The two new endpoints `children` and `parents` allow paginating over the (potentially large) set of parents or
children of a file. The URL is built from three values:
- The first value is the SHA1 of the file whose children or parents are requested.
- The second value is the number of elements to return per page (100 by default if
the value is set to 0).
- The third value is the pagination cursor (set it to 0 to start from the beginning;
for the following pages, pass back the `cursor` value returned by the previous page).
A sample usage:
~~~~
adulau@kolmogorov ~ $ curl -s http://127.0.0.1:5000/children/31C43D24d696BC5F5309CCBFA5BDEF65A7170439/10/0 | jq .
{
"children": [
"003587440172055C75130EF1A063C3BB050C3251",
"007C1E16B3F0F2E48C114E458308397953C7D224",
"014D1060C674FBBCEAFFD94B85D60AD00618B56B",
"01A2FACD61D157FC80DD0C5F6B525CC9EDE4B6DE",
"01D1A98F559966A05923A74EE239C6BBEEB0FDAC",
"01D381F2FCDD1BDF642AF83C9E96083F2C8D1C03",
"02B37BA21D1831C120C1C9C1D41893B4DB424EE7",
"02DED521ADCF17AA8818EA1142F63E05F558E668",
"0364E0EFE65D9B6502084813189B4D888C117859",
"05C9A276A0E03F7A5F99DE5CC8911583FD8FD60E"
],
"cursor": "05C9A276A0E03F7A5F99DE5CC8911583FD8FD60E",
"total": 774
}
adulau@kolmogorov ~ $ curl -s http://127.0.0.1:5000/children/31C43D24d696BC5F5309CCBFA5BDEF65A7170439/10/05C9A276A0E03F7A5F99DE5CC8911583FD8FD60E | jq .
{
"children": [
"063EC5526DA21372D77AFC3C40F694478521829B",
"0647EA948ED37383F74CC68A94E2DC3CBC2A9E4E",
"0648AAAC06A76A58CB1E999882447BBDEEA42C57",
"06A62F10F269824FFD75A917A35ACD3F2461981C",
"0727FE9E2437B15B3F879C7617973AE11E55BA13",
"074A0CA7131AE8FD9665CFE68A0C124EB6AD0170",
"075B11AE383071BDA9BE66E336C916F6E6E1F49C",
"081A336DE7D636F95F0150B7708C614592CBBDAE",
"08DF546EE44D4B7546FCE5A7B7E284CA35F1B059",
"0947CE713B69C2318CA684BBB63912621CC17A6A"
],
"cursor": "0947CE713B69C2318CA684BBB63912621CC17A6A",
"total": 774
}
~~~~
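As an added example (not code from hashlookup-server), the walk a client has to perform over these endpoints, together with an in-memory stand-in for the server side. The stand-in reproduces only what the sample session shows: pages are in ascending SHA1 order, `cursor` is the last SHA1 of the page, the next page starts strictly after that cursor, `total` is the full number of relations, and a count of 0 means 100. What happens once the set is exhausted is not shown above, so the empty-page termination and the upper-casing of the cursor are assumptions of this example; the 774 child SHA1s are constructed, not real data.

```python
"""Cursor pagination over hashlookup's `children`/`parents` endpoints.

Added example, not hashlookup-server's own code. `page_relations` is an
in-memory stand-in for GET /children/<sha1>/<count>/<cursor>; `fetch_all`
is the client-side loop with the sanity checks a consumer should make.
"""
import bisect
import hashlib
from typing import Callable, Dict, List

DEFAULT_COUNT = 100  # the page says a count of 0 means 100

# Constructed sample data: 774 fake child SHA1s (same total as the sample run).
CHILDREN: List[str] = sorted(
    hashlib.sha1(f"child-{i}".encode()).hexdigest().upper() for i in range(774)
)


def page_relations(relations: List[str], count: int, cursor: str) -> Dict:
    """Server-side stand-in for /children/<sha1>/<count>/<cursor>.

    `relations` must be the sorted, upper-case SHA1s related to one file.
    A cursor of "0" starts from the beginning; otherwise the page begins at
    the first SHA1 strictly greater than the cursor, so the cursor (last
    element of the previous page) is never returned twice.
    """
    if count <= 0:
        count = DEFAULT_COUNT
    # Assumption: cursors are compared case-insensitively (the sample URL
    # itself mixes cases in the SHA1).
    start = 0 if cursor == "0" else bisect.bisect_right(relations, cursor.upper())
    page = relations[start:start + count]
    return {
        "children": page,
        # Assumption: an exhausted set yields an empty page with the cursor unchanged.
        "cursor": page[-1] if page else cursor,
        "total": len(relations),
    }


def fetch_all(fetch_page: Callable[[int, str], Dict], count: int = 0) -> List[str]:
    """Client-side walk: follow `cursor` until a page comes back short or empty.

    `fetch_page(count, cursor)` returns the decoded JSON of one request; in a
    real client it would wrap `requests.get(...)`, here it wraps the stand-in.
    Each page is checked for ordering, no overlap with the previous page, and
    a cursor that really is the last element, so a misbehaving server cannot
    make the walk loop forever or silently drop entries.
    """
    seen: List[str] = []
    cursor = "0"
    page_size = count if count > 0 else DEFAULT_COUNT
    while True:
        resp = fetch_page(count, cursor)
        page = resp["children"]
        if not page:
            break
        if page != sorted(page):
            raise ValueError("page is not in ascending SHA1 order")
        if seen and page[0] <= seen[-1]:
            raise ValueError("page overlaps or precedes the previous page")
        if resp["cursor"] != page[-1]:
            raise ValueError("cursor does not match the last element of the page")
        seen.extend(page)
        if len(page) < page_size:
            break  # short page: nothing left after this one
        cursor = resp["cursor"]
    if len(seen) != resp["total"]:
        raise ValueError(f"walked {len(seen)} entries but server reported {resp['total']}")
    return seen


if __name__ == "__main__":
    fetched = fetch_all(lambda c, cur: page_relations(CHILDREN, c, cur), count=10)
    print(f"walked {len(fetched)} children in pages of 10")
```

The client deliberately keys on the page length rather than on `total` to decide when to stop, and only uses `total` as a final consistency check: the relation set can change between requests, and a page that is shorter than requested is the one signal that does not depend on the server's count staying stable.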
The trust level is calculated from the number of parents of a file.
If the file has been seen in many sources, the trust level increases.
The trust level is on a scale from 0 to 100. By default, the trust
level is 50, meaning the trust is unknown. Below 50, the file is
suspicious. Above 50, there is evidence that the file is more
legitimate. The calculation is based on the number of parents seen per
file: the more often a file is seen across different sources, the higher its
trust level, up to a maximum of 100.
A user can now create a session, assign lookup results to that session
and retrieve the results of the whole lookup session in one shot.
This partially implements the feature requested in issue #2 to support
DFIR sessions.
Thanks to Koen Van Impe for the idea.
- This includes a simple HTTP server for doing single and bulk lookups of hashes.
- A simple DNS server to do lookups via DNS
- Various import scripts for NSRL
This works on a test instance.
TODO:
- Automatic script for NSRL download and import
- Bloomfilter export
- Improved documentation