ScanPngEof Doesn't Upload Extracted File to Coordinator
ryanohoro opened this issue · 0 comments
Describe the bug
ScanPngEof extracts files embedded after EOF from PNG files. It attaches the entire contents of the file to the event, and does not send the extracted file to the coordinator.
Steps to reproduce
./strelka-oneshot -f ../../../python/strelka/tests/fixtures/test_pe_overlay.png
cat strelka-oneshot.log | jq -rc '[.file.depth, .file.flavors.mime[0]] | @csv'
0,"image/png"
1,"application/x-empty"
Expected behavior
./strelka-oneshot -f ../../../python/strelka/tests/fixtures/test_pe_overlay.png
cat strelka-oneshot.log | jq -rc '[.file.depth, .file.flavors.mime[0]] | @csv'
0,"image/png"
1,"application/x-dosexec"
Screenshots
N/A
Release
- Release: 0.22.12.08
Additional context
The extracted file should likely NOT be attached to the event, since the design philosophy of Strelka is for lightweight, metadata-only events.
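As an added example (not Strelka's own code): a chunk-walking parser that locates the PNG IEND chunk and treats everything after its CRC as the trailer, with the scanner putting only metadata (offset, size) in the event and handing the extracted bytes to an `emit_file` callback, a hypothetical stand-in for the coordinator hand-off this issue asks for. Walking the chunk structure rather than searching for the byte string "IEND" avoids false matches inside chunk data.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Return the offset just past the IEND chunk's CRC, or None if the data
    is not a well-formed PNG (bad signature, truncated chunk, or no IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + data + CRC
        if chunk_end > len(data):
            return None  # truncated chunk: do not guess where the file ends
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def scan_png_eof(data: bytes, emit_file):
    """Metadata-only event; the trailing bytes go to emit_file (hypothetical
    callback standing in for the coordinator) as a separate child file."""
    event = {"flags": []}
    eof = png_end_offset(data)
    if eof is None:
        event["flags"].append("no_iend")
        return event
    trailer = data[eof:]
    if trailer:
        event["trailer_offset"] = eof
        event["trailer_size"] = len(trailer)
        emit_file(trailer, name="png_eof_trailer")
    return event


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sample_png_with_trailer(trailer: bytes) -> bytes:
    """Constructed minimal PNG (signature, 1x1 IHDR, IEND) plus a trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IEND", b"") + trailer
```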