PasteHunter v1.4.2 releases: Scanning pastebin with yara rules
PasteHunter is a python3 application designed to query a collection of sites that host publicly posted data. For every paste it finds, it scans the raw contents against a series of YARA rules looking for information that can be used by an organisation or a researcher.
Supported Inputs
Pastehunter currently has support for the following sites:
- pastebin.com
- gist.github.com
- slexy.org
- StackExchange # There are about 176!
Supported Outputs
Pastehunter supports several output modules:
- dump to ElasticSearch DB (default).
- Email alerts (SMTP).
- Slack Channel notifications.
- Dump to JSON file.
- Dump to CSV file.
PostProcess
There are a handful of post-process modules that can run additional checks on the raw paste data.
There are a few generic options for each postprocess module.
- enabled: This turns the postprocess module on and off.
- module: This is used internally by pastehunter.
Emails
This postprocess module extracts additional information from data that includes email addresses. It will extract counts for:
- Total Emails
- Unique Email addresses
- Unique Email domains
These 3 values are then added to the metadata for storage.
- rule_list: List of rules that will trigger the postprocess module.
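The three counts described above, as an added Python example (this is not PasteHunter's own code): the sample paste is constructed, the regex is deliberately conservative, and the dictionary key names are assumptions rather than PasteHunter's field names.

```python
import re
from collections import Counter

# Constructed sample paste (not real data): a credential-style dump in which
# one address repeats and two domains appear.
SAMPLE_PASTE = """\
user1@example.com:hunter2
user2@example.com:password1
admin@corp.example:letmein
user1@example.com:hunter2
contact: support@corp.example
"""

# Deliberately conservative pattern: it is used for counting, not for RFC 5322
# validation, so it prefers missing an odd address over matching garbage.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def email_stats(raw: str) -> dict:
    """Compute total addresses, unique addresses and unique domains.

    Addresses are lower-cased before de-duplication: the domain part is
    case-insensitive and practically every provider treats the local part
    that way too. Key names are assumptions, not PasteHunter's field names.
    """
    found = [addr.lower() for addr in EMAIL_RE.findall(raw)]
    unique = set(found)
    domains = Counter(addr.split("@", 1)[1] for addr in unique)
    return {
        "total_emails": len(found),
        "unique_emails": len(unique),
        "unique_domains": len(domains),
        # Per-domain breakdown is extra: it tells an analyst at a glance
        # whether a paste concentrates on a single organisation.
        "domain_counts": dict(domains),
    }


def add_email_metadata(paste_meta: dict, raw: str) -> dict:
    """Merge the counts into a paste's metadata dict, mirroring the
    'added to the metadata for storage' step (field layout assumed)."""
    stats = email_stats(raw)
    paste_meta.update({
        "total_emails": stats["total_emails"],
        "unique_emails": stats["unique_emails"],
        "unique_email_domains": stats["unique_domains"],
    })
    return paste_meta


if __name__ == "__main__":
    print(email_stats(SAMPLE_PASTE))
    print(add_email_metadata({"pasteid": "constructed-0001"}, SAMPLE_PASTE))
```

On the constructed sample the counts are 5 total, 4 unique and 2 domains; the per-domain breakdown shows both domains appearing twice, which is the kind of detail that separates a targeted dump from random noise.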
Base64
This postprocess will attempt to decode base64 data and then apply further processing on the new file data. At the moment this module only operates when the full paste is a base64 blob, i.e. it will not extract the base64 code that is embedded in other data.
- rule_list: List of rules that will trigger the postprocess module.
Cuckoo
If the samples match a binary file format you can optionally send the file for analysis by a Cuckoo Sandbox.
- api_host: IP or hostname for a Cuckoo API endpoint.
- api_port: Port number for a Cuckoo API endpoint.
Viper
If the samples match a binary file format you can optionally send the file to a Viper instance for further analysis.
- api_host: IP or hostname for a Viper API endpoint.
- api_port: Port number for a Viper API endpoint.
Entropy
This postprocess module calculates Shannon entropy on the raw paste data. This can be used to help identify binary and encoded or encrypted data.
- rule_list: List of rules that will trigger the postprocess module.
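The Base64 and Entropy postprocess steps together, as an added Python example (not PasteHunter's own code): Shannon entropy over the raw bytes, the whole-paste-only base64 check with the embedded-blob limitation described above, and entropy of the decoded result. The sample pastes are constructed, and the entropy bands and minimum blob length are assumed heuristics, not PasteHunter's settings.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Whole-paste base64 check: applied after all whitespace is stripped, so a
# line-wrapped blob still qualifies but any other character disqualifies it.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Assumed floor: shorter strings are too often ordinary words that happen to
# be valid base64 (e.g. "test" decodes cleanly).
MIN_B64_LEN = 16


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated byte,
    8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(h: float) -> str:
    """Heuristic bands (assumed thresholds, not PasteHunter's): English text
    sits around 4-5 bits/byte, a base64 alphabet cannot exceed log2(64) = 6,
    compressed or encrypted data approaches 8."""
    if h < 5.0:
        return "text"
    if h < 6.1:
        return "encoded"
    return "binary/compressed/encrypted"


def decode_if_base64_blob(raw: str):
    """Return the decoded bytes when the *entire* paste is one base64 blob,
    otherwise None. Base64 embedded in other content is left alone, which is
    exactly the limitation the Base64 postprocess describes."""
    stripped = "".join(raw.split())
    if len(stripped) < MIN_B64_LEN or len(stripped) % 4 or not B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def postprocess(raw: str) -> dict:
    """Run both checks and return the fields an analyst would store."""
    data = raw.encode("utf-8", errors="replace")
    h = shannon_entropy(data)
    result = {"entropy": round(h, 3), "entropy_class": classify_entropy(h),
              "base64_decoded": False}
    decoded = decode_if_base64_blob(raw)
    if decoded is not None:
        dh = shannon_entropy(decoded)
        result.update({"base64_decoded": True,
                       "decoded_size": len(decoded),
                       "decoded_entropy": round(dh, 3),
                       "decoded_class": classify_entropy(dh)})
    return result


# Constructed sample pastes (not real data).
SAMPLES = {
    "plain":    "just a normal paste with some words in it\n",
    "blob":     "aGVsbG8gd29ybGQ=\n",          # base64 of b"hello world"
    "embedded": "token: aGVsbG8gd29ybGQ=\n",   # base64 inside other text
}

if __name__ == "__main__":
    for name, paste in SAMPLES.items():
        print(name, postprocess(paste))
```

The "embedded" sample is the case the text warns about: the blob is present but surrounded by other characters, so the whole-paste check returns None and the decoded fields are not populated. Short blobs also have low entropy on their own, which is why the decode step exists rather than relying on the entropy band alone.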
Changelog v1.4.2
Changed
- Fixed ix.io import
- Made slexy’s timeout configurable (#121)
Install
For examples of data discovered using pastehunter, check out the author's tutorials here and here.
Copyright (C) 2017 kevthehermit
Source: https://github.com/kevthehermit/