Python client library and command-line tool for the Falcon Sandbox API (https://www.falconsandbox.com/docs/api/v2).

Detailed description of the falcon-sandbox Python project


Falcon Sandbox Python Library

A Python library for the Falcon Sandbox API with a command-line wrapper. The library was originally developed for ACE. The command-line wrapper was written to make interacting with Falcon Sandbox more convenient for intel analysts and for Event Sentry.

Installation

pip install falcon-sandbox

Falcon Sandbox CLI Script

After installation, a command-line script named 'falcon-sandbox' is available for interacting with the Falcon Sandbox service.

The command-line script looks for the required configuration settings at ~/<current-user>/.config/falcon.ini. If that file does not exist, the script prompts you for the required information on first execution and writes the file. It looks like this:

$ falcon-sandbox get system -v
2019-11-22 16:46:38 analysis falcon_sandbox.helpers.load_config[8545] CRITICAL Didn't find any config files defined at these paths: ['/data/home/user/.config/falcon.ini']
Did not find user configuration, would you like to create one? [Y/n] 
FQDN of your Falcon sandbox server: private.falcon-sandbox.com
Your API key: oki53wxinm7ep8ja4ucomuyerfake5o9zi5bipvqvxskycrqxcfzqwkeea5ouvxg3
Do you need to use the system proxy to connect to the sandbox? [Y/n] 
2019-11-22 16:46:54 analysis root[8545] INFO Wrote user configuration to: /data/home/user/.config/falcon.ini
{'api': '2.6.0', 'instance': '8.6.1-0a10823e3', 'sandbox': '8.30'}

Root-level help:


Examples

Submit

Submit files and URLs. The command-line default behaviour is to wait for the submitted job to complete and then download the full result as JSON.

File

For submissions from the command line, the default behaviour is to wait for the submission to complete and download all results as JSON. Note that result files can be quite large; for this reason they are downloaded in chunks.

$ falcon-sandbox submit -f PMNT_089_08102019.xls -e 100
2019-11-22 17:08:54 analysis falcon_sandbox[11412] INFO Got job id 5dd85bd85c757507273ee1dc for PMNT_089_08102019.xls submission
{'environment_id': 100,
 'job_id': '5dd85bd85c757507273ee1dc',
 'sha256': '6e5734c914eee85fcd56522857a00a10de76a6bb4fe533fd58d618acd21dfa1d',
 'submission_id': '5dd85bd85c757507273ee1db'}
2019-11-22 17:08:54 analysis falcon_sandbox[11412] INFO job 5dd85bd85c757507273ee1dc is in IN_QUEUE state..
2019-11-22 17:09:21 analysis falcon_sandbox[11412] INFO job 5dd85bd85c757507273ee1dc is in IN_PROGRESS state..
...
2019-11-22 17:15:03 analysis falcon_sandbox[11412] INFO job 5dd85bd85c757507273ee1dc is in IN_PROGRESS state..
2019-11-22 17:15:12 analysis falcon_sandbox[11412] INFO Job 5dd85bd85c757507273ee1dc has moved to a SUCCESS state
2019-11-22 17:15:12 analysis falcon_sandbox[11412] INFO Wrote 5dd85bd85c757507273ee1dc.falcon.json

URL

$ falcon-sandbox submit -u 'https://firebasestorage.googleapis.com/v0/b/gu0-81b2b.appspot.com/o/index.html'
2019-11-22 17:16:48 analysis falcon_sandbox[12330] INFO Got job id 5dd85db23fec58f54c3ee1de for https://firebasestorage.googleapis.com/v0/b/gu0-81b2b.appspot.com/o/index.html submission
{'environment_id': 100,
 'job_id': '5dd85db23fec58f54c3ee1de',
 'sha256': '678895ccfd6c05d3f3bfba70fdea60a274181de66d94f356897d7d67875829a0',
 'submission_id': '5dd85db23fec58f54c3ee1dd',
 'submission_type': 'page_url'}
2019-11-22 17:16:48 analysis falcon_sandbox[12330] INFO job 5dd85db23fec58f54c3ee1de is in IN_QUEUE state..
2019-11-22 17:16:57 analysis falcon_sandbox[12330] INFO job 5dd85db23fec58f54c3ee1de is in IN_QUEUE state..
...
2019-11-22 17:23:33 analysis falcon_sandbox[12330] INFO job 5dd85db23fec58f54c3ee1de is in IN_PROGRESS state..
2019-11-22 17:23:40 analysis falcon_sandbox[12330] INFO Job 5dd85db23fec58f54c3ee1de has moved to a SUCCESS state
2019-11-22 17:23:41 analysis falcon_sandbox[12330] INFO Wrote 5dd85db23fec58f54c3ee1de.falcon.json

Get

Get system information, analysis overviews, and all the various report data.

Get an overview summary

$ falcon-sandbox get overview 6e5734c914eee85fcd56522857a00a10de76a6bb4fe533fd58d618acd21dfa1d -s
{'analysis_start_time': '2019-10-15T19:14:46+00:00',
 'last_multi_scan': '2019-11-22T21:37:49+00:00',
 'multiscan_result': None,
 'sha256': '6e5734c914eee85fcd56522857a00a10de76a6bb4fe533fd58d618acd21dfa1d',
 'threat_score': 55,
 'verdict': 'malicious'}

Get/download the original sample.

$ falcon-sandbox get report 5da61a9d5c75754c1165dd98 -s
2019-11-22 17:00:53 analysis falcon_sandbox[10517] INFO Wrote PMNT_089_08102019.xls

Get the entire report as JSON

$ falcon-sandbox get report 5da61a9d5c75754c1165dd98 
2019-11-22 17:03:00 analysis falcon_sandbox[10760] INFO Wrote 5da61a9d5c75754c1165dd98.falcon.json
$
$ cat 5da61a9d5c75754c1165dd98.falcon.json | jq '.' | grep verdict -B 5 -A 5
        "threatsigimpact": "70",
        "theoreticalmaxthreatsigimpact": "5718",
        "theoreticalmaxthreatsigimpact_practical": "2802",
        "overallconfidence": "55"
      },
      "verdict": {
        "threatlevel": "2",
        "threatscore": "55",
        "isreliable": "true"
      },
      "signatures_triplets": "",
      "warnings": {
        "warning": [
          "Enforcing malicious verdict, as a reliable source indicates high confidence",
          "Not all sources for indicator ID \"api-55\" are available in the report"
        ]
      },
      "characteristics": {
        "has_carved_files": "false",

Get available environments

$ falcon-sandbox get system -e | grep description
  'description': 'Windows 7 32 bit',
  'description': 'Windows 7 64 bit',
  'description': 'Windows 10 64 bit',
  'description': 'Android Static Analysis',
  'description': 'Linux (Ubuntu 16.04, 64 bit)',

Search

Search by hash, job id, or term.

Hashes

$ falcon-sandbox search -ha c1af0757c42aa3790719a6d5f64c57c5aa40af22916213758807eafe5e9e7351,8b764864c36daa127e3980c015839b5d5c0f5f7b482e2fe42a3a70808778b6af | grep job_id
  'job_id': '5dd6bd9f3fec583a48aeb00e',
  'job_id': '5dd66fc35c7575d80caeb00e',

Terms

Very basic term search.

$ falcon-sandbox search -t 'filename:PMNT_089_08102019.xls'
{'count': 1,
 'result': [{'analysis_start_time': '2019-10-15 19:14:46',
             'av_detect': None,
             'environment_description': 'Windows 7 64 bit',
             'environment_id': 110,
             'job_id': '5da61a9d5c75754c1165dd98',
             'sha256': '6e5734c914eee85fcd56522857a00a10de76a6bb4fe533fd58d618acd21dfa1d',
             'size': 705024,
             'submit_name': 'PMNT_089_08102019.xls',
             'threat_score': 55,
             'type': None,
             'type_short': 'xls',
             'verdict': 'malicious',
             'vx_family': None}],
 'search_terms': [{'id': 'filename', 'value': 'PMNT_089_08102019.xls'}]}

Job state

$ falcon-sandbox search -s 5dd6bd9f3fec583a48aeb00e,5dd66fc35c7575d80caeb00e
[{'environment_id': 100,
 'error': None,
 'error_origin': None,
 'error_type': None,
 'job_id': '5dd6bd9f3fec583a48aeb00e',
 'query': '5dd6bd9f3fec583a48aeb00e',
 'related_reports': [],
 'sha256': 'c1af0757c42aa3790719a6d5f64c57c5aa40af22916213758807eafe5e9e7351',
 'state': 'SUCCESS'},
{'environment_id': 100,
 'error': None,
 'error_origin': None,
 'error_type': None,
 'job_id': '5dd66fc35c7575d80caeb00e',
 'query': '5dd66fc35c7575d80caeb00e',
 'related_reports': [],
 'sha256': '8b764864c36daa127e3980c015839b5d5c0f5f7b482e2fe42a3a70808778b6af',
 'state': 'SUCCESS'}]
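A small triage helper that ties the job-state listing above to the report JSON shown under "Get the entire report as JSON" (added example, not code from the falcon-sandbox project): it parses the 'search -s' output, which the CLI prints as Python literals rather than JSON, keeps only jobs that reached SUCCESS without an error, then locates the verdict block inside a downloaded .falcon.json report and decides whether the sample needs escalation. The sample data is constructed from values on this page; the keys enclosing the verdict block in the report are an assumption, since the page shows only the block itself.

```python
import ast
import json

# Constructed sample of `falcon-sandbox search -s` output; the CLI prints Python
# literals (single quotes, None), not JSON, so it is parsed with ast.literal_eval.
SEARCH_OUTPUT = """[{'environment_id': 100, 'error': None, 'error_origin': None,
 'error_type': None, 'job_id': '5dd6bd9f3fec583a48aeb00e', 'related_reports': [],
 'sha256': 'c1af0757c42aa3790719a6d5f64c57c5aa40af22916213758807eafe5e9e7351',
 'state': 'SUCCESS'},
{'environment_id': 100, 'error': None, 'error_origin': None, 'error_type': None,
 'job_id': '5dd66fc35c7575d80caeb00e', 'related_reports': [],
 'sha256': '8b764864c36daa127e3980c015839b5d5c0f5f7b482e2fe42a3a70808778b6af',
 'state': 'IN_PROGRESS'}]"""

# Constructed fragment of a <job_id>.falcon.json report. The verdict block's field
# names and string-typed values match real output; the enclosing keys are assumed.
REPORT_JSON = """{"analysis": {"final": {
  "verdict": {"threatlevel": "2", "threatscore": "55", "isreliable": "true"},
  "warnings": {"warning": ["Enforcing malicious verdict, as a reliable source indicates high confidence"]}}}}"""


def finished_jobs(search_output):
    """Map sha256 -> job_id for jobs in SUCCESS state with no error. Jobs still
    IN_QUEUE/IN_PROGRESS are left out, so no report is fetched before it exists."""
    done = {}
    for job in ast.literal_eval(search_output):
        if job.get("state") == "SUCCESS" and job.get("error") is None:
            done[job["sha256"]] = job["job_id"]
    return done


def find_verdict(node):
    """Depth-first search for the verdict block, so only its own field names are
    relied upon and not its position inside the (very large) report tree."""
    if isinstance(node, dict):
        v = node.get("verdict")
        if isinstance(v, dict) and "threatscore" in v:
            return v
        return next((r for r in map(find_verdict, node.values()) if r), None)
    if isinstance(node, list):
        return next((r for r in map(find_verdict, node) if r), None)
    return None


def should_escalate(report_json, min_score=50):
    """Escalate only on a reliable verdict scoring at least min_score. The report
    stores "55" and "true" as strings, so they are converted before comparing."""
    v = find_verdict(json.loads(report_json))
    if v is None:
        return False
    return v.get("isreliable") == "true" and int(v.get("threatscore", 0)) >= min_score
```

Note that the overview output keys its 'verdict' by a plain string ('malicious'), so find_verdict deliberately skips any 'verdict' value that is not a dict carrying a threatscore.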
