Package Documentation
Storm Package: synapse-reversinglabs
The following Commands are available from this package. This documentation is generated for version 0.6.0 of the package.
Storm Commands
This package implements the following Storm Commands.
reversinglabs.a1000.download
Download the bytes for a sample into the configured Axon.
Examples:
// Download all files tagged with "my.files" to the configured Axon, yielding the created file:bytes nodes
file:bytes#my.files | reversinglabs.a1000.download --yield
// Download the bytes for the file c1d31b2af2f8ce75364b3952f0b0aa0b, and the bytes for any extracted file
// automatically making file:subfile relationships
hash:md5=c1d31b2af2f8ce75364b3952f0b0aa0b | reversinglabs.a1000.download --all
Usage: reversinglabs.a1000.download [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of results ingested to the given size (per-node).
--all : Download the bytes for any extracted files to the configured Axon and create file:subfile relations.
--fetch : Pull the bytes for the file from TICloud into the configured Axon and the ReversingLabs appliance.
reversinglabs.a1000.enrich
Retrieve the static analysis report for a given hash, optionally downloading the bytes for the file
and any extracted files into the configured Axon as well.
Examples:
// Enrich a set of 10 file:bytes nodes.
file:bytes | reversinglabs.a1000.enrich --size 10
// Enrich a hash:sha512 node and download the bytes for the file and any extracted files
// into the configured Axon.
hash:sha512#re.analysis.todo | reversinglabs.a1000.enrich --download
Usage: reversinglabs.a1000.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--asof <asof> : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
--download : Download the corresponding bytes for the input nodes, and any extracted files, to the configured Axon.
reversinglabs.a1000.submit
Submit a file from the configured Axon to ReversingLabs for analysis.
Examples:
// Submit all the files tagged with "my.files" to ReversingLabs' static analysis engine and pend on results
file:bytes#my.files | reversinglabs.a1000.submit
// Pend on results for submitting a single file to ReversingLabs,
// but only run the rl_cloud_sandbox environment
file:bytes=000032e7dc30e978e162553189d863915936d7c8e94788ac753e2785164b5f77 | reversinglabs.a1000.submit --sandboxes rl_cloud_sandbox
// Submit all the files tagged with "to.do" and do not pend on retrieving results
file:bytes#to.do | reversinglabs.a1000.submit --background --yield
// Submit a set of files and run them through the third party AV scanners ReversingLabs has
file:bytes#to.do | reversinglabs.a1000.submit --scanners --background
// Submit a set of files to both cloud processing and the third party AV scanners
file:bytes#my.files | reversinglabs.a1000.submit --scanners --sandboxes rl_cloud_sandbox --background
Usage: reversinglabs.a1000.submit [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--download : Also download the bytes for all the extracted files to the configured Axon.
--background : Do not block waiting for the analysis to finish; the submission is queued and results are retrieved later (for example with reversinglabs.a1000.enrich).
--sandboxes [<sandboxes> ...]: Additionally submit the sample to the cloud sandboxes for analysis. Currently supported values are "cloud" and "rl_cloud_sandbox".
--scanners : Additionally submit the sample to the multiple AV scanners ReversingLabs has.
reversinglabs.setup.apikey
Manage the ReversingLabs API key.
Examples:
// Set a global ReversingLabs API key
reversinglabs.setup.apikey abcd1234
// Set a ReversingLabs API key for the current user
reversinglabs.setup.apikey --self abcd1234
// Display the API key scope of the current key
reversinglabs.setup.apikey --show-scope
// Display the current API key.
reversinglabs.setup.apikey --show-apikey
// Remove the current global API key.
reversinglabs.setup.apikey --remove
// Remove the per-user API key for the current user.
reversinglabs.setup.apikey --self --remove
Usage: reversinglabs.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
reversinglabs.setup.endpoint
Manage what URL the ReversingLabs Power-Up sends requests to.
Examples:
// Set a global base endpoint
reversinglabs.setup.endpoint "https://a1000-example.reversinglabs.com/"
// Set a base endpoint for the current user
reversinglabs.setup.endpoint --self "https://a1000-example.my-private-cloud.com/"
// Display the scope of the current endpoint
reversinglabs.setup.endpoint --show-scope
// Remove the current global endpoint
reversinglabs.setup.endpoint --remove
// Remove the per-user endpoint for the current user
reversinglabs.setup.endpoint --self --remove
Usage: reversinglabs.setup.endpoint [options] <endpoint>
Options:
--help : Display the command usage.
--self : Set or remove the endpoint as a user variable. If not used, the endpoint is set globally.
--show-scope : Display the endpoint scope in use (global vs self).
--show-endpoint : Display the endpoint value (requires admin perms or a "self" scope endpoint).
--remove : Remove the configured endpoint. May be used with --self.
Arguments:
[endpoint] : The URL to forward API requests to.
reversinglabs.setup.proxy
Manage where the ReversingLabs Power-Up proxies API requests to.
Examples:
// Set a new proxy URL that affects only the ReversingLabs Power-Up
reversinglabs.setup.proxy socks5://yourproxy:1234
// Reset the configured ReversingLabs proxy and accept the system default proxy setting
reversinglabs.setup.proxy --remove
// Disable the use of any proxying, including the usage of any Cortex proxies
reversinglabs.setup.proxy --disable
Usage: reversinglabs.setup.proxy [options] <proxy>
Options:
--help : Display the command usage.
--show-proxy : Display the proxy value.
--disable : Remove and disable the use of any proxying and bypass any configured system proxy.
--remove : Remove the configured proxy URL and use the default Cortex proxy setting.
Arguments:
[proxy] : A URL to proxy requests to.
reversinglabs.setup.tagprefix
Set the tag prefix when recording ReversingLabs tags.
The default tag prefix is "rep.revlabs" if not specified.
Any tags provided by a ReversingLabs API will be added within the given namespace.
For example, the ReversingLabs tag "trusted" would result in "rep.revlabs.trusted".
Any characters incompatible with tag names are replaced with "_".
Usage: reversinglabs.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
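An added example of how the setup, submit, enrich and tagprefix commands fit together in one triage workflow; this is not part of the package documentation. Each line is a separate Storm query; the endpoint URL, the API key placeholder, the "triage.todo" tag and the assumption that the "trusted" report tag is recorded on the file:bytes node are all constructed for this example.

```storm
// One-time setup, global scope: where requests go, the key to use, and the namespace
// that ReversingLabs tags are recorded under (here the default, rep.revlabs).
reversinglabs.setup.endpoint "https://a1000-example.reversinglabs.com/"
reversinglabs.setup.apikey "REPLACE-WITH-YOUR-API-KEY"
reversinglabs.setup.tagprefix rep.revlabs

// Submit the files queued for triage without waiting for the analysis to finish.
file:bytes#triage.todo | reversinglabs.a1000.submit --background

// Later: pull the static analysis reports. --asof now bypasses the 30-day result cache,
// so a report written after the submission is fetched instead of an older cached one.
file:bytes#triage.todo | reversinglabs.a1000.enrich --asof now

// The "trusted" tag from the report lands under the prefix as rep.revlabs.trusted,
// so files the service considers trusted can be lifted and cleared from the queue.
file:bytes#triage.todo +#rep.revlabs.trusted [ -#triage.todo ]
```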
Storm Modules
This package does not export any Storm APIs.