extracted from samples.

Usage: fileparser.text [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of bytes to parse. (default: 1024)
  --mime <mime>               : The mime type or mime alias of the file.
  --timeout <timeout>         : Parser execution timeout in seconds (defaults to None).
  --passwd <passwd>           : Use password to unlock file (see individual parser help for support).
  --no-recurse                : Do not recursively parse subfiles.
  --debug                     : Print debug output from the parser.
  --conf <conf>               : Configuration options dictionary for individual parsers.

Storm Modules

This package does not export any Storm APIs.