PeekabooAV Versions Save

• Peekaboo now provides a REST API. The old UNIX domain socket is gone and there's no longer a long-lived client connection providing a summary report on multiple samples. Samples are now submitted individually, yielding a job ID for subsequent attempts at retrieving a report. Both inputs and outputs of the API are JSON. The AMaViS plugin and peekaboo-util are updated to match.
• Embedded Cuckoo mode and python2 support are removed.
• Breaking change: Equality operators in expressions using regexes do now need to match the whole string up to the end.
• New database schema version 9. Removes tables PeekabooMetadata and AnalysisJournal, and adds field analysis_time as well as state to SampleInfo.
• Generic rules can now make use of the new analyser knownreport
• Introduce cortexreport toolbox analyser to connect to Cortex by TheHive. There already are a few sub analysers that can be used.
• Reduce amount of data copied from Cuckoo reports for memory efficiency and security reasons. Reduces the amount of information available in Peekaboo processing failure dumps as well. URL to access original report via Cuckoo API is provided instead.
• The CortexAnalyser or more precisely every CortexAnalyser can now access domain, hash, and ip artifacts from within the Generic rules.
• FileInfoAnalyzerReport has new attibutes md5sum, sha256sum, and ssdeepsum (now don't get to excited, ssdeep hashes can only be used as strings)
• Input validation of reports adds a new pip requirement: schema
• Availability of external resources, particularly Cuckoo and Cortex APIs is no longer checked at startup. Lack of availability is reported as individual job failure.
• PID file is no longer created by default (but can be re-enabled by specifying a path).

Install using venv/bin/pip install peekabooav==2.1rc3. See CHANGELOG.md for changes since last release.

Install using venv/bin/pip install peekabooav==2.1rc2. See CHANGELOG.md for changes since last release.

Install using ./setup.py. Uninstallable and yanked from pypi.org due to dependency on our modified cortex4py github repo. See CHANGELOG.md for changes since last release.

This release fix an error with sqlalchemy version > 1.4. It only affects this release, the affected code has later been removed.

A running instance of Peekaboo is not affected unless sqlalchemy version is updated manually.

This release introduces a breaking change that fixes a security issue in Peekaboo 2.0 that potentially allowed to evade analysis through a specially crafted attachment name: The example ruleset configuration contained an expression rule designed to ignore S/MIME signature attachments. This expression contained an error so that only the beginning of the filename was matched.

This release changes the behaviour of equality matches against regular expressions so that the whole operand needs to match the pattern. An explicit end-of-line anchor ($) is no longer required. This is done to more closely match the reasonable expectations of users writing rules.

Users should also consider emptying the database of cached analysis results to avoid any chance of reuse of results from previous successful attempts at evading analysis.

Workaround for environments that cannot update: Change the first statement of expression.2 in section [expressions] of ruleset.conf from

sample.name_declared == /smime.p7[mcs]/

to

sample.name_declared == /smime.p7[mcs]$/

to accept only filenames exactly matching smime.p7s, smime.p7m or smime.p7c.

Thanks to @mardom1 and @sukram230799 for finding and reporting the issue.

Changes from 2.0:

• Breaking change / security content: Equality operators in expressions using regexes do now need to match the whole string up to the end.
• Fix cluster duplicate handler dying (#160)

• Embedded Cuckoo mode and python2 support are deprecated now and scheduled for removal in a future release. Warnings to that effect are printed at startup if embed mode is in use or python2 is detected. Both are more than likely to be gone in release 2.1 so update your setup now!
• Generic rules allow to evaluate expressions with sample, cuckooreport and olereport and filereport
• Distribute and install sample configuration files in/from PyPI source distribution
• Make list of rules to run configurable in members and order. See ruleset.conf.sample section [rules] for details.
• Lower default for in-flight lock staleness to 15 minutes.
• Detect unknown config sections and options and refuse to start if any are found.
• Submit the sample with its original filename if available when using the REST API. (#81, #82)
• Improve REST API access robustness by introducing configurable urllib3 retry handling with backoff and defined endless retry or failure report to client. (#43)
• Introduce peekaboo-util.py with subcommands scan-file (as a super charged replacement for scan_file.py (#107)), ping and raw (for diagnosis, scripting and debugging).
• Add database indices to speed up processing and lower database CPU load. Rename analyses_time column to analysis_time in analysis_jobs table. Raises schema version to 7. (#124)
• No longer require configuration of a primary group to drop privileges to. Instead use the droppriv user's primary group and supplementary group list by default.
• Add new options socket_group and socket_mode to explicitly open up the socket to client connections with a secure default.

Install using venv/bin/pip install peekabooav==2.0rc2. See CHANGELOG.md for changes since last release.

Install using venv/bin/pip install peekabooav==2.0rc1. See CHANGELOG.md for changes since last release.

• give threads names for easier identification
• add configuration for rule cuckoo_analysis_failed to override what constitutes failure and what reliably indicates success
• localise client communication, i.e. have the system report findings in English by default but provide gettext-compatible translation templates for other languages
• add German translation (which was hard-coded in the source before)
• add configuration option to force language of client communication beyond $LANG and friends
• massively speed up shutdown
• make the malware_reports directory configurable
• add reporting of an overall analysis result (not just per sample-results) to correctly convey failures in addition to good/bad decisions to the client
• usage of separate python virtualenvs for peekaboo and cuckoo is now recommended because we use newer module versions than cuckoo
• make internal configuration defaults work so that peekaboo.conf can be mostly empty in standard setups
• log multiple analysis jobs per sample in analysis_jobs to get an actual job log
• multi-node concurrency coordinated via DB, see section [cluster] in peekaboo.conf.sample
• remove analysis_results table from DB schema for simplicity and performance, bump version to 6
• many bug fixes, internal cleanups and improviments