Related files feature #676

Open
2 of 4 tasks
vandir opened this issue Sep 19, 2022 · 1 comment · May be fixed by #725
vandir commented Sep 19, 2022

Feature Category

  • Correctness
  • User Interface / User Experience
  • Performance
  • Other (please explain)

Describe the problem

We need a way to upload a file associated with a sample that should not be analyzed or investigated, like a .IDB (IDA database) file, a .pdf report or other goodware supporting data, but simply shown as download links in the custom attribute section or in a new "Related files" tab like the following:

[Screenshot: Schermata 2022-09-19 alle 16 43 59]

Describe the solution you'd like

The related files should be shown as download links in the custom attribute section or in a new "Related files" tab. The related files should not be shown in the samples list because they are not malware.

Describe alternatives you've considered

We see that there are only 3 types of objects: sample, blob and config. We may need an additional object type named supporting_data or associated_file that must not be analyzed or listed in "samples" but shown in a new tab (like what happens with config).

We also considered the opportunity to create a plugin that intercepts and aborts the upload process when the uploaded file is a .IDB or .PDF, but we miss a webhook like before_file_creation that could be used to:

  1. filter out the uploaded file (that is, abort the upload process)
  2. instead upload the file to a third-party service (or to an alternative bucket of the minio instance)
  3. create a custom attribute with the download link in the parent sample

Is it reasonable to have this feature in the MWDB project or is it too "case-management" oriented? That is, will you accept pull requests about this feature?

This issue is somehow similar to #560.

@psrok1 psrok1 added type:feature New feature description e.g. which involves implementation of new components zone:backend MWDB backend core related tasks labels Oct 6, 2022
Member

psrok1 commented Oct 6, 2022

Sure, I like the idea to exchange files that are malware-related but are not actually malware samples!

Another use case is payloads encrypted/compressed by some not-yet-known algorithm that are stored in MWDB for further analysis. That's pretty common in CERT.pl as well. These can be uploaded directly to MWDB, but we don't want these partially-processed artifacts in the actual sample list.

Choosing different storage buckets is not that necessary, but it might actually be useful to have these files physically in a separate place, e.g. to not include them in mquery scanning. But maintaining multiple storage providers sounds like another huge pull request.

@Repumba Repumba self-assigned this Dec 1, 2022
@Repumba Repumba linked a pull request Dec 12, 2022 that will close this issue
4 tasks