The official snake scales repository.
Scales can be installed in one of three ways: with the `snake` command line utility, with pip, or by cloning the repository and pointing Snake at it.
Once a scale is installed, Snake and the Celery workers must be restarted before it is loaded.
Note: Any missing dependencies or configuration settings will be reported in Snake's log!
The Snake command line utility can be used to install a scale:

```sh
snake install SCALE_NAME
```
The Snake command line utility can also be used to check whether a scale is loadable, which is useful when a scale has several dependencies:

```sh
snake check SCALE_NAME
```
A scale can be installed using pip as follows (replace `<SCALE>` with the scale's directory name in this repository):

```sh
# 1. Install the scale with pip
pip install 'git+https://github.com/countercept/snake-scales#egg=<SCALE>&subdirectory=<SCALE>'

# 2. (Optional) Copy the scale's conf file, if present, to /etc/snake/scales
export SCALE=<SCALE>
export SCALE_DIR=$(python -c "import imp; print(imp.find_module('snake_${SCALE}')[1])")
if [ -f "${SCALE_DIR}/${SCALE}.conf" ]; then cp "${SCALE_DIR}/${SCALE}.conf" "/etc/snake/scales/${SCALE}.conf.example"; fi

# 3. Install system dependencies
# If any, these will be reported in the Snake log, or are usually listed in the `check` functions within components
```

Note: the `imp` module used in step 2 was removed in Python 3.12; on newer interpreters locate the installed package with `importlib.util.find_spec` instead.
All the scales in a repository can be added to Snake at once by cloning it and pointing Snake at the clone.

```sh
# 1. Clone the repository to the desired location
git clone https://github.com/countercept/snake-scales.git <SCALE_DIR>
```

```
# 2. Add the directory to snake.conf
[snip]
snake_scale_dirs: [
  '<SCALE_DIR>'
]
[snip]
```

```sh
# 3. (Optional) Copy the scales' conf files, if present, to /etc/snake/scales
# Check through the scale folders and copy their .conf files, if present, to /etc/snake/scales

# 4. Install python requirements
# If any, either look through the setup.py files or look at the Snake log.

# 5. Install system dependencies
# If any, these will be reported in the Snake log, or are usually listed in the `check` functions within components
```
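Step 3 above is described but not scripted. The following shell function is an added example and is not part of the snake-scales repository: it walks a cloned scales directory, copies every `.conf` it finds into Snake's scales config directory as a `.conf.example` (mirroring what the pip instructions do for a single scale), and refuses to overwrite an example that is already there so a re-run cannot clobber a file an operator has edited. The default destination `/etc/snake/scales` comes from this README; the clone path and any sample `.conf` contents used to try it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the snake-scales project): copy each scale's .conf
# from a cloned scales directory into Snake's scales config directory as a
# .conf.example, the same naming the pip instructions use.
# Usage: copy_scale_confs <SCALE_DIR> [/etc/snake/scales]
# Prints the number of files copied so a caller can check the result.
copy_scale_confs() {
  src="$1"
  dest="${2:-/etc/snake/scales}"
  mkdir -p "$dest"
  count=0
  # Scale .conf files sit inside per-scale folders at varying depth, so walk
  # the whole tree rather than assuming one layout (paths with spaces are
  # not supported by this word-split loop).
  for conf in $(find "$src" -type f -name '*.conf' | sort); do
    name=$(basename "$conf")
    target="$dest/$name.example"
    if [ -e "$target" ]; then
      # Never overwrite: an operator may have customised the example in place.
      echo "skip: $target already exists" >&2
      continue
    fi
    cp "$conf" "$target"
    echo "copied $conf -> $target" >&2
    count=$((count + 1))
  done
  echo "$count"
}

# Run directly against a clone, e.g.: sh copy_confs.sh /opt/snake-scales
if [ $# -ge 1 ]; then
  copy_scale_confs "$1" "$2"
fi
```

After copying, rename each `.conf.example` to `.conf`, fill in the variables listed for that scale below, and restart Snake and the Celery workers.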

Runs binwalk on a sample.
- (Required) Binwalk

Scans a sample using ClamAV.
- (Required) ClamAV

Allows Snake to interact with Cuckoo, such as submitting samples to Cuckoo.
- (Required) Cuckoo
Variable | Default | Description |
---|---|---|
cuckoo_api | null | URL for Cuckoo API |
cuckoo_url | null | URL to Cuckoo Web UI |
verify | True | Verify SSL connection if using HTTPS |

Analyse ELF files using elftools.

Runs exiftool on a sample.
- (Required) Exiftool

Runs FireEye's floss on a binary.
- (Required) Floss
Variable | Default | Description |
---|---|---|
floss_path | null | Path to floss binary |
home | null | Path to HOME directory, required if user does not have a HOME |

Search for a sample's hash in NIST's NSRL hash set.
Variable | Default | Description |
---|---|---|
nsrl_path | null | Path to NSRL hashes text file |

Analyse a sample using olefile and oletools.

Analyse a sample using pdf-parser, pdfid and peepdf.
- (Optional) pdf-parser
- (Optional) pdfid
- (Optional) peepdf
Variable | Default | Description |
---|---|---|
pdf_parser_path | null | Path to pdf-parser.py |
pdfid_path | null | Path to pdfid.py |
peepdf_path | null | Path to peepdf.py |

Analyse a sample using pefile.

Runs radare2 on a sample.
- (Required) Radare2

Runs radare2-based scripts on a sample.
- (Required) Radare2

Runs rekall on a sample.
- (Required) Rekall
Variable | Default | Description |
---|---|---|
cache_dir | null | Location of the profiles cache directory |
repository_path | null | Path to search for profiles in, useful for no internet access |

Runs the Retargetable Decompiler (RetDec) on parts of a sample.
- (Required) Radare2
Variable | Default | Description |
---|---|---|
online | true | Toggle between using the online instance or a local one |
api_key | null | API key required for interaction with RetDec's online instance (online) |
retdec_dir | null | Directory that retdec is installed to (local) |

Runs trid on a sample.
- (Required) TRiD
Variable | Default | Description |
---|---|---|
trid_path | null | Path to trid |
tridupdate_path | null | Path to tridupdate.py |
triddefs_path | null | Path to triddefs.trd |

Allows Snake to interact with VirusTotal, such as querying VT for information about a sample.
Variable | Default | Description |
---|---|---|
api_key | null | VirusTotal API key |
api_private | false | Enable private features when using private VirusTotal API key |

Runs vol.py on a sample.
- (Required) Volatility
Variable | Default | Description |
---|---|---|
vol_path | null | Path to vol.py |

Scans a sample with yara.
Variable | Default | Description |
---|---|---|
rules_key | null | Path to directory containing yara rules |
blacklisted_rules | [] | A list of rules to ignore |