Package Documentation

Storm Package: synapse-reversinglabs

The following Commands are available from this package. This documentation is generated for version 0.5.0 of the package.

Storm Commands

This package implements the following Storm Commands.

reversinglabs.a1000.download

Download the bytes for a sample in the configured Axon

Examples:

  // Download all files tagged with "my.files" to the configured Axon, yielding the created file:bytes nodes
  file:bytes#my.files | reversinglabs.a1000.download --yield

  // Download the bytes for the file c1d31b2af2f8ce75364b3952f0b0aa0b, and the bytes for any extracted file
  // automatically making file:subfile relationships
  hash:md5=c1d31b2af2f8ce75364b3952f0b0aa0b | reversinglabs.a1000.download --all


Usage: reversinglabs.a1000.download [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --all                       : Download the bytes for any extracted files to the configured Axon and create file:subfile relations.
  --fetch                     : Pull the bytes for the file from TICloud into the configured Axon and ReversingLabs Appliance.

reversinglabs.a1000.enrich

Retrieve the static analysis report for a given hash, optionally downloading the bytes for the file
and any extracted files into the configured Axon as well.

Examples:

  // Enrich a set of 10 file:bytes nodes.
  file:bytes | reversinglabs.a1000.enrich --size 10

  // Enrich a hash:sha512 node and download the bytes for the file and any extracted files
  // into the configured Axon.
  hash:sha512#re.analysis.todo | reversinglabs.a1000.enrich --download


Usage: reversinglabs.a1000.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
  --download                  : Download the corresponding bytes for the input nodes, and any extracted files, to the configured Axon.

reversinglabs.a1000.submit

Submit a file from the configured Axon to ReversingLabs for analysis.

More detailed description talking about what kind of input the command takes
and what it does with it.

Examples:

  // Submit all the files tagged with "my.files" to ReversingLabs' static analysis engine and pend on results
  file:bytes#my.files | reversinglabs.a1000.submit

  // Pend on results for submitting a single file to ReversingLabs,
  // but only run the rl_cloud_sandbox environment
  file:bytes=000032e7dc30e978e162553189d863915936d7c8e94788ac753e2785164b5f77 | reversinglabs.a1000.submit --sandboxes rl_cloud_sandbox

  // Submit all the files tagged with "to.do" and do not pend on retrieving results
  file:bytes#to.do | reversinglabs.a1000.submit --background --yield

  // Submit a set of files and run them through the third party AV scanners ReversingLabs has
  file:bytes#to.do | reversinglabs.a1000.submit --scanners --background

  // Submit a set of files to both cloud processing and the third party AV scanners
  file:bytes#my.files | reversinglabs.a1000.submit --scanners --sandboxes rl_cloud_sandbox --background


Usage: reversinglabs.a1000.submit [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --download                  : Also download the bytes for all the extracted files to the configured Axon.
  --background                : Do not block waiting for analysis to finish.
  --sandboxes [<sandboxes> ...]: Additionally submit the sample to the cloud sandboxes for analysis. Currently supported values are "cloud" and "rl_cloud_sandbox".
  --scanners                  : Additionally submit the sample to the multiple AV scanners ReversingLabs has.

reversinglabs.setup.apikey

Manage the ReversingLabs API key.

Examples:

  // Set a global ReversingLabs API key
  reversinglabs.setup.apikey abcd1234

  // Set a ReversingLabs API key for the current user
  reversinglabs.setup.apikey --self abcd1234

  // Display the API key scope of the current key
  reversinglabs.setup.apikey --show-scope

  // Display the current API key.
  reversinglabs.setup.apikey --show-apikey

  // Remove the current global API key.
  reversinglabs.setup.apikey --remove

  // Remove the per-user API key for the current user.
  reversinglabs.setup.apikey --self --remove


Usage: reversinglabs.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the key as a user variable. If not used, the key is set globally.
  --show-scope                : Display the API key scope in use (global vs self).
  --show-apikey               : Display the API key value (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API key. May be used with --self.

Arguments:

  [apikey]                    : The API key string.

reversinglabs.setup.endpoint

Manage what URL the ReversingLabs Power-Up sends requests to.

Examples:

  // Set a global base endpoint
  reversinglabs.setup.endpoint "https://a1000-example.reversinglabs.com/"

  // Set a base endpoint for the current user
  reversinglabs.setup.endpoint --self "https://a1000-example.my-private-cloud.com/"

  // Display the scope of the current endpoint
  reversinglabs.setup.endpoint --show-scope

  // Remove the current global endpoint
  reversinglabs.setup.endpoint --remove

  // Remove the per-user endpoint for the current user
  reversinglabs.setup.endpoint --self --remove


Usage: reversinglabs.setup.endpoint [options] <endpoint>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the endpoint as a user variable. If not used, the endpoint is set globally.
  --show-scope                : Display the endpoint scope in use (global vs self).
  --show-endpoint             : Display the endpoint value (requires admin perms or a "self" scope endpoint).
  --remove                    : Remove the configured endpoint. May be used with --self.

Arguments:

  [endpoint]                  : The URL to forward API requests to.

reversinglabs.setup.proxy

Manage where the ReversingLabs Power-Up proxies API requests to.

Examples:

  // Set a new proxy URL that affects only the ReversingLabs Power-Up
  reversinglabs.setup.proxy socks5://yourproxy:1234

  // Reset the configured ReversingLabs proxy and accept the system default proxy setting
  reversinglabs.setup.proxy --remove

  // Disable the use of any proxying, including the usage of any Cortex proxies
  reversinglabs.setup.proxy --disable


Usage: reversinglabs.setup.proxy [options] <proxy>

Options:

  --help                      : Display the command usage.
  --show-proxy                : Display the proxy value.
  --disable                   : Remove and disable the use of any proxying and bypass any configured system proxy.
  --remove                    : Remove the configured proxy url and use the default Cortex proxy setting.

Arguments:

  [proxy]                     : A URL to proxy requests to.

reversinglabs.setup.tagprefix

Set the tag prefix when recording ReversingLabs tags.
The default tag prefix is "rep.revlabs" if not specified.

Any tags provided by a ReversingLabs API will be added within the given namespace.
For example, the ReversingLabs tag "trusted" would result in "rep.revlabs.trusted".
Any characters incompatible with tag names are replaced with "_".
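As an added illustration (not the package's own code), the Python below sketches the tag mapping described above: prefixing, replacing incompatible characters with "_", and dropping empty tag levels. The page only states the prefix and the "_" replacement; the allowed character set (lowercase ASCII letters, digits, underscore, with "." separating levels) and the lowercasing are assumptions made for this example.

```python
import re

# Default prefix named on the page; everything else here is an added
# illustration, not the package's own code.
DEFAULT_PREFIX = "rep.revlabs"

# Assumption: a tag level may contain only lowercase ASCII letters, digits
# and underscores, and "." separates levels. Anything else is treated as
# "incompatible" and replaced with "_".
_INCOMPATIBLE = re.compile(r"[^a-z0-9_]")


def normalize_rl_tag(rl_tag: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Map a raw ReversingLabs tag onto a tag under `prefix`.

    Each dot-separated level of the raw tag is lowercased (assumption),
    incompatible characters become "_", and empty levels produced by
    leading, trailing or doubled dots are dropped so the result never
    contains an empty tag level.
    """
    levels = []
    for level in rl_tag.lower().split("."):
        level = _INCOMPATIBLE.sub("_", level)
        if level:
            levels.append(level)
    if not levels:
        raise ValueError(f"tag {rl_tag!r} has no usable levels")
    return ".".join([prefix, *levels])


def is_valid_tag(tag: str) -> bool:
    """Check that every level of a full tag name is non-empty and clean."""
    return all(level and not _INCOMPATIBLE.search(level)
               for level in tag.split("."))


if __name__ == "__main__":
    # Constructed sample tags, shaped like classifications an analysis
    # service might return; they are not taken from ReversingLabs output.
    for raw in ("trusted", "Win32/Trojan.Generic", "packed: upx", ".leading-dot"):
        print(f"{raw!r:24} -> {normalize_rl_tag(raw)}")
    # Same mapping with a custom prefix, as set via reversinglabs.setup.tagprefix
    print(normalize_rl_tag("trusted", prefix="rep.rl"))
```

The `is_valid_tag` check is the kind of guard worth running before writing tags from an external feed: a raw tag that is nothing but dots or separators would otherwise yield a bare prefix, which the normalizer refuses instead.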


Usage: reversinglabs.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

Storm Modules

This package does not export any Storm APIs.