-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathservice_manifest.yml
executable file
·90 lines (74 loc) · 2.3 KB
/
service_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: ConfigExtractor
version: $SERVICE_TAG
description: >
ConfigExtractor service
This service runs parsers to extract malware configuration data
accepts: .*
rejects: empty|metadata/.*
stage: SECONDARY
category: Static Analysis
file_required: true
timeout: 10
disable_cache: false
# Disabled at first so Administrator can assign appropriate storage class
enabled: false
is_external: false
licence_count: 0
uses_tags: false
uses_temp_submission_data: true
# Service configuration block (dictionary of config variables)
heuristics:
- heur_id: 1
name: Extracted Malware Configuration
score: 1000
filetype: "*"
description: Category - Malware - Indicates configuration block was extracted
- heur_id: 2
name: De-obfuscated Network IOCs
score: 50
filetype: "*"
signature_score_map:
# Connection usage may be indicative of maliciousness
c2: 1000
upload: 1000
download: 1000
propagate: 1000
tunnel: 1000
ransom: 1000
decoy: 10 # Used to mask actual malicious connection but the connections themselves aren't malicious
other: 10
description: Indicates a network IOC was extracted from malware configuration
# Docker configuration block which defines:
# - the name of the docker container that will be created
# - cpu and ram allocation by the container
docker_config:
image: ${REGISTRY}cccs/assemblyline-service-configextractor:$SERVICE_TAG
cpu_cores: 1.0
ram_mb: 1024
dependencies:
updates:
container:
allow_internet_access: true
command: ["python", "-m", "configextractor_.update_server"]
image: ${REGISTRY}cccs/assemblyline-service-configextractor:$SERVICE_TAG
ports: ["5003"]
environment:
- name: UPDATER_DIR
value: /mnt/updates
run_as_core: True
volumes:
updates:
mount_path: /mnt/updates
capacity: 1048576 #1Gi
storage_class: default
update_config:
generates_signatures: true
sources:
# Pending: https://github.com/kevoreilly/CAPEv2/pull/1037#issuecomment-1242071140
- name: CAPE
pattern: .*/modules/processing/parsers/CAPE/$
uri: https://github.com/cccc-rs/CAPEv2.git
default_classification: TLP:W
update_interval_seconds: 21600 # Quarter-day (every 6 hours)
wait_for_update: true
signature_delimiter: file