SFlock2

Release 0.3.57

Sample staging and detonation utility

Homepage Repository PyPI Python

Keywords
sflock, unarchive
License
GPL-3.0
Install
pip install SFlock2==0.3.57

Documentation

sflock

example workflow

Sample staging & detonation utility to be used as unpacking engine for other analysis tools. Since version 0.3.14 sflock is compatible with Python >= 3.6

Birds tend to move around in flocks, therefore the sflock utility can digest a flock of samples, but also inverse flocks, i.e., sflock unpacks various archive file formats to extract embedded samples.

Simply put, sflock provides a staging area where binary data is investigated and split into one or more files to be analyzed further by other tools. In particular sflock focuses on integration and usage with Cuckoo Sandbox.

Installation

As-is sflock has been designed to be used to its full extent on Ubuntu/Debian-like systems. For optimal usage it is recommended to install the following packages alongside sflock. It is currently not possible to run the unpackers that require native tooling support on non-Linux platforms.

$ sudo apt-get install p7zip-full rar unace-nonfree cabextract lzip libjpeg8-dev zlib1g-dev zpaq gnupg

Installation of sflock itself may be done as follows.

$ sudo pip install -U sflock2

Or in a virtualenv environment.

(venv)$ pip install -U sflock2

Supported archives

SFlock supports a number of (semi-)archive types, sorted by extension:

  • .7z (7-Zip archive, requires native tooling)
  • .ace (ACE archive, requires native tooling)
  • .bup (McAfee quarantine files)
  • .cab (Microsoft Cabinet archive, requires native tooling)
  • .daa (PowerISO, requires included Linux native tooling)
  • .eml (MIME RFC 822 email representation)
  • .gzip (gzip compressed data, requires native tooling)
  • .iso (ISO file container, requires native tooling)
  • .lzh (LZH/LHA archive, requires native tooling)
  • .lz (Lzip compressed data, requires native tooling)
  • .msg (Outlook mail message)
  • .mso (Microsoft Office Macro reference file)
  • .pdf (Attachments embedded in PDF files)
  • .rar (RAR archive, requires native tooling)
  • .tar (Unix file archive)
  • .tar.bz2 (bzip2 compressed Unix file archive)
  • .tar.gz (gzip compressed Unix file archive)
  • .zip (ZIP archive)
  • .win (Windows imaging (WIM) image)

Security

Due to its nature of unpacking malicious archives with, depending on the extension, native tools (i.e., .7z, .ace, .cab, .daa, .gzip, .iso, .lzh, and .rar), it is important that such operations happen securely. SFlock therefore wraps execution of the native tools in zipjail, a usermode sandbox written exactly for this purpose.

Stats

Dependencies
5
Dependent packages
1
Dependent repositories
0
Total releases
43
Latest release
First release
Stars
9
Forks
13
Watchers
2
Contributors
0
Repository size
14.9 MB
SourceRank
9

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.3.42
0.3.38
0.3.41
0.3.39
0.3.37
0.3.35
0.3.40
0.3.36
0.3.44
0.3.43
See all 43 releases

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-12-05 10:46:14 UTC

Login to resync this project