Synapse-ReversingLabs Admin Guide

Configuration

Synapse-ReversingLabs requires a ReversingLabs API key. For information on how to sign up, please visit the ReversingLabs website.

Setting API key for global use

To set up a global API key:

> reversinglabs.setup.apikey myapikey
Setting ReversingLabs API key for all users.

Using per-user API keys

A user may set up their own API key:

> reversinglabs.setup.apikey --self myapikey
Setting ReversingLabs API key for the current user.

Setting the API Endpoint for global use

To configure a global API endpoint:

> reversinglabs.setup.endpoint "https://example.reversinglabs.com"
Setting ReversingLabs API Endpoint for all users.

Using per-user Endpoints

A user may configure their own API endpoint:

> reversinglabs.setup.endpoint --self "https://example.reversinglabs.com"
Setting ReversingLabs API Endpoint for the current user.

Setting the Proxy Settings for global use

To configure Synapse-ReversingLabs to use a proxy for all users:

> reversinglabs.setup.proxy "https://example.proxy.com"
Setting the ReversingLabs API proxy for all users.

To allow users to set the proxy, you must grant them the permission power-ups.reversinglabs.admin. You may add this permission to users/roles from storm:

> auth.user.addrule visi power-ups.reversinglabs.admin
Added rule power-ups.reversinglabs.admin to user visi.

or:

> auth.role.addrule ninjas power-ups.reversinglabs.admin
Added rule power-ups.reversinglabs.admin to role ninjas.

Disabling API proxying

To disable proxy usage for the Power-Up entirely, including any proxy configured on the Cortex itself:

> reversinglabs.setup.proxy --disable
Disabling proxy usage for the ReversingLabs Power-Up for all users.

Removing API proxy settings

To remove the global API proxy settings that Synapse-ReversingLabs uses:

> reversinglabs.setup.proxy --remove
Removing the ReversingLabs API proxy settings for all users.

Dependencies

Synapse-ReversingLabs requires the following Power-Ups to be installed:

Name   : synapse-fileparser
Version: >=4.2.1,<5.0.0
Desc   : Synapse-FileParser is needed to download extracted files for all reversinglabs.a1000.* commands.

Permissions

Package (synapse-reversinglabs) defines the following permissions:
power-ups.reversinglabs.user     : Controls user access to Synapse-ReversingLabs. ( default: false )
power-ups.reversinglabs.admin    : Controls access to Synapse-ReversingLabs proxy settings. ( default: false )

You may add rules to users/roles directly from storm:

> auth.user.addrule visi power-ups.reversinglabs.user
Added rule power-ups.reversinglabs.user to user visi.

or:

> auth.role.addrule ninjas power-ups.reversinglabs.user
Added rule power-ups.reversinglabs.user to role ninjas.

To customize the tag prefix applied to nodes, Synapse-ReversingLabs requires the permission globals.set.reversinglabs:tag:prefix to be set on the user/role. You may grant this permission to users/roles directly from storm:

> auth.user.addrule visi globals.set.reversinglabs:tag:prefix
Added rule globals.set.reversinglabs:tag:prefix to user visi.

or:

> auth.role.addrule ninjas globals.set.reversinglabs:tag:prefix
Added rule globals.set.reversinglabs:tag:prefix to role ninjas.
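The commands above grant each permission to a single user or role at a time. The following Storm session is an added example (not part of this guide or the Power-Up itself) showing one way to lay out those permissions with least privilege: an analyst role that can only run the Power-Up, and a small admin role that additionally holds the proxy and tag-prefix permissions. Keeping the admin role small matters because whoever holds power-ups.reversinglabs.admin can redirect the Power-Up's API traffic through a proxy of their choosing. The role and user names (rl-analysts, rl-admins, alice, bob) are constructed; auth.role.add, auth.user.grant, auth.role.show and auth.user.show are standard Synapse auth commands that this page does not itself show. Each group below is entered as one query, with commands joined by | so they run as a single pipeline.

```storm
// Added example: least-privilege role layout for Synapse-ReversingLabs.
// Role and user names are constructed for illustration.

// Analysts may run the Power-Up, but cannot change proxy or tag-prefix settings.
auth.role.add rl-analysts
| auth.role.addrule rl-analysts power-ups.reversinglabs.user

// A deliberately small admin role holds the settings-related permissions.
auth.role.add rl-admins
| auth.role.addrule rl-admins power-ups.reversinglabs.user
| auth.role.addrule rl-admins power-ups.reversinglabs.admin
| auth.role.addrule rl-admins globals.set.reversinglabs:tag:prefix

// Grant roles to users instead of adding rules to users one by one,
// so membership can be reviewed and revoked in one place.
auth.user.grant alice rl-analysts
| auth.user.grant bob rl-admins

// Review the effective rules before handing out the API key.
auth.role.show rl-admins
| auth.user.show alice
```

With this layout, revoking someone's ability to change the proxy is a single auth.user.revoke of the rl-admins role rather than a hunt for per-user rules, and auth.role.show gives a quick audit of who can alter where API traffic is sent.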

Exported APIs

Synapse-ReversingLabs does not currently export any APIs.

Node Actions

Synapse-ReversingLabs provides the following node actions in Optic:

Name : reversinglabs.a1000.enrich
Desc : Enrich nodes using Synapse-ReversingLabs
Forms: file:bytes, hash:md5, hash:sha1, hash:sha256, hash:sha512

Name : reversinglabs.a1000.download
Desc : Download the bytes for the file from ReversingLabs
Forms: file:bytes, hash:sha256

Name : reversinglabs.a1000.submit
Desc : Submit a file for analysis to ReversingLabs
Forms: file:bytes, hash:sha256

Onload Events

Synapse-ReversingLabs uses an onload event to create a Storm Dmon used by reversinglabs.a1000.submit for submitting files in the background.