Snake Scales

The official snake scales repository.

Installation

A scale can be installed in one of three ways: with the snake command line utility, with pip, or by cloning the repository and pointing Snake at it.

Once a scale is installed, Snake and the Celery workers must be restarted.

Note: Any missing dependencies or configuration settings will be reported in Snake's log!

Snake Based

The Snake command line utility can be used to install a scale.

snake install SCALE_NAME

The Snake command line utility can also be used to check the loadable state of a scale. This is very useful when a scale has multiple dependencies.

snake check SCALE_NAME

Pip Based

A scale can be installed using pip as follows:

# 1. Install the scale with pip
pip install 'git+https://github.com/countercept/snake-scales#egg=<SCALE>&subdirectory=<SCALE>'

# 2. (Optional) Copy the scale's conf file, if present, to /etc/snake/scales
export SCALE=<SCALE>
# Locate the installed snake_<SCALE> package (the legacy imp module was removed in Python 3.12)
export SCALE_DIR=$(python -c "import importlib.util; print(importlib.util.find_spec('snake_${SCALE}').submodule_search_locations[0])")
if [ -f "${SCALE_DIR}/${SCALE}.conf" ]; then cp "${SCALE_DIR}/${SCALE}.conf" "/etc/snake/scales/${SCALE}.conf.example"; fi

# 3. Install system dependencies
# If any, these will be reported in the Snake log, or usually listed in the `check` functions within components

Clone Based

All the scales in a repository can be added to Snake at once by cloning it and pointing Snake at the clone.

# 1. Clone the repository to the desired location
git clone https://github.com/countercept/snake-scales.git <SCALE_DIR>

# 2. Add directory to snake.conf
[snip]
snake_scale_dirs: [
  '<SCALE_DIR>'
]
[snip]

# 3. (Optional) Copy scales conf files if present to /etc/snake/scales
# Check through the scales folders and copy their .conf files if present to /etc/snake/scales

# 4. Install python requirements
# If any, either look through the setup.py files or look at the Snake log.

# 5. Install system dependencies
# If any, these will be reported in the Snake log, or usually listed in the `check` functions within components
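Steps 3 and 4 of the clone-based install can be scripted. The following is an added example, not part of the snake-scales repository, and assumes each scale's conf file lives at <repo>/<scale>/snake_<scale>/<scale>.conf (the layout the pip-based step relies on).

```shell
#!/bin/sh
# Added example, not code from the snake-scales repository.
# Assumed layout (matches the pip-based step): <repo>/<scale>/snake_<scale>/<scale>.conf
set -eu

# copy_scale_confs REPO_DIR DEST_DIR
# Copies each scale's .conf into DEST_DIR as <scale>.conf.example. Only the
# .example name is written, so a live <scale>.conf in DEST_DIR that already
# holds API keys or paths is never overwritten. Prints each scale copied.
copy_scale_confs() {
    repo="$1"
    dest="$2"
    mkdir -p "$dest"
    for scale_dir in "$repo"/*/; do
        scale=$(basename "$scale_dir")
        conf="$scale_dir/snake_$scale/$scale.conf"
        # Scales without a config (e.g. elf, pefile) simply have no .conf to copy
        [ -f "$conf" ] || continue
        cp "$conf" "$dest/$scale.conf.example"
        echo "$scale"
    done
}

# list_scale_requirements REPO_DIR
# Lists the per-scale setup.py files to inspect for python requirements (step 4).
list_scale_requirements() {
    find "$1" -mindepth 2 -maxdepth 2 -name setup.py | sort
}
```

Typical use after cloning is `copy_scale_confs <SCALE_DIR> /etc/snake/scales` followed by `list_scale_requirements <SCALE_DIR>`; review each copied .example file and rename it to `<scale>.conf` once the values are filled in.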

Scales

Binwalk

Runs binwalk on a sample.

Dependencies

ClamAV

Scans a sample using ClamAV.

Dependencies

Cuckoo

Allows Snake to interact with Cuckoo, such as submitting samples to Cuckoo.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| cuckoo_api | null | URL for Cuckoo API |
| cuckoo_url | null | URL to Cuckoo Web UI |
| verify | True | Verify SSL connection if using HTTPS |

ELF

Analyse ELF files using elftools.

Exiftool

Runs exiftool on a sample.

Dependencies

Floss

Runs FireEye's floss on a binary.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| floss_path | null | Path to floss binary |
| home | null | Path to HOME directory, required if user does not have a HOME |

NIST NSRL

Search for sample in NIST's NSRL hashes.

Configuration

| Variable | Default | Description |
|---|---|---|
| nsrl_path | null | Path to NSRL hashes text file |

Office

Analyse a sample using olefile, oletools.

PDF

Analyse a sample using pdf-parser, pdfid and peepdf.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| pdf_parser_path | null | Path to pdf-parser.py |
| pdfid_path | null | Path to pdfid.py |
| peepdf_path | null | Path to peepdf.py |

PEFile

Analyse a sample using pefile.

Radare2

Runs radare2 on a sample.

Dependencies

Radare2 Scripts

Runs radare2 based scripts on a sample.

Dependencies

Rekall

Runs rekall on a sample.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| cache_dir | null | Location of the profiles cache directory |
| repository_path | null | Path to search for profiles in, useful when there is no internet access |

RetDec

Runs the Retargetable Decompiler on parts of a sample.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| online | true | Toggle between using the online instance or a local one |
| api_key | null | API key required for interaction with RetDec's online instance (online) |
| retdec_dir | null | Directory that retdec is installed to (local) |

TRiD

Runs trid on a sample.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| trid_path | null | Path to trid |
| tridupdate_path | null | Path to tridupdate.py |
| triddefs_path | null | Path to triddefs.trd |

VirusTotal

Allows Snake to interact with VirusTotal, such as querying VT for information about a sample.

Configuration

| Variable | Default | Description |
|---|---|---|
| api_key | null | VirusTotal API key |
| api_private | false | Enable private features when using a private VirusTotal API key |

Volatility

Runs vol.py on a sample.

Dependencies

Configuration

| Variable | Default | Description |
|---|---|---|
| vol_path | null | Path to vol.py |

Yara

Scan a sample with yara.

Configuration

| Variable | Default | Description |
|---|---|---|
| rules_key | null | Path to directory containing yara rules |
| blacklisted_rules | [] | A list of rules to ignore |