A client library that simplifies interaction with the PolySwarm consumer API

Detailed description of the polyswarm-api Python project


Contents

polyswarm api

An interface to the public and private PolySwarm APIs.

Supports Python 3.5 (>= 3.5.4) and Python 3.6 (>= 3.6.5)

Installation

From PyPI:

pip install polyswarm-api

From source:

python3 setup.py install

Usage

Using the provided CLI

Configuration
$ export POLYSWARM_API_KEY=<Your API key from polyswarm.network>
$ export POLYSWARM_COMMUNITY=lima
$ polyswarm
Usage: polyswarm [OPTIONS] COMMAND [ARGS]...

  This is a PolySwarm CLI client, which allows you to interact directly with
  the PolySwarm network to scan files, search hashes, and more.

Options:
  -a, --api-key TEXT              Your API key for polyswarm.network
                                  (required)
  -u, --api-uri TEXT              The API endpoint (ADVANCED)
  -o, --output-file FILENAME      Path to output file.
  --fmt, --output-format [text|json]
                                  Output format. Human-readable text or JSON.
  --color / --no-color            Use colored output in text mode.
  -v, --verbose
  -c, --community TEXT            Community to use.
  -h, --help                      Show this message and exit.

Commands:
  download    download file(s)
  historical  interact with historical scans
  live        interact with live scans
  lookup      lookup UUID(s)
  rescan      rescan files(s) by hash
  scan        scan files/directories
  search      search for hash or query
  stream      access the polyswarm file stream

Perform scans
$ polyswarm scan /tmp/eicar
Scan report for GUID 39b04176-51eb-4431-82d0-a0a3176164f0
=========================================================
Report for file eicar, hash: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
        tachyon: Clean
        nanoav: Malicious, metadata: {"infections": [{"name": "Marker.Dos.EICAR-Test-File.dyb"}]}
        zillya: Malicious
        clamav-engine: Malicious, metadata: Eicar-Test-Signature
        k7-engine: Malicious, metadata: Trojan (000139291)
        ikarus: Malicious, metadata: EICAR-Test-File
        xvirus: Malicious, metadata: 
        drweb: Malicious, metadata: infected with EICAR Test File (NOT a Virus!)
        lionic: Clean

$ polyswarm url https://www.XXXXXX.XXXX/admin.php?f=1.gif
Scan report for GUID 550bcbfe-7d75-4de0-8d23-8b490e7ee58b
=========================================================
Report for file admin.php?f=1.gif, hash: c9d2152432e5ed53513c510b5ce94557313af965ba93f7819651542408344dae
	Trustlook: Malicious, metadata: [{'malware_family': 'Malware', 'scanner': {'environment': {'operating_system': 'Linux', 'architecture': 'x86_64'}}}]

Perform searches

$ polyswarm -o /tmp/test.txt search hash 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
$ cat /tmp/test.txt
Found 1 matches to the search query.
Search results for sha256=131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
File 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
	File type: mimetype: text/plain, extended_info: EICAR virus test files
	SHA256: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
	SHA1: cf8bd9dfddff007f75adf4c2be48005cea317c62
	MD5: 69630e4574ec6798239b091cda43dca0
	Observed countries: US,PR
	Observed filenames: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267,eicar.com.txt,eicar.txt
$ polyswarm -o /tmp/test.txt search metadata "strings.domains:en.wikipedia.org AND exiftool.ZipFileName:AndroidManifest.xml AND exiftool.ZipRequiredVersion:>19"
$ cat /tmp/test.txt | more
Found 18 matches to the search query.
Search results for {'query': {'query_string': {'query': 'strings.domains:en.wikipedia.org AND exiftool.ZipFileName:AndroidManifest.xml AND exiftool.ZipRequiredVersion:>19'}}}
File 1d38780c2327086816d0a87d878d57b943d6ad5109b9389b5d5ffe3f9065698b
	File type: mimetype: application/java-archive, extended_info: Java archive data (JAR)
	SHA256: 1d38780c2327086816d0a87d878d57b943d6ad5109b9389b5d5ffe3f9065698b
	SHA1: 76f5b2c6abbd6b30dc00fbe797001bf7247f423b
	MD5: 12a1028e90696d9f3926ac3ab150950c
	First seen: Sun, 24 Mar 2019 15:27:32 GMT
	Observed countries: 
	Observed filenames: 1d38780c2327086816d0a87d878d57b943d6ad5109b9389b5d5ffe3f9065698b


File d8e6ac2884597021479796d252fcd61dbbfd71f7c07af54d71478af377e0bfb9
	File type: mimetype: application/java-archive, extended_info: Java archive data (JAR)
	SHA256: d8e6ac2884597021479796d252fcd61dbbfd71f7c07af54d71478af377e0bfb9
	SHA1: a5b267cd66d0da885d252b279d28cb887f8b901c
	MD5: bb0dd7f93ef2eaacfde18d07909fac0b
	First seen: Sun, 31 Mar 2019 08:58:17 GMT
	Observed countries: 
	Observed filenames: d8e6ac2884597021479796d252fcd61dbbfd71f7c07af54d71478af377e0bfb9


File 041044068eb8295a4d80786c3f55c77c641b6f3eb33187bbf504aa923ec5db78
	File type: mimetype: application/java-archive, extended_info: Java archive data (JAR)
	SHA256: 041044068eb8295a4d80786c3f55c77c641b6f3eb33187bbf504aa923ec5db78
	SHA1: 5ab68f339ddf9d8701d2c3947cc0596652b92cb0
	MD5: c93a8476c16cc7e044be305b71fe1b1f
	First seen: Wed, 27 Mar 2019 07:02:24 GMT
	Observed countries: 
--More--

Look up UUIDs

$ polyswarm -vvv -o /tmp/test.json --fmt json lookup 39b04176-51eb-4431-82d0-a0a3176164f0
DEBUG:root:Creating API instance: api_key:<redacted>
DEBUG:asyncio:Using selector: EpollSelector

$ cat /tmp/test.json
[{"files": [{"assertions": [{"author": "0x1EdF29c0977aF06215032383F93deB9899D90118", "bid": 62500000000000000, "mask": true, "metadata": "", "verdict": false, "engine": "tachyon"}, {"author": "0x2b4C240B376E5406C5e2559C27789d776AE97EFD", "bid": 62500000000000000, "mask": true, "metadata": "{\"infections\": [{\"name\": \"Marker.Dos.EICAR-Test-File.dyb\"}]}", "verdict": true, "engine": "nanoav"}, {"author": "0xf6019C1f057D26FFB2b41C221E0DB4Ef88931C86", "bid": 62500000000000000, "mask": true, "metadata": null, "verdict": null, "engine": "zillya"}, {"author": "0x3750266F07E0590aA16e55c32e08e48878010f8f", "bid": 62500000000000000, "mask": true, "metadata": "Eicar-Test-Signature", "verdict": true, "engine": "clamav-engine"}, {"author": "0xbE0B3ec289aaf9206659F8214c49D083Dc1a9E17", "bid": 62500000000000000, "mask": true, "metadata": "Trojan ( 000139291 )", "verdict": true, "engine": "k7-engine"}, {"author": "0xA4815D9b8f710e610E8957F4aD13F725a4331cbB", "bid": 62500000000000000, "mask": true, "metadata": "EICAR-Test-File", "verdict": true, "engine": "ikarus"}, {"author": "0x59Af39803354Bd08971Ac8e7C6dB7410a25Ab8DA", "bid": 62500000000000000, "mask": true, "metadata": "", "verdict": true, "engine": "xvirus"}, {"author": "0x7c6A9f9f9f1a67774999FF0e26ffdBa2c9347eeB", "bid": 62500000000000000, "mask": true, "metadata": "infected with EICAR Test File (NOT a Virus!)", "verdict": true, "engine": "drweb"}, {"author": "0x0457C40dBA29166c1D2485F93946688C1FC6Cc58", "bid": 62500000000000000, "mask": true, "metadata": "", "verdict": false, "engine": "lionic"}], "bounty_guid": "dee1769b-0428-4e98-a39d-aa1c230435bf", "bounty_status": "Settled", "failed": false, "filename": "eicar", "hash": "131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267", "result": true, "size": 69, "votes": [{"arbiter": "0xdC6a0F9C3AF726Ba05AaC14605Ac9B3b958512d7", "vote": true, "engine": "clamav-arbiter"}, {"arbiter": "0x2E03565b735E2343F7F0501A7772A42B1C0E8893", "vote": true, "engine": "psarbiter"}, 
{"arbiter": "0x1f50Cf288b5d19a55ac4c6514e5bA6a704BD03EC", "vote": false, "engine": "hatchingarb"}], "window_closed": true}], "forced": false, "status": "Duplicate", "uuid": "39b04176-51eb-4431-82d0-a0a3176164f0"}]
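The JSON above is what `--fmt json` writes for a lookup. As an added example (not part of the polyswarm-api project), the following parses that structure into a triage record: per-engine verdicts with `verdict: null` kept apart from `false` (the text report for this same GUID lists zillya as Malicious while the JSON carries no verdict for it, so the JSON is the record to rely on), detection names pulled out of the free-form `metadata` field, the arbiter vote tally, and whether the bounty is settled with its window closed before `result` is treated as final. The sample is a constructed, trimmed copy of the output above; the NCT conversion assumes 18-decimal scaling of `bid`.

```python
import json
from decimal import Decimal

# Assumption: `bid` is in NCT's smallest unit with the usual 18-decimal ERC-20
# scaling, so 62500000000000000 is 0.0625 NCT.
NCT_DECIMALS = 18

# Constructed sample: the lookup output shown above, trimmed to four engines and
# two arbiters; field values are otherwise unchanged.
SAMPLE_LOOKUP = json.dumps([{
    "files": [{
        "assertions": [
            {"author": "0x1EdF29c0977aF06215032383F93deB9899D90118", "bid": 62500000000000000, "mask": True,
             "metadata": "", "verdict": False, "engine": "tachyon"},
            {"author": "0x2b4C240B376E5406C5e2559C27789d776AE97EFD", "bid": 62500000000000000, "mask": True,
             "metadata": "{\"infections\": [{\"name\": \"Marker.Dos.EICAR-Test-File.dyb\"}]}", "verdict": True, "engine": "nanoav"},
            {"author": "0xf6019C1f057D26FFB2b41C221E0DB4Ef88931C86", "bid": 62500000000000000, "mask": True,
             "metadata": None, "verdict": None, "engine": "zillya"},
            {"author": "0x3750266F07E0590aA16e55c32e08e48878010f8f", "bid": 62500000000000000, "mask": True,
             "metadata": "Eicar-Test-Signature", "verdict": True, "engine": "clamav-engine"},
        ],
        "bounty_guid": "dee1769b-0428-4e98-a39d-aa1c230435bf", "bounty_status": "Settled", "failed": False,
        "filename": "eicar", "hash": "131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267",
        "result": True, "size": 69,
        "votes": [
            {"arbiter": "0xdC6a0F9C3AF726Ba05AaC14605Ac9B3b958512d7", "vote": True, "engine": "clamav-arbiter"},
            {"arbiter": "0x1f50Cf288b5d19a55ac4c6514e5bA6a704BD03EC", "vote": False, "engine": "hatchingarb"},
        ],
        "window_closed": True,
    }],
    "forced": False, "status": "Duplicate", "uuid": "39b04176-51eb-4431-82d0-a0a3176164f0",
}])

def parse_metadata(raw):
    """Engine metadata is free-form: JSON text, a bare string, "" or null."""
    if raw is None or raw == "":
        return None
    if isinstance(raw, str) and raw.lstrip()[:1] in "{[":
        try:
            return json.loads(raw)
        except ValueError:
            pass
    return raw

def detection_names(assertion):
    """Pull detection names out of metadata, whichever shape the engine used."""
    meta = parse_metadata(assertion.get("metadata"))
    if isinstance(meta, dict) and isinstance(meta.get("infections"), list):
        return [i["name"] for i in meta["infections"] if isinstance(i, dict) and i.get("name")]
    if isinstance(meta, str) and meta.strip():
        return [meta.strip()]
    return []

def verdict_label(verdict):
    """Mirror the CLI's text labels; null is neither Clean nor Malicious."""
    if verdict is True:
        return "Malicious"
    if verdict is False:
        return "Clean"
    return "Unknown/failed to respond"

def bid_to_nct(bid):
    return Decimal(bid) / Decimal(10) ** NCT_DECIMALS

def summarize_file(entry, bounty):
    """Collapse one file's assertions and arbiter votes into a triage record."""
    malicious, clean, no_verdict, names = [], [], [], {}
    for a in entry.get("assertions", []):
        engine = a.get("engine") or a.get("author")
        label = verdict_label(a.get("verdict"))
        if label == "Malicious":
            malicious.append(engine)
            found = detection_names(a)
            if found:
                names[engine] = found
        elif label == "Clean":
            clean.append(engine)
        else:
            no_verdict.append(engine)
    votes = entry.get("votes", [])
    return {
        "uuid": bounty.get("uuid"),
        "status": bounty.get("status"),
        "hash": entry.get("hash"),
        "filename": entry.get("filename"),
        # Only rely on `result` once the bounty has settled and the voting window closed.
        "final": entry.get("bounty_status") == "Settled" and bool(entry.get("window_closed")),
        "result": entry.get("result"),
        "malicious": malicious,
        "clean": clean,
        "no_verdict": no_verdict,
        "detection_names": names,
        "arbiter_votes": {
            "malicious": sum(1 for v in votes if v.get("vote") is True),
            "benign": sum(1 for v in votes if v.get("vote") is False),
        },
        "total_bid_nct": sum((bid_to_nct(a.get("bid", 0)) for a in entry.get("assertions", [])), Decimal(0)),
    }

def summarize_lookup(lookup_json):
    """Parse `polyswarm lookup --fmt json` output (a list of bounties) into records."""
    return [summarize_file(f, bounty)
            for bounty in json.loads(lookup_json)
            for f in bounty.get("files", [])]
```

`summarize_lookup(open("/tmp/test.json").read())` works on the file written by the lookup command above; engines listed under `no_verdict` did not answer and should not be counted as either side of the tally.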

Download files

$ polyswarm download test/ 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
Downloaded 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267: test/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267

Perform rescans

$ polyswarm rescan 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
Scan report for GUID 46a112f2-a368-4b59-96b0-0dffac5306a6
=========================================================
Report for file 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267, hash: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
        lionic: Malicious, metadata: {"infections": [{"path": "C:/Windows/TEMP/polyswarm-artifactn8mjdwm9", "time": "2019/02/21 20:04:37", "name": "Test.File.EICAR.y!c", "location": "polyswarm-artifactn8mjdwm9"}]}
        ikarus: Malicious, metadata: EICAR-Test-File
        clamav-engine: Malicious, metadata: Eicar-Test-Signature
        drweb: Malicious, metadata: infected with EICAR Test File (NOT a Virus!)
        xvirus: Unknown/failed to respond
        tachyon: Clean
        nanoav: Malicious, metadata: {"infections": [{"name": "Marker.Dos.EICAR-Test-File.dyb"}]}
        zillya: Malicious, metadata: Status:Infected EICAR.TestFile
        k7-engine: Malicious, metadata: Trojan (000139291)

For details of the JSON format, see API.md

Using the library:

Create an API client

import polyswarm_api

api_key = "317b21cb093263b701043cb0831a53b9"  # placeholder value; substitute your own key
api = polyswarm_api.PolyswarmAPI(key=api_key)

Note: you need to obtain your own API key from polyswarm.network

Perform scans

results = api.scan_directory("/path/to/directory")
results = api.scan_file("/path/to/eicar")
results = api.scan_url("http://bad.com")

Perform searches

results = api.search_hash("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f")
results = api.search_hashes(["275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"])
query = {"query": {"exists": {"field": "lief.libraries"}}}
results = api.search_query(query)
Metadata terms

Below is a non-exhaustive list of the terms PolySwarm currently supports. When searching, each nested level is separated by a `.`, for example pefile.imphash. Field names are case sensitive, so take care to spell them exactly. If you would like to see more fields or tools, contact info@polyswarm.io

  • lief - curated LIEF output

    • has_nx
    • is_pie
    • libraries - list of imported libraries
    • entrypoint - entry point, in decimal
    • virtual_size - virtual size, in decimal
    • exported_functions - list of exported functions
    • imported_functions - list of imported functions
  • pefile - curated pefile output

    • is_dll - boolean
    • is_exe - boolean
    • exports - exported functions
    • imphash - imphash of the file
    • imports - dictionary of imports in the form dllname: [list, of, functions]
    • uses_cfg - boolean
    • uses_dep - boolean
    • uses_seh - boolean
    • compile_date - compile date
    • has_import_table - boolean
    • has_export_table - boolean
    • is_probably_packed - boolean
    • warnings - warnings from the pefile parser
  • exiftool - exiftool output (from exiftool -j)

    • MIMEType - mimetype of the file
    • InternalName - internal name extracted from the executable
    • OriginalFileName - original name of the file
    • Author - author of the file
    • Title - title of the file
    • Subject - subject of the file
    • LanguageCode - language used by the executable (for example "English (U.S.)")
    • CharacterSet - character set of the file
    • Language - language of the file (for example 'en-gb')
    • ModifyDate - document last-modified time string
    • CreateDate - document creation time string
    • and more; see the exiftool documentation for details.
  • strings - interesting statically extracted strings

    • domains - observed domains
    • urls - URLs (including things like email addresses)
    • ipv4 - IPv4 addresses
    • ipv6 - IPv6 addresses
Allowed query searches

For query searches, only a subset of Elasticsearch queries is currently allowed.

For security reasons, only the following simple forms are allowed (the full forms with all their other attributes are not).

To simplify command-line searches, the CLI's default input format is a query string, which is wrapped into a JSON query_string request. This is likely sufficient for most queries. Note: some characters, such as backslashes, must be escaped with a backslash.

Query string
{"query":{"query_string":{"query":"this AND that OR something:>10"}}}

Note: Elasticsearch Query String (https://www.elastic.co/guide/en/elasticsearch/reference/6.7/query-dsl-query-string-query.html).

Check whether a field exists
{"query":{"exists":{"field":"lief.libraries"}}}

Note: Elasticsearch Exists Query

Range query
{"query":{"range":{"age":{"gte":10,"lte":20}}}}

Note: Elasticsearch Range Query. These are especially interesting for date fields; see the Elasticsearch documentation for a reference on date math.

Simple query string
{"query":{"simple_query_string":{"query":"\"fried eggs\" +(eggplant | potato) -frittata","fields":["title^5","body"],"default_operator":"and"}}}

Note: Elasticsearch Simple Query String

Terms (array) query
{"query":{"terms":{"user":["kimchy","elasticsearch"]}}}

Note: Elasticsearch Terms Query
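The page restricts `search_query` to the five simple forms above and notes that some characters must be backslash-escaped. As an added example, not part of the library, the helpers below build those forms, escape user-supplied literals so `:`, `(`, `*`, `&&` and similar operators cannot rewrite a query_string query, and reject any other query type client-side before it is sent. The reserved-character list is taken from the Elasticsearch query_string documentation (an assumption about the server-side parser, which the page does not spell out); `<` and `>` cannot be escaped in that syntax, so a comparison such as `exiftool.ZipRequiredVersion:>19` is written as a deliberate raw clause or built with `range_query`, never passed through `escape_term`. All function names are chosen here.

```python
import re

# The only query shapes this page says search_query / `polyswarm search metadata` accept.
ALLOWED_FORMS = ("query_string", "simple_query_string", "exists", "range", "terms")

# Operators of Elasticsearch's query_string syntax. Assumption: the list follows the
# Elasticsearch query_string documentation; whitespace is escaped too so a value stays
# one term. `<` and `>` cannot be escaped there and are dropped in escape_term instead.
_RESERVED = re.compile(r'(&&|\|\||[+\-=!(){}\[\]^"~*?:\\/]|\s)')
_FIELD = re.compile(r"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*")

def escape_term(value):
    """Make a literal value safe to splice into a query_string query."""
    value = value.replace("<", "").replace(">", "")
    return _RESERVED.sub(lambda m: "\\" + m.group(0), value)

def _field(name):
    """Field names are dotted paths such as pefile.imphash; anything else is rejected."""
    if not _FIELD.fullmatch(name):
        raise ValueError("bad field name: %r" % name)
    return name

def field_clause(field, value):
    """`field:value` with the value escaped; use range_query for comparisons such as >19."""
    return "%s:%s" % (_field(field), escape_term(value))

def query_string(*clauses, op="AND"):
    if op not in ("AND", "OR"):
        raise ValueError("op must be AND or OR")
    return {"query": {"query_string": {"query": (" %s " % op).join(clauses)}}}

def exists(field):
    return {"query": {"exists": {"field": _field(field)}}}

def range_query(field, **bounds):
    unknown = set(bounds) - {"gt", "gte", "lt", "lte"}
    if unknown:
        raise ValueError("unsupported range bounds: %s" % sorted(unknown))
    return {"query": {"range": {_field(field): dict(bounds)}}}

def terms(field, values):
    return {"query": {"terms": {_field(field): list(values)}}}

def validate_query(q):
    """Reject anything outside the allowed simple forms before it reaches search_query."""
    if not isinstance(q, dict) or set(q) != {"query"}:
        raise ValueError("expected exactly {'query': {...}} at the top level")
    body = q["query"]
    if not isinstance(body, dict) or len(body) != 1:
        raise ValueError("the query must hold exactly one clause")
    (kind, inner), = body.items()
    if kind not in ALLOWED_FORMS:
        raise ValueError("query type %r is not one of the allowed simple forms" % kind)
    if not isinstance(inner, dict):
        raise ValueError("clause body must be an object")
    return q

def page_example():
    """The metadata search from the CLI example on this page, rebuilt from parts: two
    escaped literals plus the version comparison written as a deliberate raw clause."""
    return validate_query(query_string(
        field_clause("strings.domains", "en.wikipedia.org"),
        field_clause("exiftool.ZipFileName", "AndroidManifest.xml"),
        "exiftool.ZipRequiredVersion:>19",
    ))
```

`page_example()` reproduces the `search metadata` query run earlier on this page; pass the returned dict to `api.search_query`. The escaping matters when the literal comes from outside the program (a filename from a ticket, an indicator from a feed): `escape_term("Trojan (000139291)")` yields `Trojan\ \(000139291\)`, one term rather than a grouping expression.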

Download files

results = api.download_file("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "test/")
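`download_file` stores the sample under its sha256, as the CLI download above shows, and `get_stream` fetches many such files. As an added example that is not part of polyswarm-api, the code below does the local checks that sit around these calls and around the client creation above: it takes the API key from POLYSWARM_API_KEY (the CLI's own variable) instead of a string in source, hashes a file once for the sha256/sha1/md5 the search output lists so `search_hash` can be asked about a file before `scan_file` submits it to the network's engines, and verifies a downloaded file against the hash that named it. The sample is the 68-byte EICAR string, constructed inline (the 69-byte file on this page is the same string plus a trailing newline); `hash_file`, `verify_download`, `make_client` and `lookup_before_upload` are names chosen here, not library functions.

```python
import hashlib
import os
import tempfile

# Constructed sample: the 68-byte EICAR test string. The 69-byte file on this
# page (hash 131f95c5...) is the same string followed by a newline.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

HASH_NAMES = ("sha256", "sha1", "md5")  # the three digests the search output lists

def hash_file(path, chunk_size=1 << 20):
    """Stream a file once through all three digests, so large samples are not read three times."""
    digests = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def verify_download(path, expected_sha256):
    """Hypothetical helper: confirm a file fetched by download_file/get_stream is the
    artifact that was requested (the file is stored under its sha256)."""
    return hash_file(path)["sha256"] == expected_sha256.strip().lower()

def api_key_from_env(env=None):
    """Read the key from POLYSWARM_API_KEY, the variable the CLI uses, rather than
    keeping it in source control."""
    env = os.environ if env is None else env
    key = env.get("POLYSWARM_API_KEY", "").strip()
    if not key:
        raise RuntimeError("POLYSWARM_API_KEY is not set; get a key from polyswarm.network")
    return key

def make_client(env=None):
    """Hypothetical wrapper around polyswarm_api.PolyswarmAPI (needs polyswarm-api installed)."""
    import polyswarm_api  # imported lazily so the hashing helpers run without the package
    return polyswarm_api.PolyswarmAPI(key=api_key_from_env(env))

def lookup_before_upload(api, path):
    """Hypothetical helper: ask search_hash what the network already knows about a file,
    so the caller can decide whether scan_file should submit it to the engines at all."""
    sha256 = hash_file(path)["sha256"]
    return sha256, api.search_hash(sha256)

def demo_roundtrip():
    """Write the sample under its sha256, as download_file does, then hash and verify it."""
    sha256 = hashlib.sha256(EICAR).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, sha256)
        with open(path, "wb") as fh:
            fh.write(EICAR)
        return {
            "hashes": hash_file(path),
            "verified": verify_download(path, sha256.upper()),
            "tamper_detected": not verify_download(path, "0" * 64),
        }
```

A typical sequence is `api = make_client()`, then `sha256, known = lookup_before_upload(api, path)` before deciding on `api.scan_file(path)`, and `verify_download(dest, sha256)` after `api.download_file(sha256, dest_dir)`; submitting a file to the network shares it with the participating engines, so the hash lookup is the step to take first for anything sensitive.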

Perform hunts

results = api.new_live_hunt(open("eicar.yara").read())
results = api.get_live_results(hunt_id=results['result']['hunt_id'])
results = api.new_historical_hunt(open("eicar.yara").read())
results = api.get_historical_results(hunt_id=results['result']['hunt_id'])

Perform rescans

results = api.rescan_file("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f")

Get the stream

results = api.get_stream(destination_dir="/my/malware/path")

Questions? Problems?

File a ticket or email us at info@polyswarm.io.
