Synapse-MalwareBazaar Admin Guide
Configuration
Synapse-MalwareBazaar requires a MalwareBazaar API key. For information on how to sign up, please visit the abuse.ch Authentication Portal.
Setting the configuration for global use
To set up a global configuration:
> malwarebazaar.config.add global_config global_apikey
Synapse-MalwareBazaar config "global_config" added
Creating a configuration for role-based use
Add an unscoped configuration:
> malwarebazaar.config.add myunscoped myapikey --scope unscoped
Synapse-MalwareBazaar config "myunscoped" added
Grant another user admin permissions to the new configuration:
> malwarebazaar.config.update myunscoped --perm user visi admin
Updated Synapse-MalwareBazaar config "myunscoped"
Grant a role read permissions to the new configuration:
> malwarebazaar.config.update myunscoped --perm role ninjas read
Updated Synapse-MalwareBazaar config "myunscoped"
Overriding the proxy configuration
To override the default proxy configuration of the Cortex, the user must have either the power-ups.malwarebazaar.admin or the storm.lib.inet.http.proxy permission.
When the proxy configuration is set to (false) or to a URL, the permission is checked when the configuration is created or updated, and again each time the configuration is used to make an HTTP request.
Dependencies
Synapse-MalwareBazaar requires the following Power-Ups to be installed:
Name : synapse-fileparser
Version: >4.16.0,<=5.0.0
Desc : Synapse-FileParser is used to extract the archived samples. If it is not installed, downloaded samples will not be extracted.
Permissions
Package (synapse-malwarebazaar) defines the following permissions:
power-ups.malwarebazaar.user : Controls user access to Synapse-MalwareBazaar. ( default: false )
You may add rules to users/roles directly from storm:
> auth.user.addrule visi power-ups.malwarebazaar.user
Added rule power-ups.malwarebazaar.user to user visi.
or:
> auth.role.addrule ninjas power-ups.malwarebazaar.user
Added rule power-ups.malwarebazaar.user to role ninjas.
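The role-based configuration steps above and the package permission in this section are two separate gates: a role needs read access to a scoped configuration and the power-ups.malwarebazaar.user rule before its members can use the Power-Up. The following Storm script is an added example that ties the two together; it is not part of the original guide. It assumes the API key value is supplied by the operator, that the role name ninjas is free to create, and that the malwarebazaar.enrich node action is backed by a Storm command of the same name (an assumption, not stated on this page).

```storm
// Added example: end-to-end setup of a role-scoped MalwareBazaar configuration.
// Replace the placeholder with a real abuse.ch API key before running.
$apikey = "REPLACE-WITH-ABUSE-CH-API-KEY"

// Create the role if it does not already exist (assumed to be new here).
auth.role.add ninjas

// Create an unscoped configuration that holds the key for this team only.
malwarebazaar.config.add ninjas_config $apikey --scope unscoped

// Let members of the role read (use) the configuration, but not change it.
malwarebazaar.config.update ninjas_config --perm role ninjas read

// Grant the package-level permission that gates all use of the Power-Up
// (default: false), so the config permission alone is not enough.
auth.role.addrule ninjas power-ups.malwarebazaar.user

// Assumed Storm command name, matching the Optic node action listed below.
// A user in the ninjas role can now enrich a hash with the scoped config.
hash:sha256 | limit 1 | malwarebazaar.enrich
```

Keeping the key in an unscoped configuration with role read permission, rather than in the global configuration, limits who can spend the team's API quota and makes removing access a single auth.role.delrule or config.update change.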
Exported APIs
Synapse-MalwareBazaar does not currently export any APIs.
Workflows
Synapse-MalwareBazaar provides the following workflows in Optic:
Title: Configuration
Node Actions
Synapse-MalwareBazaar provides the following node actions in Optic:
Name : malwarebazaar.enrich
Desc : Enrich nodes using Synapse-MalwareBazaar.
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256
Name : malwarebazaar.download
Desc : Download a sample from MalwareBazaar.
Forms: file:bytes, hash:sha256
Onload Events
Synapse-MalwareBazaar uses the onload event to run required data migrations.