Extractor of various archive formats for Karton framework
Project description
Extractor karton service
Performs extraction of known archive types and e-mail attachments. Produces "raw" artifacts for further classification.
Author: CERT.pl
Maintainers: psrok1, nazywam
Consumes:
{
"type": "sample",
"stage": "recognized",
"kind": "archive"
"payload": {
"sample": <Resource>,
"extraction_level": <int, default: 0>,
"password": <archive password>,
}
}
Produces:
{
"type": "sample",
"kind": "raw",
"payload": {
"sample": <Resource>,
"parent": <Resource>,
"extraction_level": <int++>
}
}
Usage
First of all, make sure you have setup the core system: https://github.com/CERT-Polska/karton
In order to unpack all available formats you'll also need a few native dependencies that sflock relies on, the installation method recommended by sflock is:
RUN sed -i 's/ main/ main non-free/' /etc/apt/sources.list \
&& apt-get update && apt-get install -y \
p7zip-full \
rar \
unace \
cabextract \
lzip
Then install karton-archive-extractor from PyPi:
$ pip install karton-archive-extractor
$ karton-archive-extractor
Configuration
There are several configuration options you can tweak up to your liking.
[archive-extractor]
# Maximum levels of nested extraction
max_depth = 5
# Maximum unpacked child filesize, larger files are not reported
max_size = 26214400
# Maximum number of children files for further analysis
max_children = 1000
To learn more about configuring your karton services, take a look at karton configuration docs
Running in Docker
Sflock uses ZipJail as a usermode syscall filtering mechanism. As a result, in our experience, container running the karton service has to have the SYS_PTRACE capability in order for the ptrace to execute correctly. Make sure it's enabled if you run into problems extracting certain archive types.
Supported archive/compression formats*
.7z
.ace
.bup
.cab
.daa
.eml
.gz
.gzip
.iso
.lha
.lz
.lzh
.msg
.mso
.pdf
.rar
.tar
.tar.bz2
.tar.gz
.udf
.vhd
.vhdx
.xz
.zip
* Assuming you are running Linux, please see the sflock's readme for more information
PE files debloating
Some malicious PE files contain intentionally added junk to make them too big for processing. Starting from v1.4.0, archive extractor supports optional debloating of these files, using debloat tool made by Squiblydoo.
certpl/karton-archive-extractor Docker image debloats PE files by default. To enable debloating in
karton-archive-extractor installed from PyPI, you need to install additional extra dependencies:
pip install karton-archive-extractor[debloat]
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for karton_archive_extractor-1.4.2-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1f338a79fe365e996622239ba52c8e23b949d3e2ef64163d918227c51c4f936d |
|
| MD5 | 166f55e4cba2db1268d36c6108f853f2 |
|
| BLAKE2b-256 | 65e3ed46d146174739d969556de4c0b325736c90f0e758038c9b978e2b7220f6 |
