Skip to content

ScanLibarchive

Extracts files from libarchive-compatible archives.

Options

limit: Maximum number of files to extract. Defaults to 1000.

Source code in strelka/src/python/strelka/scanners/scan_libarchive.py 
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
class ScanLibarchive(strelka.Scanner):
    """Extracts files from libarchive-compatible archives.

    Options:
        limit: Maximum number of files to extract.
            Defaults to 1000.
    """

    def scan(self, data, file, options, expire_at):
        file_limit = options.get("limit", 1000)

        self.event["total"] = {"files": 0, "extracted": 0}

        try:
            with libarchive.memory_reader(data) as archive:
                # Using basically the same logic to count files
                # However, it is more technically correct to count
                # the files before trying to extract them in case an error occurs
                for entry in archive:
                    if entry.isfile:
                        self.event["total"]["files"] += 1

            with libarchive.memory_reader(data) as archive:
                for entry in archive:
                    if entry.isfile:
                        if self.event["total"]["extracted"] >= file_limit:
                            continue

                        extracted_data = b""
                        for block in entry.get_blocks():
                            extracted_data += block

                        # Send extracted file back to Strelka
                        self.emit_file(extracted_data, name=entry.pathname)

                        self.event["total"]["extracted"] += 1

        except libarchive.ArchiveError:
            self.flags.append("libarchive_archive_error")

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
application/vnd.ms-cab-compressed
application/x-cpio
application/x-debian-package
application/x-xar
cab_file
cpio_file
debian_package_file
xar_file

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name
Field Type
elapsed
str
flags
list
total
dict
total.extracted
int
total.files
int

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "elapsed": 0.001,
        "flags": [],
        "total": {"files": 4, "extracted": 4},
    }