Synapse-ReversingLabs Admin Guide
Configuration
Synapse-ReversingLabs requires a ReversingLabs API key. For information on how to sign up, please visit the ReversingLabs website.
Setting API key for global use
To set up a global API key:
> reversinglabs.setup.apikey myapikey
Setting ReversingLabs API key for all users.
Using per-user API keys
A user may set up their own API key:
> reversinglabs.setup.apikey --self myapikey
Setting ReversingLabs API key for the current user.
Setting the API Endpoint for global use
To configure a global API endpoint:
> reversinglabs.setup.endpoint "https://example.reversinglabs.com"
Setting ReversingLabs API Endpoint for all users.
Using per-user Endpoints
A user may configure their own API endpoint:
> reversinglabs.setup.endpoint --self "https://example.reversinglabs.com"
Setting ReversingLabs API Endpoint for the current user.
Setting the Proxy Settings for global use
To configure Synapse-ReversingLabs to use a proxy for all users:
> reversinglabs.setup.proxy "https://example.proxy.com"
Setting the ReversingLabs API proxy for all users.
To give users permission to set the proxy, you must grant them the permission power-ups.reversinglabs.admin. You may add this permission to users/roles from Storm:
> auth.user.addrule visi power-ups.reversinglabs.admin
Added rule power-ups.reversinglabs.admin to user visi.
or:
> auth.role.addrule ninjas power-ups.reversinglabs.admin
Added rule power-ups.reversinglabs.admin to role ninjas.
Disabling API proxying
To disable all proxy settings, including any Cortex proxy settings:
> reversinglabs.setup.proxy --disable
Disabling proxy usage for the ReversingLabs Power-Up for all users.
Removing API proxy settings
To remove the global API proxy settings that Synapse-ReversingLabs uses:
> reversinglabs.setup.proxy --remove
Removing the ReversingLabs API proxy settings for all users.
Dependencies
Synapse-ReversingLabs requires the following Power-Ups to be installed:
Name : synapse-fileparser
Version: >=4.2.1,<5.0.0
Desc : Synapse-FileParser is needed to download extracted files for all reversinglabs.a1000.* commands.
Permissions
Package (synapse-reversinglabs) defines the following permissions:
power-ups.reversinglabs.user : Controls user access to Synapse-ReversingLabs. ( default: false )
power-ups.reversinglabs.admin : Controls access to Synapse-ReversingLabs proxy settings. ( default: false )
You may add rules to users/roles directly from Storm:
> auth.user.addrule visi power-ups.reversinglabs.user
Added rule power-ups.reversinglabs.user to user visi.
or:
> auth.role.addrule ninjas power-ups.reversinglabs.user
Added rule power-ups.reversinglabs.user to role ninjas.
To customize the tag prefix applied to nodes, Synapse-ReversingLabs requires the permission globals.set.reversinglabs:tag:prefix to be set on the user/role. You may add this permission to users/roles directly from Storm:
> auth.user.addrule visi globals.set.reversinglabs:tag:prefix
Added rule globals.set.reversinglabs:tag:prefix to user visi.
or:
> auth.role.addrule ninjas globals.set.reversinglabs:tag:prefix
Added rule globals.set.reversinglabs:tag:prefix to role ninjas.
Exported APIs
Synapse-ReversingLabs does not currently export any APIs.
Node Actions
Synapse-ReversingLabs provides the following node actions in Optic:
Name : reversinglabs.a1000.enrich
Desc : Enrich nodes using Synapse-ReversingLabs
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256, hash:512
Name : reversinglabs.a1000.download
Desc : Download the bytes for the file from ReversingLabs
Forms: file:bytes, hash:sha256
Name : reversinglabs.a1000.submit
Desc : Submit a file for analysis to ReversingLabs
Forms: file:bytes, hash:sha256
Onload Events
Synapse-ReversingLabs uses an onload event to create a Storm Dmon used by reversinglabs.a1000.submit for submitting files in the background.