Peekaboo Extended Email Attachment Behavior Observation Owl
Install using venv/bin/pip install peekabooav==2.1rc3. See CHANGELOG.md for changes since last release.
Install using venv/bin/pip install peekabooav==2.1rc2. See CHANGELOG.md for changes since last release.
Install using ./setup.py. Uninstallable and yanked from pypi.org due to dependency on our modified cortex4py github repo. See CHANGELOG.md for changes since last release.
This release fixes an error with sqlalchemy versions newer than 1.4. Only this release is affected; the affected code has since been removed.
A running instance of Peekaboo is not affected unless the installed sqlalchemy version is updated manually.
This release introduces a breaking change that fixes a security issue in Peekaboo 2.0 which potentially allowed analysis to be evaded through a specially crafted attachment name: the example ruleset configuration contained an expression rule designed to ignore S/MIME signature attachments. The regular expression in that rule was not anchored at the end, so only the beginning of the filename was matched and any attachment whose declared name merely started with one of the S/MIME names was also ignored.
This release changes the behaviour of equality matches against regular expressions so that the whole operand must match the pattern. An explicit end-of-line anchor ($) is no longer required. This more closely matches what users writing rules reasonably expect.
Users should also consider emptying the database of cached analysis results, so that results from earlier, possibly successful attempts at evading analysis cannot be reused.
Workaround for environments that cannot update: change the first statement of expression.2 in section [expressions] of ruleset.conf from

sample.name_declared == /smime.p7[mcs]/

to

sample.name_declared == /smime.p7[mcs]$/

so that the rule accepts only filenames exactly matching smime.p7s, smime.p7m or smime.p7c.
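The following is an added example, not code from the Peekaboo project or from the release notes above. It models the two matching semantics the advisory contrasts using Python's re module (the assumption being that the old expression-rule behaviour corresponds to re.match, i.e. anchored only at the start of the operand, and the fixed behaviour to re.fullmatch). The attachment names are constructed test input; the ones that merely start with an S/MIME name illustrate what "only the beginning of the filename was matched" means for the ignore rule.

```python
import re

# Constructed sample attachment names (not taken from any real report):
# the three legitimate S/MIME names, names that only start with one of
# them, and an unrelated name that no variant of the rule should match.
SAMPLE_NAMES = [
    "smime.p7s",
    "smime.p7m",
    "smime.p7c",
    "smime.p7m.exe",             # legitimate prefix, arbitrary suffix
    "smime.p7s_invoice.docm",    # same idea, different suffix
    "invoice.docm",
]

# The regex from expression.2 as shipped in the 2.0 sample ruleset,
# and the workaround with the explicit end anchor.
PATTERN_UNANCHORED = r"smime.p7[mcs]"
PATTERN_ANCHORED = r"smime.p7[mcs]$"


def prefix_match(pattern, name):
    """Pre-fix semantics (assumed): re.match anchors only at the start."""
    return re.match(pattern, name) is not None


def full_match(pattern, name):
    """Post-fix semantics: the whole operand has to match the pattern."""
    return re.fullmatch(pattern, name) is not None


def ignored_names(matcher, pattern, names=SAMPLE_NAMES):
    """Return the names the 'ignore S/MIME signature' rule would skip,
    i.e. the attachments that would never reach analysis."""
    return [n for n in names if matcher(pattern, n)]


def trailing_newline_caveat(name="smime.p7m\n"):
    """Python's `$` also matches just before a trailing newline, so the
    anchored workaround still matches such a name while re.fullmatch
    does not. Returns (anchored_prefix_match, fullmatch)."""
    return (prefix_match(PATTERN_ANCHORED, name),
            full_match(PATTERN_UNANCHORED, name))


if __name__ == "__main__":
    print("2.0 rule, prefix match:   ", ignored_names(prefix_match, PATTERN_UNANCHORED))
    print("workaround, prefix match: ", ignored_names(prefix_match, PATTERN_ANCHORED))
    print("fixed semantics:          ", ignored_names(full_match, PATTERN_UNANCHORED))
    print("trailing newline caveat:  ", trailing_newline_caveat())
```

Two further points worth checking in your own ruleset: the dot in smime.p7[mcs] is unescaped, so even the anchored variants match a name such as smimeXp7m; and, as trailing_newline_caveat shows, a `$` anchor is not quite the same as a whole-operand match in Python, which is one reason the release moves the anchoring into the matching engine rather than leaving it to every rule author.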
Thanks to @mardom1 and @sukram230799 for finding and reporting the issue.
Changes from 2.0:
ruleset.conf.sample section [rules] for details.
Install using venv/bin/pip install peekabooav==2.0rc2. See CHANGELOG.md for changes since last release.
Install using venv/bin/pip install peekabooav==2.0rc1. See CHANGELOG.md for changes since last release.
- cuckoo_analysis_failed to override what constitutes failure and what reliably indicates success
- $LANG and friends
- malware_reports directory configurable
- peekaboo.conf can be mostly empty in standard setups
- analysis_jobs to get an actual job log
- [cluster] in peekaboo.conf.sample
- analysis_results table from DB schema for simplicity and performance, bump version to 6