Skip to content

Real-time, container-based file scanning at enterprise scale

License

Notifications You must be signed in to change notification settings

sublime-security/strelka

 
 

Repository files navigation

Strelka Banner

Releases   |   Documentation   |   Pull Requests   |   Issues

GitHub release Build Status Pull Requests Slack License

Strelka is a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response. Originally based on the design established by Lockheed Martin's Laika BOSS and similar projects (see: related projects), Strelka's purpose is to perform file extraction and metadata collection at enterprise scale.

Strelka differs from its sibling projects in a few significant ways:

  • Core codebase is Go and Python3.6+
  • Server components run in containers for ease and flexibility of deployment
  • OS-native client applications for Windows, Mac, and Linux
  • Built using libraries and formats that allow cross-platform, cross-language support

Features

Strelka is a modular data scanning platform, allowing users or systems to submit files for the purpose of analyzing, extracting, and reporting file content and metadata. Coupled with a SIEM, Strelka is able to aggregate, alert, and provide analysts with the capability to better understand their environment without having to perform direct data gathering or time-consuming file analysis.

Strelka Features

Quickstart

This section should be used as a demonstration of Strelka. Please review the documentation for details on how to properly build and deploy Strelka.

By default, Strelka is configured to use a minimal "quickstart" deployment that allows users to test the system. As noted above, this configuration is not recommended for production deployments, but may suffice for environments with very low file volume (<50k files per day). Using two Terminal windows, do the following:

Step 1: Build and Start Strelka Cluster (Docker)

# Terminal 1
$ docker-compose -f build/docker-compose.yaml up

Step 2: Build Strelka-Fileshot (File Submitter)

# Terminal 2
$ go build github.com/target/strelka/src/go/cmd/strelka-fileshot

Step 3: Add File Paths / Patterns to be Scanned to a [fileshot.yaml] file (https://github.com/target/strelka/blob/master/docs/README.md#fileshot)

  ...
  files:
    patterns:
      - '/glob/to/your/files/*.doc'
      - '/glob/to/your/files/*.exe'
  ...

Step 4: Run Strelka-Fileshot and Review Output

# Terminal 2
$ ./strelka-fileshot -c fileshot.yaml
$ cat strelka.log | jq .

Terminal 1 runs a full Strelka cluster with logs printed to stdout and Terminal 2 is used to send files to the cluster. fileshot.yaml will need the patterns field updated to identify files to scan, by default scan results will be written to ./strelka.log.

Potential Uses

With over 50 file scanners for the most common file types (e.g., exe, docx, js, zip), Strelka provides users with the ability to gain new insights into files on their host, network, or enterprise. While Strelka is not a detection engine itself (although it does utilize YARA, it can provide enough metadata to identify suspicious or malicious files. Some potential uses for Strelka include:

Strelka Uses

Additional Documentation

More documentation about Strelka can be found in the README, including:

Contribute

Guidelines for contributing can be found here.

Related Projects

Licensing

Strelka and its associated code is released under the terms of the Apache 2.0 License.

Target Banner

About

Real-time, container-based file scanning at enterprise scale

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 73.3%
  • YARA 11.2%
  • Go 10.7%
  • Dockerfile 3.6%
  • Zeek 1.2%