strelka: backend: enabled: False config: backend: logging_cfg: '/etc/strelka/logging.yaml' limits: max_files: 0 time_to_live: 0 max_depth: 15 distribution: 600 scanner: 150 coordinator: addr: 'HOST:6380' db: 0 tasting: mime_db: '/usr/lib/file/magic.mgc' yara_rules: '/etc/strelka/taste/' scanners: 'ScanBase64PE': - positive: flavors: - 'base64_pe' priority: 5 'ScanBatch': - positive: flavors: - 'text/x-msdos-batch' - 'batch_file' priority: 5 'ScanBmpEof': - positive: flavors: - 'image/x-ms-bmp' - 'bmp_file' negative: source: - 'ScanTranscode' priority: 5 'ScanBzip2': - positive: flavors: - 'application/x-bzip2' - 'bzip2_file' priority: 5 'ScanDmg': - positive: flavors: - 'dmg_disk_image' - 'hfsplus_disk_image' priority: 5 'ScanDocx': - positive: flavors: - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' priority: 5 options: extract_text: False 'ScanDonut': - positive: flavors: - 'hacktool_win_shellcode_donut' priority: 5 'ScanElf': - positive: flavors: - 'application/x-object' - 'application/x-executable' - 'application/x-sharedlib' - 'application/x-coredump' - 'elf_file' priority: 5 'ScanEmail': - positive: flavors: - 'application/vnd.ms-outlook' - 'message/rfc822' - 'email_file' priority: 5 'ScanEncryptedDoc': - positive: flavors: - 'encrypted_word_document' priority: 5 options: max_length: 5 scanner_timeout: 150 log_pws: True password_file: "/etc/strelka/passwords.dat" 'ScanEncryptedZip': - positive: flavors: - 'encrypted_zip' priority: 5 options: max_length: 5 scanner_timeout: 150 log_pws: True password_file: '/etc/strelka/passwords.dat' 'ScanEntropy': - positive: flavors: - '*' priority: 5 'ScanExiftool': - positive: flavors: - 'application/msword' - 'application/vnd.openxmlformats-officedocument' - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - 'olecf_file' - 'ooxml_file' - 'audio/mpeg' - 'mp3_file' - 'mhtml_file' - 'application/pdf' - 'pdf_file' - 'text/rtf' - 'rtf_file' - 'wordml_file' - 'application/x-dosexec' - 'mz_file' - 'application/x-object' - 'application/x-executable' - 'application/x-sharedlib' - 'application/x-coredump' - 'elf_file' - 'lnk_file' - 'application/x-mach-binary' - 'macho_file' - 'image/gif' - 'gif_file' - 'image/jpeg' - 'jpeg_file' - 'image/png' - 'png_file' - 'image/tiff' - 'type_is_tiff' - 'image/x-ms-bmp' - 'bmp_file' - 'application/x-shockwave-flash' - 'fws_file' - 'psd_file' - 'video/mp4' - 'video/quicktime' - 'video/x-msvideo' - 'avi_file' - 'video/x-ms-wmv' - 'wmv_file' priority: 5 options: tmp_directory: '/dev/shm/' 'ScanFooter': - positive: flavors: - '*' priority: 5 options: length: 50 encodings: - classic - backslash 'ScanGif': - positive: flavors: - 'image/gif' - 'gif_file' priority: 5 'ScanGzip': - positive: flavors: - 'application/gzip' - 'application/x-gzip' - 'gzip_file' priority: 5 'ScanHash': - positive: flavors: - '*' priority: 5 'ScanHeader': - positive: flavors: - '*' priority: 5 options: length: 50 'ScanHtml': - positive: flavors: - 'hta_file' - 'text/html' - 'html_file' priority: 5 options: max_hyperlinks: 50 'ScanIqy': - positive: flavors: - 'iqy_file' priority: 5 'ScanIni': - positive: filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' flavors: - 'ini_file' priority: 5 'ScanIso': - positive: flavors: - 'application/x-iso9660-image' priority: 5 options: limit: 50 'ScanJarManifest': - positive: flavors: - 'jar_manifest_file' priority: 5 'ScanJavascript': - negative: flavors: - 'text/html' - 'html_file' positive: flavors: - 'javascript_file' - 'text/javascript' priority: 5 options: beautify: True 'ScanJpeg': - positive: flavors: - 'image/jpeg' - 'jpeg_file' priority: 5 'ScanJson': - positive: flavors: - 'application/json' - 'json_file' priority: 5 'ScanLibarchive': - positive: flavors: - 'application/vnd.ms-cab-compressed' - 'cab_file' - 'application/x-7z-compressed' - '_7zip_file' - 'application/x-cpio' - 'cpio_file' - 'application/x-xar' - 'xar_file' - 'arj_file' - 'iso_file' - 'application/x-debian-package' - 'debian_package_file' priority: 5 options: limit: 1000 'ScanLNK': - positive: flavors: - 'lnk_file' priority: 5 'ScanLsb': - positive: flavors: - 'image/png' - 'png_file' - 'image/jpeg' - 'jpeg_file' - 'image/x-ms-bmp' - 'bmp_file' - 'image/webp' negative: source: - 'ScanTranscode' priority: 5 'ScanLzma': - positive: flavors: - 'application/x-lzma' - 'lzma_file' - 'application/x-xz' - 'xz_file' priority: 5 'ScanMacho': - positive: flavors: - 'application/x-mach-binary' - 'macho_file' priority: 5 options: tmp_directory: '/dev/shm/' 'ScanManifest': - positive: flavors: - 'browser_manifest' priority: 5 'ScanMsi': - positive: flavors: - "image/vnd.fpx" - "application/vnd.ms-msi" - "application/x-msi" priority: 5 options: tmp_directory: '/dev/shm/' keys: - 'Author' - 'Characters' - 'Company' - 'CreateDate' - 'LastModifiedBy' - 'Lines' - 'ModifyDate' - 'Pages' - 'Paragraphs' - 'RevisionNumber' - 'Software' - 'Template' - 'Title' - 'TotalEditTime' - 'Words' 'ScanOcr': - positive: flavors: - 'image/jpeg' - 'jpeg_file' - 'image/png' - 'png_file' - 'image/tiff' - 'type_is_tiff' - 'image/x-ms-bmp' - 'bmp_file' priority: 5 options: extract_text: False tmp_directory: '/dev/shm/' 'ScanOle': - positive: flavors: - 'application/CDFV2' - 'application/msword' - 'olecf_file' priority: 5 'ScanOnenote': - positive: flavors: - 'application/onenote' - 'application/msonenote' - 'onenote_file' priority: 5 'ScanPdf': - positive: flavors: - 'application/pdf' - 'pdf_file' priority: 5 options: extract_text: False limit: 2000 'ScanPe': - positive: flavors: - 'application/x-dosexec' - 'mz_file' priority: 5 'ScanPgp': - positive: flavors: - 'application/pgp-keys' - 'pgp_file' priority: 5 'ScanPhp': - positive: flavors: - 'text/x-php' - 'php_file' priority: 5 'ScanPkcs7': - positive: flavors: - 'pkcs7_file' priority: 5 options: tmp_directory: '/dev/shm/' 'ScanPlist': - positive: flavors: - 'bplist_file' - 'plist_file' priority: 5 options: keys: - 'KeepAlive' - 'Label' - 'NetworkState' - 'Program' - 'ProgramArguments' - 'RunAtLoad' - 'StartInterval' 'ScanPngEof': - positive: flavors: - 'image/png' - 'png_file' negative: source: - 'ScanTranscode' priority: 5 'ScanQr': - positive: flavors: - 'image/jpeg' - 'jpeg_file' - 'image/png' - 'png_file' - 'image/tiff' - 'type_is_tiff' - 'image/x-ms-bmp' - 'bmp_file' - 'image/webp' priority: 5 options: support_inverted: True 'ScanRar': - positive: flavors: - 'application/x-rar' - 'rar_file' priority: 5 options: limit: 1000 'ScanRpm': - positive: flavors: - 'application/x-rpm' - 'rpm_file' priority: 5 options: tmp_directory: '/dev/shm/' 'ScanRtf': - positive: flavors: - 'text/rtf' - 'rtf_file' priority: 5 options: limit: 1000 'ScanSevenZip': - positive: flavors: - 'application/x-7z-compressed' - '_7zip_file' - "image/vnd.fpx" - "application/vnd.ms-msi" - "application/x-msi" priority: 5 options: scanner_timeout: 150 crack_pws: True log_pws: True 'ScanSwf': - positive: flavors: - 'application/x-shockwave-flash' - 'fws_file' - 'cws_file' - 'zws_file' priority: 5 'ScanTar': - positive: flavors: - 'application/x-tar' - 'tar_file' priority: 5 options: limit: 1000 'ScanTnef': - positive: flavors: - 'application/vnd.ms-tnef' - 'tnef_file' priority: 5 'ScanUpx': - positive: flavors: - 'upx_file' priority: 5 options: tmp_directory: '/dev/shm/' 'ScanUrl': - negative: flavors: - 'javascript_file' positive: flavors: - 'text/plain' priority: 5 'ScanVb': - positive: flavors: - 'vb_file' - 'vbscript' - 'hta_file' priority: 5 'ScanVba': - positive: flavors: - 'mhtml_file' - 'application/msword' - 'olecf_file' - 'wordml_file' priority: 5 options: analyze_macros: True 'ScanVhd': - positive: flavors: - 'application/x-vhd' - 'vhd_file' - 'vhdx_file' priority: 5 options: limit: 100 'ScanVsto': - positive: flavors: - 'vsto_file' priority: 5 'ScanX509': - positive: flavors: - 'x509_der_file' priority: 5 options: type: 'der' - positive: flavors: - 'x509_pem_file' priority: 5 options: type: 'pem' 'ScanXml': - positive: flavors: - 'application/xml' - 'text/xml' - 'xml_file' - 'mso_file' - 'soap_file' priority: 5 'ScanYara': - positive: flavors: - '*' priority: 5 options: location: '/etc/yara/' compiled: enabled: True filename: "rules.compiled" store_offset: True offset_meta_key: "StrelkaHexDump" offset_padding: 32 'ScanZip': - positive: flavors: - 'application/java-archive' - 'application/zip' - 'zip_file' - 'application/vnd.openxmlformats-officedocument' - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - 'ooxml_file' priority: 5 options: limit: 1000 password_file: '/etc/strelka/passwords.dat' 'ScanZlib': - positive: flavors: - 'application/zlib' - 'zlib_file' priority: 5 logging: version: 1 formatters: simple: format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' datefmt: '%Y-%m-%d %H:%M:%S' handlers: console: class: logging.StreamHandler formatter: simple stream: ext://sys.stdout root: level: DEBUG handlers: [console] loggers: OpenSSL: propagate: 0 bs4: propagate: 0 bz2: propagate: 0 chardet: propagate: 0 docx: propagate: 0 elftools: propagate: 0 email: propagate: 0 entropy: propagate: 0 esprima: propagate: 0 gzip: propagate: 0 hashlib: propagate: 0 json: propagate: 0 libarchive: propagate: 0 lxml: propagate: 0 lzma: propagate: 0 macholibre: propagate: 0 olefile: propagate: 0 oletools: propagate: 0 pdfminer: propagate: 0 pefile: propagate: 0 pgpdump: propagate: 0 pygments: propagate: 0 pylzma: propagate: 0 rarfile: propagate: 0 requests: propagate: 0 rpmfile: propagate: 0 ssdeep: propagate: 0 tarfile: propagate: 0 tnefparse: propagate: 0 yara: propagate: 0 zipfile: propagate: 0 zlib: propagate: 0 passwords: - infected - password filestream: enabled: False config: conn: server: 'HOST:57314' cert: '' timeout: dial: 5s file: 1m throughput: concurrency: 8 chunk: 32768 delay: 0s files: patterns: - '/nsm/strelka/unprocessed/*' delete: false gatekeeper: true processed: '/nsm/strelka/processed' response: report: 5s delta: 5s staging: '/nsm/strelka/staging' frontend: enabled: False config: server: ":57314" coordinator: addr: 'HOST:6380' db: 0 gatekeeper: addr: 'HOST:6381' db: 0 ttl: 1h response: log: "/var/log/strelka/strelka.log" broker: bootstrap: "PLACEHOLDER" protocol: "PLACEHOLDER" certlocation: "PLACEHOLDER" keylocation: "PLACEHOLDER" calocation: "PLACEHOLDER" topic: "PLACEHOLDER" s3redundancy: "PLACEHOLDER - This should be a boolean value" s3: accesskey: "PLACEHOLDER" secretkey: "PLACEHOLDER" bucketName: "PLACEHOLDER" region: "PLACEHOLDER" endpoint: "PLACEHOLDER" manager: enabled: False config: coordinator: addr: 'HOST:6380' db: 0 coordinator: enabled: False gatekeeper: enabled: False rules: enabled: True filecheck: historypath: '/nsm/strelka/history/' strelkapath: '/nsm/strelka/unprocessed/' logfile: '/opt/so/log/strelka/filecheck.log'